Release 0.6.1.

README
Upgrading guide from other noble libraries
2023-01-29 05:14:10 +01:00 · 2023-01-29 05:12:58 +01:00 · 2023-01-29 05:10:58 +01:00 · 2023-01-29 04:46:38 +01:00 · 2023-01-28 03:19:46 +01:00 · 2023-01-27 23:45:55 +01:00
176 changed files with 17111 additions and 10456 deletions
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -13,6 +13,5 @@ jobs:
        node-version: 18
    - run: npm install
    - run: npm run build --if-present
    - run: cd curve-definitions; npm install; npm run build --if-present
    - run: npm test
    - run: npm run lint --if-present
    - run: npm test
--- a/README.md
+++ b/README.md
@@ -1,38 +1,45 @@
 # noble-curves
-Minimal, zero-dependency JS implementation of elliptic curve cryptography.
+Minimal, auditable JS implementation of elliptic curve cryptography.
- Short Weierstrass curve with ECDSA signatures
+- Short Weierstrass, Edwards, Montgomery curves
- Twisted Edwards curve with EdDSA signatures
+- ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
- Montgomery curve for ECDH key agreement
+- [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
  for encoding or hashing an arbitrary string to a point on an elliptic curve
 - [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash
 - 🏎 [Ultra-fast](#speed), hand-optimized for caveats of JS engines
 - 🔍 Unique tests ensure correctness. Wycheproof vectors included
 - 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
-To keep the package minimal, no curve definitions are provided out-of-box. Use `micro-curve-definitions` module:
+Package consists of two parts:
- It provides P192, P224, P256, P384, P521, secp256k1, stark curve, bn254, pasta (pallas/vesta) short weierstrass curves
+1. `abstract/` directory specifies zero-dependency EC algorithms
- It also provides ed25519 and ed448 twisted edwards curves
+2. root directory utilizes one dependency `@noble/hashes` and provides ready-to-use:
- Main reason for separate package is the fact hashing library (like `@noble/hashes`) is required for full functionality
+   - NIST curves secp192r1/P192, secp224r1/P224, secp256r1/P256, secp384r1/P384, secp521r1/P521
- We may reconsider merging packages in future, when a stable version would be ready
+   - SECG curve secp256k1
   - pairing-friendly curves bls12-381, bn254
   - ed25519/curve25519/x25519/ristretto, edwards448/curve448/x448 RFC7748 / RFC8032 / ZIP215 stuff
-Future plans:
+Curves incorporate work from previous noble packages
-
+([secp256k1](https://github.com/paulmillr/noble-secp256k1),
- hash to curve standard
+[ed25519](https://github.com/paulmillr/noble-ed25519),
- point indistinguishability
+[bls12-381](https://github.com/paulmillr/noble-bls12-381)),
- pairings
+which had security audits and were developed from 2019 to 2022.
 Check out [Upgrading](#upgrading) section if you've used them before.
 ### This library belongs to _noble_ crypto
 > **noble-crypto** — high-security, easily auditable set of contained cryptographic libraries and tools.
- No dependencies, small files
+- Minimal dependencies, small files
 - Easily auditable TypeScript/JS code
 - Supported in all major browsers and stable node.js versions
 - All releases are signed with PGP keys
 - Check out [homepage](https://paulmillr.com/noble/) & all libraries:
-  [secp256k1](https://github.com/paulmillr/noble-secp256k1),
+  [curves](https://github.com/paulmillr/noble-curves) ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
  [ed25519](https://github.com/paulmillr/noble-ed25519),
-  [bls12-381](https://github.com/paulmillr/noble-bls12-381),
+  [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
-  [hashes](https://github.com/paulmillr/noble-hashes),
+  [hashes](https://github.com/paulmillr/noble-hashes)
  [curves](https://github.com/paulmillr/noble-curves)
 ## Usage
@@ -44,82 +51,124 @@ Use NPM in node.js / browser, or include single file from
 The library does not have an entry point. It allows you to select specific primitives and drop everything else. If you only want to use secp256k1, just use the library with rollup or other bundlers. This is done to make your bundles tiny.
 ```ts
-import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
+// Common.js and ECMAScript Modules (ESM)
-import { sha256 } from '@noble/hashes/sha256';
+import { secp256k1 } from '@noble/curves/secp256k1';
 const key = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(key);
 const msg = new Uint8Array(32).fill(1);
 const sig = secp256k1.sign(msg, key);
 secp256k1.verify(sig, msg, pub) === true;
 sig.recoverPublicKey(msg) === pub;
 const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
 const shared = secp256k1.getSharedSecret(key, someonesPub);
 ```
 All curves:
 ```ts
 import { secp256k1 } from '@noble/curves/secp256k1';
 import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
 import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
 import { p256 } from '@noble/curves/p256';
 import { p384 } from '@noble/curves/p384';
 import { p521 } from '@noble/curves/p521';
 import { pallas, vesta } from '@noble/curves/pasta';
 import * as stark from '@noble/curves/stark';
 import { bls12_381 } from '@noble/curves/bls12-381';
 import { bn254 } from '@noble/curves/bn';
 import { jubjub } from '@noble/curves/jubjub';
 ```
 To define a custom curve, check out API below.
 ## API
 - [Overview](#overview)
 - [abstract/edwards: Twisted Edwards curve](#abstractedwards-twisted-edwards-curve)
 - [abstract/montgomery: Montgomery curve](#abstractmontgomery-montgomery-curve)
 - [abstract/weierstrass: Short Weierstrass curve](#abstractweierstrass-short-weierstrass-curve)
 - [abstract/hash-to-curve: Hashing strings to curve points](#abstracthash-to-curve-hashing-strings-to-curve-points)
 - [abstract/poseidon: Poseidon hash](#abstractposeidon-poseidon-hash)
 - [abstract/modular](#abstractmodular)
 - [abstract/utils](#abstractutils)
 ### Overview
 There are following zero-dependency abstract algorithms:
 ```ts
 import { bls } from '@noble/curves/abstract/bls';
 import { twistedEdwards } from '@noble/curves/abstract/edwards';
 import { montgomery } from '@noble/curves/abstract/montgomery';
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
 import * as mod from '@noble/curves/abstract/modular';
 import * as utils from '@noble/curves/abstract/utils';
 ```
 They allow to define a new curve in a few lines of code:
 ```ts
 import { Fp } from '@noble/curves/abstract/modular';
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
 import { hmac } from '@noble/hashes/hmac';
 import { sha256 } from '@noble/hashes/sha256';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
 const secp256k1 = weierstrass({
  a: 0n,
  b: 7n,
-  P: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
+  Fp: Fp(2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n),
-  n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
+  n: 2n ** 256n - 432420386565659656852420866394968145599n,
  Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
  Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
  hash: sha256,
-  hmac: (k: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)),
+  hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)),
  randomBytes,
 });
 const key = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(key);
 const msg = randomBytes(32);
 const sig = secp256k1.sign(msg, key);
 secp256k1.verify(sig, msg, pub); // true
 sig.recoverPublicKey(msg); // == pub
 const someonesPubkey = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
 const shared = secp256k1.getSharedSecret(key, someonesPubkey);
 ```
-## API
+- To initialize new curve, you must specify its variables, order (number of points on curve), field prime (over which the modular division would be done)
-
+- All curves expose same generic interface:
- [Overview](#overview)
+  - `getPublicKey()`, `sign()`, `verify()` functions
- [edwards: Twisted Edwards curve](#edwards-twisted-edwards-curve)
+  - `Point` conforming to `Group` interface with add/multiply/double/negate/add/equals methods
- [montgomery: Montgomery curve](#montgomery-montgomery-curve)
+  - `CURVE` object with curve variables like `Gx`, `Gy`, `Fp` (field), `n` (order)
- [weierstrass: Short Weierstrass curve](#weierstrass-short-weierstrass-curve)
+  - `utils` object with `randomPrivateKey()`, `mod()`, `invert()` methods (`mod CURVE.P`)
- [modular](#modular)
+- All arithmetics is done with JS bigints over finite fields, which is defined from `modular` sub-module
- [utils](#utils)
+- Many features require hashing, which is not provided. `@noble/hashes` can be used for this purpose.
 ### Overview
 * To initialize new curve, you must specify its variables, order (number of points on curve), field prime (over which the modular division would be done)
 * All curves expose same generic interface:
    * `getPublicKey()`, `sign()`, `verify()` functions
    * `Point` conforming to `Group` interface with add/multiply/double/negate/add/equals methods
    * `CURVE` object with curve variables like `Gx`, `Gy`, `P` (field), `n` (order)
    * `utils` object with `randomPrivateKey()`, `mod()`, `invert()` methods (`mod CURVE.P`)
 * All arithmetics is done with JS bigints over finite fields
 * Many features require hashing, which is not provided. `@noble/hashes` can be used for this purpose.
  Any other library must conform to the CHash interface:
-    ```ts
+  ```ts
-    export type CHash = {
+  export type CHash = {
-      (message: Uint8Array): Uint8Array;
+    (message: Uint8Array): Uint8Array;
-      blockLen: number; outputLen: number; create(): any;
+    blockLen: number;
-    };
+    outputLen: number;
-    ```
+    create(): any;
-* w-ary non-adjacent form (wNAF) method with constant-time adjustments is used for point multiplication.
+  };
  ```
 - w-ary non-adjacent form (wNAF) method with constant-time adjustments is used for point multiplication.
  It is possible to enable precomputes for edwards & weierstrass curves.
-  Precomputes are calculated once (takes ~20-40ms), after that most `G` multiplications
+  Precomputes are calculated once (takes ~20-40ms), after that most `G` base point multiplications:
-  - for example, `getPublicKey()`, `sign()` and similar methods - would be much faster.
+  for example, `getPublicKey()`, `sign()` and similar methods - would be much faster.
-  Use `curve.utils.precompute()`
+  Use `curve.utils.precompute()` to adjust precomputation window size
-* Special params that tune performance can be optionally provided. For example:
+- You could use optional special params to tune performance:
-    * `sqrtMod` square root calculation, used for point decompression
+  - `Fp({sqrt})` square root calculation, used for point decompression
-    * `endo` endomorphism options for Koblitz curves
+  - `endo` endomorphism options for Koblitz curves
-### edwards: Twisted Edwards curve
+### abstract/edwards: Twisted Edwards curve
 Twisted Edwards curve's formula is: ax² + y² = 1 + dx²y².
-* You must specify curve params `a`, `d`, field `P`, order `n`, cofactor `h`, and coordinates `Gx`, `Gy` of generator point.
+- You must specify curve params `a`, `d`, field `Fp`, order `n`, cofactor `h` and coordinates `Gx`, `Gy` of generator point
-* For EdDSA signatures, params `hash` is also required. `adjustScalarBytes` which instructs how to change private scalars could be specified.
+- For EdDSA signatures, params `hash` is also required. `adjustScalarBytes` which instructs how to change private scalars could be specified
 ```typescript
-import { twistedEdwards } from '@noble/curves/edwards'; // Twisted Edwards curve
+import { twistedEdwards } from '@noble/curves/abstract/edwards';
 import { div } from '@noble/curves/abstract/modular';
 import { sha512 } from '@noble/hashes/sha512';
 import * as mod from '@noble/curves/modular';
 const ed25519 = twistedEdwards({
  a: -1n,
-  d: mod.div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
+  d: div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
  P: 2n ** 255n - 19n,
  n: 2n ** 252n + 27742317777372353535851937790883648493n,
  h: 8n,
@@ -127,14 +176,19 @@ const ed25519 = twistedEdwards({
  Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
  hash: sha512,
  randomBytes,
-  adjustScalarBytes(bytes) { // optional
+  adjustScalarBytes(bytes) {
    // optional in general, mandatory in ed25519
    bytes[0] &= 248;
    bytes[31] &= 127;
    bytes[31] |= 64;
    return bytes;
  },
 } as const);
-ed25519.getPublicKey(ed25519.utils.randomPrivateKey());
+const key = ed25519.utils.randomPrivateKey();
 const pub = ed25519.getPublicKey(key);
 const msg = new TextEncoder().encode('hello world'); // strings not accepted, must be Uint8Array
 const sig = ed25519.sign(msg, key);
 ed25519.verify(sig, msg, pub) === true;
 ```
 `twistedEdwards()` returns `CurveFn` of following type:
@@ -149,8 +203,6 @@ export type CurveFn = {
  ExtendedPoint: ExtendedPointConstructor;
  Signature: SignatureConstructor;
  utils: {
    mod: (a: bigint, b?: bigint) => bigint;
    invert: (number: bigint, modulo?: bigint) => bigint;
    randomPrivateKey: () => Uint8Array;
    getExtendedPublicKey: (key: PrivKey) => {
      head: Uint8Array;
@@ -163,7 +215,7 @@ export type CurveFn = {
 };
 ```
-### montgomery: Montgomery curve
+### abstract/montgomery: Montgomery curve
 For now the module only contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
@@ -172,6 +224,8 @@ Proper Elliptic Curve Points are not implemented yet.
 You must specify curve field, `a24` special variable, `montgomeryBits`, `nByteLength`, and coordinate `u` of generator point.
 ```typescript
 import { montgomery } from '@noble/curves/abstract/montgomery';
 const x25519 = montgomery({
  P: 2n ** 255n - 19n,
  a24: 121665n, // TODO: change to a
@@ -180,7 +234,9 @@ const x25519 = montgomery({
  Gu: '0900000000000000000000000000000000000000000000000000000000000000',
  // Optional params
-  powPminus2: (x: bigint): bigint => { return mod.pow(x, P-2, P); },
+  powPminus2: (x: bigint): bigint => {
    return mod.pow(x, P - 2, P);
  },
  adjustScalarBytes(bytes) {
    bytes[0] &= 248;
    bytes[31] &= 127;
@@ -190,27 +246,27 @@ const x25519 = montgomery({
 });
 ```
-### weierstrass: Short Weierstrass curve
+### abstract/weierstrass: Short Weierstrass curve
 Short Weierstrass curve's formula is: y² = x³ + ax + b. Uses deterministic ECDSA from RFC6979. You can also specify `extraEntropy` in `sign()`.
-* You must specify curve params: `a`, `b`; field `P`; curve order `n`; coordinates `Gx`, `Gy` of generator point
+- You must specify curve params: `a`, `b`, field `Fp`, order `n`, cofactor `h` and coordinates `Gx`, `Gy` of generator point
-* For ECDSA, you must specify `hash`, `hmac`. It is also possible to recover keys from signatures
+- For ECDSA, you must specify `hash`, `hmac`. It is also possible to recover keys from signatures
-* For ECDH, use `getSharedSecret(privKeyA, pubKeyB)`
+- For ECDH, use `getSharedSecret(privKeyA, pubKeyB)`
-* Optional params are `lowS` (default value), `sqrtMod` (square root chain) and `endo` (endomorphism)
+- Optional params are `lowS` (default value) and `endo` (endomorphism)
 ```typescript
-import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
+import { Fp } from '@noble/curves/abstract/modular';
 import { weierstrass } from '@noble/curves/abstract/weierstrass'; // Short Weierstrass curve
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
 const secp256k1 = weierstrass({
  // Required params
  a: 0n,
  b: 7n,
-  P: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
+  Fp: Fp(2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n),
-  n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
+  n: 2n ** 256n - 432420386565659656852420866394968145599n,
  Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
  Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
  hash: sha256,
@@ -218,19 +274,15 @@ const secp256k1 = weierstrass({
  randomBytes,
  // Optional params
-  // Cofactor
+  h: 1n, // Cofactor
-  h: BigInt(1),
+  lowS: true, // Allow only low-S signatures by default in sign() and verify()
  // Allow only low-S signatures by default in sign() and verify()
  lowS: true,
  // More efficient curve-specific implementation of square root
  sqrtMod(y: bigint) { return sqrt(y); },
  // Endomorphism options
  endo: {
    // Endomorphism options for Koblitz curve
    // Beta param
-    beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+    beta: 0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501een,
    // Split scalar k into k1, k2
    splitScalar: (k: bigint) => {
-      return { k1neg: true, k1: 512n, k2neg: false, k2: 448n };
+      // return { k1neg: true, k1: 512n, k2neg: false, k2: 448n };
    },
  },
 });
@@ -252,17 +304,18 @@ const shared = secp256k1.getSharedSecret(key, someonesPubkey);
 export type CurveFn = {
  CURVE: ReturnType<typeof validateOpts>;
  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  getSharedSecret: (privateA: PrivKey, publicB: PubKey, isCompressed?: boolean) => Uint8Array;
+  getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
  verify: (
-    signature: Hex | SignatureType, msgHash: Hex, publicKey: PubKey, opts?: {lowS?: boolean;}
+    signature: Hex | SignatureType,
    msgHash: Hex,
    publicKey: Hex,
    opts?: { lowS?: boolean }
  ) => boolean;
  Point: PointConstructor;
-  JacobianPoint: JacobianPointConstructor;
+  ProjectivePoint: ProjectivePointConstructor;
  Signature: SignatureConstructor;
  utils: {
    mod: (a: bigint, b?: bigint) => bigint;
    invert: (number: bigint, modulo?: bigint) => bigint;
    isValidPrivateKey(privateKey: PrivKey): boolean;
    hashToPrivateKey: (hash: Hex) => Uint8Array;
    randomPrivateKey: () => Uint8Array;
@@ -270,23 +323,100 @@ export type CurveFn = {
 };
 ```
-### modular
+### abstract/hash-to-curve: Hashing strings to curve points
 The module allows to hash arbitrary strings to elliptic curve points.
 - `expand_message_xmd` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1) produces a uniformly random byte string using a cryptographic hash function H that outputs b bits..
    ```ts
    function expand_message_xmd(
      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash
    ): Uint8Array;
    function expand_message_xof(
      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash
    ): Uint8Array;
    ```
 - `hash_to_field(msg, count, options)` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3)
 hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
    * `msg` a byte string containing the message to hash
    * `count` the number of elements of F to output
    * `options` `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
    * Returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
    ```ts
    function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
    type htfOpts = {
      // DST: a domain separation tag
      // defined in section 2.2.5
      DST: string;
      // p: the characteristic of F
      //    where F is a finite field of characteristic p and order q = p^m
      p: bigint;
      // m: the extension degree of F, m >= 1
      //     where F is a finite field of characteristic p and order q = p^m
      m: number;
      // k: the target security level for the suite in bits
      // defined in section 5.1
      k: number;
      // option to use a message that has already been processed by
      // expand_message_xmd
      expand?: 'xmd' | 'xof';
      // Hash functions for: expand_message_xmd is appropriate for use with a
      // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
      // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
      // TODO: verify that hash is shake if expand==='xof' via types
      hash: CHash;
    };
    ```
 ### abstract/poseidon: Poseidon hash
 Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
 There are many poseidon instances with different constants. We don't provide them,
 but we provide ability to specify them manually. For actual usage, check out
 stark curve source code.
 ```ts
 import { poseidon } from '@noble/curves/abstract/poseidon';
 type PoseidonOpts = {
  Fp: Field<bigint>;
  t: number;
  roundsFull: number;
  roundsPartial: number;
  sboxPower?: number;
  reversePartialPowIdx?: boolean; // Hack for stark
  mds: bigint[][];
  roundConstants: bigint[][];
 };
 const instance = poseidon(opts: PoseidonOpts);
 ```
 ### abstract/modular
 Modular arithmetics utilities.
 ```typescript
-import * as mod from '@noble/curves/modular';
+import { Fp, mod, invert, div, invertBatch, sqrt } from '@noble/curves/abstract/modular';
-mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
+const fp = Fp(2n ** 255n - 19n); // Finite field over 2^255-19
-mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
+fp.mul(591n, 932n);
-mod.div(5n, 17n, 10n); // 5/17 mod 10 == 5 * invert(17) mod 10; division
+fp.pow(481n, 11024858120n);
-mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
+
-mod.sqrt(21n, 73n); // sqrt(21) mod 73; square root
+// Generic non-FP utils are also available
 mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
 invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
 div(5n, 17n, 10n); // 5/17 mod 10 == 5 * invert(17) mod 10; division
 invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
 sqrt(21n, 73n); // √21 mod 73; square root
 ```
-### utils
+### abstract/utils
 ```typescript
-import * as utils from '@noble/curves/utils';
+import * as utils from '@noble/curves/abstract/utils';
 utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.hexToBytes('deadbeef');
@@ -315,61 +445,94 @@ We consider infrastructure attacks like rogue NPM modules very important; that's
 Benchmark results on Apple M2 with node v18.10:
 ```
-==== secp256k1 ====
+secp256k1
-  - getPublicKey1 (samples: 10000)
+init x 57 ops/sec @ 17ms/op
-    noble_old x 8,131 ops/sec @ 122μs/op
+getPublicKey x 4,946 ops/sec @ 202μs/op
-    secp256k1 x 7,374 ops/sec @ 135μs/op
+sign x 3,914 ops/sec @ 255μs/op
-  - getPublicKey255 (samples: 10000)
+verify x 682 ops/sec @ 1ms/op
-    noble_old x 7,894 ops/sec @ 126μs/op
+getSharedSecret x 427 ops/sec @ 2ms/op
-    secp256k1 x 7,327 ops/sec @ 136μs/op
+recoverPublicKey x 683 ops/sec @ 1ms/op
-  - sign (samples: 5000)
+schnorr.sign x 539 ops/sec @ 1ms/op
-    noble_old x 5,243 ops/sec @ 190μs/op
+schnorr.verify x 716 ops/sec @ 1ms/op
-    secp256k1 x 4,834 ops/sec @ 206μs/op
+
-  - getSharedSecret (samples: 1000)
+P256
-    noble_old x 653 ops/sec @ 1ms/op
+init x 30 ops/sec @ 32ms/op
-    secp256k1 x 634 ops/sec @ 1ms/op
+getPublicKey x 5,008 ops/sec @ 199μs/op
-  - verify (samples: 1000)
+sign x 3,970 ops/sec @ 251μs/op
-    secp256k1_old x 1,038 ops/sec @ 962μs/op
+verify x 515 ops/sec @ 1ms/op
-    secp256k1 x 1,009 ops/sec @ 990μs/op
+
-==== ed25519 ====
+P384
-  - getPublicKey (samples: 10000)
+init x 14 ops/sec @ 66ms/op
-    old x 8,632 ops/sec @ 115μs/op
+getPublicKey x 2,434 ops/sec @ 410μs/op
-    noble x 8,390 ops/sec @ 119μs/op
+sign x 1,942 ops/sec @ 514μs/op
-  - sign (samples: 5000)
+verify x 206 ops/sec @ 4ms/op
-    old x 4,376 ops/sec @ 228μs/op
+
-    noble x 4,233 ops/sec @ 236μs/op
+P521
-  - verify (samples: 1000)
+init x 7 ops/sec @ 126ms/op
-    old x 865 ops/sec @ 1ms/op
+getPublicKey x 1,282 ops/sec @ 779μs/op
-    noble x 860 ops/sec @ 1ms/op
+sign x 1,077 ops/sec @ 928μs/op
-==== ed448 ====
+verify x 110 ops/sec @ 9ms/op
-  - getPublicKey (samples: 5000)
+
-    noble x 3,224 ops/sec @ 310μs/op
+ed25519
-  - sign (samples: 2500)
+init x 37 ops/sec @ 26ms/op
-    noble x 1,561 ops/sec @ 640μs/op
+getPublicKey x 8,147 ops/sec @ 122μs/op
-  - verify (samples: 500)
+sign x 3,979 ops/sec @ 251μs/op
-    noble x 313 ops/sec @ 3ms/op
+verify x 848 ops/sec @ 1ms/op
-==== nist ====
+
-  - getPublicKey (samples: 2500)
+ed448
-    P256 x 7,993 ops/sec @ 125μs/op
+init x 17 ops/sec @ 58ms/op
-    P384 x 3,819 ops/sec @ 261μs/op
+getPublicKey x 3,083 ops/sec @ 324μs/op
-    P521 x 2,074 ops/sec @ 481μs/op
+sign x 1,473 ops/sec @ 678μs/op
-  - sign (samples: 1000)
+verify x 323 ops/sec @ 3ms/op
-    P256 x 5,327 ops/sec @ 187μs/op
+
-    P384 x 2,728 ops/sec @ 366μs/op
+bls12-381
-    P521 x 1,594 ops/sec @ 626μs/op
+init x 30 ops/sec @ 33ms/op
-  - verify (samples: 250)
+getPublicKey x 788 ops/sec @ 1ms/op
-    P256 x 806 ops/sec @ 1ms/op
+sign x 45 ops/sec @ 21ms/op
-    P384 x 353 ops/sec @ 2ms/op
+verify x 32 ops/sec @ 30ms/op
-    P521 x 171 ops/sec @ 5ms/op
+pairing x 88 ops/sec @ 11ms/op
-==== stark ====
+
-  - pedersen (samples: 500)
+stark
-    old x 85 ops/sec @ 11ms/op
+init x 31 ops/sec @ 31ms/op
-    noble x 1,216 ops/sec @ 822μs/op
+pedersen
-  - verify (samples: 500)
+├─old x 84 ops/sec @ 11ms/op
-    old x 302 ops/sec @ 3ms/op
+└─noble x 802 ops/sec @ 1ms/op
-    noble x 698 ops/sec @ 1ms/op
+poseidon x 7,466 ops/sec @ 133μs/op
 verify
 ├─old x 300 ops/sec @ 3ms/op
 └─noble x 474 ops/sec @ 2ms/op
 ```
 ## Upgrading
 If you're coming from single-curve noble packages, the following changes need to be kept in mind:
 - 2d affine (x, y) points have been removed to reduce complexity and improve speed
 - Removed `number` support as a type for private keys. `bigint` is still supported
 - `mod`, `invert` are no longer present in `utils`. Use `@noble/curves/abstract/modular.js` now.
 Upgrading from @noble/secp256k1 1.7:
 - Compressed (33-byte) public keys are now returned by default, instead of uncompressed
 - Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
 - `sign()`
    - `der`, `recovered` options were removed
    - `canonical` was renamed to `lowS`
    - Return type is now `{ r: bigint, s: bigint, recovery: number }` instance of `Signature`
 - `verify()`
    - `strict` was renamed to `lowS`
 - `recoverPublicKey()`: moved to sig instance `Signature#recoverPublicKey(msgHash)`
 - `Point` was removed: use `ProjectivePoint` in xyz coordinates
 - `utils`: Many methods were removed, others were moved to `schnorr` namespace
 Upgrading from @noble/ed25519 1.7:
 - Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
 - ed25519ph, ed25519ctx
 - `Point` was removed: use `ExtendedPoint` in xyzt coordinates
 - `Signature` was removed
 - `getSharedSecret` was removed: use separate x25519 sub-module
 ## Contributing & testing
 1. Clone the repository
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,18 @@
 # Security Policy
 ## Supported Versions
 | Version | Supported          |
 | ------- | ------------------ |
 | >=0.5.0   | :white_check_mark: |
 | <0.5.0   | :x:                |
 ## Reporting a Vulnerability
 Use maintainer's email specified at https://github.com/paulmillr.
 It's preferred that you use
 PGP key from [pgp proof](https://paulmillr.com/pgp_proof.txt) (current is [697079DA6878B89B](https://paulmillr.com/pgp_proof.txt)).
 Ensure the pgp proof page has maintainer's site/github specified.
 You will get an update as soon as the email is read; a "Security vulnerability" phrase in email's title would help.
--- a/benchmark/_shared.js
+++ b/benchmark/_shared.js
@@ -0,0 +1,7 @@
 export function generateData(curve) {
  const priv = curve.utils.randomPrivateKey();
  const pub = curve.getPublicKey(priv);
  const msg = curve.utils.randomPrivateKey();
  const sig = curve.sign(msg, priv);
  return { priv, pub, msg, sig };
 }
--- a/benchmark/bls.js
+++ b/benchmark/bls.js
@@ -0,0 +1,52 @@
 import { readFileSync } from 'fs';
 import { mark, run } from 'micro-bmark';
 import { bls12_381 as bls } from '../lib/bls12-381.js';
 const G2_VECTORS = readFileSync('../test/bls12-381/bls12-381-g2-test-vectors.txt', 'utf-8')
  .trim()
  .split('\n')
  .map((l) => l.split(':'));
 run(async () => {
  console.log(`\x1b[36mbls12-381\x1b[0m`);
  let p1, p2, sig;
  await mark('init', 1, () => {
    p1 =
      bls.G1.ProjectivePoint.BASE.multiply(
        0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4cn
      );
    p2 =
      bls.G2.ProjectivePoint.BASE.multiply(
        0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4dn
      );
    bls.pairing(p1, p2);
  });
  const priv = '28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4c';
  sig = bls.sign('09', priv);
  const pubs = G2_VECTORS.map((v) => bls.getPublicKey(v[0]));
  const sigs = G2_VECTORS.map((v) => v[2]);
  const pub = bls.getPublicKey(priv);
  const pub512 = pubs.slice(0, 512); // .map(bls.PointG1.fromHex)
  const pub32 = pub512.slice(0, 32);
  const pub128 = pub512.slice(0, 128);
  const pub2048 = pub512.concat(pub512, pub512, pub512);
  const sig512 = sigs.slice(0, 512); // .map(bls.PointG2.fromSignature);
  const sig32 = sig512.slice(0, 32);
  const sig128 = sig512.slice(0, 128);
  const sig2048 = sig512.concat(sig512, sig512, sig512);
  await mark('getPublicKey 1-bit', 1000, () => bls.getPublicKey('2'.padStart(64, '0')));
  await mark('getPublicKey', 1000, () => bls.getPublicKey(priv));
  await mark('sign', 50, () => bls.sign('09', priv));
  await mark('verify', 50, () => bls.verify(sig, '09', pub));
  await mark('pairing', 100, () => bls.pairing(p1, p2));
  await mark('aggregatePublicKeys/8', 100, () => bls.aggregatePublicKeys(pubs.slice(0, 8)));
  await mark('aggregatePublicKeys/32', 50, () => bls.aggregatePublicKeys(pub32));
  await mark('aggregatePublicKeys/128', 20, () => bls.aggregatePublicKeys(pub128));
  await mark('aggregatePublicKeys/512', 10, () => bls.aggregatePublicKeys(pub512));
  await mark('aggregatePublicKeys/2048', 5, () => bls.aggregatePublicKeys(pub2048));
  await mark('aggregateSignatures/8', 100, () => bls.aggregateSignatures(sigs.slice(0, 8)));
  await mark('aggregateSignatures/32', 50, () => bls.aggregateSignatures(sig32));
  await mark('aggregateSignatures/128', 20, () => bls.aggregateSignatures(sig128));
  await mark('aggregateSignatures/512', 10, () => bls.aggregateSignatures(sig512));
  await mark('aggregateSignatures/2048', 5, () => bls.aggregateSignatures(sig2048));
 });
--- a/benchmark/curves.js
+++ b/benchmark/curves.js
@@ -0,0 +1,23 @@
 import { run, mark, utils } from 'micro-bmark';
 import { generateData } from './_shared.js';
 import { P256 } from '../lib/p256.js';
 import { P384 } from '../lib/p384.js';
 import { P521 } from '../lib/p521.js';
 import { ed25519 } from '../lib/ed25519.js';
 import { ed448 } from '../lib/ed448.js';
 run(async () => {
  const RAM = false
  for (let kv of Object.entries({ P256, P384, P521, ed25519, ed448 })) {
    const [name, curve] = kv;
    console.log();
    console.log(`\x1b[36m${name}\x1b[0m`);
    if (RAM) utils.logMem();
    await mark('init', 1, () => curve.utils.precompute(8));
    const d = generateData(curve);
    await mark('getPublicKey', 5000, () => curve.getPublicKey(d.priv));
    await mark('sign', 5000, () => curve.sign(d.msg, d.priv));
    await mark('verify', 500, () => curve.verify(d.sig, d.msg, d.pub));
    if (RAM) utils.logMem();
  }
 });
--- a/benchmark/package.json
+++ b/benchmark/package.json
@@ -0,0 +1,22 @@
 {
  "name": "benchmark",
  "private": true,
  "version": "0.1.0",
  "description": "benchmarks",
  "main": "index.js",
  "type": "module",
  "scripts": {
    "bench": "node index.js"
  },
  "keywords": [],
  "author": "",
  "license": "MIT",
  "devDependencies": {
    "micro-bmark": "0.3.0"
  },
  "dependencies": {
    "@noble/hashes": "^1.1.5",
    "@starkware-industries/starkware-crypto-utils": "^0.0.2",
    "elliptic": "^6.5.4"
  }
 }
--- a/benchmark/secp256k1.js
+++ b/benchmark/secp256k1.js
@@ -0,0 +1,22 @@
 import { run, mark, utils } from 'micro-bmark';
 import { secp256k1, schnorr } from '../lib/secp256k1.js';
 import { generateData } from './_shared.js';
 run(async () => {
  const RAM = false;
  if (RAM) utils.logMem();
  console.log(`\x1b[36msecp256k1\x1b[0m`);
  await mark('init', 1, () => secp256k1.utils.precompute(8));
  const d = generateData(secp256k1);
  await mark('getPublicKey', 10000, () => secp256k1.getPublicKey(d.priv));
  await mark('sign', 10000, () => secp256k1.sign(d.msg, d.priv));
  await mark('verify', 1000, () => secp256k1.verify(d.sig, d.msg, d.pub));
  const pub2 = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
  await mark('getSharedSecret', 1000, () => secp256k1.getSharedSecret(d.priv, pub2));
  await mark('recoverPublicKey', 1000, () => d.sig.recoverPublicKey(d.msg));
  const s = schnorr.sign(d.msg, d.priv);
  const spub = schnorr.getPublicKey(d.priv);
  await mark('schnorr.sign', 1000, () => schnorr.sign(d.msg, d.priv));
  await mark('schnorr.verify', 1000, () => schnorr.verify(s, d.msg, spub));
  if (RAM) utils.logMem();
 });
--- a/benchmark/stark.js
+++ b/benchmark/stark.js
@@ -0,0 +1,56 @@
 import { run, mark, compare, utils } from 'micro-bmark';
 import * as starkwareCrypto from '@starkware-industries/starkware-crypto-utils';
 import * as stark from '../lib/stark.js';
 run(async () => {
  const RAM = false;
  if (RAM) utils.logMem();
  console.log(`\x1b[36mstark\x1b[0m`);
  await mark('init', 1, () => stark.utils.precompute(8));
  const d = (() => {
    const priv = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
    const msg = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
    const pub = stark.getPublicKey(priv);
    const sig = stark.sign(msg, priv);
    const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
    const msgHash = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
    const keyPair = starkwareCrypto.default.ec.keyFromPrivate(privateKey, 'hex');
    const publicKeyStark = starkwareCrypto.default.ec.keyFromPublic(
      keyPair.getPublic(true, 'hex'),
      'hex'
    );
    return { priv, sig, msg, pub, publicKeyStark, msgHash, keyPair };
  })();
  await compare('pedersen', 500, {
    old: () => {
      return starkwareCrypto.default.pedersen([
        '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
        '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a',
      ]);
    },
    noble: () => {
      return stark.pedersen(
        '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
        '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
      );
    },
  });
  await mark('poseidon', 10000, () => stark.poseidonHash(
    0x3d937c035c878245caf64531a5756109c53068da139362728feb561405371cbn,
    0x208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31an
  ));
  await compare('verify', 500, {
    old: () => {
      return starkwareCrypto.default.verify(
        d.publicKeyStark,
        d.msgHash,
        starkwareCrypto.default.sign(d.keyPair, d.msgHash)
      );
    },
    noble: () => {
      return stark.verify(stark.sign(d.msg, d.priv), d.msg, d.pub);
    },
  });
  if (RAM) utils.logMem();
 });
--- a/curve-definitions/LICENSE
+++ b/curve-definitions/LICENSE
@@ -1,21 +0,0 @@
 The MIT License (MIT)
 Copyright (c) 2022 Paul Miller (https://paulmillr.com)
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the “Software”), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
--- a/curve-definitions/README.md
+++ b/curve-definitions/README.md
@@ -1,28 +0,0 @@
 # micro-curve-definitions
 Elliptic curves implementations. `@noble/curves` is zero-dependency library for internal arithmetics.
 `micro-curve-definitions` is the actual implementations. Current functionality:
 - NIST curves: P192, P224, P256, P384, P521 (ECDSA)
 - secp256k1 (ECDSA, without Schnorr)
 - stark curve
 - bn254
 Pairings are not implemented.
 ## Usage
 ```sh
 npm install micro-curve-definitions
 ```
 ```ts
 import * as nist from 'micro-curve-definitions';
 // P192, P224, P256, P384, P521, bn254
 ```
 ## License
 MIT (c) Paul Miller [(https://paulmillr.com)](https://paulmillr.com), see LICENSE file.
--- a/curve-definitions/benchmark/index.js
+++ b/curve-definitions/benchmark/index.js
@@ -1,397 +0,0 @@
 import * as bench from 'micro-bmark';
 const { run, mark } = bench; // or bench.mark
 import { readFileSync } from 'fs';
 // Curves
 import { secp256k1 } from '../lib/secp256k1.js';
 import { P256 } from '../lib/p256.js';
 import { P384 } from '../lib/p384.js';
 import { P521 } from '../lib/p521.js';
 import { ed25519 } from '../lib/ed25519.js';
 import { ed448 } from '../lib/ed448.js';
 import { bls12_381 as bls } from '../lib/bls12-381.js';
 // Others
 import { hmac } from '@noble/hashes/hmac';
 import { sha256 } from '@noble/hashes/sha256';
 import { sha512 } from '@noble/hashes/sha512';
 import * as old_secp from '@noble/secp256k1';
 import * as old_bls from '@noble/bls12-381';
 import { concatBytes, hexToBytes } from '@noble/hashes/utils';
 import * as starkwareCrypto from '@starkware-industries/starkware-crypto-utils';
 import * as stark from '../lib/stark.js';
 old_secp.utils.sha256Sync = (...msgs) =>
  sha256
    .create()
    .update(concatBytes(...msgs))
    .digest();
 old_secp.utils.hmacSha256Sync = (key, ...msgs) =>
  hmac
    .create(sha256, key)
    .update(concatBytes(...msgs))
    .digest();
 import * as noble_ed25519 from '@noble/ed25519';
 noble_ed25519.utils.sha512Sync = (...m) => sha512(concatBytes(...m));
 // BLS
 const G2_VECTORS = readFileSync('../test/bls12-381/bls12-381-g2-test-vectors.txt', 'utf-8')
  .trim()
  .split('\n')
  .map((l) => l.split(':'));
 let p1, p2, oldp1, oldp2;
 // /BLS
 for (let item of [secp256k1, ed25519, ed448, P256, P384, P521, old_secp, noble_ed25519]) {
  item.utils.precompute(8);
 }
 const ONLY_NOBLE = process.argv[2] === 'noble';
 function generateData(namespace) {
  const priv = namespace.utils.randomPrivateKey();
  const pub = namespace.getPublicKey(priv);
  const msg = namespace.utils.randomPrivateKey();
  const sig = namespace.sign(msg, priv);
  return { priv, pub, msg, sig };
 }
 export const CURVES = {
  secp256k1: {
    data: () => {
      return generateData(secp256k1);
    },
    getPublicKey1: {
      samples: 10000,
      secp256k1_old: () => old_secp.getPublicKey(3n),
      secp256k1: () => secp256k1.getPublicKey(3n),
    },
    getPublicKey255: {
      samples: 10000,
      secp256k1_old: () => old_secp.getPublicKey(2n ** 255n - 1n),
      secp256k1: () => secp256k1.getPublicKey(2n ** 255n - 1n),
    },
    sign: {
      samples: 5000,
      secp256k1_old: ({ msg, priv }) => old_secp.signSync(msg, priv),
      secp256k1: ({ msg, priv }) => secp256k1.sign(msg, priv),
    },
    verify: {
      samples: 1000,
      secp256k1_old: ({ sig, msg, pub }) => {
        return old_secp.verify(new old_secp.Signature(sig.r, sig.s), msg, pub);
      },
      secp256k1: ({ sig, msg, pub }) => secp256k1.verify(sig, msg, pub),
    },
    getSharedSecret: {
      samples: 1000,
      secp256k1_old: ({ pub, priv }) => old_secp.getSharedSecret(priv, pub),
      secp256k1: ({ pub, priv }) => secp256k1.getSharedSecret(priv, pub),
    },
    recoverPublicKey: {
      samples: 1000,
      secp256k1_old: ({ sig, msg }) =>
        old_secp.recoverPublicKey(msg, new old_secp.Signature(sig.r, sig.s), sig.recovery),
      secp256k1: ({ sig, msg }) => sig.recoverPublicKey(msg),
    },
  },
  ed25519: {
    data: () => {
      function to32Bytes(numOrStr) {
        const hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
        return hexToBytes(hex.padStart(64, '0'));
      }
      const priv = to32Bytes(0x9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60n);
      const pub = noble_ed25519.sync.getPublicKey(priv);
      const msg = to32Bytes('deadbeefdeadbeefdeadbeefdeadbeefdeadbeef');
      const sig = noble_ed25519.sync.sign(msg, priv);
      return { pub, priv, msg, sig };
    },
    getPublicKey: {
      samples: 10000,
      old: () => noble_ed25519.sync.getPublicKey(noble_ed25519.utils.randomPrivateKey()),
      noble: () => ed25519.getPublicKey(ed25519.utils.randomPrivateKey()),
    },
    sign: {
      samples: 5000,
      old: ({ msg, priv }) => noble_ed25519.sync.sign(msg, priv),
      noble: ({ msg, priv }) => ed25519.sign(msg, priv),
    },
    verify: {
      samples: 1000,
      old: ({ sig, msg, pub }) => noble_ed25519.sync.verify(sig, msg, pub),
      noble: ({ sig, msg, pub }) => ed25519.verify(sig, msg, pub),
    },
  },
  ed448: {
    data: () => {
      const priv = ed448.utils.randomPrivateKey();
      const pub = ed448.getPublicKey(priv);
      const msg = ed448.utils.randomPrivateKey();
      const sig = ed448.sign(msg, priv);
      return { priv, pub, msg, sig };
    },
    getPublicKey: {
      samples: 5000,
      noble: () => ed448.getPublicKey(ed448.utils.randomPrivateKey()),
    },
    sign: {
      samples: 2500,
      noble: ({ msg, priv }) => ed448.sign(msg, priv),
    },
    verify: {
      samples: 500,
      noble: ({ sig, msg, pub }) => ed448.verify(sig, msg, pub),
    },
  },
  nist: {
    data: () => {
      return { p256: generateData(P256), p384: generateData(P384), p521: generateData(P521) };
    },
    getPublicKey: {
      samples: 2500,
      P256: () => P256.getPublicKey(P256.utils.randomPrivateKey()),
      P384: () => P384.getPublicKey(P384.utils.randomPrivateKey()),
      P521: () => P521.getPublicKey(P521.utils.randomPrivateKey()),
    },
    sign: {
      samples: 1000,
      P256: ({ p256: { msg, priv } }) => P256.sign(msg, priv),
      P384: ({ p384: { msg, priv } }) => P384.sign(msg, priv),
      P521: ({ p521: { msg, priv } }) => P521.sign(msg, priv),
    },
    verify: {
      samples: 250,
      P256: ({ p256: { sig, msg, pub } }) => P256.verify(sig, msg, pub),
      P384: ({ p384: { sig, msg, pub } }) => P384.verify(sig, msg, pub),
      P521: ({ p521: { sig, msg, pub } }) => P521.verify(sig, msg, pub),
    },
  },
  stark: {
    data: () => {
      const priv = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
      const msg = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
      const pub = stark.getPublicKey(priv);
      const sig = stark.sign(msg, priv);
      const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
      const msgHash = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
      const keyPair = starkwareCrypto.default.ec.keyFromPrivate(privateKey, 'hex');
      const publicKeyStark = starkwareCrypto.default.ec.keyFromPublic(
        keyPair.getPublic(true, 'hex'),
        'hex'
      );
      return { priv, sig, msg, pub, publicKeyStark, msgHash, keyPair };
    },
    pedersen: {
      samples: 500,
      old: () => {
        return starkwareCrypto.default.pedersen([
          '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
          '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a',
        ]);
      },
      noble: () => {
        return stark.pedersen(
          '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
          '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
        );
      },
    },
    verify: {
      samples: 500,
      old: ({ publicKeyStark, msgHash, keyPair }) => {
        return starkwareCrypto.default.verify(
          publicKeyStark,
          msgHash,
          starkwareCrypto.default.sign(keyPair, msgHash)
        );
      },
      noble: ({ priv, msg, pub }) => {
        return stark.verify(stark.sign(msg, priv), msg, pub);
      },
    },
  },
  'bls12-381': {
    data: async () => {
      const priv = '28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4c';
      const pubs = G2_VECTORS.map((v) => bls.getPublicKey(v[0]));
      const sigs = G2_VECTORS.map((v) => v[2]);
      const pub = bls.getPublicKey(priv);
      const pub512 = pubs.slice(0, 512); // .map(bls.PointG1.fromHex)
      const pub32 = pub512.slice(0, 32);
      const pub128 = pub512.slice(0, 128);
      const pub2048 = pub512.concat(pub512, pub512, pub512);
      const sig512 = sigs.slice(0, 512); // .map(bls.PointG2.fromSignature);
      const sig32 = sig512.slice(0, 32);
      const sig128 = sig512.slice(0, 128);
      const sig2048 = sig512.concat(sig512, sig512, sig512);
      return {
        priv,
        pubs,
        sigs,
        pub,
        pub512,
        pub32,
        pub128,
        pub2048,
        sig32,
        sig128,
        sig512,
        sig2048,
      };
    },
    init: {
      samples: 1,
      old: () => {
        oldp1 =
          old_bls.PointG1.BASE.multiply(
            0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4cn
          );
        oldp2 =
          old_bls.PointG2.BASE.multiply(
            0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4dn
          );
        old_bls.pairing(oldp1, oldp2);
      },
      noble: () => {
        p1 =
          bls.G1.Point.BASE.multiply(
            0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4cn
          );
        p2 =
          bls.G2.Point.BASE.multiply(
            0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4dn
          );
        bls.pairing(p1, p2);
      },
    },
    'getPublicKey (1-bit)': {
      samples: 1000,
      old: () => old_bls.getPublicKey('2'.padStart(64, '0')),
      noble: () => bls.getPublicKey('2'.padStart(64, '0')),
    },
    getPublicKey: {
      samples: 1000,
      old: ({ priv }) => old_bls.getPublicKey(priv),
      noble: ({ priv }) => bls.getPublicKey(priv),
    },
    sign: {
      samples: 50,
      old: ({ priv }) => old_bls.sign('09', priv),
      noble: ({ priv }) => bls.sign('09', priv),
    },
    verify: {
      samples: 50,
      old: ({ pub }) =>
        old_bls.verify(
          '8647aa9680cd0cdf065b94e818ff2bb948cc97838bcee987b9bc1b76d0a0a6e0d85db4e9d75aaedfc79d4ea2733a21ae0579014de7636dd2943d45b87c82b1c66a289006b0b9767921bb8edd3f6c5c5dec0d54cd65f61513113c50cc977849e5',
          '09',
          pub
        ),
      noble: ({ pub }) =>
        bls.verify(
          '8647aa9680cd0cdf065b94e818ff2bb948cc97838bcee987b9bc1b76d0a0a6e0d85db4e9d75aaedfc79d4ea2733a21ae0579014de7636dd2943d45b87c82b1c66a289006b0b9767921bb8edd3f6c5c5dec0d54cd65f61513113c50cc977849e5',
          '09',
          pub
        ),
    },
    pairing: {
      samples: 100,
      old: () => old_bls.pairing(oldp1, oldp2),
      noble: () => bls.pairing(p1, p2),
    },
    // Requires points which we cannot init before (data fn same for all)
    // await mark('sign/nc', 30, () => bls.sign(msgp, priv));
    // await mark('verify/nc', 30, () => bls.verify(sigp, msgp, pubp));
    'aggregatePublicKeys/8': {
      samples: 100,
      old: ({ pubs }) => old_bls.aggregatePublicKeys(pubs.slice(0, 8)),
      noble: ({ pubs }) => bls.aggregatePublicKeys(pubs.slice(0, 8)),
    },
    'aggregatePublicKeys/32': {
      samples: 50,
      old: ({ pub32 }) => old_bls.aggregatePublicKeys(pub32.map(old_bls.PointG1.fromHex)),
      noble: ({ pub32 }) => bls.aggregatePublicKeys(pub32.map(bls.G1.Point.fromHex)),
    },
    'aggregatePublicKeys/128': {
      samples: 20,
      old: ({ pub128 }) => old_bls.aggregatePublicKeys(pub128.map(old_bls.PointG1.fromHex)),
      noble: ({ pub128 }) => bls.aggregatePublicKeys(pub128.map(bls.G1.Point.fromHex)),
    },
    'aggregatePublicKeys/512': {
      samples: 10,
      old: ({ pub512 }) => old_bls.aggregatePublicKeys(pub512.map(old_bls.PointG1.fromHex)),
      noble: ({ pub512 }) => bls.aggregatePublicKeys(pub512.map(bls.G1.Point.fromHex)),
    },
    'aggregatePublicKeys/2048': {
      samples: 5,
      old: ({ pub2048 }) => old_bls.aggregatePublicKeys(pub2048.map(old_bls.PointG1.fromHex)),
      noble: ({ pub2048 }) => bls.aggregatePublicKeys(pub2048.map(bls.G1.Point.fromHex)),
    },
    'aggregateSignatures/8': {
      samples: 50,
      old: ({ sigs }) => old_bls.aggregateSignatures(sigs.slice(0, 8)),
      noble: ({ sigs }) => bls.aggregateSignatures(sigs.slice(0, 8)),
    },
    'aggregateSignatures/32': {
      samples: 10,
      old: ({ sig32 }) => old_bls.aggregateSignatures(sig32.map(old_bls.PointG2.fromSignature)),
      noble: ({ sig32 }) => bls.aggregateSignatures(sig32.map(bls.Signature.decode)),
    },
    'aggregateSignatures/128': {
      samples: 5,
      old: ({ sig128 }) => old_bls.aggregateSignatures(sig128.map(old_bls.PointG2.fromSignature)),
      noble: ({ sig128 }) => bls.aggregateSignatures(sig128.map(bls.Signature.decode)),
    },
    'aggregateSignatures/512': {
      samples: 3,
      old: ({ sig512 }) => old_bls.aggregateSignatures(sig512.map(old_bls.PointG2.fromSignature)),
      noble: ({ sig512 }) => bls.aggregateSignatures(sig512.map(bls.Signature.decode)),
    },
    'aggregateSignatures/2048': {
      samples: 2,
      old: ({ sig2048 }) => old_bls.aggregateSignatures(sig2048.map(old_bls.PointG2.fromSignature)),
      noble: ({ sig2048 }) => bls.aggregateSignatures(sig2048.map(bls.Signature.decode)),
    },
    'hashToCurve/G1': {
      samples: 500,
      old: () => old_bls.PointG1.hashToCurve('abcd'),
      noble: () => bls.G1.Point.hashToCurve('abcd'),
    },
    'hashToCurve/G2': {
      samples: 200,
      old: () => old_bls.PointG2.hashToCurve('abcd'),
      noble: () => bls.G2.Point.hashToCurve('abcd'),
    },
  },
 };
 const main = () =>
  run(async () => {
    for (const [name, curve] of Object.entries(CURVES)) {
      console.log(`==== ${name} ====`);
      const data = await curve.data();
      for (const [fnName, libs] of Object.entries(curve)) {
        if (fnName === 'data') continue;
        const samples = libs.samples;
        console.log(`  - ${fnName} (samples: ${samples})`);
        for (const [lib, fn] of Object.entries(libs)) {
          if (lib === 'samples') continue;
          if (ONLY_NOBLE && lib !== 'noble') continue;
          await mark(`    ${lib}`, samples, () => fn(data));
        }
      }
    }
    // Log current RAM
    bench.logMem();
  });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  main();
 }
--- a/curve-definitions/benchmark/package.json
+++ b/curve-definitions/benchmark/package.json
@@ -1,23 +0,0 @@
 {
    "name": "benchmark",
    "private": true,
    "version": "0.1.0",
    "description": "benchmarks",
    "main": "index.js",
    "type": "module",
    "scripts": {
        "bench": "node index.js"
    },
    "keywords": [],
    "author": "",
    "license": "MIT",
    "devDependencies": {
        "micro-bmark": "0.2.0"
    },
    "dependencies": {
        "@noble/bls12-381": "^1.4.0",
        "@noble/ed25519": "^1.7.1",
        "@noble/secp256k1": "^1.7.0",
        "@starkware-industries/starkware-crypto-utils": "^0.0.2"
    }
 }
--- a/curve-definitions/package.json
+++ b/curve-definitions/package.json
@@ -1,58 +0,0 @@
 {
  "name": "micro-curve-definitions",
  "version": "0.4.0",
  "description": "Curve definitions for @noble/curves",
  "files": [
    "lib"
  ],
  "main": "lib/index.js",
  "module": "lib/index.js",
  "types": "lib/index.d.ts",
  "dependencies": {
    "@noble/curves": "0.4.0",
    "@noble/hashes": "1.1.5"
  },
  "devDependencies": {
    "@scure/base": "~1.1.0",
    "@scure/bip32": "^1.1.1",
    "@scure/bip39": "^1.1.0",
    "@types/node": "18.11.3",
    "fast-check": "3.0.0",
    "micro-should": "0.2.0",
    "prettier": "2.6.2",
    "typescript": "4.7.3"
  },
  "author": "Paul Miller (https://paulmillr.com)",
  "license": "MIT",
  "homepage": "https://github.com/paulmillr/noble-curves",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/paulmillr/noble-curves.git"
  },
  "scripts": {
    "build": "tsc && tsc -p tsconfig.esm.json",
    "lint": "prettier --check src",
    "test": "node test/index.test.js"
  },
  "keywords": [
    "secp192r1",
    "secp224r1",
    "secp256r1",
    "secp384r1",
    "secp521r1",
    "NIST P192",
    "NIST P224",
    "NIST P256",
    "NIST P384",
    "NIST P521",
    "NIST curves",
    "EC",
    "elliptic curves"
  ],
  "funding": [
    {
      "type": "individual",
      "url": "https://paulmillr.com/funding/"
    }
  ]
 }
--- a/curve-definitions/src/ed448.ts
+++ b/curve-definitions/src/ed448.ts
@@ -1,146 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
 import { twistedEdwards } from '@noble/curves/edwards';
 import { mod, pow2, Fp } from '@noble/curves/modular';
 import { montgomery } from '../../lib/montgomery.js';
 /**
 * Edwards448 (not Ed448-Goldilocks) curve with following addons:
 * * X448 ECDH
 * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
 */
 const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
 const ed448P = BigInt(
  '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
 );
 // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
 function ed448_pow_Pminus3div4(x: bigint): bigint {
  const P = ed448P;
  // prettier-ignore
  let [_1n, _2n, _3n, _11n, _22n, _44n, _88n, _223n] = [1, 2, 3, 11, 22, 44, 88, 223]
    .map(n => BigInt(n));
  // x ** ((P - 3n)/4n) % P
  // [223 of 1, 0, 222 of 1], almost same as secp!
  const b2 = (x * x * x) % P;
  const b3 = (b2 * b2 * x) % P;
  const b6 = (pow2(b3, _3n, P) * b3) % P;
  const b9 = (pow2(b6, _3n, P) * b3) % P;
  const b11 = (pow2(b9, _2n, P) * b2) % P;
  const b22 = (pow2(b11, _11n, P) * b11) % P;
  const b44 = (pow2(b22, _22n, P) * b22) % P;
  const b88 = (pow2(b44, _44n, P) * b44) % P;
  const b176 = (pow2(b88, _88n, P) * b88) % P;
  const b220 = (pow2(b176, _44n, P) * b44) % P;
  const b222 = (pow2(b220, _2n, P) * b2) % P;
  const b223 = (pow2(b222, _1n, P) * x) % P;
  return (pow2(b223, _223n, P) * b222) % P;
 }
 function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
  // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
  // significant bit of the last byte to 1.
  bytes[0] &= 252; // 0b11111100
  // and the most significant bit of the last byte to 1.
  bytes[55] |= 128; // 0b10000000
  // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
  bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
  return bytes;
 }
 const ED448_DEF = {
  // Param: a
  a: BigInt(1),
  // -39081. Negative number is P - number
  d: BigInt(
    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
  ),
  // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
  Fp: Fp(ed448P, 456),
  // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
  n: BigInt(
    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
  ),
  nBitLength: 456,
  // Cofactor
  h: BigInt(4),
  // Base point (x, y) aka generator point
  Gx: BigInt(
    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
  ),
  Gy: BigInt(
    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
  ),
  // SHAKE256(dom4(phflag,context)||x, 114)
  hash: shake256_114,
  randomBytes,
  adjustScalarBytes,
  // dom4
  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
    return concatBytes(
      utf8ToBytes('SigEd448'),
      new Uint8Array([phflag ? 1 : 0, ctx.length]),
      ctx,
      data
    );
  },
  // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
  // Uses algo from RFC8032 5.1.3.
  uvRatio: (u: bigint, v: bigint): { isValid: boolean; value: bigint } => {
    const P = ed448P;
    // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
    // To compute the square root of (u/v), the first step is to compute the
    //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
    // following trick, to use a single modular powering for both the
    // inversion of v and the square root:
    //           (p+1)/4    3            (p-3)/4
    // x = (u/v)        = u  v (u^5 v^3)         (mod p)
    const u2v = mod(u * u * v, P);
    const u3v = mod(u2v * u, P); // u^2v
    const u5v3 = mod(u3v * u2v * v, P); // u^5v^3
    const root = ed448_pow_Pminus3div4(u5v3);
    const x = mod(u3v * root, P);
    // Verify that root is exists
    const x2 = mod(x * x, P); // x^2
    // If v * x^2 = u, the recovered x-coordinate is x.  Otherwise, no
    // square root exists, and the decoding fails.
    return { isValid: mod(x2 * v, P) === u, value: x };
  },
 } as const;
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
 export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
 export const x448 = montgomery({
  a24: BigInt(39081),
  montgomeryBits: 448,
  nByteLength: 57,
  P: ed448P,
  Gu: '0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
  powPminus2: (x: bigint): bigint => {
    const P = ed448P;
    const Pminus3div4 = ed448_pow_Pminus3div4(x);
    const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
    return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
  },
  adjustScalarBytes,
  // The 4-isogeny maps between the Montgomery curve and this Edwards
  // curve are:
  //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
  //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
  //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
  //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
  // xyToU: (p: PointType) => {
  //   const P = ed448P;
  //   const { x, y } = p;
  //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
  //   const invX = invert(x * x, P); // x^2
  //   const u = mod(y * y * invX, P); // (y^2/x^2)
  //   return numberToBytesLE(u, 56);
  // },
 });
--- a/curve-definitions/src/p256.ts
+++ b/curve-definitions/src/p256.ts
@@ -1,25 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp } from '@noble/curves/modular';
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 export const P256 = createCurve(
  {
    // Params: a, b
    a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
    b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
    // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
    Fp: Fp(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff')),
    // Curve order, total count of valid points in the field
    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
    // Base point (x, y) aka generator point
    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
    h: BigInt(1),
    lowS: false,
  } as const,
  sha256
 );
 export const secp256r1 = P256;
--- a/curve-definitions/src/p384.ts
+++ b/curve-definitions/src/p384.ts
@@ -1,23 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
 import { Fp } from '@noble/curves/modular';
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 // prettier-ignore
 export const P384 = createCurve({
  // Params: a, b
  a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
  b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
  // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
  Fp: Fp(BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff')),
  // Curve order, total count of valid points in the field.
  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
  // Base point (x, y) aka generator point
  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
  h: BigInt(1),
  lowS: false,
 } as const, sha384);
 export const secp384r1 = P384;
--- a/curve-definitions/src/p521.ts
+++ b/curve-definitions/src/p521.ts
@@ -1,33 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { Fp } from '@noble/curves/modular';
 import { sha512 } from '@noble/hashes/sha512';
 import { bytesToHex, PrivKey } from '@noble/curves/utils';
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
 // prettier-ignore
 export const P521 = createCurve({
  // Params: a, b
  a: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
  b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
  // Field over which we'll do calculations; 2n**521n - 1n
  Fp: Fp(BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff')),
  // Curve order, total count of valid points in the field
  n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
  // Base point (x, y) aka generator point
  Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
  Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
  h: BigInt(1),
  lowS: false,
  normalizePrivateKey(key: PrivKey) {
    if (typeof key === 'bigint') return key;
    if (key instanceof Uint8Array) key = bytesToHex(key);
    if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
      throw new Error('Invalid key');
    }
    return key.padStart(66 * 2, '0');
  }
 } as const, sha512);
 export const secp521r1 = P521;
--- a/curve-definitions/src/secp256k1.ts
+++ b/curve-definitions/src/secp256k1.ts
@@ -1,263 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as FpFn, mod, pow2 } from '@noble/curves/modular';
 import { createCurve } from './_shortw_utils.js';
 import { PointType } from '@noble/curves/weierstrass';
 import {
  ensureBytes,
  concatBytes,
  Hex,
  hexToBytes,
  bytesToNumberBE,
  PrivKey,
 } from '@noble/curves/utils';
 import { randomBytes } from '@noble/hashes/utils';
 /**
 * secp256k1 belongs to Koblitz curves: it has
 * efficiently computable Frobenius endomorphism.
 * Endomorphism improves efficiency:
 * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
 * Should always be used for Jacobian's double-and-add multiplication.
 * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
 * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
 */
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
 /**
 * Allows to compute square root √y 2x faster.
 * To calculate √y, we need to exponentiate it to a very big number:
 * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
 * We are unwrapping the loop and multiplying it bit-by-bit.
 * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
 */
 // prettier-ignore
 function sqrtMod(y: bigint): bigint {
  const P = secp256k1P;
  const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11); const _22n = BigInt(22);
  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
  const b2 = (y * y * y) % P; // x^3, 11
  const b3 = (b2 * b2 * y) % P; // x^7
  const b6 = (pow2(b3, _3n, P) * b3) % P;
  const b9 = (pow2(b6, _3n, P) * b3) % P;
  const b11 = (pow2(b9, _2n, P) * b2) % P;
  const b22 = (pow2(b11, _11n, P) * b11) % P;
  const b44 = (pow2(b22, _22n, P) * b22) % P;
  const b88 = (pow2(b44, _44n, P) * b44) % P;
  const b176 = (pow2(b88, _88n, P) * b88) % P;
  const b220 = (pow2(b176, _44n, P) * b44) % P;
  const b223 = (pow2(b220, _3n, P) * b3) % P;
  const t1 = (pow2(b223, _23n, P) * b22) % P;
  const t2 = (pow2(t1, _6n, P) * b2) % P;
  return pow2(t2, _2n, P);
 }
 const Fp = FpFn(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 export const secp256k1 = createCurve(
  {
    // Params: a, b
    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
    a: BigInt(0),
    b: BigInt(7),
    // Field over which we'll do calculations;
    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
    Fp,
    // Curve order, total count of valid points in the field
    n: secp256k1N,
    // Base point (x, y) aka generator point
    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
    h: BigInt(1),
    // Alllow only low-S signatures by default in sign() and verify()
    lowS: true,
    endo: {
      // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
      beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
      splitScalar: (k: bigint) => {
        const n = secp256k1N;
        const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
        const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
        const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
        const b2 = a1;
        const POW_2_128 = BigInt('0x100000000000000000000000000000000');
        const c1 = divNearest(b2 * k, n);
        const c2 = divNearest(-b1 * k, n);
        let k1 = mod(k - c1 * a1 - c2 * a2, n);
        let k2 = mod(-c1 * b1 - c2 * b2, n);
        const k1neg = k1 > POW_2_128;
        const k2neg = k2 > POW_2_128;
        if (k1neg) k1 = n - k1;
        if (k2neg) k2 = n - k2;
        if (k1 > POW_2_128 || k2 > POW_2_128) {
          throw new Error('splitScalar: Endomorphism failed, k=' + k);
        }
        return { k1neg, k1, k2neg, k2 };
      },
    },
  },
  sha256
 );
 // Schnorr
 const _0n = BigInt(0);
 const numTo32b = secp256k1.utils._bigintToBytes;
 const numTo32bStr = secp256k1.utils._bigintToString;
 const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
 // TODO: export?
 function normalizePublicKey(publicKey: Hex | PointType<bigint>): PointType<bigint> {
  if (publicKey instanceof secp256k1.Point) {
    publicKey.assertValidity();
    return publicKey;
  } else {
    const bytes = ensureBytes(publicKey);
    // Schnorr is 32 bytes
    if (bytes.length === 32) {
      const x = bytesToNumberBE(bytes);
      if (!isValidFieldElement(x)) throw new Error('Point is not on curve');
      const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
      let y = sqrtMod(y2); // y = y² ^ (p+1)/4
      const isYOdd = (y & _1n) === _1n;
      // Schnorr
      if (isYOdd) y = secp256k1.CURVE.Fp.negate(y);
      const point = new secp256k1.Point(x, y);
      point.assertValidity();
      return point;
    }
    // Do we need that in schnorr at all?
    return secp256k1.Point.fromHex(publicKey);
  }
 }
 const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
 const isValidFieldElement = secp256k1.utils._isValidFieldElement;
 const TAGS = {
  challenge: 'BIP0340/challenge',
  aux: 'BIP0340/aux',
  nonce: 'BIP0340/nonce',
 } as const;
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
 const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
 export function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
  let tagP = TAGGED_HASH_PREFIXES[tag];
  if (tagP === undefined) {
    const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
    tagP = concatBytes(tagH, tagH);
    TAGGED_HASH_PREFIXES[tag] = tagP;
  }
  return sha256(concatBytes(tagP, ...messages));
 }
 const toRawX = (point: PointType<bigint>) => point.toRawBytes(true).slice(1);
 // Schnorr signatures are superior to ECDSA from above.
 // Below is Schnorr-specific code as per BIP0340.
 function schnorrChallengeFinalize(ch: Uint8Array): bigint {
  return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
 }
 // Do we need this at all for Schnorr?
 class SchnorrSignature {
  constructor(readonly r: bigint, readonly s: bigint) {
    this.assertValidity();
  }
  static fromHex(hex: Hex) {
    const bytes = ensureBytes(hex);
    if (bytes.length !== 64)
      throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
    const r = bytesToNumberBE(bytes.subarray(0, 32));
    const s = bytesToNumberBE(bytes.subarray(32, 64));
    return new SchnorrSignature(r, s);
  }
  assertValidity() {
    const { r, s } = this;
    if (!isValidFieldElement(r) || !isWithinCurveOrder(s)) throw new Error('Invalid signature');
  }
  toHex(): string {
    return numTo32bStr(this.r) + numTo32bStr(this.s);
  }
  toRawBytes(): Uint8Array {
    return hexToBytes(this.toHex());
  }
 }
 function schnorrGetScalar(priv: bigint) {
  const point = secp256k1.Point.fromPrivateKey(priv);
  const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
  return { point, scalar, x: toRawX(point) };
 }
 /**
 * Synchronously creates Schnorr signature. Improved security: verifies itself before
 * producing an output.
 * @param msg message (not message hash)
 * @param privateKey private key
 * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
 */
 function schnorrSign(
  message: Hex,
  privateKey: PrivKey,
  auxRand: Hex = randomBytes(32)
 ): Uint8Array {
  if (message == null) throw new TypeError(`sign: Expected valid message, not "${message}"`);
  const m = ensureBytes(message);
  // checks for isWithinCurveOrder
  const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
  const rand = ensureBytes(auxRand);
  if (rand.length !== 32) throw new TypeError('sign: Expected 32 bytes of aux randomness');
  const tag = taggedHash;
  const t0h = tag(TAGS.aux, rand);
  const t = numTo32b(d ^ bytesToNumberBE(t0h));
  const k0h = tag(TAGS.nonce, t, px, m);
  const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
  if (k0 === _0n) throw new Error('sign: Creation of signature failed. k is zero');
  const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
  const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
  const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');
  return sig;
 }
 /**
 * Verifies Schnorr signature synchronously.
 */
 function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
  try {
    const raw = signature instanceof SchnorrSignature;
    const sig: SchnorrSignature = raw ? signature : SchnorrSignature.fromHex(signature);
    if (raw) sig.assertValidity(); // just in case
    const { r, s } = sig;
    const m = ensureBytes(message);
    const P = normalizePublicKey(publicKey);
    const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
    // Finalize
    // R = s⋅G - e⋅P
    // -eP == (n-e)P
    const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(
      P,
      normalizePrivateKey(s),
      mod(-e, secp256k1.CURVE.n)
    );
    if (!R || !R.hasEvenY() || R.x !== r) return false;
    return true;
  } catch (error) {
    return false;
  }
 }
 export const schnorr = {
  Signature: SchnorrSignature,
  // Schnorr's pubkey is just `x` of Point (BIP340)
  getPublicKey: (privateKey: PrivKey): Uint8Array =>
    toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
  sign: schnorrSign,
  verify: schnorrVerify,
 };
--- a/curve-definitions/test/basic.test.js
+++ b/curve-definitions/test/basic.test.js
@@ -1,317 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
 import * as mod from '@noble/curves/modular';
 import { randomBytes } from '@noble/hashes/utils';
 // Generic tests for all curves in package
 import { secp192r1 } from '../lib/p192.js';
 import { secp224r1 } from '../lib/p224.js';
 import { secp256r1 } from '../lib/p256.js';
 import { secp384r1 } from '../lib/p384.js';
 import { secp521r1 } from '../lib/p521.js';
 import { secp256k1 } from '../lib/secp256k1.js';
 import { ed25519, ed25519ctx, ed25519ph } from '../lib/ed25519.js';
 import { ed448, ed448ph } from '../lib/ed448.js';
 import { starkCurve } from '../lib/stark.js';
 import { pallas, vesta } from '../lib/pasta.js';
 import { bn254 } from '../lib/bn.js';
 import { jubjub } from '../lib/jubjub.js';
 // prettier-ignore
 const CURVES = {
  secp192r1, secp224r1, secp256r1, secp384r1, secp521r1,
  secp256k1,
  ed25519, ed25519ctx, ed25519ph,
  ed448, ed448ph,
  starkCurve,
  pallas, vesta,
  bn254,
  jubjub,
 };
 const NUM_RUNS = 5;
 const getXY = (p) => ({ x: p.x, y: p.y });
 function equal(a, b, comment) {
  deepStrictEqual(a.equals(b), true, `eq(${comment})`);
  if (a.toAffine && b.toAffine) {
    deepStrictEqual(getXY(a.toAffine()), getXY(b.toAffine()), `eqToAffine(${comment})`);
  } else if (!a.toAffine && !b.toAffine) {
    // Already affine
    deepStrictEqual(getXY(a), getXY(b), `eqAffine(${comment})`);
  } else throw new Error('Different point types');
 }
 for (const name in CURVES) {
  const C = CURVES[name];
  const CURVE_ORDER = C.CURVE.n;
  const FC_BIGINT = fc.bigInt(1n + 1n, CURVE_ORDER - 1n);
  // Check that curve doesn't accept points from other curves
  const O = name === 'secp256k1' ? secp256r1 : secp256k1;
  const POINTS = {};
  const OTHER_POINTS = {};
  for (const name of ['Point', 'JacobianPoint', 'ExtendedPoint', 'ProjectivePoint']) {
    POINTS[name] = C[name];
    OTHER_POINTS[name] = O[name];
  }
  for (const pointName in POINTS) {
    const p = POINTS[pointName];
    const o = OTHER_POINTS[pointName];
    if (!p) continue;
    const G = [p.ZERO, p.BASE];
    for (let i = 2; i < 10; i++) G.push(G[1].multiply(i));
    // Here we check basic group laws, to verify that points works as group
    should(`${name}/${pointName}/Basic group laws (zero)`, () => {
      equal(G[0].double(), G[0], '(0*G).double() = 0');
      equal(G[0].add(G[0]), G[0], '0*G + 0*G = 0');
      equal(G[0].subtract(G[0]), G[0], '0*G - 0*G = 0');
      equal(G[0].negate(), G[0], '-0 = 0');
      for (let i = 0; i < G.length; i++) {
        const p = G[i];
        equal(p, p.add(G[0]), `${i}*G + 0 = ${i}*G`);
        equal(G[0].multiply(i + 1), G[0], `${i + 1}*0 = 0`);
      }
    });
    should(`${name}/${pointName}/Basic group laws (one)`, () => {
      equal(G[1].double(), G[2], '(1*G).double() = 2*G');
      equal(G[1].subtract(G[1]), G[0], '1*G - 1*G = 0');
      equal(G[1].add(G[1]), G[2], '1*G + 1*G = 2*G');
    });
    should(`${name}/${pointName}/Basic group laws (sanity tests)`, () => {
      equal(G[2].double(), G[4], `(2*G).double() = 4*G`);
      equal(G[2].add(G[2]), G[4], `2*G + 2*G = 4*G`);
      equal(G[7].add(G[3].negate()), G[4], `7*G - 3*G = 4*G`);
    });
    should(`${name}/${pointName}/Basic group laws (addition commutativity)`, () => {
      equal(G[4].add(G[3]), G[3].add(G[4]), `4*G + 3*G = 3*G + 4*G`);
      equal(G[4].add(G[3]), G[3].add(G[2]).add(G[2]), `4*G + 3*G = 3*G + 2*G + 2*G`);
    });
    should(`${name}/${pointName}/Basic group laws (double)`, () => {
      equal(G[3].double(), G[6], '(3*G).double() = 6*G');
    });
    should(`${name}/${pointName}/Basic group laws (multiply)`, () => {
      equal(G[2].multiply(3), G[6], '(2*G).multiply(3) = 6*G');
    });
    should(`${name}/${pointName}/Basic group laws (same point addition)`, () => {
      equal(G[3].add(G[3]), G[6], `3*G + 3*G = 6*G`);
    });
    should(`${name}/${pointName}/Basic group laws (same point (negative) addition)`, () => {
      equal(G[3].add(G[3].negate()), G[0], '3*G + (- 3*G) = 0*G');
      equal(G[3].subtract(G[3]), G[0], '3*G - 3*G = 0*G');
    });
    should(`${name}/${pointName}/Basic group laws (curve order)`, () => {
      equal(G[1].multiply(CURVE_ORDER - 1n).add(G[1]), G[0], '(N-1)*G + G = 0');
      equal(G[1].multiply(CURVE_ORDER - 1n).add(G[2]), G[1], '(N-1)*G + 2*G = 1*G');
      equal(G[1].multiply(CURVE_ORDER - 2n).add(G[2]), G[0], '(N-2)*G + 2*G = 0');
      const half = CURVE_ORDER / 2n;
      const carry = CURVE_ORDER % 2n === 1n ? G[1] : G[0];
      equal(G[1].multiply(half).double().add(carry), G[0], '((N/2) * G).double() = 0');
    });
    should(`${name}/${pointName}/Basic group laws (inversion)`, () => {
      const a = 1234n;
      const b = 5678n;
      const c = a * b;
      equal(G[1].multiply(a).multiply(b), G[1].multiply(c), 'a*b*G = c*G');
      const inv = mod.invert(b, CURVE_ORDER);
      equal(G[1].multiply(c).multiply(inv), G[1].multiply(a), 'c*G * (1/b)*G = a*G');
    });
    should(`${name}/${pointName}/Basic group laws (multiply, rand)`, () =>
      fc.assert(
        fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
          const c = mod.mod(a + b, CURVE_ORDER);
          if (c === CURVE_ORDER || c < 1n) return;
          const pA = G[1].multiply(a);
          const pB = G[1].multiply(b);
          const pC = G[1].multiply(c);
          equal(pA.add(pB), pB.add(pA), `pA + pB = pB + pA`);
          equal(pA.add(pB), pC, `pA + pB = pC`);
        }),
        { numRuns: NUM_RUNS }
      )
    );
    should(`${name}/${pointName}/Basic group laws (multiply2, rand)`, () =>
      fc.assert(
        fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
          const c = mod.mod(a * b, CURVE_ORDER);
          const pA = G[1].multiply(a);
          const pB = G[1].multiply(b);
          equal(pA.multiply(b), pB.multiply(a), `b*pA = a*pB`);
          equal(pA.multiply(b), G[1].multiply(c), `b*pA = c*G`);
        }),
        { numRuns: NUM_RUNS }
      )
    );
    for (const op of ['add', 'subtract']) {
      should(`${name}/${pointName}/${op} type check`, () => {
        throws(() => G[1][op](0), '0');
        throws(() => G[1][op](0n), '0n');
        G[1][op](G[2]);
        throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
        throws(() => G[1][op](123.456), '123.456');
        throws(() => G[1][op](true), 'true');
        throws(() => G[1][op]('1'), "'1'");
        throws(() => G[1][op]({ x: 1n, y: 1n, z: 1n, t: 1n }), '{ x: 1n, y: 1n, z: 1n, t: 1n }');
        throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
        throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
        throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
        throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
        if (G[1].toAffine) throws(() => G[1][op](C.Point.BASE), `Point ${op} ${pointName}`);
        throws(() => G[1][op](o.BASE), `${op}/other curve point`);
      });
    }
    should(`${name}/${pointName}/equals type check`, () => {
      throws(() => G[1].equals(0), '0');
      throws(() => G[1].equals(0n), '0n');
      deepStrictEqual(G[1].equals(G[2]), false, '1*G != 2*G');
      deepStrictEqual(G[1].equals(G[1]), true, '1*G == 1*G');
      deepStrictEqual(G[2].equals(G[2]), true, '2*G == 2*G');
      throws(() => G[1].equals(CURVE_ORDER), 'CURVE_ORDER');
      throws(() => G[1].equals(123.456), '123.456');
      throws(() => G[1].equals(true), 'true');
      throws(() => G[1].equals('1'), "'1'");
      throws(() => G[1].equals({ x: 1n, y: 1n, z: 1n, t: 1n }), '{ x: 1n, y: 1n, z: 1n, t: 1n }');
      throws(() => G[1].equals(new Uint8Array([])), 'ui8a([])');
      throws(() => G[1].equals(new Uint8Array([0])), 'ui8a([0])');
      throws(() => G[1].equals(new Uint8Array([1])), 'ui8a([1])');
      throws(() => G[1].equals(new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
      if (G[1].toAffine) throws(() => G[1].equals(C.Point.BASE), `Point.equals(${pointName})`);
      throws(() => G[1].equals(o.BASE), 'other curve point');
    });
    for (const op of ['multiply', 'multiplyUnsafe']) {
      if (!p.BASE[op]) continue;
      should(`${name}/${pointName}/${op} type check`, () => {
        if (op !== 'multiplyUnsafe') {
          throws(() => G[1][op](0), '0');
          throws(() => G[1][op](0n), '0n');
        }
        G[1][op](1n);
        G[1][op](CURVE_ORDER - 1n);
        throws(() => G[1][op](G[2]), 'G[2]');
        throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
        throws(() => G[1][op](CURVE_ORDER + 1n), 'CURVE_ORDER+1');
        throws(() => G[1][op](123.456), '123.456');
        throws(() => G[1][op](true), 'true');
        throws(() => G[1][op]('1'), '1');
        throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
        throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
        throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
        throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
        throws(() => G[1][op](o.BASE), 'other curve point');
      });
    }
    // Complex point (Extended/Jacobian/Projective?)
    if (p.BASE.toAffine) {
      should(`${name}/${pointName}/toAffine()`, () => {
        equal(p.ZERO.toAffine(), C.Point.ZERO, `0 = 0`);
        equal(p.BASE.toAffine(), C.Point.BASE, `1 = 1`);
      });
    }
    if (p.fromAffine) {
      should(`${name}/${pointName}/fromAffine()`, () => {
        equal(p.ZERO, p.fromAffine(C.Point.ZERO), `0 = 0`);
        equal(p.BASE, p.fromAffine(C.Point.BASE), `1 = 1`);
      });
    }
    // toHex/fromHex (if available)
    if (p.fromHex && p.BASE.toHex) {
      should(`${name}/${pointName}/fromHex(toHex()) roundtrip`, () => {
        fc.assert(
          fc.property(FC_BIGINT, (x) => {
            const hex = p.BASE.multiply(x).toHex();
            deepStrictEqual(p.fromHex(hex).toHex(), hex);
          })
        );
      });
    }
  }
  // Generic complex things (getPublicKey/sign/verify/getSharedSecret)
  should(`${name}/getPublicKey type check`, () => {
    throws(() => C.getPublicKey(0), '0');
    throws(() => C.getPublicKey(0n), '0n');
    throws(() => C.getPublicKey(false), 'false');
    throws(() => C.getPublicKey(123.456), '123.456');
    throws(() => C.getPublicKey(true), 'true');
    throws(() => C.getPublicKey(''), "''");
    // NOTE: passes because of disabled hex padding checks for starknet, maybe enable?
    //throws(() => C.getPublicKey('1'), "'1'");
    throws(() => C.getPublicKey('key'), "'key'");
    throws(() => C.getPublicKey(new Uint8Array([])));
    throws(() => C.getPublicKey(new Uint8Array([0])));
    throws(() => C.getPublicKey(new Uint8Array([1])));
    throws(() => C.getPublicKey(new Uint8Array(4096).fill(1)));
  });
  should(`${name}.verify()/should verify random signatures`, () =>
    fc.assert(
      fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
        const priv = C.utils.randomPrivateKey();
        const pub = C.getPublicKey(priv);
        const sig = C.sign(msg, priv);
        deepStrictEqual(C.verify(sig, msg, pub), true);
      }),
      { numRuns: NUM_RUNS }
    )
  );
  should(`${name}.sign()/edge cases`, () => {
    throws(() => C.sign());
    throws(() => C.sign(''));
  });
  should(`${name}.verify()/should not verify signature with wrong hash`, () => {
    const MSG = '01'.repeat(32);
    const PRIV_KEY = 0x2n;
    const WRONG_MSG = '11'.repeat(32);
    const signature = C.sign(MSG, PRIV_KEY);
    const publicKey = C.getPublicKey(PRIV_KEY);
    deepStrictEqual(C.verify(signature, WRONG_MSG, publicKey), false);
  });
  // NOTE: fails for ed, because of empty message. Since we convert it to scalar,
  // need to check what other implementations do. Empty message != new Uint8Array([0]), but what scalar should be in that case?
  // should(`${name}/should not verify signature with wrong message`, () => {
  //   fc.assert(
  //     fc.property(
  //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
  //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
  //       (bytes, wrongBytes) => {
  //         const privKey = C.utils.randomPrivateKey();
  //         const message = new Uint8Array(bytes);
  //         const wrongMessage = new Uint8Array(wrongBytes);
  //         const publicKey = C.getPublicKey(privKey);
  //         const signature = C.sign(message, privKey);
  //         deepStrictEqual(
  //           C.verify(signature, wrongMessage, publicKey),
  //           bytes.toString() === wrongBytes.toString()
  //         );
  //       }
  //     ),
  //     { numRuns: NUM_RUNS }
  //   );
  // });
  if (C.getSharedSecret) {
    should(`${name}/getSharedSecret() should be commutative`, () => {
      for (let i = 0; i < NUM_RUNS; i++) {
        const asec = C.utils.randomPrivateKey();
        const apub = C.getPublicKey(asec);
        const bsec = C.utils.randomPrivateKey();
        const bpub = C.getPublicKey(bsec);
        try {
          deepStrictEqual(C.getSharedSecret(asec, bpub), C.getSharedSecret(bsec, apub));
        } catch (error) {
          console.error('not commutative', { asec, apub, bsec, bpub });
          throw error;
        }
      }
    });
  }
 }
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/bls12-381.test.js
+++ b/curve-definitions/test/bls12-381.test.js
--- a/curve-definitions/test/ed25519.test.js
+++ b/curve-definitions/test/ed25519.test.js
@@ -1,657 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
 import { ed25519, ed25519ctx, ed25519ph, x25519, RistrettoPoint } from '../lib/ed25519.js';
 import { readFileSync } from 'fs';
 import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
 import { numberToBytesLE } from '@noble/curves/utils';
 import { sha512 } from '@noble/hashes/sha512';
 import { default as ed25519vectors } from './wycheproof/eddsa_test.json' assert { type: 'json' };
 import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };
 const ed = ed25519;
 const hex = bytesToHex;
 function to32Bytes(numOrStr) {
  let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
  return hexToBytes(hex.padStart(64, '0'));
 }
 function utf8ToBytes(str) {
  if (typeof str !== 'string') {
    throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
  }
  return new TextEncoder().encode(str);
 }
 ed.utils.precompute(8);
 should('ed25519/should not accept >32byte private keys', () => {
  const invalidPriv =
    100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
  throws(() => ed.getPublicKey(invalidPriv));
 });
 should('ed25519/should verify recent signature', () => {
  fc.assert(
    fc.property(
      fc.hexaString({ minLength: 2, maxLength: 32 }),
      fc.bigInt(2n, ed.CURVE.n),
      (message, privateKey) => {
        const publicKey = ed.getPublicKey(to32Bytes(privateKey));
        const signature = ed.sign(to32Bytes(message), to32Bytes(privateKey));
        deepStrictEqual(publicKey.length, 32);
        deepStrictEqual(signature.length, 64);
        deepStrictEqual(ed.verify(signature, to32Bytes(message), publicKey), true);
      }
    ),
    { numRuns: 5 }
  );
 });
 should('ed25519/should not verify signature with wrong message', () => {
  fc.assert(
    fc.property(
      fc.array(fc.integer({ min: 0x00, max: 0xff })),
      fc.array(fc.integer({ min: 0x00, max: 0xff })),
      fc.bigInt(1n, ed.CURVE.n),
      (bytes, wrongBytes, privateKey) => {
        const privKey = to32Bytes(privateKey);
        const message = new Uint8Array(bytes);
        const wrongMessage = new Uint8Array(wrongBytes);
        const publicKey = ed.getPublicKey(privKey);
        const signature = ed.sign(message, privKey);
        deepStrictEqual(
          ed.verify(signature, wrongMessage, publicKey),
          bytes.toString() === wrongBytes.toString()
        );
      }
    ),
    { numRuns: 5 }
  );
 });
 const privKey = to32Bytes('a665a45920422f9d417e4867ef');
 const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
 const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
 should('ed25519/basic methods/should sign and verify', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
 });
 should('ed25519/basic methods/should not verify signature with wrong public key', () => {
  const publicKey = ed.getPublicKey(12);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
 });
 should('ed25519/basic methods/should not verify signature with wrong hash', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
 });
 should('ed25519/sync methods/should sign and verify', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
 });
 should('ed25519/sync methods/should not verify signature with wrong public key', () => {
  const publicKey = ed.getPublicKey(12);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
 });
 should('ed25519/sync methods/should not verify signature with wrong hash', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
 });
 // https://xmr.llcoins.net/addresstests.html
 should(
  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 1',
  () => {
    const publicKey =
      ed.Point.BASE.multiply(0x90af56259a4b6bfbc4337980d5d75fbe3c074630368ff3804d33028e5dbfa77n);
    deepStrictEqual(
      publicKey.toHex(),
      '0f3b913371411b27e646b537e888f685bf929ea7aab93c950ed84433f064480d'
    );
  }
 );
 should(
  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 2',
  () => {
    const publicKey =
      ed.Point.BASE.multiply(0x364e8711a60780382a5d57b061c126f039940f28a9e91fe039d4d3094d8b88n);
    deepStrictEqual(
      publicKey.toHex(),
      'ad545340b58610f0cd62f17d55af1ab11ecde9c084d5476865ddb4dbda015349'
    );
  }
 );
 should(
  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 3',
  () => {
    const publicKey =
      ed.Point.BASE.multiply(0xb9bf90ff3abec042752cac3a07a62f0c16cfb9d32a3fc2305d676ec2d86e941n);
    deepStrictEqual(
      publicKey.toHex(),
      'e097c4415fe85724d522b2e449e8fd78dd40d20097bdc9ae36fe8ec6fe12cb8c'
    );
  }
 );
 should(
  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 4',
  () => {
    const publicKey =
      ed.Point.BASE.multiply(0x69d896f02d79524c9878e080308180e2859d07f9f54454e0800e8db0847a46en);
    deepStrictEqual(
      publicKey.toHex(),
      'f12cb7c43b59971395926f278ce7c2eaded9444fbce62ca717564cb508a0db1d'
    );
  }
 );
 should('ed25519/BASE_POINT.multiply()/should throw Point#multiply on TEST 5', () => {
  for (const num of [0n, 0, -1n, -1, 1.1]) {
    throws(() => ed.Point.BASE.multiply(num));
  }
 });
 // https://ed25519.cr.yp.to/python/sign.py
 // https://ed25519.cr.yp.to/python/sign.input
 const data = readFileSync('./test/ed25519/vectors.txt', 'utf-8');
 const vectors = data
  .trim()
  .split('\n')
  .map((line) => line.split(':'));
 should('ed25519 official vectors/should match 1024 official vectors', () => {
  for (let i = 0; i < vectors.length; i++) {
    const vector = vectors[i];
    // Extract.
    const priv = vector[0].slice(0, 64);
    const expectedPub = vector[1];
    const msg = vector[2];
    const expectedSignature = vector[3].slice(0, 128);
    // Calculate
    const pub = ed.getPublicKey(to32Bytes(priv));
    deepStrictEqual(hex(pub), expectedPub);
    deepStrictEqual(pub, ed.Point.fromHex(pub).toRawBytes());
    const signature = hex(ed.sign(msg, priv));
    // console.log('vector', i);
    // expect(pub).toBe(expectedPub);
    deepStrictEqual(signature, expectedSignature);
  }
 });
 // https://tools.ietf.org/html/rfc8032#section-7
 should('rfc8032 vectors/should create right signature for 0x9d and empty string', () => {
  const privateKey = '9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60';
  const publicKey = ed.getPublicKey(privateKey);
  const message = '';
  const signature = ed.sign(message, privateKey);
  deepStrictEqual(
    hex(publicKey),
    'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a'
  );
  deepStrictEqual(
    hex(signature),
    'e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b'
  );
 });
 should('rfc8032 vectors/should create right signature for 0x4c and 72', () => {
  const privateKey = '4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb';
  const publicKey = ed.getPublicKey(privateKey);
  const message = '72';
  const signature = ed.sign(message, privateKey);
  deepStrictEqual(
    hex(publicKey),
    '3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c'
  );
  deepStrictEqual(
    hex(signature),
    '92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00'
  );
 });
 should('rfc8032 vectors/should create right signature for 0x00 and 5a', () => {
  const privateKey = '002fdd1f7641793ab064bb7aa848f762e7ec6e332ffc26eeacda141ae33b1783';
  const publicKey = ed.getPublicKey(privateKey);
  const message =
    '5ac1dfc324f43e6cb79a87ab0470fa857b51fb944982e19074ca44b1e40082c1d07b92efa7ea55ad42b7c027e0b9e33756d95a2c1796a7c2066811dc41858377d4b835c1688d638884cd2ad8970b74c1a54aadd27064163928a77988b24403aa85af82ceab6b728e554761af7175aeb99215b7421e4474c04d213e01ff03e3529b11077cdf28964b8c49c5649e3a46fa0a09dcd59dcad58b9b922a83210acd5e65065531400234f5e40cddcf9804968e3e9ac6f5c44af65001e158067fc3a660502d13fa8874fa93332138d9606bc41b4cee7edc39d753dae12a873941bb357f7e92a4498847d6605456cb8c0b425a47d7d3ca37e54e903a41e6450a35ebe5237c6f0c1bbbc1fd71fb7cd893d189850295c199b7d88af26bc8548975fda1099ffefee42a52f3428ddff35e0173d3339562507ac5d2c45bbd2c19cfe89b';
  const signature = ed.sign(message, privateKey);
  deepStrictEqual(
    hex(publicKey),
    '77d1d8ebacd13f4e2f8a40e28c4a63bc9ce3bfb69716334bcb28a33eb134086c'
  );
  deepStrictEqual(
    hex(signature),
    '0df3aa0d0999ad3dc580378f52d152700d5b3b057f56a66f92112e441e1cb9123c66f18712c87efe22d2573777296241216904d7cdd7d5ea433928bd2872fa0c'
  );
 });
 should('rfc8032 vectors/should create right signature for 0xf5 and long msg', () => {
  const privateKey = 'f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5';
  const publicKey = ed.getPublicKey(privateKey);
  const message =
    '08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0';
  const signature = ed.sign(message, privateKey);
  deepStrictEqual(
    hex(publicKey),
    '278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e'
  );
  deepStrictEqual(
    hex(signature),
    '0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03'
  );
 });
 // const PRIVATE_KEY = 0xa665a45920422f9d417e4867efn;
 // const MESSAGE = ripemd160(new Uint8Array([97, 98, 99, 100, 101, 102, 103]));
 // prettier-ignore
 // const MESSAGE = new Uint8Array([
 //   135, 79, 153, 96, 197, 210, 183, 169, 181, 250, 211, 131, 225, 186, 68, 113, 158, 187, 116, 58,
 // ]);
 // const WRONG_MESSAGE = ripemd160(new Uint8Array([98, 99, 100, 101, 102, 103]));
 // prettier-ignore
 // const WRONG_MESSAGE = new Uint8Array([
 //   88, 157, 140, 127, 29, 160, 162, 75, 192, 123, 115, 129, 173, 72, 177, 207, 194, 17, 175, 28,
 // ]);
 // // it("should verify just signed message", async () => {
 // //   await fc.assert(fc.asyncProperty(
 // //     fc.hexa(),
 // //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
 // //     async (message, privateKey) => {
 // //       const publicKey = await ristretto25519.getPublicKey(privateKey);
 // //       const signature = await ristretto25519.sign(message, privateKey);
 // //       expect(publicKey.length).toBe(32);
 // //       expect(signature.length).toBe(64);
 // //       expect(await ristretto25519.verify(signature, message, publicKey)).toBe(true);
 // //     }),
 // //    { numRuns: 1 }
 // //   );
 // // });
 // // it("should not verify sign with wrong message", async () => {
 // //   await fc.assert(fc.asyncProperty(
 // //     fc.array(fc.integer(0x00, 0xff)),
 // //     fc.array(fc.integer(0x00, 0xff)),
 // //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
 // //     async (bytes, wrongBytes, privateKey) => {
 // //       const message = new Uint8Array(bytes);
 // //       const wrongMessage = new Uint8Array(wrongBytes);
 // //       const publicKey = await ristretto25519.getPublicKey(privateKey);
 // //       const signature = await ristretto25519.sign(message, privateKey);
 // //       expect(await ristretto25519.verify(signature, wrongMessage, publicKey)).toBe(
 // //         bytes.toString() === wrongBytes.toString()
 // //       );
 // //     }),
 // //    { numRuns: 1 }
 // //   );
 // // });
 // // it("should sign and verify", async () => {
 // //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
 // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
 // //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(true);
 // // });
 // // it("should not verify signature with wrong public key", async () => {
 // //   const publicKey = await ristretto25519.getPublicKey(12);
 // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
 // //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(false);
 // // });
 // // it("should not verify signature with wrong hash", async () => {
 // //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
 // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
 // //   expect(await ristretto25519.verify(signature, WRONG_MESSAGE, publicKey)).toBe(false);
 // // });
 should('ristretto255/should follow the byte encodings of small multiples', () => {
  const encodingsOfSmallMultiples = [
    // This is the identity point
    '0000000000000000000000000000000000000000000000000000000000000000',
    // This is the basepoint
    'e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76',
    // These are small multiples of the basepoint
    '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919',
    '94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259',
    'da80862773358b466ffadfe0b3293ab3d9fd53c5ea6c955358f568322daf6a57',
    'e882b131016b52c1d3337080187cf768423efccbb517bb495ab812c4160ff44e',
    'f64746d3c92b13050ed8d80236a7f0007c3b3f962f5ba793d19a601ebb1df403',
    '44f53520926ec81fbd5a387845beb7df85a96a24ece18738bdcfa6a7822a176d',
    '903293d8f2287ebe10e2374dc1a53e0bc887e592699f02d077d5263cdd55601c',
    '02622ace8f7303a31cafc63f8fc48fdc16e1c8c8d234b2f0d6685282a9076031',
    '20706fd788b2720a1ed2a5dad4952b01f413bcf0e7564de8cdc816689e2db95f',
    'bce83f8ba5dd2fa572864c24ba1810f9522bc6004afe95877ac73241cafdab42',
    'e4549ee16b9aa03099ca208c67adafcafa4c3f3e4e5303de6026e3ca8ff84460',
    'aa52e000df2e16f55fb1032fc33bc42742dad6bd5a8fc0be0167436c5948501f',
    '46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e',
    'e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e',
  ];
  let B = RistrettoPoint.BASE;
  let P = RistrettoPoint.ZERO;
  for (const encoded of encodingsOfSmallMultiples) {
    deepStrictEqual(P.toHex(), encoded);
    deepStrictEqual(RistrettoPoint.fromHex(encoded).toHex(), encoded);
    P = P.add(B);
  }
 });
 should('ristretto255/should not convert bad bytes encoding', () => {
  const badEncodings = [
    // These are all bad because they're non-canonical field encodings.
    '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
    'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
    'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
    'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
    // These are all bad because they're negative field elements.
    '0100000000000000000000000000000000000000000000000000000000000000',
    '01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
    'ed57ffd8c914fb201471d1c3d245ce3c746fcbe63a3679d51b6a516ebebe0e20',
    'c34c4e1826e5d403b78e246e88aa051c36ccf0aafebffe137d148a2bf9104562',
    'c940e5a4404157cfb1628b108db051a8d439e1a421394ec4ebccb9ec92a8ac78',
    '47cfc5497c53dc8e61c91d17fd626ffb1c49e2bca94eed052281b510b1117a24',
    'f1c6165d33367351b0da8f6e4511010c68174a03b6581212c71c0e1d026c3c72',
    '87260f7a2f12495118360f02c26a470f450dadf34a413d21042b43b9d93e1309',
    // These are all bad because they give a nonsquare x^2.
    '26948d35ca62e643e26a83177332e6b6afeb9d08e4268b650f1f5bbd8d81d371',
    '4eac077a713c57b4f4397629a4145982c661f48044dd3f96427d40b147d9742f',
    'de6a7b00deadc788eb6b6c8d20c0ae96c2f2019078fa604fee5b87d6e989ad7b',
    'bcab477be20861e01e4a0e295284146a510150d9817763caf1a6f4b422d67042',
    '2a292df7e32cababbd9de088d1d1abec9fc0440f637ed2fba145094dc14bea08',
    'f4a9e534fc0d216c44b218fa0c42d99635a0127ee2e53c712f70609649fdff22',
    '8268436f8c4126196cf64b3c7ddbda90746a378625f9813dd9b8457077256731',
    '2810e5cbc2cc4d4eece54f61c6f69758e289aa7ab440b3cbeaa21995c2f4232b',
    // These are all bad because they give a negative xy value.
    '3eb858e78f5a7254d8c9731174a94f76755fd3941c0ac93735c07ba14579630e',
    'a45fdc55c76448c049a1ab33f17023edfb2be3581e9c7aade8a6125215e04220',
    'd483fe813c6ba647ebbfd3ec41adca1c6130c2beeee9d9bf065c8d151c5f396e',
    '8a2e1d30050198c65a54483123960ccc38aef6848e1ec8f5f780e8523769ba32',
    '32888462f8b486c68ad7dd9610be5192bbeaf3b443951ac1a8118419d9fa097b',
    '227142501b9d4355ccba290404bde41575b037693cef1f438c47f8fbf35d1165',
    '5c37cc491da847cfeb9281d407efc41e15144c876e0170b499a96a22ed31e01e',
    '445425117cb8c90edcbc7c1cc0e74f747f2c1efa5630a967c64f287792a48a4b',
    // This is s = -1, which causes y = 0.
    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
  ];
  for (const badBytes of badEncodings) {
    const b = hexToBytes(badBytes);
    throws(() => RistrettoPoint.fromHex(b), badBytes);
  }
 });
 should('ristretto255/should create right points from uniform hash', async () => {
  const labels = [
    'Ristretto is traditionally a short shot of espresso coffee',
    'made with the normal amount of ground coffee but extracted with',
    'about half the amount of water in the same amount of time',
    'by using a finer grind.',
    'This produces a concentrated shot of coffee per volume.',
    'Just pulling a normal shot short will produce a weaker shot',
    'and is not a Ristretto as some believe.',
  ];
  const encodedHashToPoints = [
    '3066f82a1a747d45120d1740f14358531a8f04bbffe6a819f86dfe50f44a0a46',
    'f26e5b6f7d362d2d2a94c5d0e7602cb4773c95a2e5c31a64f133189fa76ed61b',
    '006ccd2a9e6867e6a2c5cea83d3302cc9de128dd2a9a57dd8ee7b9d7ffe02826',
    'f8f0c87cf237953c5890aec3998169005dae3eca1fbb04548c635953c817f92a',
    'ae81e7dedf20a497e10c304a765c1767a42d6e06029758d2d7e8ef7cc4c41179',
    'e2705652ff9f5e44d3e841bf1c251cf7dddb77d140870d1ab2ed64f1a9ce8628',
    '80bd07262511cdde4863f8a7434cef696750681cb9510eea557088f76d9e5065',
  ];
  for (let i = 0; i < labels.length; i++) {
    const hash = sha512(utf8ToBytes(labels[i]));
    const point = RistrettoPoint.hashToCurve(hash);
    deepStrictEqual(point.toHex(), encodedHashToPoints[i]);
  }
 });
 should('input immutability: sign/verify are immutable', () => {
  const privateKey = ed.utils.randomPrivateKey();
  const publicKey = ed.getPublicKey(privateKey);
  for (let i = 0; i < 100; i++) {
    let payload = randomBytes(100);
    let signature = ed.sign(payload, privateKey);
    if (!ed.verify(signature, payload, publicKey)) {
      throw new Error('Signature verification failed');
    }
    const signatureCopy = Buffer.alloc(signature.byteLength);
    signatureCopy.set(signature, 0); // <-- breaks
    payload = payload.slice();
    signature = signature.slice();
    if (!ed.verify(signatureCopy, payload, publicKey))
      throw new Error('Copied signature verification failed');
  }
 });
 // https://zips.z.cash/zip-0215
 // Vectors from https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7
 should('ZIP-215 compliance tests/should pass all of them', () => {
  const str = utf8ToBytes('Zcash');
  for (let v of zip215) {
    let noble = false;
    try {
      noble = ed.verify(v.sig_bytes, str, v.vk_bytes);
    } catch (e) {
      noble = false;
    }
    deepStrictEqual(noble, v.valid_zip215);
  }
 });
 should('ZIP-215 compliance tests/disallows sig.s >= CURVE.n', () => {
  const sig = new ed.Signature(ed.Point.BASE, 1n);
  sig.s = ed.CURVE.n + 1n;
  throws(() => ed.verify(sig, 'deadbeef', ed.Point.BASE));
 });
 const rfc7748Mul = [
  {
    scalar: 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4',
    u: 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c',
    outputU: 'c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552',
  },
  {
    scalar: '4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d',
    u: 'e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493',
    outputU: '95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957',
  },
 ];
 for (let i = 0; i < rfc7748Mul.length; i++) {
  const v = rfc7748Mul[i];
  should(`RFC7748: scalarMult (${i})`, () => {
    deepStrictEqual(hex(x25519.scalarMult(v.u, v.scalar)), v.outputU);
  });
 }
 const rfc7748Iter = [
  { scalar: '422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079', iters: 1 },
  { scalar: '684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51', iters: 1000 },
  // { scalar: '7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424', iters: 1000000 },
 ];
 for (let i = 0; i < rfc7748Iter.length; i++) {
  const { scalar, iters } = rfc7748Iter[i];
  should(`RFC7748: scalarMult iteration (${i})`, () => {
    let k = x25519.Gu;
    for (let i = 0, u = k; i < iters; i++) [k, u] = [x25519.scalarMult(u, k), k];
    deepStrictEqual(hex(k), scalar);
  });
 }
 should('RFC7748 getSharedKey', () => {
  const alicePrivate = '77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a';
  const alicePublic = '8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a';
  const bobPrivate = '5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb';
  const bobPublic = 'de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f';
  const shared = '4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742';
  deepStrictEqual(alicePublic, hex(x25519.getPublicKey(alicePrivate)));
  deepStrictEqual(bobPublic, hex(x25519.getPublicKey(bobPrivate)));
  deepStrictEqual(hex(x25519.scalarMult(bobPublic, alicePrivate)), shared);
  deepStrictEqual(hex(x25519.scalarMult(alicePublic, bobPrivate)), shared);
 });
 // should('X25519/getSharedSecret() should be commutative', () => {
 //   for (let i = 0; i < 512; i++) {
 //     const asec = ed.utils.randomPrivateKey();
 //     const apub = ed.getPublicKey(asec);
 //     const bsec = ed.utils.randomPrivateKey();
 //     const bpub = ed.getPublicKey(bsec);
 //     try {
 //       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
 //     } catch (error) {
 //       console.error('not commutative', { asec, apub, bsec, bpub });
 //       throw error;
 //     }
 //   }
 // });
 // should('X25519: should convert base point to montgomery using fromPoint', () => {
 //   deepStrictEqual(
 //     hex(ed.montgomeryCurve.UfromPoint(ed.Point.BASE)),
 //     ed.montgomeryCurve.BASE_POINT_U
 //   );
 // });
 {
  const group = x25519vectors.testGroups[0];
  should(`Wycheproof/X25519`, () => {
    for (let i = 0; i < group.tests.length; i++) {
      const v = group.tests[i];
      const comment = `(${i}, ${v.result}) ${v.comment}`;
      if (v.result === 'valid' || v.result === 'acceptable') {
        try {
          const shared = hex(x25519.scalarMult(v.public, v.private));
          deepStrictEqual(shared, v.shared, comment);
        } catch (e) {
          // We are more strict
          if (e.message.includes('Expected valid scalar')) return;
          if (e.message.includes('Invalid private or public key received')) return;
          throw e;
        }
      } else if (v.result === 'invalid') {
        let failed = false;
        try {
          x25519.scalarMult(v.public, v.private);
        } catch (error) {
          failed = true;
        }
        deepStrictEqual(failed, true, comment);
      } else throw new Error('unknown test result');
    }
  });
 }
 should(`Wycheproof/ED25519`, () => {
  for (let g = 0; g < ed25519vectors.testGroups.length; g++) {
    const group = ed25519vectors.testGroups[g];
    const key = group.key;
    deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk, `(${g}, public)`);
    for (let i = 0; i < group.tests.length; i++) {
      const v = group.tests[i];
      const comment = `(${g}/${i}, ${v.result}): ${v.comment}`;
      if (v.result === 'valid' || v.result === 'acceptable') {
        deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, comment);
        deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, comment);
      } else if (v.result === 'invalid') {
        let failed = false;
        try {
          failed = !ed.verify(v.sig, v.msg, key.pk);
        } catch (error) {
          failed = true;
        }
        deepStrictEqual(failed, true, comment);
      } else throw new Error('unknown test result');
    }
  }
 });
 should('Property test issue #1', () => {
  const message = new Uint8Array([12, 12, 12]);
  const signature = ed.sign(message, to32Bytes(1n));
  const publicKey = ed.getPublicKey(to32Bytes(1n)); // <- was 1n
  deepStrictEqual(ed.verify(signature, message, publicKey), true);
 });
 const VECTORS_RFC8032_CTX = [
  {
    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
    message: 'f726936d19c800494e3fdaff20b276a8',
    context: '666f6f',
    signature:
      '55a4cc2f70a54e04288c5f4cd1e45a7b' +
      'b520b36292911876cada7323198dd87a' +
      '8b36950b95130022907a7fb7c4e9b2d5' +
      'f6cca685a587b4b21f4b888e4e7edb0d',
  },
  {
    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
    message: 'f726936d19c800494e3fdaff20b276a8',
    context: '626172',
    signature:
      'fc60d5872fc46b3aa69f8b5b4351d580' +
      '8f92bcc044606db097abab6dbcb1aee3' +
      '216c48e8b3b66431b5b186d1d28f8ee1' +
      '5a5ca2df6668346291c2043d4eb3e90d',
  },
  {
    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
    message: '508e9e6882b979fea900f62adceaca35',
    context: '666f6f',
    signature:
      '8b70c1cc8310e1de20ac53ce28ae6e72' +
      '07f33c3295e03bb5c0732a1d20dc6490' +
      '8922a8b052cf99b7c4fe107a5abb5b2c' +
      '4085ae75890d02df26269d8945f84b0b',
  },
  {
    secretKey: 'ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560',
    publicKey: '0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772',
    message: 'f726936d19c800494e3fdaff20b276a8',
    context: '666f6f',
    signature:
      '21655b5f1aa965996b3f97b3c849eafb' +
      'a922a0a62992f73b3d1b73106a84ad85' +
      'e9b86a7b6005ea868337ff2d20a7f5fb' +
      'd4cd10b0be49a68da2b2e0dc0ad8960f',
  },
 ];
 for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
  const v = VECTORS_RFC8032_CTX[i];
  should(`RFC8032ctx/${i}`, () => {
    deepStrictEqual(hex(ed25519ctx.getPublicKey(v.secretKey)), v.publicKey);
    deepStrictEqual(hex(ed25519ctx.sign(v.message, v.secretKey, v.context)), v.signature);
    deepStrictEqual(ed25519ctx.verify(v.signature, v.message, v.publicKey, v.context), true);
  });
 }
 const VECTORS_RFC8032_PH = [
  {
    secretKey: '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42',
    publicKey: 'ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf',
    message: '616263',
    signature:
      '98a70222f0b8121aa9d30f813d683f80' +
      '9e462b469c7ff87639499bb94e6dae41' +
      '31f85042463c2a355a2003d062adf5aa' +
      'a10b8c61e636062aaad11c2a26083406',
  },
 ];
 for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
  const v = VECTORS_RFC8032_PH[i];
  should(`RFC8032ph/${i}`, () => {
    deepStrictEqual(hex(ed25519ph.getPublicKey(v.secretKey)), v.publicKey);
    deepStrictEqual(hex(ed25519ph.sign(v.message, v.secretKey)), v.signature);
    deepStrictEqual(ed25519ph.verify(v.signature, v.message, v.publicKey), true);
  });
 }
 should('X25519 base point', () => {
  const { y } = ed25519.Point.BASE;
  const u = ed25519.utils.mod((y + 1n) * ed25519.utils.invert(1n - y, ed25519.CURVE.P));
  deepStrictEqual(hex(numberToBytesLE(u, 32)), x25519.Gu);
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/ed448.test.js
+++ b/curve-definitions/test/ed448.test.js
@@ -1,664 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
 import { ed448, ed448ph, x448 } from '../lib/ed448.js';
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
 import { numberToBytesLE } from '@noble/curves/utils';
 import { default as ed448vectors } from './wycheproof/ed448_test.json' assert { type: 'json' };
 import { default as x448vectors } from './wycheproof/x448_test.json' assert { type: 'json' };
 const ed = ed448;
 const hex = bytesToHex;
 ed.utils.precompute(4);
 should(`Basic`, () => {
  const G1 = ed.Point.BASE;
  deepStrictEqual(
    G1.x,
    224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710n
  );
  deepStrictEqual(
    G1.y,
    298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660n
  );
  const G2 = ed.Point.BASE.multiply(2n);
  deepStrictEqual(
    G2.x,
    484559149530404593699549205258669689569094240458212040187660132787056912146709081364401144455726350866276831544947397859048262938744149n
  );
  deepStrictEqual(
    G2.y,
    494088759867433727674302672526735089350544552303727723746126484473087719117037293890093462157703888342865036477787453078312060500281069n
  );
  const G3 = ed.Point.BASE.multiply(3n);
  deepStrictEqual(
    G3.x,
    23839778817283171003887799738662344287085130522697782688245073320169861206004018274567429238677677920280078599146891901463786155880335n
  );
  deepStrictEqual(
    G3.y,
    636046652612779686502873775776967954190574036985351036782021535703553242737829645273154208057988851307101009474686328623630835377952508n
  );
 });
 should('Basic/decompress', () => {
  const G1 = ed.Point.BASE;
  const G2 = ed.Point.BASE.multiply(2n);
  const G3 = ed.Point.BASE.multiply(3n);
  const points = [G1, G2, G3];
  const getXY = (p) => ({ x: p.x, y: p.y });
  for (const p of points) deepStrictEqual(getXY(ed.Point.fromHex(p.toHex())), getXY(p));
 });
 const VECTORS_RFC8032 = [
  {
    secretKey:
      '6c82a562cb808d10d632be89c8513ebf' +
      '6c929f34ddfa8c9f63c9960ef6e348a3' +
      '528c8a3fcc2f044e39a3fc5b94492f8f' +
      '032e7549a20098f95b',
    publicKey:
      '5fd7449b59b461fd2ce787ec616ad46a' +
      '1da1342485a70e1f8a0ea75d80e96778' +
      'edf124769b46c7061bd6783df1e50f6c' +
      'd1fa1abeafe8256180',
    message: '',
    signature:
      '533a37f6bbe457251f023c0d88f976ae' +
      '2dfb504a843e34d2074fd823d41a591f' +
      '2b233f034f628281f2fd7a22ddd47d78' +
      '28c59bd0a21bfd3980ff0d2028d4b18a' +
      '9df63e006c5d1c2d345b925d8dc00b41' +
      '04852db99ac5c7cdda8530a113a0f4db' +
      'b61149f05a7363268c71d95808ff2e65' +
      '2600',
  },
  {
    secretKey:
      'c4eab05d357007c632f3dbb48489924d' +
      '552b08fe0c353a0d4a1f00acda2c463a' +
      'fbea67c5e8d2877c5e3bc397a659949e' +
      'f8021e954e0a12274e',
    publicKey:
      '43ba28f430cdff456ae531545f7ecd0a' +
      'c834a55d9358c0372bfa0c6c6798c086' +
      '6aea01eb00742802b8438ea4cb82169c' +
      '235160627b4c3a9480',
    message: '03',
    signature:
      '26b8f91727bd62897af15e41eb43c377' +
      'efb9c610d48f2335cb0bd0087810f435' +
      '2541b143c4b981b7e18f62de8ccdf633' +
      'fc1bf037ab7cd779805e0dbcc0aae1cb' +
      'cee1afb2e027df36bc04dcecbf154336' +
      'c19f0af7e0a6472905e799f1953d2a0f' +
      'f3348ab21aa4adafd1d234441cf807c0' +
      '3a00',
  },
  {
    secretKey:
      'cd23d24f714274e744343237b93290f5' +
      '11f6425f98e64459ff203e8985083ffd' +
      'f60500553abc0e05cd02184bdb89c4cc' +
      'd67e187951267eb328',
    publicKey:
      'dcea9e78f35a1bf3499a831b10b86c90' +
      'aac01cd84b67a0109b55a36e9328b1e3' +
      '65fce161d71ce7131a543ea4cb5f7e9f' +
      '1d8b00696447001400',
    message: '0c3e544074ec63b0265e0c',
    signature:
      '1f0a8888ce25e8d458a21130879b840a' +
      '9089d999aaba039eaf3e3afa090a09d3' +
      '89dba82c4ff2ae8ac5cdfb7c55e94d5d' +
      '961a29fe0109941e00b8dbdeea6d3b05' +
      '1068df7254c0cdc129cbe62db2dc957d' +
      'bb47b51fd3f213fb8698f064774250a5' +
      '028961c9bf8ffd973fe5d5c206492b14' +
      '0e00',
  },
  {
    secretKey:
      '258cdd4ada32ed9c9ff54e63756ae582' +
      'fb8fab2ac721f2c8e676a72768513d93' +
      '9f63dddb55609133f29adf86ec9929dc' +
      'cb52c1c5fd2ff7e21b',
    publicKey:
      '3ba16da0c6f2cc1f30187740756f5e79' +
      '8d6bc5fc015d7c63cc9510ee3fd44adc' +
      '24d8e968b6e46e6f94d19b945361726b' +
      'd75e149ef09817f580',
    message: '64a65f3cdedcdd66811e2915',
    signature:
      '7eeeab7c4e50fb799b418ee5e3197ff6' +
      'bf15d43a14c34389b59dd1a7b1b85b4a' +
      'e90438aca634bea45e3a2695f1270f07' +
      'fdcdf7c62b8efeaf00b45c2c96ba457e' +
      'b1a8bf075a3db28e5c24f6b923ed4ad7' +
      '47c3c9e03c7079efb87cb110d3a99861' +
      'e72003cbae6d6b8b827e4e6c143064ff' +
      '3c00',
  },
  {
    secretKey:
      '7ef4e84544236752fbb56b8f31a23a10' +
      'e42814f5f55ca037cdcc11c64c9a3b29' +
      '49c1bb60700314611732a6c2fea98eeb' +
      'c0266a11a93970100e',
    publicKey:
      'b3da079b0aa493a5772029f0467baebe' +
      'e5a8112d9d3a22532361da294f7bb381' +
      '5c5dc59e176b4d9f381ca0938e13c6c0' +
      '7b174be65dfa578e80',
    message: '64a65f3cdedcdd66811e2915e7',
    signature:
      '6a12066f55331b6c22acd5d5bfc5d712' +
      '28fbda80ae8dec26bdd306743c5027cb' +
      '4890810c162c027468675ecf645a8317' +
      '6c0d7323a2ccde2d80efe5a1268e8aca' +
      '1d6fbc194d3f77c44986eb4ab4177919' +
      'ad8bec33eb47bbb5fc6e28196fd1caf5' +
      '6b4e7e0ba5519234d047155ac727a105' +
      '3100',
  },
  {
    secretKey:
      'd65df341ad13e008567688baedda8e9d' +
      'cdc17dc024974ea5b4227b6530e339bf' +
      'f21f99e68ca6968f3cca6dfe0fb9f4fa' +
      'b4fa135d5542ea3f01',
    publicKey:
      'df9705f58edbab802c7f8363cfe5560a' +
      'b1c6132c20a9f1dd163483a26f8ac53a' +
      '39d6808bf4a1dfbd261b099bb03b3fb5' +
      '0906cb28bd8a081f00',
    message:
      'bd0f6a3747cd561bdddf4640a332461a' +
      '4a30a12a434cd0bf40d766d9c6d458e5' +
      '512204a30c17d1f50b5079631f64eb31' +
      '12182da3005835461113718d1a5ef944',
    signature:
      '554bc2480860b49eab8532d2a533b7d5' +
      '78ef473eeb58c98bb2d0e1ce488a98b1' +
      '8dfde9b9b90775e67f47d4a1c3482058' +
      'efc9f40d2ca033a0801b63d45b3b722e' +
      'f552bad3b4ccb667da350192b61c508c' +
      'f7b6b5adadc2c8d9a446ef003fb05cba' +
      '5f30e88e36ec2703b349ca229c267083' +
      '3900',
  },
  {
    secretKey:
      '2ec5fe3c17045abdb136a5e6a913e32a' +
      'b75ae68b53d2fc149b77e504132d3756' +
      '9b7e766ba74a19bd6162343a21c8590a' +
      'a9cebca9014c636df5',
    publicKey:
      '79756f014dcfe2079f5dd9e718be4171' +
      'e2ef2486a08f25186f6bff43a9936b9b' +
      'fe12402b08ae65798a3d81e22e9ec80e' +
      '7690862ef3d4ed3a00',
    message:
      '15777532b0bdd0d1389f636c5f6b9ba7' +
      '34c90af572877e2d272dd078aa1e567c' +
      'fa80e12928bb542330e8409f31745041' +
      '07ecd5efac61ae7504dabe2a602ede89' +
      'e5cca6257a7c77e27a702b3ae39fc769' +
      'fc54f2395ae6a1178cab4738e543072f' +
      'c1c177fe71e92e25bf03e4ecb72f47b6' +
      '4d0465aaea4c7fad372536c8ba516a60' +
      '39c3c2a39f0e4d832be432dfa9a706a6' +
      'e5c7e19f397964ca4258002f7c0541b5' +
      '90316dbc5622b6b2a6fe7a4abffd9610' +
      '5eca76ea7b98816af0748c10df048ce0' +
      '12d901015a51f189f3888145c03650aa' +
      '23ce894c3bd889e030d565071c59f409' +
      'a9981b51878fd6fc110624dcbcde0bf7' +
      'a69ccce38fabdf86f3bef6044819de11',
    signature:
      'c650ddbb0601c19ca11439e1640dd931' +
      'f43c518ea5bea70d3dcde5f4191fe53f' +
      '00cf966546b72bcc7d58be2b9badef28' +
      '743954e3a44a23f880e8d4f1cfce2d7a' +
      '61452d26da05896f0a50da66a239a8a1' +
      '88b6d825b3305ad77b73fbac0836ecc6' +
      '0987fd08527c1a8e80d5823e65cafe2a' +
      '3d00',
  },
  {
    secretKey:
      '872d093780f5d3730df7c212664b37b8' +
      'a0f24f56810daa8382cd4fa3f77634ec' +
      '44dc54f1c2ed9bea86fafb7632d8be19' +
      '9ea165f5ad55dd9ce8',
    publicKey:
      'a81b2e8a70a5ac94ffdbcc9badfc3feb' +
      '0801f258578bb114ad44ece1ec0e799d' +
      'a08effb81c5d685c0c56f64eecaef8cd' +
      'f11cc38737838cf400',
    message:
      '6ddf802e1aae4986935f7f981ba3f035' +
      '1d6273c0a0c22c9c0e8339168e675412' +
      'a3debfaf435ed651558007db4384b650' +
      'fcc07e3b586a27a4f7a00ac8a6fec2cd' +
      '86ae4bf1570c41e6a40c931db27b2faa' +
      '15a8cedd52cff7362c4e6e23daec0fbc' +
      '3a79b6806e316efcc7b68119bf46bc76' +
      'a26067a53f296dafdbdc11c77f7777e9' +
      '72660cf4b6a9b369a6665f02e0cc9b6e' +
      'dfad136b4fabe723d2813db3136cfde9' +
      'b6d044322fee2947952e031b73ab5c60' +
      '3349b307bdc27bc6cb8b8bbd7bd32321' +
      '9b8033a581b59eadebb09b3c4f3d2277' +
      'd4f0343624acc817804728b25ab79717' +
      '2b4c5c21a22f9c7839d64300232eb66e' +
      '53f31c723fa37fe387c7d3e50bdf9813' +
      'a30e5bb12cf4cd930c40cfb4e1fc6225' +
      '92a49588794494d56d24ea4b40c89fc0' +
      '596cc9ebb961c8cb10adde976a5d602b' +
      '1c3f85b9b9a001ed3c6a4d3b1437f520' +
      '96cd1956d042a597d561a596ecd3d173' +
      '5a8d570ea0ec27225a2c4aaff26306d1' +
      '526c1af3ca6d9cf5a2c98f47e1c46db9' +
      'a33234cfd4d81f2c98538a09ebe76998' +
      'd0d8fd25997c7d255c6d66ece6fa56f1' +
      '1144950f027795e653008f4bd7ca2dee' +
      '85d8e90f3dc315130ce2a00375a318c7' +
      'c3d97be2c8ce5b6db41a6254ff264fa6' +
      '155baee3b0773c0f497c573f19bb4f42' +
      '40281f0b1f4f7be857a4e59d416c06b4' +
      'c50fa09e1810ddc6b1467baeac5a3668' +
      'd11b6ecaa901440016f389f80acc4db9' +
      '77025e7f5924388c7e340a732e554440' +
      'e76570f8dd71b7d640b3450d1fd5f041' +
      '0a18f9a3494f707c717b79b4bf75c984' +
      '00b096b21653b5d217cf3565c9597456' +
      'f70703497a078763829bc01bb1cbc8fa' +
      '04eadc9a6e3f6699587a9e75c94e5bab' +
      '0036e0b2e711392cff0047d0d6b05bd2' +
      'a588bc109718954259f1d86678a579a3' +
      '120f19cfb2963f177aeb70f2d4844826' +
      '262e51b80271272068ef5b3856fa8535' +
      'aa2a88b2d41f2a0e2fda7624c2850272' +
      'ac4a2f561f8f2f7a318bfd5caf969614' +
      '9e4ac824ad3460538fdc25421beec2cc' +
      '6818162d06bbed0c40a387192349db67' +
      'a118bada6cd5ab0140ee273204f628aa' +
      'd1c135f770279a651e24d8c14d75a605' +
      '9d76b96a6fd857def5e0b354b27ab937' +
      'a5815d16b5fae407ff18222c6d1ed263' +
      'be68c95f32d908bd895cd76207ae7264' +
      '87567f9a67dad79abec316f683b17f2d' +
      '02bf07e0ac8b5bc6162cf94697b3c27c' +
      'd1fea49b27f23ba2901871962506520c' +
      '392da8b6ad0d99f7013fbc06c2c17a56' +
      '9500c8a7696481c1cd33e9b14e40b82e' +
      '79a5f5db82571ba97bae3ad3e0479515' +
      'bb0e2b0f3bfcd1fd33034efc6245eddd' +
      '7ee2086ddae2600d8ca73e214e8c2b0b' +
      'db2b047c6a464a562ed77b73d2d841c4' +
      'b34973551257713b753632efba348169' +
      'abc90a68f42611a40126d7cb21b58695' +
      '568186f7e569d2ff0f9e745d0487dd2e' +
      'b997cafc5abf9dd102e62ff66cba87',
    signature:
      'e301345a41a39a4d72fff8df69c98075' +
      'a0cc082b802fc9b2b6bc503f926b65bd' +
      'df7f4c8f1cb49f6396afc8a70abe6d8a' +
      'ef0db478d4c6b2970076c6a0484fe76d' +
      '76b3a97625d79f1ce240e7c576750d29' +
      '5528286f719b413de9ada3e8eb78ed57' +
      '3603ce30d8bb761785dc30dbc320869e' +
      '1a00',
  },
 ];
 for (let i = 0; i < VECTORS_RFC8032.length; i++) {
  const v = VECTORS_RFC8032[i];
  should(`RFC8032/${i}`, () => {
    deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
    deepStrictEqual(hex(ed.sign(v.message, v.secretKey)), v.signature);
    deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey), true);
  });
 }
 should('ed448/should not accept >57byte private keys', async () => {
  const invalidPriv =
    100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
  throws(() => ed.getPublicKey(invalidPriv));
 });
 function to57Bytes(numOrStr) {
  let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
  return hexToBytes(hex.padStart(114, '0'));
 }
 should('ed448/should verify recent signature', () => {
  fc.assert(
    fc.property(
      fc.hexaString({ minLength: 2, maxLength: 57 }),
      fc.bigInt(2n, ed.CURVE.n),
      (message, privateKey) => {
        const publicKey = ed.getPublicKey(to57Bytes(privateKey));
        const signature = ed.sign(to57Bytes(message), to57Bytes(privateKey));
        deepStrictEqual(publicKey.length, 57);
        deepStrictEqual(signature.length, 114);
        deepStrictEqual(ed.verify(signature, to57Bytes(message), publicKey), true);
      }
    ),
    { numRuns: 5 }
  );
 });
 should('ed448/should not verify signature with wrong message', () => {
  fc.assert(
    fc.property(
      fc.array(fc.integer({ min: 0x00, max: 0xff })),
      fc.array(fc.integer({ min: 0x00, max: 0xff })),
      fc.bigInt(1n, ed.CURVE.n),
      (bytes, wrongBytes, privateKey) => {
        const message = new Uint8Array(bytes);
        const wrongMessage = new Uint8Array(wrongBytes);
        const priv = to57Bytes(privateKey);
        const publicKey = ed.getPublicKey(priv);
        const signature = ed.sign(message, priv);
        deepStrictEqual(
          ed.verify(signature, wrongMessage, publicKey),
          bytes.toString() === wrongBytes.toString()
        );
      }
    ),
    { numRuns: 5 }
  );
 });
 const privKey = to57Bytes('a665a45920422f9d417e4867ef');
 const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
 const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
 should('ed25519/basic methods/should sign and verify', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
 });
 should('ed25519/basic methods/should not verify signature with wrong public key', () => {
  const publicKey = ed.getPublicKey(12);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
 });
 should('ed25519/basic methods/should not verify signature with wrong hash', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
 });
 should('ed25519/sync methods/should sign and verify', () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
 });
 should('ed25519/sync methods/should not verify signature with wrong public key', async () => {
  const publicKey = ed.getPublicKey(12);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
 });
 should('ed25519/sync methods/should not verify signature with wrong hash', async () => {
  const publicKey = ed.getPublicKey(privKey);
  const signature = ed.sign(msg, privKey);
  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
 });
 should('ed25519/BASE_POINT.multiply()/should throw Point#multiply on TEST 5', () => {
  for (const num of [0n, 0, -1n, -1, 1.1]) {
    throws(() => ed.Point.BASE.multiply(num));
  }
 });
 should('input immutability: sign/verify are immutable', () => {
  const privateKey = ed.utils.randomPrivateKey();
  const publicKey = ed.getPublicKey(privateKey);
  for (let i = 0; i < 100; i++) {
    let payload = randomBytes(100);
    let signature = ed.sign(payload, privateKey);
    if (!ed.verify(signature, payload, publicKey)) {
      throw new Error('Signature verification failed');
    }
    const signatureCopy = Buffer.alloc(signature.byteLength);
    signatureCopy.set(signature, 0); // <-- breaks
    payload = payload.slice();
    signature = signature.slice();
    if (!ed.verify(signatureCopy, payload, publicKey))
      throw new Error('Copied signature verification failed');
  }
 });
 {
  for (let g = 0; g < ed448vectors.testGroups.length; g++) {
    const group = ed448vectors.testGroups[g];
    const key = group.key;
    should(`Wycheproof/ED448(${g}, public)`, () => {
      deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk);
    });
    should(`Wycheproof/ED448`, () => {
      for (let i = 0; i < group.tests.length; i++) {
        const v = group.tests[i];
        const index = `${g}/${i} ${v.comment}`;
        if (v.result === 'valid' || v.result === 'acceptable') {
          deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, index);
          deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, index);
        } else if (v.result === 'invalid') {
          let failed = false;
          try {
            failed = !ed.verify(v.sig, v.msg, key.pk);
          } catch (error) {
            failed = true;
          }
          deepStrictEqual(failed, true, index);
        } else throw new Error('unknown test result');
      }
    });
  }
 }
 // ECDH
 const rfc7748Mul = [
  {
    scalar:
      '3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3',
    u: '06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f9814dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086',
    outputU:
      'ce3e4ff95a60dc6697da1db1d85e6afbdf79b50a2412d7546d5f239fe14fbaadeb445fc66a01b0779d98223961111e21766282f73dd96b6f',
  },
  {
    scalar:
      '203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c538345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f',
    u: '0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db',
    outputU:
      '884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d',
  },
 ];
 for (let i = 0; i < rfc7748Mul.length; i++) {
  const v = rfc7748Mul[i];
  should(`RFC7748: scalarMult (${i})`, () => {
    deepStrictEqual(hex(x448.scalarMult(v.u, v.scalar)), v.outputU);
  });
 }
 const rfc7748Iter = [
  {
    scalar:
      '3f482c8a9f19b01e6c46ee9711d9dc14fd4bf67af30765c2ae2b846a4d23a8cd0db897086239492caf350b51f833868b9bc2b3bca9cf4113',
    iters: 1,
  },
  {
    scalar:
      'aa3b4749d55b9daf1e5b00288826c467274ce3ebbdd5c17b975e09d4af6c67cf10d087202db88286e2b79fceea3ec353ef54faa26e219f38',
    iters: 1000,
  },
  // { scalar: '077f453681caca3693198420bbe515cae0002472519b3e67661a7e89cab94695c8f4bcd66e61b9b9c946da8d524de3d69bd9d9d66b997e37', iters: 1000000 },
 ];
 for (let i = 0; i < rfc7748Iter.length; i++) {
  const { scalar, iters } = rfc7748Iter[i];
  should(`RFC7748: scalarMult iteration (${i})`, () => {
    let k = x448.Gu;
    for (let i = 0, u = k; i < iters; i++) [k, u] = [x448.scalarMult(u, k), k];
    deepStrictEqual(hex(k), scalar);
  });
 }
 should('RFC7748 getSharedKey', () => {
  const alicePrivate =
    '9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28dd9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b';
  const alicePublic =
    '9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0';
  const bobPrivate =
    '1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d';
  const bobPublic =
    '3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b43027d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609';
  const shared =
    '07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d';
  deepStrictEqual(alicePublic, hex(x448.getPublicKey(alicePrivate)));
  deepStrictEqual(bobPublic, hex(x448.getPublicKey(bobPrivate)));
  deepStrictEqual(hex(x448.scalarMult(bobPublic, alicePrivate)), shared);
  deepStrictEqual(hex(x448.scalarMult(alicePublic, bobPrivate)), shared);
 });
 {
  const group = x448vectors.testGroups[0];
  should(`Wycheproof/X448`, () => {
    for (let i = 0; i < group.tests.length; i++) {
      const v = group.tests[i];
      const index = `(${i}, ${v.result}) ${v.comment}`;
      if (v.result === 'valid' || v.result === 'acceptable') {
        try {
          const shared = hex(x448.scalarMult(v.public, v.private));
          deepStrictEqual(shared, v.shared, index);
        } catch (e) {
          // We are more strict
          if (e.message.includes('Expected valid scalar')) return;
          if (e.message.includes('Invalid private or public key received')) return;
          if (e.message.includes('Expected 56 bytes')) return;
          throw e;
        }
      } else if (v.result === 'invalid') {
        let failed = false;
        try {
          x448.scalarMult(v.public, v.private);
        } catch (error) {
          failed = true;
        }
        deepStrictEqual(failed, true, index);
      } else throw new Error('unknown test result');
    }
  });
 }
 // should('X448: should convert base point to montgomery using fromPoint', () => {
 //   deepStrictEqual(
 //     hex(ed.montgomeryCurve.UfromPoint(ed.Point.BASE)),
 //     ed.montgomeryCurve.BASE_POINT_U
 //   );
 // });
 // should('X448/getSharedSecret() should be commutative', async () => {
 //   for (let i = 0; i < 512; i++) {
 //     const asec = ed.utils.randomPrivateKey();
 //     const apub = ed.getPublicKey(asec);
 //     const bsec = ed.utils.randomPrivateKey();
 //     const bpub = ed.getPublicKey(bsec);
 //     try {
 //       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
 //     } catch (error) {
 //       console.error('not commutative', { asec, apub, bsec, bpub });
 //       throw error;
 //     }
 //   }
 // });
 const VECTORS_RFC8032_CTX = [
  {
    secretKey:
      'c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e',
    publicKey:
      '43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480',
    message: '03',
    context: '666f6f',
    signature:
      'd4f8f6131770dd46f40867d6fd5d5055' +
      'de43541f8c5e35abbcd001b32a89f7d2' +
      '151f7647f11d8ca2ae279fb842d60721' +
      '7fce6e042f6815ea000c85741de5c8da' +
      '1144a6a1aba7f96de42505d7a7298524' +
      'fda538fccbbb754f578c1cad10d54d0d' +
      '5428407e85dcbc98a49155c13764e66c' +
      '3c00',
  },
 ];
 for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
  const v = VECTORS_RFC8032_CTX[i];
  should(`RFC8032ctx/${i}`, () => {
    deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
    deepStrictEqual(hex(ed.sign(v.message, v.secretKey, v.context)), v.signature);
    deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey, v.context), true);
  });
 }
 const VECTORS_RFC8032_PH = [
  {
    secretKey:
      '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
    publicKey:
      '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
    message: '616263',
    signature:
      '822f6901f7480f3d5f562c592994d969' +
      '3602875614483256505600bbc281ae38' +
      '1f54d6bce2ea911574932f52a4e6cadd' +
      '78769375ec3ffd1b801a0d9b3f4030cd' +
      '433964b6457ea39476511214f97469b5' +
      '7dd32dbc560a9a94d00bff07620464a3' +
      'ad203df7dc7ce360c3cd3696d9d9fab9' +
      '0f00',
  },
  {
    secretKey:
      '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
    publicKey:
      '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
    message: '616263',
    context: '666f6f',
    signature:
      'c32299d46ec8ff02b54540982814dce9' +
      'a05812f81962b649d528095916a2aa48' +
      '1065b1580423ef927ecf0af5888f90da' +
      '0f6a9a85ad5dc3f280d91224ba9911a3' +
      '653d00e484e2ce232521481c8658df30' +
      '4bb7745a73514cdb9bf3e15784ab7128' +
      '4f8d0704a608c54a6b62d97beb511d13' +
      '2100',
  },
 ];
 for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
  const v = VECTORS_RFC8032_PH[i];
  should(`RFC8032ph/${i}`, () => {
    deepStrictEqual(hex(ed448ph.getPublicKey(v.secretKey)), v.publicKey);
    deepStrictEqual(hex(ed448ph.sign(v.message, v.secretKey, v.context)), v.signature);
    deepStrictEqual(ed448ph.verify(v.signature, v.message, v.publicKey, v.context), true);
  });
 }
 should('X448 base point', () => {
  const { x, y } = ed448.Point.BASE;
  const { P } = ed448.CURVE;
  const invX = ed448.utils.invert(x * x, P); // x^2
  const u = ed448.utils.mod(y * y * invX, P); // (y^2/x^2)
  deepStrictEqual(hex(numberToBytesLE(u, 56)), x448.Gu);
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/jubjub.test.js
+++ b/curve-definitions/test/jubjub.test.js
@@ -1,74 +0,0 @@
 import { jubjub, findGroupHash } from '../lib/jubjub.js';
 import { should } from 'micro-should';
 import { deepStrictEqual, throws } from 'assert';
 import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
 const G_SPEND = new jubjub.ExtendedPoint(
  0x055f1f24f0f0512287e51c3c5a0a6903fc0baf8711de9eafd7c0e66f69d8d2dbn,
  0x566178b2505fdd52132a5007d80a04652842e78ffb376897588f406278214ed7n,
  0x0141fafa1f11088a3b2007c14d652375888f3b37838ba6bdffae096741ceddfen,
  0x12eada93c0b7d595f5f04f5ebfb4b7d033ef2884136475cab5e41ce17db5be9cn
 );
 const G_PROOF = new jubjub.ExtendedPoint(
  0x0174d54ce9fad258a2f8a86a1deabf15c7a2b51106b0fbcd9d29020f78936f71n,
  0x16871d6d877dcd222e4ec3bccb3f37cb1865a2d37dd3a5dcbc032a69b62b4445n,
  0x57a3cd31e496d82bd4aa78bd5ecd751cfb76d54a5d3f4560866379f9fc11c9b3n,
  0x42cc53f6b519d1f4f52c47ff1256463a616c2c2f49ffe77765481eca04c72081n
 );
 const getXY = (p) => ({ x: p.x, y: p.y });
 should('toHex/fromHex', () => {
  // More than field
  throws(() =>
    jubjub.Point.fromHex(
      new Uint8Array([
        255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
        255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
      ])
    )
  );
  // Multiplicative generator (sqrt == null), not on curve.
  throws(() =>
    jubjub.Point.fromHex(
      new Uint8Array([
        7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0,
      ])
    )
  );
  const tmp = jubjub.Point.fromHex(
    new Uint8Array([
      0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
      0,
    ])
  );
  deepStrictEqual(tmp.x, 0x8d51ccce760304d0ec030002760300000001000000000000n);
  deepStrictEqual(tmp.y, 0n);
  const S = G_SPEND.toAffine().toRawBytes();
  const S2 = G_SPEND.double().toAffine().toRawBytes();
  const P = G_PROOF.toAffine().toRawBytes();
  const P2 = G_PROOF.double().toAffine().toRawBytes();
  const S_exp = jubjub.Point.fromHex(S);
  const S2_exp = jubjub.Point.fromHex(S2);
  const P_exp = jubjub.Point.fromHex(P);
  const P2_exp = jubjub.Point.fromHex(P2);
  deepStrictEqual(getXY(G_SPEND.toAffine()), getXY(S_exp));
  deepStrictEqual(getXY(G_SPEND.double().toAffine()), getXY(S2_exp));
  deepStrictEqual(getXY(G_PROOF.toAffine()), getXY(P_exp));
  deepStrictEqual(getXY(G_PROOF.double().toAffine()), getXY(P2_exp));
 });
 should('Find generators', () => {
  const spend = findGroupHash(new Uint8Array(), new Uint8Array([90, 99, 97, 115, 104, 95, 71, 95]));
  const proof = findGroupHash(new Uint8Array(), new Uint8Array([90, 99, 97, 115, 104, 95, 72, 95]));
  deepStrictEqual(getXY(spend.toAffine()), getXY(G_SPEND.toAffine()));
  deepStrictEqual(getXY(proof.toAffine()), getXY(G_PROOF.toAffine()));
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/package.json
+++ b/curve-definitions/test/package.json
@@ -1,7 +0,0 @@
 {
  "type": "module",
  "browser": {
    "crypto": false,
    "./crypto": "./esm/cryptoBrowser.js"
  }
 }
--- a/curve-definitions/test/secp256k1.test.js
+++ b/curve-definitions/test/secp256k1.test.js
@@ -1,535 +0,0 @@
 import * as fc from 'fast-check';
 import { secp256k1, schnorr } from '../lib/secp256k1.js';
 import { readFileSync } from 'fs';
 import { default as ecdsa } from './vectors/ecdsa.json' assert { type: 'json' };
 import { default as ecdh } from './vectors/ecdh.json' assert { type: 'json' };
 import { default as privates } from './vectors/privates.json' assert { type: 'json' };
 import { default as points } from './vectors/points.json' assert { type: 'json' };
 import { default as wp } from './vectors/wychenproof.json' assert { type: 'json' };
 import { should } from 'micro-should';
 import { deepStrictEqual, throws } from 'assert';
 import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
 const hex = bytesToHex;
 const secp = secp256k1;
 const privatesTxt = readFileSync('./test/vectors/privates-2.txt', 'utf-8');
 const schCsv = readFileSync('./test/vectors/schnorr.csv', 'utf-8');
 const FC_BIGINT = fc.bigInt(1n + 1n, secp.CURVE.n - 1n);
 const P = secp.CURVE.Fp.ORDER;
 // prettier-ignore
 const INVALID_ITEMS = ['deadbeef', Math.pow(2, 53), [1], 'xyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxy', secp.CURVE.n + 2n];
 const toBEHex = (n) => n.toString(16).padStart(64, '0');
 function hexToNumber(hex) {
  if (typeof hex !== 'string') {
    throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
  }
  // Big Endian
  return BigInt(`0x${hex}`);
 }
 should('secp256k1.getPublicKey()', () => {
  const data = privatesTxt
    .split('\n')
    .filter((line) => line)
    .map((line) => line.split(':'));
  for (let [priv, x, y] of data) {
    const point = secp.Point.fromPrivateKey(BigInt(priv));
    deepStrictEqual(toBEHex(point.x), x);
    deepStrictEqual(toBEHex(point.y), y);
    const point2 = secp.Point.fromHex(secp.getPublicKey(toBEHex(BigInt(priv))));
    deepStrictEqual(toBEHex(point2.x), x);
    deepStrictEqual(toBEHex(point2.y), y);
    const point3 = secp.Point.fromHex(secp.getPublicKey(hexToBytes(toBEHex(BigInt(priv)))));
    deepStrictEqual(toBEHex(point3.x), x);
    deepStrictEqual(toBEHex(point3.y), y);
  }
 });
 should('secp256k1.getPublicKey() rejects invalid keys', () => {
  // for (const item of INVALID_ITEMS) {
  //   throws(() => secp.getPublicKey(item));
  // }
 });
 should('secp256k1.precompute', () => {
  secp.utils.precompute(4);
  const data = privatesTxt
    .split('\n')
    .filter((line) => line)
    .map((line) => line.split(':'));
  for (let [priv, x, y] of data) {
    const point = secp.Point.fromPrivateKey(BigInt(priv));
    deepStrictEqual(toBEHex(point.x), x);
    deepStrictEqual(toBEHex(point.y), y);
    const point2 = secp.Point.fromHex(secp.getPublicKey(toBEHex(BigInt(priv))));
    deepStrictEqual(toBEHex(point2.x), x);
    deepStrictEqual(toBEHex(point2.y), y);
    const point3 = secp.Point.fromHex(secp.getPublicKey(hexToBytes(toBEHex(BigInt(priv)))));
    deepStrictEqual(toBEHex(point3.x), x);
    deepStrictEqual(toBEHex(point3.y), y);
  }
 });
 should('secp256k1.Point.isValidPoint()', () => {
  for (const vector of points.valid.isPoint) {
    const { P, expected } = vector;
    if (expected) {
      secp.Point.fromHex(P);
    } else {
      throws(() => secp.Point.fromHex(P));
    }
  }
 });
 should('secp256k1.Point.fromPrivateKey()', () => {
  for (const vector of points.valid.pointFromScalar) {
    const { d, expected } = vector;
    let p = secp.Point.fromPrivateKey(d);
    deepStrictEqual(p.toHex(true), expected);
  }
 });
 should('secp256k1.Point#toHex(compressed)', () => {
  for (const vector of points.valid.pointCompress) {
    const { P, compress, expected } = vector;
    let p = secp.Point.fromHex(P);
    deepStrictEqual(p.toHex(compress), expected);
  }
 });
 should('secp256k1.Point#toHex() roundtrip (failed case)', () => {
  const point1 =
    secp.Point.fromPrivateKey(
      88572218780422190464634044548753414301110513745532121983949500266768436236425n
    );
  // const hex = point1.toHex(true);
  // deepStrictEqual(secp.Point.fromHex(hex).toHex(true), hex);
 });
 should('secp256k1.Point#toHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, (x) => {
      const point1 = secp.Point.fromPrivateKey(x);
      const hex = point1.toHex(true);
      deepStrictEqual(secp.Point.fromHex(hex).toHex(true), hex);
    })
  );
 });
 should('secp256k1.Point#add(other)', () => {
  for (const vector of points.valid.pointAdd) {
    const { P, Q, expected } = vector;
    let p = secp.Point.fromHex(P);
    let q = secp.Point.fromHex(Q);
    if (expected) {
      deepStrictEqual(p.add(q).toHex(true), expected);
    } else {
      if (!p.equals(q.negate())) {
        throws(() => p.add(q).toHex(true));
      }
    }
  }
 });
 should('secp256k1.Point#multiply(privateKey)', () => {
  for (const vector of points.valid.pointMultiply) {
    const { P, d, expected } = vector;
    const p = secp.Point.fromHex(P);
    if (expected) {
      deepStrictEqual(p.multiply(hexToNumber(d)).toHex(true), expected);
    } else {
      throws(() => {
        p.multiply(hexToNumber(d)).toHex(true);
      });
    }
  }
  for (const vector of points.invalid.pointMultiply) {
    const { P, d } = vector;
    if (hexToNumber(d) < secp.CURVE.n) {
      throws(() => {
        const p = secp.Point.fromHex(P);
        p.multiply(hexToNumber(d)).toHex(true);
      });
    }
  }
  for (const num of [0n, 0, -1n, -1, 1.1]) {
    throws(() => secp.Point.BASE.multiply(num));
  }
 });
 // multiply() should equal multiplyUnsafe()
 // should('JacobianPoint#multiplyUnsafe', () => {
 //   const p0 = new secp.JacobianPoint(
 //     55066263022277343669578718895168534326250603453777594175500187360389116729240n,
 //     32670510020758816978083085130507043184471273380659243275938904335757337482424n,
 //     1n
 //   );
 //   const z = 106011723082030650010038151861333186846790370053628296836951575624442507889495n;
 //   console.log(p0.multiply(z));
 //   console.log(secp.JacobianPoint.normalizeZ([p0.multiplyUnsafe(z)])[0])
 // });
 should('secp256k1.Signature.fromCompactHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
      const sig = new secp.Signature(r, s);
      deepStrictEqual(secp.Signature.fromCompact(sig.toCompactHex()), sig);
    })
  );
 });
 should('secp256k1.Signature.fromDERHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
      const sig = new secp.Signature(r, s);
      deepStrictEqual(secp.Signature.fromDER(sig.toDERHex()), sig);
    })
  );
 });
 should('secp256k1.sign()/should create deterministic signatures with RFC 6979', () => {
  for (const vector of ecdsa.valid) {
    let usig = secp.sign(vector.m, vector.d);
    let sig = usig.toCompactHex();
    const vsig = vector.signature;
    deepStrictEqual(sig.slice(0, 64), vsig.slice(0, 64));
    deepStrictEqual(sig.slice(64, 128), vsig.slice(64, 128));
  }
 });
 should('secp256k1.sign()/should not create invalid deterministic signatures with RFC 6979', () => {
  for (const vector of ecdsa.invalid.sign) {
    throws(() => secp.sign(vector.m, vector.d));
  }
 });
 should('secp256k1.sign()/edge cases', () => {
  throws(() => secp.sign());
  throws(() => secp.sign(''));
 });
 should('secp256k1.sign()/should create correct DER encoding against libsecp256k1', () => {
  const CASES = [
    [
      'd1a9dc8ed4e46a6a3e5e594615ca351d7d7ef44df1e4c94c1802f3592183794b',
      '304402203de2559fccb00c148574997f660e4d6f40605acc71267ee38101abf15ff467af02200950abdf40628fd13f547792ba2fc544681a485f2fdafb5c3b909a4df7350e6b',
    ],
    [
      '5f97983254982546d3976d905c6165033976ee449d300d0e382099fa74deaf82',
      '3045022100c046d9ff0bd2845b9aa9dff9f997ecebb31e52349f80fe5a5a869747d31dcb88022011f72be2a6d48fe716b825e4117747b397783df26914a58139c3f4c5cbb0e66c',
    ],
    [
      '0d7017a96b97cd9be21cf28aada639827b2814a654a478c81945857196187808',
      '3045022100d18990bba7832bb283e3ecf8700b67beb39acc73f4200ed1c331247c46edccc602202e5c8bbfe47ae159512c583b30a3fa86575cddc62527a03de7756517ae4c6c73',
    ],
  ];
  const privKey = hexToBytes('0101010101010101010101010101010101010101010101010101010101010101');
  for (const [msg, exp] of CASES) {
    const res = secp.sign(msg, privKey, { extraEntropy: undefined });
    deepStrictEqual(res.toDERHex(), exp);
    const rs = secp.Signature.fromDER(res.toDERHex()).toCompactHex();
    deepStrictEqual(secp.Signature.fromCompact(rs).toDERHex(), exp);
  }
 });
 should('secp256k1.sign()/sign ecdsa extraData', () => {
  const ent1 = '0000000000000000000000000000000000000000000000000000000000000000';
  const ent2 = '0000000000000000000000000000000000000000000000000000000000000001';
  const ent3 = '6e723d3fd94ed5d2b6bdd4f123364b0f3ca52af829988a63f8afe91d29db1c33';
  const ent4 = 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141';
  const ent5 = 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff';
  for (const e of ecdsa.extraEntropy) {
    const sign = (extraEntropy) => {
      const s = secp.sign(e.m, e.d, { extraEntropy }).toCompactHex();
      return s;
    };
    deepStrictEqual(sign(), e.signature);
    deepStrictEqual(sign(ent1), e.extraEntropy0);
    deepStrictEqual(sign(ent2), e.extraEntropy1);
    deepStrictEqual(sign(ent3), e.extraEntropyRand);
    deepStrictEqual(sign(ent4), e.extraEntropyN);
    deepStrictEqual(sign(ent5), e.extraEntropyMax);
  }
 });
 should('secp256k1.verify()/should verify signature', () => {
  const MSG = '01'.repeat(32);
  const PRIV_KEY = 0x2n;
  const signature = secp.sign(MSG, PRIV_KEY);
  const publicKey = secp.getPublicKey(PRIV_KEY);
  deepStrictEqual(publicKey.length, 65);
  deepStrictEqual(secp.verify(signature, MSG, publicKey), true);
 });
 should('secp256k1.verify()/should not verify signature with wrong public key', () => {
  const MSG = '01'.repeat(32);
  const PRIV_KEY = 0x2n;
  const WRONG_PRIV_KEY = 0x22n;
  const signature = secp.sign(MSG, PRIV_KEY);
  const publicKey = secp.Point.fromPrivateKey(WRONG_PRIV_KEY).toHex();
  deepStrictEqual(publicKey.length, 130);
  deepStrictEqual(secp.verify(signature, MSG, publicKey), false);
 });
 should('secp256k1.verify()/should not verify signature with wrong hash', () => {
  const MSG = '01'.repeat(32);
  const PRIV_KEY = 0x2n;
  const WRONG_MSG = '11'.repeat(32);
  const signature = secp.sign(MSG, PRIV_KEY);
  const publicKey = secp.getPublicKey(PRIV_KEY);
  deepStrictEqual(publicKey.length, 65);
  deepStrictEqual(secp.verify(signature, WRONG_MSG, publicKey), false);
 });
 should('secp256k1.verify()/should verify random signatures', () =>
  fc.assert(
    fc.property(FC_BIGINT, fc.hexaString({ minLength: 64, maxLength: 64 }), (privKey, msg) => {
      const pub = secp.getPublicKey(privKey);
      const sig = secp.sign(msg, privKey);
      deepStrictEqual(secp.verify(sig, msg, pub), true);
    })
  )
 );
 should('secp256k1.verify()/should not verify signature with invalid r/s', () => {
  const msg = new Uint8Array([
    0xbb, 0x5a, 0x52, 0xf4, 0x2f, 0x9c, 0x92, 0x61, 0xed, 0x43, 0x61, 0xf5, 0x94, 0x22, 0xa1, 0xe3,
    0x00, 0x36, 0xe7, 0xc3, 0x2b, 0x27, 0x0c, 0x88, 0x07, 0xa4, 0x19, 0xfe, 0xca, 0x60, 0x50, 0x23,
  ]);
  const x = 100260381870027870612475458630405506840396644859280795015145920502443964769584n;
  const y = 41096923727651821103518389640356553930186852801619204169823347832429067794568n;
  const r = 1n;
  const s = 115792089237316195423570985008687907852837564279074904382605163141518162728904n;
  const pub = new secp.Point(x, y);
  const signature = new secp.Signature(2n, 2n);
  signature.r = r;
  signature.s = s;
  const verified = secp.verify(signature, msg, pub);
  // Verifies, but it shouldn't, because signature S > curve order
  deepStrictEqual(verified, false);
 });
 should('secp256k1.verify()/should not verify msg = curve order', () => {
  const msg = 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141';
  const x = 55066263022277343669578718895168534326250603453777594175500187360389116729240n;
  const y = 32670510020758816978083085130507043184471273380659243275938904335757337482424n;
  const r = 104546003225722045112039007203142344920046999340768276760147352389092131869133n;
  const s = 96900796730960181123786672629079577025401317267213807243199432755332205217369n;
  const pub = new secp.Point(x, y);
  const sig = new secp.Signature(r, s);
  deepStrictEqual(secp.verify(sig, msg, pub), false);
 });
 should('secp256k1.verify()/should verify non-strict msg bb5a...', () => {
  const msg = 'bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca605023';
  const x = 3252872872578928810725465493269682203671229454553002637820453004368632726370n;
  const y = 17482644437196207387910659778872952193236850502325156318830589868678978890912n;
  const r = 432420386565659656852420866390673177323n;
  const s = 115792089237316195423570985008687907852837564279074904382605163141518161494334n;
  const pub = new secp.Point(x, y);
  const sig = new secp.Signature(r, s);
  deepStrictEqual(secp.verify(sig, msg, pub, { strict: false }), true);
 });
 should(
  'secp256k1.verify()/should not verify invalid deterministic signatures with RFC 6979',
  () => {
    for (const vector of ecdsa.invalid.verify) {
      const res = secp.verify(vector.signature, vector.m, vector.Q);
      deepStrictEqual(res, false);
    }
  }
 );
 // index,secret key,public key,aux_rand,message,signature,verification result,comment
 const vectors = schCsv
  .split('\n')
  .map((line) => line.split(','))
  .slice(1, -1);
 for (let vec of vectors) {
  const [index, sec, pub, rnd, msg, expSig, passes, comment] = vec;
  should(`sign with Schnorr scheme vector ${index}`, () => {
    if (sec) {
      deepStrictEqual(hex(schnorr.getPublicKey(sec)), pub.toLowerCase());
      const sig = schnorr.sign(msg, sec, rnd);
      deepStrictEqual(hex(sig), expSig.toLowerCase());
      deepStrictEqual(schnorr.verify(sig, msg, pub), true);
    } else {
      const passed = schnorr.verify(expSig, msg, pub);
      deepStrictEqual(passed, passes === 'TRUE');
    }
  });
 }
 should('secp256k1.recoverPublicKey()/should recover public key from recovery bit', () => {
  const message = '00000000000000000000000000000000000000000000000000000000deadbeef';
  const privateKey = 123456789n;
  const publicKey = secp.Point.fromHex(secp.getPublicKey(privateKey)).toHex(false);
  const sig = secp.sign(message, privateKey);
  const recoveredPubkey = sig.recoverPublicKey(message);
  // const recoveredPubkey = secp.recoverPublicKey(message, signature, recovery);
  deepStrictEqual(recoveredPubkey !== null, true);
  deepStrictEqual(recoveredPubkey.toHex(), publicKey);
  deepStrictEqual(secp.verify(sig, message, publicKey), true);
 });
 should('secp256k1.recoverPublicKey()/should not recover zero points', () => {
  const msgHash = '6b8d2c81b11b2d699528dde488dbdf2f94293d0d33c32e347f255fa4a6c1f0a9';
  const sig =
    '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f817986b8d2c81b11b2d699528dde488dbdf2f94293d0d33c32e347f255fa4a6c1f0a9';
  const recovery = 0;
  throws(() => secp.recoverPublicKey(msgHash, sig, recovery));
 });
 should('secp256k1.recoverPublicKey()/should handle all-zeros msghash', () => {
  const privKey = secp.utils.randomPrivateKey();
  const pub = secp.getPublicKey(privKey);
  const zeros = '0000000000000000000000000000000000000000000000000000000000000000';
  const sig = secp.sign(zeros, privKey, { recovered: true });
  const recoveredKey = sig.recoverPublicKey(zeros);
  deepStrictEqual(recoveredKey.toRawBytes(), pub);
 });
 should('secp256k1.recoverPublicKey()/should handle RFC 6979 vectors', () => {
  for (const vector of ecdsa.valid) {
    if (secp.utils.mod(hexToNumber(vector.m), secp.CURVE.n) === 0n) continue;
    let usig = secp.sign(vector.m, vector.d);
    let sig = usig.toDERHex();
    const vpub = secp.getPublicKey(vector.d);
    const recovered = usig.recoverPublicKey(vector.m);
    deepStrictEqual(recovered.toHex(), hex(vpub));
  }
 });
 // TODO: Real implementation.
 function derToPub(der) {
  return der.slice(46);
 }
 should('secp256k1.getSharedSecret()/should produce correct results', () => {
  // TODO: Once der is there, run all tests.
  for (const vector of ecdh.testGroups[0].tests.slice(0, 230)) {
    if (vector.result === 'invalid' || vector.private.length !== 64) {
      // We support eth-like hexes
      if (vector.private.length < 64) continue;
      throws(() => {
        secp.getSharedSecret(vector.private, derToPub(vector.public), true);
      });
    } else if (vector.result === 'valid') {
      const res = secp.getSharedSecret(vector.private, derToPub(vector.public), true);
      deepStrictEqual(hex(res.slice(1)), `${vector.shared}`);
    }
  }
 });
 should('secp256k1.getSharedSecret()/priv/pub order matters', () => {
  for (const vector of ecdh.testGroups[0].tests.slice(0, 100)) {
    if (vector.result === 'valid') {
      let priv = vector.private;
      priv = priv.length === 66 ? priv.slice(2) : priv;
      throws(() => secp.getSharedSecret(derToPub(vector.public), priv, true));
    }
  }
 });
 should('secp256k1.getSharedSecret()/rejects invalid keys', () => {
  throws(() => secp.getSharedSecret('01', '02'));
 });
 should('secp256k1.utils.isValidPrivateKey()', () => {
  for (const vector of privates.valid.isPrivate) {
    const { d, expected } = vector;
    deepStrictEqual(secp.utils.isValidPrivateKey(d), expected);
  }
 });
 const normal = secp.utils._normalizePrivateKey;
 const tweakUtils = {
  privateAdd: (privateKey, tweak) => {
    const p = normal(privateKey);
    const t = normal(tweak);
    return secp.utils._bigintToBytes(secp.utils.mod(p + t, secp.CURVE.n));
  },
  privateNegate: (privateKey) => {
    const p = normal(privateKey);
    return secp.utils._bigintToBytes(secp.CURVE.n - p);
  },
  pointAddScalar: (p, tweak, isCompressed) => {
    const P = secp.Point.fromHex(p);
    const t = normal(tweak);
    const Q = secp.Point.BASE.multiplyAndAddUnsafe(P, t, 1n);
    if (!Q) throw new Error('Tweaked point at infinity');
    return Q.toRawBytes(isCompressed);
  },
  pointMultiply: (p, tweak, isCompressed) => {
    const P = secp.Point.fromHex(p);
    const h = typeof tweak === 'string' ? tweak : bytesToHex(tweak);
    const t = BigInt(`0x${h}`);
    return P.multiply(t).toRawBytes(isCompressed);
  },
 };
 should('secp256k1.privateAdd()', () => {
  for (const vector of privates.valid.add) {
    const { a, b, expected } = vector;
    deepStrictEqual(bytesToHex(tweakUtils.privateAdd(a, b)), expected);
  }
 });
 should('secp256k1.privateNegate()', () => {
  for (const vector of privates.valid.negate) {
    const { a, expected } = vector;
    deepStrictEqual(bytesToHex(tweakUtils.privateNegate(a)), expected);
  }
 });
 should('secp256k1.pointAddScalar()', () => {
  for (const vector of points.valid.pointAddScalar) {
    const { description, P, d, expected } = vector;
    const compressed = !!expected && expected.length === 66; // compressed === 33 bytes
    deepStrictEqual(bytesToHex(tweakUtils.pointAddScalar(P, d, compressed)), expected);
  }
 });
 should('secp256k1.pointAddScalar() invalid', () => {
  for (const vector of points.invalid.pointAddScalar) {
    const { P, d, exception } = vector;
    throws(() => tweakUtils.pointAddScalar(P, d));
  }
 });
 should('secp256k1.pointMultiply()', () => {
  for (const vector of points.valid.pointMultiply) {
    const { P, d, expected } = vector;
    deepStrictEqual(bytesToHex(tweakUtils.pointMultiply(P, d, true)), expected);
  }
 });
 should('secp256k1.pointMultiply() invalid', () => {
  for (const vector of points.invalid.pointMultiply) {
    const { P, d, exception } = vector;
    throws(() => tweakUtils.pointMultiply(P, d));
  }
 });
 should('secp256k1.wychenproof vectors', () => {
  for (let group of wp.testGroups) {
    const pubKey = secp.Point.fromHex(group.key.uncompressed);
    for (let test of group.tests) {
      const m = secp.CURVE.hash(hexToBytes(test.msg));
      if (test.result === 'valid' || test.result === 'acceptable') {
        const verified = secp.verify(test.sig, m, pubKey);
        if (secp.Signature.fromDER(test.sig).hasHighS()) {
          deepStrictEqual(verified, false);
        } else {
          deepStrictEqual(verified, true);
        }
      } else if (test.result === 'invalid') {
        let failed = false;
        try {
          const verified = secp.verify(test.sig, m, pubKey);
          if (!verified) failed = true;
        } catch (error) {
          failed = true;
        }
        deepStrictEqual(failed, true);
      } else {
        deepStrictEqual(false, true);
      }
    }
  }
 });
 should.run();
--- a/curve-definitions/test/stark/basic.test.js
+++ b/curve-definitions/test/stark/basic.test.js
@@ -1,200 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as starknet from '../../lib/stark.js';
 import { default as issue2 } from './fixtures/issue2.json' assert { type: 'json' };
 should('Basic elliptic sanity check', () => {
  const g1 = starknet.Point.BASE;
  deepStrictEqual(
    g1.x.toString(16),
    '1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca'
  );
  deepStrictEqual(
    g1.y.toString(16),
    '5668060aa49730b7be4801df46ec62de53ecd11abe43a32873000c36e8dc1f'
  );
  const g2 = g1.double();
  deepStrictEqual(
    g2.x.toString(16),
    '759ca09377679ecd535a81e83039658bf40959283187c654c5416f439403cf5'
  );
  deepStrictEqual(
    g2.y.toString(16),
    '6f524a3400e7708d5c01a28598ad272e7455aa88778b19f93b562d7a9646c41'
  );
  const g3 = g2.add(g1);
  deepStrictEqual(
    g3.x.toString(16),
    '411494b501a98abd8262b0da1351e17899a0c4ef23dd2f96fec5ba847310b20'
  );
  deepStrictEqual(
    g3.y.toString(16),
    '7e1b3ebac08924d2c26f409549191fcf94f3bf6f301ed3553e22dfb802f0686'
  );
  const g32 = g1.multiply(3);
  deepStrictEqual(
    g32.x.toString(16),
    '411494b501a98abd8262b0da1351e17899a0c4ef23dd2f96fec5ba847310b20'
  );
  deepStrictEqual(
    g32.y.toString(16),
    '7e1b3ebac08924d2c26f409549191fcf94f3bf6f301ed3553e22dfb802f0686'
  );
  const minus1 = g1.multiply(starknet.CURVE.n - 1n);
  deepStrictEqual(
    minus1.x.toString(16),
    '1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca'
  );
  deepStrictEqual(
    minus1.y.toString(16),
    '7a997f9f55b68e04841b7fe20b9139d21ac132ee541bc5cd78cfff3c91723e2'
  );
 });
 should('Pedersen', () => {
  deepStrictEqual(
    starknet.pedersen(2, 3),
    '0x5774fa77b3d843ae9167abd61cf80365a9b2b02218fc2f628494b5bdc9b33b8'
  );
  deepStrictEqual(
    starknet.pedersen(1, 2),
    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
  );
  deepStrictEqual(
    starknet.pedersen(3, 4),
    '0x262697b88544f733e5c6907c3e1763131e9f14c51ee7951258abbfb29415fbf'
  );
 });
 should('Hash chain', () => {
  deepStrictEqual(
    starknet.hashChain([1, 2, 3]),
    '0x5d9d62d4040b977c3f8d2389d494e4e89a96a8b45c44b1368f1cc6ec5418915'
  );
 });
 should('Pedersen hash edgecases', () => {
  // >>> pedersen_hash(0,0)
  const zero = '0x49ee3eba8c1600700ee1b87eb599f16716b0b1022947733551fde4050ca6804';
  deepStrictEqual(starknet.pedersen(0, 0), zero);
  deepStrictEqual(starknet.pedersen(0n, 0n), zero);
  deepStrictEqual(starknet.pedersen('0', '0'), zero);
  deepStrictEqual(starknet.pedersen('0x0', '0x0'), zero);
  // >>> pedersen_hash(3618502788666131213697322783095070105623107215331596699973092056135872020475,3618502788666131213697322783095070105623107215331596699973092056135872020475)
  // 3226051580231087455100099637526672350308978851161639703631919449959447036451
  const big = 3618502788666131213697322783095070105623107215331596699973092056135872020475n;
  const bigExp = '0x721e167a36655994e88efa865e2ed8a0488d36db4d988fec043cda755728223';
  deepStrictEqual(starknet.pedersen(big, big), bigExp);
  // >= FIELD
  const big2 = 36185027886661312136973227830950701056231072153315966999730920561358720204751n;
  throws(() => starknet.pedersen(big2, big2), 'big2');
  // FIELD -1
  const big3 = 3618502788666131213697322783095070105623107215331596699973092056135872020480n;
  const big3exp = '0x7258fccaf3371fad51b117471d9d888a1786c5694c3e6099160477b593a576e';
  deepStrictEqual(starknet.pedersen(big3, big3), big3exp, 'big3');
  // FIELD
  const big4 = 3618502788666131213697322783095070105623107215331596699973092056135872020481n;
  throws(() => starknet.pedersen(big4, big4), 'big4');
  throws(() => starknet.pedersen(-1, -1), 'neg');
  throws(() => starknet.pedersen(false, false), 'false');
  throws(() => starknet.pedersen(true, true), 'true');
  throws(() => starknet.pedersen(10.1, 10.1), 'float');
 });
 should('hashChain edgecases', () => {
  deepStrictEqual(starknet.hashChain([32312321312321312312312321n]), '0x1aba6672c014b4838cc201');
  deepStrictEqual(
    starknet.hashChain([1n, 2n]),
    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
  );
  deepStrictEqual(
    starknet.hashChain([1, 2]),
    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
  );
  throws(() => starknet.hashChain([]));
  throws(() => starknet.hashChain('123'));
  deepStrictEqual(
    starknet.hashChain([1, 2]),
    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
  );
 });
 should('Pedersen hash, issue #2', () => {
  // Verified with starnet.js
  deepStrictEqual(
    starknet.computeHashOnElements(issue2),
    '0x22064462ea33a6ce5272a295e0f551c5da3834f80d8444e7a4df68190b1bc42'
  );
  deepStrictEqual(
    starknet.computeHashOnElements([]),
    '0x49ee3eba8c1600700ee1b87eb599f16716b0b1022947733551fde4050ca6804'
  );
  deepStrictEqual(
    starknet.computeHashOnElements([1]),
    '0x78d74f61aeaa8286418fd34b3a12a610445eba11d00ecc82ecac2542d55f7a4'
  );
 });
 import * as bip32 from '@scure/bip32';
 import * as bip39 from '@scure/bip39';
 should('Seed derivation (example)', () => {
  const layer = 'starkex';
  const application = 'starkdeployement';
  const mnemonic =
    'range mountain blast problem vibrant void vivid doctor cluster enough melody ' +
    'salt layer language laptop boat major space monkey unit glimpse pause change vibrant';
  const ethAddress = '0xa4864d977b944315389d1765ffa7e66F74ee8cd7';
  const hdKey = bip32.HDKey.fromMasterSeed(bip39.mnemonicToSeedSync(mnemonic)).derive(
    starknet.getAccountPath(layer, application, ethAddress, 0)
  );
  deepStrictEqual(
    starknet.grindKey(hdKey.privateKey),
    '6cf0a8bf113352eb863157a45c5e5567abb34f8d32cddafd2c22aa803f4892c'
  );
 });
 should('Compressed keys', () => {
  const G = starknet.Point.BASE;
  const half = starknet.CURVE.n / 2n;
  const last = starknet.CURVE.n;
  const vectors = [
    1,
    2,
    3,
    4,
    5,
    half - 5n,
    half - 4n,
    half - 3n,
    half - 2n,
    half - 1n,
    half,
    half + 1n,
    half + 2n,
    half + 3n,
    half + 4n,
    half + 5n,
    last - 5n,
    last - 4n,
    last - 3n,
    last - 2n,
    last - 1n,
  ].map((i) => G.multiply(i));
  const fixPoint = (pt) => ({ ...pt, _WINDOW_SIZE: undefined });
  for (const v of vectors) {
    const uncompressed = v.toHex();
    const compressed = v.toHex(true);
    const exp = fixPoint(v);
    deepStrictEqual(fixPoint(starknet.Point.fromHex(uncompressed)), exp);
    deepStrictEqual(fixPoint(starknet.Point.fromHex(compressed)), exp);
    deepStrictEqual(starknet.Point.fromHex(compressed).toHex(), uncompressed);
  }
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/stark/property.test.js
+++ b/curve-definitions/test/stark/property.test.js
@@ -1,51 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as starknet from '../../lib/stark.js';
 import * as fc from 'fast-check';
 const FC_BIGINT = fc.bigInt(1n + 1n, starknet.CURVE.n - 1n);
 should('Point#toHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, (x) => {
      const point1 = starknet.Point.fromPrivateKey(x);
      const hex = point1.toHex(true);
      deepStrictEqual(starknet.Point.fromHex(hex).toHex(true), hex);
    })
  );
 });
 should('Signature.fromCompactHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
      const sig = new starknet.Signature(r, s);
      deepStrictEqual(starknet.Signature.fromCompact(sig.toCompactHex()), sig);
    })
  );
 });
 should('Signature.fromDERHex() roundtrip', () => {
  fc.assert(
    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
      const sig = new starknet.Signature(r, s);
      deepStrictEqual(starknet.Signature.fromDER(sig.toDERHex()), sig);
    })
  );
 });
 should('verify()/should verify random signatures', () =>
  fc.assert(
    fc.asyncProperty(FC_BIGINT, fc.hexaString({ minLength: 64, maxLength: 64 }), (privNum, msg) => {
      const privKey = privNum.toString(16).padStart(64, '0');
      const pub = starknet.getPublicKey(privKey);
      const sig = starknet.sign(msg, privKey);
      deepStrictEqual(starknet.verify(sig, msg, pub), true);
    })
  )
 );
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/stark/stark.test.js
+++ b/curve-definitions/test/stark/stark.test.js
@@ -1,286 +0,0 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import { hex, utf8 } from '@scure/base';
 import * as bip32 from '@scure/bip32';
 import * as bip39 from '@scure/bip39';
 import * as starknet from '../../lib/stark.js';
 import { default as sigVec } from './fixtures/rfc6979_signature_test_vector.json' assert { type: 'json' };
 import { default as precomputedKeys } from './fixtures/keys_precomputed.json' assert { type: 'json' };
 should('Starknet keccak', () => {
  const value = starknet.keccak(utf8.decode('hello'));
  deepStrictEqual(value, 0x8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8n);
  deepStrictEqual(value < 2n ** 250n, true);
 });
 should('RFC6979', () => {
  for (const msg of sigVec.messages) {
    const { r, s } = starknet.sign(msg.hash, sigVec.private_key);
    // const { r, s } = starknet.Signature.fromDER(sig);
    deepStrictEqual(r.toString(10), msg.r);
    deepStrictEqual(s.toString(10), msg.s);
  }
 });
 should('Signatures', () => {
  const vectors = [
    {
      // Message hash of length 61.
      msg: 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47',
      r: '5f496f6f210b5810b2711c74c15c05244dad43d18ecbbdbe6ed55584bc3b0a2',
      s: '4e8657b153787f741a67c0666bad6426c3741b478c8eaa3155196fc571416f3',
    },
    {
      // Message hash of length 61, with leading zeros.
      msg: '00c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47',
      r: '5f496f6f210b5810b2711c74c15c05244dad43d18ecbbdbe6ed55584bc3b0a2',
      s: '4e8657b153787f741a67c0666bad6426c3741b478c8eaa3155196fc571416f3',
    },
    {
      // Message hash of length 62.
      msg: 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47a',
      r: '233b88c4578f0807b4a7480c8076eca5cfefa29980dd8e2af3c46a253490e9c',
      s: '28b055e825bc507349edfb944740a35c6f22d377443c34742c04e0d82278cf1',
    },
    {
      // Message hash of length 63.
      msg: '7465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47a1',
      r: 'b6bee8010f96a723f6de06b5fa06e820418712439c93850dd4e9bde43ddf',
      s: '1a3d2bc954ed77e22986f507d68d18115fa543d1901f5b4620db98e2f6efd80',
    },
  ];
  const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
  const publicKey = starknet.getPublicKey(privateKey);
  for (const v of vectors) {
    const sig = starknet.sign(v.msg, privateKey);
    const { r, s } = sig;
    // const { r, s } = starknet.Signature.fromDER(sig);
    deepStrictEqual(r.toString(16), v.r, 'r equality');
    deepStrictEqual(s.toString(16), v.s, 's equality');
    deepStrictEqual(starknet.verify(sig, v.msg, publicKey), true, 'verify');
  }
 });
 should('Invalid signatures', () => {
  /*
  it('should not verify invalid signature inputs lengths', () => {
    const ecOrder = starkwareCrypto.ec.n;
    const {maxEcdsaVal} = starkwareCrypto;
    const maxMsgHash = maxEcdsaVal.sub(oneBn);
    const maxR = maxEcdsaVal.sub(oneBn);
    const maxS = ecOrder.sub(oneBn).sub(oneBn);
    const maxStarkKey = maxEcdsaVal.sub(oneBn);
    // Test invalid message length.
    expect(() =>
      starkwareCrypto.verify(maxStarkKey, maxMsgHash.add(oneBn).toString(16), {
        r: maxR,
        s: maxS
      })
    ).to.throw('Message not signable, invalid msgHash length.');
    // Test invalid r length.
    expect(() =>
      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
        r: maxR.add(oneBn),
        s: maxS
      })
    ).to.throw('Message not signable, invalid r length.');
    // Test invalid w length.
    expect(() =>
      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
        r: maxR,
        s: maxS.add(oneBn)
      })
    ).to.throw('Message not signable, invalid w length.');
    // Test invalid s length.
    expect(() =>
      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
        r: maxR,
        s: maxS.add(oneBn).add(oneBn)
      })
    ).to.throw('Message not signable, invalid s length.');
  });
  it('should not verify invalid signatures', () => {
    const privKey = generateRandomStarkPrivateKey();
    const keyPair = starkwareCrypto.ec.keyFromPrivate(privKey, 'hex');
    const keyPairPub = starkwareCrypto.ec.keyFromPublic(
      keyPair.getPublic(),
      'BN'
    );
    const msgHash = new BN(randomHexString(61));
    const msgSignature = starkwareCrypto.sign(keyPair, msgHash);
    // Test invalid public key.
    const invalidKeyPairPub = starkwareCrypto.ec.keyFromPublic(
      {x: keyPairPub.pub.getX().add(oneBn), y: keyPairPub.pub.getY()},
      'BN'
    );
    expect(
      starkwareCrypto.verify(
        invalidKeyPairPub,
        msgHash.toString(16),
        msgSignature
      )
    ).to.be.false;
    // Test invalid message.
    expect(
      starkwareCrypto.verify(
        keyPair,
        msgHash.add(oneBn).toString(16),
        msgSignature
      )
    ).to.be.false;
    expect(
      starkwareCrypto.verify(
        keyPairPub,
        msgHash.add(oneBn).toString(16),
        msgSignature
      )
    ).to.be.false;
    // Test invalid r.
    msgSignature.r.iadd(oneBn);
    expect(starkwareCrypto.verify(keyPair, msgHash.toString(16), msgSignature))
      .to.be.false;
    expect(
      starkwareCrypto.verify(keyPairPub, msgHash.toString(16), msgSignature)
    ).to.be.false;
    // Test invalid s.
    msgSignature.r.isub(oneBn);
    msgSignature.s.iadd(oneBn);
    expect(starkwareCrypto.verify(keyPair, msgHash.toString(16), msgSignature))
      .to.be.false;
    expect(
      starkwareCrypto.verify(keyPairPub, msgHash.toString(16), msgSignature)
    ).to.be.false;
  });
 });
  */
 });
 should('Pedersen', () => {
  deepStrictEqual(
    starknet.pedersen(
      '0x3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
      '0x208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
    ),
    '0x30e480bed5fe53fa909cc0f8c4d99b8f9f2c016be4c41e13a4848797979c662'
  );
  deepStrictEqual(
    starknet.pedersen(
      '0x58f580910a6ca59b28927c08fe6c43e2e303ca384badc365795fc645d479d45',
      '0x78734f65a067be9bdb39de18434d71e79f7b6466a4b66bbd979ab9e7515fe0b'
    ),
    '0x68cc0b76cddd1dd4ed2301ada9b7c872b23875d5ff837b3a87993e0d9996b87'
  );
 });
 should('Hash chain', () => {
  deepStrictEqual(starknet.hashChain([1, 2, 3]), starknet.pedersen(1, starknet.pedersen(2, 3)));
 });
 should('Key grinding', () => {
  deepStrictEqual(
    starknet.grindKey('86F3E7293141F20A8BAFF320E8EE4ACCB9D4A4BF2B4D295E8CEE784DB46E0519'),
    '5c8c8683596c732541a59e03007b2d30dbbbb873556fe65b5fb63c16688f941'
  );
  // Loops more than once (verified manually)
  deepStrictEqual(
    starknet.grindKey('94F3E7293141F20A8BAFF320E8EE4ACCB9D4A4BF2B4D295E8CEE784DB46E0595'),
    '33880b9aba464c1c01c9f8f5b4fc1134698f9b0a8d18505cab6cdd34d93dc02'
  );
 });
 should('Private to stark key', () => {
  deepStrictEqual(
    starknet.getStarkKey('0x178047D3869489C055D7EA54C014FFB834A069C9595186ABE04EA4D1223A03F'),
    '0x1895a6a77ae14e7987b9cb51329a5adfb17bd8e7c638f92d6892d76e51cebcf'
  );
  for (const [privKey, expectedPubKey] of Object.entries(precomputedKeys)) {
    deepStrictEqual(starknet.getStarkKey(privKey), expectedPubKey);
  }
 });
 should('Private stark key from eth signature', () => {
  const ethSignature =
    '0x21fbf0696d5e0aa2ef41a2b4ffb623bcaf070461d61cf7251c74161f82fec3a43' +
    '70854bc0a34b3ab487c1bc021cd318c734c51ae29374f2beb0e6f2dd49b4bf41c';
  deepStrictEqual(
    starknet.ethSigToPrivate(ethSignature),
    '766f11e90cd7c7b43085b56da35c781f8c067ac0d578eabdceebc4886435bda'
  );
 });
 should('Key derivation', () => {
  const layer = 'starkex';
  const application = 'starkdeployement';
  const mnemonic =
    'range mountain blast problem vibrant void vivid doctor cluster enough melody ' +
    'salt layer language laptop boat major space monkey unit glimpse pause change vibrant';
  const ethAddress = '0xa4864d977b944315389d1765ffa7e66F74ee8cd7';
  const VECTORS = [
    {
      index: 0,
      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/0",
      privateKey: '6cf0a8bf113352eb863157a45c5e5567abb34f8d32cddafd2c22aa803f4892c',
    },
    {
      index: 7,
      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/7",
      privateKey: '341751bdc42841da35ab74d13a1372c1f0250617e8a2ef96034d9f46e6847af',
    },
    {
      index: 598,
      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/598",
      privateKey: '41a4d591a868353d28b7947eb132aa4d00c4a022743689ffd20a3628d6ca28c',
    },
  ];
  const hd = bip32.HDKey.fromMasterSeed(bip39.mnemonicToSeedSync(mnemonic));
  for (const { index, path, privateKey } of VECTORS) {
    const realPath = starknet.getAccountPath(layer, application, ethAddress, index);
    deepStrictEqual(realPath, path);
    deepStrictEqual(starknet.grindKey(hd.derive(realPath).privateKey), privateKey);
  }
 });
 // Verified against starknet.js
 should('Starknet.js cross-tests', () => {
  const privateKey = '0x019800ea6a9a73f94aee6a3d2edf018fc770443e90c7ba121e8303ec6b349279';
  // NOTE: there is no compressed keys here, getPubKey returns stark-key (which is schnorr-like X coordinate)
  // But it is not used in signing/verifying
  deepStrictEqual(
    starknet.getStarkKey(privateKey),
    '0x33f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d99745'
  );
  const msgHash = '0x6d1706bd3d1ba7c517be2a2a335996f63d4738e2f182144d078a1dd9997062e';
  const sig = starknet.sign(msgHash, privateKey);
  const { r, s } = (sig);
  deepStrictEqual(
    r.toString(),
    '1427981024487605678086498726488552139932400435436186597196374630267616399345'
  );
  deepStrictEqual(
    s.toString(),
    '1853664302719670721837677288395394946745467311923401353018029119631574115563'
  );
  const hashMsg2 = starknet.pedersen(
    '0x33f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d99745',
    '1'
  );
  deepStrictEqual(hashMsg2, '0x2b0d4d43acce8ff68416f667f92ec7eab2b96f1d2224abd4d9d4d1e7fa4bb00');
  const pubKey =
    '04033f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d997450319d0f53f6ca077c4fa5207819144a2a4165daef6ee47a7c1d06c0dcaa3e456';
  const sig2 = new starknet.Signature(
    558858382392827003930138586379728730695763862039474863361948210004201119180n,
    2440689354481625417078677634625227600823892606910345662891037256374285369343n
  );
  deepStrictEqual(starknet.verify(sig2.toDERHex(), hashMsg2, pubKey), true);
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/tsconfig.esm.json
+++ b/curve-definitions/tsconfig.esm.json
@@ -1,25 +0,0 @@
 {
  "compilerOptions": {
    "strict": true,
    "declaration": true,
    "declarationMap": true,
    "target": "es2020",
    "lib": [
      "es2020",
      "dom"
    ],
    "module": "es6",
    "moduleResolution": "node16",
    "outDir": "lib/esm",
    "noImplicitAny": true,
    "preserveConstEnums": true,
    "baseUrl": ".",
  },
  "include": [
    "src",
  ],
  "exclude": [
    "node_modules",
    "lib"
  ]
 }
--- a/curve-definitions/tsconfig.json
+++ b/curve-definitions/tsconfig.json
@@ -1,25 +0,0 @@
 {
  "compilerOptions": {
    "strict": true,
    "declaration": true,
    "declarationMap": true,
    "target": "es2020",
    "lib": [
      "es2020",
      "dom"
    ],
    "module": "commonjs",
    "moduleResolution": "node16",
    "outDir": "lib",
    "noImplicitAny": true,
    "preserveConstEnums": true,
    "baseUrl": ".",
  },
  "include": [
    "src",
  ],
  "exclude": [
    "node_modules",
    "lib"
  ]
 }
--- a/index.js
+++ b/index.js
@@ -1 +0,0 @@
 throw new Error('Incorrect usage. Import submodules instead');
--- a/package.json
+++ b/package.json
@@ -1,19 +1,17 @@
 {
  "name": "@noble/curves",
-  "version": "0.4.0",
+  "version": "0.6.1",
-  "description": "Minimal, zero-dependency JS implementation of elliptic curve cryptography",
+  "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
  "files": [
-    "index.js",
+    "lib"
    "lib",
    "lib/esm"
  ],
  "scripts": {
-    "bench": "node curve-definitions/benchmark/index.js",
+    "bench": "cd benchmark; node secp256k1.js; node curves.js; node stark.js; node bls.js",
    "build": "tsc && tsc -p tsconfig.esm.json",
    "build:release": "rollup -c rollup.config.js",
-    "lint": "prettier --check 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
-    "format": "prettier --write 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "format": "prettier --write 'src/**/*.{js,ts}' 'test/*.js'",
-    "test": "cd curve-definitions; node test/index.test.js"
+    "test": "node test/index.test.js"
  },
  "author": "Paul Miller (https://paulmillr.com)",
  "homepage": "https://paulmillr.com/noble/",
@@ -22,65 +20,168 @@
    "url": "https://github.com/paulmillr/noble-curves.git"
  },
  "license": "MIT",
  "dependencies": {
    "@noble/hashes": "1.1.5"
  },
  "devDependencies": {
    "@rollup/plugin-node-resolve": "13.3.0",
-    "micro-bmark": "0.2.0",
+    "@scure/base": "~1.1.1",
-    "micro-should": "0.2.0",
+    "@scure/bip32": "~1.1.1",
-    "prettier": "2.6.2",
+    "@scure/bip39": "~1.1.0",
    "@types/node": "18.11.3",
    "fast-check": "3.0.0",
    "micro-bmark": "0.3.0",
    "micro-should": "0.4.0",
    "prettier": "2.8.3",
    "rollup": "2.75.5",
    "typescript": "4.7.3"
  },
  "main": "index.js",
  "exports": {
-    "./edwards": {
+    ".": {
-      "types": "./lib/edwards.d.ts",
+      "types": "./lib/index.d.ts",
-      "import": "./lib/esm/edwards.js",
+      "import": "./lib/esm/index.js",
-      "default": "./lib/edwards.js"
+      "default": "./lib/index.js"
    },
-    "./modular": {
+    "./abstract/edwards": {
-      "types": "./lib/modular.d.ts",
+      "types": "./lib/abstract/edwards.d.ts",
-      "import": "./lib/esm/modular.js",
+      "import": "./lib/esm/abstract/edwards.js",
-      "default": "./lib/modular.js"
+      "default": "./lib/abstract/edwards.js"
    },
-    "./montgomery": {
+    "./abstract/modular": {
-      "types": "./lib/montgomery.d.ts",
+      "types": "./lib/abstract/modular.d.ts",
-      "import": "./lib/esm/montgomery.js",
+      "import": "./lib/esm/abstract/modular.js",
-      "default": "./lib/montgomery.js"
+      "default": "./lib/abstract/modular.js"
    },
-    "./weierstrass": {
+    "./abstract/montgomery": {
-      "types": "./lib/weierstrass.d.ts",
+      "types": "./lib/abstract/montgomery.d.ts",
-      "import": "./lib/esm/weierstrass.js",
+      "import": "./lib/esm/abstract/montgomery.js",
-      "default": "./lib/weierstrass.js"
+      "default": "./lib/abstract/montgomery.js"
    },
-    "./bls": {
+    "./abstract/weierstrass": {
-      "types": "./lib/bls.d.ts",
+      "types": "./lib/abstract/weierstrass.d.ts",
-      "import": "./lib/esm/bls.js",
+      "import": "./lib/esm/abstract/weierstrass.js",
-      "default": "./lib/bls.js"
+      "default": "./lib/abstract/weierstrass.js"
    },
-    "./hashToCurve": {
+    "./abstract/bls": {
-      "types": "./lib/hashToCurve.d.ts",
+      "types": "./lib/abstract/bls.d.ts",
-      "import": "./lib/esm/hashToCurve.js",
+      "import": "./lib/esm/abstract/bls.js",
-      "default": "./lib/hashToCurve.js"
+      "default": "./lib/abstract/bls.js"
    },
-    "./group": {
+    "./abstract/hash-to-curve": {
-      "types": "./lib/group.d.ts",
+      "types": "./lib/abstract/hash-to-curve.d.ts",
-      "import": "./lib/esm/group.js",
+      "import": "./lib/esm/abstract/hash-to-curve.js",
-      "default": "./lib/group.js"
+      "default": "./lib/abstract/hash-to-curve.js"
    },
-    "./utils": {
+    "./abstract/curve": {
-      "types": "./lib/utils.d.ts",
+      "types": "./lib/abstract/curve.d.ts",
-      "import": "./lib/esm/utils.js",
+      "import": "./lib/esm/abstract/curve.js",
-      "default": "./lib/utils.js"
+      "default": "./lib/abstract/curve.js"
    },
    "./abstract/utils": {
      "types": "./lib/abstract/utils.d.ts",
      "import": "./lib/esm/abstract/utils.js",
      "default": "./lib/abstract/utils.js"
    },
    "./abstract/poseidon": {
      "types": "./lib/abstract/poseidon.d.ts",
      "import": "./lib/esm/abstract/poseidon.js",
      "default": "./lib/abstract/poseidon.js"
    },
    "./_shortw_utils": {
      "types": "./lib/_shortw_utils.d.ts",
      "import": "./lib/esm/_shortw_utils.js",
      "default": "./lib/_shortw_utils.js"
    },
    "./bls12-381": {
      "types": "./lib/bls12-381.d.ts",
      "import": "./lib/esm/bls12-381.js",
      "default": "./lib/bls12-381.js"
    },
    "./bn": {
      "types": "./lib/bn.d.ts",
      "import": "./lib/esm/bn.js",
      "default": "./lib/bn.js"
    },
    "./ed25519": {
      "types": "./lib/ed25519.d.ts",
      "import": "./lib/esm/ed25519.js",
      "default": "./lib/ed25519.js"
    },
    "./ed448": {
      "types": "./lib/ed448.d.ts",
      "import": "./lib/esm/ed448.js",
      "default": "./lib/ed448.js"
    },
    "./index": {
      "types": "./lib/index.d.ts",
      "import": "./lib/esm/index.js",
      "default": "./lib/index.js"
    },
    "./jubjub": {
      "types": "./lib/jubjub.d.ts",
      "import": "./lib/esm/jubjub.js",
      "default": "./lib/jubjub.js"
    },
    "./p192": {
      "types": "./lib/p192.d.ts",
      "import": "./lib/esm/p192.js",
      "default": "./lib/p192.js"
    },
    "./p224": {
      "types": "./lib/p224.d.ts",
      "import": "./lib/esm/p224.js",
      "default": "./lib/p224.js"
    },
    "./p256": {
      "types": "./lib/p256.d.ts",
      "import": "./lib/esm/p256.js",
      "default": "./lib/p256.js"
    },
    "./p384": {
      "types": "./lib/p384.d.ts",
      "import": "./lib/esm/p384.js",
      "default": "./lib/p384.js"
    },
    "./p521": {
      "types": "./lib/p521.d.ts",
      "import": "./lib/esm/p521.js",
      "default": "./lib/p521.js"
    },
    "./pasta": {
      "types": "./lib/pasta.d.ts",
      "import": "./lib/esm/pasta.js",
      "default": "./lib/pasta.js"
    },
    "./secp256k1": {
      "types": "./lib/secp256k1.d.ts",
      "import": "./lib/esm/secp256k1.js",
      "default": "./lib/secp256k1.js"
    },
    "./stark": {
      "types": "./lib/stark.d.ts",
      "import": "./lib/esm/stark.js",
      "default": "./lib/stark.js"
    }
  },
  "keywords": [
    "elliptic",
    "curve",
    "cryptography",
-    "hyperelliptic",
+    "weierstrass",
    "montgomery",
    "edwards",
    "p256",
    "p384",
    "p521",
    "secp256r1",
    "secp256k1",
    "ed25519",
    "ed448",
    "bls12-381",
    "bn254",
    "pasta",
    "bls",
    "nist",
    "ecc",
    "ecdsa",
--- a/curve-definitions/src/_shortw_utils.ts
+++ b/curve-definitions/src/_shortw_utils.ts
@@ -1,7 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { weierstrass, CurveType } from '@noble/curves/weierstrass';
+import { weierstrass, CurveType } from './abstract/weierstrass.js';
-import { CHash } from '@noble/curves/utils';
+import { CHash } from './abstract/utils.js';
 export function getHash(hash: CHash) {
  return {
--- a/src/abstract/bls.ts
+++ b/src/abstract/bls.ts
@@ -0,0 +1,396 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 /**
 * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
 * Implements BLS (Boneh-Lynn-Shacham) signatures.
 * Consists of two curves: G1 and G2:
 * - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
 * - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
 * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
 *   Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
 * Pairing is used to aggregate and verify signatures.
 * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
 * Some projects may prefer to swap this relation, it is not supported for now.
 */
 import { AffinePoint } from './curve.js';
 import { Field, hashToPrivateScalar } from './modular.js';
 import { Hex, PrivKey, CHash, bitLen, bitGet, hexToBytes, bytesToHex } from './utils.js';
 import * as htf from './hash-to-curve.js';
 import {
  CurvePointsType,
  ProjPointType as ProjPointType,
  CurvePointsRes,
  weierstrassPoints,
 } from './weierstrass.js';
 type Fp = bigint; // Can be different field?
 export type SignatureCoder<Fp2> = {
  decode(hex: Hex): ProjPointType<Fp2>;
  encode(point: ProjPointType<Fp2>): Uint8Array;
 };
 export type CurveType<Fp, Fp2, Fp6, Fp12> = {
  r: bigint;
  G1: Omit<CurvePointsType<Fp>, 'n'> & {
    mapToCurve: htf.MapToCurve<Fp>;
    htfDefaults: htf.Opts;
  };
  G2: Omit<CurvePointsType<Fp2>, 'n'> & {
    Signature: SignatureCoder<Fp2>;
    mapToCurve: htf.MapToCurve<Fp2>;
    htfDefaults: htf.Opts;
  };
  x: bigint;
  Fp: Field<Fp>;
  Fr: Field<bigint>;
  Fp2: Field<Fp2> & {
    reim: (num: Fp2) => { re: bigint; im: bigint };
    multiplyByB: (num: Fp2) => Fp2;
    frobeniusMap(num: Fp2, power: number): Fp2;
  };
  Fp6: Field<Fp6>;
  Fp12: Field<Fp12> & {
    frobeniusMap(num: Fp12, power: number): Fp12;
    multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
    conjugate(num: Fp12): Fp12;
    finalExponentiate(num: Fp12): Fp12;
  };
  htfDefaults: htf.Opts;
  hash: CHash; // Because we need outputLen for DRBG
  randomBytes: (bytesLength?: number) => Uint8Array;
 };
 export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
  Fr: Field<bigint>;
  Fp: Field<Fp>;
  Fp2: Field<Fp2>;
  Fp6: Field<Fp6>;
  Fp12: Field<Fp12>;
  G1: CurvePointsRes<Fp>;
  G2: CurvePointsRes<Fp2>;
  Signature: SignatureCoder<Fp2>;
  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
  calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
  // prettier-ignore
  hashToCurve: {
    G1: ReturnType<(typeof htf.hashToCurve<Fp>)>,
    G2: ReturnType<(typeof htf.hashToCurve<Fp2>)>,
  },
  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
  getPublicKey: (privateKey: PrivKey) => Uint8Array;
  sign: {
    (message: Hex, privateKey: PrivKey): Uint8Array;
    (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
  };
  verify: (
    signature: Hex | ProjPointType<Fp2>,
    message: Hex | ProjPointType<Fp2>,
    publicKey: Hex | ProjPointType<Fp>
  ) => boolean;
  aggregatePublicKeys: {
    (publicKeys: Hex[]): Uint8Array;
    (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
  };
  aggregateSignatures: {
    (signatures: Hex[]): Uint8Array;
    (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
  };
  verifyBatch: (
    signature: Hex | ProjPointType<Fp2>,
    messages: (Hex | ProjPointType<Fp2>)[],
    publicKeys: (Hex | ProjPointType<Fp>)[]
  ) => boolean;
  utils: {
    stringToBytes: typeof htf.stringToBytes;
    hashToField: typeof htf.hash_to_field;
    expandMessageXMD: typeof htf.expand_message_xmd;
  };
 };
 export function bls<Fp2, Fp6, Fp12>(
  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>
 ): CurveFn<Fp, Fp2, Fp6, Fp12> {
  // Fields looks pretty specific for curve, so for now we need to pass them with options
  const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
  const BLS_X_LEN = bitLen(CURVE.x);
  const groupLen = 32; // TODO: calculate; hardcoded for now
  // Pre-compute coefficients for sparse multiplication
  // Point addition and point double calculations is reused for coefficients
  function calcPairingPrecomputes(p: AffinePoint<Fp2>) {
    const { x, y } = p;
    // prettier-ignore
    const Qx = x, Qy = y, Qz = Fp2.ONE;
    // prettier-ignore
    let Rx = Qx, Ry = Qy, Rz = Qz;
    let ell_coeff: [Fp2, Fp2, Fp2][] = [];
    for (let i = BLS_X_LEN - 2; i >= 0; i--) {
      // Double
      let t0 = Fp2.sqr(Ry); // Ry²
      let t1 = Fp2.sqr(Rz); // Rz²
      let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
      let t3 = Fp2.mul(t2, 3n); // 3 * T2
      let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
      ell_coeff.push([
        Fp2.sub(t2, t0), // T2 - T0
        Fp2.mul(Fp2.sqr(Rx), 3n), // 3 * Rx²
        Fp2.neg(t4), // -T4
      ]);
      Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
      Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
      Rz = Fp2.mul(t0, t4); // T0 * T4
      if (bitGet(CURVE.x, i)) {
        // Addition
        let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
        let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
        ell_coeff.push([
          Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)), // T0 * Qx - T1 * Qy
          Fp2.neg(t0), // -T0
          t1, // T1
        ]);
        let t2 = Fp2.sqr(t1); // T1²
        let t3 = Fp2.mul(t2, t1); // T2 * T1
        let t4 = Fp2.mul(t2, Rx); // T2 * Rx
        let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
        Rx = Fp2.mul(t1, t5); // T1 * T5
        Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
        Rz = Fp2.mul(Rz, t3); // Rz * T3
      }
    }
    return ell_coeff;
  }
  function millerLoop(ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]): Fp12 {
    const { x } = CURVE;
    const Px = g1[0];
    const Py = g1[1];
    let f12 = Fp12.ONE;
    for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
      const E = ell[j];
      f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
      if (bitGet(x, i)) {
        j += 1;
        const F = ell[j];
        f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
      }
      if (i !== 0) f12 = Fp12.sqr(f12);
    }
    return Fp12.conjugate(f12);
  }
  const utils = {
    hexToBytes: hexToBytes,
    bytesToHex: bytesToHex,
    stringToBytes: htf.stringToBytes,
    // TODO: do we need to export it here?
    hashToField: (
      msg: Uint8Array,
      count: number,
      options: Partial<typeof CURVE.htfDefaults> = {}
    ) => htf.hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
    expandMessageXMD: (msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H = CURVE.hash) =>
      htf.expand_message_xmd(msg, DST, lenInBytes, H),
    hashToPrivateKey: (hash: Hex): Uint8Array => Fr.toBytes(hashToPrivateScalar(hash, CURVE.r)),
    randomBytes: (bytesLength: number = groupLen): Uint8Array => CURVE.randomBytes(bytesLength),
    randomPrivateKey: (): Uint8Array => utils.hashToPrivateKey(utils.randomBytes(groupLen + 8)),
  };
  // Point on G1 curve: (x, y)
  const G1 = weierstrassPoints({
    n: Fr.ORDER,
    ...CURVE.G1,
  });
  const G1HashToCurve = htf.hashToCurve(G1.ProjectivePoint, CURVE.G1.mapToCurve, {
    ...CURVE.htfDefaults,
    ...CURVE.G1.htfDefaults,
  });
  // Sparse multiplication against precomputed coefficients
  // TODO: replace with weakmap?
  type withPairingPrecomputes = { _PPRECOMPUTES: [Fp2, Fp2, Fp2][] | undefined };
  function pairingPrecomputes(point: G2): [Fp2, Fp2, Fp2][] {
    const p = point as G2 & withPairingPrecomputes;
    if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
    p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
    return p._PPRECOMPUTES;
  }
  // TODO: export
  // function clearPairingPrecomputes(point: G2) {
  //   const p = point as G2 & withPairingPrecomputes;
  //   p._PPRECOMPUTES = undefined;
  // }
  // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
  const G2 = weierstrassPoints({
    n: Fr.ORDER,
    ...CURVE.G2,
  });
  const C = G2.ProjectivePoint as htf.H2CPointConstructor<Fp2>; // TODO: fix
  const G2HashToCurve = htf.hashToCurve(C, CURVE.G2.mapToCurve, {
    ...CURVE.htfDefaults,
    ...CURVE.G2.htfDefaults,
  });
  const { Signature } = CURVE.G2;
  // Calculates bilinear pairing
  function pairing(Q: G1, P: G2, withFinalExponent: boolean = true): Fp12 {
    if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
      throw new Error('pairing is not available for ZERO point');
    Q.assertValidity();
    P.assertValidity();
    // Performance: 9ms for millerLoop and ~14ms for exp.
    const Qa = Q.toAffine();
    const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
    return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
  }
  type G1 = typeof G1.ProjectivePoint.BASE;
  type G2 = typeof G2.ProjectivePoint.BASE;
  type G1Hex = Hex | G1;
  type G2Hex = Hex | G2;
  function normP1(point: G1Hex): G1 {
    return point instanceof G1.ProjectivePoint ? (point as G1) : G1.ProjectivePoint.fromHex(point);
  }
  function normP2(point: G2Hex): G2 {
    return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
  }
  function normP2Hash(point: G2Hex, htfOpts?: htf.htfBasicOpts): G2 {
    return point instanceof G2.ProjectivePoint
      ? point
      : (G2HashToCurve.hashToCurve(point, htfOpts) as G2);
  }
  // Multiplies generator by private key.
  // P = pk x G
  function getPublicKey(privateKey: PrivKey): Uint8Array {
    return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
  }
  // Executes `hashToCurve` on the message and then multiplies the result by private key.
  // S = pk x H(m)
  function sign(message: Hex, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): Uint8Array;
  function sign(message: G2, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): G2;
  function sign(message: G2Hex, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): Uint8Array | G2 {
    const msgPoint = normP2Hash(message, htfOpts);
    msgPoint.assertValidity();
    const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
    if (message instanceof G2.ProjectivePoint) return sigPoint;
    return Signature.encode(sigPoint);
  }
  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
  // e(P, H(m)) == e(G, S)
  function verify(
    signature: G2Hex,
    message: G2Hex,
    publicKey: G1Hex,
    htfOpts?: htf.htfBasicOpts
  ): boolean {
    const P = normP1(publicKey);
    const Hm = normP2Hash(message, htfOpts);
    const G = G1.ProjectivePoint.BASE;
    const S = normP2(signature);
    // Instead of doing 2 exponentiations, we use property of billinear maps
    // and do one exp after multiplying 2 points.
    const ePHm = pairing(P.negate(), Hm, false);
    const eGS = pairing(G, S, false);
    const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
    return Fp12.eql(exp, Fp12.ONE);
  }
  // Adds a bunch of public key points together.
  // pk1 + pk2 + pk3 = pkA
  function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
  function aggregatePublicKeys(publicKeys: G1[]): G1;
  function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
    if (!publicKeys.length) throw new Error('Expected non-empty array');
    const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
    const aggAffine = agg; //.toAffine();
    if (publicKeys[0] instanceof G1.ProjectivePoint) {
      aggAffine.assertValidity();
      return aggAffine;
    }
    // toRawBytes ensures point validity
    return aggAffine.toRawBytes(true);
  }
  // Adds a bunch of signature points together.
  function aggregateSignatures(signatures: Hex[]): Uint8Array;
  function aggregateSignatures(signatures: G2[]): G2;
  function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
    if (!signatures.length) throw new Error('Expected non-empty array');
    const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
    const aggAffine = agg; //.toAffine();
    if (signatures[0] instanceof G2.ProjectivePoint) {
      aggAffine.assertValidity();
      return aggAffine;
    }
    return Signature.encode(aggAffine);
  }
  // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
  // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
  function verifyBatch(
    signature: G2Hex,
    messages: G2Hex[],
    publicKeys: G1Hex[],
    htfOpts?: htf.htfBasicOpts
  ): boolean {
    // @ts-ignore
    // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
    if (!messages.length) throw new Error('Expected non-empty messages array');
    if (publicKeys.length !== messages.length)
      throw new Error('Pubkey count should equal msg count');
    const sig = normP2(signature);
    const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
    const nPublicKeys = publicKeys.map(normP1);
    try {
      const paired = [];
      for (const message of new Set(nMessages)) {
        const groupPublicKey = nMessages.reduce(
          (groupPublicKey, subMessage, i) =>
            subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey,
          G1.ProjectivePoint.ZERO
        );
        // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
        // Possible to batch pairing for same msg with different groupPublicKey here
        paired.push(pairing(groupPublicKey, message, false));
      }
      paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
      const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
      const exp = Fp12.finalExponentiate(product);
      return Fp12.eql(exp, Fp12.ONE);
    } catch {
      return false;
    }
  }
  G1.ProjectivePoint.BASE._setWindowSize(4);
  return {
    CURVE,
    Fr,
    Fp,
    Fp2,
    Fp6,
    Fp12,
    G1,
    G2,
    Signature,
    millerLoop,
    calcPairingPrecomputes,
    hashToCurve: { G1: G1HashToCurve, G2: G2HashToCurve },
    pairing,
    getPublicKey,
    sign,
    verify,
    aggregatePublicKeys,
    aggregateSignatures,
    verifyBatch,
    utils,
  };
 }
--- a/src/abstract/curve.ts
+++ b/src/abstract/curve.ts
@@ -1,22 +1,32 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Default group related functions
+// Abelian group utilities
 import { Field, validateField, nLength } from './modular.js';
 import { validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 export type AffinePoint<T> = {
  x: T;
  y: T;
 } & { z?: never; t?: never };
 export interface Group<T extends Group<T>> {
  double(): T;
  negate(): T;
  add(other: T): T;
  subtract(other: T): T;
  equals(other: T): boolean;
-  multiply(scalar: number | bigint): T;
+  multiply(scalar: bigint): T;
 }
 export type GroupConstructor<T> = {
  BASE: T;
  ZERO: T;
 };
-// Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
+export type Mapper<T> = (i: T[]) => T[];
 // Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
 // Windowed method is 10% faster, but takes 2x longer to generate & consumes 2x memory.
 export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
  const constTimeNegate = (condition: boolean, item: T): T => {
    const neg = item.negate();
@@ -67,8 +77,9 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
    /**
     * Implements w-ary non-adjacent form for calculating ec multiplication.
-     * @param n
+     * @param W window size
     * @param affinePoint optional 2d point to save cached precompute windows on it.
     * @param n bits
     * @returns real and fake (for const-time) points
     */
    wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T } {
@@ -124,5 +135,52 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
      // which makes it less const-time: around 1 bigint multiply.
      return { p, f };
    },
    wNAFCached(P: T, precomputesMap: Map<T, T[]>, n: bigint, transform: Mapper<T>): { p: T; f: T } {
      // @ts-ignore
      const W: number = P._WINDOW_SIZE || 1;
      // Calculate precomputes on a first run, reuse them after
      let comp = precomputesMap.get(P);
      if (!comp) {
        comp = this.precomputeWindow(P, W) as T[];
        if (W !== 1) {
          precomputesMap.set(P, transform(comp));
        }
      }
      return this.wNAF(W, comp, n);
    },
  };
 }
 // Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
 // Though generator can be different (Fp2 / Fp6 for BLS).
 export type BasicCurve<T> = {
  Fp: Field<T>; // Field over which we'll do calculations (Fp)
  n: bigint; // Curve order, total count of valid points in the field
  nBitLength?: number; // bit length of curve order
  nByteLength?: number; // byte length of curve order
  h: bigint; // cofactor. we can assign default=1, but users will just ignore it w/o validation
  hEff?: bigint; // Number to multiply to clear cofactor
  Gx: T; // base point X coordinate
  Gy: T; // base point Y coordinate
  allowInfinityPoint?: boolean; // bls12-381 requires it. ZERO point is valid, but invalid pubkey
 };
 export function validateBasic<FP, T>(curve: BasicCurve<FP> & T) {
  validateField(curve.Fp);
  validateObject(
    curve,
    {
      n: 'bigint',
      h: 'bigint',
      Gx: 'field',
      Gy: 'field',
    },
    {
      nBitLength: 'isSafeInteger',
      nByteLength: 'isSafeInteger',
    }
  );
  // Set defaults
  return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve } as const);
 }
--- a/src/abstract/edwards.ts
+++ b/src/abstract/edwards.ts
@@ -0,0 +1,467 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 import { mod } from './modular.js';
 import * as ut from './utils.js';
 import { ensureBytes, FHash, Hex } from './utils.js';
 import { Group, GroupConstructor, wNAF, BasicCurve, validateBasic, AffinePoint } from './curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
 // Edwards curves must declare params a & d.
 export type CurveType = BasicCurve<bigint> & {
  a: bigint; // curve param a
  d: bigint; // curve param d
  hash: FHash; // Hashing
  randomBytes: (bytesLength?: number) => Uint8Array; // CSPRNG
  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
  uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint }; // Ratio √(u/v)
  preHash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
 };
 function validateOpts(curve: CurveType) {
  const opts = validateBasic(curve);
  ut.validateObject(
    curve,
    {
      hash: 'function',
      a: 'bigint',
      d: 'bigint',
      randomBytes: 'function',
    },
    {
      adjustScalarBytes: 'function',
      domain: 'function',
      uvRatio: 'function',
      mapToCurve: 'function',
    }
  );
  // Set defaults
  return Object.freeze({ ...opts } as const);
 }
 // Instance of Extended Point with coordinates in X, Y, Z, T
 export interface ExtPointType extends Group<ExtPointType> {
  readonly ex: bigint;
  readonly ey: bigint;
  readonly ez: bigint;
  readonly et: bigint;
  assertValidity(): void;
  multiply(scalar: bigint): ExtPointType;
  multiplyUnsafe(scalar: bigint): ExtPointType;
  isSmallOrder(): boolean;
  isTorsionFree(): boolean;
  clearCofactor(): ExtPointType;
  toAffine(iz?: bigint): AffinePoint<bigint>;
 }
 // Static methods of Extended Point with coordinates in X, Y, Z, T
 export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
  fromAffine(p: AffinePoint<bigint>): ExtPointType;
  fromHex(hex: Hex): ExtPointType;
  fromPrivateKey(privateKey: Hex): ExtPointType;
 }
 export type CurveFn = {
  CURVE: ReturnType<typeof validateOpts>;
  getPublicKey: (privateKey: Hex) => Uint8Array;
  sign: (message: Hex, privateKey: Hex) => Uint8Array;
  verify: (sig: Hex, message: Hex, publicKey: Hex) => boolean;
  ExtendedPoint: ExtPointConstructor;
  utils: {
    randomPrivateKey: () => Uint8Array;
    getExtendedPublicKey: (key: Hex) => {
      head: Uint8Array;
      prefix: Uint8Array;
      scalar: bigint;
      point: ExtPointType;
      pointBytes: Uint8Array;
    };
  };
 };
 // It is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef: CurveType): CurveFn {
  const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
  const { Fp, n: CURVE_ORDER, preHash, hash: cHash, randomBytes, nByteLength, h: cofactor } = CURVE;
  const MASK = _2n ** BigInt(nByteLength * 8);
  const modP = Fp.create; // Function overrides
  // sqrt(u/v)
  const uvRatio =
    CURVE.uvRatio ||
    ((u: bigint, v: bigint) => {
      try {
        return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
      } catch (e) {
        return { isValid: false, value: _0n };
      }
    });
  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes); // NOOP
  const domain =
    CURVE.domain ||
    ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
      if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
      return data;
    }); // NOOP
  const inBig = (n: bigint) => typeof n === 'bigint' && 0n < n; // n in [1..]
  const inRange = (n: bigint, max: bigint) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
  const in0MaskRange = (n: bigint) => n === _0n || inRange(n, MASK); // n in [0..MASK-1]
  function assertInRange(n: bigint, max: bigint) {
    // n in [1..max-1]
    if (inRange(n, max)) return n;
    throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
  }
  function assertGE0(n: bigint) {
    // n in [0..CURVE_ORDER-1]
    return n === _0n ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
  }
  const pointPrecomputes = new Map<Point, Point[]>();
  function isPoint(other: unknown) {
    if (!(other instanceof Point)) throw new Error('ExtendedPoint expected');
  }
  // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
  // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
  class Point implements ExtPointType {
    static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
    static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
    constructor(
      readonly ex: bigint,
      readonly ey: bigint,
      readonly ez: bigint,
      readonly et: bigint
    ) {
      if (!in0MaskRange(ex)) throw new Error('x required');
      if (!in0MaskRange(ey)) throw new Error('y required');
      if (!in0MaskRange(ez)) throw new Error('z required');
      if (!in0MaskRange(et)) throw new Error('t required');
    }
    get x(): bigint {
      return this.toAffine().x;
    }
    get y(): bigint {
      return this.toAffine().y;
    }
    static fromAffine(p: AffinePoint<bigint>): Point {
      if (p instanceof Point) throw new Error('extended point not allowed');
      const { x, y } = p || {};
      if (!in0MaskRange(x) || !in0MaskRange(y)) throw new Error('invalid affine point');
      return new Point(x, y, _1n, modP(x * y));
    }
    static normalizeZ(points: Point[]): Point[] {
      const toInv = Fp.invertBatch(points.map((p) => p.ez));
      return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
    }
    // We calculate precomputes for elliptic curve point multiplication
    // using windowed method. This specifies window size and
    // stores precomputed values. Usually only base point would be precomputed.
    _WINDOW_SIZE?: number;
    // "Private method", don't use it directly
    _setWindowSize(windowSize: number) {
      this._WINDOW_SIZE = windowSize;
      pointPrecomputes.delete(this);
    }
    assertValidity(): void {}
    // Compare one point to another.
    equals(other: Point): boolean {
      isPoint(other);
      const { ex: X1, ey: Y1, ez: Z1 } = this;
      const { ex: X2, ey: Y2, ez: Z2 } = other;
      const X1Z2 = modP(X1 * Z2);
      const X2Z1 = modP(X2 * Z1);
      const Y1Z2 = modP(Y1 * Z2);
      const Y2Z1 = modP(Y2 * Z1);
      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
    }
    protected is0(): boolean {
      return this.equals(Point.ZERO);
    }
    negate(): Point {
      // Flips point sign to a negative one (-x, y in affine coords)
      return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
    }
    // Fast algo for doubling Extended Point.
    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
    // Cost: 4M + 4S + 1*a + 6add + 1*2.
    double(): Point {
      const { a } = CURVE;
      const { ex: X1, ey: Y1, ez: Z1 } = this;
      const A = modP(X1 * X1); // A = X12
      const B = modP(Y1 * Y1); // B = Y12
      const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
      const D = modP(a * A); // D = a*A
      const x1y1 = X1 + Y1;
      const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
      const G = D + B; // G = D+B
      const F = G - C; // F = G-C
      const H = D - B; // H = D-B
      const X3 = modP(E * F); // X3 = E*F
      const Y3 = modP(G * H); // Y3 = G*H
      const T3 = modP(E * H); // T3 = E*H
      const Z3 = modP(F * G); // Z3 = F*G
      return new Point(X3, Y3, Z3, T3);
    }
    // Fast algo for adding 2 Extended Points.
    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
    // Cost: 9M + 1*a + 1*d + 7add.
    add(other: Point) {
      isPoint(other);
      const { a, d } = CURVE;
      const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
      const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
      // Faster algo for adding 2 Extended Points when curve's a=-1.
      // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
      // Cost: 8M + 8add + 2*2.
      // Note: It does not check whether the `other` point is valid.
      if (a === BigInt(-1)) {
        const A = modP((Y1 - X1) * (Y2 + X2));
        const B = modP((Y1 + X1) * (Y2 - X2));
        const F = modP(B - A);
        if (F === _0n) return this.double(); // Same point. Tests say it doesn't affect timing
        const C = modP(Z1 * _2n * T2);
        const D = modP(T1 * _2n * Z2);
        const E = D + C;
        const G = B + A;
        const H = D - C;
        const X3 = modP(E * F);
        const Y3 = modP(G * H);
        const T3 = modP(E * H);
        const Z3 = modP(F * G);
        return new Point(X3, Y3, Z3, T3);
      }
      const A = modP(X1 * X2); // A = X1*X2
      const B = modP(Y1 * Y2); // B = Y1*Y2
      const C = modP(T1 * d * T2); // C = T1*d*T2
      const D = modP(Z1 * Z2); // D = Z1*Z2
      const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
      const F = D - C; // F = D-C
      const G = D + C; // G = D+C
      const H = modP(B - a * A); // H = B-a*A
      const X3 = modP(E * F); // X3 = E*F
      const Y3 = modP(G * H); // Y3 = G*H
      const T3 = modP(E * H); // T3 = E*H
      const Z3 = modP(F * G); // Z3 = F*G
      return new Point(X3, Y3, Z3, T3);
    }
    subtract(other: Point): Point {
      return this.add(other.negate());
    }
    private wNAF(n: bigint): { p: Point; f: Point } {
      return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
    }
    // Constant-time multiplication.
    multiply(scalar: bigint): Point {
      const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
      return Point.normalizeZ([p, f])[0];
    }
    // Non-constant-time multiplication. Uses double-and-add algorithm.
    // It's faster, but should only be used when you don't care about
    // an exposed private key e.g. sig verification.
    multiplyUnsafe(scalar: bigint): Point {
      let n = assertGE0(scalar);
      if (n === _0n) return I;
      if (this.equals(I) || n === _1n) return this;
      if (this.equals(G)) return this.wNAF(n).p;
      return wnaf.unsafeLadder(this, n);
    }
    // Checks if point is of small order.
    // If you add something to small order point, you will have "dirty"
    // point with torsion component.
    // Multiplies point by cofactor and checks if the result is 0.
    isSmallOrder(): boolean {
      return this.multiplyUnsafe(cofactor).is0();
    }
    // Multiplies point by curve order and checks if the result is 0.
    // Returns `false` is the point is dirty.
    isTorsionFree(): boolean {
      return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
    }
    // Converts Extended point to default (x, y) coordinates.
    // Can accept precomputed Z^-1 - for example, from invertBatch.
    toAffine(iz?: bigint): AffinePoint<bigint> {
      const { ex: x, ey: y, ez: z } = this;
      const is0 = this.is0();
      if (iz == null) iz = is0 ? _8n : (Fp.inv(z) as bigint); // 8 was chosen arbitrarily
      const ax = modP(x * iz);
      const ay = modP(y * iz);
      const zz = modP(z * iz);
      if (is0) return { x: _0n, y: _1n };
      if (zz !== _1n) throw new Error('invZ was invalid');
      return { x: ax, y: ay };
    }
    clearCofactor(): Point {
      const { h: cofactor } = CURVE;
      if (cofactor === _1n) return this;
      return this.multiplyUnsafe(cofactor);
    }
    // Converts hash string or Uint8Array to Point.
    // Uses algo from RFC8032 5.1.3.
    static fromHex(hex: Hex, strict = true): Point {
      const { d, a } = CURVE;
      const len = Fp.BYTES;
      hex = ensureBytes(hex, len); // copy hex to a new array
      const normed = hex.slice(); // copy again, we'll manipulate it
      const lastByte = hex[len - 1]; // select last byte
      normed[len - 1] = lastByte & ~0x80; // clear last bit
      const y = ut.bytesToNumberLE(normed);
      if (y === _0n) {
        // y=0 is allowed
      } else {
        // RFC8032 prohibits >= p, but ZIP215 doesn't
        if (strict) assertInRange(y, Fp.ORDER); // strict=true [1..P-1] (2^255-19-1 for ed25519)
        else assertInRange(y, MASK); // strict=false [1..MASK-1] (2^256-1 for ed25519)
      }
      // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
      // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
      const y2 = modP(y * y); // denominator is always non-0 mod p.
      const u = modP(y2 - _1n); // u = y² - 1
      const v = modP(d * y2 - a); // v = d y² + 1.
      let { isValid, value: x } = uvRatio(u, v); // √(u/v)
      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
      const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
      const isLastByteOdd = (lastByte & 0x80) !== 0; // if x=0 and x_0 = 1, fail
      if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
      return Point.fromAffine({ x, y });
    }
    static fromPrivateKey(privKey: Hex) {
      return getExtendedPublicKey(privKey).point;
    }
    toRawBytes(): Uint8Array {
      const { x, y } = this.toAffine();
      const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
      bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
      return bytes; // and use the last byte to encode sign of x
    }
    toHex(): string {
      return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
    }
  }
  const { BASE: G, ZERO: I } = Point;
  const wnaf = wNAF(Point, nByteLength * 8);
  function modN(a: bigint) {
    return mod(a, CURVE_ORDER);
  }
  // Little-endian SHA512 with modulo n
  function modN_LE(hash: Uint8Array): bigint {
    return modN(ut.bytesToNumberLE(hash));
  }
  function isHex(item: Hex, err: string) {
    if (typeof item !== 'string' && !(item instanceof Uint8Array))
      throw new Error(`${err} must be hex string or Uint8Array`);
  }
  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
  function getExtendedPublicKey(key: Hex) {
    isHex(key, 'private key');
    const len = nByteLength;
    // Hash private key with curve's hash function to produce uniformingly random input
    // Check byte lengths: ensure(64, h(ensure(32, key)))
    const hashed = ensureBytes(cHash(ensureBytes(key, len)), 2 * len);
    const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
    const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
    const scalar = modN_LE(head); // The actual private scalar
    const point = G.multiply(scalar); // Point on Edwards curve aka public key
    const pointBytes = point.toRawBytes(); // Uint8Array representation
    return { head, prefix, scalar, point, pointBytes };
  }
  // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
  function getPublicKey(privKey: Hex): Uint8Array {
    return getExtendedPublicKey(privKey).pointBytes;
  }
  // int('LE', SHA512(dom2(F, C) || msgs)) mod N
  function hashDomainToScalar(context: Hex = new Uint8Array(), ...msgs: Uint8Array[]) {
    const msg = ut.concatBytes(...msgs);
    return modN_LE(cHash(domain(msg, ensureBytes(context), !!preHash)));
  }
  /** Signs message with privateKey. RFC8032 5.1.6 */
  function sign(msg: Hex, privKey: Hex, context?: Hex): Uint8Array {
    isHex(msg, 'message');
    msg = ensureBytes(msg);
    if (preHash) msg = preHash(msg); // for ed25519ph etc.
    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
    const r = hashDomainToScalar(context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
    const R = G.multiply(r).toRawBytes(); // R = rG
    const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
    const s = modN(r + k * scalar); // S = (r + k * s) mod L
    assertGE0(s); // 0 <= s < l
    const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
    return ensureBytes(res, nByteLength * 2); // 64-byte signature
  }
  function verify(sig: Hex, msg: Hex, publicKey: Hex, context?: Hex): boolean {
    isHex(sig, 'sig');
    isHex(msg, 'message');
    const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
    sig = ensureBytes(sig, 2 * len); // An extended group equation is checked.
    msg = ensureBytes(msg); // ZIP215 compliant, which means not fully RFC8032 compliant.
    if (preHash) msg = preHash(msg); // for ed25519ph, etc
    const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
    const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
    const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
    const SB = G.multiplyUnsafe(s);
    const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
    const RkA = R.add(A.multiplyUnsafe(k));
    // [8][S]B = [8]R + [8][k]A'
    return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
  }
  G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
  const utils = {
    getExtendedPublicKey,
    // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
    randomPrivateKey: (): Uint8Array => randomBytes(Fp.BYTES),
    /**
     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
     * @param windowSize 2, 4, 8, 16
     */
    precompute(windowSize = 8, point = Point.BASE): typeof Point.BASE {
      point._setWindowSize(windowSize);
      point.multiply(BigInt(3));
      return point;
    },
  };
  return {
    CURVE,
    getPublicKey,
    sign,
    verify,
    ExtendedPoint: Point,
    utils,
  };
 }
--- a/src/abstract/hash-to-curve.ts
+++ b/src/abstract/hash-to-curve.ts
@@ -0,0 +1,236 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { Group, GroupConstructor, AffinePoint } from './curve.js';
 import { mod, Field } from './modular.js';
 import { CHash, Hex, concatBytes, ensureBytes } from './utils.js';
 export type Opts = {
  // DST: a domain separation tag
  // defined in section 2.2.5
  DST: string;
  encodeDST: string;
  // p: the characteristic of F
  //    where F is a finite field of characteristic p and order q = p^m
  p: bigint;
  // m: the extension degree of F, m >= 1
  //     where F is a finite field of characteristic p and order q = p^m
  m: number;
  // k: the target security level for the suite in bits
  // defined in section 5.1
  k: number;
  // option to use a message that has already been processed by
  // expand_message_xmd
  expand?: 'xmd' | 'xof';
  // Hash functions for: expand_message_xmd is appropriate for use with a
  // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
  // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
  // TODO: verify that hash is shake if expand==='xof' via types
  hash: CHash;
 };
 export function validateOpts(opts: Opts) {
  if (typeof opts.DST !== 'string') throw new Error('Invalid htf/DST');
  if (typeof opts.p !== 'bigint') throw new Error('Invalid htf/p');
  if (typeof opts.m !== 'number') throw new Error('Invalid htf/m');
  if (typeof opts.k !== 'number') throw new Error('Invalid htf/k');
  if (opts.expand !== 'xmd' && opts.expand !== 'xof' && opts.expand !== undefined)
    throw new Error('Invalid htf/expand');
  if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
    throw new Error('Invalid htf/hash function');
 }
 // Global symbols in both browsers and Node.js since v11
 // See https://github.com/microsoft/TypeScript/issues/31535
 declare const TextEncoder: any;
 declare const TextDecoder: any;
 export function stringToBytes(str: string): Uint8Array {
  if (typeof str !== 'string') {
    throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
  }
  return new TextEncoder().encode(str);
 }
 // Octet Stream to Integer (bytesToNumberBE)
 function os2ip(bytes: Uint8Array): bigint {
  let result = 0n;
  for (let i = 0; i < bytes.length; i++) {
    result <<= 8n;
    result += BigInt(bytes[i]);
  }
  return result;
 }
 // Integer to Octet Stream
 function i2osp(value: number, length: number): Uint8Array {
  if (value < 0 || value >= 1 << (8 * length)) {
    throw new Error(`bad I2OSP call: value=${value} length=${length}`);
  }
  const res = Array.from({ length }).fill(0) as number[];
  for (let i = length - 1; i >= 0; i--) {
    res[i] = value & 0xff;
    value >>>= 8;
  }
  return new Uint8Array(res);
 }
 function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
  const arr = new Uint8Array(a.length);
  for (let i = 0; i < a.length; i++) {
    arr[i] = a[i] ^ b[i];
  }
  return arr;
 }
 // Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1
 export function expand_message_xmd(
  msg: Uint8Array,
  DST: Uint8Array,
  lenInBytes: number,
  H: CHash
 ): Uint8Array {
  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
  if (DST.length > 255) DST = H(concatBytes(stringToBytes('H2C-OVERSIZE-DST-'), DST));
  const b_in_bytes = H.outputLen;
  const r_in_bytes = H.blockLen;
  const ell = Math.ceil(lenInBytes / b_in_bytes);
  if (ell > 255) throw new Error('Invalid xmd length');
  const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
  const Z_pad = i2osp(0, r_in_bytes);
  const l_i_b_str = i2osp(lenInBytes, 2);
  const b = new Array<Uint8Array>(ell);
  const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
  b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
  for (let i = 1; i <= ell; i++) {
    const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
    b[i] = H(concatBytes(...args));
  }
  const pseudo_random_bytes = concatBytes(...b);
  return pseudo_random_bytes.slice(0, lenInBytes);
 }
 export function expand_message_xof(
  msg: Uint8Array,
  DST: Uint8Array,
  lenInBytes: number,
  k: number,
  H: CHash
 ): Uint8Array {
  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
  // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
  if (DST.length > 255) {
    const dkLen = Math.ceil((2 * k) / 8);
    DST = H.create({ dkLen }).update(stringToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
  }
  if (lenInBytes > 65535 || DST.length > 255)
    throw new Error('expand_message_xof: invalid lenInBytes');
  return (
    H.create({ dkLen: lenInBytes })
      .update(msg)
      .update(i2osp(lenInBytes, 2))
      // 2. DST_prime = DST || I2OSP(len(DST), 1)
      .update(DST)
      .update(i2osp(DST.length, 1))
      .digest()
  );
 }
 /**
 * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
 * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
 * @param msg a byte string containing the message to hash
 * @param count the number of elements of F to output
 * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
 * @returns [u_0, ..., u_(count - 1)], a list of field elements.
 */
 export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][] {
  // if options is provided but incomplete, fill any missing fields with the
  // value in hftDefaults (ie hash to G2).
  const log2p = options.p.toString(2).length;
  const L = Math.ceil((log2p + options.k) / 8); // section 5.1 of ietf draft link above
  const len_in_bytes = count * options.m * L;
  const DST = stringToBytes(options.DST);
  let pseudo_random_bytes = msg;
  if (options.expand === 'xmd') {
    pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
  } else if (options.expand === 'xof') {
    pseudo_random_bytes = expand_message_xof(msg, DST, len_in_bytes, options.k, options.hash);
  }
  const u = new Array(count);
  for (let i = 0; i < count; i++) {
    const e = new Array(options.m);
    for (let j = 0; j < options.m; j++) {
      const elm_offset = L * (j + i * options.m);
      const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
      e[j] = mod(os2ip(tv), options.p);
    }
    u[i] = e;
  }
  return u;
 }
 export function isogenyMap<T, F extends Field<T>>(field: F, map: [T[], T[], T[], T[]]) {
  // Make same order as in spec
  const COEFF = map.map((i) => Array.from(i).reverse());
  return (x: T, y: T) => {
    const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
      val.reduce((acc, i) => field.add(field.mul(acc, x), i))
    );
    x = field.div(xNum, xDen); // xNum / xDen
    y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
    return { x, y };
  };
 }
 export interface H2CPoint<T> extends Group<H2CPoint<T>> {
  add(rhs: H2CPoint<T>): H2CPoint<T>;
  toAffine(iz?: bigint): AffinePoint<T>;
  clearCofactor(): H2CPoint<T>;
  assertValidity(): void;
 }
 export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
  fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
 }
 export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
 // Separated from initialization opts, so users won't accidentally change per-curve parameters (changing DST is ok!)
 export type htfBasicOpts = {
  DST: string;
 };
 export function hashToCurve<T>(
  Point: H2CPointConstructor<T>,
  mapToCurve: MapToCurve<T>,
  def: Opts
 ) {
  validateOpts(def);
  if (typeof mapToCurve !== 'function')
    throw new Error('hashToCurve: mapToCurve() has not been defined');
  return {
    // Encodes byte string to elliptic curve
    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
    hashToCurve(msg: Hex, options?: htfBasicOpts) {
      if (!mapToCurve) throw new Error('CURVE.mapToCurve() has not been defined');
      msg = ensureBytes(msg);
      const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options } as Opts);
      const P = Point.fromAffine(mapToCurve(u[0]))
        .add(Point.fromAffine(mapToCurve(u[1])))
        .clearCofactor();
      P.assertValidity();
      return P;
    },
    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
    encodeToCurve(msg: Hex, options?: htfBasicOpts) {
      if (!mapToCurve) throw new Error('CURVE.mapToCurve() has not been defined');
      msg = ensureBytes(msg);
      const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options } as Opts);
      const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
      P.assertValidity();
      return P;
    },
  };
 }
--- a/src/abstract/modular.ts
+++ b/src/abstract/modular.ts
@@ -0,0 +1,417 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Utilities for modular arithmetics and finite fields
 import {
  bitMask,
  numberToBytesBE,
  numberToBytesLE,
  bytesToNumberBE,
  bytesToNumberLE,
  ensureBytes,
  validateObject,
 } from './utils.js';
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
 const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
 // prettier-ignore
 const _9n = BigInt(9), _16n = BigInt(16);
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
  const result = a % b;
  return result >= _0n ? result : b + result;
 }
 /**
 * Efficiently exponentiate num to power and do modular division.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
 * @example
 * powMod(2n, 6n, 11n) // 64n % 11n == 9n
 */
 // TODO: use field version && remove
 export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
  if (modulo <= _0n || power < _0n) throw new Error('Expected power/modulo > 0');
  if (modulo === _1n) return _0n;
  let res = _1n;
  while (power > _0n) {
    if (power & _1n) res = (res * num) % modulo;
    num = (num * num) % modulo;
    power >>= _1n;
  }
  return res;
 }
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
 export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
  let res = x;
  while (power-- > _0n) {
    res *= res;
    res %= modulo;
  }
  return res;
 }
 // Inverses number over modulo
 export function invert(number: bigint, modulo: bigint): bigint {
  if (number === _0n || modulo <= _0n) {
    throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
  }
  // Eucledian GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
  let a = mod(number, modulo);
  let b = modulo;
  // prettier-ignore
  let x = _0n, y = _1n, u = _1n, v = _0n;
  while (a !== _0n) {
    // JIT applies optimization if those two lines follow each other
    const q = b / a;
    const r = b % a;
    const m = x - u * q;
    const n = y - v * q;
    // prettier-ignore
    b = a, a = r, x = u, y = v, u = m, v = n;
  }
  const gcd = b;
  if (gcd !== _1n) throw new Error('invert: does not exist');
  return mod(x, modulo);
 }
 // Tonelli-Shanks algorithm
 // Paper 1: https://eprint.iacr.org/2012/685.pdf (page 12)
 // Paper 2: Square Roots from 1; 24, 51, 10 to Dan Shanks
 export function tonelliShanks(P: bigint) {
  // Legendre constant: used to calculate Legendre symbol (a | p),
  // which denotes the value of a^((p-1)/2) (mod p).
  // (a | p) ≡ 1    if a is a square (mod p)
  // (a | p) ≡ -1   if a is not a square (mod p)
  // (a | p) ≡ 0    if a ≡ 0 (mod p)
  const legendreC = (P - _1n) / _2n;
  let Q: bigint, S: number, Z: bigint;
  // Step 1: By factoring out powers of 2 from p - 1,
  // find q and s such that p - 1 = q*(2^s) with q odd
  for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++);
  // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
  for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++);
  // Fast-path
  if (S === 1) {
    const p1div4 = (P + _1n) / _4n;
    return function tonelliFast<T>(Fp: Field<T>, n: T) {
      const root = Fp.pow(n, p1div4);
      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
      return root;
    };
  }
  // Slow-path
  const Q1div2 = (Q + _1n) / _2n;
  return function tonelliSlow<T>(Fp: Field<T>, n: T): T {
    // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
    if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE)) throw new Error('Cannot find square root');
    let r = S;
    // TODO: will fail at Fp2/etc
    let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
    let x = Fp.pow(n, Q1div2); // first guess at the square root
    let b = Fp.pow(n, Q); // first guess at the fudge factor
    while (!Fp.eql(b, Fp.ONE)) {
      if (Fp.eql(b, Fp.ZERO)) return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
      // Find m such b^(2^m)==1
      let m = 1;
      for (let t2 = Fp.sqr(b); m < r; m++) {
        if (Fp.eql(t2, Fp.ONE)) break;
        t2 = Fp.sqr(t2); // t2 *= t2
      }
      // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
      const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
      g = Fp.sqr(ge); // g = ge * ge
      x = Fp.mul(x, ge); // x *= ge
      b = Fp.mul(b, g); // b *= g
      r = m;
    }
    return x;
  };
 }
 export function FpSqrt(P: bigint) {
  // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
  // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
  // P ≡ 3 (mod 4)
  // √n = n^((P+1)/4)
  if (P % _4n === _3n) {
    // Not all roots possible!
    // const ORDER =
    //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
    // const NUM = 72057594037927816n;
    const p1div4 = (P + _1n) / _4n;
    return function sqrt3mod4<T>(Fp: Field<T>, n: T) {
      const root = Fp.pow(n, p1div4);
      // Throw if root**2 != n
      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
      return root;
    };
  }
  // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
  if (P % _8n === _5n) {
    const c1 = (P - _5n) / _8n;
    return function sqrt5mod8<T>(Fp: Field<T>, n: T) {
      const n2 = Fp.mul(n, _2n);
      const v = Fp.pow(n2, c1);
      const nv = Fp.mul(n, v);
      const i = Fp.mul(Fp.mul(nv, _2n), v);
      const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
      return root;
    };
  }
  // P ≡ 9 (mod 16)
  if (P % _16n === _9n) {
    // NOTE: tonelli is too slow for bls-Fp2 calculations even on start
    // Means we cannot use sqrt for constants at all!
    //
    // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
    // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
    // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
    // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic
    // sqrt = (x) => {
    //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4
    //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1
    //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1
    //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1
    //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
    //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
    //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
    //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
    //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
    //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
    // }
  }
  // Other cases: Tonelli-Shanks algorithm
  return tonelliShanks(P);
 }
 // Little-endian check for first LE bit (last BE bit);
 export const isNegativeLE = (num: bigint, modulo: bigint) => (mod(num, modulo) & _1n) === _1n;
 // Currently completly inconsistent naming:
 // - readable: add, mul, sqr, sqrt, inv, div, pow, eq, sub
 // - unreadable mess: addition, multiply, square, squareRoot, inversion, divide, power, equals, subtract
 // Field is not always over prime, Fp2 for example has ORDER(q)=p^m
 export interface Field<T> {
  ORDER: bigint;
  BYTES: number;
  BITS: number;
  MASK: bigint;
  ZERO: T;
  ONE: T;
  // 1-arg
  create: (num: T) => T;
  isValid: (num: T) => boolean;
  is0: (num: T) => boolean;
  neg(num: T): T;
  inv(num: T): T;
  sqrt(num: T): T;
  sqr(num: T): T;
  // 2-args
  eql(lhs: T, rhs: T): boolean;
  add(lhs: T, rhs: T): T;
  sub(lhs: T, rhs: T): T;
  mul(lhs: T, rhs: T | bigint): T;
  pow(lhs: T, power: bigint): T;
  div(lhs: T, rhs: T | bigint): T;
  // N for NonNormalized (for now)
  addN(lhs: T, rhs: T): T;
  subN(lhs: T, rhs: T): T;
  mulN(lhs: T, rhs: T | bigint): T;
  sqrN(num: T): T;
  // Optional
  // Should be same as sgn0 function in https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
  // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
  isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
  // legendre?(num: T): T;
  pow(lhs: T, power: bigint): T;
  invertBatch: (lst: T[]) => T[];
  toBytes(num: T): Uint8Array;
  fromBytes(bytes: Uint8Array): T;
  // If c is False, CMOV returns a, otherwise it returns b.
  cmov(a: T, b: T, c: boolean): T;
 }
 // prettier-ignore
 const FIELD_FIELDS = [
  'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
  'eql', 'add', 'sub', 'mul', 'pow', 'div',
  'addN', 'subN', 'mulN', 'sqrN'
 ] as const;
 export function validateField<T>(field: Field<T>) {
  const initial = {
    ORDER: 'bigint',
    MASK: 'bigint',
    BYTES: 'isSafeInteger',
    BITS: 'isSafeInteger',
  } as Record<string, string>;
  const opts = FIELD_FIELDS.reduce((map, val: string) => {
    map[val] = 'function';
    return map;
  }, initial);
  return validateObject(field, opts);
 }
 // Generic field functions
 export function FpPow<T>(f: Field<T>, num: T, power: bigint): T {
  // Should have same speed as pow for bigints
  // TODO: benchmark!
  if (power < _0n) throw new Error('Expected power > 0');
  if (power === _0n) return f.ONE;
  if (power === _1n) return num;
  let p = f.ONE;
  let d = num;
  while (power > _0n) {
    if (power & _1n) p = f.mul(p, d);
    d = f.sqr(d);
    power >>= 1n;
  }
  return p;
 }
 export function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[] {
  const tmp = new Array(nums.length);
  // Walk from first to last, multiply them by each other MOD p
  const lastMultiplied = nums.reduce((acc, num, i) => {
    if (f.is0(num)) return acc;
    tmp[i] = acc;
    return f.mul(acc, num);
  }, f.ONE);
  // Invert last element
  const inverted = f.inv(lastMultiplied);
  // Walk from last to first, multiply them by inverted each other MOD p
  nums.reduceRight((acc, num, i) => {
    if (f.is0(num)) return acc;
    tmp[i] = f.mul(acc, tmp[i]);
    return f.mul(acc, num);
  }, inverted);
  return tmp;
 }
 export function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T {
  return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 // This function returns True whenever the value x is a square in the field F.
 export function FpIsSquare<T>(f: Field<T>) {
  const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
  return (x: T): boolean => {
    const p = f.pow(x, legendreConst);
    return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
  };
 }
 // CURVE.n lengths
 export function nLength(n: bigint, nBitLength?: number) {
  // Bit size, byte size of CURVE.n
  const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
  const nByteLength = Math.ceil(_nBitLength / 8);
  return { nBitLength: _nBitLength, nByteLength };
 }
 // NOTE: very fragile, always bench. Major performance points:
 // - NonNormalized ops
 // - Object.freeze
 // - same shape of object (don't add/remove keys)
 type FpField = Field<bigint> & Required<Pick<Field<bigint>, 'isOdd'>>;
 export function Fp(
  ORDER: bigint,
  bitLen?: number,
  isLE = false,
  redef: Partial<Field<bigint>> = {}
 ): Readonly<FpField> {
  if (ORDER <= _0n) throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
  if (BYTES > 2048) throw new Error('Field lengths over 2048 bytes are not supported');
  const sqrtP = FpSqrt(ORDER);
  const f: Readonly<FpField> = Object.freeze({
    ORDER,
    BITS,
    BYTES,
    MASK: bitMask(BITS),
    ZERO: _0n,
    ONE: _1n,
    create: (num) => mod(num, ORDER),
    isValid: (num) => {
      if (typeof num !== 'bigint')
        throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
      return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
    },
    is0: (num) => num === _0n,
    isOdd: (num) => (num & _1n) === _1n,
    neg: (num) => mod(-num, ORDER),
    eql: (lhs, rhs) => lhs === rhs,
    sqr: (num) => mod(num * num, ORDER),
    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
    pow: (num, power) => FpPow(f, num, power),
    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
    // Same as above, but doesn't normalize
    sqrN: (num) => num * num,
    addN: (lhs, rhs) => lhs + rhs,
    subN: (lhs, rhs) => lhs - rhs,
    mulN: (lhs, rhs) => lhs * rhs,
    inv: (num) => invert(num, ORDER),
    sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
    invertBatch: (lst) => FpInvertBatch(f, lst),
    // TODO: do we really need constant cmov?
    // We don't have const-time bigints anyway, so probably will be not very useful
    cmov: (a, b, c) => (c ? b : a),
    toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
    fromBytes: (bytes) => {
      if (bytes.length !== BYTES)
        throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
      return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
    },
  } as FpField);
  return Object.freeze(f);
 }
 export function FpSqrtOdd<T>(Fp: Field<T>, elm: T) {
  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
  const root = Fp.sqrt(elm);
  return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 export function FpSqrtEven<T>(Fp: Field<T>, elm: T) {
  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
  const root = Fp.sqrt(elm);
  return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
 /**
 * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
 * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
 * and convert them into private scalar, with the modulo bias being neglible.
 * Needs at least 40 bytes of input for 32-byte private key.
 * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
 * @param hash hash output from SHA3 or a similar function
 * @returns valid private scalar
 */
 export function hashToPrivateScalar(
  hash: string | Uint8Array,
  groupOrder: bigint,
  isLE = false
 ): bigint {
  hash = ensureBytes(hash);
  const hashLen = hash.length;
  const minLen = nLength(groupOrder).nByteLength + 8;
  if (minLen < 24 || hashLen < minLen || hashLen > 1024)
    throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
  const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
  return mod(num, groupOrder - _1n) + _1n;
 }
--- a/src/abstract/montgomery.ts
+++ b/src/abstract/montgomery.ts
@@ -1,18 +1,13 @@
-import * as mod from './modular.js';
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import {
+import { mod, pow } from './modular.js';
-  ensureBytes,
+import { bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject } from './utils.js';
  numberToBytesLE,
  bytesToNumberLE,
  // nLength,
 } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 type Hex = string | Uint8Array;
 export type CurveType = {
-  // Field over which we'll do calculations. Verify with:
+  P: bigint; // finite field prime
  P: bigint;
  nByteLength: number;
  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
@@ -23,33 +18,29 @@ export type CurveType = {
  Gu: string;
 };
 export type CurveFn = {
-  scalarMult: (u: Hex, scalar: Hex) => Uint8Array;
+  scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
  scalarMultBase: (scalar: Hex) => Uint8Array;
  getSharedSecret: (privateKeyA: Hex, publicKeyB: Hex) => Uint8Array;
  getPublicKey: (privateKey: Hex) => Uint8Array;
  Gu: string;
 };
 function validateOpts(curve: CurveType) {
-  for (const i of ['a24'] as const) {
+  validateObject(
-    if (typeof curve[i] !== 'bigint')
+    curve,
-      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+    {
-  }
+      a24: 'bigint',
-  for (const i of ['montgomeryBits', 'nByteLength'] as const) {
+    },
-    if (curve[i] === undefined) continue; // Optional
+    {
-    if (!Number.isSafeInteger(curve[i]))
+      montgomeryBits: 'isSafeInteger',
-      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+      nByteLength: 'isSafeInteger',
-  }
+      adjustScalarBytes: 'function',
-  for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2'] as const) {
+      domain: 'function',
-    if (curve[fn] === undefined) continue; // Optional
+      powPminus2: 'function',
-    if (typeof curve[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
+      Gu: 'string',
-  }
+    }
-  for (const i of ['Gu'] as const) {
+  );
    if (curve[i] === undefined) continue; // Optional
    if (typeof curve[i] !== 'string')
      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
  }
  // Set defaults
  // ...nLength(curve.n, curve.nBitLength),
  return Object.freeze({ ...curve } as const);
 }
@@ -58,34 +49,14 @@ function validateOpts(curve: CurveType) {
 export function montgomery(curveDef: CurveType): CurveFn {
  const CURVE = validateOpts(curveDef);
  const { P } = CURVE;
-  const modP = (a: bigint) => mod.mod(a, P);
+  const modP = (a: bigint) => mod(a, P);
  const montgomeryBits = CURVE.montgomeryBits;
  const montgomeryBytes = Math.ceil(montgomeryBits / 8);
  const fieldLen = CURVE.nByteLength;
  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
-  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => mod.pow(x, P - BigInt(2), P));
+  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => pow(x, P - BigInt(2), P));
-  /**
+  // cswap from RFC7748. But it is not from RFC7748!
   * Checks for num to be in range:
   * For strict == true:  `0 <  num < max`.
   * For strict == false: `0 <= num < max`.
   * Converts non-float safe numbers to bigints.
   */
  function normalizeScalar(num: number | bigint, max: bigint, strict = true): bigint {
    if (!max) throw new TypeError('Specify max value');
    if (typeof num === 'number' && Number.isSafeInteger(num)) num = BigInt(num);
    if (typeof num === 'bigint' && num < max) {
      if (strict) {
        if (_0n < num) return num;
      } else {
        if (_0n <= num) return num;
      }
    }
    throw new TypeError('Expected valid scalar: 0 < scalar < max');
  }
  // cswap from RFC7748
  // NOTE: cswap is not from RFC7748!
  /*
    cswap(swap, x_2, x_3):
         dummy = mask(swap) AND (x_2 XOR x_3)
@@ -102,6 +73,11 @@ export function montgomery(curveDef: CurveType): CurveFn {
    return [x_2, x_3];
  }
  function assertFieldElement(n: bigint): bigint {
    if (typeof n === 'bigint' && _0n <= n && n < P) return n;
    throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
  }
  // x25519 from 4
  /**
   *
@@ -110,11 +86,10 @@ export function montgomery(curveDef: CurveType): CurveFn {
   * @returns new Point on Montgomery curve
   */
  function montgomeryLadder(pointU: bigint, scalar: bigint): bigint {
-    const { P } = CURVE;
+    const u = assertFieldElement(pointU);
    const u = normalizeScalar(pointU, P);
    // Section 5: Implementations MUST accept non-canonical values and process them as
    // if they had been reduced modulo the field prime.
-    const k = normalizeScalar(scalar, P);
+    const k = assertFieldElement(scalar);
    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
    const a24 = CURVE.a24;
    const x_1 = u;
@@ -170,23 +145,21 @@ export function montgomery(curveDef: CurveType): CurveFn {
  }
  function decodeUCoordinate(uEnc: Hex): bigint {
    const u = ensureBytes(uEnc, montgomeryBytes);
    // Section 5: When receiving such an array, implementations of X25519
    // MUST mask the most significant bit in the final byte.
    // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
    // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
    const u = ensureBytes(uEnc, montgomeryBytes);
    u[fieldLen - 1] &= 127; // 0b0111_1111
    return bytesToNumberLE(u);
  }
  function decodeScalar(n: Hex): bigint {
    const bytes = ensureBytes(n);
    if (bytes.length !== montgomeryBytes && bytes.length !== fieldLen)
      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
    return bytesToNumberLE(adjustScalarBytes(bytes));
  }
-  // Multiply point u by scalar
+  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
  function scalarMult(u: Hex, scalar: Hex): Uint8Array {
    const pointU = decodeUCoordinate(u);
    const _scalar = decodeScalar(scalar);
    const pu = montgomeryLadder(pointU, _scalar);
@@ -195,18 +168,15 @@ export function montgomery(curveDef: CurveType): CurveFn {
    if (pu === _0n) throw new Error('Invalid private or public key received');
    return encodeUCoordinate(pu);
  }
-  // Multiply base point by scalar
+  // Computes public key from private. By doing scalar multiplication of base point.
  function scalarMultBase(scalar: Hex): Uint8Array {
-    return scalarMult(CURVE.Gu, scalar);
+    return scalarMult(scalar, CURVE.Gu);
  }
  return {
    // NOTE: we can get 'y' coordinate from 'u', but Point.fromHex also wants 'x' coordinate oddity flag, and we cannot get 'x' without knowing 'v'
    // Need to add generic conversion between twisted edwards and complimentary curve for JubJub
    scalarMult,
    scalarMultBase,
-    // NOTE: these function work on complimentary montgomery curve
+    getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
    // getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(publicKey, privateKey),
    getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
    Gu: CURVE.Gu,
  };
--- a/src/abstract/poseidon.ts
+++ b/src/abstract/poseidon.ts
@@ -0,0 +1,119 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
 import { Field, FpPow, validateField } from './modular.js';
 // We don't provide any constants, since different implementations use different constants.
 // For reference constants see './test/poseidon.test.js'.
 export type PoseidonOpts = {
  Fp: Field<bigint>;
  t: number;
  roundsFull: number;
  roundsPartial: number;
  sboxPower?: number;
  reversePartialPowIdx?: boolean; // Hack for stark
  mds: bigint[][];
  roundConstants: bigint[][];
 };
 export function validateOpts(opts: PoseidonOpts) {
  const { Fp } = opts;
  validateField(Fp);
  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
      throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
  }
  if (opts.reversePartialPowIdx !== undefined && typeof opts.reversePartialPowIdx !== 'boolean')
    throw new Error(`Poseidon: invalid param reversePartialPowIdx=${opts.reversePartialPowIdx}`);
  // Default is 5, but by some reasons stark uses 3
  let sboxPower = opts.sboxPower;
  if (sboxPower === undefined) sboxPower = 5;
  if (typeof sboxPower !== 'number' || !Number.isSafeInteger(sboxPower))
    throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
  const _sboxPower = BigInt(sboxPower);
  let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
  // Unwrapped sbox power for common cases (195->142μs)
  if (sboxPower === 3) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(n), n);
  else if (sboxPower === 5) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
  if (opts.roundsFull % 2 !== 0)
    throw new Error(`Poseidon roundsFull is not even: ${opts.roundsFull}`);
  const rounds = opts.roundsFull + opts.roundsPartial;
  if (!Array.isArray(opts.roundConstants) || opts.roundConstants.length !== rounds)
    throw new Error('Poseidon: wrong round constants');
  const roundConstants = opts.roundConstants.map((rc) => {
    if (!Array.isArray(rc) || rc.length !== opts.t)
      throw new Error(`Poseidon wrong round constants: ${rc}`);
    return rc.map((i) => {
      if (typeof i !== 'bigint' || !Fp.isValid(i))
        throw new Error(`Poseidon wrong round constant=${i}`);
      return Fp.create(i);
    });
  });
  // MDS is TxT matrix
  if (!Array.isArray(opts.mds) || opts.mds.length !== opts.t)
    throw new Error('Poseidon: wrong MDS matrix');
  const mds = opts.mds.map((mdsRow) => {
    if (!Array.isArray(mdsRow) || mdsRow.length !== opts.t)
      throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
    return mdsRow.map((i) => {
      if (typeof i !== 'bigint') throw new Error(`Poseidon MDS matrix value=${i}`);
      return Fp.create(i);
    });
  });
  return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds });
 }
 export function splitConstants(rc: bigint[], t: number) {
  if (typeof t !== 'number') throw new Error('poseidonSplitConstants: wrong t');
  if (!Array.isArray(rc) || rc.length % t) throw new Error('poseidonSplitConstants: wrong rc');
  const res = [];
  let tmp = [];
  for (let i = 0; i < rc.length; i++) {
    tmp.push(rc[i]);
    if (tmp.length === t) {
      res.push(tmp);
      tmp = [];
    }
  }
  return res;
 }
 export function poseidon(opts: PoseidonOpts) {
  const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts);
  const halfRoundsFull = Math.floor(opts.roundsFull / 2);
  const partialIdx = reversePartialPowIdx ? t - 1 : 0;
  const poseidonRound = (values: bigint[], isFull: boolean, idx: number) => {
    values = values.map((i, j) => Fp.add(i, opts.roundConstants[idx][j]));
    if (isFull) values = values.map((i) => sboxFn(i));
    else values[partialIdx] = sboxFn(values[partialIdx]);
    // Matrix multiplication
    values = opts.mds.map((i) =>
      i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO)
    );
    return values;
  };
  const poseidonHash = function poseidonHash(values: bigint[]) {
    if (!Array.isArray(values) || values.length !== t)
      throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
    values = values.map((i) => {
      if (typeof i !== 'bigint') throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
      return Fp.create(i);
    });
    let round = 0;
    // Apply r_f/2 full rounds.
    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
    // Apply r_p partial rounds.
    for (let i = 0; i < opts.roundsPartial; i++) values = poseidonRound(values, false, round++);
    // Apply r_f/2 full rounds.
    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
    if (round !== rounds)
      throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
    return values;
  };
  // For verification in tests
  poseidonHash.roundConstants = opts.roundConstants;
  return poseidonHash;
 }
--- a/src/abstract/utils.ts
+++ b/src/abstract/utils.ts
@@ -0,0 +1,144 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const u8a = (a: any): a is Uint8Array => a instanceof Uint8Array;
 // We accept hex strings besides Uint8Array for simplicity
 export type Hex = Uint8Array | string;
 // Very few implementations accept numbers, we do it to ease learning curve
 export type PrivKey = Hex | bigint;
 export type CHash = {
  (message: Uint8Array | string): Uint8Array;
  blockLen: number;
  outputLen: number;
  create(opts?: { dkLen?: number }): any; // For shake
 };
 export type FHash = (message: Uint8Array | string) => Uint8Array;
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 export function bytesToHex(bytes: Uint8Array): string {
  if (!u8a(bytes)) throw new Error('Uint8Array expected');
  // pre-caching improves the speed 6x
  let hex = '';
  for (let i = 0; i < bytes.length; i++) {
    hex += hexes[bytes[i]];
  }
  return hex;
 }
 export function numberToHexUnpadded(num: number | bigint): string {
  const hex = num.toString(16);
  return hex.length & 1 ? `0${hex}` : hex;
 }
 export function hexToNumber(hex: string): bigint {
  if (typeof hex !== 'string') throw new Error('string expected, got ' + typeof hex);
  // Big Endian
  return BigInt(`0x${hex}`);
 }
 // Caching slows it down 2-3x
 export function hexToBytes(hex: string): Uint8Array {
  if (typeof hex !== 'string') throw new Error('string expected, got ' + typeof hex);
  if (hex.length % 2) throw new Error('hex string is invalid: unpadded ' + hex.length);
  const array = new Uint8Array(hex.length / 2);
  for (let i = 0; i < array.length; i++) {
    const j = i * 2;
    const hexByte = hex.slice(j, j + 2);
    const byte = Number.parseInt(hexByte, 16);
    if (Number.isNaN(byte) || byte < 0) throw new Error('invalid byte sequence');
    array[i] = byte;
  }
  return array;
 }
 // Big Endian
 export function bytesToNumberBE(bytes: Uint8Array): bigint {
  return hexToNumber(bytesToHex(bytes));
 }
 export function bytesToNumberLE(bytes: Uint8Array): bigint {
  if (!u8a(bytes)) throw new Error('Uint8Array expected');
  return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 export const numberToBytesBE = (n: bigint, len: number) =>
  hexToBytes(n.toString(16).padStart(len * 2, '0'));
 export const numberToBytesLE = (n: bigint, len: number) => numberToBytesBE(n, len).reverse();
 // Returns variable number bytes (minimal bigint encoding?)
 export const numberToVarBytesBE = (n: bigint) => hexToBytes(numberToHexUnpadded(n));
 export function ensureBytes(hex: Hex, expectedLength?: number): Uint8Array {
  // Uint8Array.from() instead of hash.slice() because node.js Buffer
  // is instance of Uint8Array, and its slice() creates **mutable** copy
  const bytes = u8a(hex) ? Uint8Array.from(hex) : hexToBytes(hex);
  if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
    throw new Error(`Expected ${expectedLength} bytes`);
  return bytes;
 }
 // Copies several Uint8Arrays into one.
 export function concatBytes(...arrs: Uint8Array[]): Uint8Array {
  const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0));
  let pad = 0; // walk through each item, ensure they have proper type
  arrs.forEach((a) => {
    if (!u8a(a)) throw new Error('Uint8Array expected');
    r.set(a, pad);
    pad += a.length;
  });
  return r;
 }
 export function equalBytes(b1: Uint8Array, b2: Uint8Array) {
  // We don't care about timing attacks here
  if (b1.length !== b2.length) return false;
  for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
  return true;
 }
 // Bit operations
 // Amount of bits inside bigint (Same as n.toString(2).length)
 export function bitLen(n: bigint) {
  let len;
  for (len = 0; n > 0n; n >>= _1n, len += 1);
  return len;
 }
 // Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
 // Same as !!+Array.from(n.toString(2)).reverse()[pos]
 export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & 1n;
 // Sets single bit at position
 export const bitSet = (n: bigint, pos: number, value: boolean) =>
  n | ((value ? _1n : _0n) << BigInt(pos));
 // Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
 // Not using ** operator with bigints for old engines.
 export const bitMask = (n: number) => (_2n << BigInt(n - 1)) - _1n;
 type ValMap = Record<string, string>;
 export function validateObject(object: object, validators: ValMap, optValidators: ValMap = {}) {
  const validatorFns: Record<string, (val: any) => boolean> = {
    bigint: (val) => typeof val === 'bigint',
    function: (val) => typeof val === 'function',
    boolean: (val) => typeof val === 'boolean',
    string: (val) => typeof val === 'string',
    isSafeInteger: (val) => Number.isSafeInteger(val),
    array: (val) => Array.isArray(val),
    field: (val) => (object as any).Fp.isValid(val),
    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
  };
  // type Key = keyof typeof validators;
  const checkField = (fieldName: string, type: string, isOptional: boolean) => {
    const checkVal = validatorFns[type];
    if (typeof checkVal !== 'function')
      throw new Error(`Invalid validator "${type}", expected function`);
    const val = object[fieldName as keyof typeof object];
    if (isOptional && val === undefined) return;
    if (!checkVal(val)) {
      throw new Error(`Invalid param ${fieldName}=${val} (${typeof val}), expected ${type}`);
    }
  };
  for (let [fieldName, type] of Object.entries(validators)) checkField(fieldName, type, false);
  for (let [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type, true);
  return object;
 }
--- a/src/abstract/weierstrass.ts
+++ b/src/abstract/weierstrass.ts
--- a/src/bls.ts
+++ b/src/bls.ts
@@ -1,418 +0,0 @@
 // Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
 // NOTE: only 12 supported for now
 // Constructed from pair of weierstrass curves, based pairing logic
 import * as mod from './modular.js';
 import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from './utils.js';
 import * as utils from './utils.js';
 // Types
 import { hexToBytes, bytesToHex, Hex, PrivKey } from './utils.js';
 import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
 import { CurvePointsType, PointType, CurvePointsRes, weierstrassPoints } from './weierstrass.js';
 type Fp = bigint; // Can be different field?
 export type SignatureCoder<Fp2> = {
  decode(hex: Hex): PointType<Fp2>;
  encode(point: PointType<Fp2>): Uint8Array;
 };
 export type CurveType<Fp, Fp2, Fp6, Fp12> = {
  r: bigint;
  G1: Omit<CurvePointsType<Fp>, 'n'>;
  G2: Omit<CurvePointsType<Fp2>, 'n'> & {
    Signature: SignatureCoder<Fp2>;
  };
  x: bigint;
  Fp: mod.Field<Fp>;
  Fr: mod.Field<bigint>;
  Fp2: mod.Field<Fp2> & {
    reim: (num: Fp2) => { re: bigint; im: bigint };
    multiplyByB: (num: Fp2) => Fp2;
    frobeniusMap(num: Fp2, power: number): Fp2;
  };
  Fp6: mod.Field<Fp6>;
  Fp12: mod.Field<Fp12> & {
    frobeniusMap(num: Fp12, power: number): Fp12;
    multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
    conjugate(num: Fp12): Fp12;
    finalExponentiate(num: Fp12): Fp12;
  };
  htfDefaults: htfOpts;
  hash: utils.CHash; // Because we need outputLen for DRBG
  randomBytes: (bytesLength?: number) => Uint8Array;
 };
 export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
  Fr: mod.Field<bigint>;
  Fp: mod.Field<Fp>;
  Fp2: mod.Field<Fp2>;
  Fp6: mod.Field<Fp6>;
  Fp12: mod.Field<Fp12>;
  G1: CurvePointsRes<Fp>;
  G2: CurvePointsRes<Fp2>;
  Signature: SignatureCoder<Fp2>;
  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
  calcPairingPrecomputes: (x: Fp2, y: Fp2) => [Fp2, Fp2, Fp2][];
  pairing: (P: PointType<Fp>, Q: PointType<Fp2>, withFinalExponent?: boolean) => Fp12;
  getPublicKey: (privateKey: PrivKey) => Uint8Array;
  sign: {
    (message: Hex, privateKey: PrivKey): Uint8Array;
    (message: PointType<Fp2>, privateKey: PrivKey): PointType<Fp2>;
  };
  verify: (
    signature: Hex | PointType<Fp2>,
    message: Hex | PointType<Fp2>,
    publicKey: Hex | PointType<Fp>
  ) => boolean;
  aggregatePublicKeys: {
    (publicKeys: Hex[]): Uint8Array;
    (publicKeys: PointType<Fp>[]): PointType<Fp>;
  };
  aggregateSignatures: {
    (signatures: Hex[]): Uint8Array;
    (signatures: PointType<Fp2>[]): PointType<Fp2>;
  };
  verifyBatch: (
    signature: Hex | PointType<Fp2>,
    messages: (Hex | PointType<Fp2>)[],
    publicKeys: (Hex | PointType<Fp>)[]
  ) => boolean;
  utils: {
    bytesToHex: typeof utils.bytesToHex;
    hexToBytes: typeof utils.hexToBytes;
    stringToBytes: typeof stringToBytes;
    hashToField: typeof hash_to_field;
    expandMessageXMD: typeof expand_message_xmd;
    mod: typeof mod.mod;
    getDSTLabel: () => string;
    setDSTLabel(newLabel: string): void;
  };
 };
 export function bls<Fp2, Fp6, Fp12>(
  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>
 ): CurveFn<Fp, Fp2, Fp6, Fp12> {
  // Fields looks pretty specific for curve, so for now we need to pass them with options
  const Fp = CURVE.Fp;
  const Fr = CURVE.Fr;
  const Fp2 = CURVE.Fp2;
  const Fp6 = CURVE.Fp6;
  const Fp12 = CURVE.Fp12;
  const BLS_X_LEN = bitLen(CURVE.x);
  // Pre-compute coefficients for sparse multiplication
  // Point addition and point double calculations is reused for coefficients
  function calcPairingPrecomputes(x: Fp2, y: Fp2) {
    // prettier-ignore
    const Qx = x, Qy = y, Qz = Fp2.ONE;
    // prettier-ignore
    let Rx = Qx, Ry = Qy, Rz = Qz;
    let ell_coeff: [Fp2, Fp2, Fp2][] = [];
    for (let i = BLS_X_LEN - 2; i >= 0; i--) {
      // Double
      let t0 = Fp2.square(Ry); // Ry²
      let t1 = Fp2.square(Rz); // Rz²
      let t2 = Fp2.multiplyByB(Fp2.multiply(t1, 3n)); // 3 * T1 * B
      let t3 = Fp2.multiply(t2, 3n); // 3 * T2
      let t4 = Fp2.subtract(Fp2.subtract(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
      ell_coeff.push([
        Fp2.subtract(t2, t0), // T2 - T0
        Fp2.multiply(Fp2.square(Rx), 3n), // 3 * Rx²
        Fp2.negate(t4), // -T4
      ]);
      Rx = Fp2.div(Fp2.multiply(Fp2.multiply(Fp2.subtract(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
      Ry = Fp2.subtract(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.multiply(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
      Rz = Fp2.multiply(t0, t4); // T0 * T4
      if (bitGet(CURVE.x, i)) {
        // Addition
        let t0 = Fp2.subtract(Ry, Fp2.multiply(Qy, Rz)); // Ry - Qy * Rz
        let t1 = Fp2.subtract(Rx, Fp2.multiply(Qx, Rz)); // Rx - Qx * Rz
        ell_coeff.push([
          Fp2.subtract(Fp2.multiply(t0, Qx), Fp2.multiply(t1, Qy)), // T0 * Qx - T1 * Qy
          Fp2.negate(t0), // -T0
          t1, // T1
        ]);
        let t2 = Fp2.square(t1); // T1²
        let t3 = Fp2.multiply(t2, t1); // T2 * T1
        let t4 = Fp2.multiply(t2, Rx); // T2 * Rx
        let t5 = Fp2.add(Fp2.subtract(t3, Fp2.multiply(t4, 2n)), Fp2.multiply(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
        Rx = Fp2.multiply(t1, t5); // T1 * T5
        Ry = Fp2.subtract(Fp2.multiply(Fp2.subtract(t4, t5), t0), Fp2.multiply(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
        Rz = Fp2.multiply(Rz, t3); // Rz * T3
      }
    }
    return ell_coeff;
  }
  function millerLoop(ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]): Fp12 {
    const Px = g1[0];
    const Py = g1[1];
    let f12 = Fp12.ONE;
    for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
      const E = ell[j];
      f12 = Fp12.multiplyBy014(f12, E[0], Fp2.multiply(E[1], Px), Fp2.multiply(E[2], Py));
      if (bitGet(CURVE.x, i)) {
        j += 1;
        const F = ell[j];
        f12 = Fp12.multiplyBy014(f12, F[0], Fp2.multiply(F[1], Px), Fp2.multiply(F[2], Py));
      }
      if (i !== 0) f12 = Fp12.square(f12);
    }
    return Fp12.conjugate(f12);
  }
  // bls12-381 is a construction of two curves:
  // 1. Fp: (x, y)
  // 2. Fp₂: ((x₁, x₂+i), (y₁, y₂+i)) - (complex numbers)
  //
  // Bilinear Pairing (ate pairing) is used to combine both elements into a paired one:
  //   Fp₁₂ = e(Fp, Fp2)
  //   where Fp₁₂ = 12-degree polynomial
  // Pairing is used to verify signatures.
  //
  // We are using Fp for private keys (shorter) and Fp2 for signatures (longer).
  // Some projects may prefer to swap this relation, it is not supported for now.
  const htfDefaults = { ...CURVE.htfDefaults };
  function isWithinCurveOrder(num: bigint): boolean {
    return 0 < num && num < CURVE.r;
  }
  const utils = {
    hexToBytes: hexToBytes,
    bytesToHex: bytesToHex,
    mod: mod.mod,
    stringToBytes,
    // TODO: do we need to export it here?
    hashToField: (msg: Uint8Array, count: number, options: Partial<typeof htfDefaults> = {}) =>
      hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
    expandMessageXMD: (msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H = CURVE.hash) =>
      expand_message_xmd(msg, DST, lenInBytes, H),
    /**
     * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
     * and convert them into private key, with the modulo bias being negligible.
     * As per FIPS 186 B.1.1.
     * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
     * @param hash hash output from sha512, or a similar function
     * @returns valid private key
     */
    hashToPrivateKey: (hash: Hex): Uint8Array => {
      hash = ensureBytes(hash);
      if (hash.length < 40 || hash.length > 1024)
        throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
      //     hashToPrivateScalar(hash, CURVE.r)
      // NOTE: doesn't add +/-1
      const num = mod.mod(bytesToNumberBE(hash), CURVE.r);
      // This should never happen
      if (num === 0n || num === 1n) throw new Error('Invalid private key');
      return numberToBytesBE(num, 32);
    },
    randomBytes: (bytesLength: number = 32): Uint8Array => CURVE.randomBytes(bytesLength),
    // NIST SP 800-56A rev 3, section 5.6.1.2.2
    // https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
    randomPrivateKey: (): Uint8Array => utils.hashToPrivateKey(utils.randomBytes(40)),
    getDSTLabel: () => htfDefaults.DST,
    setDSTLabel(newLabel: string) {
      // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
      if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
        throw new TypeError('Invalid DST');
      }
      htfDefaults.DST = newLabel;
    },
  };
  function normalizePrivKey(key: PrivKey): bigint {
    let int: bigint;
    if (key instanceof Uint8Array && key.length === 32) int = bytesToNumberBE(key);
    else if (typeof key === 'string' && key.length === 64) int = BigInt(`0x${key}`);
    else if (typeof key === 'number' && key > 0 && Number.isSafeInteger(key)) int = BigInt(key);
    else if (typeof key === 'bigint' && key > 0n) int = key;
    else throw new TypeError('Expected valid private key');
    int = mod.mod(int, CURVE.r);
    if (!isWithinCurveOrder(int)) throw new Error('Private key must be 0 < key < CURVE.r');
    return int;
  }
  // Point on G1 curve: (x, y)
  const G1 = weierstrassPoints({
    n: Fr.ORDER,
    ...CURVE.G1,
  });
  // Sparse multiplication against precomputed coefficients
  // TODO: replace with weakmap?
  type withPairingPrecomputes = { _PPRECOMPUTES: [Fp2, Fp2, Fp2][] | undefined };
  function pairingPrecomputes(point: G2): [Fp2, Fp2, Fp2][] {
    const p = point as G2 & withPairingPrecomputes;
    if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
    p._PPRECOMPUTES = calcPairingPrecomputes(p.x, p.y);
    return p._PPRECOMPUTES;
  }
  function clearPairingPrecomputes(point: G2) {
    const p = point as G2 & withPairingPrecomputes;
    p._PPRECOMPUTES = undefined;
  }
  clearPairingPrecomputes;
  function millerLoopG1(Q: G1, P: G2): Fp12 {
    return millerLoop(pairingPrecomputes(P), [Q.x, Q.y]);
  }
  // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
  const G2 = weierstrassPoints({
    n: Fr.ORDER,
    ...CURVE.G2,
  });
  const { Signature } = CURVE.G2;
  // Calculates bilinear pairing
  function pairing(P: G1, Q: G2, withFinalExponent: boolean = true): Fp12 {
    if (P.equals(G1.Point.ZERO) || Q.equals(G2.Point.ZERO))
      throw new Error('No pairings at point of Infinity');
    P.assertValidity();
    Q.assertValidity();
    // Performance: 9ms for millerLoop and ~14ms for exp.
    const looped = millerLoopG1(P, Q);
    return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
  }
  type G1 = typeof G1.Point.BASE;
  type G2 = typeof G2.Point.BASE;
  type G1Hex = Hex | G1;
  type G2Hex = Hex | G2;
  function normP1(point: G1Hex): G1 {
    return point instanceof G1.Point ? (point as G1) : G1.Point.fromHex(point);
  }
  function normP2(point: G2Hex): G2 {
    return point instanceof G2.Point ? point : Signature.decode(point);
  }
  function normP2Hash(point: G2Hex): G2 {
    return point instanceof G2.Point ? point : G2.Point.hashToCurve(point);
  }
  // Multiplies generator by private key.
  // P = pk x G
  function getPublicKey(privateKey: PrivKey): Uint8Array {
    return G1.Point.fromPrivateKey(privateKey).toRawBytes(true);
  }
  // Executes `hashToCurve` on the message and then multiplies the result by private key.
  // S = pk x H(m)
  function sign(message: Hex, privateKey: PrivKey): Uint8Array;
  function sign(message: G2, privateKey: PrivKey): G2;
  function sign(message: G2Hex, privateKey: PrivKey): Uint8Array | G2 {
    const msgPoint = normP2Hash(message);
    msgPoint.assertValidity();
    const sigPoint = msgPoint.multiply(normalizePrivKey(privateKey));
    if (message instanceof G2.Point) return sigPoint;
    return Signature.encode(sigPoint);
  }
  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
  // e(P, H(m)) == e(G, S)
  function verify(signature: G2Hex, message: G2Hex, publicKey: G1Hex): boolean {
    const P = normP1(publicKey);
    const Hm = normP2Hash(message);
    const G = G1.Point.BASE;
    const S = normP2(signature);
    // Instead of doing 2 exponentiations, we use property of billinear maps
    // and do one exp after multiplying 2 points.
    const ePHm = pairing(P.negate(), Hm, false);
    const eGS = pairing(G, S, false);
    const exp = Fp12.finalExponentiate(Fp12.multiply(eGS, ePHm));
    return Fp12.equals(exp, Fp12.ONE);
  }
  // Adds a bunch of public key points together.
  // pk1 + pk2 + pk3 = pkA
  function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
  function aggregatePublicKeys(publicKeys: G1[]): G1;
  function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
    if (!publicKeys.length) throw new Error('Expected non-empty array');
    const agg = publicKeys
      .map(normP1)
      .reduce((sum, p) => sum.add(G1.JacobianPoint.fromAffine(p)), G1.JacobianPoint.ZERO);
    const aggAffine = agg.toAffine();
    if (publicKeys[0] instanceof G1.Point) {
      aggAffine.assertValidity();
      return aggAffine;
    }
    // toRawBytes ensures point validity
    return aggAffine.toRawBytes(true);
  }
  // Adds a bunch of signature points together.
  function aggregateSignatures(signatures: Hex[]): Uint8Array;
  function aggregateSignatures(signatures: G2[]): G2;
  function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
    if (!signatures.length) throw new Error('Expected non-empty array');
    const agg = signatures
      .map(normP2)
      .reduce((sum, s) => sum.add(G2.JacobianPoint.fromAffine(s)), G2.JacobianPoint.ZERO);
    const aggAffine = agg.toAffine();
    if (signatures[0] instanceof G2.Point) {
      aggAffine.assertValidity();
      return aggAffine;
    }
    return Signature.encode(aggAffine);
  }
  // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
  // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
  function verifyBatch(signature: G2Hex, messages: G2Hex[], publicKeys: G1Hex[]): boolean {
    if (!messages.length) throw new Error('Expected non-empty messages array');
    if (publicKeys.length !== messages.length)
      throw new Error('Pubkey count should equal msg count');
    const sig = normP2(signature);
    const nMessages = messages.map(normP2Hash);
    const nPublicKeys = publicKeys.map(normP1);
    try {
      const paired = [];
      for (const message of new Set(nMessages)) {
        const groupPublicKey = nMessages.reduce(
          (groupPublicKey, subMessage, i) =>
            subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey,
          G1.Point.ZERO
        );
        // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
        // Possible to batch pairing for same msg with different groupPublicKey here
        paired.push(pairing(groupPublicKey, message, false));
      }
      paired.push(pairing(G1.Point.BASE.negate(), sig, false));
      const product = paired.reduce((a, b) => Fp12.multiply(a, b), Fp12.ONE);
      const exp = Fp12.finalExponentiate(product);
      return Fp12.equals(exp, Fp12.ONE);
    } catch {
      return false;
    }
  }
  // Pre-compute points. Refer to README.
  G1.Point.BASE._setWindowSize(4);
  return {
    CURVE,
    Fr,
    Fp,
    Fp2,
    Fp6,
    Fp12,
    G1,
    G2,
    Signature,
    millerLoop,
    calcPairingPrecomputes,
    pairing,
    getPublicKey,
    sign,
    verify,
    aggregatePublicKeys,
    aggregateSignatures,
    verifyBatch,
    utils,
  };
 }
--- a/curve-definitions/src/bls12-381.ts
+++ b/curve-definitions/src/bls12-381.ts
--- a/curve-definitions/src/bn.ts
+++ b/curve-definitions/src/bn.ts
@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { weierstrass } from '@noble/curves/weierstrass';
 import { sha256 } from '@noble/hashes/sha256';
 import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 /**
 * bn254 pairing-friendly curve.
 * Previously known as alt_bn_128, when it had 128-bit security.
--- a/curve-definitions/src/ed25519.ts
+++ b/curve-definitions/src/ed25519.ts
@@ -1,9 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { twistedEdwards, ExtendedPointType } from '@noble/curves/edwards';
+import { twistedEdwards, ExtPointType } from './abstract/edwards.js';
-import { montgomery } from '@noble/curves/montgomery';
+import { montgomery } from './abstract/montgomery.js';
-import { mod, pow2, isNegativeLE, Fp as FpFn } from '@noble/curves/modular';
+import { mod, pow2, isNegativeLE, Fp as Field, FpSqrtEven } from './abstract/modular.js';
 import {
  ensureBytes,
  equalBytes,
@@ -11,7 +11,8 @@ import {
  bytesToNumberLE,
  numberToBytesLE,
  Hex,
-} from '@noble/curves/utils';
+} from './abstract/utils.js';
 import * as htf from './abstract/hash-to-curve.js';
 /**
 * ed25519 Twisted Edwards curve with following addons:
@@ -91,6 +92,8 @@ export const ED25519_TORSION_SUBGROUP = [
  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
 const Fp = Field(ED25519_P, undefined, true);
 const ED25519_DEF = {
  // Param: a
  a: BigInt(-1),
@@ -98,7 +101,7 @@ const ED25519_DEF = {
  // Negative number is P - number, and division is invert(number, P)
  d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
  // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
-  Fp: FpFn(ED25519_P),
+  Fp,
  // Subgroup order: how many points ed25519 has
  // 2n ** 252n + 27742317777372353535851937790883648493n;
  n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
@@ -148,8 +151,95 @@ export const x25519 = montgomery({
  adjustScalarBytes,
 });
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart
 const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
 const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
 const ELL2_C3 = Fp.sqrt(Fp.neg(Fp.ONE)); // 3. c3 = sqrt(-1)
 const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
 const ELL2_J = BigInt(486662);
 // prettier-ignore
 function map_to_curve_elligator2_curve25519(u: bigint) {
  let tv1 = Fp.sqr(u);       //  1.  tv1 = u^2
  tv1 = Fp.mul(tv1, _2n);       //  2.  tv1 = 2 * tv1
  let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
  let x1n = Fp.neg(ELL2_J);  //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
  let tv2 = Fp.sqr(xd);      //  5.  tv2 = xd^2
  let gxd = Fp.mul(tv2, xd);    //  6.  gxd = tv2 * xd        # gxd = xd^3
  let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
  gx1 = Fp.mul(gx1, x1n);       //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
  gx1 = Fp.add(gx1, tv2);       //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
  gx1 = Fp.mul(gx1, x1n);       //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
  let tv3 = Fp.sqr(gxd);     //  11. tv3 = gxd^2
  tv2 = Fp.sqr(tv3);         //  12. tv2 = tv3^2           # gxd^4
  tv3 = Fp.mul(tv3, gxd);       //  13. tv3 = tv3 * gxd       # gxd^3
  tv3 = Fp.mul(tv3, gx1);       //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
  tv2 = Fp.mul(tv2, tv3);       //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
  let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
  y11 = Fp.mul(y11, tv3);       //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
  let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
  tv2 = Fp.sqr(y11);         //  19. tv2 = y11^2
  tv2 = Fp.mul(tv2, gxd);       //  20. tv2 = tv2 * gxd
  let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
  let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
  let x2n = Fp.mul(x1n, tv1);   //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
  let y21 = Fp.mul(y11, u);     //  24. y21 = y11 * u
  y21 = Fp.mul(y21, ELL2_C2);   //  25. y21 = y21 * c2
  let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
  let gx2 = Fp.mul(gx1, tv1);   //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
  tv2 = Fp.sqr(y21);         //  28. tv2 = y21^2
  tv2 = Fp.mul(tv2, gxd);       //  29. tv2 = tv2 * gxd
  let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
  let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
  tv2 = Fp.sqr(y1);          //  32. tv2 = y1^2
  tv2 = Fp.mul(tv2, gxd);       //  33. tv2 = tv2 * gxd
  let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
  let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
  let y = Fp.cmov(y2, y1, e3);  //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
  let e4 = Fp.isOdd(y);         //  37.  e4 = sgn0(y) == 1        # Fix sign of y
  y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
  return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
 }
 const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
 function map_to_curve_elligator2_edwards25519(u: bigint) {
  const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
  let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
  xn = Fp.mul(xn, ELL2_C1_EDWARDS); //  3.  xn = xn * c1
  let xd = Fp.mul(xMd, yMn); //  4.  xd = xMd * yMn    # xn / xd = c1 * xM / yM
  let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
  let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
  let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
  let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
  xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
  xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
  yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
  yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
  const inv = Fp.invertBatch([xd, yd]); // batch division
  return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
 }
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  ed25519.ExtendedPoint,
  (scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
  {
    DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
    encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 128,
    expand: 'xmd',
    hash: sha512,
  }
 );
 export { hashToCurve, encodeToCurve };
 function assertRstPoint(other: unknown) {
-  if (!(other instanceof RistrettoPoint)) throw new TypeError('RistrettoPoint expected');
+  if (!(other instanceof RistrettoPoint)) throw new Error('RistrettoPoint expected');
 }
 // √(-1) aka √(a) aka 2^((p-1)/4)
 const SQRT_M1 = BigInt(
@@ -176,9 +266,33 @@ const invertSqrt = (number: bigint) => uvRatio(_1n, number);
 const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
 const bytes255ToNumberLE = (bytes: Uint8Array) =>
-  ed25519.utils.mod(bytesToNumberLE(bytes) & MAX_255B);
+  ed25519.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
-type ExtendedPoint = ExtendedPointType;
+type ExtendedPoint = ExtPointType;
 // Computes Elligator map for Ristretto
 // https://ristretto.group/formulas/elligator.html
 function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
  const { d } = ed25519.CURVE;
  const P = ed25519.CURVE.Fp.ORDER;
  const mod = ed25519.CURVE.Fp.create;
  const r = mod(SQRT_M1 * r0 * r0); // 1
  const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
  let c = BigInt(-1); // 3
  const D = mod((c - d * r) * mod(r + d)); // 4
  let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
  let s_ = mod(s * r0); // 6
  if (!isNegativeLE(s_, P)) s_ = mod(-s_);
  if (!Ns_D_is_sq) s = s_; // 7
  if (!Ns_D_is_sq) c = r; // 8
  const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
  const s2 = s * s;
  const W0 = mod((s + s) * D); // 10
  const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
  const W2 = mod(_1n - s2); // 12
  const W3 = mod(_1n + s2); // 13
  return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 /**
 * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
@@ -194,31 +308,6 @@ export class RistrettoPoint {
  // Private property to discourage combining ExtendedPoint + RistrettoPoint
  // Always use Ristretto encoding/decoding instead.
  constructor(private readonly ep: ExtendedPoint) {}
  // Computes Elligator map for Ristretto
  // https://ristretto.group/formulas/elligator.html
  private static calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
    const { d } = ed25519.CURVE;
    const P = ed25519.CURVE.Fp.ORDER;
    const { mod } = ed25519.utils;
    const r = mod(SQRT_M1 * r0 * r0); // 1
    const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
    let c = BigInt(-1); // 3
    const D = mod((c - d * r) * mod(r + d)); // 4
    let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
    let s_ = mod(s * r0); // 6
    if (!isNegativeLE(s_, P)) s_ = mod(-s_);
    if (!Ns_D_is_sq) s = s_; // 7
    if (!Ns_D_is_sq) c = r; // 8
    const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
    const s2 = s * s;
    const W0 = mod((s + s) * D); // 10
    const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
    const W2 = mod(_1n - s2); // 12
    const W3 = mod(_1n + s2); // 13
    return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
  }
  /**
   * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
   * The hash-to-group operation applies Elligator twice and adds the results.
@@ -229,9 +318,9 @@ export class RistrettoPoint {
  static hashToCurve(hex: Hex): RistrettoPoint {
    hex = ensureBytes(hex, 64);
    const r1 = bytes255ToNumberLE(hex.slice(0, 32));
-    const R1 = this.calcElligatorRistrettoMap(r1);
+    const R1 = calcElligatorRistrettoMap(r1);
    const r2 = bytes255ToNumberLE(hex.slice(32, 64));
-    const R2 = this.calcElligatorRistrettoMap(r2);
+    const R2 = calcElligatorRistrettoMap(r2);
    return new RistrettoPoint(R1.add(R2));
  }
@@ -244,7 +333,7 @@ export class RistrettoPoint {
    hex = ensureBytes(hex, 32);
    const { a, d } = ed25519.CURVE;
    const P = ed25519.CURVE.Fp.ORDER;
-    const { mod } = ed25519.utils;
+    const mod = ed25519.CURVE.Fp.create;
    const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
    const s = bytes255ToNumberLE(hex);
    // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
@@ -272,9 +361,9 @@ export class RistrettoPoint {
   * https://ristretto.group/formulas/encoding.html
   */
  toRawBytes(): Uint8Array {
-    let { x, y, z, t } = this.ep;
+    let { ex: x, ey: y, ez: z, et: t } = this.ep;
    const P = ed25519.CURVE.Fp.ORDER;
-    const { mod } = ed25519.utils;
+    const mod = ed25519.CURVE.Fp.create;
    const u1 = mod(mod(z + y) * mod(z - y)); // 1
    const u2 = mod(x * y); // 2
    // Square root always exists
@@ -310,12 +399,12 @@ export class RistrettoPoint {
  // Compare one point to another.
  equals(other: RistrettoPoint): boolean {
    assertRstPoint(other);
-    const a = this.ep;
+    const { ex: X1, ey: Y1 } = this.ep;
-    const b = other.ep;
+    const { ex: X2, ey: Y2 } = this.ep;
-    const { mod } = ed25519.utils;
+    const mod = ed25519.CURVE.Fp.create;
    // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
-    const one = mod(a.x * b.y) === mod(a.y * b.x);
+    const one = mod(X1 * Y2) === mod(Y1 * X2);
-    const two = mod(a.y * b.y) === mod(a.x * b.x);
+    const two = mod(Y1 * Y2) === mod(X1 * X2);
    return one || two;
  }
@@ -329,11 +418,11 @@ export class RistrettoPoint {
    return new RistrettoPoint(this.ep.subtract(other.ep));
  }
-  multiply(scalar: number | bigint): RistrettoPoint {
+  multiply(scalar: bigint): RistrettoPoint {
    return new RistrettoPoint(this.ep.multiply(scalar));
  }
-  multiplyUnsafe(scalar: number | bigint): RistrettoPoint {
+  multiplyUnsafe(scalar: bigint): RistrettoPoint {
    return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
  }
 }
--- a/src/ed448.ts
+++ b/src/ed448.ts
@@ -0,0 +1,241 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
 import { twistedEdwards } from './abstract/edwards.js';
 import { mod, pow2, Fp as Field } from './abstract/modular.js';
 import { montgomery } from './abstract/montgomery.js';
 import * as htf from './abstract/hash-to-curve.js';
 /**
 * Edwards448 (not Ed448-Goldilocks) curve with following addons:
 * * X448 ECDH
 * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
 */
 const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
 const ed448P = BigInt(
  '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
 );
 // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
 // Used for efficient square root calculation.
 // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
 function ed448_pow_Pminus3div4(x: bigint): bigint {
  const P = ed448P;
  // prettier-ignore
  const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _11n = BigInt(11);
  // prettier-ignore
  const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
  const b2 = (x * x * x) % P;
  const b3 = (b2 * b2 * x) % P;
  const b6 = (pow2(b3, _3n, P) * b3) % P;
  const b9 = (pow2(b6, _3n, P) * b3) % P;
  const b11 = (pow2(b9, _2n, P) * b2) % P;
  const b22 = (pow2(b11, _11n, P) * b11) % P;
  const b44 = (pow2(b22, _22n, P) * b22) % P;
  const b88 = (pow2(b44, _44n, P) * b44) % P;
  const b176 = (pow2(b88, _88n, P) * b88) % P;
  const b220 = (pow2(b176, _44n, P) * b44) % P;
  const b222 = (pow2(b220, _2n, P) * b2) % P;
  const b223 = (pow2(b222, _1n, P) * x) % P;
  return (pow2(b223, _223n, P) * b222) % P;
 }
 function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
  // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
  // significant bit of the last byte to 1.
  bytes[0] &= 252; // 0b11111100
  // and the most significant bit of the last byte to 1.
  bytes[55] |= 128; // 0b10000000
  // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
  bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
  return bytes;
 }
 const Fp = Field(ed448P, 456, true);
 const ED448_DEF = {
  // Param: a
  a: BigInt(1),
  // -39081. Negative number is P - number
  d: BigInt(
    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
  ),
  // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
  Fp,
  // Subgroup order: how many points curve has;
  // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
  n: BigInt(
    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
  ),
  nBitLength: 456,
  // Cofactor
  h: BigInt(4),
  // Base point (x, y) aka generator point
  Gx: BigInt(
    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
  ),
  Gy: BigInt(
    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
  ),
  // SHAKE256(dom4(phflag,context)||x, 114)
  hash: shake256_114,
  randomBytes,
  adjustScalarBytes,
  // dom4
  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
    return concatBytes(
      utf8ToBytes('SigEd448'),
      new Uint8Array([phflag ? 1 : 0, ctx.length]),
      ctx,
      data
    );
  },
  // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
  // Uses algo from RFC8032 5.1.3.
  uvRatio: (u: bigint, v: bigint): { isValid: boolean; value: bigint } => {
    const P = ed448P;
    // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
    // To compute the square root of (u/v), the first step is to compute the
    //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
    // following trick, to use a single modular powering for both the
    // inversion of v and the square root:
    // x = (u/v)^((p+1)/4)   = u³v(u⁵v³)^((p-3)/4)   (mod p)
    const u2v = mod(u * u * v, P); // u²v
    const u3v = mod(u2v * u, P); // u³v
    const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
    const root = ed448_pow_Pminus3div4(u5v3);
    const x = mod(u3v * root, P);
    // Verify that root is exists
    const x2 = mod(x * x, P); // x²
    // If vx² = u, the recovered x-coordinate is x.  Otherwise, no
    // square root exists, and the decoding fails.
    return { isValid: mod(x2 * v, P) === u, value: x };
  },
 } as const;
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
 export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
 export const x448 = montgomery({
  a24: BigInt(39081),
  montgomeryBits: 448,
  nByteLength: 57,
  P: ed448P,
  Gu: '0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
  powPminus2: (x: bigint): bigint => {
    const P = ed448P;
    const Pminus3div4 = ed448_pow_Pminus3div4(x);
    const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
    return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
  },
  adjustScalarBytes,
  // The 4-isogeny maps between the Montgomery curve and this Edwards
  // curve are:
  //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
  //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
  //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
  //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
  // xyToU: (p: PointType) => {
  //   const P = ed448P;
  //   const { x, y } = p;
  //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
  //   const invX = invert(x * x, P); // x^2
  //   const u = mod(y * y * invX, P); // (y^2/x^2)
  //   return numberToBytesLE(u, 56);
  // },
 });
 // Hash To Curve Elligator2 Map
 const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = BigInt(156326);
 function map_to_curve_elligator2_curve448(u: bigint) {
  let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
  let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
  tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
  let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
  let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
  let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
  let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
  let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
  gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
  gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
  gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
  let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
  tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
  tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
  let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
  y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
  let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
  let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
  y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
  tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
  tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
  let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
  let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
  let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
  let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
  y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
  return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
 }
 function map_to_curve_elligator2_edwards448(u: bigint) {
  let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
  let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
  let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
  let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
  let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
  let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
  let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
  let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
  xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
  xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
  xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
  xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
  tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
  tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
  let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
  let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
  tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
  let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
  tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
  let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
  let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
  yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
  yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
  tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
  tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
  tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
  tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
  tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
  let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
  tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
  yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
  tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
  let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
  xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
  xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
  yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
  yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
  const inv = Fp.invertBatch([xEd, yEd]); // batch division
  return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  ed448.ExtendedPoint,
  (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
  {
    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 224,
    expand: 'xof',
    hash: shake256,
  }
 );
 export { hashToCurve, encodeToCurve };
--- a/src/edwards.ts
+++ b/src/edwards.ts
@@ -1,682 +0,0 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Implementation of Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 // Differences from @noble/ed25519 1.7:
 // 1. Different field element lengths in ed448:
 //   EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
 // 2. Different addition formula (doubling is same)
 // 3. uvRatio differs between curves (half-expected, not only pow fn changes)
 // 4. Point decompression code is different too (unexpected), now using generalized formula
 // 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
 import * as mod from './modular.js';
 import {
  bytesToHex,
  concatBytes,
  ensureBytes,
  numberToBytesLE,
  bytesToNumberLE,
  hashToPrivateScalar,
  BasicCurve,
  validateOpts as utilOpts,
  Hex,
  PrivKey,
 } from './utils.js'; // TODO: import * as u from './utils.js'?
 import { Group, GroupConstructor, wNAF } from './group.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
 export type CHash = {
  (message: Uint8Array | string): Uint8Array;
  blockLen: number;
  outputLen: number;
  create(): any;
 };
 export type CurveType = BasicCurve<bigint> & {
  // Params: a, d
  a: bigint;
  d: bigint;
  // Hashes
  hash: CHash; // Because we need outputLen for DRBG
  randomBytes: (bytesLength?: number) => Uint8Array;
  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
  uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
  preHash?: CHash;
 };
 // Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve: CurveType) {
  const opts = utilOpts(curve);
  if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
    throw new Error('Invalid hash function');
  for (const i of ['a', 'd'] as const) {
    if (typeof opts[i] !== 'bigint')
      throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
  }
  for (const fn of ['randomBytes'] as const) {
    if (typeof opts[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
  }
  for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio'] as const) {
    if (opts[fn] === undefined) continue; // Optional
    if (typeof opts[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
  }
  // Set defaults
  return Object.freeze({ ...opts } as const);
 }
 // Instance
 export interface SignatureType {
  readonly r: PointType;
  readonly s: bigint;
  assertValidity(): SignatureType;
  toRawBytes(): Uint8Array;
  toHex(): string;
 }
 // Static methods
 export type SignatureConstructor = {
  new (r: PointType, s: bigint): SignatureType;
  fromHex(hex: Hex): SignatureType;
 };
 // Instance
 export interface ExtendedPointType extends Group<ExtendedPointType> {
  readonly x: bigint;
  readonly y: bigint;
  readonly z: bigint;
  readonly t: bigint;
  multiply(scalar: number | bigint, affinePoint?: PointType): ExtendedPointType;
  multiplyUnsafe(scalar: number | bigint): ExtendedPointType;
  isSmallOrder(): boolean;
  isTorsionFree(): boolean;
  toAffine(invZ?: bigint): PointType;
 }
 // Static methods
 export interface ExtendedPointConstructor extends GroupConstructor<ExtendedPointType> {
  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtendedPointType;
  fromAffine(p: PointType): ExtendedPointType;
  toAffineBatch(points: ExtendedPointType[]): PointType[];
  normalizeZ(points: ExtendedPointType[]): ExtendedPointType[];
 }
 // Instance
 export interface PointType extends Group<PointType> {
  readonly x: bigint;
  readonly y: bigint;
  _setWindowSize(windowSize: number): void;
  toRawBytes(isCompressed?: boolean): Uint8Array;
  toHex(isCompressed?: boolean): string;
  isTorsionFree(): boolean;
 }
 // Static methods
 export interface PointConstructor extends GroupConstructor<PointType> {
  new (x: bigint, y: bigint): PointType;
  fromHex(hex: Hex): PointType;
  fromPrivateKey(privateKey: PrivKey): PointType;
 }
 export type PubKey = Hex | PointType;
 export type SigType = Hex | SignatureType;
 export type CurveFn = {
  CURVE: ReturnType<typeof validateOpts>;
  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
  sign: (message: Hex, privateKey: Hex) => Uint8Array;
  verify: (sig: SigType, message: Hex, publicKey: PubKey) => boolean;
  Point: PointConstructor;
  ExtendedPoint: ExtendedPointConstructor;
  Signature: SignatureConstructor;
  utils: {
    mod: (a: bigint) => bigint;
    invert: (number: bigint) => bigint;
    randomPrivateKey: () => Uint8Array;
    getExtendedPublicKey: (key: PrivKey) => {
      head: Uint8Array;
      prefix: Uint8Array;
      scalar: bigint;
      point: PointType;
      pointBytes: Uint8Array;
    };
  };
 };
 // NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef: CurveType): CurveFn {
  const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
  const Fp = CURVE.Fp as mod.Field<bigint>;
  const CURVE_ORDER = CURVE.n;
  const fieldLen = Fp.BYTES; // 32 (length of one field element)
  if (fieldLen > 2048) throw new Error('Field lengths over 2048 are not supported');
  const groupLen = CURVE.nByteLength;
  // (2n ** 256n).toString(16);
  const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
  // Function overrides
  const { randomBytes } = CURVE;
  const modP = Fp.create;
  // sqrt(u/v)
  function _uvRatio(u: bigint, v: bigint) {
    try {
      const value = Fp.sqrt(u * Fp.invert(v));
      return { isValid: true, value };
    } catch (e) {
      return { isValid: false, value: _0n };
    }
  }
  const uvRatio = CURVE.uvRatio || _uvRatio;
  const _adjustScalarBytes = (bytes: Uint8Array) => bytes; // NOOP
  const adjustScalarBytes = CURVE.adjustScalarBytes || _adjustScalarBytes;
  function _domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
    if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
    return data;
  }
  const domain = CURVE.domain || _domain; // NOOP
  /**
   * Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
   * Default Point works in affine coordinates: (x, y)
   * https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
   */
  class ExtendedPoint implements ExtendedPointType {
    constructor(readonly x: bigint, readonly y: bigint, readonly z: bigint, readonly t: bigint) {}
    static BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
    static ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
    static fromAffine(p: Point): ExtendedPoint {
      if (!(p instanceof Point)) {
        throw new TypeError('ExtendedPoint#fromAffine: expected Point');
      }
      if (p.equals(Point.ZERO)) return ExtendedPoint.ZERO;
      return new ExtendedPoint(p.x, p.y, _1n, modP(p.x * p.y));
    }
    // Takes a bunch of Jacobian Points but executes only one
    // invert on all of them. invert is very slow operation,
    // so this improves performance massively.
    static toAffineBatch(points: ExtendedPoint[]): Point[] {
      const toInv = Fp.invertBatch(points.map((p) => p.z));
      return points.map((p, i) => p.toAffine(toInv[i]));
    }
    static normalizeZ(points: ExtendedPoint[]): ExtendedPoint[] {
      return this.toAffineBatch(points).map(this.fromAffine);
    }
    // Compare one point to another.
    equals(other: ExtendedPoint): boolean {
      assertExtPoint(other);
      const { x: X1, y: Y1, z: Z1 } = this;
      const { x: X2, y: Y2, z: Z2 } = other;
      const X1Z2 = modP(X1 * Z2);
      const X2Z1 = modP(X2 * Z1);
      const Y1Z2 = modP(Y1 * Z2);
      const Y2Z1 = modP(Y2 * Z1);
      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
    }
    // Inverses point to one corresponding to (x, -y) in Affine coordinates.
    negate(): ExtendedPoint {
      return new ExtendedPoint(modP(-this.x), this.y, this.z, modP(-this.t));
    }
    // Fast algo for doubling Extended Point.
    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
    // Cost: 4M + 4S + 1*a + 6add + 1*2.
    double(): ExtendedPoint {
      const { a } = CURVE;
      const { x: X1, y: Y1, z: Z1 } = this;
      const A = modP(X1 * X1); // A = X12
      const B = modP(Y1 * Y1); // B = Y12
      const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
      const D = modP(a * A); // D = a*A
      const x1y1 = X1 + Y1;
      const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
      const G = D + B; // G = D+B
      const F = G - C; // F = G-C
      const H = D - B; // H = D-B
      const X3 = modP(E * F); // X3 = E*F
      const Y3 = modP(G * H); // Y3 = G*H
      const T3 = modP(E * H); // T3 = E*H
      const Z3 = modP(F * G); // Z3 = F*G
      return new ExtendedPoint(X3, Y3, Z3, T3);
    }
    // Fast algo for adding 2 Extended Points.
    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
    // Cost: 9M + 1*a + 1*d + 7add.
    add(other: ExtendedPoint) {
      assertExtPoint(other);
      const { a, d } = CURVE;
      const { x: X1, y: Y1, z: Z1, t: T1 } = this;
      const { x: X2, y: Y2, z: Z2, t: T2 } = other;
      // Faster algo for adding 2 Extended Points when curve's a=-1.
      // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
      // Cost: 8M + 8add + 2*2.
      // Note: It does not check whether the `other` point is valid.
      if (a === BigInt(-1)) {
        const A = modP((Y1 - X1) * (Y2 + X2));
        const B = modP((Y1 + X1) * (Y2 - X2));
        const F = modP(B - A);
        if (F === _0n) return this.double(); // Same point.
        const C = modP(Z1 * _2n * T2);
        const D = modP(T1 * _2n * Z2);
        const E = D + C;
        const G = B + A;
        const H = D - C;
        const X3 = modP(E * F);
        const Y3 = modP(G * H);
        const T3 = modP(E * H);
        const Z3 = modP(F * G);
        return new ExtendedPoint(X3, Y3, Z3, T3);
      }
      const A = modP(X1 * X2); // A = X1*X2
      const B = modP(Y1 * Y2); // B = Y1*Y2
      const C = modP(T1 * d * T2); // C = T1*d*T2
      const D = modP(Z1 * Z2); // D = Z1*Z2
      const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
      // TODO: do we need to check for same point here? Looks like working without it
      const F = D - C; // F = D-C
      const G = D + C; // G = D+C
      const H = modP(B - a * A); // H = B-a*A
      const X3 = modP(E * F); // X3 = E*F
      const Y3 = modP(G * H); // Y3 = G*H
      const T3 = modP(E * H); // T3 = E*H
      const Z3 = modP(F * G); // Z3 = F*G
      return new ExtendedPoint(X3, Y3, Z3, T3);
    }
    subtract(other: ExtendedPoint): ExtendedPoint {
      return this.add(other.negate());
    }
    private wNAF(n: bigint, affinePoint?: Point): ExtendedPoint {
      if (!affinePoint && this.equals(ExtendedPoint.BASE)) affinePoint = Point.BASE;
      const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
      let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
      if (!precomputes) {
        precomputes = wnaf.precomputeWindow(this, W) as ExtendedPoint[];
        if (affinePoint && W !== 1) {
          precomputes = ExtendedPoint.normalizeZ(precomputes);
          pointPrecomputes.set(affinePoint, precomputes);
        }
      }
      const { p, f } = wnaf.wNAF(W, precomputes, n);
      return ExtendedPoint.normalizeZ([p, f])[0];
    }
    // Constant time multiplication.
    // Uses wNAF method. Windowed method may be 10% faster,
    // but takes 2x longer to generate and consumes 2x memory.
    multiply(scalar: number | bigint, affinePoint?: Point): ExtendedPoint {
      return this.wNAF(normalizeScalar(scalar, CURVE_ORDER), affinePoint);
    }
    // Non-constant-time multiplication. Uses double-and-add algorithm.
    // It's faster, but should only be used when you don't care about
    // an exposed private key e.g. sig verification.
    // Allows scalar bigger than curve order, but less than 2^256
    multiplyUnsafe(scalar: number | bigint): ExtendedPoint {
      let n = normalizeScalar(scalar, CURVE_ORDER, false);
      const G = ExtendedPoint.BASE;
      const P0 = ExtendedPoint.ZERO;
      if (n === _0n) return P0;
      if (this.equals(P0) || n === _1n) return this;
      if (this.equals(G)) return this.wNAF(n);
      return wnaf.unsafeLadder(this, n);
    }
    // Multiplies point by cofactor and checks if the result is 0.
    isSmallOrder(): boolean {
      return this.multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
    }
    // Multiplies point by a very big scalar n and checks if the result is 0.
    isTorsionFree(): boolean {
      return this.multiplyUnsafe(CURVE_ORDER).equals(ExtendedPoint.ZERO);
    }
    // Converts Extended point to default (x, y) coordinates.
    // Can accept precomputed Z^-1 - for example, from invertBatch.
    toAffine(invZ?: bigint): Point {
      const { x, y, z } = this;
      const is0 = this.equals(ExtendedPoint.ZERO);
      if (invZ == null) invZ = is0 ? _8n : (Fp.invert(z) as bigint); // 8 was chosen arbitrarily
      const ax = modP(x * invZ);
      const ay = modP(y * invZ);
      const zz = modP(z * invZ);
      if (is0) return Point.ZERO;
      if (zz !== _1n) throw new Error('invZ was invalid');
      return new Point(ax, ay);
    }
  }
  const wnaf = wNAF(ExtendedPoint, groupLen * 8);
  function assertExtPoint(other: unknown) {
    if (!(other instanceof ExtendedPoint)) throw new TypeError('ExtendedPoint expected');
  }
  // Stores precomputed values for points.
  const pointPrecomputes = new WeakMap<Point, ExtendedPoint[]>();
  /**
   * Default Point works in affine coordinates: (x, y)
   */
  class Point implements PointType {
    // Base point aka generator
    // public_key = Point.BASE * private_key
    static BASE: Point = new Point(CURVE.Gx, CURVE.Gy);
    // Identity point aka point at infinity
    // point = point + zero_point
    static ZERO: Point = new Point(_0n, _1n);
    // We calculate precomputes for elliptic curve point multiplication
    // using windowed method. This specifies window size and
    // stores precomputed values. Usually only base point would be precomputed.
    _WINDOW_SIZE?: number;
    constructor(readonly x: bigint, readonly y: bigint) {}
    // "Private method", don't use it directly.
    _setWindowSize(windowSize: number) {
      this._WINDOW_SIZE = windowSize;
      pointPrecomputes.delete(this);
    }
    // Converts hash string or Uint8Array to Point.
    // Uses algo from RFC8032 5.1.3.
    static fromHex(hex: Hex, strict = true) {
      const { d, a } = CURVE;
      hex = ensureBytes(hex, fieldLen);
      // 1.  First, interpret the string as an integer in little-endian
      // representation. Bit 255 of this number is the least significant
      // bit of the x-coordinate and denote this value x_0.  The
      // y-coordinate is recovered simply by clearing this bit.  If the
      // resulting value is >= p, decoding fails.
      const normed = hex.slice();
      const lastByte = hex[fieldLen - 1];
      normed[fieldLen - 1] = lastByte & ~0x80;
      const y = bytesToNumberLE(normed);
      if (strict && y >= Fp.ORDER) throw new Error('Expected 0 < hex < P');
      if (!strict && y >= maxGroupElement) throw new Error('Expected 0 < hex < 2**256');
      // 2.  To recover the x-coordinate, the curve equation implies
      // Ed25519: x² = (y² - 1) / (d y² + 1) (mod p).
      // Ed448: x² = (y² - 1) / (d y² - 1) (mod p).
      // For generic case:
      // a*x²+y²=1+d*x²*y²
      // -> y²-1 = d*x²*y²-a*x²
      // -> y²-1 = x² (d*y²-a)
      // -> x² = (y²-1) / (d*y²-a)
      // The denominator is always non-zero mod p.  Let u = y² - 1 and v = d y² + 1.
      const y2 = modP(y * y);
      const u = modP(y2 - _1n);
      const v = modP(d * y2 - a);
      let { isValid, value: x } = uvRatio(u, v);
      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
      // 4.  Finally, use the x_0 bit to select the right square root.  If
      // x = 0, and x_0 = 1, decoding fails.  Otherwise, if x_0 != x mod
      // 2, set x <-- p - x.  Return the decoded point (x,y).
      const isXOdd = (x & _1n) === _1n;
      const isLastByteOdd = (lastByte & 0x80) !== 0;
      if (isLastByteOdd !== isXOdd) x = modP(-x);
      return new Point(x, y);
    }
    static fromPrivateKey(privateKey: PrivKey) {
      return getExtendedPublicKey(privateKey).point;
    }
    // There can always be only two x values (x, -x) for any y
    // When compressing point, it's enough to only store its y coordinate
    // and use the last byte to encode sign of x.
    toRawBytes(): Uint8Array {
      const bytes = numberToBytesLE(this.y, fieldLen);
      bytes[fieldLen - 1] |= this.x & _1n ? 0x80 : 0;
      return bytes;
    }
    // Same as toRawBytes, but returns string.
    toHex(): string {
      return bytesToHex(this.toRawBytes());
    }
    isTorsionFree(): boolean {
      return ExtendedPoint.fromAffine(this).isTorsionFree();
    }
    equals(other: Point): boolean {
      if (!(other instanceof Point)) throw new TypeError('Point#equals: expected Point');
      return this.x === other.x && this.y === other.y;
    }
    negate(): Point {
      return new Point(modP(-this.x), this.y);
    }
    double(): Point {
      return ExtendedPoint.fromAffine(this).double().toAffine();
    }
    add(other: Point) {
      return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
    }
    subtract(other: Point) {
      return this.add(other.negate());
    }
    /**
     * Constant time multiplication.
     * @param scalar Big-Endian number
     * @returns new point
     */
    multiply(scalar: number | bigint): Point {
      return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
    }
  }
  /**
   * EDDSA signature.
   */
  class Signature implements SignatureType {
    constructor(readonly r: Point, readonly s: bigint) {
      this.assertValidity();
    }
    static fromHex(hex: Hex) {
      const bytes = ensureBytes(hex, 2 * fieldLen);
      const r = Point.fromHex(bytes.slice(0, fieldLen), false);
      const s = bytesToNumberLE(bytes.slice(fieldLen, 2 * fieldLen));
      return new Signature(r, s);
    }
    assertValidity() {
      const { r, s } = this;
      if (!(r instanceof Point)) throw new Error('Expected Point instance');
      // 0 <= s < l
      normalizeScalar(s, CURVE_ORDER, false);
      return this;
    }
    toRawBytes() {
      return concatBytes(this.r.toRawBytes(), numberToBytesLE(this.s, fieldLen));
    }
    toHex() {
      return bytesToHex(this.toRawBytes());
    }
  }
  // Little-endian SHA512 with modulo n
  function modlLE(hash: Uint8Array): bigint {
    return mod.mod(bytesToNumberLE(hash), CURVE_ORDER);
  }
  /**
   * Checks for num to be in range:
   * For strict == true:  `0 <  num < max`.
   * For strict == false: `0 <= num < max`.
   * Converts non-float safe numbers to bigints.
   */
  function normalizeScalar(num: number | bigint, max: bigint, strict = true): bigint {
    if (!max) throw new TypeError('Specify max value');
    if (typeof num === 'number' && Number.isSafeInteger(num)) num = BigInt(num);
    if (typeof num === 'bigint' && num < max) {
      if (strict) {
        if (_0n < num) return num;
      } else {
        if (_0n <= num) return num;
      }
    }
    throw new TypeError('Expected valid scalar: 0 < scalar < max');
  }
  function checkPrivateKey(key: PrivKey) {
    // Normalize bigint / number / string to Uint8Array
    key =
      typeof key === 'bigint' || typeof key === 'number'
        ? numberToBytesLE(normalizeScalar(key, maxGroupElement), groupLen)
        : ensureBytes(key);
    if (key.length !== groupLen) throw new Error(`Expected ${groupLen} bytes, got ${key.length}`);
    return key;
  }
  // Takes 64 bytes
  function getKeyFromHash(hashed: Uint8Array) {
    // First 32 bytes of 64b uniformingly random input are taken,
    // clears 3 bits of it to produce a random field element.
    const head = adjustScalarBytes(hashed.slice(0, groupLen));
    // Second 32 bytes is called key prefix (5.1.6)
    const prefix = hashed.slice(groupLen, 2 * groupLen);
    // The actual private scalar
    const scalar = modlLE(head);
    // Point on Edwards curve aka public key
    const point = Point.BASE.multiply(scalar);
    const pointBytes = point.toRawBytes();
    return { head, prefix, scalar, point, pointBytes };
  }
  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
  function getExtendedPublicKey(key: PrivKey) {
    return getKeyFromHash(CURVE.hash(checkPrivateKey(key)));
  }
  /**
   * Calculates ed25519 public key. RFC8032 5.1.5
   * 1. private key is hashed with sha512, then first 32 bytes are taken from the hash
   * 2. 3 least significant bits of the first byte are cleared
   */
  function getPublicKey(privateKey: PrivKey): Uint8Array {
    return getExtendedPublicKey(privateKey).pointBytes;
  }
  const EMPTY = new Uint8Array();
  function hashDomainToScalar(message: Uint8Array, context: Hex = EMPTY) {
    context = ensureBytes(context);
    return modlLE(CURVE.hash(domain(message, context, !!CURVE.preHash)));
  }
  /** Signs message with privateKey. RFC8032 5.1.6 */
  function sign(message: Hex, privateKey: Hex, context?: Hex): Uint8Array {
    message = ensureBytes(message);
    if (CURVE.preHash) message = CURVE.preHash(message);
    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privateKey);
    const r = hashDomainToScalar(concatBytes(prefix, message), context);
    const R = Point.BASE.multiply(r); // R = rG
    const k = hashDomainToScalar(concatBytes(R.toRawBytes(), pointBytes, message), context); // k = hash(R+P+msg)
    const s = mod.mod(r + k * scalar, CURVE_ORDER); // s = r + kp
    return new Signature(R, s).toRawBytes();
  }
  /**
   * Verifies EdDSA signature against message and public key.
   * An extended group equation is checked.
   * RFC8032 5.1.7
   * Compliant with ZIP215:
   * 0 <= sig.R/publicKey < 2**256 (can be >= curve.P)
   * 0 <= sig.s < l
   * Not compliant with RFC8032: it's not possible to comply to both ZIP & RFC at the same time.
   */
  function verify(sig: SigType, message: Hex, publicKey: PubKey, context?: Hex): boolean {
    message = ensureBytes(message);
    if (CURVE.preHash) message = CURVE.preHash(message);
    // When hex is passed, we check public key fully.
    // When Point instance is passed, we assume it has already been checked, for performance.
    // If user passes Point/Sig instance, we assume it has been already verified.
    // We don't check its equations for performance. We do check for valid bounds for s though
    // We always check for: a) s bounds. b) hex validity
    if (publicKey instanceof Point) {
      // ignore
    } else if (publicKey instanceof Uint8Array || typeof publicKey === 'string') {
      publicKey = Point.fromHex(publicKey, false);
    } else {
      throw new Error(`Invalid publicKey: ${publicKey}`);
    }
    if (sig instanceof Signature) sig.assertValidity();
    else if (sig instanceof Uint8Array || typeof sig === 'string') sig = Signature.fromHex(sig);
    else throw new Error(`Wrong signature: ${sig}`);
    const { r, s } = sig;
    const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
    const k = hashDomainToScalar(
      concatBytes(r.toRawBytes(), publicKey.toRawBytes(), message),
      context
    );
    const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
    const RkA = ExtendedPoint.fromAffine(r).add(kA);
    // [8][S]B = [8]R + [8][k]A'
    return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
  }
  // Enable precomputes. Slows down first publicKey computation by 20ms.
  Point.BASE._setWindowSize(8);
  const utils = {
    getExtendedPublicKey,
    mod: modP,
    invert: Fp.invert,
    /**
     * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
     */
    hashToPrivateScalar: (hash: Hex): bigint => hashToPrivateScalar(hash, CURVE_ORDER, true),
    /**
     * ed25519 private keys are uniform 32-bit strings. We do not need to check for
     * modulo bias like we do in secp256k1 randomPrivateKey()
     */
    randomPrivateKey: (): Uint8Array => randomBytes(fieldLen),
    /**
     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
     * @param windowSize 2, 4, 8, 16
     */
    precompute(windowSize = 8, point = Point.BASE): Point {
      const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
      cached._setWindowSize(windowSize);
      cached.multiply(_2n);
      return cached;
    },
  };
  return {
    CURVE,
    getPublicKey,
    sign,
    verify,
    ExtendedPoint,
    Point,
    Signature,
    utils,
  };
 }
--- a/src/hashToCurve.ts
+++ b/src/hashToCurve.ts
@@ -1,131 +0,0 @@
 import { CHash, concatBytes } from './utils.js';
 import * as mod from './modular.js';
 export type htfOpts = {
  // DST: a domain separation tag
  // defined in section 2.2.5
  DST: string;
  // p: the characteristic of F
  //    where F is a finite field of characteristic p and order q = p^m
  p: bigint;
  // m: the extension degree of F, m >= 1
  //     where F is a finite field of characteristic p and order q = p^m
  m: number;
  // k: the target security level for the suite in bits
  // defined in section 5.1
  k: number;
  // option to use a message that has already been processed by
  // expand_message_xmd
  expand: boolean;
  // Hash functions for: expand_message_xmd is appropriate for use with a
  // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
  // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
  hash: CHash;
 };
 export function validateHTFOpts(opts: htfOpts) {
  if (typeof opts.DST !== 'string') throw new Error('Invalid htf/DST');
  if (typeof opts.p !== 'bigint') throw new Error('Invalid htf/p');
  if (typeof opts.m !== 'number') throw new Error('Invalid htf/m');
  if (typeof opts.k !== 'number') throw new Error('Invalid htf/k');
  if (typeof opts.expand !== 'boolean') throw new Error('Invalid htf/expand');
  if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
    throw new Error('Invalid htf/hash function');
 }
 // UTF8 to ui8a
 export function stringToBytes(str: string) {
  const bytes = new Uint8Array(str.length);
  for (let i = 0; i < str.length; i++) bytes[i] = str.charCodeAt(i);
  return bytes;
 }
 // Octet Stream to Integer (bytesToNumberBE)
 function os2ip(bytes: Uint8Array): bigint {
  let result = 0n;
  for (let i = 0; i < bytes.length; i++) {
    result <<= 8n;
    result += BigInt(bytes[i]);
  }
  return result;
 }
 // Integer to Octet Stream
 function i2osp(value: number, length: number): Uint8Array {
  if (value < 0 || value >= 1 << (8 * length)) {
    throw new Error(`bad I2OSP call: value=${value} length=${length}`);
  }
  const res = Array.from({ length }).fill(0) as number[];
  for (let i = length - 1; i >= 0; i--) {
    res[i] = value & 0xff;
    value >>>= 8;
  }
  return new Uint8Array(res);
 }
 function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
  const arr = new Uint8Array(a.length);
  for (let i = 0; i < a.length; i++) {
    arr[i] = a[i] ^ b[i];
  }
  return arr;
 }
 // Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1
 export function expand_message_xmd(
  msg: Uint8Array,
  DST: Uint8Array,
  lenInBytes: number,
  H: CHash
 ): Uint8Array {
  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
  if (DST.length > 255) DST = H(concatBytes(stringToBytes('H2C-OVERSIZE-DST-'), DST));
  const b_in_bytes = H.outputLen;
  const r_in_bytes = b_in_bytes * 2;
  const ell = Math.ceil(lenInBytes / b_in_bytes);
  if (ell > 255) throw new Error('Invalid xmd length');
  const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
  const Z_pad = i2osp(0, r_in_bytes);
  const l_i_b_str = i2osp(lenInBytes, 2);
  const b = new Array<Uint8Array>(ell);
  const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
  b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
  for (let i = 1; i <= ell; i++) {
    const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
    b[i] = H(concatBytes(...args));
  }
  const pseudo_random_bytes = concatBytes(...b);
  return pseudo_random_bytes.slice(0, lenInBytes);
 }
 // hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
 // Inputs:
 // msg - a byte string containing the message to hash.
 // count - the number of elements of F to output.
 // Outputs:
 // [u_0, ..., u_(count - 1)], a list of field elements.
 export function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][] {
  // if options is provided but incomplete, fill any missing fields with the
  // value in hftDefaults (ie hash to G2).
  const log2p = options.p.toString(2).length;
  const L = Math.ceil((log2p + options.k) / 8); // section 5.1 of ietf draft link above
  const len_in_bytes = count * options.m * L;
  const DST = stringToBytes(options.DST);
  let pseudo_random_bytes = msg;
  if (options.expand) {
    pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
  }
  const u = new Array(count);
  for (let i = 0; i < count; i++) {
    const e = new Array(options.m);
    for (let j = 0; j < options.m; j++) {
      const elm_offset = L * (j + i * options.m);
      const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
      e[j] = mod.mod(os2ip(tv), options.p);
    }
    u[i] = e;
  }
  return u;
 }
--- a/curve-definitions/src/index.ts
+++ b/curve-definitions/src/index.ts
--- a/curve-definitions/src/jubjub.ts
+++ b/curve-definitions/src/jubjub.ts
@@ -1,13 +1,14 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { twistedEdwards } from '@noble/curves/edwards';
+import { twistedEdwards } from './abstract/edwards.js';
 import { blake2s } from '@noble/hashes/blake2s';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 /**
 * jubjub Twisted Edwards curve.
 * https://neuromancer.sk/std/other/JubJub
 * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
 */
 export const jubjub = twistedEdwards({
@@ -15,16 +16,16 @@ export const jubjub = twistedEdwards({
  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
  // Finite field 𝔽p over which we'll do calculations
  // Same value as bls12-381 Fr (not Fp)
  Fp: Fp(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
-  // Subgroup order: how many points ed25519 has
+  // Subgroup order: how many points curve has
  // 2n ** 252n + 27742317777372353535851937790883648493n;
  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
  // Cofactor
  h: BigInt(8),
  // Base point (x, y) aka generator point
  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
-  hash: sha256,
+  hash: sha512,
  randomBytes,
 } as const);
@@ -38,7 +39,7 @@ export function groupHash(tag: Uint8Array, personalization: Uint8Array) {
  h.update(GH_FIRST_BLOCK);
  h.update(tag);
  // NOTE: returns ExtendedPoint, in case it will be multiplied later
-  let p = jubjub.ExtendedPoint.fromAffine(jubjub.Point.fromHex(h.digest()));
+  let p = jubjub.ExtendedPoint.fromHex(h.digest());
  // NOTE: cannot replace with isSmallOrder, returns Point*8
  p = p.multiply(jubjub.CURVE.h);
  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
--- a/src/modular.ts
+++ b/src/modular.ts
@@ -1,301 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as utils from './utils.js';
 // Utilities for modular arithmetics
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
  const result = a % b;
  return result >= _0n ? result : b + result;
 }
 /**
 * Efficiently exponentiate num to power and do modular division.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
 * @example
 * powMod(2n, 6n, 11n) // 64n % 11n == 9n
 */
 // TODO: use field version && remove
 export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
  if (modulo <= _0n || power < _0n) throw new Error('Expected power/modulo > 0');
  if (modulo === _1n) return _0n;
  let res = _1n;
  while (power > _0n) {
    if (power & _1n) res = (res * num) % modulo;
    num = (num * num) % modulo;
    power >>= _1n;
  }
  return res;
 }
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
 // TODO: Fp version?
 export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
  let res = x;
  while (power-- > _0n) {
    res *= res;
    res %= modulo;
  }
  return res;
 }
 // Inverses number over modulo
 export function invert(number: bigint, modulo: bigint): bigint {
  if (number === _0n || modulo <= _0n) {
    throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
  }
  // Eucledian GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
  let a = mod(number, modulo);
  let b = modulo;
  // prettier-ignore
  let x = _0n, y = _1n, u = _1n, v = _0n;
  while (a !== _0n) {
    const q = b / a;
    const r = b % a;
    const m = x - u * q;
    const n = y - v * q;
    // prettier-ignore
    b = a, a = r, x = u, y = v, u = m, v = n;
  }
  const gcd = b;
  if (gcd !== _1n) throw new Error('invert: does not exist');
  return mod(x, modulo);
 }
 /**
 * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
 * * (a | p) ≡ 1    if a is a square (mod p)
 * * (a | p) ≡ -1   if a is not a square (mod p)
 * * (a | p) ≡ 0    if a ≡ 0 (mod p)
 */
 export function legendre(num: bigint, fieldPrime: bigint): bigint {
  return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
 }
 /**
 * Calculates square root of a number in a finite field.
 */
 // TODO: rewrite as generic Fp function && remove bls versions
 export function sqrt(number: bigint, modulo: bigint): bigint {
  // prettier-ignore
  const _3n = BigInt(3), _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
  const n = number;
  const P = modulo;
  const p1div4 = (P + _1n) / _4n;
  // P ≡ 3 (mod 4)
  // sqrt n = n^((P+1)/4)
  if (P % _4n === _3n) {
    // Not all roots possible!
    // const ORDER =
    //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
    // const NUM = 72057594037927816n;
    // TODO: fix sqrtMod in secp256k1
    const root = pow(n, p1div4, P);
    if (mod(root * root, modulo) !== number) throw new Error('Cannot find square root');
    return root;
  }
  // P ≡ 5 (mod 8)
  if (P % _8n === _5n) {
    const n2 = mod(n * _2n, P);
    const v = pow(n2, (P - _5n) / _8n, P);
    const nv = mod(n * v, P);
    const i = mod(_2n * nv * v, P);
    const r = mod(nv * (i - _1n), P);
    return r;
  }
  // Other cases: Tonelli-Shanks algorithm
  if (legendre(n, P) !== _1n) throw new Error('Cannot find square root');
  let q: bigint, s: number, z: bigint;
  for (q = P - _1n, s = 0; q % _2n === _0n; q /= _2n, s++);
  if (s === 1) return pow(n, p1div4, P);
  for (z = _2n; z < P && legendre(z, P) !== P - _1n; z++);
  let c = pow(z, q, P);
  let r = pow(n, (q + _1n) / _2n, P);
  let t = pow(n, q, P);
  let t2 = _0n;
  while (mod(t - _1n, P) !== _0n) {
    t2 = mod(t * t, P);
    let i;
    for (i = 1; i < s; i++) {
      if (mod(t2 - _1n, P) === _0n) break;
      t2 = mod(t2 * t2, P);
    }
    let b = pow(c, BigInt(1 << (s - i - 1)), P);
    r = mod(r * b, P);
    c = mod(b * b, P);
    t = mod(t * c, P);
    s = i;
  }
  return r;
 }
 // Little-endian check for first LE bit (last BE bit);
 export const isNegativeLE = (num: bigint, modulo: bigint) => (mod(num, modulo) & _1n) === _1n;
 // Currently completly inconsistent naming:
 // - readable: add, mul, sqr, sqrt, inv, div, pow, eq, sub
 // - unreadable mess: addition, multiply, square, squareRoot, inversion, divide, power, equals, subtract
 export interface Field<T> {
  ORDER: bigint;
  BYTES: number;
  BITS: number;
  MASK: bigint;
  ZERO: T;
  ONE: T;
  // 1-arg
  create: (num: T) => T;
  isValid: (num: T) => boolean;
  isZero: (num: T) => boolean;
  negate(num: T): T;
  invert(num: T): T;
  sqrt(num: T): T;
  square(num: T): T;
  // 2-args
  equals(lhs: T, rhs: T): boolean;
  add(lhs: T, rhs: T): T;
  subtract(lhs: T, rhs: T): T;
  multiply(lhs: T, rhs: T | bigint): T;
  pow(lhs: T, power: bigint): T;
  div(lhs: T, rhs: T | bigint): T;
  // N for NonNormalized (for now)
  addN(lhs: T, rhs: T): T;
  subtractN(lhs: T, rhs: T): T;
  multiplyN(lhs: T, rhs: T | bigint): T;
  squareN(num: T): T;
  // Optional
  isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
  legendre?(num: T): T;
  pow(lhs: T, power: bigint): T;
  invertBatch: (lst: T[]) => T[];
  toBytes(num: T): Uint8Array;
  fromBytes(bytes: Uint8Array): T;
 }
 // prettier-ignore
 const FIELD_FIELDS = [
  'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
  'equals', 'add', 'subtract', 'multiply', 'pow', 'div',
  'addN', 'subtractN', 'multiplyN', 'squareN'
 ] as const;
 export function validateField<T>(field: Field<T>) {
  for (const i of ['ORDER', 'MASK'] as const) {
    if (typeof field[i] !== 'bigint')
      throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
  }
  for (const i of ['BYTES', 'BITS'] as const) {
    if (typeof field[i] !== 'number')
      throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
  }
  for (const i of FIELD_FIELDS) {
    if (typeof field[i] !== 'function')
      throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
  }
 }
 // Generic field functions
 export function FpPow<T>(f: Field<T>, num: T, power: bigint): T {
  // Should have same speed as pow for bigints
  // TODO: benchmark!
  if (power < _0n) throw new Error('Expected power > 0');
  if (power === _0n) return f.ONE;
  if (power === _1n) return num;
  let p = f.ONE;
  let d = num;
  while (power > _0n) {
    if (power & _1n) p = f.multiply(p, d);
    d = f.square(d);
    power >>= 1n;
  }
  return p;
 }
 export function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[] {
  const tmp = new Array(nums.length);
  // Walk from first to last, multiply them by each other MOD p
  const lastMultiplied = nums.reduce((acc, num, i) => {
    if (f.isZero(num)) return acc;
    tmp[i] = acc;
    return f.multiply(acc, num);
  }, f.ONE);
  // Invert last element
  const inverted = f.invert(lastMultiplied);
  // Walk from last to first, multiply them by inverted each other MOD p
  nums.reduceRight((acc, num, i) => {
    if (f.isZero(num)) return acc;
    tmp[i] = f.multiply(acc, tmp[i]);
    return f.multiply(acc, num);
  }, inverted);
  return tmp;
 }
 export function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T {
  return f.multiply(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
 }
 // NOTE: very fragile, always bench. Major performance points:
 // - NonNormalized ops
 // - Object.freeze
 // - same shape of object (don't add/remove keys)
 export function Fp(
  ORDER: bigint,
  bitLen?: number,
  isLE = false,
  redef: Partial<Field<bigint>> = {}
 ): Readonly<Field<bigint>> {
  if (ORDER <= _0n) throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
  const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
  if (BYTES > 2048) throw new Error('Field lengths over 2048 bytes are not supported');
  const sqrtP = (num: bigint) => sqrt(num, ORDER);
  const f: Field<bigint> = Object.freeze({
    ORDER,
    BITS,
    BYTES,
    MASK: utils.bitMask(BITS),
    ZERO: _0n,
    ONE: _1n,
    create: (num) => mod(num, ORDER),
    isValid: (num) => {
      if (typeof num !== 'bigint')
        throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
      return _0n <= num && num < ORDER;
    },
    isZero: (num) => num === _0n,
    isOdd: (num) => (num & _1n) === _1n,
    negate: (num) => mod(-num, ORDER),
    equals: (lhs, rhs) => lhs === rhs,
    square: (num) => mod(num * num, ORDER),
    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
    subtract: (lhs, rhs) => mod(lhs - rhs, ORDER),
    multiply: (lhs, rhs) => mod(lhs * rhs, ORDER),
    pow: (num, power) => FpPow(f, num, power),
    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
    // Same as above, but doesn't normalize
    squareN: (num) => num * num,
    addN: (lhs, rhs) => lhs + rhs,
    subtractN: (lhs, rhs) => lhs - rhs,
    multiplyN: (lhs, rhs) => lhs * rhs,
    invert: (num) => invert(num, ORDER),
    sqrt: redef.sqrt || sqrtP,
    invertBatch: (lst) => FpInvertBatch(f, lst),
    toBytes: (num) =>
      isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
    fromBytes: (bytes) => {
      if (bytes.length !== BYTES)
        throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
      return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
    },
  } as Field<bigint>);
  return Object.freeze(f);
 }
--- a/curve-definitions/src/p192.ts
+++ b/curve-definitions/src/p192.ts
@@ -1,7 +1,7 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 // NIST secp192r1 aka P192
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
--- a/curve-definitions/src/p224.ts
+++ b/curve-definitions/src/p224.ts
@@ -1,7 +1,7 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
-import { sha256 } from '@noble/hashes/sha256';
+import { sha224 } from '@noble/hashes/sha256';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 // NIST secp224r1 aka P224
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-224
@@ -10,7 +10,7 @@ export const P224 = createCurve(
    // Params: a, b
    a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe'),
    b: BigInt('0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4'),
-    // Field over which we'll do calculations; 2n**224n - 2n**96n + 1n
+    // Field over which we'll do calculations;
    Fp: Fp(BigInt('0xffffffffffffffffffffffffffffffff000000000000000000000001')),
    // Curve order, total count of valid points in the field
    n: BigInt('0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d'),
@@ -20,6 +20,6 @@ export const P224 = createCurve(
    h: BigInt(1),
    lowS: false,
  } as const,
-  sha256 // TODO: replace with sha224 when new @noble/hashes released
+  sha224
 );
 export const secp224r1 = P224;
--- a/src/p256.ts
+++ b/src/p256.ts
@@ -0,0 +1,53 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
 const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
 const CURVE_A = Fp.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 const mapSWU = mapToCurveSimpleSWU(Fp, {
  A: CURVE_A,
  B: CURVE_B,
  Z: Fp.create(BigInt('-10')),
 });
 export const P256 = createCurve(
  {
    // Params: a, b
    a: CURVE_A,
    b: CURVE_B,
    Fp,
    // Curve order, total count of valid points in the field
    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
    // Base point (x, y) aka generator point
    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
    h: BigInt(1),
    lowS: false,
  } as const,
  sha256
 );
 export const secp256r1 = P256;
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  secp256r1.ProjectivePoint,
  (scalars: bigint[]) => mapSWU(scalars[0]),
  {
    DST: 'P256_XMD:SHA-256_SSWU_RO_',
    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 128,
    expand: 'xmd',
    hash: sha256,
  }
 );
 export { hashToCurve, encodeToCurve };
--- a/src/p384.ts
+++ b/src/p384.ts
@@ -0,0 +1,57 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
 // prettier-ignore
 const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
 const Fp = Field(P);
 const CURVE_A = Fp.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 const mapSWU = mapToCurveSimpleSWU(Fp, {
  A: CURVE_A,
  B: CURVE_B,
  Z: Fp.create(BigInt('-12')),
 });
 // prettier-ignore
 export const P384 = createCurve({
    // Params: a, b
    a: CURVE_A,
    b: CURVE_B,
    // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
    Fp,
    // Curve order, total count of valid points in the field.
    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
    // Base point (x, y) aka generator point
    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
    h: BigInt(1),
    lowS: false,
  } as const,
  sha384
 );
 export const secp384r1 = P384;
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  secp384r1.ProjectivePoint,
  (scalars: bigint[]) => mapSWU(scalars[0]),
  {
    DST: 'P384_XMD:SHA-384_SSWU_RO_',
    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 192,
    expand: 'xmd',
    hash: sha384,
  }
 );
 export { hashToCurve, encodeToCurve };
--- a/src/p521.ts
+++ b/src/p521.ts
@@ -0,0 +1,57 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha512 } from '@noble/hashes/sha512';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
 // Field over which we'll do calculations; 2n**521n - 1n
 // prettier-ignore
 const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
 const Fp = Field(P);
 const CURVE_A = Fp.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00');
 const mapSWU = mapToCurveSimpleSWU(Fp, {
  A: CURVE_A,
  B: CURVE_B,
  Z: Fp.create(BigInt('-4')),
 });
 // prettier-ignore
 export const P521 = createCurve({
  // Params: a, b
  a: CURVE_A,
  b: CURVE_B,
  Fp,
  // Curve order, total count of valid points in the field
  n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
  // Base point (x, y) aka generator point
  Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
  Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
  h: BigInt(1),
  lowS: false,
  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
 } as const, sha512);
 export const secp521r1 = P521;
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  secp521r1.ProjectivePoint,
  (scalars: bigint[]) => mapSWU(scalars[0]),
  {
    DST: 'P521_XMD:SHA-512_SSWU_RO_',
    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 256,
    expand: 'xmd',
    hash: sha512,
  }
 );
 export { hashToCurve, encodeToCurve };
--- a/curve-definitions/src/pasta.ts
+++ b/curve-definitions/src/pasta.ts
@@ -1,11 +1,11 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
-import { weierstrass } from '@noble/curves/weierstrass';
+import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
-import * as mod from '@noble/curves/modular';
+import * as mod from './abstract/modular.js';
-const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
+export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
-const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
+export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
 // https://neuromancer.sk/std/other/Pallas
 export const pallas = weierstrass({
--- a/src/secp256k1.ts
+++ b/src/secp256k1.ts
@@ -0,0 +1,278 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field, mod, pow2 } from './abstract/modular.js';
 import { createCurve } from './_shortw_utils.js';
 import { ProjPointType as PointType, mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import {
  ensureBytes,
  concatBytes,
  Hex,
  bytesToNumberBE as bytesToInt,
  PrivKey,
  numberToBytesBE,
 } from './abstract/utils.js';
 import { randomBytes } from '@noble/hashes/utils';
 import * as htf from './abstract/hash-to-curve.js';
 /**
 * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
 * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
 * Should always be used for Projective's double-and-add multiplication.
 * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
 * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
 */
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
 /**
 * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
 * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
 */
 function sqrtMod(y: bigint): bigint {
  const P = secp256k1P;
  // prettier-ignore
  const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
  // prettier-ignore
  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
  const b2 = (y * y * y) % P; // x^3, 11
  const b3 = (b2 * b2 * y) % P; // x^7
  const b6 = (pow2(b3, _3n, P) * b3) % P;
  const b9 = (pow2(b6, _3n, P) * b3) % P;
  const b11 = (pow2(b9, _2n, P) * b2) % P;
  const b22 = (pow2(b11, _11n, P) * b11) % P;
  const b44 = (pow2(b22, _22n, P) * b22) % P;
  const b88 = (pow2(b44, _44n, P) * b44) % P;
  const b176 = (pow2(b88, _88n, P) * b88) % P;
  const b220 = (pow2(b176, _44n, P) * b44) % P;
  const b223 = (pow2(b220, _3n, P) * b3) % P;
  const t1 = (pow2(b223, _23n, P) * b22) % P;
  const t2 = (pow2(t1, _6n, P) * b2) % P;
  const root = pow2(t2, _2n, P);
  if (!Fp.eql(Fp.sqr(root), y)) throw new Error('Cannot find square root');
  return root;
 }
 const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 type Fp = bigint;
 export const secp256k1 = createCurve(
  {
    // Params: a, b
    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
    a: BigInt(0),
    b: BigInt(7),
    // Field over which we'll do calculations;
    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
    Fp,
    // Curve order, total count of valid points in the field
    n: secp256k1N,
    // Base point (x, y) aka generator point
    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
    h: BigInt(1),
    // Alllow only low-S signatures by default in sign() and verify()
    lowS: true,
    endo: {
      // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
      beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
      splitScalar: (k: bigint) => {
        const n = secp256k1N;
        const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
        const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
        const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
        const b2 = a1;
        const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
        const c1 = divNearest(b2 * k, n);
        const c2 = divNearest(-b1 * k, n);
        let k1 = mod(k - c1 * a1 - c2 * a2, n);
        let k2 = mod(-c1 * b1 - c2 * b2, n);
        const k1neg = k1 > POW_2_128;
        const k2neg = k2 > POW_2_128;
        if (k1neg) k1 = n - k1;
        if (k2neg) k2 = n - k2;
        if (k1 > POW_2_128 || k2 > POW_2_128) {
          throw new Error('splitScalar: Endomorphism failed, k=' + k);
        }
        return { k1neg, k1, k2neg, k2 };
      },
    },
  },
  sha256
 );
 // Schnorr signatures are superior to ECDSA from above.
 // Below is Schnorr-specific code as per BIP0340.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
 const fe = (x: bigint) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
 const ge = (x: bigint) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
 const TAGS = {
  challenge: 'BIP0340/challenge',
  aux: 'BIP0340/aux',
  nonce: 'BIP0340/nonce',
 } as const;
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
 const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
 function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
  let tagP = TAGGED_HASH_PREFIXES[tag];
  if (tagP === undefined) {
    const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
    tagP = concatBytes(tagH, tagH);
    TAGGED_HASH_PREFIXES[tag] = tagP;
  }
  return sha256(concatBytes(tagP, ...messages));
 }
 const pointToBytes = (point: PointType<bigint>) => point.toRawBytes(true).slice(1);
 const numTo32b = (n: bigint) => numberToBytesBE(n, 32);
 const modN = (x: bigint) => mod(x, secp256k1N);
 const Point = secp256k1.ProjectivePoint;
 const GmulAdd = (Q: PointType<bigint>, a: bigint, b: bigint) =>
  Point.BASE.multiplyAndAddUnsafe(Q, a, b);
 const hex32ToInt = (key: Hex) => bytesToInt(ensureBytes(key, 32));
 function schnorrGetExtPubKey(priv: PrivKey) {
  let d = typeof priv === 'bigint' ? priv : hex32ToInt(priv);
  const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
  const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
  return { point, scalar, bytes: pointToBytes(point) };
 }
 function lift_x(x: bigint): PointType<bigint> {
  if (!fe(x)) throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
  const c = mod(x * x * x + BigInt(7), secp256k1P); // Let c = x³ + 7 mod p.
  let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
  if (y % 2n !== 0n) y = mod(-y, secp256k1P); // Return the unique point P such that x(P) = x and
  const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
  p.assertValidity();
  return p;
 }
 function challenge(...args: Uint8Array[]): bigint {
  return modN(bytesToInt(taggedHash(TAGS.challenge, ...args)));
 }
 // Schnorr's pubkey is just `x` of Point (BIP340)
 function schnorrGetPublicKey(privateKey: Hex): Uint8Array {
  return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
 // Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
 // auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous
 function schnorrSign(
  message: Hex,
  privateKey: PrivKey,
  auxRand: Hex = randomBytes(32)
 ): Uint8Array {
  if (message == null) throw new Error(`sign: Expected valid message, not "${message}"`);
  const m = ensureBytes(message); // checks for isWithinCurveOrder
  const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
  const a = ensureBytes(auxRand, 32); // Auxiliary random data a: a 32-byte array
  const t = numTo32b(d ^ bytesToInt(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
  const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
  const k_ = modN(bytesToInt(rand)); // Let k' = int(rand) mod n
  if (k_ === _0n) throw new Error('sign failed: k is zero'); // Fail if k' = 0.
  const { point: R, bytes: rx, scalar: k } = schnorrGetExtPubKey(k_); // Let R = k'⋅G.
  const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
  const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
  sig.set(numTo32b(R.px), 0);
  sig.set(numTo32b(modN(k + e * d)), 32);
  // If Verify(bytes(P), m, sig) (see below) returns failure, abort
  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');
  return sig;
 }
 /**
 * Verifies Schnorr signature synchronously.
 */
 function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
  try {
    const P = lift_x(hex32ToInt(publicKey)); // P = lift_x(int(pk)); fail if that fails
    const sig = ensureBytes(signature, 64);
    const r = bytesToInt(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
    if (!fe(r)) return false;
    const s = bytesToInt(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
    if (!ge(s)) return false;
    const m = ensureBytes(message);
    const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
    const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
    if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false; // -eP == (n-e)P
    return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
  } catch (error) {
    return false;
  }
 }
 export const schnorr = {
  getPublicKey: schnorrGetPublicKey,
  sign: schnorrSign,
  verify: schnorrVerify,
  utils: {
    getExtendedPublicKey: schnorrGetExtPubKey,
    lift_x,
    pointToBytes,
    numberToBytesBE,
    bytesToNumberBE: bytesToInt,
    taggedHash,
    mod,
  },
 };
 const isoMap = htf.isogenyMap(
  Fp,
  [
    // xNum
    [
      '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
      '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
      '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
      '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
    ],
    // xDen
    [
      '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
      '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
      '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
    ],
    // yNum
    [
      '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
      '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
      '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
      '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
    ],
    // yDen
    [
      '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
      '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
      '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
      '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
    ],
  ].map((i) => i.map((j) => BigInt(j))) as [Fp[], Fp[], Fp[], Fp[]]
 );
 const mapSWU = mapToCurveSimpleSWU(Fp, {
  A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
  B: BigInt('1771'),
  Z: Fp.create(BigInt('-11')),
 });
 const { hashToCurve, encodeToCurve } = htf.hashToCurve(
  secp256k1.ProjectivePoint,
  (scalars: bigint[]) => {
    const { x, y } = mapSWU(Fp.create(scalars[0]));
    return isoMap(x, y);
  },
  {
    DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
    encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 128,
    expand: 'xmd',
    hash: sha256,
  }
 );
 export { hashToCurve, encodeToCurve };
--- a/curve-definitions/src/stark.ts
+++ b/curve-definitions/src/stark.ts
@@ -1,14 +1,14 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { keccak_256 } from '@noble/hashes/sha3';
 import { sha256 } from '@noble/hashes/sha256';
-import { hmac } from '@noble/hashes/hmac';
+import { weierstrass, ProjPointType } from './abstract/weierstrass.js';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
+import * as cutils from './abstract/utils.js';
-import { weierstrass, JacobianPointType } from '@noble/curves/weierstrass';
+import { Fp, mod, Field, validateField } from './abstract/modular.js';
 import * as cutils from '@noble/curves/utils';
 import { Fp } from '@noble/curves/modular';
 import { getHash } from './_shortw_utils.js';
 import * as poseidon from './abstract/poseidon.js';
 import { utf8ToBytes } from '@noble/hashes/utils';
-type JacobianPoint = JacobianPointType<bigint>;
+type ProjectivePoint = ProjPointType<bigint>;
 // Stark-friendly elliptic curve
 // https://docs.starkware.co/starkex/stark-curve.html
@@ -16,6 +16,15 @@ const CURVE_N = BigInt(
  '3618502788666131213697322783095070105526743751716087489154079457884512865583'
 );
 const nBitLength = 252;
 // Copy-pasted from weierstrass.ts
 function bits2int(bytes: Uint8Array): bigint {
  const delta = bytes.length * 8 - nBitLength;
  const num = cutils.bytesToNumberBE(bytes);
  return delta > 0 ? num >> BigInt(delta) : num;
 }
 function bits2int_modN(bytes: Uint8Array): bigint {
  return mod(bits2int(bytes), CURVE_N);
 }
 export const starkCurve = weierstrass({
  // Params: a, b
  a: BigInt(1),
@@ -33,31 +42,27 @@ export const starkCurve = weierstrass({
  // Default options
  lowS: false,
  ...getHash(sha256),
-  truncateHash: (hash: Uint8Array, truncateOnly = false): bigint => {
+  // Custom truncation routines for stark curve
-    // TODO: cleanup, ugly code
+  bits2int: (bytes: Uint8Array): bigint => {
-    // Fix truncation
+    while (bytes[0] === 0) bytes = bytes.subarray(1);
-    if (!truncateOnly) {
+    return bits2int(bytes);
-      let hashS = bytesToNumber0x(hash).toString(16);
+  },
-      if (hashS.length === 63) {
+  bits2int_modN: (bytes: Uint8Array): bigint => {
-        hashS += '0';
+    let hashS = cutils.bytesToNumberBE(bytes).toString(16);
-        hash = hexToBytes0x(hashS);
+    if (hashS.length === 63) {
-      }
+      hashS += '0';
      bytes = hexToBytes0x(hashS);
    }
    // Truncate zero bytes on left (compat with elliptic)
-    while (hash[0] === 0) hash = hash.subarray(1);
+    while (bytes[0] === 0) bytes = bytes.subarray(1);
-    const byteLength = hash.length;
+    return bits2int_modN(bytes);
    const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
    let h = hash.length ? bytesToNumber0x(hash) : 0n;
    if (delta > 0) h = h >> BigInt(delta);
    if (!truncateOnly && h >= CURVE_N) h -= CURVE_N;
    return h;
  },
 });
 // Custom Starknet type conversion functions that can handle 0x and unpadded hex
 function hexToBytes0x(hex: string): Uint8Array {
  if (typeof hex !== 'string') {
-    throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    throw new Error('hexToBytes: expected string, got ' + typeof hex);
  }
  hex = strip0x(hex);
  if (hex.length & 1) hex = '0' + hex; // padding
@@ -74,7 +79,7 @@ function hexToBytes0x(hex: string): Uint8Array {
 }
 function hexToNumber0x(hex: string): bigint {
  if (typeof hex !== 'string') {
-    throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+    throw new Error('hexToNumber: expected string, got ' + typeof hex);
  }
  // Big Endian
  // TODO: strip vs no strip?
@@ -90,16 +95,16 @@ function ensureBytes0x(hex: Hex): Uint8Array {
 }
 function normalizePrivateKey(privKey: Hex) {
-  return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+  return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
-function getPublicKey0x(privKey: Hex, isCompressed?: boolean) {
+function getPublicKey0x(privKey: Hex, isCompressed = false) {
  return starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
 }
 function getSharedSecret0x(privKeyA: Hex, pubKeyB: Hex) {
  return starkCurve.getSharedSecret(normalizePrivateKey(privKeyA), pubKeyB);
 }
-function sign0x(msgHash: Hex, privKey: Hex, opts: any) {
+function sign0x(msgHash: Hex, privKey: Hex, opts?: any) {
  if (typeof privKey === 'string') privKey = strip0x(privKey).padStart(64, '0');
  return starkCurve.sign(ensureBytes0x(msgHash), normalizePrivateKey(privKey), opts);
 }
@@ -108,13 +113,12 @@ function verify0x(signature: Hex, msgHash: Hex, pubKey: Hex) {
  return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
 }
-const { CURVE, Point, JacobianPoint, Signature } = starkCurve;
+const { CURVE, ProjectivePoint, Signature } = starkCurve;
 export const utils = starkCurve.utils;
 export {
  CURVE,
  Point,
  Signature,
-  JacobianPoint,
+  ProjectivePoint,
  getPublicKey0x as getPublicKey,
  getSharedSecret0x as getSharedSecret,
  sign0x as sign,
@@ -134,17 +138,18 @@ type Hex = Uint8Array | string;
 function hashKeyWithIndex(key: Uint8Array, index: number) {
  let indexHex = cutils.numberToHexUnpadded(index);
  if (indexHex.length & 1) indexHex = '0' + indexHex;
-  return bytesToNumber0x(sha256(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+  return sha256Num(cutils.concatBytes(key, hexToBytes0x(indexHex)));
 }
 export function grindKey(seed: Hex) {
  const _seed = ensureBytes0x(seed);
  const sha256mask = 2n ** 256n;
-  const limit = sha256mask - starkCurve.utils.mod(sha256mask, starkCurve.CURVE.n);
+
  const limit = sha256mask - mod(sha256mask, CURVE_N);
  for (let i = 0; ; i++) {
    const key = hashKeyWithIndex(_seed, i);
    // key should be in [0, limit)
-    if (key < limit) return starkCurve.utils.mod(key, starkCurve.CURVE.n).toString(16);
+    if (key < limit) return mod(key, CURVE_N).toString(16);
  }
 }
@@ -166,45 +171,52 @@ export function getAccountPath(
  ethereumAddress: string,
  index: number
 ) {
-  const layerNum = int31(bytesToNumber0x(sha256(layer)));
+  const layerNum = int31(sha256Num(layer));
-  const applicationNum = int31(bytesToNumber0x(sha256(application)));
+  const applicationNum = int31(sha256Num(application));
  const eth = hexToNumber0x(ethereumAddress);
  return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
 }
 // https://docs.starkware.co/starkex/pedersen-hash-function.html
-const PEDERSEN_POINTS = [
+const PEDERSEN_POINTS_AFFINE = [
-  new Point(
+  new ProjectivePoint(
    2089986280348253421170679821480865132823066470938446095505822317253594081284n,
-    1713931329540660377023406109199410414810705867260802078187082345529207694986n
+    1713931329540660377023406109199410414810705867260802078187082345529207694986n,
    1n
  ),
-  new Point(
+  new ProjectivePoint(
    996781205833008774514500082376783249102396023663454813447423147977397232763n,
-    1668503676786377725805489344771023921079126552019160156920634619255970485781n
+    1668503676786377725805489344771023921079126552019160156920634619255970485781n,
    1n
  ),
-  new Point(
+  new ProjectivePoint(
    2251563274489750535117886426533222435294046428347329203627021249169616184184n,
-    1798716007562728905295480679789526322175868328062420237419143593021674992973n
+    1798716007562728905295480679789526322175868328062420237419143593021674992973n,
    1n
  ),
-  new Point(
+  new ProjectivePoint(
    2138414695194151160943305727036575959195309218611738193261179310511854807447n,
-    113410276730064486255102093846540133784865286929052426931474106396135072156n
+    113410276730064486255102093846540133784865286929052426931474106396135072156n,
    1n
  ),
-  new Point(
+  new ProjectivePoint(
    2379962749567351885752724891227938183011949129833673362440656643086021394946n,
-    776496453633298175483985398648758586525933812536653089401905292063708816422n
+    776496453633298175483985398648758586525933812536653089401905292063708816422n,
    1n
  ),
 ];
 // for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
-const PEDERSEN_POINTS_JACOBIAN = PEDERSEN_POINTS.map(JacobianPoint.fromAffine);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE;
-function pedersenPrecompute(p1: JacobianPoint, p2: JacobianPoint): JacobianPoint[] {
+function pedersenPrecompute(p1: ProjectivePoint, p2: ProjectivePoint): ProjectivePoint[] {
-  const out: JacobianPoint[] = [];
+  const out: ProjectivePoint[] = [];
  let p = p1;
  for (let i = 0; i < 248; i++) {
    out.push(p);
    p = p.double();
  }
  // NOTE: we cannot use wNAF here, because last 4 bits will require full 248 bits multiplication
  // We can add support for this to wNAF, but it will complicate wNAF.
  p = p2;
  for (let i = 0; i < 4; i++) {
    out.push(p);
@@ -212,14 +224,8 @@ function pedersenPrecompute(p1: JacobianPoint, p2: JacobianPoint): JacobianPoint
  }
  return out;
 }
-const PEDERSEN_POINTS1 = pedersenPrecompute(
+const PEDERSEN_POINTS1 = pedersenPrecompute(PEDERSEN_POINTS[1], PEDERSEN_POINTS[2]);
-  PEDERSEN_POINTS_JACOBIAN[1],
+const PEDERSEN_POINTS2 = pedersenPrecompute(PEDERSEN_POINTS[3], PEDERSEN_POINTS[4]);
  PEDERSEN_POINTS_JACOBIAN[2]
 );
 const PEDERSEN_POINTS2 = pedersenPrecompute(
  PEDERSEN_POINTS_JACOBIAN[3],
  PEDERSEN_POINTS_JACOBIAN[4]
 );
 type PedersenArg = Hex | bigint | number;
 function pedersenArg(arg: PedersenArg): bigint {
@@ -235,11 +241,11 @@ function pedersenArg(arg: PedersenArg): bigint {
  return value;
 }
-function pedersenSingle(point: JacobianPoint, value: PedersenArg, constants: JacobianPoint[]) {
+function pedersenSingle(point: ProjectivePoint, value: PedersenArg, constants: ProjectivePoint[]) {
  let x = pedersenArg(value);
  for (let j = 0; j < 252; j++) {
    const pt = constants[j];
-    if (pt.x === point.x) throw new Error('Same point');
+    if (pt.px === point.px) throw new Error('Same point');
    if ((x & 1n) !== 0n) point = point.add(pt);
    x >>= 1n;
  }
@@ -248,10 +254,10 @@ function pedersenSingle(point: JacobianPoint, value: PedersenArg, constants: Jac
 // shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
 export function pedersen(x: PedersenArg, y: PedersenArg) {
-  let point: JacobianPoint = PEDERSEN_POINTS_JACOBIAN[0];
+  let point: ProjectivePoint = PEDERSEN_POINTS[0];
  point = pedersenSingle(point, x, PEDERSEN_POINTS1);
  point = pedersenSingle(point, y, PEDERSEN_POINTS2);
-  return bytesToHexEth(point.toAffine().toRawBytes(true).slice(1));
+  return bytesToHexEth(point.toRawBytes(true).slice(1));
 }
 export function hashChain(data: PedersenArg[], fn = pedersen) {
@@ -266,5 +272,85 @@ export function hashChain(data: PedersenArg[], fn = pedersen) {
 export const computeHashOnElements = (data: PedersenArg[], fn = pedersen) =>
  [0, ...data, data.length].reduce((x, y) => fn(x, y));
-const MASK_250 = 2n ** 250n - 1n;
+const MASK_250 = cutils.bitMask(250);
-export const keccak = (data: Uint8Array) => bytesToNumber0x(keccak_256(data)) & MASK_250;
+export const keccak = (data: Uint8Array): bigint => bytesToNumber0x(keccak_256(data)) & MASK_250;
 const sha256Num = (data: Uint8Array | string): bigint => cutils.bytesToNumberBE(sha256(data));
 // Poseidon hash
 export const Fp253 = Fp(
  BigInt('14474011154664525231415395255581126252639794253786371766033694892385558855681')
 ); // 2^253 + 2^199 + 1
 export const Fp251 = Fp(
  BigInt('3618502788666131213697322783095070105623107215331596699973092056135872020481')
 ); // 2^251 + 17 * 2^192 + 1
 function poseidonRoundConstant(Fp: Field<bigint>, name: string, idx: number) {
  const val = Fp.fromBytes(sha256(utf8ToBytes(`${name}${idx}`)));
  return Fp.create(val);
 }
 // NOTE: doesn't check eiginvalues and possible can create unsafe matrix. But any filtration here will break compatibility with starknet
 // Please use only if you really know what you doing.
 // https://eprint.iacr.org/2019/458.pdf Section 2.3 (Avoiding Insecure Matrices)
 export function _poseidonMDS(Fp: Field<bigint>, name: string, m: number, attempt = 0) {
  const x_values: bigint[] = [];
  const y_values: bigint[] = [];
  for (let i = 0; i < m; i++) {
    x_values.push(poseidonRoundConstant(Fp, `${name}x`, attempt * m + i));
    y_values.push(poseidonRoundConstant(Fp, `${name}y`, attempt * m + i));
  }
  if (new Set([...x_values, ...y_values]).size !== 2 * m)
    throw new Error('X and Y values are not distinct');
  return x_values.map((x) => y_values.map((y) => Fp.inv(Fp.sub(x, y))));
 }
 const MDS_SMALL = [
  [3, 1, 1],
  [1, -1, 1],
  [1, 1, -2],
 ].map((i) => i.map(BigInt));
 export type PoseidonOpts = {
  Fp: Field<bigint>;
  rate: number;
  capacity: number;
  roundsFull: number;
  roundsPartial: number;
 };
 export function poseidonBasic(opts: PoseidonOpts, mds: bigint[][]) {
  validateField(opts.Fp);
  if (!Number.isSafeInteger(opts.rate) || !Number.isSafeInteger(opts.capacity))
    throw new Error(`Wrong poseidon opts: ${opts}`);
  const m = opts.rate + opts.capacity;
  const rounds = opts.roundsFull + opts.roundsPartial;
  const roundConstants = [];
  for (let i = 0; i < rounds; i++) {
    const row = [];
    for (let j = 0; j < m; j++) row.push(poseidonRoundConstant(opts.Fp, 'Hades', m * i + j));
    roundConstants.push(row);
  }
  return poseidon.poseidon({
    ...opts,
    t: m,
    sboxPower: 3,
    reversePartialPowIdx: true, // Why?!
    mds,
    roundConstants,
  });
 }
 export function poseidonCreate(opts: PoseidonOpts, mdsAttempt = 0) {
  const m = opts.rate + opts.capacity;
  if (!Number.isSafeInteger(mdsAttempt)) throw new Error(`Wrong mdsAttempt=${mdsAttempt}`);
  return poseidonBasic(opts, _poseidonMDS(opts.Fp, 'HadesMDS', m, mdsAttempt));
 }
 export const poseidonSmall = poseidonBasic(
  { Fp: Fp251, rate: 2, capacity: 1, roundsFull: 8, roundsPartial: 83 },
  MDS_SMALL
 );
 export function poseidonHash(x: bigint, y: bigint, fn = poseidonSmall) {
  return fn([x, y, 2n])[0];
 }
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -1,187 +0,0 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 // We accept hex strings besides Uint8Array for simplicity
 export type Hex = Uint8Array | string;
 // Very few implementations accept numbers, we do it to ease learning curve
 export type PrivKey = Hex | bigint | number;
 export type CHash = {
  (message: Uint8Array | string): Uint8Array;
  blockLen: number;
  outputLen: number;
  create(): any;
 };
 // NOTE: these are generic, even if curve is on some polynominal field (bls), it will still have P/n/h
 // But generator can be different (Fp2/Fp6 for bls?)
 export type BasicCurve<T> = {
  // Field over which we'll do calculations (Fp)
  Fp: mod.Field<T>;
  // Curve order, total count of valid points in the field
  n: bigint;
  // Bit/byte length of curve order
  nBitLength?: number;
  nByteLength?: number;
  // Cofactor
  // NOTE: we can assign default value of 1, but then users will just ignore it, without validating with spec
  // Has not use for now, but nice to have in API
  h: bigint;
  hEff?: bigint; // Number to multiply to clear cofactor
  // Base point (x, y) aka generator point
  Gx: T;
  Gy: T;
  // Wrap private key by curve order (% CURVE.n instead of throwing error)
  wrapPrivateKey?: boolean;
  // Point at infinity is perfectly valid point, but not valid public key.
  // Disabled by default because of compatibility reasons with @noble/secp256k1
  allowInfinityPoint?: boolean;
 };
 export function validateOpts<FP, T>(curve: BasicCurve<FP> & T) {
  mod.validateField(curve.Fp);
  for (const i of ['n', 'h'] as const) {
    if (typeof curve[i] !== 'bigint')
      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
  }
  if (!curve.Fp.isValid(curve.Gx)) throw new Error('Invalid generator X coordinate Fp element');
  if (!curve.Fp.isValid(curve.Gy)) throw new Error('Invalid generator Y coordinate Fp element');
  for (const i of ['nBitLength', 'nByteLength'] as const) {
    if (curve[i] === undefined) continue; // Optional
    if (!Number.isSafeInteger(curve[i]))
      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
  }
  // Set defaults
  return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve } as const);
 }
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 export function bytesToHex(uint8a: Uint8Array): string {
  if (!(uint8a instanceof Uint8Array)) throw new Error('Expected Uint8Array');
  // pre-caching improves the speed 6x
  let hex = '';
  for (let i = 0; i < uint8a.length; i++) {
    hex += hexes[uint8a[i]];
  }
  return hex;
 }
 export function numberToHexUnpadded(num: number | bigint): string {
  const hex = num.toString(16);
  return hex.length & 1 ? `0${hex}` : hex;
 }
 export function hexToNumber(hex: string): bigint {
  if (typeof hex !== 'string') {
    throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
  }
  // Big Endian
  return BigInt(`0x${hex}`);
 }
 // Caching slows it down 2-3x
 export function hexToBytes(hex: string): Uint8Array {
  if (typeof hex !== 'string') {
    throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
  }
  if (hex.length % 2) throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
  const array = new Uint8Array(hex.length / 2);
  for (let i = 0; i < array.length; i++) {
    const j = i * 2;
    const hexByte = hex.slice(j, j + 2);
    const byte = Number.parseInt(hexByte, 16);
    if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
    array[i] = byte;
  }
  return array;
 }
 // Big Endian
 export function bytesToNumberBE(bytes: Uint8Array): bigint {
  return hexToNumber(bytesToHex(bytes));
 }
 export function bytesToNumberLE(uint8a: Uint8Array): bigint {
  if (!(uint8a instanceof Uint8Array)) throw new Error('Expected Uint8Array');
  return BigInt('0x' + bytesToHex(Uint8Array.from(uint8a).reverse()));
 }
 export const numberToBytesBE = (n: bigint, len: number) =>
  hexToBytes(n.toString(16).padStart(len * 2, '0'));
 export const numberToBytesLE = (n: bigint, len: number) => numberToBytesBE(n, len).reverse();
 export function ensureBytes(hex: Hex, expectedLength?: number): Uint8Array {
  // Uint8Array.from() instead of hash.slice() because node.js Buffer
  // is instance of Uint8Array, and its slice() creates **mutable** copy
  const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
  if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
    throw new Error(`Expected ${expectedLength} bytes`);
  return bytes;
 }
 // Copies several Uint8Arrays into one.
 export function concatBytes(...arrays: Uint8Array[]): Uint8Array {
  if (!arrays.every((b) => b instanceof Uint8Array)) throw new Error('Uint8Array list expected');
  if (arrays.length === 1) return arrays[0];
  const length = arrays.reduce((a, arr) => a + arr.length, 0);
  const result = new Uint8Array(length);
  for (let i = 0, pad = 0; i < arrays.length; i++) {
    const arr = arrays[i];
    result.set(arr, pad);
    pad += arr.length;
  }
  return result;
 }
 // CURVE.n lengths
 export function nLength(n: bigint, nBitLength?: number) {
  // Bit size, byte size of CURVE.n
  const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
  const nByteLength = Math.ceil(_nBitLength / 8);
  return { nBitLength: _nBitLength, nByteLength };
 }
 /**
 * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
 * and convert them into private scalar, with the modulo bias being neglible.
 * As per FIPS 186 B.4.1.
 * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
 * @param hash hash output from sha512, or a similar function
 * @returns valid private scalar
 */
 export function hashToPrivateScalar(hash: Hex, CURVE_ORDER: bigint, isLE = false): bigint {
  hash = ensureBytes(hash);
  const orderLen = nLength(CURVE_ORDER).nByteLength;
  const minLen = orderLen + 8;
  if (orderLen < 16 || hash.length < minLen || hash.length > 1024)
    throw new Error('Expected valid bytes of private key as per FIPS 186');
  const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
  return mod.mod(num, CURVE_ORDER - _1n) + _1n;
 }
 export function equalBytes(b1: Uint8Array, b2: Uint8Array) {
  // We don't care about timing attacks here
  if (b1.length !== b2.length) return false;
  for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
  return true;
 }
 // Bit operations
 // Amount of bits inside bigint (Same as n.toString(2).length)
 export function bitLen(n: bigint) {
  let len;
  for (len = 0; n > 0n; n >>= _1n, len += 1);
  return len;
 }
 // Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
 // Same as !!+Array.from(n.toString(2)).reverse()[pos]
 export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & 1n;
 // Sets single bit at position
 export const bitSet = (n: bigint, pos: number, value: boolean) =>
  n | ((value ? _1n : _0n) << BigInt(pos));
 // Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
 // Not using ** operator with bigints for old engines.
 export const bitMask = (n: number) => (_2n << BigInt(n - 1)) - _1n;
--- a/src/weierstrass.ts
+++ b/src/weierstrass.ts
--- a/test/basic.test.js
+++ b/test/basic.test.js
@@ -0,0 +1,658 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should, describe } from 'micro-should';
 import * as fc from 'fast-check';
 import * as mod from '../lib/esm/abstract/modular.js';
 import { bytesToHex as toHex } from '../lib/esm/abstract/utils.js';
 // Generic tests for all curves in package
 import { secp192r1 } from '../lib/esm/p192.js';
 import { secp224r1 } from '../lib/esm/p224.js';
 import { secp256r1 } from '../lib/esm/p256.js';
 import { secp384r1 } from '../lib/esm/p384.js';
 import { secp521r1 } from '../lib/esm/p521.js';
 import { secp256k1 } from '../lib/esm/secp256k1.js';
 import { ed25519, ed25519ctx, ed25519ph } from '../lib/esm/ed25519.js';
 import { ed448, ed448ph } from '../lib/esm/ed448.js';
 import { starkCurve } from '../lib/esm/stark.js';
 import { pallas, vesta } from '../lib/esm/pasta.js';
 import { bn254 } from '../lib/esm/bn.js';
 import { jubjub } from '../lib/esm/jubjub.js';
 import { bls12_381 } from '../lib/esm/bls12-381.js';
 // Fields tests
 const FIELDS = {
  secp192r1: { Fp: [secp192r1.CURVE.Fp] },
  secp224r1: { Fp: [secp224r1.CURVE.Fp] },
  secp256r1: { Fp: [secp256r1.CURVE.Fp] },
  secp521r1: { Fp: [secp521r1.CURVE.Fp] },
  secp256k1: { Fp: [secp256k1.CURVE.Fp] },
  stark: { Fp: [starkCurve.CURVE.Fp] },
  jubjub: { Fp: [jubjub.CURVE.Fp] },
  ed25519: { Fp: [ed25519.CURVE.Fp] },
  ed448: { Fp: [ed448.CURVE.Fp] },
  bn254: { Fp: [bn254.CURVE.Fp] },
  pallas: { Fp: [pallas.CURVE.Fp] },
  vesta: { Fp: [vesta.CURVE.Fp] },
  bls12: {
    Fp: [bls12_381.CURVE.Fp],
    Fp2: [
      bls12_381.CURVE.Fp2,
      fc.array(fc.bigInt(1n, bls12_381.CURVE.Fp.ORDER - 1n), {
        minLength: 2,
        maxLength: 2,
      }),
      (Fp2, num) => Fp2.fromBigTuple([num[0], num[1]]),
    ],
    // Fp6: [bls12_381.CURVE.Fp6],
    Fp12: [
      bls12_381.CURVE.Fp12,
      fc.array(fc.bigInt(1n, bls12_381.CURVE.Fp.ORDER - 1n), {
        minLength: 12,
        maxLength: 12,
      }),
      (Fp12, num) => Fp12.fromBigTwelve(num),
    ],
  },
 };
 for (const c in FIELDS) {
  const curve = FIELDS[c];
  for (const f in curve) {
    const Fp = curve[f][0];
    const name = `${c}/${f}:`;
    const FC_BIGINT = curve[f][1] ? curve[f][1] : fc.bigInt(1n, Fp.ORDER - 1n);
    const create = curve[f][2] ? curve[f][2].bind(null, Fp) : (num) => Fp.create(num);
    describe(name, () => {
      should('equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            const b = create(num);
            deepStrictEqual(Fp.eql(a, b), true);
            deepStrictEqual(Fp.eql(b, a), true);
          })
        );
      });
      should('non-equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, (num1, num2) => {
            const a = create(num1);
            const b = create(num2);
            deepStrictEqual(Fp.eql(a, b), num1 === num2);
            deepStrictEqual(Fp.eql(b, a), num1 === num2);
          })
        );
      });
      should('add/subtract/commutativity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, (num1, num2) => {
            const a = create(num1);
            const b = create(num2);
            deepStrictEqual(Fp.add(a, b), Fp.add(b, a));
          })
        );
      });
      should('add/subtract/associativity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, FC_BIGINT, (num1, num2, num3) => {
            const a = create(num1);
            const b = create(num2);
            const c = create(num3);
            deepStrictEqual(Fp.add(a, Fp.add(b, c)), Fp.add(Fp.add(a, b), c));
          })
        );
      });
      should('add/subtract/x+0=x', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.add(a, Fp.ZERO), a);
          })
        );
      });
      should('add/subtract/x-0=x', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.sub(a, Fp.ZERO), a);
            deepStrictEqual(Fp.sub(a, a), Fp.ZERO);
          })
        );
      });
      should('add/subtract/negate equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num1) => {
            const a = create(num1);
            const b = create(num1);
            deepStrictEqual(Fp.sub(Fp.ZERO, a), Fp.neg(a));
            deepStrictEqual(Fp.sub(a, b), Fp.add(a, Fp.neg(b)));
            deepStrictEqual(Fp.sub(a, b), Fp.add(a, Fp.mul(b, Fp.create(-1n))));
          })
        );
      });
      should('add/subtract/negate', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.neg(a), Fp.sub(Fp.ZERO, a));
            deepStrictEqual(Fp.neg(a), Fp.mul(a, Fp.create(-1n)));
          })
        );
      });
      should('negate(0)', () => {
        deepStrictEqual(Fp.neg(Fp.ZERO), Fp.ZERO);
      });
      should('multiply/commutativity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, (num1, num2) => {
            const a = create(num1);
            const b = create(num2);
            deepStrictEqual(Fp.mul(a, b), Fp.mul(b, a));
          })
        );
      });
      should('multiply/associativity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, FC_BIGINT, (num1, num2, num3) => {
            const a = create(num1);
            const b = create(num2);
            const c = create(num3);
            deepStrictEqual(Fp.mul(a, Fp.mul(b, c)), Fp.mul(Fp.mul(a, b), c));
          })
        );
      });
      should('multiply/distributivity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, FC_BIGINT, (num1, num2, num3) => {
            const a = create(num1);
            const b = create(num2);
            const c = create(num3);
            deepStrictEqual(Fp.mul(a, Fp.add(b, c)), Fp.add(Fp.mul(b, a), Fp.mul(c, a)));
          })
        );
      });
      should('multiply/add equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.mul(a, 0n), Fp.ZERO);
            deepStrictEqual(Fp.mul(a, Fp.ZERO), Fp.ZERO);
            deepStrictEqual(Fp.mul(a, 1n), a);
            deepStrictEqual(Fp.mul(a, Fp.ONE), a);
            deepStrictEqual(Fp.mul(a, 2n), Fp.add(a, a));
            deepStrictEqual(Fp.mul(a, 3n), Fp.add(Fp.add(a, a), a));
            deepStrictEqual(Fp.mul(a, 4n), Fp.add(Fp.add(Fp.add(a, a), a), a));
          })
        );
      });
      should('multiply/square equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.sqr(a), Fp.mul(a, a));
          })
        );
      });
      should('multiply/pow equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.pow(a, 0n), Fp.ONE);
            deepStrictEqual(Fp.pow(a, 1n), a);
            deepStrictEqual(Fp.pow(a, 2n), Fp.mul(a, a));
            deepStrictEqual(Fp.pow(a, 3n), Fp.mul(Fp.mul(a, a), a));
          })
        );
      });
      should('square(0)', () => {
        deepStrictEqual(Fp.sqr(Fp.ZERO), Fp.ZERO);
        deepStrictEqual(Fp.mul(Fp.ZERO, Fp.ZERO), Fp.ZERO);
      });
      should('square(1)', () => {
        deepStrictEqual(Fp.sqr(Fp.ONE), Fp.ONE);
        deepStrictEqual(Fp.mul(Fp.ONE, Fp.ONE), Fp.ONE);
      });
      should('square(-1)', () => {
        const minus1 = Fp.neg(Fp.ONE);
        deepStrictEqual(Fp.sqr(minus1), Fp.ONE);
        deepStrictEqual(Fp.mul(minus1, minus1), Fp.ONE);
      });
      const isSquare = mod.FpIsSquare(Fp);
      // Not implemented
      if (Fp !== bls12_381.CURVE.Fp12) {
        should('multiply/sqrt', () => {
          fc.assert(
            fc.property(FC_BIGINT, (num) => {
              const a = create(num);
              let root;
              try {
                root = Fp.sqrt(a);
              } catch (e) {
                deepStrictEqual(isSquare(a), false);
                return;
              }
              deepStrictEqual(isSquare(a), true);
              deepStrictEqual(Fp.eql(Fp.sqr(root), a), true, 'sqrt(a)^2 == a');
              deepStrictEqual(Fp.eql(Fp.sqr(Fp.neg(root)), a), true, '(-sqrt(a))^2 == a');
            })
          );
        });
        should('sqrt(0)', () => {
          deepStrictEqual(Fp.sqrt(Fp.ZERO), Fp.ZERO);
          const sqrt1 = Fp.sqrt(Fp.ONE);
          deepStrictEqual(
            Fp.eql(sqrt1, Fp.ONE) || Fp.eql(sqrt1, Fp.neg(Fp.ONE)),
            true,
            'sqrt(1) = 1 or -1'
          );
        });
      }
      should('div/division by one equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            if (Fp.eql(a, Fp.ZERO)) return; // No division by zero
            deepStrictEqual(Fp.div(a, Fp.ONE), a);
            deepStrictEqual(Fp.div(a, a), Fp.ONE);
          })
        );
      });
      should('zero division equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, (num) => {
            const a = create(num);
            deepStrictEqual(Fp.div(Fp.ZERO, a), Fp.ZERO);
          })
        );
      });
      should('div/division distributivity', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, FC_BIGINT, (num1, num2, num3) => {
            const a = create(num1);
            const b = create(num2);
            const c = create(num3);
            deepStrictEqual(Fp.div(Fp.add(a, b), c), Fp.add(Fp.div(a, c), Fp.div(b, c)));
          })
        );
      });
      should('div/division and multiplication equality', () => {
        fc.assert(
          fc.property(FC_BIGINT, FC_BIGINT, (num1, num2) => {
            const a = create(num1);
            const b = create(num2);
            deepStrictEqual(Fp.div(a, b), Fp.mul(a, Fp.inv(b)));
          })
        );
      });
    });
  }
 }
 // Group tests
 // prettier-ignore
 const CURVES = {
  secp192r1, secp224r1, secp256r1, secp384r1, secp521r1,
  secp256k1,
  ed25519, ed25519ctx, ed25519ph,
  ed448, ed448ph,
  starkCurve,
  pallas, vesta,
  bn254,
  jubjub,
 };
 const NUM_RUNS = 5;
 const getXY = (p) => ({ x: p.x, y: p.y });
 function equal(a, b, comment) {
  deepStrictEqual(a.equals(b), true, `eq(${comment})`);
  if (a.toAffine && b.toAffine) {
    deepStrictEqual(getXY(a.toAffine()), getXY(b.toAffine()), `eqToAffine(${comment})`);
  } else if (!a.toAffine && !b.toAffine) {
    // Already affine
    deepStrictEqual(getXY(a), getXY(b), `eqAffine(${comment})`);
  } else throw new Error('Different point types');
 }
 for (const name in CURVES) {
  const C = CURVES[name];
  const CURVE_ORDER = C.CURVE.n;
  const FC_BIGINT = fc.bigInt(1n + 1n, CURVE_ORDER - 1n);
  // Check that curve doesn't accept points from other curves
  const O = name === 'secp256k1' ? secp256r1 : secp256k1;
  const POINTS = {};
  const OTHER_POINTS = {};
  for (const name of ['Point', 'ProjectivePoint', 'ExtendedPoint', 'ProjectivePoint']) {
    POINTS[name] = C[name];
    OTHER_POINTS[name] = O[name];
  }
  for (const pointName in POINTS) {
    const p = POINTS[pointName];
    const o = OTHER_POINTS[pointName];
    if (!p) continue;
    const G = [p.ZERO, p.BASE];
    for (let i = 2n; i < 10n; i++) G.push(G[1].multiply(i));
    const title = `${name}/${pointName}`;
    describe(title, () => {
      describe('basic group laws', () => {
        // Here we check basic group laws, to verify that points works as group
        should('zero', () => {
          equal(G[0].double(), G[0], '(0*G).double() = 0');
          equal(G[0].add(G[0]), G[0], '0*G + 0*G = 0');
          equal(G[0].subtract(G[0]), G[0], '0*G - 0*G = 0');
          equal(G[0].negate(), G[0], '-0 = 0');
          for (let i = 0; i < G.length; i++) {
            const p = G[i];
            equal(p, p.add(G[0]), `${i}*G + 0 = ${i}*G`);
            equal(G[0].multiply(BigInt(i + 1)), G[0], `${i + 1}*0 = 0`);
          }
        });
        should('one', () => {
          equal(G[1].double(), G[2], '(1*G).double() = 2*G');
          equal(G[1].subtract(G[1]), G[0], '1*G - 1*G = 0');
          equal(G[1].add(G[1]), G[2], '1*G + 1*G = 2*G');
        });
        should('sanity tests', () => {
          equal(G[2].double(), G[4], '(2*G).double() = 4*G');
          equal(G[2].add(G[2]), G[4], '2*G + 2*G = 4*G');
          equal(G[7].add(G[3].negate()), G[4], '7*G - 3*G = 4*G');
        });
        should('add commutativity', () => {
          equal(G[4].add(G[3]), G[3].add(G[4]), '4*G + 3*G = 3*G + 4*G');
          equal(G[4].add(G[3]), G[3].add(G[2]).add(G[2]), '4*G + 3*G = 3*G + 2*G + 2*G');
        });
        should('double', () => {
          equal(G[3].double(), G[6], '(3*G).double() = 6*G');
        });
        should('multiply', () => {
          equal(G[2].multiply(3n), G[6], '(2*G).multiply(3) = 6*G');
        });
        should('add same-point', () => {
          equal(G[3].add(G[3]), G[6], '3*G + 3*G = 6*G');
        });
        should('add same-point negative', () => {
          equal(G[3].add(G[3].negate()), G[0], '3*G + (- 3*G) = 0*G');
          equal(G[3].subtract(G[3]), G[0], '3*G - 3*G = 0*G');
        });
        should('mul by curve order', () => {
          equal(G[1].multiply(CURVE_ORDER - 1n).add(G[1]), G[0], '(N-1)*G + G = 0');
          equal(G[1].multiply(CURVE_ORDER - 1n).add(G[2]), G[1], '(N-1)*G + 2*G = 1*G');
          equal(G[1].multiply(CURVE_ORDER - 2n).add(G[2]), G[0], '(N-2)*G + 2*G = 0');
          const half = CURVE_ORDER / 2n;
          const carry = CURVE_ORDER % 2n === 1n ? G[1] : G[0];
          equal(G[1].multiply(half).double().add(carry), G[0], '((N/2) * G).double() = 0');
        });
        should('inversion', () => {
          const a = 1234n;
          const b = 5678n;
          const c = a * b;
          equal(G[1].multiply(a).multiply(b), G[1].multiply(c), 'a*b*G = c*G');
          const inv = mod.invert(b, CURVE_ORDER);
          equal(G[1].multiply(c).multiply(inv), G[1].multiply(a), 'c*G * (1/b)*G = a*G');
        });
        should('multiply, rand', () =>
          fc.assert(
            fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
              const c = mod.mod(a + b, CURVE_ORDER);
              if (c === CURVE_ORDER || c < 1n) return;
              const pA = G[1].multiply(a);
              const pB = G[1].multiply(b);
              const pC = G[1].multiply(c);
              equal(pA.add(pB), pB.add(pA), 'pA + pB = pB + pA');
              equal(pA.add(pB), pC, 'pA + pB = pC');
            }),
            { numRuns: NUM_RUNS }
          )
        );
        should('multiply2, rand', () =>
          fc.assert(
            fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
              const c = mod.mod(a * b, CURVE_ORDER);
              const pA = G[1].multiply(a);
              const pB = G[1].multiply(b);
              equal(pA.multiply(b), pB.multiply(a), 'b*pA = a*pB');
              equal(pA.multiply(b), G[1].multiply(c), 'b*pA = c*G');
            }),
            { numRuns: NUM_RUNS }
          )
        );
      });
      for (const op of ['add', 'subtract']) {
        describe(op, () => {
          should('type check', () => {
            throws(() => G[1][op](0), '0');
            throws(() => G[1][op](0n), '0n');
            G[1][op](G[2]);
            throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
            throws(() => G[1][op](-123n), '-123n');
            throws(() => G[1][op](123), '123');
            throws(() => G[1][op](123.456), '123.456');
            throws(() => G[1][op](true), 'true');
            throws(() => G[1][op](false), 'false');
            throws(() => G[1][op](null), 'null');
            throws(() => G[1][op](undefined), 'undefined');
            throws(() => G[1][op]('1'), "'1'");
            throws(() => G[1][op]({ x: 1n, y: 1n }), '{ x: 1n, y: 1n }');
            throws(() => G[1][op]({ x: 1n, y: 1n, z: 1n }), '{ x: 1n, y: 1n, z: 1n }');
            throws(
              () => G[1][op]({ x: 1n, y: 1n, z: 1n, t: 1n }),
              '{ x: 1n, y: 1n, z: 1n, t: 1n }'
            );
            throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
            throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
            throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
            throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
            // if (G[1].toAffine) throws(() => G[1][op](C.Point.BASE), `Point ${op} ${pointName}`);
            throws(() => G[1][op](o.BASE), `${op}/other curve point`);
          });
        });
      }
      should('equals type check', () => {
        throws(() => G[1].equals(0), '0');
        throws(() => G[1].equals(0n), '0n');
        deepStrictEqual(G[1].equals(G[2]), false, '1*G != 2*G');
        deepStrictEqual(G[1].equals(G[1]), true, '1*G == 1*G');
        deepStrictEqual(G[2].equals(G[2]), true, '2*G == 2*G');
        throws(() => G[1].equals(CURVE_ORDER), 'CURVE_ORDER');
        throws(() => G[1].equals(123.456), '123.456');
        throws(() => G[1].equals(true), 'true');
        throws(() => G[1].equals('1'), "'1'");
        throws(() => G[1].equals({ x: 1n, y: 1n, z: 1n, t: 1n }), '{ x: 1n, y: 1n, z: 1n, t: 1n }');
        throws(() => G[1].equals(new Uint8Array([])), 'ui8a([])');
        throws(() => G[1].equals(new Uint8Array([0])), 'ui8a([0])');
        throws(() => G[1].equals(new Uint8Array([1])), 'ui8a([1])');
        throws(() => G[1].equals(new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
        // if (G[1].toAffine) throws(() => G[1].equals(C.Point.BASE), 'Point.equals(${pointName})');
        throws(() => G[1].equals(o.BASE), 'other curve point');
      });
      for (const op of ['multiply', 'multiplyUnsafe']) {
        if (!p.BASE[op]) continue;
        describe(op, () => {
          should('type check', () => {
            if (op !== 'multiplyUnsafe') {
              throws(() => G[1][op](0), '0');
              throws(() => G[1][op](0n), '0n');
            }
            G[1][op](1n);
            G[1][op](CURVE_ORDER - 1n);
            throws(() => G[1][op](G[2]), 'G[2]');
            throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
            throws(() => G[1][op](CURVE_ORDER + 1n), 'CURVE_ORDER+1');
            throws(() => G[1][op](123.456), '123.456');
            throws(() => G[1][op](true), 'true');
            throws(() => G[1][op]('1'), '1');
            throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
            throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
            throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
            throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
            throws(() => G[1][op](o.BASE), 'other curve point');
          });
        });
      }
      // Complex point (Extended/Jacobian/Projective?)
      // if (p.BASE.toAffine && C.Point) {
      //   should('toAffine()', () => {
      //     equal(p.ZERO.toAffine(), C.Point.ZERO, '0 = 0');
      //     equal(p.BASE.toAffine(), C.Point.BASE, '1 = 1');
      //   });
      // }
      // if (p.fromAffine && C.Point) {
      //   should('fromAffine()', () => {
      //     equal(p.ZERO, p.fromAffine(C.Point.ZERO), '0 = 0');
      //     equal(p.BASE, p.fromAffine(C.Point.BASE), '1 = 1');
      //   });
      // }
      // toHex/fromHex (if available)
      if (p.fromHex && p.BASE.toHex) {
        should('fromHex(toHex()) roundtrip', () => {
          fc.assert(
            fc.property(FC_BIGINT, (x) => {
              const hex = p.BASE.multiply(x).toHex();
              deepStrictEqual(p.fromHex(hex).toHex(), hex);
            })
          );
        });
      }
    });
  }
  describe(name, () => {
    // Generic complex things (getPublicKey/sign/verify/getSharedSecret)
    should('.getPublicKey() type check', () => {
      throws(() => C.getPublicKey(0), '0');
      throws(() => C.getPublicKey(0n), '0n');
      throws(() => C.getPublicKey(-123n), '-123n');
      throws(() => C.getPublicKey(123), '123');
      throws(() => C.getPublicKey(123.456), '123.456');
      throws(() => C.getPublicKey(true), 'true');
      throws(() => C.getPublicKey(false), 'false');
      throws(() => C.getPublicKey(null), 'null');
      throws(() => C.getPublicKey(undefined), 'undefined');
      throws(() => C.getPublicKey(''), "''");
      // NOTE: passes because of disabled hex padding checks for starknet, maybe enable?
      // throws(() => C.getPublicKey('1'), "'1'");
      throws(() => C.getPublicKey('key'), "'key'");
      throws(() => C.getPublicKey({}));
      throws(() => C.getPublicKey(new Uint8Array([])));
      throws(() => C.getPublicKey(new Uint8Array([0])));
      throws(() => C.getPublicKey(new Uint8Array([1])));
      throws(() => C.getPublicKey(new Uint8Array(4096).fill(1)));
      throws(() => C.getPublicKey(Array(32).fill(1)));
    });
    should('.verify() should verify random signatures', () =>
      fc.assert(
        fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
          const priv = C.utils.randomPrivateKey();
          const pub = C.getPublicKey(priv);
          const sig = C.sign(msg, priv);
          deepStrictEqual(
            C.verify(sig, msg, pub),
            true,
            'priv=${toHex(priv)},pub=${toHex(pub)},msg=${msg}'
          );
        }),
        { numRuns: NUM_RUNS }
      )
    );
    should('.sign() edge cases', () => {
      throws(() => C.sign());
      throws(() => C.sign(''));
      throws(() => C.sign('', ''));
      throws(() => C.sign(new Uint8Array(), new Uint8Array()));
    });
    describe('verify()', () => {
      const msg = '01'.repeat(32);
      should('true for proper signatures', () => {
        const priv = C.utils.randomPrivateKey();
        const sig = C.sign(msg, priv);
        const pub = C.getPublicKey(priv);
        deepStrictEqual(C.verify(sig, msg, pub), true);
      });
      should('false for wrong messages', () => {
        const priv = C.utils.randomPrivateKey();
        const sig = C.sign(msg, priv);
        const pub = C.getPublicKey(priv);
        deepStrictEqual(C.verify(sig, '11'.repeat(32), pub), false);
      });
      should('false for wrong keys', () => {
        const priv = C.utils.randomPrivateKey();
        const sig = C.sign(msg, priv);
        deepStrictEqual(C.verify(sig, msg, C.getPublicKey(C.utils.randomPrivateKey())), false);
      });
    });
    // NOTE: fails for ed, because of empty message. Since we convert it to scalar,
    // need to check what other implementations do. Empty message != new Uint8Array([0]), but what scalar should be in that case?
    // should('should not verify signature with wrong message', () => {
    //   fc.assert(
    //     fc.property(
    //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
    //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
    //       (bytes, wrongBytes) => {
    //         const privKey = C.utils.randomPrivateKey();
    //         const message = new Uint8Array(bytes);
    //         const wrongMessage = new Uint8Array(wrongBytes);
    //         const publicKey = C.getPublicKey(privKey);
    //         const signature = C.sign(message, privKey);
    //         deepStrictEqual(
    //           C.verify(signature, wrongMessage, publicKey),
    //           bytes.toString() === wrongBytes.toString()
    //         );
    //       }
    //     ),
    //     { numRuns: NUM_RUNS }
    //   );
    // });
    if (C.getSharedSecret) {
      should('getSharedSecret() should be commutative', () => {
        for (let i = 0; i < NUM_RUNS; i++) {
          const asec = C.utils.randomPrivateKey();
          const apub = C.getPublicKey(asec);
          const bsec = C.utils.randomPrivateKey();
          const bpub = C.getPublicKey(bsec);
          try {
            deepStrictEqual(C.getSharedSecret(asec, bpub), C.getSharedSecret(bsec, apub));
          } catch (error) {
            console.error('not commutative', { asec, apub, bsec, bpub });
            throw error;
          }
        }
      });
    }
  });
 }
 should('secp224k1 sqrt bug', () => {
  const { Fp } = secp224r1.CURVE;
  const sqrtMinus1 = Fp.sqrt(-1n);
  // Verified against sage
  deepStrictEqual(
    sqrtMinus1,
    23621584063597419797792593680131996961517196803742576047493035507225n
  );
  deepStrictEqual(
    Fp.neg(sqrtMinus1),
    3338362603553219996874421406887633712040719456283732096017030791656n
  );
  deepStrictEqual(Fp.sqr(sqrtMinus1), Fp.create(-1n));
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/test/bls12-381.test.js
+++ b/test/bls12-381.test.js
--- a/curve-definitions/test/bls12-381/bls12-381-g2-test-vectors.txt
+++ b/curve-definitions/test/bls12-381/bls12-381-g2-test-vectors.txt
--- a/curve-definitions/test/bls12-381/bls12-381-scalar-test-vectors.txt
+++ b/curve-definitions/test/bls12-381/bls12-381-scalar-test-vectors.txt
--- a/curve-definitions/test/bls12-381/go_pairing_vectors/go.mod
+++ b/curve-definitions/test/bls12-381/go_pairing_vectors/go.mod
--- a/curve-definitions/test/bls12-381/go_pairing_vectors/go.sum
+++ b/curve-definitions/test/bls12-381/go_pairing_vectors/go.sum
--- a/curve-definitions/test/bls12-381/go_pairing_vectors/pairing.json
+++ b/curve-definitions/test/bls12-381/go_pairing_vectors/pairing.json
--- a/curve-definitions/test/bls12-381/go_pairing_vectors/t.go
+++ b/curve-definitions/test/bls12-381/go_pairing_vectors/t.go
--- a/curve-definitions/test/bls12-381/zkcrypto/convert.js
+++ b/curve-definitions/test/bls12-381/zkcrypto/convert.js
--- a/curve-definitions/test/bls12-381/zkcrypto/converted.json
+++ b/curve-definitions/test/bls12-381/zkcrypto/converted.json
--- a/curve-definitions/test/bls12-381/zkcrypto/g1_compressed_valid_test_vectors.dat
+++ b/curve-definitions/test/bls12-381/zkcrypto/g1_compressed_valid_test_vectors.dat
--- a/curve-definitions/test/bls12-381/zkcrypto/g1_uncompressed_valid_test_vectors.dat
+++ b/curve-definitions/test/bls12-381/zkcrypto/g1_uncompressed_valid_test_vectors.dat
--- a/curve-definitions/test/bls12-381/zkcrypto/g2_compressed_valid_test_vectors.dat
+++ b/curve-definitions/test/bls12-381/zkcrypto/g2_compressed_valid_test_vectors.dat
--- a/curve-definitions/test/bls12-381/zkcrypto/g2_uncompressed_valid_test_vectors.dat
+++ b/curve-definitions/test/bls12-381/zkcrypto/g2_uncompressed_valid_test_vectors.dat
--- a/test/ed25519.test.js
+++ b/test/ed25519.test.js
@@ -0,0 +1,663 @@
 import { deepEqual, deepStrictEqual, strictEqual, throws } from 'assert';
 import { describe, should } from 'micro-should';
 import * as fc from 'fast-check';
 import {
  ed25519,
  ed25519ctx,
  ed25519ph,
  x25519,
  RistrettoPoint,
  ED25519_TORSION_SUBGROUP,
 } from '../lib/esm/ed25519.js';
 import { readFileSync } from 'fs';
 import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
 import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
 import { sha512 } from '@noble/hashes/sha512';
 import { default as ed25519vectors } from './wycheproof/eddsa_test.json' assert { type: 'json' };
 import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };
 describe('ed25519', () => {
  const ed = ed25519;
  const hex = bytesToHex;
  const Point = ed.ExtendedPoint;
  function to32Bytes(numOrStr) {
    let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
    return hexToBytes(hex.padStart(64, '0'));
  }
  function utf8ToBytes(str) {
    if (typeof str !== 'string') {
      throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
    }
    return new TextEncoder().encode(str);
  }
  ed.utils.precompute(8);
  should('not accept >32byte private keys', () => {
    const invalidPriv =
      100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
    throws(() => ed.getPublicKey(invalidPriv));
  });
  should('verify recent signature', () => {
    fc.assert(
      fc.property(
        fc.hexaString({ minLength: 2, maxLength: 32 }),
        fc.bigInt(2n, ed.CURVE.n),
        (message, privateKey) => {
          const publicKey = ed.getPublicKey(to32Bytes(privateKey));
          const signature = ed.sign(to32Bytes(message), to32Bytes(privateKey));
          deepStrictEqual(publicKey.length, 32);
          deepStrictEqual(signature.length, 64);
          deepStrictEqual(ed.verify(signature, to32Bytes(message), publicKey), true);
        }
      ),
      { numRuns: 5 }
    );
  });
  should('not verify signature with wrong message', () => {
    fc.assert(
      fc.property(
        fc.array(fc.integer({ min: 0x00, max: 0xff })),
        fc.array(fc.integer({ min: 0x00, max: 0xff })),
        fc.bigInt(1n, ed.CURVE.n),
        (bytes, wrongBytes, privateKey) => {
          const privKey = to32Bytes(privateKey);
          const message = new Uint8Array(bytes);
          const wrongMessage = new Uint8Array(wrongBytes);
          const publicKey = ed.getPublicKey(privKey);
          const signature = ed.sign(message, privKey);
          deepStrictEqual(
            ed.verify(signature, wrongMessage, publicKey),
            bytes.toString() === wrongBytes.toString()
          );
        }
      ),
      { numRuns: 5 }
    );
  });
  const privKey = to32Bytes('a665a45920422f9d417e4867ef');
  const wrongPriv = to32Bytes('a675a45920422f9d417e4867ef');
  const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
  const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
  describe('basic methods', () => {
    should('sign and verify', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), true);
    });
  });
  describe('sync methods', () => {
    should('sign and verify', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), true);
    });
    should('not verify signature with wrong public key', () => {
      const publicKey = ed.getPublicKey(wrongPriv);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), false);
    });
    should('not verify signature with wrong hash', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
    });
  });
  describe('BASE_POINT.multiply()', () => {
    // https://xmr.llcoins.net/addresstests.html
    should('create right publicKey without SHA-512 hashing TEST 1', () => {
      const publicKey =
        Point.BASE.multiply(0x90af56259a4b6bfbc4337980d5d75fbe3c074630368ff3804d33028e5dbfa77n);
      deepStrictEqual(
        publicKey.toHex(),
        '0f3b913371411b27e646b537e888f685bf929ea7aab93c950ed84433f064480d'
      );
    });
    should('create right publicKey without SHA-512 hashing TEST 2', () => {
      const publicKey =
        Point.BASE.multiply(0x364e8711a60780382a5d57b061c126f039940f28a9e91fe039d4d3094d8b88n);
      deepStrictEqual(
        publicKey.toHex(),
        'ad545340b58610f0cd62f17d55af1ab11ecde9c084d5476865ddb4dbda015349'
      );
    });
    should('create right publicKey without SHA-512 hashing TEST 3', () => {
      const publicKey =
        Point.BASE.multiply(0xb9bf90ff3abec042752cac3a07a62f0c16cfb9d32a3fc2305d676ec2d86e941n);
      deepStrictEqual(
        publicKey.toHex(),
        'e097c4415fe85724d522b2e449e8fd78dd40d20097bdc9ae36fe8ec6fe12cb8c'
      );
    });
    should('create right publicKey without SHA-512 hashing TEST 4', () => {
      const publicKey =
        Point.BASE.multiply(0x69d896f02d79524c9878e080308180e2859d07f9f54454e0800e8db0847a46en);
      deepStrictEqual(
        publicKey.toHex(),
        'f12cb7c43b59971395926f278ce7c2eaded9444fbce62ca717564cb508a0db1d'
      );
    });
    should('throw Point#multiply on TEST 5', () => {
      for (const num of [0n, 0, -1n, -1, 1.1]) {
        throws(() => Point.BASE.multiply(num));
      }
    });
  });
  // https://ed25519.cr.yp.to/python/sign.py
  // https://ed25519.cr.yp.to/python/sign.input
  const data = readFileSync('./test/ed25519/vectors.txt', 'utf-8');
  const vectors = data
    .trim()
    .split('\n')
    .map((line) => line.split(':'));
  should('ed25519 official vectors/should match 1024 official vectors', () => {
    for (let i = 0; i < vectors.length; i++) {
      const vector = vectors[i];
      // Extract.
      const priv = vector[0].slice(0, 64);
      const expectedPub = vector[1];
      const msg = vector[2];
      const expectedSignature = vector[3].slice(0, 128);
      // Calculate
      const pub = ed.getPublicKey(to32Bytes(priv));
      deepStrictEqual(hex(pub), expectedPub);
      deepStrictEqual(pub, Point.fromHex(pub).toRawBytes());
      const signature = hex(ed.sign(msg, priv));
      // console.log('vector', i);
      // expect(pub).toBe(expectedPub);
      deepStrictEqual(signature, expectedSignature);
    }
  });
  // https://tools.ietf.org/html/rfc8032#section-7
  should('rfc8032 vectors/should create right signature for 0x9d and empty string', () => {
    const privateKey = '9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60';
    const publicKey = ed.getPublicKey(privateKey);
    const message = '';
    const signature = ed.sign(message, privateKey);
    deepStrictEqual(
      hex(publicKey),
      'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a'
    );
    deepStrictEqual(
      hex(signature),
      'e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b'
    );
  });
  should('rfc8032 vectors/should create right signature for 0x4c and 72', () => {
    const privateKey = '4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb';
    const publicKey = ed.getPublicKey(privateKey);
    const message = '72';
    const signature = ed.sign(message, privateKey);
    deepStrictEqual(
      hex(publicKey),
      '3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c'
    );
    deepStrictEqual(
      hex(signature),
      '92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00'
    );
  });
  should('rfc8032 vectors/should create right signature for 0x00 and 5a', () => {
    const privateKey = '002fdd1f7641793ab064bb7aa848f762e7ec6e332ffc26eeacda141ae33b1783';
    const publicKey = ed.getPublicKey(privateKey);
    const message =
      '5ac1dfc324f43e6cb79a87ab0470fa857b51fb944982e19074ca44b1e40082c1d07b92efa7ea55ad42b7c027e0b9e33756d95a2c1796a7c2066811dc41858377d4b835c1688d638884cd2ad8970b74c1a54aadd27064163928a77988b24403aa85af82ceab6b728e554761af7175aeb99215b7421e4474c04d213e01ff03e3529b11077cdf28964b8c49c5649e3a46fa0a09dcd59dcad58b9b922a83210acd5e65065531400234f5e40cddcf9804968e3e9ac6f5c44af65001e158067fc3a660502d13fa8874fa93332138d9606bc41b4cee7edc39d753dae12a873941bb357f7e92a4498847d6605456cb8c0b425a47d7d3ca37e54e903a41e6450a35ebe5237c6f0c1bbbc1fd71fb7cd893d189850295c199b7d88af26bc8548975fda1099ffefee42a52f3428ddff35e0173d3339562507ac5d2c45bbd2c19cfe89b';
    const signature = ed.sign(message, privateKey);
    deepStrictEqual(
      hex(publicKey),
      '77d1d8ebacd13f4e2f8a40e28c4a63bc9ce3bfb69716334bcb28a33eb134086c'
    );
    deepStrictEqual(
      hex(signature),
      '0df3aa0d0999ad3dc580378f52d152700d5b3b057f56a66f92112e441e1cb9123c66f18712c87efe22d2573777296241216904d7cdd7d5ea433928bd2872fa0c'
    );
  });
  should('rfc8032 vectors/should create right signature for 0xf5 and long msg', () => {
    const privateKey = 'f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5';
    const publicKey = ed.getPublicKey(privateKey);
    const message =
      '08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0';
    const signature = ed.sign(message, privateKey);
    deepStrictEqual(
      hex(publicKey),
      '278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e'
    );
    deepStrictEqual(
      hex(signature),
      '0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03'
    );
  });
  // const PRIVATE_KEY = 0xa665a45920422f9d417e4867efn;
  // const MESSAGE = ripemd160(new Uint8Array([97, 98, 99, 100, 101, 102, 103]));
  // prettier-ignore
  // const MESSAGE = new Uint8Array([
  //   135, 79, 153, 96, 197, 210, 183, 169, 181, 250, 211, 131, 225, 186, 68, 113, 158, 187, 116, 58,
  // ]);
  // const WRONG_MESSAGE = ripemd160(new Uint8Array([98, 99, 100, 101, 102, 103]));
  // prettier-ignore
  // const WRONG_MESSAGE = new Uint8Array([
  //   88, 157, 140, 127, 29, 160, 162, 75, 192, 123, 115, 129, 173, 72, 177, 207, 194, 17, 175, 28,
  // ]);
  // // it("should verify just signed message", async () => {
  // //   await fc.assert(fc.asyncProperty(
  // //     fc.hexa(),
  // //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
  // //     async (message, privateKey) => {
  // //       const publicKey = await ristretto25519.getPublicKey(privateKey);
  // //       const signature = await ristretto25519.sign(message, privateKey);
  // //       expect(publicKey.length).toBe(32);
  // //       expect(signature.length).toBe(64);
  // //       expect(await ristretto25519.verify(signature, message, publicKey)).toBe(true);
  // //     }),
  // //    { numRuns: 1 }
  // //   );
  // // });
  // // it("should not verify sign with wrong message", async () => {
  // //   await fc.assert(fc.asyncProperty(
  // //     fc.array(fc.integer(0x00, 0xff)),
  // //     fc.array(fc.integer(0x00, 0xff)),
  // //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
  // //     async (bytes, wrongBytes, privateKey) => {
  // //       const message = new Uint8Array(bytes);
  // //       const wrongMessage = new Uint8Array(wrongBytes);
  // //       const publicKey = await ristretto25519.getPublicKey(privateKey);
  // //       const signature = await ristretto25519.sign(message, privateKey);
  // //       expect(await ristretto25519.verify(signature, wrongMessage, publicKey)).toBe(
  // //         bytes.toString() === wrongBytes.toString()
  // //       );
  // //     }),
  // //    { numRuns: 1 }
  // //   );
  // // });
  // // it("should sign and verify", async () => {
  // //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
  // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
  // //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(true);
  // // });
  // // it("should not verify signature with wrong public key", async () => {
  // //   const publicKey = await ristretto25519.getPublicKey(12);
  // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
  // //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(false);
  // // });
  // // it("should not verify signature with wrong hash", async () => {
  // //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
  // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
  // //   expect(await ristretto25519.verify(signature, WRONG_MESSAGE, publicKey)).toBe(false);
  // // });
  should('ristretto255/should follow the byte encodings of small multiples', () => {
    const encodingsOfSmallMultiples = [
      // This is the identity point
      '0000000000000000000000000000000000000000000000000000000000000000',
      // This is the basepoint
      'e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76',
      // These are small multiples of the basepoint
      '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919',
      '94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259',
      'da80862773358b466ffadfe0b3293ab3d9fd53c5ea6c955358f568322daf6a57',
      'e882b131016b52c1d3337080187cf768423efccbb517bb495ab812c4160ff44e',
      'f64746d3c92b13050ed8d80236a7f0007c3b3f962f5ba793d19a601ebb1df403',
      '44f53520926ec81fbd5a387845beb7df85a96a24ece18738bdcfa6a7822a176d',
      '903293d8f2287ebe10e2374dc1a53e0bc887e592699f02d077d5263cdd55601c',
      '02622ace8f7303a31cafc63f8fc48fdc16e1c8c8d234b2f0d6685282a9076031',
      '20706fd788b2720a1ed2a5dad4952b01f413bcf0e7564de8cdc816689e2db95f',
      'bce83f8ba5dd2fa572864c24ba1810f9522bc6004afe95877ac73241cafdab42',
      'e4549ee16b9aa03099ca208c67adafcafa4c3f3e4e5303de6026e3ca8ff84460',
      'aa52e000df2e16f55fb1032fc33bc42742dad6bd5a8fc0be0167436c5948501f',
      '46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e',
      'e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e',
    ];
    let B = RistrettoPoint.BASE;
    let P = RistrettoPoint.ZERO;
    for (const encoded of encodingsOfSmallMultiples) {
      deepStrictEqual(P.toHex(), encoded);
      deepStrictEqual(RistrettoPoint.fromHex(encoded).toHex(), encoded);
      P = P.add(B);
    }
  });
  should('ristretto255/should not convert bad bytes encoding', () => {
    const badEncodings = [
      // These are all bad because they're non-canonical field encodings.
      '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
      'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
      'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
      'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
      // These are all bad because they're negative field elements.
      '0100000000000000000000000000000000000000000000000000000000000000',
      '01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
      'ed57ffd8c914fb201471d1c3d245ce3c746fcbe63a3679d51b6a516ebebe0e20',
      'c34c4e1826e5d403b78e246e88aa051c36ccf0aafebffe137d148a2bf9104562',
      'c940e5a4404157cfb1628b108db051a8d439e1a421394ec4ebccb9ec92a8ac78',
      '47cfc5497c53dc8e61c91d17fd626ffb1c49e2bca94eed052281b510b1117a24',
      'f1c6165d33367351b0da8f6e4511010c68174a03b6581212c71c0e1d026c3c72',
      '87260f7a2f12495118360f02c26a470f450dadf34a413d21042b43b9d93e1309',
      // These are all bad because they give a nonsquare x².
      '26948d35ca62e643e26a83177332e6b6afeb9d08e4268b650f1f5bbd8d81d371',
      '4eac077a713c57b4f4397629a4145982c661f48044dd3f96427d40b147d9742f',
      'de6a7b00deadc788eb6b6c8d20c0ae96c2f2019078fa604fee5b87d6e989ad7b',
      'bcab477be20861e01e4a0e295284146a510150d9817763caf1a6f4b422d67042',
      '2a292df7e32cababbd9de088d1d1abec9fc0440f637ed2fba145094dc14bea08',
      'f4a9e534fc0d216c44b218fa0c42d99635a0127ee2e53c712f70609649fdff22',
      '8268436f8c4126196cf64b3c7ddbda90746a378625f9813dd9b8457077256731',
      '2810e5cbc2cc4d4eece54f61c6f69758e289aa7ab440b3cbeaa21995c2f4232b',
      // These are all bad because they give a negative xy value.
      '3eb858e78f5a7254d8c9731174a94f76755fd3941c0ac93735c07ba14579630e',
      'a45fdc55c76448c049a1ab33f17023edfb2be3581e9c7aade8a6125215e04220',
      'd483fe813c6ba647ebbfd3ec41adca1c6130c2beeee9d9bf065c8d151c5f396e',
      '8a2e1d30050198c65a54483123960ccc38aef6848e1ec8f5f780e8523769ba32',
      '32888462f8b486c68ad7dd9610be5192bbeaf3b443951ac1a8118419d9fa097b',
      '227142501b9d4355ccba290404bde41575b037693cef1f438c47f8fbf35d1165',
      '5c37cc491da847cfeb9281d407efc41e15144c876e0170b499a96a22ed31e01e',
      '445425117cb8c90edcbc7c1cc0e74f747f2c1efa5630a967c64f287792a48a4b',
      // This is s = -1, which causes y = 0.
      'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
    ];
    for (const badBytes of badEncodings) {
      const b = hexToBytes(badBytes);
      throws(() => RistrettoPoint.fromHex(b), badBytes);
    }
  });
  should('ristretto255/should create right points from uniform hash', () => {
    const labels = [
      'Ristretto is traditionally a short shot of espresso coffee',
      'made with the normal amount of ground coffee but extracted with',
      'about half the amount of water in the same amount of time',
      'by using a finer grind.',
      'This produces a concentrated shot of coffee per volume.',
      'Just pulling a normal shot short will produce a weaker shot',
      'and is not a Ristretto as some believe.',
    ];
    const encodedHashToPoints = [
      '3066f82a1a747d45120d1740f14358531a8f04bbffe6a819f86dfe50f44a0a46',
      'f26e5b6f7d362d2d2a94c5d0e7602cb4773c95a2e5c31a64f133189fa76ed61b',
      '006ccd2a9e6867e6a2c5cea83d3302cc9de128dd2a9a57dd8ee7b9d7ffe02826',
      'f8f0c87cf237953c5890aec3998169005dae3eca1fbb04548c635953c817f92a',
      'ae81e7dedf20a497e10c304a765c1767a42d6e06029758d2d7e8ef7cc4c41179',
      'e2705652ff9f5e44d3e841bf1c251cf7dddb77d140870d1ab2ed64f1a9ce8628',
      '80bd07262511cdde4863f8a7434cef696750681cb9510eea557088f76d9e5065',
    ];
    for (let i = 0; i < labels.length; i++) {
      const hash = sha512(utf8ToBytes(labels[i]));
      const point = RistrettoPoint.hashToCurve(hash);
      deepStrictEqual(point.toHex(), encodedHashToPoints[i]);
    }
  });
  should('input immutability: sign/verify are immutable', () => {
    const privateKey = ed.utils.randomPrivateKey();
    const publicKey = ed.getPublicKey(privateKey);
    for (let i = 0; i < 100; i++) {
      let payload = randomBytes(100);
      let signature = ed.sign(payload, privateKey);
      if (!ed.verify(signature, payload, publicKey)) {
        throw new Error('Signature verification failed');
      }
      const signatureCopy = Buffer.alloc(signature.byteLength);
      signatureCopy.set(signature, 0); // <-- breaks
      payload = payload.slice();
      signature = signature.slice();
      if (!ed.verify(signatureCopy, payload, publicKey))
        throw new Error('Copied signature verification failed');
    }
  });
  // https://zips.z.cash/zip-0215
  // Vectors from https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7
  should('ZIP-215 compliance tests/should pass all of them', () => {
    const str = utf8ToBytes('Zcash');
    for (let v of zip215) {
      let noble = false;
      try {
        noble = ed.verify(v.sig_bytes, str, v.vk_bytes);
      } catch (e) {
        noble = false;
      }
      deepStrictEqual(noble, v.valid_zip215, JSON.stringify(v));
    }
  });
  should('ZIP-215 compliance tests/disallows sig.s >= CURVE.n', () => {
    // sig.R = BASE, sig.s = N+1
    const sig =
      '5866666666666666666666666666666666666666666666666666666666666666eed3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010';
    throws(() => ed.verify(sig, 'deadbeef', Point.BASE));
  });
  const rfc7748Mul = [
    {
      scalar: 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4',
      u: 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c',
      outputU: 'c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552',
    },
    {
      scalar: '4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d',
      u: 'e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493',
      outputU: '95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957',
    },
  ];
  for (let i = 0; i < rfc7748Mul.length; i++) {
    const v = rfc7748Mul[i];
    should(`RFC7748: scalarMult (${i})`, () => {
      deepStrictEqual(hex(x25519.scalarMult(v.scalar, v.u)), v.outputU);
    });
  }
  const rfc7748Iter = [
    { scalar: '422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079', iters: 1 },
    { scalar: '684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51', iters: 1000 },
    // { scalar: '7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424', iters: 1000000 },
  ];
  for (let i = 0; i < rfc7748Iter.length; i++) {
    const { scalar, iters } = rfc7748Iter[i];
    should(`RFC7748: scalarMult iteration (${i})`, () => {
      let k = x25519.Gu;
      for (let i = 0, u = k; i < iters; i++) [k, u] = [x25519.scalarMult(k, u), k];
      deepStrictEqual(hex(k), scalar);
    });
  }
  should('RFC7748 getSharedKey', () => {
    const alicePrivate = '77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a';
    const alicePublic = '8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a';
    const bobPrivate = '5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb';
    const bobPublic = 'de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f';
    const shared = '4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742';
    deepStrictEqual(alicePublic, hex(x25519.getPublicKey(alicePrivate)));
    deepStrictEqual(bobPublic, hex(x25519.getPublicKey(bobPrivate)));
    deepStrictEqual(hex(x25519.scalarMult(alicePrivate, bobPublic)), shared);
    deepStrictEqual(hex(x25519.scalarMult(bobPrivate, alicePublic)), shared);
  });
  // should('X25519/getSharedSecret() should be commutative', () => {
  //   for (let i = 0; i < 512; i++) {
  //     const asec = ed.utils.randomPrivateKey();
  //     const apub = ed.getPublicKey(asec);
  //     const bsec = ed.utils.randomPrivateKey();
  //     const bpub = ed.getPublicKey(bsec);
  //     try {
  //       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
  //     } catch (error) {
  //       console.error('not commutative', { asec, apub, bsec, bpub });
  //       throw error;
  //     }
  //   }
  // });
  // should('X25519: should convert base point to montgomery using fromPoint', () => {
  //   deepStrictEqual(
  //     hex(ed.montgomeryCurve.UfromPoint(Point.BASE)),
  //     ed.montgomeryCurve.BASE_POINT_U
  //   );
  // });
  {
    const group = x25519vectors.testGroups[0];
    should(`Wycheproof/X25519`, () => {
      for (let i = 0; i < group.tests.length; i++) {
        const v = group.tests[i];
        const comment = `(${i}, ${v.result}) ${v.comment}`;
        if (v.result === 'valid' || v.result === 'acceptable') {
          try {
            const shared = hex(x25519.scalarMult(v.private, v.public));
            deepStrictEqual(shared, v.shared, comment);
          } catch (e) {
            // We are more strict
            if (e.message.includes('Expected valid scalar')) return;
            if (e.message.includes('Invalid private or public key received')) return;
            throw e;
          }
        } else if (v.result === 'invalid') {
          let failed = false;
          try {
            x25519.scalarMult(v.private, v.public);
          } catch (error) {
            failed = true;
          }
          deepStrictEqual(failed, true, comment);
        } else throw new Error('unknown test result');
      }
    });
  }
  should(`Wycheproof/ED25519`, () => {
    for (let g = 0; g < ed25519vectors.testGroups.length; g++) {
      const group = ed25519vectors.testGroups[g];
      const key = group.key;
      deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk, `(${g}, public)`);
      for (let i = 0; i < group.tests.length; i++) {
        const v = group.tests[i];
        const comment = `(${g}/${i}, ${v.result}): ${v.comment}`;
        if (v.result === 'valid' || v.result === 'acceptable') {
          deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, comment);
          deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, comment);
        } else if (v.result === 'invalid') {
          let failed = false;
          try {
            failed = !ed.verify(v.sig, v.msg, key.pk);
          } catch (error) {
            failed = true;
          }
          deepStrictEqual(failed, true, comment);
        } else throw new Error('unknown test result');
      }
    }
  });
  should('Property test issue #1', () => {
    const message = new Uint8Array([12, 12, 12]);
    const signature = ed.sign(message, to32Bytes(1n));
    const publicKey = ed.getPublicKey(to32Bytes(1n)); // <- was 1n
    deepStrictEqual(ed.verify(signature, message, publicKey), true);
  });
  const VECTORS_RFC8032_CTX = [
    {
      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
      message: 'f726936d19c800494e3fdaff20b276a8',
      context: '666f6f',
      signature:
        '55a4cc2f70a54e04288c5f4cd1e45a7b' +
        'b520b36292911876cada7323198dd87a' +
        '8b36950b95130022907a7fb7c4e9b2d5' +
        'f6cca685a587b4b21f4b888e4e7edb0d',
    },
    {
      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
      message: 'f726936d19c800494e3fdaff20b276a8',
      context: '626172',
      signature:
        'fc60d5872fc46b3aa69f8b5b4351d580' +
        '8f92bcc044606db097abab6dbcb1aee3' +
        '216c48e8b3b66431b5b186d1d28f8ee1' +
        '5a5ca2df6668346291c2043d4eb3e90d',
    },
    {
      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
      message: '508e9e6882b979fea900f62adceaca35',
      context: '666f6f',
      signature:
        '8b70c1cc8310e1de20ac53ce28ae6e72' +
        '07f33c3295e03bb5c0732a1d20dc6490' +
        '8922a8b052cf99b7c4fe107a5abb5b2c' +
        '4085ae75890d02df26269d8945f84b0b',
    },
    {
      secretKey: 'ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560',
      publicKey: '0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772',
      message: 'f726936d19c800494e3fdaff20b276a8',
      context: '666f6f',
      signature:
        '21655b5f1aa965996b3f97b3c849eafb' +
        'a922a0a62992f73b3d1b73106a84ad85' +
        'e9b86a7b6005ea868337ff2d20a7f5fb' +
        'd4cd10b0be49a68da2b2e0dc0ad8960f',
    },
  ];
  for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
    const v = VECTORS_RFC8032_CTX[i];
    should(`RFC8032ctx/${i}`, () => {
      deepStrictEqual(hex(ed25519ctx.getPublicKey(v.secretKey)), v.publicKey);
      deepStrictEqual(hex(ed25519ctx.sign(v.message, v.secretKey, v.context)), v.signature);
      deepStrictEqual(ed25519ctx.verify(v.signature, v.message, v.publicKey, v.context), true);
    });
  }
  const VECTORS_RFC8032_PH = [
    {
      secretKey: '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42',
      publicKey: 'ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf',
      message: '616263',
      signature:
        '98a70222f0b8121aa9d30f813d683f80' +
        '9e462b469c7ff87639499bb94e6dae41' +
        '31f85042463c2a355a2003d062adf5aa' +
        'a10b8c61e636062aaad11c2a26083406',
    },
  ];
  for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
    const v = VECTORS_RFC8032_PH[i];
    should(`RFC8032ph/${i}`, () => {
      deepStrictEqual(hex(ed25519ph.getPublicKey(v.secretKey)), v.publicKey);
      deepStrictEqual(hex(ed25519ph.sign(v.message, v.secretKey)), v.signature);
      deepStrictEqual(ed25519ph.verify(v.signature, v.message, v.publicKey), true);
    });
  }
  should('X25519 base point', () => {
    const { y } = ed25519.ExtendedPoint.BASE;
    const { Fp } = ed25519.CURVE;
    const u = Fp.create((y + 1n) * Fp.inv(1n - y));
    deepStrictEqual(hex(numberToBytesLE(u, 32)), x25519.Gu);
  });
  should('isTorsionFree()', () => {
    const orig = ed.utils.getExtendedPublicKey(ed.utils.randomPrivateKey()).point;
    for (const hex of ED25519_TORSION_SUBGROUP.slice(1)) {
      const dirty = orig.add(Point.fromHex(hex));
      const cleared = dirty.clearCofactor();
      strictEqual(orig.isTorsionFree(), true, `orig must be torsionFree: ${hex}`);
      strictEqual(dirty.isTorsionFree(), false, `dirty must not be torsionFree: ${hex}`);
      strictEqual(cleared.isTorsionFree(), true, `cleared must be torsionFree: ${hex}`);
    }
  });
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/ed25519/vectors.txt
+++ b/curve-definitions/test/ed25519/vectors.txt
--- a/curve-definitions/test/ed25519/zip215.json
+++ b/curve-definitions/test/ed25519/zip215.json
--- a/test/ed448.test.js
+++ b/test/ed448.test.js
@@ -0,0 +1,675 @@
 import { deepStrictEqual, throws } from 'assert';
 import { describe, should } from 'micro-should';
 import * as fc from 'fast-check';
 import { ed448, ed448ph, x448 } from '../lib/esm/ed448.js';
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
 import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
 import { default as ed448vectors } from './wycheproof/ed448_test.json' assert { type: 'json' };
 import { default as x448vectors } from './wycheproof/x448_test.json' assert { type: 'json' };
 describe('ed448', () => {
  const ed = ed448;
  const hex = bytesToHex;
  ed.utils.precompute(4);
  const Point = ed.ExtendedPoint;
  should(`Basic`, () => {
    const G1 = Point.BASE.toAffine();
    deepStrictEqual(
      G1.x,
      224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710n
    );
    deepStrictEqual(
      G1.y,
      298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660n
    );
    const G2 = Point.BASE.multiply(2n).toAffine();
    deepStrictEqual(
      G2.x,
      484559149530404593699549205258669689569094240458212040187660132787056912146709081364401144455726350866276831544947397859048262938744149n
    );
    deepStrictEqual(
      G2.y,
      494088759867433727674302672526735089350544552303727723746126484473087719117037293890093462157703888342865036477787453078312060500281069n
    );
    const G3 = Point.BASE.multiply(3n).toAffine();
    deepStrictEqual(
      G3.x,
      23839778817283171003887799738662344287085130522697782688245073320169861206004018274567429238677677920280078599146891901463786155880335n
    );
    deepStrictEqual(
      G3.y,
      636046652612779686502873775776967954190574036985351036782021535703553242737829645273154208057988851307101009474686328623630835377952508n
    );
  });
  should('Basic/decompress', () => {
    const G1 = Point.BASE;
    const G2 = Point.BASE.multiply(2n);
    const G3 = Point.BASE.multiply(3n);
    const points = [G1, G2, G3];
    const getXY = (p) => p.toAffine();
    for (const p of points) deepStrictEqual(getXY(Point.fromHex(p.toHex())), getXY(p));
  });
  const VECTORS_RFC8032 = [
    {
      secretKey:
        '6c82a562cb808d10d632be89c8513ebf' +
        '6c929f34ddfa8c9f63c9960ef6e348a3' +
        '528c8a3fcc2f044e39a3fc5b94492f8f' +
        '032e7549a20098f95b',
      publicKey:
        '5fd7449b59b461fd2ce787ec616ad46a' +
        '1da1342485a70e1f8a0ea75d80e96778' +
        'edf124769b46c7061bd6783df1e50f6c' +
        'd1fa1abeafe8256180',
      message: '',
      signature:
        '533a37f6bbe457251f023c0d88f976ae' +
        '2dfb504a843e34d2074fd823d41a591f' +
        '2b233f034f628281f2fd7a22ddd47d78' +
        '28c59bd0a21bfd3980ff0d2028d4b18a' +
        '9df63e006c5d1c2d345b925d8dc00b41' +
        '04852db99ac5c7cdda8530a113a0f4db' +
        'b61149f05a7363268c71d95808ff2e65' +
        '2600',
    },
    {
      secretKey:
        'c4eab05d357007c632f3dbb48489924d' +
        '552b08fe0c353a0d4a1f00acda2c463a' +
        'fbea67c5e8d2877c5e3bc397a659949e' +
        'f8021e954e0a12274e',
      publicKey:
        '43ba28f430cdff456ae531545f7ecd0a' +
        'c834a55d9358c0372bfa0c6c6798c086' +
        '6aea01eb00742802b8438ea4cb82169c' +
        '235160627b4c3a9480',
      message: '03',
      signature:
        '26b8f91727bd62897af15e41eb43c377' +
        'efb9c610d48f2335cb0bd0087810f435' +
        '2541b143c4b981b7e18f62de8ccdf633' +
        'fc1bf037ab7cd779805e0dbcc0aae1cb' +
        'cee1afb2e027df36bc04dcecbf154336' +
        'c19f0af7e0a6472905e799f1953d2a0f' +
        'f3348ab21aa4adafd1d234441cf807c0' +
        '3a00',
    },
    {
      secretKey:
        'cd23d24f714274e744343237b93290f5' +
        '11f6425f98e64459ff203e8985083ffd' +
        'f60500553abc0e05cd02184bdb89c4cc' +
        'd67e187951267eb328',
      publicKey:
        'dcea9e78f35a1bf3499a831b10b86c90' +
        'aac01cd84b67a0109b55a36e9328b1e3' +
        '65fce161d71ce7131a543ea4cb5f7e9f' +
        '1d8b00696447001400',
      message: '0c3e544074ec63b0265e0c',
      signature:
        '1f0a8888ce25e8d458a21130879b840a' +
        '9089d999aaba039eaf3e3afa090a09d3' +
        '89dba82c4ff2ae8ac5cdfb7c55e94d5d' +
        '961a29fe0109941e00b8dbdeea6d3b05' +
        '1068df7254c0cdc129cbe62db2dc957d' +
        'bb47b51fd3f213fb8698f064774250a5' +
        '028961c9bf8ffd973fe5d5c206492b14' +
        '0e00',
    },
    {
      secretKey:
        '258cdd4ada32ed9c9ff54e63756ae582' +
        'fb8fab2ac721f2c8e676a72768513d93' +
        '9f63dddb55609133f29adf86ec9929dc' +
        'cb52c1c5fd2ff7e21b',
      publicKey:
        '3ba16da0c6f2cc1f30187740756f5e79' +
        '8d6bc5fc015d7c63cc9510ee3fd44adc' +
        '24d8e968b6e46e6f94d19b945361726b' +
        'd75e149ef09817f580',
      message: '64a65f3cdedcdd66811e2915',
      signature:
        '7eeeab7c4e50fb799b418ee5e3197ff6' +
        'bf15d43a14c34389b59dd1a7b1b85b4a' +
        'e90438aca634bea45e3a2695f1270f07' +
        'fdcdf7c62b8efeaf00b45c2c96ba457e' +
        'b1a8bf075a3db28e5c24f6b923ed4ad7' +
        '47c3c9e03c7079efb87cb110d3a99861' +
        'e72003cbae6d6b8b827e4e6c143064ff' +
        '3c00',
    },
    {
      secretKey:
        '7ef4e84544236752fbb56b8f31a23a10' +
        'e42814f5f55ca037cdcc11c64c9a3b29' +
        '49c1bb60700314611732a6c2fea98eeb' +
        'c0266a11a93970100e',
      publicKey:
        'b3da079b0aa493a5772029f0467baebe' +
        'e5a8112d9d3a22532361da294f7bb381' +
        '5c5dc59e176b4d9f381ca0938e13c6c0' +
        '7b174be65dfa578e80',
      message: '64a65f3cdedcdd66811e2915e7',
      signature:
        '6a12066f55331b6c22acd5d5bfc5d712' +
        '28fbda80ae8dec26bdd306743c5027cb' +
        '4890810c162c027468675ecf645a8317' +
        '6c0d7323a2ccde2d80efe5a1268e8aca' +
        '1d6fbc194d3f77c44986eb4ab4177919' +
        'ad8bec33eb47bbb5fc6e28196fd1caf5' +
        '6b4e7e0ba5519234d047155ac727a105' +
        '3100',
    },
    {
      secretKey:
        'd65df341ad13e008567688baedda8e9d' +
        'cdc17dc024974ea5b4227b6530e339bf' +
        'f21f99e68ca6968f3cca6dfe0fb9f4fa' +
        'b4fa135d5542ea3f01',
      publicKey:
        'df9705f58edbab802c7f8363cfe5560a' +
        'b1c6132c20a9f1dd163483a26f8ac53a' +
        '39d6808bf4a1dfbd261b099bb03b3fb5' +
        '0906cb28bd8a081f00',
      message:
        'bd0f6a3747cd561bdddf4640a332461a' +
        '4a30a12a434cd0bf40d766d9c6d458e5' +
        '512204a30c17d1f50b5079631f64eb31' +
        '12182da3005835461113718d1a5ef944',
      signature:
        '554bc2480860b49eab8532d2a533b7d5' +
        '78ef473eeb58c98bb2d0e1ce488a98b1' +
        '8dfde9b9b90775e67f47d4a1c3482058' +
        'efc9f40d2ca033a0801b63d45b3b722e' +
        'f552bad3b4ccb667da350192b61c508c' +
        'f7b6b5adadc2c8d9a446ef003fb05cba' +
        '5f30e88e36ec2703b349ca229c267083' +
        '3900',
    },
    {
      secretKey:
        '2ec5fe3c17045abdb136a5e6a913e32a' +
        'b75ae68b53d2fc149b77e504132d3756' +
        '9b7e766ba74a19bd6162343a21c8590a' +
        'a9cebca9014c636df5',
      publicKey:
        '79756f014dcfe2079f5dd9e718be4171' +
        'e2ef2486a08f25186f6bff43a9936b9b' +
        'fe12402b08ae65798a3d81e22e9ec80e' +
        '7690862ef3d4ed3a00',
      message:
        '15777532b0bdd0d1389f636c5f6b9ba7' +
        '34c90af572877e2d272dd078aa1e567c' +
        'fa80e12928bb542330e8409f31745041' +
        '07ecd5efac61ae7504dabe2a602ede89' +
        'e5cca6257a7c77e27a702b3ae39fc769' +
        'fc54f2395ae6a1178cab4738e543072f' +
        'c1c177fe71e92e25bf03e4ecb72f47b6' +
        '4d0465aaea4c7fad372536c8ba516a60' +
        '39c3c2a39f0e4d832be432dfa9a706a6' +
        'e5c7e19f397964ca4258002f7c0541b5' +
        '90316dbc5622b6b2a6fe7a4abffd9610' +
        '5eca76ea7b98816af0748c10df048ce0' +
        '12d901015a51f189f3888145c03650aa' +
        '23ce894c3bd889e030d565071c59f409' +
        'a9981b51878fd6fc110624dcbcde0bf7' +
        'a69ccce38fabdf86f3bef6044819de11',
      signature:
        'c650ddbb0601c19ca11439e1640dd931' +
        'f43c518ea5bea70d3dcde5f4191fe53f' +
        '00cf966546b72bcc7d58be2b9badef28' +
        '743954e3a44a23f880e8d4f1cfce2d7a' +
        '61452d26da05896f0a50da66a239a8a1' +
        '88b6d825b3305ad77b73fbac0836ecc6' +
        '0987fd08527c1a8e80d5823e65cafe2a' +
        '3d00',
    },
    {
      secretKey:
        '872d093780f5d3730df7c212664b37b8' +
        'a0f24f56810daa8382cd4fa3f77634ec' +
        '44dc54f1c2ed9bea86fafb7632d8be19' +
        '9ea165f5ad55dd9ce8',
      publicKey:
        'a81b2e8a70a5ac94ffdbcc9badfc3feb' +
        '0801f258578bb114ad44ece1ec0e799d' +
        'a08effb81c5d685c0c56f64eecaef8cd' +
        'f11cc38737838cf400',
      message:
        '6ddf802e1aae4986935f7f981ba3f035' +
        '1d6273c0a0c22c9c0e8339168e675412' +
        'a3debfaf435ed651558007db4384b650' +
        'fcc07e3b586a27a4f7a00ac8a6fec2cd' +
        '86ae4bf1570c41e6a40c931db27b2faa' +
        '15a8cedd52cff7362c4e6e23daec0fbc' +
        '3a79b6806e316efcc7b68119bf46bc76' +
        'a26067a53f296dafdbdc11c77f7777e9' +
        '72660cf4b6a9b369a6665f02e0cc9b6e' +
        'dfad136b4fabe723d2813db3136cfde9' +
        'b6d044322fee2947952e031b73ab5c60' +
        '3349b307bdc27bc6cb8b8bbd7bd32321' +
        '9b8033a581b59eadebb09b3c4f3d2277' +
        'd4f0343624acc817804728b25ab79717' +
        '2b4c5c21a22f9c7839d64300232eb66e' +
        '53f31c723fa37fe387c7d3e50bdf9813' +
        'a30e5bb12cf4cd930c40cfb4e1fc6225' +
        '92a49588794494d56d24ea4b40c89fc0' +
        '596cc9ebb961c8cb10adde976a5d602b' +
        '1c3f85b9b9a001ed3c6a4d3b1437f520' +
        '96cd1956d042a597d561a596ecd3d173' +
        '5a8d570ea0ec27225a2c4aaff26306d1' +
        '526c1af3ca6d9cf5a2c98f47e1c46db9' +
        'a33234cfd4d81f2c98538a09ebe76998' +
        'd0d8fd25997c7d255c6d66ece6fa56f1' +
        '1144950f027795e653008f4bd7ca2dee' +
        '85d8e90f3dc315130ce2a00375a318c7' +
        'c3d97be2c8ce5b6db41a6254ff264fa6' +
        '155baee3b0773c0f497c573f19bb4f42' +
        '40281f0b1f4f7be857a4e59d416c06b4' +
        'c50fa09e1810ddc6b1467baeac5a3668' +
        'd11b6ecaa901440016f389f80acc4db9' +
        '77025e7f5924388c7e340a732e554440' +
        'e76570f8dd71b7d640b3450d1fd5f041' +
        '0a18f9a3494f707c717b79b4bf75c984' +
        '00b096b21653b5d217cf3565c9597456' +
        'f70703497a078763829bc01bb1cbc8fa' +
        '04eadc9a6e3f6699587a9e75c94e5bab' +
        '0036e0b2e711392cff0047d0d6b05bd2' +
        'a588bc109718954259f1d86678a579a3' +
        '120f19cfb2963f177aeb70f2d4844826' +
        '262e51b80271272068ef5b3856fa8535' +
        'aa2a88b2d41f2a0e2fda7624c2850272' +
        'ac4a2f561f8f2f7a318bfd5caf969614' +
        '9e4ac824ad3460538fdc25421beec2cc' +
        '6818162d06bbed0c40a387192349db67' +
        'a118bada6cd5ab0140ee273204f628aa' +
        'd1c135f770279a651e24d8c14d75a605' +
        '9d76b96a6fd857def5e0b354b27ab937' +
        'a5815d16b5fae407ff18222c6d1ed263' +
        'be68c95f32d908bd895cd76207ae7264' +
        '87567f9a67dad79abec316f683b17f2d' +
        '02bf07e0ac8b5bc6162cf94697b3c27c' +
        'd1fea49b27f23ba2901871962506520c' +
        '392da8b6ad0d99f7013fbc06c2c17a56' +
        '9500c8a7696481c1cd33e9b14e40b82e' +
        '79a5f5db82571ba97bae3ad3e0479515' +
        'bb0e2b0f3bfcd1fd33034efc6245eddd' +
        '7ee2086ddae2600d8ca73e214e8c2b0b' +
        'db2b047c6a464a562ed77b73d2d841c4' +
        'b34973551257713b753632efba348169' +
        'abc90a68f42611a40126d7cb21b58695' +
        '568186f7e569d2ff0f9e745d0487dd2e' +
        'b997cafc5abf9dd102e62ff66cba87',
      signature:
        'e301345a41a39a4d72fff8df69c98075' +
        'a0cc082b802fc9b2b6bc503f926b65bd' +
        'df7f4c8f1cb49f6396afc8a70abe6d8a' +
        'ef0db478d4c6b2970076c6a0484fe76d' +
        '76b3a97625d79f1ce240e7c576750d29' +
        '5528286f719b413de9ada3e8eb78ed57' +
        '3603ce30d8bb761785dc30dbc320869e' +
        '1a00',
    },
  ];
  describe('RFC8032', () => {
    for (let i = 0; i < VECTORS_RFC8032.length; i++) {
      const v = VECTORS_RFC8032[i];
      should(`${i}`, () => {
        deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
        deepStrictEqual(hex(ed.sign(v.message, v.secretKey)), v.signature);
        deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey), true);
      });
    }
  });
  should('not accept >57byte private keys', () => {
    const invalidPriv =
      100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
    throws(() => ed.getPublicKey(invalidPriv));
  });
  function to57Bytes(numOrStr) {
    let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
    return hexToBytes(hex.padStart(114, '0'));
  }
  should('verify recent signature', () => {
    fc.assert(
      fc.property(
        fc.hexaString({ minLength: 2, maxLength: 57 }),
        fc.bigInt(2n, ed.CURVE.n),
        (message, privateKey) => {
          const publicKey = ed.getPublicKey(to57Bytes(privateKey));
          const signature = ed.sign(to57Bytes(message), to57Bytes(privateKey));
          deepStrictEqual(publicKey.length, 57);
          deepStrictEqual(signature.length, 114);
          deepStrictEqual(ed.verify(signature, to57Bytes(message), publicKey), true);
        }
      ),
      { numRuns: 5 }
    );
  });
  should('not verify signature with wrong message', () => {
    fc.assert(
      fc.property(
        fc.array(fc.integer({ min: 0x00, max: 0xff })),
        fc.array(fc.integer({ min: 0x00, max: 0xff })),
        fc.bigInt(1n, ed.CURVE.n),
        (bytes, wrongBytes, privateKey) => {
          const message = new Uint8Array(bytes);
          const wrongMessage = new Uint8Array(wrongBytes);
          const priv = to57Bytes(privateKey);
          const publicKey = ed.getPublicKey(priv);
          const signature = ed.sign(message, priv);
          deepStrictEqual(
            ed.verify(signature, wrongMessage, publicKey),
            bytes.toString() === wrongBytes.toString()
          );
        }
      ),
      { numRuns: 5 }
    );
  });
  const privKey = to57Bytes('a665a45920422f9d417e4867ef');
  const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
  const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
  describe('basic methods', () => {
    should('sign and verify', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), true);
    });
    should('not verify signature with wrong public key', () => {
      const publicKey = ed.getPublicKey(ed.utils.randomPrivateKey());
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), false);
    });
    should('not verify signature with wrong hash', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
    });
  });
  describe('sync methods', () => {
    should('sign and verify', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), true);
    });
    should('not verify signature with wrong public key', () => {
      const publicKey = ed.getPublicKey(ed.utils.randomPrivateKey());
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, msg, publicKey), false);
    });
    should('not verify signature with wrong hash', () => {
      const publicKey = ed.getPublicKey(privKey);
      const signature = ed.sign(msg, privKey);
      deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
    });
  });
  should('BASE_POINT.multiply() throws in Point#multiply on TEST 5', () => {
    for (const num of [0n, 0, -1n, -1, 1.1]) {
      throws(() => ed.ExtendedPoint.BASE.multiply(num));
    }
  });
  should('input immutability: sign/verify are immutable', () => {
    const privateKey = ed.utils.randomPrivateKey();
    const publicKey = ed.getPublicKey(privateKey);
    for (let i = 0; i < 100; i++) {
      let payload = randomBytes(100);
      let signature = ed.sign(payload, privateKey);
      if (!ed.verify(signature, payload, publicKey)) {
        throw new Error('Signature verification failed');
      }
      const signatureCopy = Buffer.alloc(signature.byteLength);
      signatureCopy.set(signature, 0); // <-- breaks
      payload = payload.slice();
      signature = signature.slice();
      if (!ed.verify(signatureCopy, payload, publicKey))
        throw new Error('Copied signature verification failed');
    }
  });
  describe('wycheproof', () => {
    for (let g = 0; g < ed448vectors.testGroups.length; g++) {
      const group = ed448vectors.testGroups[g];
      const key = group.key;
      should(`ED448(${g}, public)`, () => {
        deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk);
      });
      should(`ED448`, () => {
        for (let i = 0; i < group.tests.length; i++) {
          const v = group.tests[i];
          const index = `${g}/${i} ${v.comment}`;
          if (v.result === 'valid' || v.result === 'acceptable') {
            deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, index);
            deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, index);
          } else if (v.result === 'invalid') {
            let failed = false;
            try {
              failed = !ed.verify(v.sig, v.msg, key.pk);
            } catch (error) {
              failed = true;
            }
            deepStrictEqual(failed, true, index);
          } else throw new Error('unknown test result');
        }
      });
    }
  });
  // ECDH
  const rfc7748Mul = [
    {
      scalar:
        '3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3',
      u: '06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f9814dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086',
      outputU:
        'ce3e4ff95a60dc6697da1db1d85e6afbdf79b50a2412d7546d5f239fe14fbaadeb445fc66a01b0779d98223961111e21766282f73dd96b6f',
    },
    {
      scalar:
        '203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c538345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f',
      u: '0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db',
      outputU:
        '884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d',
    },
  ];
  describe('RFC7748', () => {
    for (let i = 0; i < rfc7748Mul.length; i++) {
      const v = rfc7748Mul[i];
      should(`scalarMult (${i})`, () => {
        deepStrictEqual(hex(x448.scalarMult(v.scalar, v.u)), v.outputU);
      });
    }
  });
  const rfc7748Iter = [
    {
      scalar:
        '3f482c8a9f19b01e6c46ee9711d9dc14fd4bf67af30765c2ae2b846a4d23a8cd0db897086239492caf350b51f833868b9bc2b3bca9cf4113',
      iters: 1,
    },
    {
      scalar:
        'aa3b4749d55b9daf1e5b00288826c467274ce3ebbdd5c17b975e09d4af6c67cf10d087202db88286e2b79fceea3ec353ef54faa26e219f38',
      iters: 1000,
    },
    // { scalar: '077f453681caca3693198420bbe515cae0002472519b3e67661a7e89cab94695c8f4bcd66e61b9b9c946da8d524de3d69bd9d9d66b997e37', iters: 1000000 },
  ];
  for (let i = 0; i < rfc7748Iter.length; i++) {
    const { scalar, iters } = rfc7748Iter[i];
    should(`RFC7748: scalarMult iteration (${i})`, () => {
      let k = x448.Gu;
      for (let i = 0, u = k; i < iters; i++) [k, u] = [x448.scalarMult(k, u), k];
      deepStrictEqual(hex(k), scalar);
    });
  }
  should('RFC7748 getSharedKey', () => {
    const alicePrivate =
      '9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28dd9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b';
    const alicePublic =
      '9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0';
    const bobPrivate =
      '1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d';
    const bobPublic =
      '3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b43027d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609';
    const shared =
      '07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d';
    deepStrictEqual(alicePublic, hex(x448.getPublicKey(alicePrivate)));
    deepStrictEqual(bobPublic, hex(x448.getPublicKey(bobPrivate)));
    deepStrictEqual(hex(x448.scalarMult(alicePrivate, bobPublic)), shared);
    deepStrictEqual(hex(x448.scalarMult(bobPrivate, alicePublic)), shared);
  });
  describe('wycheproof', () => {
    const group = x448vectors.testGroups[0];
    should(`X448`, () => {
      for (let i = 0; i < group.tests.length; i++) {
        const v = group.tests[i];
        const index = `(${i}, ${v.result}) ${v.comment}`;
        if (v.result === 'valid' || v.result === 'acceptable') {
          try {
            const shared = hex(x448.scalarMult(v.private, v.public));
            deepStrictEqual(shared, v.shared, index);
          } catch (e) {
            // We are more strict
            if (e.message.includes('Expected valid scalar')) return;
            if (e.message.includes('Invalid private or public key received')) return;
            if (e.message.includes('Expected 56 bytes')) return;
            throw e;
          }
        } else if (v.result === 'invalid') {
          let failed = false;
          try {
            x448.scalarMult(v.private, v.public);
          } catch (error) {
            failed = true;
          }
          deepStrictEqual(failed, true, index);
        } else throw new Error('unknown test result');
      }
    });
  });
  // should('X448: should convert base point to montgomery using fromPoint', () => {
  //   deepStrictEqual(
  //     hex(ed.montgomeryCurve.UfromPoint(Point.BASE)),
  //     ed.montgomeryCurve.BASE_POINT_U
  //   );
  // });
  // should('X448/getSharedSecret() should be commutative', async () => {
  //   for (let i = 0; i < 512; i++) {
  //     const asec = ed.utils.randomPrivateKey();
  //     const apub = ed.getPublicKey(asec);
  //     const bsec = ed.utils.randomPrivateKey();
  //     const bpub = ed.getPublicKey(bsec);
  //     try {
  //       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
  //     } catch (error) {
  //       console.error('not commutative', { asec, apub, bsec, bpub });
  //       throw error;
  //     }
  //   }
  // });
  const VECTORS_RFC8032_CTX = [
    {
      secretKey:
        'c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e',
      publicKey:
        '43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480',
      message: '03',
      context: '666f6f',
      signature:
        'd4f8f6131770dd46f40867d6fd5d5055' +
        'de43541f8c5e35abbcd001b32a89f7d2' +
        '151f7647f11d8ca2ae279fb842d60721' +
        '7fce6e042f6815ea000c85741de5c8da' +
        '1144a6a1aba7f96de42505d7a7298524' +
        'fda538fccbbb754f578c1cad10d54d0d' +
        '5428407e85dcbc98a49155c13764e66c' +
        '3c00',
    },
  ];
  for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
    const v = VECTORS_RFC8032_CTX[i];
    should(`RFC8032ctx/${i}`, () => {
      deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
      deepStrictEqual(hex(ed.sign(v.message, v.secretKey, v.context)), v.signature);
      deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey, v.context), true);
    });
  }
  const VECTORS_RFC8032_PH = [
    {
      secretKey:
        '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
      publicKey:
        '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
      message: '616263',
      signature:
        '822f6901f7480f3d5f562c592994d969' +
        '3602875614483256505600bbc281ae38' +
        '1f54d6bce2ea911574932f52a4e6cadd' +
        '78769375ec3ffd1b801a0d9b3f4030cd' +
        '433964b6457ea39476511214f97469b5' +
        '7dd32dbc560a9a94d00bff07620464a3' +
        'ad203df7dc7ce360c3cd3696d9d9fab9' +
        '0f00',
    },
    {
      secretKey:
        '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
      publicKey:
        '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
      message: '616263',
      context: '666f6f',
      signature:
        'c32299d46ec8ff02b54540982814dce9' +
        'a05812f81962b649d528095916a2aa48' +
        '1065b1580423ef927ecf0af5888f90da' +
        '0f6a9a85ad5dc3f280d91224ba9911a3' +
        '653d00e484e2ce232521481c8658df30' +
        '4bb7745a73514cdb9bf3e15784ab7128' +
        '4f8d0704a608c54a6b62d97beb511d13' +
        '2100',
    },
  ];
  for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
    const v = VECTORS_RFC8032_PH[i];
    should(`RFC8032ph/${i}`, () => {
      deepStrictEqual(hex(ed448ph.getPublicKey(v.secretKey)), v.publicKey);
      deepStrictEqual(hex(ed448ph.sign(v.message, v.secretKey, v.context)), v.signature);
      deepStrictEqual(ed448ph.verify(v.signature, v.message, v.publicKey, v.context), true);
    });
  }
  should('X448 base point', () => {
    const { x, y } = Point.BASE;
    const { Fp } = ed448.CURVE;
    // const invX = Fp.invert(x * x); // x²
    const u = Fp.div(Fp.create(y * y), Fp.create(x * x)); // (y²/x²)
    // const u = Fp.create(y * y * invX);
    deepStrictEqual(hex(numberToBytesLE(u, 56)), x448.Gu);
  });
 });
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/curve-definitions/test/fixtures/rfc6979.json
+++ b/curve-definitions/test/fixtures/rfc6979.json
@@ -28,16 +28,16 @@
        "Uy": "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
        "cases": [
            {
-                "k": "AD3029E0278F80643DE33917CE6908C70A8FF50A411F06E41DEDFCDC",
+                "k": "C1D1F2F10881088301880506805FEB4825FE09ACB6816C36991AA06D",
                "message": "sample",
-                "r": "61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA",
+                "r": "1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E",
-                "s": "BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101"
+                "s": "A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC"
            },
            {
-                "k": "FF86F57924DA248D6E44E8154EB69F0AE2AEBAEE9931D0B5A969F904",
+                "k": "DF8B38D40DCA3E077D0AC520BF56B6D565134D9B5F2EAE0D34900524",
                "message": "test",
-                "r": "AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6",
+                "r": "C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019",
-                "s": "178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD"
+                "s": "902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4"
            }
        ]
    },
--- a/test/hash-to-curve.test.js
+++ b/test/hash-to-curve.test.js
@@ -0,0 +1,153 @@
 import { deepStrictEqual } from 'assert';
 import { describe, should } from 'micro-should';
 import { bytesToHex } from '@noble/hashes/utils';
 // Generic tests for all curves in package
 import { sha256 } from '@noble/hashes/sha256';
 import { sha512 } from '@noble/hashes/sha512';
 import { shake128, shake256 } from '@noble/hashes/sha3';
 import * as secp256r1 from '../lib/esm/p256.js';
 import * as secp384r1 from '../lib/esm/p384.js';
 import * as secp521r1 from '../lib/esm/p521.js';
 import * as ed25519 from '../lib/esm/ed25519.js';
 import * as ed448 from '../lib/esm/ed448.js';
 import * as secp256k1 from '../lib/esm/secp256k1.js';
 import { bls12_381 } from '../lib/esm/bls12-381.js';
 import {
  stringToBytes,
  expand_message_xmd,
  expand_message_xof,
 } from '../lib/esm/abstract/hash-to-curve.js';
 // XMD
 import { default as xmd_sha256_38 } from './hash-to-curve/expand_message_xmd_SHA256_38.json' assert { type: 'json' };
 import { default as xmd_sha256_256 } from './hash-to-curve/expand_message_xmd_SHA256_256.json' assert { type: 'json' };
 import { default as xmd_sha512_38 } from './hash-to-curve/expand_message_xmd_SHA512_38.json' assert { type: 'json' };
 // XOF
 import { default as xof_shake128_36 } from './hash-to-curve/expand_message_xof_SHAKE128_36.json' assert { type: 'json' };
 import { default as xof_shake128_256 } from './hash-to-curve/expand_message_xof_SHAKE128_256.json' assert { type: 'json' };
 import { default as xof_shake256_36 } from './hash-to-curve/expand_message_xof_SHAKE256_36.json' assert { type: 'json' };
 // P256
 import { default as p256_ro } from './hash-to-curve/P256_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
 import { default as p256_nu } from './hash-to-curve/P256_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
 // P384
 import { default as p384_ro } from './hash-to-curve/P384_XMD:SHA-384_SSWU_RO_.json' assert { type: 'json' };
 import { default as p384_nu } from './hash-to-curve/P384_XMD:SHA-384_SSWU_NU_.json' assert { type: 'json' };
 // P521
 import { default as p521_ro } from './hash-to-curve/P521_XMD:SHA-512_SSWU_RO_.json' assert { type: 'json' };
 import { default as p521_nu } from './hash-to-curve/P521_XMD:SHA-512_SSWU_NU_.json' assert { type: 'json' };
 // secp256k1
 import { default as secp256k1_ro } from './hash-to-curve/secp256k1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
 import { default as secp256k1_nu } from './hash-to-curve/secp256k1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
 // bls-G1
 import { default as g1_ro } from './hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
 import { default as g1_nu } from './hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
 // bls-G2
 import { default as g2_ro } from './hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
 import { default as g2_nu } from './hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
 // ed25519
 import { default as ed25519_ro } from './hash-to-curve/edwards25519_XMD:SHA-512_ELL2_RO_.json' assert { type: 'json' };
 import { default as ed25519_nu } from './hash-to-curve/edwards25519_XMD:SHA-512_ELL2_NU_.json' assert { type: 'json' };
 // ed448
 import { default as ed448_ro } from './hash-to-curve/edwards448_XOF:SHAKE256_ELL2_RO_.json' assert { type: 'json' };
 import { default as ed448_nu } from './hash-to-curve/edwards448_XOF:SHAKE256_ELL2_NU_.json' assert { type: 'json' };
 function testExpandXMD(hash, vectors) {
  describe(`${vectors.hash}/${vectors.DST.length}`, () => {
    for (let i = 0; i < vectors.tests.length; i++) {
      const t = vectors.tests[i];
      should(`${vectors.hash}/${vectors.DST.length}/${i}`, () => {
        const p = expand_message_xmd(
          stringToBytes(t.msg),
          stringToBytes(vectors.DST),
          t.len_in_bytes,
          hash
        );
        deepStrictEqual(bytesToHex(p), t.uniform_bytes);
      });
    }
  });
 }
 describe('expand_message_xmd', () => {
  testExpandXMD(sha256, xmd_sha256_38);
  testExpandXMD(sha256, xmd_sha256_256);
  testExpandXMD(sha512, xmd_sha512_38);
 });
 function testExpandXOF(hash, vectors) {
  describe(`${vectors.hash}/${vectors.DST.length}`, () => {
    for (let i = 0; i < vectors.tests.length; i++) {
      const t = vectors.tests[i];
      should(`${i}`, () => {
        const p = expand_message_xof(
          stringToBytes(t.msg),
          stringToBytes(vectors.DST),
          +t.len_in_bytes,
          vectors.k,
          hash
        );
        deepStrictEqual(bytesToHex(p), t.uniform_bytes);
      });
    }
  });
 }
 describe('expand_message_xof', () => {
  testExpandXOF(shake128, xof_shake128_36);
  testExpandXOF(shake128, xof_shake128_256);
  testExpandXOF(shake256, xof_shake256_36);
 });
 function stringToFp(s) {
  // bls-G2 support
  if (s.includes(',')) {
    const [c0, c1] = s.split(',').map(BigInt);
    return { c0, c1 };
  }
  return BigInt(s);
 }
 function testCurve(curve, ro, nu) {
  describe(`${ro.curve}/${ro.ciphersuite}`, () => {
    for (let i = 0; i < ro.vectors.length; i++) {
      const t = ro.vectors[i];
      should(`(${i})`, () => {
        const p = curve
          .hashToCurve(stringToBytes(t.msg), {
            DST: ro.dst,
          })
          .toAffine();
        deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
        deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
      });
    }
  });
  describe(`${nu.curve}/${nu.ciphersuite}`, () => {
    for (let i = 0; i < nu.vectors.length; i++) {
      const t = nu.vectors[i];
      should(`(${i})`, () => {
        const p = curve
          .encodeToCurve(stringToBytes(t.msg), {
            DST: nu.dst,
          })
          .toAffine();
        deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
        deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
      });
    }
  });
 }
 testCurve(secp256r1, p256_ro, p256_nu);
 testCurve(secp384r1, p384_ro, p384_nu);
 testCurve(secp521r1, p521_ro, p521_nu);
 testCurve(bls12_381.hashToCurve.G1, g1_ro, g1_nu);
 testCurve(bls12_381.hashToCurve.G2, g2_ro, g2_nu);
 testCurve(secp256k1, secp256k1_ro, secp256k1_nu);
 testCurve(ed25519, ed25519_ro, ed25519_nu);
 testCurve(ed448, ed448_ro, ed448_nu);
 // ESM is broken.
 import url from 'url';
 if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
  should.run();
 }
--- a/test/hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_NU_.json
+++ b/test/hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x40",
  "Z": "0xb",
  "ciphersuite": "BLS12381G1_XMD:SHA-256_SSWU_NU_",
  "curve": "BLS12-381 G1",
  "dst": "QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0x184bb665c37ff561a89ec2122dd343f20e0f4cbcaec84e3c3052ea81d1834e192c426074b02ed3dca4e7676ce4ce48ba",
        "y": "0x04407b8d35af4dacc809927071fc0405218f1401a6d15af775810e4e460064bcc9468beeba82fdc751be70476c888bf3"
      },
      "Q": {
        "x": "0x11398d3b324810a1b093f8e35aa8571cced95858207e7f49c4fd74656096d61d8a2f9a23cdb18a4dd11cd1d66f41f709",
        "y": "0x19316b6fb2ba7717355d5d66a361899057e1e84a6823039efc7beccefe09d023fb2713b1c415fcf278eb0c39a89b4f72"
      },
      "msg": "",
      "u": [
        "0x156c8a6a2c184569d69a76be144b5cdc5141d2d2ca4fe341f011e25e3969c55ad9e9b9ce2eb833c81a908e5fa4ac5f03"
      ]
    },
    {
      "P": {
        "x": "0x009769f3ab59bfd551d53a5f846b9984c59b97d6842b20a2c565baa167945e3d026a3755b6345df8ec7e6acb6868ae6d",
        "y": "0x1532c00cf61aa3d0ce3e5aa20c3b531a2abd2c770a790a2613818303c6b830ffc0ecf6c357af3317b9575c567f11cd2c"
      },
      "Q": {
        "x": "0x1998321bc27ff6d71df3051b5aec12ff47363d81a5e9d2dff55f444f6ca7e7d6af45c56fd029c58237c266ef5cda5254",
        "y": "0x034d274476c6307ae584f951c82e7ea85b84f72d28f4d6471732356121af8d62a49bc263e8eb913a6cf6f125995514ee"
      },
      "msg": "abc",
      "u": [
        "0x147e1ed29f06e4c5079b9d14fc89d2820d32419b990c1c7bb7dbea2a36a045124b31ffbde7c99329c05c559af1c6cc82"
      ]
    },
    {
      "P": {
        "x": "0x1974dbb8e6b5d20b84df7e625e2fbfecb2cdb5f77d5eae5fb2955e5ce7313cae8364bc2fff520a6c25619739c6bdcb6a",
        "y": "0x15f9897e11c6441eaa676de141c8d83c37aab8667173cbe1dfd6de74d11861b961dccebcd9d289ac633455dfcc7013a3"
      },
      "Q": {
        "x": "0x17d502fa43bd6a4cad2859049a0c3ecefd60240d129be65da271a4c03a9c38fa78163b9d2a919d2beb57df7d609b4919",
        "y": "0x109019902ae93a8732abecf2ff7fecd2e4e305eb91f41c9c3267f16b6c19de138c7272947f25512745da6c466cdfd1ac"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x04090815ad598a06897dd89bcda860f25837d54e897298ce31e6947378134d3761dc59a572154963e8c954919ecfa82d"
      ]
    },
    {
      "P": {
        "x": "0x0a7a047c4a8397b3446450642c2ac64d7239b61872c9ae7a59707a8f4f950f101e766afe58223b3bff3a19a7f754027c",
        "y": "0x1383aebba1e4327ccff7cf9912bda0dbc77de048b71ef8c8a81111d71dc33c5e3aa6edee9cf6f5fe525d50cc50b77cc9"
      },
      "Q": {
        "x": "0x112eb92dd2b3aa9cd38b08de4bef603f2f9fb0ca226030626a9a2e47ad1e9847fe0a5ed13766c339e38f514bba143b21",
        "y": "0x17542ce2f8d0a54f2c5ba8c4b14e10b22d5bcd7bae2af3c965c8c872b571058c720eac448276c99967ded2bf124490e1"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x08dccd088ca55b8bfbc96fb50bb25c592faa867a8bb78d4e94a8cc2c92306190244532e91feba2b7fed977e3c3bb5a1f"
      ]
    },
    {
      "P": {
        "x": "0x0e7a16a975904f131682edbb03d9560d3e48214c9986bd50417a77108d13dc957500edf96462a3d01e62dc6cd468ef11",
        "y": "0x0ae89e677711d05c30a48d6d75e76ca9fb70fe06c6dd6ff988683d89ccde29ac7d46c53bb97a59b1901abf1db66052db"
      },
      "Q": {
        "x": "0x1775d400a1bacc1c39c355da7e96d2d1c97baa9430c4a3476881f8521c09a01f921f592607961efc99c4cd46bd78ca19",
        "y": "0x1109b5d59f65964315de65a7a143e86eabc053104ed289cf480949317a5685fad7254ff8e7fe6d24d3104e5d55ad6370"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x0dd824886d2123a96447f6c56e3a3fa992fbfefdba17b6673f9f630ff19e4d326529db37e1c1be43f905bf9202e0278d"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_RO_.json
+++ b/test/hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x40",
  "Z": "0xb",
  "ciphersuite": "BLS12381G1_XMD:SHA-256_SSWU_RO_",
  "curve": "BLS12-381 G1",
  "dst": "QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x052926add2207b76ca4fa57a8734416c8dc95e24501772c814278700eed6d1e4e8cf62d9c09db0fac349612b759e79a1",
        "y": "0x08ba738453bfed09cb546dbb0783dbb3a5f1f566ed67bb6be0e8c67e2e81a4cc68ee29813bb7994998f3eae0c9c6a265"
      },
      "Q0": {
        "x": "0x11a3cce7e1d90975990066b2f2643b9540fa40d6137780df4e753a8054d07580db3b7f1f03396333d4a359d1fe3766fe",
        "y": "0x0eeaf6d794e479e270da10fdaf768db4c96b650a74518fc67b04b03927754bac66f3ac720404f339ecdcc028afa091b7"
      },
      "Q1": {
        "x": "0x160003aaf1632b13396dbad518effa00fff532f604de1a7fc2082ff4cb0afa2d63b2c32da1bef2bf6c5ca62dc6b72f9c",
        "y": "0x0d8bb2d14e20cf9f6036152ed386d79189415b6d015a20133acb4e019139b94e9c146aaad5817f866c95d609a361735e"
      },
      "msg": "",
      "u": [
        "0x0ba14bd907ad64a016293ee7c2d276b8eae71f25a4b941eece7b0d89f17f75cb3ae5438a614fb61d6835ad59f29c564f",
        "0x019b9bd7979f12657976de2884c7cce192b82c177c80e0ec604436a7f538d231552f0d96d9f7babe5fa3b19b3ff25ac9"
      ]
    },
    {
      "P": {
        "x": "0x03567bc5ef9c690c2ab2ecdf6a96ef1c139cc0b2f284dca0a9a7943388a49a3aee664ba5379a7655d3c68900be2f6903",
        "y": "0x0b9c15f3fe6e5cf4211f346271d7b01c8f3b28be689c8429c85b67af215533311f0b8dfaaa154fa6b88176c229f2885d"
      },
      "Q0": {
        "x": "0x125435adce8e1cbd1c803e7123f45392dc6e326d292499c2c45c5865985fd74fe8f042ecdeeec5ecac80680d04317d80",
        "y": "0x0e8828948c989126595ee30e4f7c931cbd6f4570735624fd25aef2fa41d3f79cfb4b4ee7b7e55a8ce013af2a5ba20bf2"
      },
      "Q1": {
        "x": "0x11def93719829ecda3b46aa8c31fc3ac9c34b428982b898369608e4f042babee6c77ab9218aad5c87ba785481eff8ae4",
        "y": "0x0007c9cef122ccf2efd233d6eb9bfc680aa276652b0661f4f820a653cec1db7ff69899f8e52b8e92b025a12c822a6ce6"
      },
      "msg": "abc",
      "u": [
        "0x0d921c33f2bad966478a03ca35d05719bdf92d347557ea166e5bba579eea9b83e9afa5c088573c2281410369fbd32951",
        "0x003574a00b109ada2f26a37a91f9d1e740dffd8d69ec0c35e1e9f4652c7dba61123e9dd2e76c655d956e2b3462611139"
      ]
    },
    {
      "P": {
        "x": "0x11e0b079dea29a68f0383ee94fed1b940995272407e3bb916bbf268c263ddd57a6a27200a784cbc248e84f357ce82d98",
        "y": "0x03a87ae2caf14e8ee52e51fa2ed8eefe80f02457004ba4d486d6aa1f517c0889501dc7413753f9599b099ebcbbd2d709"
      },
      "Q0": {
        "x": "0x08834484878c217682f6d09a4b51444802fdba3d7f2df9903a0ddadb92130ebbfa807fffa0eabf257d7b48272410afff",
        "y": "0x0b318f7ecf77f45a0f038e62d7098221d2dbbca2a394164e2e3fe953dc714ac2cde412d8f2d7f0c03b259e6795a2508e"
      },
      "Q1": {
        "x": "0x158418ed6b27e2549f05531a8281b5822b31c3bf3144277fbb977f8d6e2694fedceb7011b3c2b192f23e2a44b2bd106e",
        "y": "0x1879074f344471fac5f839e2b4920789643c075792bec5af4282c73f7941cda5aa77b00085eb10e206171b9787c4169f"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x062d1865eb80ebfa73dcfc45db1ad4266b9f3a93219976a3790ab8d52d3e5f1e62f3b01795e36834b17b70e7b76246d4",
        "0x0cdc3e2f271f29c4ff75020857ce6c5d36008c9b48385ea2f2bf6f96f428a3deb798aa033cd482d1cdc8b30178b08e3a"
      ]
    },
    {
      "P": {
        "x": "0x15f68eaa693b95ccb85215dc65fa81038d69629f70aeee0d0f677cf22285e7bf58d7cb86eefe8f2e9bc3f8cb84fac488",
        "y": "0x1807a1d50c29f430b8cafc4f8638dfeeadf51211e1602a5f184443076715f91bb90a48ba1e370edce6ae1062f5e6dd38"
      },
      "Q0": {
        "x": "0x0cbd7f84ad2c99643fea7a7ac8f52d63d66cefa06d9a56148e58b984b3dd25e1f41ff47154543343949c64f88d48a710",
        "y": "0x052c00e4ed52d000d94881a5638ae9274d3efc8bc77bc0e5c650de04a000b2c334a9e80b85282a00f3148dfdface0865"
      },
      "Q1": {
        "x": "0x06493fb68f0d513af08be0372f849436a787e7b701ae31cb964d968021d6ba6bd7d26a38aaa5a68e8c21a6b17dc8b579",
        "y": "0x02e98f2ccf5802b05ffaac7c20018bc0c0b2fd580216c4aa2275d2909dc0c92d0d0bdc979226adeb57a29933536b6bb4"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x010476f6a060453c0b1ad0b628f3e57c23039ee16eea5e71bb87c3b5419b1255dc0e5883322e563b84a29543823c0e86",
        "0x0b1a912064fb0554b180e07af7e787f1f883a0470759c03c1b6509eb8ce980d1670305ae7b928226bb58fdc0a419f46e"
      ]
    },
    {
      "P": {
        "x": "0x082aabae8b7dedb0e78aeb619ad3bfd9277a2f77ba7fad20ef6aabdc6c31d19ba5a6d12283553294c1825c4b3ca2dcfe",
        "y": "0x05b84ae5a942248eea39e1d91030458c40153f3b654ab7872d779ad1e942856a20c438e8d99bc8abfbf74729ce1f7ac8"
      },
      "Q0": {
        "x": "0x0cf97e6dbd0947857f3e578231d07b309c622ade08f2c08b32ff372bd90db19467b2563cc997d4407968d4ac80e154f8",
        "y": "0x127f0cddf2613058101a5701f4cb9d0861fd6c2a1b8e0afe194fccf586a3201a53874a2761a9ab6d7220c68661a35ab3"
      },
      "Q1": {
        "x": "0x092f1acfa62b05f95884c6791fba989bbe58044ee6355d100973bf9553ade52b47929264e6ae770fb264582d8dce512a",
        "y": "0x028e6d0169a72cfedb737be45db6c401d3adfb12c58c619c82b93a5dfcccef12290de530b0480575ddc8397cda0bbebf"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x0a8ffa7447f6be1c5a2ea4b959c9454b431e29ccc0802bc052413a9c5b4f9aac67a93431bd480d15be1e057c8a08e8c6",
        "0x05d487032f602c90fa7625dbafe0f4a49ef4a6b0b33d7bb349ff4cf5410d297fd6241876e3e77b651cfc8191e40a68b7"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_NU_.json
+++ b/test/hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x40",
  "Z": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaa9,0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
  "ciphersuite": "BLS12381G2_XMD:SHA-256_SSWU_NU_",
  "curve": "BLS12-381 G2",
  "dst": "QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x2",
    "p": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0x00e7f4568a82b4b7dc1f14c6aaa055edf51502319c723c4dc2688c7fe5944c213f510328082396515734b6612c4e7bb7,0x126b855e9e69b1f691f816e48ac6977664d24d99f8724868a184186469ddfd4617367e94527d4b74fc86413483afb35b",
        "y": "0x0caead0fd7b6176c01436833c79d305c78be307da5f6af6c133c47311def6ff1e0babf57a0fb5539fce7ee12407b0a42,0x1498aadcf7ae2b345243e281ae076df6de84455d766ab6fcdaad71fab60abb2e8b980a440043cd305db09d283c895e3d"
      },
      "Q": {
        "x": "0x18ed3794ad43c781816c523776188deafba67ab773189b8f18c49bc7aa841cd81525171f7a5203b2a340579192403bef,0x0727d90785d179e7b5732c8a34b660335fed03b913710b60903cf4954b651ed3466dc3728e21855ae822d4a0f1d06587",
        "y": "0x00764a5cf6c5f61c52c838523460eb2168b5a5b43705e19cb612e006f29b717897facfd15dd1c8874c915f6d53d0342d,0x19290bb9797c12c1d275817aa2605ebe42275b66860f0e4d04487ebc2e47c50b36edd86c685a60c20a2bd584a82b011a"
      },
      "msg": "",
      "u": [
        "0x07355d25caf6e7f2f0cb2812ca0e513bd026ed09dda65b177500fa31714e09ea0ded3a078b526bed3307f804d4b93b04,0x02829ce3c021339ccb5caf3e187f6370e1e2a311dec9b75363117063ab2015603ff52c3d3b98f19c2f65575e99e8b78c"
      ]
    },
    {
      "P": {
        "x": "0x108ed59fd9fae381abfd1d6bce2fd2fa220990f0f837fa30e0f27914ed6e1454db0d1ee957b219f61da6ff8be0d6441f,0x0296238ea82c6d4adb3c838ee3cb2346049c90b96d602d7bb1b469b905c9228be25c627bffee872def773d5b2a2eb57d",
        "y": "0x033f90f6057aadacae7963b0a0b379dd46750c1c94a6357c99b65f63b79e321ff50fe3053330911c56b6ceea08fee656,0x153606c417e59fb331b7ae6bce4fbf7c5190c33ce9402b5ebe2b70e44fca614f3f1382a3625ed5493843d0b0a652fc3f"
      },
      "Q": {
        "x": "0x0f40e1d5025ecef0d850aa0bb7bbeceab21a3d4e85e6bee857805b09693051f5b25428c6be343edba5f14317fcc30143,0x02e0d261f2b9fee88b82804ec83db330caa75fbb12719cfa71ccce1c532dc4e1e79b0a6a281ed8d3817524286c8bc04c",
        "y": "0x0cf4a4adc5c66da0bca4caddc6a57ecd97c8252d7526a8ff478e0dfed816c4d321b5c3039c6683ae9b1e6a3a38c9c0ae,0x11cad1646bb3768c04be2ab2bbe1f80263b7ff6f8f9488f5bc3b6850e5a3e97e20acc583613c69cf3d2bfe8489744ebb"
      },
      "msg": "abc",
      "u": [
        "0x138879a9559e24cecee8697b8b4ad32cced053138ab913b99872772dc753a2967ed50aabc907937aefb2439ba06cc50c,0x0a1ae7999ea9bab1dcc9ef8887a6cb6e8f1e22566015428d220b7eec90ffa70ad1f624018a9ad11e78d588bd3617f9f2"
      ]
    },
    {
      "P": {
        "x": "0x038af300ef34c7759a6caaa4e69363cafeed218a1f207e93b2c70d91a1263d375d6730bd6b6509dcac3ba5b567e85bf3,0x0da75be60fb6aa0e9e3143e40c42796edf15685cafe0279afd2a67c3dff1c82341f17effd402e4f1af240ea90f4b659b",
        "y": "0x19b148cbdf163cf0894f29660d2e7bfb2b68e37d54cc83fd4e6e62c020eaa48709302ef8e746736c0e19342cc1ce3df4,0x0492f4fed741b073e5a82580f7c663f9b79e036b70ab3e51162359cec4e77c78086fe879b65ca7a47d34374c8315ac5e"
      },
      "Q": {
        "x": "0x13a9d4a738a85c9f917c7be36b240915434b58679980010499b9ae8d7a1bf7fbe617a15b3cd6060093f40d18e0f19456,0x16fa88754e7670366a859d6f6899ad765bf5a177abedb2740aacc9252c43f90cd0421373fbd5b2b76bb8f5c4886b5d37",
        "y": "0x0a7fa7d82c46797039398253e8765a4194100b330dfed6d7fbb46d6fbf01e222088779ac336e3675c7a7a0ee05bbb6e3,0x0c6ee170ab766d11fa9457cef53253f2628010b2cffc102b3b28351eb9df6c281d3cfc78e9934769d661b72a5265338d"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x18c16fe362b7dbdfa102e42bdfd3e2f4e6191d479437a59db4eb716986bf08ee1f42634db66bde97d6c16bbfd342b3b8,0x0e37812ce1b146d998d5f92bdd5ada2a31bfd63dfe18311aa91637b5f279dd045763166aa1615e46a50d8d8f475f184e"
      ]
    },
    {
      "P": {
        "x": "0x0c5ae723be00e6c3f0efe184fdc0702b64588fe77dda152ab13099a3bacd3876767fa7bbad6d6fd90b3642e902b208f9,0x12c8c05c1d5fc7bfa847f4d7d81e294e66b9a78bc9953990c358945e1f042eedafce608b67fdd3ab0cb2e6e263b9b1ad",
        "y": "0x04e77ddb3ede41b5ec4396b7421dd916efc68a358a0d7425bddd253547f2fb4830522358491827265dfc5bcc1928a569,0x11c624c56dbe154d759d021eec60fab3d8b852395a89de497e48504366feedd4662d023af447d66926a28076813dd646"
      },
      "Q": {
        "x": "0x0a08b2f639855dfdeaaed972702b109e2241a54de198b2b4cd12ad9f88fa419a6086a58d91fc805de812ea29bee427c2,0x04a7442e4cb8b42ef0f41dac9ee74e65ecad3ce0851f0746dc47568b0e7a8134121ed09ba054509232c49148aef62cda",
        "y": "0x05d60b1f04212b2c87607458f71d770f43973511c260f0540eef3a565f42c7ce59aa1cea684bb2a7bcab84acd2f36c8c,0x1017aa5747ba15505ece266a86b0ca9c712f41a254b76ca04094ca442ce45ecd224bd5544cd16685d0d1b9d156dd0531"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x08d4a0997b9d52fecf99427abb721f0fa779479963315fe21c6445250de7183e3f63bfdf86570da8929489e421d4ee95,0x16cb4ccad91ec95aab070f22043916cd6a59c4ca94097f7f510043d48515526dc8eaaea27e586f09151ae613688d5a89"
      ]
    },
    {
      "P": {
        "x": "0x0ea4e7c33d43e17cc516a72f76437c4bf81d8f4eac69ac355d3bf9b71b8138d55dc10fd458be115afa798b55dac34be1,0x1565c2f625032d232f13121d3cfb476f45275c303a037faa255f9da62000c2c864ea881e2bcddd111edc4a3c0da3e88d",
        "y": "0x043b6f5fe4e52c839148dc66f2b3751e69a0f6ebb3d056d6465d50d4108543ecd956e10fa1640dfd9bc0030cc2558d28,0x0f8991d2a1ad662e7b6f58ab787947f1fa607fce12dde171bc17903b012091b657e15333e11701edcf5b63ba2a561247"
      },
      "Q": {
        "x": "0x19592c812d5a50c5601062faba14c7d670711745311c879de1235a0a11c75aab61327bf2d1725db07ec4d6996a682886,0x0eef4fa41ddc17ed47baf447a2c498548f3c72a02381313d13bef916e240b61ce125539090d62d9fbb14a900bf1b8e90",
        "y": "0x1260d6e0987eae96af9ebe551e08de22b37791d53f4db9e0d59da736e66699735793e853e26362531fe4adf99c1883e3,0x0dbace5df0a4ac4ac2f45d8fdf8aee45484576fdd6efc4f98ab9b9f4112309e628255e183022d98ea5ed6e47ca00306c"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x03f80ce4ff0ca2f576d797a3660e3f65b274285c054feccc3215c879e2c0589d376e83ede13f93c32f05da0f68fd6a10,0x006488a837c5413746d868d1efb7232724da10eca410b07d8b505b9363bdccf0a1fc0029bad07d65b15ccfe6dd25e20d"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_RO_.json
+++ b/test/hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x40",
  "Z": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaa9,0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
  "ciphersuite": "BLS12381G2_XMD:SHA-256_SSWU_RO_",
  "curve": "BLS12-381 G2",
  "dst": "QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x2",
    "p": "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x0141ebfbdca40eb85b87142e130ab689c673cf60f1a3e98d69335266f30d9b8d4ac44c1038e9dcdd5393faf5c41fb78a,0x05cb8437535e20ecffaef7752baddf98034139c38452458baeefab379ba13dff5bf5dd71b72418717047f5b0f37da03d",
        "y": "0x0503921d7f6a12805e72940b963c0cf3471c7b2a524950ca195d11062ee75ec076daf2d4bc358c4b190c0c98064fdd92,0x12424ac32561493f3fe3c260708a12b7c620e7be00099a974e259ddc7d1f6395c3c811cdd19f1e8dbf3e9ecfdcbab8d6"
      },
      "Q0": {
        "x": "0x019ad3fc9c72425a998d7ab1ea0e646a1f6093444fc6965f1cad5a3195a7b1e099c050d57f45e3fa191cc6d75ed7458c,0x171c88b0b0efb5eb2b88913a9e74fe111a4f68867b59db252ce5868af4d1254bfab77ebde5d61cd1a86fb2fe4a5a1c1d",
        "y": "0x0ba10604e62bdd9eeeb4156652066167b72c8d743b050fb4c1016c31b505129374f76e03fa127d6a156213576910fef3,0x0eb22c7a543d3d376e9716a49b72e79a89c9bfe9feee8533ed931cbb5373dde1fbcd7411d8052e02693654f71e15410a"
      },
      "Q1": {
        "x": "0x113d2b9cd4bd98aee53470b27abc658d91b47a78a51584f3d4b950677cfb8a3e99c24222c406128c91296ef6b45608be,0x13855912321c5cb793e9d1e88f6f8d342d49c0b0dbac613ee9e17e3c0b3c97dfbb5a49cc3fb45102fdbaf65e0efe2632",
        "y": "0x0fd3def0b7574a1d801be44fde617162aa2e89da47f464317d9bb5abc3a7071763ce74180883ad7ad9a723a9afafcdca,0x056f617902b3c0d0f78a9a8cbda43a26b65f602f8786540b9469b060db7b38417915b413ca65f875c130bebfaa59790c"
      },
      "msg": "",
      "u": [
        "0x03dbc2cce174e91ba93cbb08f26b917f98194a2ea08d1cce75b2b9cc9f21689d80bd79b594a613d0a68eb807dfdc1cf8,0x05a2acec64114845711a54199ea339abd125ba38253b70a92c876df10598bd1986b739cad67961eb94f7076511b3b39a",
        "0x02f99798e8a5acdeed60d7e18e9120521ba1f47ec090984662846bc825de191b5b7641148c0dbc237726a334473eee94,0x145a81e418d4010cc027a68f14391b30074e89e60ee7a22f87217b2f6eb0c4b94c9115b436e6fa4607e95a98de30a435"
      ]
    },
    {
      "P": {
        "x": "0x02c2d18e033b960562aae3cab37a27ce00d80ccd5ba4b7fe0e7a210245129dbec7780ccc7954725f4168aff2787776e6,0x139cddbccdc5e91b9623efd38c49f81a6f83f175e80b06fc374de9eb4b41dfe4ca3a230ed250fbe3a2acf73a41177fd8",
        "y": "0x1787327b68159716a37440985269cf584bcb1e621d3a7202be6ea05c4cfe244aeb197642555a0645fb87bf7466b2ba48,0x00aa65dae3c8d732d10ecd2c50f8a1baf3001578f71c694e03866e9f3d49ac1e1ce70dd94a733534f106d4cec0eddd16"
      },
      "Q0": {
        "x": "0x12b2e525281b5f4d2276954e84ac4f42cf4e13b6ac4228624e17760faf94ce5706d53f0ca1952f1c5ef75239aeed55ad,0x05d8a724db78e570e34100c0bc4a5fa84ad5839359b40398151f37cff5a51de945c563463c9efbdda569850ee5a53e77",
        "y": "0x02eacdc556d0bdb5d18d22f23dcb086dd106cad713777c7e6407943edbe0b3d1efe391eedf11e977fac55f9b94f2489c,0x04bbe48bfd5814648d0b9e30f0717b34015d45a861425fabc1ee06fdfce36384ae2c808185e693ae97dcde118f34de41"
      },
      "Q1": {
        "x": "0x19f18cc5ec0c2f055e47c802acc3b0e40c337256a208001dde14b25afced146f37ea3d3ce16834c78175b3ed61f3c537,0x15b0dadc256a258b4c68ea43605dffa6d312eef215c19e6474b3e101d33b661dfee43b51abbf96fee68fc6043ac56a58",
        "y": "0x05e47c1781286e61c7ade887512bd9c2cb9f640d3be9cf87ea0bad24bd0ebfe946497b48a581ab6c7d4ca74b5147287f,0x19f98db2f4a1fcdf56a9ced7b320ea9deecf57c8e59236b0dc21f6ee7229aa9705ce9ac7fe7a31c72edca0d92370c096"
      },
      "msg": "abc",
      "u": [
        "0x15f7c0aa8f6b296ab5ff9c2c7581ade64f4ee6f1bf18f55179ff44a2cf355fa53dd2a2158c5ecb17d7c52f63e7195771,0x01c8067bf4c0ba709aa8b9abc3d1cef589a4758e09ef53732d670fd8739a7274e111ba2fcaa71b3d33df2a3a0c8529dd",
        "0x187111d5e088b6b9acfdfad078c4dacf72dcd17ca17c82be35e79f8c372a693f60a033b461d81b025864a0ad051a06e4,0x08b852331c96ed983e497ebc6dee9b75e373d923b729194af8e72a051ea586f3538a6ebb1e80881a082fa2b24df9f566"
      ]
    },
    {
      "P": {
        "x": "0x121982811d2491fde9ba7ed31ef9ca474f0e1501297f68c298e9f4c0028add35aea8bb83d53c08cfc007c1e005723cd0,0x190d119345b94fbd15497bcba94ecf7db2cbfd1e1fe7da034d26cbba169fb3968288b3fafb265f9ebd380512a71c3f2c",
        "y": "0x05571a0f8d3c08d094576981f4a3b8eda0a8e771fcdcc8ecceaf1356a6acf17574518acb506e435b639353c2e14827c8,0x0bb5e7572275c567462d91807de765611490205a941a5a6af3b1691bfe596c31225d3aabdf15faff860cb4ef17c7c3be"
      },
      "Q0": {
        "x": "0x0f48f1ea1318ddb713697708f7327781fb39718971d72a9245b9731faaca4dbaa7cca433d6c434a820c28b18e20ea208,0x06051467c8f85da5ba2540974758f7a1e0239a5981de441fdd87680a995649c211054869c50edbac1f3a86c561ba3162",
        "y": "0x168b3d6df80069dbbedb714d41b32961ad064c227355e1ce5fac8e105de5e49d77f0c64867f3834848f152497eb76333,0x134e0e8331cee8cb12f9c2d0742714ed9eee78a84d634c9a95f6a7391b37125ed48bfc6e90bf3546e99930ff67cc97bc"
      },
      "Q1": {
        "x": "0x004fd03968cd1c99a0dd84551f44c206c84dcbdb78076c5bfee24e89a92c8508b52b88b68a92258403cbe1ea2da3495f,0x1674338ea298281b636b2eb0fe593008d03171195fd6dcd4531e8a1ed1f02a72da238a17a635de307d7d24aa2d969a47",
        "y": "0x0dc7fa13fff6b12558419e0a1e94bfc3cfaf67238009991c5f24ee94b632c3d09e27eca329989aee348a67b50d5e236c,0x169585e164c131103d85324f2d7747b23b91d66ae5d947c449c8194a347969fc6bbd967729768da485ba71868df8aed2"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x0313d9325081b415bfd4e5364efaef392ecf69b087496973b229303e1816d2080971470f7da112c4eb43053130b785e1,0x062f84cb21ed89406890c051a0e8b9cf6c575cf6e8e18ecf63ba86826b0ae02548d83b483b79e48512b82a6c0686df8f",
        "0x1739123845406baa7be5c5dc74492051b6d42504de008c635f3535bb831d478a341420e67dcc7b46b2e8cba5379cca97,0x01897665d9cb5db16a27657760bbea7951f67ad68f8d55f7113f24ba6ddd82caef240a9bfa627972279974894701d975"
      ]
    },
    {
      "P": {
        "x": "0x19a84dd7248a1066f737cc34502ee5555bd3c19f2ecdb3c7d9e24dc65d4e25e50d83f0f77105e955d78f4762d33c17da,0x0934aba516a52d8ae479939a91998299c76d39cc0c035cd18813bec433f587e2d7a4fef038260eef0cef4d02aae3eb91",
        "y": "0x14f81cd421617428bc3b9fe25afbb751d934a00493524bc4e065635b0555084dd54679df1536101b2c979c0152d09192,0x09bcccfa036b4847c9950780733633f13619994394c23ff0b32fa6b795844f4a0673e20282d07bc69641cee04f5e5662"
      },
      "Q0": {
        "x": "0x09eccbc53df677f0e5814e3f86e41e146422834854a224bf5a83a50e4cc0a77bfc56718e8166ad180f53526ea9194b57,0x0c3633943f91daee715277bd644fba585168a72f96ded64fc5a384cce4ec884a4c3c30f08e09cd2129335dc8f67840ec",
        "y": "0x0eb6186a0457d5b12d132902d4468bfeb7315d83320b6c32f1c875f344efcba979952b4aa418589cb01af712f98cc555,0x119e3cf167e69eb16c1c7830e8df88856d48be12e3ff0a40791a5cd2f7221311d4bf13b1847f371f467357b3f3c0b4c7"
      },
      "Q1": {
        "x": "0x0eb3aabc1ddfce17ff18455fcc7167d15ce6b60ddc9eb9b59f8d40ab49420d35558686293d046fc1e42f864b7f60e381,0x198bdfb19d7441ebcca61e8ff774b29d17da16547d2c10c273227a635cacea3f16826322ae85717630f0867539b5ed8b",
        "y": "0x0aaf1dee3adf3ed4c80e481c09b57ea4c705e1b8d25b897f0ceeec3990748716575f92abff22a1c8f4582aff7b872d52,0x0d058d9061ed27d4259848a06c96c5ca68921a5d269b078650c882cb3c2bd424a8702b7a6ee4e0ead9982baf6843e924"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x025820cefc7d06fd38de7d8e370e0da8a52498be9b53cba9927b2ef5c6de1e12e12f188bbc7bc923864883c57e49e253,0x034147b77ce337a52e5948f66db0bab47a8d038e712123bb381899b6ab5ad20f02805601e6104c29df18c254b8618c7b",
        "0x0930315cae1f9a6017c3f0c8f2314baa130e1cf13f6532bff0a8a1790cd70af918088c3db94bda214e896e1543629795,0x10c4df2cacf67ea3cb3108b00d4cbd0b3968031ebc8eac4b1ebcefe84d6b715fde66bef0219951ece29d1facc8a520ef"
      ]
    },
    {
      "P": {
        "x": "0x01a6ba2f9a11fa5598b2d8ace0fbe0a0eacb65deceb476fbbcb64fd24557c2f4b18ecfc5663e54ae16a84f5ab7f62534,0x11fca2ff525572795a801eed17eb12785887c7b63fb77a42be46ce4a34131d71f7a73e95fee3f812aea3de78b4d01569",
        "y": "0x0b6798718c8aed24bc19cb27f866f1c9effcdbf92397ad6448b5c9db90d2b9da6cbabf48adc1adf59a1a28344e79d57e,0x03a47f8e6d1763ba0cad63d6114c0accbef65707825a511b251a660a9b3994249ae4e63fac38b23da0c398689ee2ab52"
      },
      "Q0": {
        "x": "0x17cadf8d04a1a170f8347d42856526a24cc466cb2ddfd506cff01191666b7f944e31244d662c904de5440516a2b09004,0x0d13ba91f2a8b0051cf3279ea0ee63a9f19bc9cb8bfcc7d78b3cbd8cc4fc43ba726774b28038213acf2b0095391c523e",
        "y": "0x17ef19497d6d9246fa94d35575c0f8d06ee02f21a284dbeaa78768cb1e25abd564e3381de87bda26acd04f41181610c5,0x12c3c913ba4ed03c24f0721a81a6be7430f2971ffca8fd1729aafe496bb725807531b44b34b59b3ae5495e5a2dcbd5c8"
      },
      "Q1": {
        "x": "0x16ec57b7fe04c71dfe34fb5ad84dbce5a2dbbd6ee085f1d8cd17f45e8868976fc3c51ad9eeda682c7869024d24579bfd,0x13103f7aace1ae1420d208a537f7d3a9679c287208026e4e3439ab8cd534c12856284d95e27f5e1f33eec2ce656533b0",
        "y": "0x0958b2c4c2c10fcef5a6c59b9e92c4a67b0fae3e2e0f1b6b5edad9c940b8f3524ba9ebbc3f2ceb3cfe377655b3163bd7,0x0ccb594ed8bd14ca64ed9cb4e0aba221be540f25dd0d6ba15a4a4be5d67bcf35df7853b2d8dad3ba245f1ea3697f66aa"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x190b513da3e66fc9a3587b78c76d1d132b1152174d0b83e3c1114066392579a45824c5fa17649ab89299ddd4bda54935,0x12ab625b0fe0ebd1367fe9fac57bb1168891846039b4216b9d94007b674de2d79126870e88aeef54b2ec717a887dcf39",
        "0x0e6a42010cf435fb5bacc156a585e1ea3294cc81d0ceb81924d95040298380b164f702275892cedd81b62de3aba3f6b5,0x117d9a0defc57a33ed208428cb84e54c85a6840e7648480ae428838989d25d97a0af8e3255be62b25c2a85630d2dddd8"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P256_XMD:SHA-256_SSWU_NU_.json
+++ b/test/hash-to-curve/P256_XMD:SHA-256_SSWU_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x30",
  "Z": "0xffffffff00000001000000000000000000000000fffffffffffffffffffffff5",
  "ciphersuite": "P256_XMD:SHA-256_SSWU_NU_",
  "curve": "NIST P-256",
  "dst": "QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0xf871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5ace8ddd14d1",
        "y": "0x87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4f011ddc99b"
      },
      "Q": {
        "x": "0xf871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5ace8ddd14d1",
        "y": "0x87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4f011ddc99b"
      },
      "msg": "",
      "u": [
        "0xb22d487045f80e9edcb0ecc8d4bf77833e2bf1f3a54004d7df1d57f4802d311f"
      ]
    },
    {
      "P": {
        "x": "0xfc3f5d734e8dce41ddac49f47dd2b8a57257522a865c124ed02b92b5237befa4",
        "y": "0xfe4d197ecf5a62645b9690599e1d80e82c500b22ac705a0b421fac7b47157866"
      },
      "Q": {
        "x": "0xfc3f5d734e8dce41ddac49f47dd2b8a57257522a865c124ed02b92b5237befa4",
        "y": "0xfe4d197ecf5a62645b9690599e1d80e82c500b22ac705a0b421fac7b47157866"
      },
      "msg": "abc",
      "u": [
        "0xc7f96eadac763e176629b09ed0c11992225b3a5ae99479760601cbd69c221e58"
      ]
    },
    {
      "P": {
        "x": "0xf164c6674a02207e414c257ce759d35eddc7f55be6d7f415e2cc177e5d8faa84",
        "y": "0x3aa274881d30db70485368c0467e97da0e73c18c1d00f34775d012b6fcee7f97"
      },
      "Q": {
        "x": "0xf164c6674a02207e414c257ce759d35eddc7f55be6d7f415e2cc177e5d8faa84",
        "y": "0x3aa274881d30db70485368c0467e97da0e73c18c1d00f34775d012b6fcee7f97"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x314e8585fa92068b3ea2c3bab452d4257b38be1c097d58a21890456c2929614d"
      ]
    },
    {
      "P": {
        "x": "0x324532006312be4f162614076460315f7a54a6f85544da773dc659aca0311853",
        "y": "0x8d8197374bcd52de2acfefc8a54fe2c8d8bebd2a39f16be9b710e4b1af6ef883"
      },
      "Q": {
        "x": "0x324532006312be4f162614076460315f7a54a6f85544da773dc659aca0311853",
        "y": "0x8d8197374bcd52de2acfefc8a54fe2c8d8bebd2a39f16be9b710e4b1af6ef883"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x752d8eaa38cd785a799a31d63d99c2ae4261823b4a367b133b2c6627f48858ab"
      ]
    },
    {
      "P": {
        "x": "0x5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b0691bea5d9",
        "y": "0xc801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccdcb16f7ef7b"
      },
      "Q": {
        "x": "0x5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b0691bea5d9",
        "y": "0xc801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccdcb16f7ef7b"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x0e1527840b9df2dfbef966678ff167140f2b27c4dccd884c25014dce0e41dfa3"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P256_XMD:SHA-256_SSWU_RO_.json
+++ b/test/hash-to-curve/P256_XMD:SHA-256_SSWU_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x30",
  "Z": "0xffffffff00000001000000000000000000000000fffffffffffffffffffffff5",
  "ciphersuite": "P256_XMD:SHA-256_SSWU_RO_",
  "curve": "NIST P-256",
  "dst": "QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
  },
  "hash": "sha256",
  "k": "0x80",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91c44247d3e4",
        "y": "0x8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9ab5c43e8415"
      },
      "Q0": {
        "x": "0xab640a12220d3ff283510ff3f4b1953d09fad35795140b1c5d64f313967934d5",
        "y": "0xdccb558863804a881d4fff3455716c836cef230e5209594ddd33d85c565b19b1"
      },
      "Q1": {
        "x": "0x51cce63c50d972a6e51c61334f0f4875c9ac1cd2d3238412f84e31da7d980ef5",
        "y": "0xb45d1a36d00ad90e5ec7840a60a4de411917fbe7c82c3949a6e699e5a1b66aac"
      },
      "msg": "",
      "u": [
        "0xad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba11582515009",
        "0x8c0f1d43204bd6f6ea70ae8013070a1518b43873bcd850aafa0a9e220e2eea5a"
      ]
    },
    {
      "P": {
        "x": "0x0bb8b87485551aa43ed54f009230450b492fead5f1cc91658775dac4a3388a0f",
        "y": "0x5c41b3d0731a27a7b14bc0bf0ccded2d8751f83493404c84a88e71ffd424212e"
      },
      "Q0": {
        "x": "0x5219ad0ddef3cc49b714145e91b2f7de6ce0a7a7dc7406c7726c7e373c58cb48",
        "y": "0x7950144e52d30acbec7b624c203b1996c99617d0b61c2442354301b191d93ecf"
      },
      "Q1": {
        "x": "0x019b7cb4efcfeaf39f738fe638e31d375ad6837f58a852d032ff60c69ee3875f",
        "y": "0x589a62d2b22357fed5449bc38065b760095ebe6aeac84b01156ee4252715446e"
      },
      "msg": "abc",
      "u": [
        "0xafe47f2ea2b10465cc26ac403194dfb68b7f5ee865cda61e9f3e07a537220af1",
        "0x379a27833b0bfe6f7bdca08e1e83c760bf9a338ab335542704edcd69ce9e46e0"
      ]
    },
    {
      "P": {
        "x": "0x65038ac8f2b1def042a5df0b33b1f4eca6bff7cb0f9c6c1526811864e544ed80",
        "y": "0xcad44d40a656e7aff4002a8de287abc8ae0482b5ae825822bb870d6df9b56ca3"
      },
      "Q0": {
        "x": "0xa17bdf2965eb88074bc01157e644ed409dac97cfcf0c61c998ed0fa45e79e4a2",
        "y": "0x4f1bc80c70d411a3cc1d67aeae6e726f0f311639fee560c7f5a664554e3c9c2e"
      },
      "Q1": {
        "x": "0x7da48bb67225c1a17d452c983798113f47e438e4202219dd0715f8419b274d66",
        "y": "0xb765696b2913e36db3016c47edb99e24b1da30e761a8a3215dc0ec4d8f96e6f9"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x0fad9d125a9477d55cf9357105b0eb3a5c4259809bf87180aa01d651f53d312c",
        "0xb68597377392cd3419d8fcc7d7660948c8403b19ea78bbca4b133c9d2196c0fb"
      ]
    },
    {
      "P": {
        "x": "0x4be61ee205094282ba8a2042bcb48d88dfbb609301c49aa8b078533dc65a0b5d",
        "y": "0x98f8df449a072c4721d241a3b1236d3caccba603f916ca680f4539d2bfb3c29e"
      },
      "Q0": {
        "x": "0xc76aaa823aeadeb3f356909cb08f97eee46ecb157c1f56699b5efebddf0e6398",
        "y": "0x776a6f45f528a0e8d289a4be12c4fab80762386ec644abf2bffb9b627e4352b1"
      },
      "Q1": {
        "x": "0x418ac3d85a5ccc4ea8dec14f750a3a9ec8b85176c95a7022f391826794eb5a75",
        "y": "0xfd6604f69e9d9d2b74b072d14ea13050db72c932815523305cb9e807cc900aff"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x3bbc30446f39a7befad080f4d5f32ed116b9534626993d2cc5033f6f8d805919",
        "0x76bb02db019ca9d3c1e02f0c17f8baf617bbdae5c393a81d9ce11e3be1bf1d33"
      ]
    },
    {
      "P": {
        "x": "0x457ae2981f70ca85d8e24c308b14db22f3e3862c5ea0f652ca38b5e49cd64bc5",
        "y": "0xecb9f0eadc9aeed232dabc53235368c1394c78de05dd96893eefa62b0f4757dc"
      },
      "Q0": {
        "x": "0xd88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815412e926db8",
        "y": "0xbb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f011ba32f4f40"
      },
      "Q1": {
        "x": "0xa281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6a2571c5a4b",
        "y": "0xf6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922961206e184"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x4ebc95a6e839b1ae3c63b847798e85cb3c12d3817ec6ebc10af6ee51adb29fec",
        "0x4e21af88e22ea80156aff790750121035b3eefaa96b425a8716e0d20b4e269ee"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P384_XMD:SHA-384_SSWU_NU_.json
+++ b/test/hash-to-curve/P384_XMD:SHA-384_SSWU_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x48",
  "Z": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffff3",
  "ciphersuite": "P384_XMD:SHA-384_SSWU_NU_",
  "curve": "NIST P-384",
  "dst": "QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff"
  },
  "hash": "sha384",
  "k": "0xc0",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0xde5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e72927256b033ef61058029a3bfb13c1c7ececd6641881ae20",
        "y": "0x63f46da6139785674da315c1947e06e9a0867f5608cf24724eb3793a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca"
      },
      "Q": {
        "x": "0xde5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e72927256b033ef61058029a3bfb13c1c7ececd6641881ae20",
        "y": "0x63f46da6139785674da315c1947e06e9a0867f5608cf24724eb3793a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca"
      },
      "msg": "",
      "u": [
        "0xbc7dc1b2cdc5d588a66de3276b0f24310d4aca4977efda7d6272e1be25187b001493d267dc53b56183c9e28282368e60"
      ]
    },
    {
      "P": {
        "x": "0x1f08108b87e703c86c872ab3eb198a19f2b708237ac4be53d7929fb4bd5194583f40d052f32df66afe5249c9915d139b",
        "y": "0x1369dc8d5bf038032336b989994874a2270adadb67a7fcc32f0f8824bc5118613f0ac8de04a1041d90ff8a5ad555f96c"
      },
      "Q": {
        "x": "0x1f08108b87e703c86c872ab3eb198a19f2b708237ac4be53d7929fb4bd5194583f40d052f32df66afe5249c9915d139b",
        "y": "0x1369dc8d5bf038032336b989994874a2270adadb67a7fcc32f0f8824bc5118613f0ac8de04a1041d90ff8a5ad555f96c"
      },
      "msg": "abc",
      "u": [
        "0x9de6cf41e6e41c03e4a7784ac5c885b4d1e49d6de390b3cdd5a1ac5dd8c40afb3dfd7bb2686923bab644134483fc1926"
      ]
    },
    {
      "P": {
        "x": "0x4dac31ec8a82ee3c02ba2d7c9fa431f1e59ffe65bf977b948c59e1d813c2d7963c7be81aa6db39e78ff315a10115c0d0",
        "y": "0x845333cdb5702ad5c525e603f302904d6fc84879f0ef2ee2014a6b13edd39131bfd66f7bd7cdc2d9ccf778f0c8892c3f"
      },
      "Q": {
        "x": "0x4dac31ec8a82ee3c02ba2d7c9fa431f1e59ffe65bf977b948c59e1d813c2d7963c7be81aa6db39e78ff315a10115c0d0",
        "y": "0x845333cdb5702ad5c525e603f302904d6fc84879f0ef2ee2014a6b13edd39131bfd66f7bd7cdc2d9ccf778f0c8892c3f"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x84e2d430a5e2543573e58e368af41821ca3ccc97baba7e9aab51a84543d5a0298638a22ceee6090d9d642921112af5b7"
      ]
    },
    {
      "P": {
        "x": "0x13c1f8c52a492183f7c28e379b0475486718a7e3ac1dfef39283b9ce5fb02b73f70c6c1f3dfe0c286b03e2af1af12d1d",
        "y": "0x57e101887e73e40eab8963324ed16c177d55eb89f804ec9df06801579820420b5546b579008df2145fd770f584a1a54c"
      },
      "Q": {
        "x": "0x13c1f8c52a492183f7c28e379b0475486718a7e3ac1dfef39283b9ce5fb02b73f70c6c1f3dfe0c286b03e2af1af12d1d",
        "y": "0x57e101887e73e40eab8963324ed16c177d55eb89f804ec9df06801579820420b5546b579008df2145fd770f584a1a54c"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x504e4d5a529333b9205acaa283107bd1bffde753898f7744161f7dd19ba57fbb6a64214a2e00ddd2613d76cd508ddb30"
      ]
    },
    {
      "P": {
        "x": "0xaf129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9bf1204537bdde73c7cefb752a6ed5ebcd44e183302",
        "y": "0xce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b5327943eca95d90b23b009ba45f58b72906f2a99e2"
      },
      "Q": {
        "x": "0xaf129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9bf1204537bdde73c7cefb752a6ed5ebcd44e183302",
        "y": "0xce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b5327943eca95d90b23b009ba45f58b72906f2a99e2"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x7b01ce9b8c5a60d9fbc202d6dde92822e46915d8c17e03fcb92ece1ed6074d01e149fc9236def40d673de903c1d4c166"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P384_XMD:SHA-384_SSWU_RO_.json
+++ b/test/hash-to-curve/P384_XMD:SHA-384_SSWU_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x48",
  "Z": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffff3",
  "ciphersuite": "P384_XMD:SHA-384_SSWU_RO_",
  "curve": "NIST P-384",
  "dst": "QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff"
  },
  "hash": "sha384",
  "k": "0xc0",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0xeb9fe1b4f4e14e7140803c1d99d0a93cd823d2b024040f9c067a8eca1f5a2eeac9ad604973527a356f3fa3aeff0e4d83",
        "y": "0x0c21708cff382b7f4643c07b105c2eaec2cead93a917d825601e63c8f21f6abd9abc22c93c2bed6f235954b25048bb1a"
      },
      "Q0": {
        "x": "0xe4717e29eef38d862bee4902a7d21b44efb58c464e3e1f0d03894d94de310f8ffc6de86786dd3e15a1541b18d4eb2846",
        "y": "0x6b95a6e639822312298a47526bb77d9cd7bcf76244c991c8cd70075e2ee6e8b9a135c4a37e3c0768c7ca871c0ceb53d4"
      },
      "Q1": {
        "x": "0x509527cfc0750eedc53147e6d5f78596c8a3b7360e0608e2fab0563a1670d58d8ae107c9f04bcf90e89489ace5650efd",
        "y": "0x33337b13cb35e173fdea4cb9e8cce915d836ff57803dbbeb7998aa49d17df2ff09b67031773039d09fbd9305a1566bc4"
      },
      "msg": "",
      "u": [
        "0x25c8d7dc1acd4ee617766693f7f8829396065d1b447eedb155871feffd9c6653279ac7e5c46edb7010a0e4ff64c9f3b4",
        "0x59428be4ed69131df59a0c6a8e188d2d4ece3f1b2a3a02602962b47efa4d7905945b1e2cc80b36aa35c99451073521ac"
      ]
    },
    {
      "P": {
        "x": "0xe02fc1a5f44a7519419dd314e29863f30df55a514da2d655775a81d413003c4d4e7fd59af0826dfaad4200ac6f60abe1",
        "y": "0x01f638d04d98677d65bef99aef1a12a70a4cbb9270ec55248c04530d8bc1f8f90f8a6a859a7c1f1ddccedf8f96d675f6"
      },
      "Q0": {
        "x": "0xfc853b69437aee9a19d5acf96a4ee4c5e04cf7b53406dfaa2afbdd7ad2351b7f554e4bbc6f5db4177d4d44f933a8f6ee",
        "y": "0x7e042547e01834c9043b10f3a8221c4a879cb156f04f72bfccab0c047a304e30f2aa8b2e260d34c4592c0c33dd0c6482"
      },
      "Q1": {
        "x": "0x57912293709b3556b43a2dfb137a315d256d573b82ded120ef8c782d607c05d930d958e50cb6dc1cc480b9afc38c45f1",
        "y": "0xde9387dab0eef0bda219c6f168a92645a84665c4f2137c14270fb424b7532ff84843c3da383ceea24c47fa343c227bb8"
      },
      "msg": "abc",
      "u": [
        "0x53350214cb6bef0b51abb791b1c4209a2b4c16a0c67e1ab1401017fad774cd3b3f9a8bcdf7f6229dd8dd5a075cb149a0",
        "0xc0473083898f63e03f26f14877a2407bd60c75ad491e7d26cbc6cc5ce815654075ec6b6898c7a41d74ceaf720a10c02e"
      ]
    },
    {
      "P": {
        "x": "0xbdecc1c1d870624965f19505be50459d363c71a699a496ab672f9a5d6b78676400926fbceee6fcd1780fe86e62b2aa89",
        "y": "0x57cf1f99b5ee00f3c201139b3bfe4dd30a653193778d89a0accc5e0f47e46e4e4b85a0595da29c9494c1814acafe183c"
      },
      "Q0": {
        "x": "0x0ceece45b73f89844671df962ad2932122e878ad2259e650626924e4e7f132589341dec1480ebcbbbe3509d11fb570b7",
        "y": "0xfafd71a3115298f6be4ae5c6dfc96c400cfb55760f185b7b03f3fa45f3f91eb65d27628b3c705cafd0466fafa54883ce"
      },
      "Q1": {
        "x": "0xdea1be8d3f9be4cbf4fab9d71d549dde76875b5d9b876832313a083ec81e528cbc2a0a1d0596b3bcb0ba77866b129776",
        "y": "0xeb15fe71662214fb03b65541f40d3eb0f4cf5c3b559f647da138c9f9b7484c48a08760e02c16f1992762cb7298fa52cf"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0xaab7fb87238cf6b2ab56cdcca7e028959bb2ea599d34f68484139dde85ec6548a6e48771d17956421bdb7790598ea52e",
        "0x26e8d833552d7844d167833ca5a87c35bcfaa5a0d86023479fb28e5cd6075c18b168bf1f5d2a0ea146d057971336d8d1"
      ]
    },
    {
      "P": {
        "x": "0x03c3a9f401b78c6c36a52f07eeee0ec1289f178adf78448f43a3850e0456f5dd7f7633dd31676d990eda32882ab486c0",
        "y": "0xcc183d0d7bdfd0a3af05f50e16a3f2de4abbc523215bf57c848d5ea662482b8c1f43dc453a93b94a8026db58f3f5d878"
      },
      "Q0": {
        "x": "0x051a22105e0817a35d66196338c8d85bd52690d79bba373ead8a86dd9899411513bb9f75273f6483395a7847fb21edb4",
        "y": "0xf168295c1bbcff5f8b01248e9dbc885335d6d6a04aea960f7384f746ba6502ce477e624151cc1d1392b00df0f5400c06"
      },
      "Q1": {
        "x": "0x6ad7bc8ed8b841efd8ad0765c8a23d0b968ec9aa360a558ff33500f164faa02bee6c704f5f91507c4c5aad2b0dc5b943",
        "y": "0x47313cc0a873ade774048338fc34ca5313f96bbf6ae22ac6ef475d85f03d24792dc6afba8d0b4a70170c1b4f0f716629"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x04c00051b0de6e726d228c85bf243bf5f4789efb512b22b498cde3821db9da667199b74bd5a09a79583c6d353a3bb41c",
        "0x97580f218255f899f9204db64cd15e6a312cb4d8182375d1e5157c8f80f41d6a1a4b77fb1ded9dce56c32058b8d5202b"
      ]
    },
    {
      "P": {
        "x": "0x7b18d210b1f090ac701f65f606f6ca18fb8d081e3bc6cbd937c5604325f1cdea4c15c10a54ef303aabf2ea58bd9947a4",
        "y": "0xea857285a33abb516732915c353c75c576bf82ccc96adb63c094dde580021eddeafd91f8c0bfee6f636528f3d0c47fd2"
      },
      "Q0": {
        "x": "0x42e6666f505e854187186bad3011598d9278b9d6e3e4d2503c3d236381a56748dec5d139c223129b324df53fa147c4df",
        "y": "0x8ee51dbda46413bf621838cc935d18d617881c6f33f3838a79c767a1e5618e34b22f79142df708d2432f75c7366c8512"
      },
      "Q1": {
        "x": "0x4ff01ceeba60484fa1bc0d825fe1e5e383d8f79f1e5bb78e5fb26b7a7ef758153e31e78b9d60ce75c5e32e43869d4e12",
        "y": "0x0f84b978fac8ceda7304b47e229d6037d32062e597dc7a9b95bcd9af441f3c56c619a901d21635f9ec6ab4710b9fcd0e"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x480cb3ac2c389db7f9dac9c396d2647ae946db844598971c26d1afd53912a1491199c0a5902811e4b809c26fcd37a014",
        "0xd28435eb34680e148bf3908536e42231cba9e1f73ae2c6902a222a89db5c49c97db2f8fa4d4cd6e424b17ac60bdb9bb6"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P521_XMD:SHA-512_SSWU_NU_.json
+++ b/test/hash-to-curve/P521_XMD:SHA-512_SSWU_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x62",
  "Z": "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffb",
  "ciphersuite": "P521_XMD:SHA-512_SSWU_NU_",
  "curve": "NIST P-521",
  "dst": "QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
  },
  "hash": "sha512",
  "k": "0x100",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0x01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8cee2a3672d4f1987d13974705",
        "y": "0x00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da3286eddf19be47e9c4cf0e91"
      },
      "Q": {
        "x": "0x01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8cee2a3672d4f1987d13974705",
        "y": "0x00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da3286eddf19be47e9c4cf0e91"
      },
      "msg": "",
      "u": [
        "0x01e4947fe62a4e47792cee2798912f672fff820b2556282d9843b4b465940d7683a986f93ccb0e9a191fbc09a6e770a564490d2a4ae51b287ca39f69c3d910ba6a4f"
      ]
    },
    {
      "P": {
        "x": "0x00c720ab56aa5a7a4c07a7732a0a4e1b909e32d063ae1b58db5f0eb5e09f08a9884bff55a2bef4668f715788e692c18c1915cd034a6b998311fcf46924ce66a2be9a",
        "y": "0x003570e87f91a4f3c7a56be2cb2a078ffc153862a53d5e03e5dad5bccc6c529b8bab0b7dbb157499e1949e4edab21cf5d10b782bc1e945e13d7421ad8121dbc72b1d"
      },
      "Q": {
        "x": "0x00c720ab56aa5a7a4c07a7732a0a4e1b909e32d063ae1b58db5f0eb5e09f08a9884bff55a2bef4668f715788e692c18c1915cd034a6b998311fcf46924ce66a2be9a",
        "y": "0x003570e87f91a4f3c7a56be2cb2a078ffc153862a53d5e03e5dad5bccc6c529b8bab0b7dbb157499e1949e4edab21cf5d10b782bc1e945e13d7421ad8121dbc72b1d"
      },
      "msg": "abc",
      "u": [
        "0x0019b85ef78596efc84783d42799e80d787591fe7432dee1d9fa2b7651891321be732ddf653fa8fefa34d86fb728db569d36b5b6ed3983945854b2fc2dc6a75aa25b"
      ]
    },
    {
      "P": {
        "x": "0x00bcaf32a968ff7971b3bbd9ce8edfbee1309e2019d7ff373c38387a782b005dce6ceffccfeda5c6511c8f7f312f343f3a891029c5858f45ee0bf370aba25fc990cc",
        "y": "0x00923517e767532d82cb8a0b59705eec2b7779ce05f9181c7d5d5e25694ef8ebd4696343f0bc27006834d2517215ecf79482a84111f50c1bae25044fe1dd77744bbd"
      },
      "Q": {
        "x": "0x00bcaf32a968ff7971b3bbd9ce8edfbee1309e2019d7ff373c38387a782b005dce6ceffccfeda5c6511c8f7f312f343f3a891029c5858f45ee0bf370aba25fc990cc",
        "y": "0x00923517e767532d82cb8a0b59705eec2b7779ce05f9181c7d5d5e25694ef8ebd4696343f0bc27006834d2517215ecf79482a84111f50c1bae25044fe1dd77744bbd"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x01dba0d7fa26a562ee8a9014ebc2cca4d66fd9de036176aca8fc11ef254cd1bc208847ab7701dbca7af328b3f601b11a1737a899575a5c14f4dca5aaca45e9935e07"
      ]
    },
    {
      "P": {
        "x": "0x001ac69014869b6c4ad7aa8c443c255439d36b0e48a0f57b03d6fe9c40a66b4e2eaed2a93390679a5cc44b3a91862b34b673f0e92c83187da02bf3db967d867ce748",
        "y": "0x00d5603d530e4d62b30fccfa1d90c2206654d74291c1db1c25b86a051ee3fffc294e5d56f2e776853406bd09206c63d40f37ad8829524cf89ad70b5d6e0b4a3b7341"
      },
      "Q": {
        "x": "0x001ac69014869b6c4ad7aa8c443c255439d36b0e48a0f57b03d6fe9c40a66b4e2eaed2a93390679a5cc44b3a91862b34b673f0e92c83187da02bf3db967d867ce748",
        "y": "0x00d5603d530e4d62b30fccfa1d90c2206654d74291c1db1c25b86a051ee3fffc294e5d56f2e776853406bd09206c63d40f37ad8829524cf89ad70b5d6e0b4a3b7341"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x00844da980675e1244cb209dcf3ea0aabec23bd54b2cda69fff86eb3acc318bf3d01bae96e9cd6f4c5ceb5539df9a7ad7fcc5e9d54696081ba9782f3a0f6d14987e3"
      ]
    },
    {
      "P": {
        "x": "0x01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c687668f15ec178a17e3d27349b",
        "y": "0x0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2938959a83a1f7dd4a6fd395b"
      },
      "Q": {
        "x": "0x01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c687668f15ec178a17e3d27349b",
        "y": "0x0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2938959a83a1f7dd4a6fd395b"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x01aab1fb7e5cd44ba4d9f32353a383cb1bb9eb763ed40b32bdd5f666988970205998c0e44af6e2b5f6f8e48e969b3f649cae3c6ab463e1b274d968d91c02f00cce91"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/P521_XMD:SHA-512_SSWU_RO_.json
+++ b/test/hash-to-curve/P521_XMD:SHA-512_SSWU_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x62",
  "Z": "0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffb",
  "ciphersuite": "P521_XMD:SHA-512_SSWU_RO_",
  "curve": "NIST P-521",
  "dst": "QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
  },
  "hash": "sha512",
  "k": "0x100",
  "map": {
    "name": "SSWU"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef3556ed9f7f1bc23cecc9c088",
        "y": "0x0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c27166dc3fe5eeef782be411d"
      },
      "Q0": {
        "x": "0x00b70ae99b6339fffac19cb9bfde2098b84f75e50ac1e80d6acb954e4534af5f0e9c4a5b8a9c10317b8e6421574bae2b133b4f2b8c6ce4b3063da1d91d34fa2b3a3c",
        "y": "0x007f368d98a4ddbf381fb354de40e44b19e43bb11a1278759f4ea7b485e1b6db33e750507c071250e3e443c1aaed61f2c28541bb54b1b456843eda1eb15ec2a9b36e"
      },
      "Q1": {
        "x": "0x01143d0e9cddcdacd6a9aafe1bcf8d218c0afc45d4451239e821f5d2a56df92be942660b532b2aa59a9c635ae6b30e803c45a6ac871432452e685d661cd41cf67214",
        "y": "0x00ff75515df265e996d702a5380defffab1a6d2bc232234c7bcffa433cd8aa791fbc8dcf667f08818bffa739ae25773b32073213cae9a0f2a917a0b1301a242dda0c"
      },
      "msg": "",
      "u": [
        "0x01e5f09974e5724f25286763f00ce76238c7a6e03dc396600350ee2c4135fb17dc555be99a4a4bae0fd303d4f66d984ed7b6a3ba386093752a855d26d559d69e7e9e",
        "0x00ae593b42ca2ef93ac488e9e09a5fe5a2f6fb330d18913734ff602f2a761fcaaf5f596e790bcc572c9140ec03f6cccc38f767f1c1975a0b4d70b392d95a0c7278aa"
      ]
    },
    {
      "P": {
        "x": "0x002f89a1677b28054b50d15e1f81ed6669b5a2158211118ebdef8a6efc77f8ccaa528f698214e4340155abc1fa08f8f613ef14a043717503d57e267d57155cf784a4",
        "y": "0x010e0be5dc8e753da8ce51091908b72396d3deed14ae166f66d8ebf0a4e7059ead169ea4bead0232e9b700dd380b316e9361cfdba55a08c73545563a80966ecbb86d"
      },
      "Q0": {
        "x": "0x01b254e1c99c835836f0aceebba7d77750c48366ecb07fb658e4f5b76e229ae6ca5d271bb0006ffcc42324e15a6d3daae587f9049de2dbb0494378ffb60279406f56",
        "y": "0x01845f4af72fc2b1a5a2fe966f6a97298614288b456cfc385a425b686048b25c952fbb5674057e1eb055d04568c0679a8e2dda3158dc16ac598dbb1d006f5ad915b0"
      },
      "Q1": {
        "x": "0x007f08e813c620e527c961b717ffc74aac7afccb9158cebc347d5715d5c2214f952c97e194f11d114d80d3481ed766ac0a3dba3eb73f6ff9ccb9304ad10bbd7b4a36",
        "y": "0x0022468f92041f9970a7cc025d71d5b647f822784d29ca7b3bc3b0829d6bb8581e745f8d0cc9dc6279d0450e779ac2275c4c3608064ad6779108a7828ebd9954caeb"
      },
      "msg": "abc",
      "u": [
        "0x003d00c37e95f19f358adeeaa47288ec39998039c3256e13c2a4c00a7cb61a34c8969472960150a27276f2390eb5e53e47ab193351c2d2d9f164a85c6a5696d94fe8",
        "0x01f3cbd3df3893a45a2f1fecdac4d525eb16f345b03e2820d69bc580f5cbe9cb89196fdf720ef933c4c0361fcfe29940fd0db0a5da6bafb0bee8876b589c41365f15"
      ]
    },
    {
      "P": {
        "x": "0x006e200e276a4a81760099677814d7f8794a4a5f3658442de63c18d2244dcc957c645e94cb0754f95fcf103b2aeaf94411847c24187b89fb7462ad3679066337cbc4",
        "y": "0x001dd8dfa9775b60b1614f6f169089d8140d4b3e4012949b52f98db2deff3e1d97bf73a1fa4d437d1dcdf39b6360cc518d8ebcc0f899018206fded7617b654f6b168"
      },
      "Q0": {
        "x": "0x0021482e8622aac14da60e656043f79a6a110cbae5012268a62dd6a152c41594549f373910ebed170ade892dd5a19f5d687fae7095a461d583f8c4295f7aaf8cd7da",
        "y": "0x0177e2d8c6356b7de06e0b5712d8387d529b848748e54a8bc0ef5f1475aa569f8f492fa85c3ad1c5edc51faf7911f11359bfa2a12d2ef0bd73df9cb5abd1b101c8b1"
      },
      "Q1": {
        "x": "0x00abeafb16fdbb5eb95095678d5a65c1f293291dfd20a3751dbe05d0a9bfe2d2eef19449fe59ec32cdd4a4adc3411177c0f2dffd0159438706159a1bbd0567d9b3d0",
        "y": "0x007cc657f847db9db651d91c801741060d63dab4056d0a1d3524e2eb0e819954d8f677aa353bd056244a88f00017e00c3ce8beeedb4382d83d74418bd48930c6c182"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x00183ee1a9bbdc37181b09ec336bcaa34095f91ef14b66b1485c166720523dfb81d5c470d44afcb52a87b704dbc5c9bc9d0ef524dec29884a4795f55c1359945baf3",
        "0x00504064fd137f06c81a7cf0f84aa7e92b6b3d56c2368f0a08f44776aa8930480da1582d01d7f52df31dca35ee0a7876500ece3d8fe0293cd285f790c9881c998d5e"
      ]
    },
    {
      "P": {
        "x": "0x01b264a630bd6555be537b000b99a06761a9325c53322b65bdc41bf196711f9708d58d34b3b90faf12640c27b91c70a507998e55940648caa8e71098bf2bc8d24664",
        "y": "0x01ea9f445bee198b3ee4c812dcf7b0f91e0881f0251aab272a12201fd89b1a95733fd2a699c162b639e9acdcc54fdc2f6536129b6beb0432be01aa8da02df5e59aaa"
      },
      "Q0": {
        "x": "0x0005eac7b0b81e38727efcab1e375f6779aea949c3e409b53a1d37aa2acbac87a7e6ad24aafbf3c52f82f7f0e21b872e88c55e17b7fa21ce08a94ea2121c42c2eb73",
        "y": "0x00a173b6a53a7420dbd61d4a21a7c0a52de7a5c6ce05f31403bef747d16cc8604a039a73bdd6e114340e55dacd6bea8e217ffbadfb8c292afa3e1b2afc839a6ce7bb"
      },
      "Q1": {
        "x": "0x01881e3c193a69e4d88d8180a6879b74782a0bc7e529233e9f84bf7f17d2f319c36920ffba26f9e57a1e045cc7822c834c239593b6e142a694aa00c757b0db79e5e8",
        "y": "0x01558b16d396d866e476e001f2dd0758927655450b84e12f154032c7c2a6db837942cd9f44b814f79b4d729996ced61eec61d85c675139cbffe3fbf071d2c21cfecb"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x0159871e222689aad7694dc4c3480a49807b1eedd9c8cb4ae1b219d5ba51655ea5b38e2e4f56b36bf3e3da44a7b139849d28f598c816fe1bc7ed15893b22f63363c3",
        "0x004ef0cffd475152f3858c0a8ccbdf7902d8261da92744e98df9b7fadb0a5502f29c5086e76e2cf498f47321434a40b1504911552ce44ad7356a04e08729ad9411f5"
      ]
    },
    {
      "P": {
        "x": "0x00c12bc3e28db07b6b4d2a2b1167ab9e26fc2fa85c7b0498a17b0347edf52392856d7e28b8fa7a2dd004611159505835b687ecf1a764857e27e9745848c436ef3925",
        "y": "0x01cd287df9a50c22a9231beb452346720bb163344a41c5f5a24e8335b6ccc595fd436aea89737b1281aecb411eb835f0b939073fdd1dd4d5a2492e91ef4a3c55bcbd"
      },
      "Q0": {
        "x": "0x00041f6eb92af8777260718e4c22328a7d74203350c6c8f5794d99d5789766698f459b83d5068276716f01429934e40af3d1111a22780b1e07e72238d2207e5386be",
        "y": "0x001c712f0182813942b87cab8e72337db017126f52ed797dd234584ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c880a5e76a39f6258074e1bc2e0"
      },
      "Q1": {
        "x": "0x0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec058911260dc3bb6512ab5db285fbd",
        "y": "0x008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c123e56862ce969456f99f102"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x0033d06d17bc3b9a3efc081a05d65805a14a3050a0dd4dfb4884618eb5c73980a59c5a246b18f58ad022dd3630faa22889fbb8ba1593466515e6ab4aeb7381c26334",
        "0x0092290ab99c3fea1a5b8fb2ca49f859994a04faee3301cefab312d34227f6a2d0c3322cf76861c6a3683bdaa2dd2a6daa5d6906c663e065338b2344d20e313f1114"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/curve25519_XMD:SHA-512_ELL2_NU_.json
+++ b/test/hash-to-curve/curve25519_XMD:SHA-512_ELL2_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x30",
  "Z": "0x2",
  "ciphersuite": "curve25519_XMD:SHA-512_ELL2_NU_",
  "curve": "curve25519",
  "dst": "QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
  },
  "hash": "sha512",
  "k": "0x80",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0x1bb913f0c9daefa0b3375378ffa534bda5526c97391952a7789eb976edfe4d08",
        "y": "0x4548368f4f983243e747b62a600840ae7c1dab5c723991f85d3a9768479f3ec4"
      },
      "Q": {
        "x": "0x51125222da5e763d97f3c10fcc92ea6860b9ccbbd2eb1285728f566721c1e65b",
        "y": "0x343d2204f812d3dfc5304a5808c6c0d81a903a5d228b342442aa3c9ba5520a3d"
      },
      "msg": "",
      "u": [
        "0x608d892b641f0328523802a6603427c26e55e6f27e71a91a478148d45b5093cd"
      ]
    },
    {
      "P": {
        "x": "0x7c22950b7d900fa866334262fcaea47a441a578df43b894b4625c9b450f9a026",
        "y": "0x5547bc00e4c09685dcbc6cb6765288b386d8bdcb595fa5a6e3969e08097f0541"
      },
      "Q": {
        "x": "0x7d56d1e08cb0ccb92baf069c18c49bb5a0dcd927eff8dcf75ca921ef7f3e6eeb",
        "y": "0x404d9a7dc25c9c05c44ab9a94590e7c3fe2dcec74533a0b24b188a5d5dacf429"
      },
      "msg": "abc",
      "u": [
        "0x46f5b22494bfeaa7f232cc8d054be68561af50230234d7d1d63d1d9abeca8da5"
      ]
    },
    {
      "P": {
        "x": "0x31ad08a8b0deeb2a4d8b0206ca25f567ab4e042746f792f4b7973f3ae2096c52",
        "y": "0x405070c28e78b4fa269427c82827261991b9718bd6c6e95d627d701a53c30db1"
      },
      "Q": {
        "x": "0x3fbe66b9c9883d79e8407150e7c2a1c8680bee496c62fabe4619a72b3cabe90f",
        "y": "0x08ec476147c9a0a3ff312d303dbbd076abb7551e5fce82b48ab14b433f8d0a7b"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x235fe40c443766ce7e18111c33862d66c3b33267efa50d50f9e8e5d252a40aaa"
      ]
    },
    {
      "P": {
        "x": "0x027877759d155b1997d0d84683a313eb78bdb493271d935b622900459d52ceaa",
        "y": "0x54d691731a53baa30707f4a87121d5169fb5d587d70fb0292b5830dedbec4c18"
      },
      "Q": {
        "x": "0x227e0bb89de700385d19ec40e857db6e6a3e634b1c32962f370d26f84ff19683",
        "y": "0x5f86ff3851d262727326a32c1bf7655a03665830fa7f1b8b1e5a09d85bc66e4a"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x001e92a544463bda9bd04ddbe3d6eed248f82de32f522669efc5ddce95f46f5b"
      ]
    },
    {
      "P": {
        "x": "0x5fd892c0958d1a75f54c3182a18d286efab784e774d1e017ba2fb252998b5dc1",
        "y": "0x750af3c66101737423a4519ac792fb93337bd74ee751f19da4cf1e94f4d6d0b8"
      },
      "Q": {
        "x": "0x3bcd651ee54d5f7b6013898aab251ee8ecc0688166fce6e9548d38472f6bd196",
        "y": "0x1bb36ad9197299f111b4ef21271c41f4b7ecf5543db8bb5931307ebdb2eaa465"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x1a68a1af9f663592291af987203393f707305c7bac9c8d63d6a729bdc553dc19"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/curve25519_XMD:SHA-512_ELL2_RO_.json
+++ b/test/hash-to-curve/curve25519_XMD:SHA-512_ELL2_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x30",
  "Z": "0x2",
  "ciphersuite": "curve25519_XMD:SHA-512_ELL2_RO_",
  "curve": "curve25519",
  "dst": "QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
  },
  "hash": "sha512",
  "k": "0x80",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x2de3780abb67e861289f5749d16d3e217ffa722192d16bbd9d1bfb9d112b98c0",
        "y": "0x3b5dc2a498941a1033d176567d457845637554a2fe7a3507d21abd1c1bd6e878"
      },
      "Q0": {
        "x": "0x36b4df0c864c64707cbf6cf36e9ee2c09a6cb93b28313c169be29561bb904f98",
        "y": "0x6cd59d664fb58c66c892883cd0eb792e52055284dac3907dd756b45d15c3983d"
      },
      "Q1": {
        "x": "0x3fa114783a505c0b2b2fbeef0102853c0b494e7757f2a089d0daae7ed9a0db2b",
        "y": "0x76c0fe7fec932aaafb8eefb42d9cbb32eb931158f469ff3050af15cfdbbeff94"
      },
      "msg": "",
      "u": [
        "0x005fe8a7b8fef0a16c105e6cadf5a6740b3365e18692a9c05bfbb4d97f645a6a",
        "0x1347edbec6a2b5d8c02e058819819bee177077c9d10a4ce165aab0fd0252261a"
      ]
    },
    {
      "P": {
        "x": "0x2b4419f1f2d48f5872de692b0aca72cc7b0a60915dd70bde432e826b6abc526d",
        "y": "0x1b8235f255a268f0a6fa8763e97eb3d22d149343d495da1160eff9703f2d07dd"
      },
      "Q0": {
        "x": "0x16b3d86e056b7970fa00165f6f48d90b619ad618791661b7b5e1ec78be10eac1",
        "y": "0x4ab256422d84c5120b278cbdfc4e1facc5baadffeccecf8ee9bf3946106d50ca"
      },
      "Q1": {
        "x": "0x7ec29ddbf34539c40adfa98fcb39ec36368f47f30e8f888cc7e86f4d46e0c264",
        "y": "0x10d1abc1cae2d34c06e247f2141ba897657fb39f1080d54f09ce0af128067c74"
      },
      "msg": "abc",
      "u": [
        "0x49bed021c7a3748f09fa8cdfcac044089f7829d3531066ac9e74e0994e05bc7d",
        "0x5c36525b663e63389d886105cee7ed712325d5a97e60e140aba7e2ce5ae851b6"
      ]
    },
    {
      "P": {
        "x": "0x68ca1ea5a6acf4e9956daa101709b1eee6c1bb0df1de3b90d4602382a104c036",
        "y": "0x2a375b656207123d10766e68b938b1812a4a6625ff83cb8d5e86f58a4be08353"
      },
      "Q0": {
        "x": "0x71de3dadfe268872326c35ac512164850860567aea0e7325e6b91a98f86533ad",
        "y": "0x26a08b6e9a18084c56f2147bf515414b9b63f1522e1b6c5649f7d4b0324296ec"
      },
      "Q1": {
        "x": "0x5704069021f61e41779e2ba6b932268316d6d2a6f064f997a22fef16d1eaeaca",
        "y": "0x50483c7540f64fb4497619c050f2c7fe55454ec0f0e79870bb44302e34232210"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x6412b7485ba26d3d1b6c290a8e1435b2959f03721874939b21782df17323d160",
        "0x24c7b46c1c6d9a21d32f5707be1380ab82db1054fde82865d5c9e3d968f287b2"
      ]
    },
    {
      "P": {
        "x": "0x096e9c8bae6c06b554c1ee69383bb0e82267e064236b3a30608d4ed20b73ac5a",
        "y": "0x1eb5a62612cafb32b16c3329794645b5b948d9f8ffe501d4e26b073fef6de355"
      },
      "Q0": {
        "x": "0x7a94d45a198fb5daa381f45f2619ab279744efdd8bd8ed587fc5b65d6cea1df0",
        "y": "0x67d44f85d376e64bb7d713585230cdbfafc8e2676f7568e0b6ee59361116a6e1"
      },
      "Q1": {
        "x": "0x30506fb7a32136694abd61b6113770270debe593027a968a01f271e146e60c18",
        "y": "0x7eeee0e706b40c6b5174e551426a67f975ad5a977ee2f01e8e20a6d612458c3b"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x5e123990f11bbb5586613ffabdb58d47f64bb5f2fa115f8ea8df0188e0c9e1b5",
        "0x5e8553eb00438a0bb1e7faa59dec6d8087f9c8011e5fb8ed9df31cb6c0d4ac19"
      ]
    },
    {
      "P": {
        "x": "0x1bc61845a138e912f047b5e70ba9606ba2a447a4dade024c8ef3dd42b7bbc5fe",
        "y": "0x623d05e47b70e25f7f1d51dda6d7c23c9a18ce015fe3548df596ea9e38c69bf1"
      },
      "Q0": {
        "x": "0x02d606e2699b918ee36f2818f2bc5013e437e673c9f9b9cdc15fd0c5ee913970",
        "y": "0x29e9dc92297231ef211245db9e31767996c5625dfbf92e1c8107ef887365de1e"
      },
      "Q1": {
        "x": "0x38920e9b988d1ab7449c0fa9a6058192c0c797bb3d42ac345724341a1aa98745",
        "y": "0x24dcc1be7c4d591d307e89049fd2ed30aae8911245a9d8554bf6032e5aa40d3d"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x20f481e85da7a3bf60ac0fb11ed1d0558fc6f941b3ac5469aa8b56ec883d6d7d",
        "0x017d57fd257e9a78913999a23b52ca988157a81b09c5442501d07fed20869465"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/curve448_XOF:SHAKE256_ELL2_NU_.json
+++ b/test/hash-to-curve/curve448_XOF:SHAKE256_ELL2_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x54",
  "Z": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
  "ciphersuite": "curve448_XOF:SHAKE256_ELL2_NU_",
  "curve": "curve448",
  "dst": "QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_",
  "expand": "XOF",
  "field": {
    "m": "0x1",
    "p": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
  },
  "hash": "shake_256",
  "k": "0xe0",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0xb65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afcf6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aafadc",
        "y": "0xea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4bb8b71bc83a64c771ed7686218a278ef1c5d620f3d26b53162188645453"
      },
      "Q": {
        "x": "0xe6304424de5af3f556d3e645600530c53ad949891c3e60ba041dd5f68a93901beff8440164477d348c13d28e27bfcd360c44c80b4c7d4cea",
        "y": "0x4160a8f2043a347185406a6a7e50973b98b82edbdfa3209b0e1c90118e10eeb45045b0990d4b2b0708a30eca17df40ad53c9100f20c10b44"
      },
      "msg": "",
      "u": [
        "0x242c70f74eac8184116c71630d284cf8a742fc463e710545847ff64d8e9161cb9f599728a18a32dbd8b67c3bec5d64c9b1d2f2cde7b5888d"
      ]
    },
    {
      "P": {
        "x": "0x51aceca4fa95854bbaba58d8a5e17a86c07acadef32e1188cafda26232131800002cc2f27c7aec454e5e0c615bddffb7df6a5f7f0f14793f",
        "y": "0xc590c9246eb28b08dee816d608ef233ea5d76e305dc458774a1e1bd880387e6734219e2018e4aa50a49486dce0ba8740065da37e6cf5212c"
      },
      "Q": {
        "x": "0xde0dc93df9ce7953452f20e270699c1e7dacd5d571c226d77f53b7e3053d16f8a81b1601efb362054e973c8e733b663af93f00cb81baf130",
        "y": "0x8c5bdec6fa6690905f6eff966b0f98f5a8161493bd04976684d4ec1f4512fa8743d86860b2ff2c5d67e9c145fd906f2cb89ff812c6b9883f"
      },
      "msg": "abc",
      "u": [
        "0xef6dcb75b696d325fb36d66b104700df1480c4c17ea9190d447eee1e7e4c9b7f36bbfb8ba7ba7c4cb6b07fed16531c1ac7a26a3618b40b34"
      ]
    },
    {
      "P": {
        "x": "0xc6d65987f146b8d0cb5d2c44e1872ac3af1f458f6a8bd8c232ffe8b9d09496229a5a27f350eb7d97305bcc4e0f38328718352e8e3129ed71",
        "y": "0x4d2f901bf333fdc4135b954f20d59207e9f6a4ecf88ce5af11c892b44f79766ec4ecc9f60d669b95ca8940f39b1b7044140ac2040c1bf659"
      },
      "Q": {
        "x": "0xdc29532761f03c24d57f530da4c24acc4c676d185becaa89fcc083266541fb7f10ecec91dac64a34cd988274633ae25c4d784aee52de47a8",
        "y": "0xa5f6da11259c69f2e07fce6a7b6afec4c25bd2df83426765f9c0704111da24c6a0550d5c7aac7d648d55f7640d50be99c926195e852adaac"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x3012ba5d9b3bb648e4613833a26ecaeadb3e8c8bba07fc90ac3da0375769289c44d3dc87474b23df7f45f9a4030892cda689e343aeeea6ad"
      ]
    },
    {
      "P": {
        "x": "0x9b8d008863beb4a02fb9e4efefd2eba867307fb1c7ce01746115d32e1db551bb254e8e3e4532d5c74a83949a69a60519ecc9178083cbe943",
        "y": "0x346a1fca454d1e67c628437c270ec0f0c4256bb774fe6c0e49de7004ff6d9199e2cd99d8f7575a96aafc4dc8db1811ba0a44317581f41371"
      },
      "Q": {
        "x": "0x512803d89f59c57376e6570cd54c4e901643e089cd9456f549daa4372b8b52679860b68aa8bedfaa88970f15ab6098d5f252083ac98a58c9",
        "y": "0x3d9b6593c7941a20d76161c9a171f1e507495a08f03dfcae33a2ac3602698e46a74d1039b583c984036f590eaa43d20ba5aada3ffb552f77"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0xfe952ac0149f92436bba12ea2e542aa226f4fc074d79ff462c41b327968a649a495a8a93b6c3044af2273456abb5e166ce4fb8c9b10c8c2e"
      ]
    },
    {
      "P": {
        "x": "0x8746dc34799112d1f20acda9d7f722c9abb29b1fb6b7e9e566983843c20bd7c9bfad21b45c5166b808d2f5d44e188f1fdaf29cdee8a72e4c",
        "y": "0x7c1293484c9287c298a1a0600c64347eee8530acf563cd8705e05728274d8cd8101835f8003b6f3b78b5beb28f5be188a3d7bce1ec5a36b1"
      },
      "Q": {
        "x": "0x08aed6480793218034fd3b3b0867943d7e0bd1b6f76b4929e0885bd082b84d4449341da6038bb08229ad9eb7d518dff2c7ea50148e70a4db",
        "y": "0xe00d32244561ebd4b5f4ef70fcac75a06416be0a1c1b304e7bd361a6a6586915bb902a323eaf73cf7738e70d34282f61485395ab2833d2c1"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0xafd3d7ad9d819be7561706e050d4f30b634b203387ab682739365f62cd7393ca2cf18cd07a3d3af8dd163f043ac7457c2eb145b4a56170a9"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/curve448_XOF:SHAKE256_ELL2_RO_.json
+++ b/test/hash-to-curve/curve448_XOF:SHAKE256_ELL2_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x54",
  "Z": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
  "ciphersuite": "curve448_XOF:SHAKE256_ELL2_RO_",
  "curve": "curve448",
  "dst": "QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_",
  "expand": "XOF",
  "field": {
    "m": "0x1",
    "p": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
  },
  "hash": "shake_256",
  "k": "0xe0",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdfc7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6a9ea",
        "y": "0xafadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced5c563b18e70a284c17d8f46b564c4e6ce11784a3825d941116622128c1"
      },
      "Q0": {
        "x": "0x3ba318806f89c19cc019f51e33eb6b8c038dab892e858ce7c7f2c2ac58618d06146a5fef31e49af49588d4d3db1bcf02bd4e4a733e37065d",
        "y": "0xb30b4cfc2fd14d9d4b70456c0f5c6f6070be551788893d570e7955675a20f6c286d01d6e90d2fb500d2efb8f4e18db7f8268bb9b7fbc5975"
      },
      "Q1": {
        "x": "0xf03a48cf003f63be61ca055fec87c750434da07a15f8aa6210389ff85943b5166484339c8bea1af9fc571313d35ed2fbb779408b760c4cbd",
        "y": "0x23943a33b2954dc54b76a8222faf5b7e18405a41f5ecc61bf1b8df1f9cbfad057307ed0c7b721f19c0390b8ee3a2dec223671f9ff905fda7"
      },
      "msg": "",
      "u": [
        "0xc704c7b3d3b36614cf3eedd0324fe6fe7d1402c50efd16cff89ff63f50938506280d3843478c08e24f7842f4e3ef45f6e3c4897f9d976148",
        "0xc25427dc97fff7a5ad0a78654e2c6c27b1c1127b5b53c7950cd1fd6edd2703646b25f341e73deedfebf022d1d3cecd02b93b4d585ead3ed7"
      ]
    },
    {
      "P": {
        "x": "0x9b2f7ce34878d7cebf34c582db14958308ea09366d1ec71f646411d3de0ae564d082b06f40cd30dfc08d9fb7cb21df390cf207806ad9d0e4",
        "y": "0x138a0eef0a4993ea696152ed7db61f7ddb4e8100573591e7466d61c0c568ecaec939e36a84d276f34c402526d8989a96e99760c4869ed633"
      },
      "Q0": {
        "x": "0x26714783887ec444fbade9ae350dc13e8d5a64150679232560726a73d36e28bd56766d7d0b0899d79c8d1c889ae333f601c57532ff3c4f09",
        "y": "0x080e486f8f5740dbbe82305160cab9fac247b0b22a54d961de675037c3036fa68464c8756478c322ae0aeb9ba386fe626cebb0bcca46840c"
      },
      "Q1": {
        "x": "0x0d9741d10421691a8ebc7778b5f623260fdf8b28ae28d776efcb8e0d5fbb65139a2f828617835f527cb2ca24a8f5fc8e84378343c43d096d",
        "y": "0x54f4c499bf3d5b154511913f9615bd914969b65cfb74508d7ae5a169e9595b7cbcab9a1485e07b2ce426e4fbed052f03842c4313b7dbe39a"
      },
      "msg": "abc",
      "u": [
        "0x2dd95593dfee26fe0d218d3d9a0a23d9e1a262fd1d0b602483d08415213e75e2db3c69b0a5bc89e71bcefc8c723d2b6a0cf263f02ad2aa70",
        "0x272e4c79a1290cc6d2bc4f4f9d31bf7fbe956ca303c04518f117d77c0e9d850796fc3e1e2bcb9c75e8eaaded5e150333cae9931868047c9d"
      ]
    },
    {
      "P": {
        "x": "0xf54ecd14b85a50eeeee0618452df3a75be7bfba11da5118774ae4ea55ac204e153f77285d780c4acee6c96abe3577a0c0b00be6e790cf194",
        "y": "0x935247a64bf78c107069943c7e3ecc52acb27ce4a3230407c8357341685ea2152e8c3da93f8cd77da1bddb5bb759c6e7ae7d516dced42850"
      },
      "Q0": {
        "x": "0x946d91bd50c90ef70743e0dd194bddd68bb630f4e67e5b93e15a9b94e62cb85134467993501759525c1f4fdbf06f10ddaf817847d735e062",
        "y": "0x185cf511262ec1e9b3c3cbdc015ab93df4e71cbe87766917d81c9f3419d480407c1462385122c84982d4dae60c3ae4acce0089e37ad65934"
      },
      "Q1": {
        "x": "0x01778f4797b717cd6f83c193b2dfb92a1606a36ede941b0f6ab0ac71ad0eac756d17604bf054398887da907e41065d3595f178ae802f2087",
        "y": "0xb4ca727d0bda895e0eee7eb3cbc28710fa2e90a73b568cae26bd7c2e73b70a9fa0affe1096f0810198890ed65d8935886b6e60dc4c569dc6"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x6aab71a38391639f27e49eae8b1cb6b7172a1f478190ece293957e7cdb2391e7cc1c4261970d9c1bbf9c3915438f74fbd7eb5cd4d4d17ace",
        "0xc80b8380ca47a3bcbf76caa75cef0e09f3d270d5ee8f676cde11aedf41aaca6741bd81a86232bd336ccb42efad39f06542bc06a67b65909e"
      ]
    },
    {
      "P": {
        "x": "0x5bd67c4f88adf6beb10f7e0d0054659776a55c97b809ec8b3101729e104fd0f684e103792f267fd87cc4afc25a073956ef4f268fb02824d5",
        "y": "0xda1f5cb16a352719e4cb064cf47ba72aeba7752d03e8ca2c56229f419b4ef378785a5af1a53dd7ab4d467c1f92f7b139b3752faf29c96432"
      },
      "Q0": {
        "x": "0xc2d275826d6ad55e41a22318f6b6240f1f862a2e231120ff41eadbec319756032e8cef2a7ac6c10214fa0608c17fcaf61ec2694a8a2b358b",
        "y": "0x93d2e092762b135509840e609d413200df800d99da91d8b82840666cac30e7a3520adbaa4b089bfdc86132e42729f651d022f4782502f12c"
      },
      "Q1": {
        "x": "0x3c0880ece7244036e9a45944a85599f9809d772f770cc237ac41b21aa71615e4f3bb08f64fca618896e4f6cf5bd92e16b89d2cf6e1956bfb",
        "y": "0x45cce4beb96505cac5976b3d2673641e9bcd18d3462bbb453d293e5282740a6389cfeae610adc7bd425c728541ceec83fcc999164af43fb5"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0xcb5c27e51f9c18ee8ffdb6be230f4eb4f2c2481963b2293484f08da2241c1ff59f80978e6defe9d70e34abba2fcbe12dc3a1eb2c5d3d2e4a",
        "0xc895e8afecec5466e126fa70fc4aa784b8009063afb10e3ee06a9b22318256aa8693b0c85b955cf2d6540b8ed71e729af1b8d5ca3b116cd7"
      ]
    },
    {
      "P": {
        "x": "0xea441c10b3636ecedd5c0dfcae96384cc40de8390a0ab648765b4508da12c586d55dc981275776507ebca0e4d1bcaa302bb69dcfa31b3451",
        "y": "0xfee0192d49bcc0c28d954763c2cbe739b9265c4bebe3883803c64971220cfda60b9ac99ad986cd908c0534b260b5cfca46f6c2b0f3f21bda"
      },
      "Q0": {
        "x": "0x4321ab02a9849128691e9b80a5c5576793a218de14885fddccb91f17ceb1646ea00a28b69ad211e1f14f17739612dbde3782319bdf009689",
        "y": "0x1b8a7b539519eec0ea9f7a46a43822e16cba39a439733d6847ac44a806b8adb3e1a75ea48a1228b8937ba85c6cb6ee01046e10cad8953b1e"
      },
      "Q1": {
        "x": "0x126d744da6a14fddec0f78a9cee4571c1320ac7645b600187812e4d7021f98fc4703732c54daec787206e1f34d9dbbf4b292c68160b8bfbd",
        "y": "0x136eebe6020f2389d448923899a1a38a4c8ad74254e0686e91c4f93c1f8f8e1bd619ffb7c1281467882a9c957d22d50f65c5b72b2aee11af"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x8cba93a007bb2c801b1769e026b1fa1640b14a34cf3029db3c7fd6392745d6fec0f7870b5071d6da4402cedbbde28ae4e50ab30e1049a238",
        "0x4223746145069e4b8a981acc3404259d1a2c3ecfed5d864798a89d45f81a2c59e2d40eb1d5f0fe11478cbb2bb30246dd388cb932ad7bb330"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/edwards25519_XMD:SHA-512_ELL2_NU_.json
+++ b/test/hash-to-curve/edwards25519_XMD:SHA-512_ELL2_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x30",
  "Z": "0x2",
  "ciphersuite": "edwards25519_XMD:SHA-512_ELL2_NU_",
  "curve": "edwards25519",
  "dst": "QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
  },
  "hash": "sha512",
  "k": "0x80",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0x1ff2b70ecf862799e11b7ae744e3489aa058ce805dd323a936375a84695e76da",
        "y": "0x222e314d04a4d5725e9f2aff9fb2a6b69ef375a1214eb19021ceab2d687f0f9b"
      },
      "Q": {
        "x": "0x42836f691d05211ebc65ef8fcf01e0fb6328ec9c4737c26050471e50803022eb",
        "y": "0x22cb4aaa555e23bd460262d2130d6a3c9207aa8bbb85060928beb263d6d42a95"
      },
      "msg": "",
      "u": [
        "0x7f3e7fb9428103ad7f52db32f9df32505d7b427d894c5093f7a0f0374a30641d"
      ]
    },
    {
      "P": {
        "x": "0x5f13cc69c891d86927eb37bd4afc6672360007c63f68a33ab423a3aa040fd2a8",
        "y": "0x67732d50f9a26f73111dd1ed5dba225614e538599db58ba30aaea1f5c827fa42"
      },
      "Q": {
        "x": "0x333e41b61c6dd43af220c1ac34a3663e1cf537f996bab50ab66e33c4bd8e4e19",
        "y": "0x51b6f178eb08c4a782c820e306b82c6e273ab22e258d972cd0c511787b2a3443"
      },
      "msg": "abc",
      "u": [
        "0x09cfa30ad79bd59456594a0f5d3a76f6b71c6787b04de98be5cd201a556e253b"
      ]
    },
    {
      "P": {
        "x": "0x1dd2fefce934ecfd7aae6ec998de088d7dd03316aa1847198aecf699ba6613f1",
        "y": "0x2f8a6c24dd1adde73909cada6a4a137577b0f179d336685c4a955a0a8e1a86fb"
      },
      "Q": {
        "x": "0x55186c242c78e7d0ec5b6c9553f04c6aeef64e69ec2e824472394da32647cfc6",
        "y": "0x5b9ea3c265ee42256a8f724f616307ef38496ef7eba391c08f99f3bea6fa88f0"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x475ccff99225ef90d78cc9338e9f6a6bb7b17607c0c4428937de75d33edba941"
      ]
    },
    {
      "P": {
        "x": "0x35fbdc5143e8a97afd3096f2b843e07df72e15bfca2eaf6879bf97c5d3362f73",
        "y": "0x2af6ff6ef5ebba128b0774f4296cb4c2279a074658b083b8dcca91f57a603450"
      },
      "Q": {
        "x": "0x024b6e1621606dca8071aa97b43dce4040ca78284f2a527dcf5d0fbfac2b07e7",
        "y": "0x5102353883d739bdc9f8a3af650342b171217167dcce34f8db57208ec1dfdbf2"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x049a1c8bd51bcb2aec339f387d1ff51428b88d0763a91bcdf6929814ac95d03d"
      ]
    },
    {
      "P": {
        "x": "0x6e5e1f37e99345887fc12111575fc1c3e36df4b289b8759d23af14d774b66bff",
        "y": "0x2c90c3d39eb18ff291d33441b35f3262cdd307162cc97c31bfcc7a4245891a37"
      },
      "Q": {
        "x": "0x3e6368cff6e88a58e250c54bd27d2c989ae9b3acb6067f2651ad282ab8c21cd9",
        "y": "0x38fb39f1566ca118ae6c7af42810c0bb9767ae5960abb5a8ca792530bfb9447d"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x3cb0178a8137cefa5b79a3a57c858d7eeeaa787b2781be4a362a2f0750d24fa0"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/edwards25519_XMD:SHA-512_ELL2_RO_.json
+++ b/test/hash-to-curve/edwards25519_XMD:SHA-512_ELL2_RO_.json
@@ -0,0 +1,115 @@
 {
  "L": "0x30",
  "Z": "0x2",
  "ciphersuite": "edwards25519_XMD:SHA-512_ELL2_RO_",
  "curve": "edwards25519",
  "dst": "QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_",
  "expand": "XMD",
  "field": {
    "m": "0x1",
    "p": "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
  },
  "hash": "sha512",
  "k": "0x80",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": true,
  "vectors": [
    {
      "P": {
        "x": "0x3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47b1e4822fc6",
        "y": "0x09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d795302e115dc21"
      },
      "Q0": {
        "x": "0x6549118f65bb617b9e8b438decedc73c496eaed496806d3b2eb9ee60b88e09a7",
        "y": "0x7315bcc8cf47ed68048d22bad602c6680b3382a08c7c5d3f439a973fb4cf9feb"
      },
      "Q1": {
        "x": "0x31dcfc5c58aa1bee6e760bf78cbe71c2bead8cebb2e397ece0f37a3da19c9ed2",
        "y": "0x7876d81474828d8a5928b50c82420b2bd0898d819e9550c5c82c39fc9bafa196"
      },
      "msg": "",
      "u": [
        "0x03fef4813c8cb5f98c6eef88fae174e6e7d5380de2b007799ac7ee712d203f3a",
        "0x780bdddd137290c8f589dc687795aafae35f6b674668d92bf92ae793e6a60c75"
      ]
    },
    {
      "P": {
        "x": "0x608040b42285cc0d72cbb3985c6b04c935370c7361f4b7fbdb1ae7f8c1a8ecad",
        "y": "0x1a8395b88338f22e435bbd301183e7f20a5f9de643f11882fb237f88268a5531"
      },
      "Q0": {
        "x": "0x5c1525bd5d4b4e034512949d187c39d48e8cd84242aa4758956e4adc7d445573",
        "y": "0x2bf426cf7122d1a90abc7f2d108befc2ef415ce8c2d09695a7407240faa01f29"
      },
      "Q1": {
        "x": "0x37b03bba828860c6b459ddad476c83e0f9285787a269df2156219b7e5c86210c",
        "y": "0x285ebf5412f84d0ad7bb4e136729a9ffd2195d5b8e73c0dc85110ce06958f432"
      },
      "msg": "abc",
      "u": [
        "0x5081955c4141e4e7d02ec0e36becffaa1934df4d7a270f70679c78f9bd57c227",
        "0x005bdc17a9b378b6272573a31b04361f21c371b256252ae5463119aa0b925b76"
      ]
    },
    {
      "P": {
        "x": "0x6d7fabf47a2dc03fe7d47f7dddd21082c5fb8f86743cd020f3fb147d57161472",
        "y": "0x53060a3d140e7fbcda641ed3cf42c88a75411e648a1add71217f70ea8ec561a6"
      },
      "Q0": {
        "x": "0x3ac463dd7fddb773b069c5b2b01c0f6b340638f54ee3bd92d452fcec3015b52d",
        "y": "0x7b03ba1e8db9ec0b390d5c90168a6a0b7107156c994c674b61fe696cbeb46baf"
      },
      "Q1": {
        "x": "0x0757e7e904f5e86d2d2f4acf7e01c63827fde2d363985aa7432106f1b3a444ec",
        "y": "0x50026c96930a24961e9d86aa91ea1465398ff8e42015e2ec1fa397d416f6a1c0"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0x285ebaa3be701b79871bcb6e225ecc9b0b32dff2d60424b4c50642636a78d5b3",
        "0x2e253e6a0ef658fedb8e4bd6a62d1544fd6547922acb3598ec6b369760b81b31"
      ]
    },
    {
      "P": {
        "x": "0x5fb0b92acedd16f3bcb0ef83f5c7b7a9466b5f1e0d8d217421878ea3686f8524",
        "y": "0x2eca15e355fcfa39d2982f67ddb0eea138e2994f5956ed37b7f72eea5e89d2f7"
      },
      "Q0": {
        "x": "0x703e69787ea7524541933edf41f94010a201cc841c1cce60205ec38513458872",
        "y": "0x32bb192c4f89106466f0874f5fd56a0d6b6f101cb714777983336c159a9bec75"
      },
      "Q1": {
        "x": "0x0c9077c5c31720ed9413abe59bf49ce768506128d810cb882435aa90f713ef6b",
        "y": "0x7d5aec5210db638c53f050597964b74d6dda4be5b54fa73041bf909ccb3826cb"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x4fedd25431c41f2a606952e2945ef5e3ac905a42cf64b8b4d4a83c533bf321af",
        "0x02f20716a5801b843987097a8276b6d869295b2e11253751ca72c109d37485a9"
      ]
    },
    {
      "P": {
        "x": "0x0efcfde5898a839b00997fbe40d2ebe950bc81181afbd5cd6b9618aa336c1e8c",
        "y": "0x6dc2fc04f266c5c27f236a80b14f92ccd051ef1ff027f26a07f8c0f327d8f995"
      },
      "Q0": {
        "x": "0x21091b2e3f9258c7dfa075e7ae513325a94a3d8a28e1b1cb3b5b6f5d65675592",
        "y": "0x41a33d324c89f570e0682cdf7bdb78852295daf8084c669f2cc9692896ab5026"
      },
      "Q1": {
        "x": "0x4c07ec48c373e39a23bd7954f9e9b66eeab9e5ee1279b867b3d5315aa815454f",
        "y": "0x67ccac7c3cb8d1381242d8d6585c57eabaddbb5dca5243a68a8aeb5477d94b3a"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x6e34e04a5106e9bd59f64aba49601bf09d23b27f7b594e56d5de06df4a4ea33b",
        "0x1c1c2cb59fc053f44b86c5d5eb8c1954b64976d0302d3729ff66e84068f5fd96"
      ]
    }
  ]
 }
--- a/test/hash-to-curve/edwards448_XOF:SHAKE256_ELL2_NU_.json
+++ b/test/hash-to-curve/edwards448_XOF:SHAKE256_ELL2_NU_.json
@@ -0,0 +1,90 @@
 {
  "L": "0x54",
  "Z": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
  "ciphersuite": "edwards448_XOF:SHAKE256_ELL2_NU_",
  "curve": "edwards448",
  "dst": "QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_NU_",
  "expand": "XOF",
  "field": {
    "m": "0x1",
    "p": "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
  },
  "hash": "shake_256",
  "k": "0xe0",
  "map": {
    "name": "ELL2"
  },
  "randomOracle": false,
  "vectors": [
    {
      "P": {
        "x": "0xeb5a1fc376fd73230af2de0f3374087cc7f279f0460114cf0a6c12d6d044c16de34ec2350c34b26bf110377655ab77936869d085406af71e",
        "y": "0xdf5dcea6d42e8f494b279a500d09e895d26ac703d75ca6d118e8ca58bf6f608a2a383f292fce1563ff995dce75aede1fdc8e7c0c737ae9ad"
      },
      "Q": {
        "x": "0x4b2abf8c0fca49d027c2a81bf73bb5990e05f3e76c7ba137cc0b89415ccd55ce7f191cc0c11b0560c1cdc2a8085dd56996079e05a3cd8dde",
        "y": "0x82532f5b0cb3bfb8542d3228d055bfe61129dbeae8bace80cf61f17725e8ec8226a24f0e687f78f01da88e3b2715194a03dca7c0a96bbf04"
      },
      "msg": "",
      "u": [
        "0x1368aefc0416867ea2cfc515416bcbeecc9ec81c4ecbd52ccdb91e06996b3f359bc930eef6743c7a2dd7adb785bc7093ed044efed95086d7"
      ]
    },
    {
      "P": {
        "x": "0x4623a64bceaba3202df76cd8b6e3daf70164f3fcbda6d6e340f7fab5cdf89140d955f722524f5fe4d968fef6ba2853ff4ea086c2f67d8110",
        "y": "0xabaac321a169761a8802ab5b5d10061fec1a83c670ac6bc95954700317ee5f82870120e0e2c5a21b12a0c7ad17ebd343363604c4bcecafd1"
      },
      "Q": {
        "x": "0xb1ca5bef2f157673a210f56c9b0039db8399e4749585abac64f831f74ed1ec5f591928976c687c06d57686bacb98440e77af878349cdf2d2",
        "y": "0x5bbfd6a3730d517b03c3cd9e2eed94af12891334ec090e0495c2edc588e9e10b6f63b03a62076808cbcd6da95adfb5af76c136b2d42e0dac"
      },
      "msg": "abc",
      "u": [
        "0xcda3b0ecfe054c4077007d7300969ec24f4c741300b630ec9188ebab31a5ae0065612ee22d9f793733179ffc2e10c53ca5b539057aafdc2f"
      ]
    },
    {
      "P": {
        "x": "0xe9eb562e76db093baa43a31b7edd04ec4aadcef3389a7b9c58a19cf87f8ae3d154e134b6b3ed45847a741e33df51903da681629a4b8bcc2e",
        "y": "0x0cf6606927ad7eb15dbc193993bc7e4dda744b311a8ec4274c8f738f74f605934582474c79260f60280fe35bd37d4347e59184cbfa12cbc4"
      },
      "Q": {
        "x": "0x958a51e2f02e0dfd3930709010d5d16f869adb9d8a8f7c01139911d206c20cdb7bfb40ee33ba30536a99f49362fa7633d0f417fc3914fe21",
        "y": "0xf4307a36ab6612fa97501497f01afa109733ce85875935551c3ca90f0fa7e0097a8640bb7e5dbcc38ab32b23b748790f2261f2c44c3bf3ba"
      },
      "msg": "abcdef0123456789",
      "u": [
        "0xd36bae98351512c382c7a3e1eba22497574f11fef9867901b1a2700b39fa2cd0d38ed4380387a99162b7ba0240c743f0532ef60d577c413d"
      ]
    },
    {
      "P": {
        "x": "0x122a3234d34b26c69749f23356452bf9501efa2d94859d5ef741fef024156d9d191a03a2ad24c38186f93e02d05572575968b083d8a39738",
        "y": "0xddf55e74eb4414c2c1fa4aa6bc37c4ab470a3fed6bb5af1e43570309b162fb61879bb15f9ea49c712efd42d0a71666430f9f0d4a20505050"
      },
      "Q": {
        "x": "0xe7e1f2d13548ac2c8fcd346e4c63606545bf93652011721e83ac3b64226f77a8823d3881e164bc6ca45505b236e8e3721c028052fcc9ade5",
        "y": "0x7e0f340501bf25f018b9d374c2acbdd43c07261d85a6ef3c855113d4e023634db59a87b8fab9efe04ed1fee302c8a4994e83bdda32bd9c0b"
      },
      "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
      "u": [
        "0x5945744d27122f89da3daf76ab4db9616053df64e25d30ec9a00667ee6710240579c1db8f8ef3386f3f4f413cfb325ac14094d582026a971"
      ]
    },
    {
      "P": {
        "x": "0x221704949b1ce1ab8dd174dc9b8c56fcffa27179569ce9219c0c2fe183d3d23343a4c42a0e2e9d6b9d0feb1df3883ec489b6671d1fa64089",
        "y": "0xebdecfdc87142d1a919034bf22ecfad934c9a85effff14b594ae2c00943ca62a39d6ee3be9df0bb504ce8a9e1669bc6959c42ad6a1d3b686"
      },
      "Q": {
        "x": "0x0fd3bb833c1d7a5b319d1d4117406a23b9aece976186ecb18a11a635e6fbdb920d47e04762b1f2a8c59d2f8435d0fdefe501f544cda23dbf",
        "y": "0xf13b0dad4d5eeb120f2443ac4392f8096a1396f5014ec2a3506a347fef8076a7282035cf619599b1919cf29df5ce87711c11688aab7700a6"
      },
      "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "u": [
        "0x1192e378043f01cedc7ea0209321519213b0184ea0d8575816bcd9182a367823e1eecc2faf1df8f79b24027a4b9bfa208cd320e79bef06ea"
      ]
    }
  ]
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Paul Miller	131f88b504	Release 0.6.1.	2023-01-29 05:14:10 +01:00
Paul Miller	4333e9a686	README	2023-01-29 05:12:58 +01:00
Paul Miller	a60d15ff05	Upgrading guide from other noble libraries	2023-01-29 05:10:58 +01:00
Paul Miller	ceffbc69da	More Schnorr utils	2023-01-29 04:46:38 +01:00
Paul Miller	c75129e629	Use declarative curve field validation	2023-01-28 03:19:46 +01:00
Paul Miller	f39fb80c52	weierstrass: rename normalizePrivateKey to allowedPrivateKeyLengths	2023-01-27 23:45:55 +01:00
Paul Miller	fcd422d246	README updates	2023-01-27 03:48:53 +01:00
Paul Miller	ed9bf89038	stark: isCompressed=false. Update benchmarks	2023-01-27 03:43:18 +01:00
Paul Miller	7262b4219f	Bump micro-should	2023-01-26 08:26:07 +01:00
Paul Miller	02b0b25147	New schnorr exports. Simplify RFC6979 k gen, privkey checks	2023-01-26 08:16:00 +01:00
Paul Miller	79100c2d47	Release 0.6.0.	2023-01-26 06:31:16 +01:00
Paul Miller	4ef2cad685	hash-to-curve: assertValidity	2023-01-26 06:14:12 +01:00
Paul Miller	69b3ab5a57	Shuffle code	2023-01-26 05:46:14 +01:00
Paul Miller	9465e60d30	More refactoring	2023-01-26 05:24:41 +01:00
Paul Miller	0fb78b7097	Rename group to curve. More refactoring	2023-01-26 04:14:21 +01:00
Paul Miller	be0b2a32a5	Fp rename. Edwards refactor. Weierstrass Fn instead of mod	2023-01-26 03:07:45 +01:00
Paul Miller	3d77422731	Restructure tests	2023-01-26 03:06:28 +01:00
Paul Miller	c46914f1bc	weierstrass: remove most private utils	2023-01-25 08:21:48 +01:00
Paul Miller	f250f355e8	Schnorr: remove all private methods	2023-01-25 08:14:53 +01:00
Paul Miller	c095d74673	More schnorr updates	2023-01-25 08:10:05 +01:00
Paul Miller	ac52fea952	Another schnorr adjustment	2023-01-25 07:55:21 +01:00
Paul Miller	f2ee24bee4	schnorr: remove packSig	2023-01-25 07:54:00 +01:00
Paul Miller	cffea91061	Schnorr, weierstrass: refactor	2023-01-25 07:48:53 +01:00
Paul Miller	5fc38fc0e7	weierstrass: prehash option in sign/verify. Remove _normalizePublicKey	2023-01-25 05:45:49 +01:00
Paul Miller	849dc38f3c	Change TypeError to Error	2023-01-25 05:24:22 +01:00
Paul Miller	0422e6ef38	p.x, p.y are now getters executing toAffine()	2023-01-25 04:51:08 +01:00
Paul Miller	21d2438a33	BLS: fix tests. Poseidon: more tests	2023-01-25 00:30:53 +01:00
Paul Miller	cea4696599	BLS tests: remove async	2023-01-25 00:13:39 +01:00
Paul Miller	f14b8d2be5	More AffinePoint fixes	2023-01-25 00:07:25 +01:00
Paul Miller	2ed27da8eb	weierstrass: remove affine Point	2023-01-24 06:42:44 +01:00
Paul Miller	17e5be5f1b	edwards: affine Point removal tests	2023-01-24 05:37:53 +01:00
Paul Miller	a49f0d266e	edwards: remove affine Point, Signature. Stricter types	2023-01-24 05:34:56 +01:00
Paul Miller	bfbcf733e6	Update tests	2023-01-24 04:02:45 +01:00
Paul Miller	7fda6de619	weierstrass: make points compressed by def. Rewrite drbg, k generation.	2023-01-24 04:02:38 +01:00
Paul Miller	2b908ad602	edwards: simplify bounds check	2023-01-24 04:01:28 +01:00
Paul Miller	ceb3f67faa	stark: switch to new weierstrass methods	2023-01-23 23:07:21 +01:00
Paul Miller	a2c87f9c2f	weierstrass: simplify bits2int, remove truncateHash	2023-01-23 23:06:43 +01:00
Paul Miller	e1fd346279	utils: small improvements	2023-01-23 23:06:24 +01:00
Paul Miller	11e78aadbf	Edwards: prohibit number scalars, only allow bigints	2023-01-23 20:28:01 +01:00
Paul Miller	055147f1be	Add poseidon252 snark-friendly hash	2023-01-23 19:41:19 +01:00
Paul Miller	6f99f6042e	weierstrass: bits2int, int2octets, truncateHash now comply with standard	2023-01-21 19:03:39 +01:00
Paul Miller	1e47bf2372	Bump prettier to 2.8.3 because it fails to parse bls	2023-01-21 19:02:58 +01:00
Paul Miller	40530eae0c	hash-to-curve: decrease coupling, improve tree shaking support	2023-01-21 19:02:46 +01:00
Paul Miller	b9482bb17d	Release 0.5.2.	2023-01-13 16:23:52 +01:00
Paul Miller	74475dca68	Fix lint	2023-01-13 16:02:07 +01:00
Paul Miller	f4cf21b9c8	tests: Use describe()	2023-01-13 16:00:13 +01:00
Paul Miller	5312d92b2c	edwards: Fix isTorsionFree()	2023-01-13 15:58:04 +01:00
Paul Miller	d1770c0ac7	Rename test	2023-01-13 01:29:54 +01:00
Paul Miller	2d37edf7d1	Remove utils.mod(), utils.invert()	2023-01-13 01:26:00 +01:00
Paul Miller	36998fede8	Fix sqrt	2023-01-13 01:21:51 +01:00
Paul Miller	83960d445d	Refactor: weierstrass assertValidity and others	2023-01-12 21:18:51 +01:00
Paul Miller	23cc2aa5d1	edwards, montgomery, weierstrass: refactor	2023-01-12 20:40:16 +01:00
Paul Miller	e45d7c2d25	utils: new util; ed448: small adjustment	2023-01-12 20:39:43 +01:00
Paul Miller	bfe929aac3	modular: Tonneli-Shanks refactoring	2023-01-12 20:38:42 +01:00
Paul Miller	069452dbe7	BLS, jubjub refactoring	2023-01-12 20:38:10 +01:00
Paul Miller	2e81f31d2e	ECDSA: signUnhashed(), support for key recovery from bits 2/3	2023-01-08 20:02:04 +01:00
Paul Miller	9f7df0f13b	ECDSA adjustments	2023-01-08 18:46:55 +01:00
Paul Miller	5600629bca	Refactor	2023-01-08 18:02:54 +01:00
Paul Miller	2bd5e9ac16	Release 0.5.1.	2022-12-31 10:31:10 +01:00
Paul Miller	6890c26091	Fix readme toc	2022-12-31 10:29:25 +01:00
Paul Miller	a15e3a93a9	Docs	2022-12-31 10:00:29 +01:00
Paul Miller	910c508da9	hash-to-curve: elligator in 25519, 448. Stark: adjust type	2022-12-31 07:51:29 +01:00
Paul Miller	12da04a2bb	Improve modular math	2022-12-31 07:49:42 +01:00
Paul Miller	cc2c84f040	Improve field tests	2022-12-31 07:49:09 +01:00
Paul Miller	5d42549acc	hash-to-curve: add xmd/xof support	2022-12-31 07:48:13 +01:00
Paul Miller	65d7256b9e	Release 0.5.0.	2022-12-28 08:05:22 +01:00
Paul Miller	d77a98a7aa	README, security	2022-12-28 08:04:55 +01:00
Paul Miller	1bfab42620	Update package.json	2022-12-28 07:57:42 +01:00
Paul Miller	f1ab259941	README	2022-12-28 07:52:04 +01:00
Paul Miller	242ee620c5	Merge packages into one	2022-12-28 07:37:45 +01:00
Paul Miller	d837831d22	Implement hash-to-curve for weierstrass curves, add test vectors	2022-12-28 06:31:41 +01:00
Paul Miller	cae888d942	P224: fix sha224 tests	2022-12-28 06:30:13 +01:00
Paul Miller	1ab77b95dd	Comment	2022-12-28 06:20:08 +01:00
Paul Miller	8b5819b12d	bls12: comments	2022-12-27 05:25:23 +01:00
Paul Miller	4b5560ab4b	secp256k1 tests: remove test skips	2022-12-27 05:25:09 +01:00
Paul Miller	ba121ff24c	README, lint	2022-12-27 03:16:45 +01:00
Paul Miller	0277c01efd	Rename field methods: multiply to mul	2022-12-27 02:17:11 +01:00
Paul Miller	6ffe656871	x25519/x448: swap arguments	2022-12-27 02:02:37 +01:00
Paul Miller	135e69bd7b	Utilize complete formulas for weierstrass curves	2022-12-27 01:27:09 +01:00
Paul Miller	7a34c16c2b	Add some comments, refactor a bit	2022-12-26 05:37:12 +01:00
Paul Miller	458cddcc7f	README	2022-12-24 14:04:06 +01:00
Paul Miller	ccfb8695d5	Fix ed448 import	2022-12-24 04:51:34 +01:00
		`@@ -1 +0,0 @@`
			`throw new Error('Incorrect usage. Import submodules instead');`