Release 0.6.4.

README.md

@@ -22,8 +22,7 @@ Package consists of two parts:
 
 Curves incorporate work from previous noble packages
 ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
-[ed25519](https://github.com/paulmillr/noble-ed25519),
+[ed25519](https://github.com/paulmillr/noble-ed25519)),
-[bls12-381](https://github.com/paulmillr/noble-bls12-381)),
 which had security audits and were developed from 2019 to 2022.
 Check out [Upgrading](#upgrading) section if you've used them before.
 
@@ -31,14 +30,14 @@ Check out [Upgrading](#upgrading) section if you've used them before.
 
 > **noble-crypto** — high-security, easily auditable set of contained cryptographic libraries and tools.
 
-- Minimal dependencies, small files
+- Protection against supply chain attacks
 - Easily auditable TypeScript/JS code
 - Supported in all major browsers and stable node.js versions
 - All releases are signed with PGP keys
 - Check out [homepage](https://paulmillr.com/noble/) & all libraries:
-  [curves](https://github.com/paulmillr/noble-curves) ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
+  [curves](https://github.com/paulmillr/noble-curves)
-  [ed25519](https://github.com/paulmillr/noble-ed25519),
+  ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
-  [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
+  [ed25519](https://github.com/paulmillr/noble-ed25519)),
   [hashes](https://github.com/paulmillr/noble-hashes)
 
 ## Usage
@@ -48,23 +47,7 @@ Use NPM in node.js / browser, or include single file from
 
 > npm install @noble/curves
 
-The library does not have an entry point. It allows you to select specific primitives and drop everything else. If you only want to use secp256k1, just use the library with rollup or other bundlers. This is done to make your bundles tiny.
+The library does not have an entry point. It allows you to select specific primitives and drop everything else. If you only want to use secp256k1, just use the library with rollup or other bundlers. This is done to make your bundles tiny. All curves:
-
-```ts
-// Common.js and ECMAScript Modules (ESM)
-import { secp256k1 } from '@noble/curves/secp256k1';
-
-const key = secp256k1.utils.randomPrivateKey();
-const pub = secp256k1.getPublicKey(key);
-const msg = new Uint8Array(32).fill(1);
-const sig = secp256k1.sign(msg, key);
-secp256k1.verify(sig, msg, pub) === true;
-sig.recoverPublicKey(msg) === pub;
-const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
-const shared = secp256k1.getSharedSecret(key, someonesPub);
-```
-
-All curves:
 
 ```ts
 import { secp256k1 } from '@noble/curves/secp256k1';
@@ -80,7 +63,25 @@ import { bn254 } from '@noble/curves/bn';
 import { jubjub } from '@noble/curves/jubjub';
 ```
 
-To define a custom curve, check out API below.
+Every curve can be used in the following way:
+
+```ts
+import { secp256k1 } from '@noble/curves/secp256k1'; // Common.js and ECMAScript Modules (ESM)
+
+const key = secp256k1.utils.randomPrivateKey();
+const pub = secp256k1.getPublicKey(key);
+const msg = new Uint8Array(32).fill(1);
+const sig = secp256k1.sign(msg, key);
+// weierstrass curves should use extraEntropy: https://moderncrypto.org/mail-archive/curves/2017/000925.html
+const sigImprovedSecurity = secp256k1.sign(msg, key, { extraEntropy: true });
+secp256k1.verify(sig, msg, pub) === true;
+// secp, p*, pasta curves allow pub recovery
+sig.recoverPublicKey(msg) === pub;
+const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
+const shared = secp256k1.getSharedSecret(key, someonesPub);
+```
+
+To define a custom curve, check out docs below.
 
 ## API
 
@@ -109,17 +110,20 @@ import * as utils from '@noble/curves/abstract/utils';
 They allow to define a new curve in a few lines of code:
 
 ```ts
-import { Fp } from '@noble/curves/abstract/modular';
+import { Field } from '@noble/curves/abstract/modular';
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
 import { hmac } from '@noble/hashes/hmac';
 import { sha256 } from '@noble/hashes/sha256';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
 
-const secp256k1 = weierstrass({
+// secq (NOT secp) 256k1: cycle of secp256k1 with Fp/N flipped.
+// https://zcash.github.io/halo2/background/curves.html#cycles-of-curves
+// https://personaelabs.org/posts/spartan-ecdsa
+const secq256k1 = weierstrass({
   a: 0n,
   b: 7n,
-  Fp: Fp(2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n),
+  Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n),
-  n: 2n ** 256n - 432420386565659656852420866394968145599n,
+  n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n,
   Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
   Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
   hash: sha256,

package-lock.json

@@ -0,0 +1,179 @@
+{
+  "name": "@noble/curves",
+  "version": "0.6.2",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "@noble/curves",
+      "version": "0.6.2",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@noble/hashes": "1.2.0"
+      },
+      "devDependencies": {
+        "@scure/base": "~1.1.1",
+        "@scure/bip32": "~1.1.5",
+        "@scure/bip39": "~1.1.1",
+        "@types/node": "18.11.3",
+        "fast-check": "3.0.0",
+        "micro-bmark": "0.3.0",
+        "micro-should": "0.4.0",
+        "prettier": "2.8.3",
+        "typescript": "4.7.3"
+      }
+    },
+    "node_modules/@noble/hashes": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.2.0.tgz",
+      "integrity": "sha512-FZfhjEDbT5GRswV3C6uvLPHMiVD6lQBmpoX5+eSiPaMTXte/IKqI5dykDxzZB/WBeK/CDuQRBWarPdi3FNY2zQ==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ]
+    },
+    "node_modules/@noble/secp256k1": {
+      "version": "1.7.1",
+      "resolved": "https://registry.npmjs.org/@noble/secp256k1/-/secp256k1-1.7.1.tgz",
+      "integrity": "sha512-hOUk6AyBFmqVrv7k5WAw/LpszxVbj9gGN4JRkIX52fdFAj1UA61KXmZDvqVEm+pOyec3+fIeZB02LYa/pWOArw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ]
+    },
+    "node_modules/@scure/base": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@scure/base/-/base-1.1.1.tgz",
+      "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ]
+    },
+    "node_modules/@scure/bip32": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@scure/bip32/-/bip32-1.1.5.tgz",
+      "integrity": "sha512-XyNh1rB0SkEqd3tXcXMi+Xe1fvg+kUIcoRIEujP1Jgv7DqW2r9lg3Ah0NkFaCs9sTkQAQA8kw7xiRXzENi9Rtw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ],
+      "dependencies": {
+        "@noble/hashes": "~1.2.0",
+        "@noble/secp256k1": "~1.7.0",
+        "@scure/base": "~1.1.0"
+      }
+    },
+    "node_modules/@scure/bip39": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@scure/bip39/-/bip39-1.1.1.tgz",
+      "integrity": "sha512-t+wDck2rVkh65Hmv280fYdVdY25J9YeEUIgn2LG1WM6gxFkGzcksoDiUkWVpVp3Oex9xGC68JU2dSbUfwZ2jPg==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ],
+      "dependencies": {
+        "@noble/hashes": "~1.2.0",
+        "@scure/base": "~1.1.0"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "18.11.3",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.11.3.tgz",
+      "integrity": "sha512-fNjDQzzOsZeKZu5NATgXUPsaFaTxeRgFXoosrHivTl8RGeV733OLawXsGfEk9a8/tySyZUyiZ6E8LcjPFZ2y1A==",
+      "dev": true
+    },
+    "node_modules/fast-check": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/fast-check/-/fast-check-3.0.0.tgz",
+      "integrity": "sha512-uujtrFJEQQqnIMO52ARwzPcuV4omiL1OJBUBLE9WnNFeu0A97sREXDOmCIHY+Z6KLVcemUf09rWr0q0Xy/Y/Ew==",
+      "dev": true,
+      "dependencies": {
+        "pure-rand": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/fast-check"
+      }
+    },
+    "node_modules/micro-bmark": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/micro-bmark/-/micro-bmark-0.3.0.tgz",
+      "integrity": "sha512-rYu+AtUq8lC3zPCoxkOOtwhgJoMpCDGe0/BXUCkj6+H9f/U/TunH/n/qkN98yh04dCCtDV8Aj9uYO3+DKxYrcw==",
+      "dev": true
+    },
+    "node_modules/micro-should": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/micro-should/-/micro-should-0.4.0.tgz",
+      "integrity": "sha512-Vclj8yrngSYc9Y3dL2C+AdUlTkyx/syWc4R7LYfk4h7+icfF0DoUBGjjUIaEDzZA19RzoI+Hg8rW9IRoNGP0tQ==",
+      "dev": true
+    },
+    "node_modules/prettier": {
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.8.3.tgz",
+      "integrity": "sha512-tJ/oJ4amDihPoufT5sM0Z1SKEuKay8LfVAMlbbhnnkvt6BUserZylqo2PN+p9KeljLr0OHa2rXHU1T8reeoTrw==",
+      "dev": true,
+      "bin": {
+        "prettier": "bin-prettier.js"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    },
+    "node_modules/pure-rand": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/pure-rand/-/pure-rand-5.0.5.tgz",
+      "integrity": "sha512-BwQpbqxSCBJVpamI6ydzcKqyFmnd5msMWUGvzXLm1aXvusbbgkbOto/EUPM00hjveJEaJtdbhUjKSzWRhQVkaw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/dubzzz"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fast-check"
+        }
+      ]
+    },
+    "node_modules/typescript": {
+      "version": "4.7.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.7.3.tgz",
+      "integrity": "sha512-WOkT3XYvrpXx4vMMqlD+8R8R37fZkjyLGlxavMc4iB8lrl8L0DeTcHbYgw/v0N/z9wAFsgBhcsF0ruoySS22mA==",
+      "dev": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=4.2.0"
+      }
+    }
+  }
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@noble/curves",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "lib"
@@ -21,19 +21,17 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@noble/hashes": "1.1.5"
+    "@noble/hashes": "1.2.0"
   },
   "devDependencies": {
-    "@rollup/plugin-node-resolve": "13.3.0",
     "@scure/base": "~1.1.1",
-    "@scure/bip32": "~1.1.1",
+    "@scure/bip32": "~1.1.5",
-    "@scure/bip39": "~1.1.0",
+    "@scure/bip39": "~1.1.1",
     "@types/node": "18.11.3",
     "fast-check": "3.0.0",
     "micro-bmark": "0.3.0",
     "micro-should": "0.4.0",
     "prettier": "2.8.3",
-    "rollup": "2.75.5",
     "typescript": "4.7.3"
   },
   "main": "index.js",

src/abstract/curve.ts

@@ -25,8 +25,17 @@ export type GroupConstructor<T> = {
 };
 export type Mapper<T> = (i: T[]) => T[];
 
-// Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
+// Elliptic curve multiplication of Point by scalar. Fragile.
-// Windowed method is 10% faster, but takes 2x longer to generate & consumes 2x memory.
+// Scalars should always be less than curve order: this should be checked inside of a curve itself.
+// Creates precomputation tables for fast multiplication:
+// - private scalar is split by fixed size windows of W bits
+// - every window point is collected from window's table & added to accumulator
+// - since windows are different, same point inside tables won't be accessed more than once per calc
+// - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+// - +1 window is neccessary for wNAF
+// - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+// TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
+// windows to be in different memory locations
 export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
   const constTimeNegate = (condition: boolean, item: T): T => {
     const neg = item.negate();
@@ -54,8 +63,12 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
     /**
      * Creates a wNAF precomputation window. Used for caching.
      * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
+     * Number of precomputed points depends on the curve size:
-     * @returns 65K precomputed points, depending on W
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @returns precomputed point tables flattened to a single array
      */
     precomputeWindow(elm: T, W: number): Group<T>[] {
       const { windows, windowSize } = opts(W);
@@ -76,14 +89,14 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
     },
 
     /**
-     * Implements w-ary non-adjacent form for calculating ec multiplication.
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
      * @param W window size
-     * @param affinePoint optional 2d point to save cached precompute windows on it.
+     * @param precomputes precomputed tables
-     * @param n bits
+     * @param n scalar (we don't check here, but should be less than curve order)
      * @returns real and fake (for const-time) points
      */
     wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T } {
-      // TODO: maybe check that scalar is less than group order? wNAF will fail otherwise
+      // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
       // But need to carefully remove other checks before wNAF. ORDER == bits here
       const { windows, windowSize } = opts(W);
 

src/abstract/hash-to-curve.ts

@@ -1,25 +1,15 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { Group, GroupConstructor, AffinePoint } from './curve.js';
 import { mod, Field } from './modular.js';
-import { CHash, Hex, concatBytes, ensureBytes } from './utils.js';
+import { CHash, Hex, concatBytes, ensureBytes, validateObject } from './utils.js';
 
 export type Opts = {
-  // DST: a domain separation tag
+  DST: string; // DST: a domain separation tag, defined in section 2.2.5
-  // defined in section 2.2.5
-  DST: string;
   encodeDST: string;
-  // p: the characteristic of F
+  p: bigint; // characteristic of F, where F is a finite field of characteristic p and order q = p^m
-  //    where F is a finite field of characteristic p and order q = p^m
+  m: number; // extension degree of F, m >= 1
-  p: bigint;
+  k: number; // k: the target security level for the suite in bits, defined in section 5.1
-  // m: the extension degree of F, m >= 1
+  expand?: 'xmd' | 'xof'; // use a message that has already been processed by expand_message_xmd
-  //     where F is a finite field of characteristic p and order q = p^m
-  m: number;
-  // k: the target security level for the suite in bits
-  // defined in section 5.1
-  k: number;
-  // option to use a message that has already been processed by
-  // expand_message_xmd
-  expand?: 'xmd' | 'xof';
   // Hash functions for: expand_message_xmd is appropriate for use with a
   // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
   // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
@@ -27,17 +17,6 @@ export type Opts = {
   hash: CHash;
 };
 
-export function validateOpts(opts: Opts) {
-  if (typeof opts.DST !== 'string') throw new Error('Invalid htf/DST');
-  if (typeof opts.p !== 'bigint') throw new Error('Invalid htf/p');
-  if (typeof opts.m !== 'number') throw new Error('Invalid htf/m');
-  if (typeof opts.k !== 'number') throw new Error('Invalid htf/k');
-  if (opts.expand !== 'xmd' && opts.expand !== 'xof' && opts.expand !== undefined)
-    throw new Error('Invalid htf/expand');
-  if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
-    throw new Error('Invalid htf/hash function');
-}
-
 // Global symbols in both browsers and Node.js since v11
 // See https://github.com/microsoft/TypeScript/issues/31535
 declare const TextEncoder: any;
@@ -195,20 +174,26 @@ export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
 
 export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
 
-// Separated from initialization opts, so users won't accidentally change per-curve parameters (changing DST is ok!)
+// Separated from initialization opts, so users won't accidentally change per-curve parameters
-export type htfBasicOpts = {
+// (changing DST is ok!)
-  DST: string;
+export type htfBasicOpts = { DST: string };
-};
 
 export function hashToCurve<T>(
   Point: H2CPointConstructor<T>,
   mapToCurve: MapToCurve<T>,
   def: Opts
 ) {
-  validateOpts(def);
+  validateObject(def, {
+    DST: 'string',
+    p: 'bigint',
+    m: 'isSafeInteger',
+    k: 'isSafeInteger',
+    hash: 'hash',
+  });
+  if (def.expand !== 'xmd' && def.expand !== 'xof' && def.expand !== undefined)
+    throw new Error('Invalid htf/expand');
   if (typeof mapToCurve !== 'function')
     throw new Error('hashToCurve: mapToCurve() has not been defined');
-
   return {
     // Encodes byte string to elliptic curve
     // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3

src/abstract/weierstrass.ts

@@ -636,10 +636,11 @@ export type CurveFn = {
   ProjectivePoint: ProjConstructor<bigint>;
   Signature: SignatureConstructor;
   utils: {
-    _normalizePrivateKey: (key: PrivKey) => bigint;
+    normPrivateKeyToScalar: (key: PrivKey) => bigint;
     isValidPrivateKey(privateKey: PrivKey): boolean;
     hashToPrivateKey: (hash: Hex) => Uint8Array;
     randomPrivateKey: () => Uint8Array;
+    precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
   };
 };
 
@@ -858,7 +859,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
         return false;
       }
     },
-    _normalizePrivateKey: normalizePrivateKey,
+    normPrivateKeyToScalar: normalizePrivateKey,
 
     /**
      * Converts some bytes to a valid private key. Needs at least (nBitLength+64) bytes.
@@ -993,7 +994,16 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const q = Point.BASE.multiply(k).toAffine(); // q = Gk
       const r = modN(q.x); // r = q.x mod n
       if (r === _0n) return;
-      const s = modN(ik * modN(m + modN(d * r))); // s = k^-1(m + rd) mod n
+      // X blinding according to https://tches.iacr.org/index.php/TCHES/article/view/7337/6509
+      // b * m + b * r * d ∈ [0,q−1] exposed via side-channel, but d (private scalar) is not.
+      // NOTE: there is still probable some leak in multiplication, since it is not constant-time
+      const b = ut.bytesToNumberBE(utils.randomPrivateKey()); // random scalar, b ∈ [1,q−1]
+      const bi = invN(b); // b^-1
+      const bdr = modN(b * d * r); // b * d * r
+      const bm = modN(b * m); // b * m
+      const mrx = modN(bi * modN(bdr + bm)); // b^-1(bm + bdr) -> m + rd
+
+      const s = modN(ik * mrx); // s = k^-1(m + rd) mod n
       if (s === _0n) return;
       let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
       let normS = s;

test/basic.test.js

@@ -239,6 +239,11 @@ for (const c in FIELDS) {
               deepStrictEqual(isSquare(a), true);
               deepStrictEqual(Fp.eql(Fp.sqr(root), a), true, 'sqrt(a)^2 == a');
               deepStrictEqual(Fp.eql(Fp.sqr(Fp.neg(root)), a), true, '(-sqrt(a))^2 == a');
+              // Returns odd/even element
+              deepStrictEqual(Fp.isOdd(mod.FpSqrtOdd(Fp, a)), true);
+              deepStrictEqual(Fp.isOdd(mod.FpSqrtEven(Fp, a)), false);
+              deepStrictEqual(Fp.eql(Fp.sqr(mod.FpSqrtOdd(Fp, a)), a), true);
+              deepStrictEqual(Fp.eql(Fp.sqr(mod.FpSqrtEven(Fp, a)), a), true);
             })
           );
         });
@@ -261,6 +266,9 @@ for (const c in FIELDS) {
             if (Fp.eql(a, Fp.ZERO)) return; // No division by zero
             deepStrictEqual(Fp.div(a, Fp.ONE), a);
             deepStrictEqual(Fp.div(a, a), Fp.ONE);
+            // FpDiv tests
+            deepStrictEqual(mod.FpDiv(Fp, a, Fp.ONE), a);
+            deepStrictEqual(mod.FpDiv(Fp, a, a), Fp.ONE);
           })
         );
       });
@@ -269,6 +277,7 @@ for (const c in FIELDS) {
           fc.property(FC_BIGINT, (num) => {
             const a = create(num);
             deepStrictEqual(Fp.div(Fp.ZERO, a), Fp.ZERO);
+            deepStrictEqual(mod.FpDiv(Fp, Fp.ZERO, a), Fp.ZERO);
           })
         );
       });
@@ -279,6 +288,10 @@ for (const c in FIELDS) {
             const b = create(num2);
             const c = create(num3);
             deepStrictEqual(Fp.div(Fp.add(a, b), c), Fp.add(Fp.div(a, c), Fp.div(b, c)));
+            deepStrictEqual(
+              mod.FpDiv(Fp, Fp.add(a, b), c),
+              Fp.add(mod.FpDiv(Fp, a, c), mod.FpDiv(Fp, b, c))
+            );
           })
         );
       });
@@ -521,8 +534,22 @@ for (const name in CURVES) {
         should('fromHex(toHex()) roundtrip', () => {
           fc.assert(
             fc.property(FC_BIGINT, (x) => {
-              const hex = p.BASE.multiply(x).toHex();
+              const point = p.BASE.multiply(x);
+              const hex = point.toHex();
+              const bytes = point.toRawBytes();
               deepStrictEqual(p.fromHex(hex).toHex(), hex);
+              deepStrictEqual(p.fromHex(bytes).toHex(), hex);
+            })
+          );
+        });
+        should('fromHex(toHex(compressed=true)) roundtrip', () => {
+          fc.assert(
+            fc.property(FC_BIGINT, (x) => {
+              const point = p.BASE.multiply(x);
+              const hex = point.toHex(true);
+              const bytes = point.toRawBytes(true);
+              deepStrictEqual(p.fromHex(hex).toHex(true), hex);
+              deepStrictEqual(p.fromHex(bytes).toHex(true), hex);
             })
           );
         });
@@ -561,7 +588,7 @@ for (const name in CURVES) {
           deepStrictEqual(
             C.verify(sig, msg, pub),
             true,
-            'priv=${toHex(priv)},pub=${toHex(pub)},msg=${msg}'
+            `priv=${toHex(priv)},pub=${toHex(pub)},msg=${msg}`
           );
         }),
         { numRuns: NUM_RUNS }
@@ -605,6 +632,52 @@ for (const name in CURVES) {
         deepStrictEqual(C.verify(sig, msg, C.getPublicKey(C.utils.randomPrivateKey())), false);
       });
     });
+    if (C.Signature) {
+      should('Signature serialization roundtrip', () =>
+        fc.assert(
+          fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
+            const priv = C.utils.randomPrivateKey();
+            const sig = C.sign(msg, priv);
+            const sigRS = (sig) => ({ s: sig.s, r: sig.r });
+            // Compact
+            deepStrictEqual(sigRS(C.Signature.fromCompact(sig.toCompactHex())), sigRS(sig));
+            deepStrictEqual(sigRS(C.Signature.fromCompact(sig.toCompactRawBytes())), sigRS(sig));
+            // DER
+            deepStrictEqual(sigRS(C.Signature.fromDER(sig.toDERHex())), sigRS(sig));
+            deepStrictEqual(sigRS(C.Signature.fromDER(sig.toDERRawBytes())), sigRS(sig));
+          }),
+          { numRuns: NUM_RUNS }
+        )
+      );
+      should('Signature.addRecoveryBit/Signature.recoveryPublicKey', () =>
+        fc.assert(
+          fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
+            const priv = C.utils.randomPrivateKey();
+            const pub = C.getPublicKey(priv);
+            const sig = C.sign(msg, priv);
+            deepStrictEqual(sig.recoverPublicKey(msg).toRawBytes(), pub);
+            const sig2 = C.Signature.fromCompact(sig.toCompactHex());
+            throws(() => sig2.recoverPublicKey(msg));
+            const sig3 = sig2.addRecoveryBit(sig.recovery);
+            deepStrictEqual(sig3.recoverPublicKey(msg).toRawBytes(), pub);
+          }),
+          { numRuns: NUM_RUNS }
+        )
+      );
+      should('Signature.normalizeS', () =>
+        fc.assert(
+          fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
+            const priv = C.utils.randomPrivateKey();
+            const pub = C.getPublicKey(priv);
+            const sig = C.sign(msg, priv);
+            const sig2 = sig.normalizeS();
+            deepStrictEqual(sig2.hasHighS(), false);
+          }),
+          { numRuns: NUM_RUNS }
+        )
+      );
+    }
+
     // NOTE: fails for ed, because of empty message. Since we convert it to scalar,
     // need to check what other implementations do. Empty message != new Uint8Array([0]), but what scalar should be in that case?
     // should('should not verify signature with wrong message', () => {

test/ed25519-addons.test.js

@@ -0,0 +1,290 @@
+import { sha512 } from '@noble/hashes/sha512';
+import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
+import { deepStrictEqual, strictEqual, throws } from 'assert';
+import { describe, should } from 'micro-should';
+import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
+import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };
+import { ed25519ctx, ed25519ph, RistrettoPoint, x25519 } from '../lib/esm/ed25519.js';
+
+// const ed = ed25519;
+const hex = bytesToHex;
+// const Point = ed.ExtendedPoint;
+
+const VECTORS_RFC8032_CTX = [
+  {
+    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
+    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
+    message: 'f726936d19c800494e3fdaff20b276a8',
+    context: '666f6f',
+    signature:
+      '55a4cc2f70a54e04288c5f4cd1e45a7b' +
+      'b520b36292911876cada7323198dd87a' +
+      '8b36950b95130022907a7fb7c4e9b2d5' +
+      'f6cca685a587b4b21f4b888e4e7edb0d',
+  },
+  {
+    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
+    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
+    message: 'f726936d19c800494e3fdaff20b276a8',
+    context: '626172',
+    signature:
+      'fc60d5872fc46b3aa69f8b5b4351d580' +
+      '8f92bcc044606db097abab6dbcb1aee3' +
+      '216c48e8b3b66431b5b186d1d28f8ee1' +
+      '5a5ca2df6668346291c2043d4eb3e90d',
+  },
+  {
+    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
+    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
+    message: '508e9e6882b979fea900f62adceaca35',
+    context: '666f6f',
+    signature:
+      '8b70c1cc8310e1de20ac53ce28ae6e72' +
+      '07f33c3295e03bb5c0732a1d20dc6490' +
+      '8922a8b052cf99b7c4fe107a5abb5b2c' +
+      '4085ae75890d02df26269d8945f84b0b',
+  },
+  {
+    secretKey: 'ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560',
+    publicKey: '0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772',
+    message: 'f726936d19c800494e3fdaff20b276a8',
+    context: '666f6f',
+    signature:
+      '21655b5f1aa965996b3f97b3c849eafb' +
+      'a922a0a62992f73b3d1b73106a84ad85' +
+      'e9b86a7b6005ea868337ff2d20a7f5fb' +
+      'd4cd10b0be49a68da2b2e0dc0ad8960f',
+  },
+];
+
+describe('RFC8032ctx', () => {
+  for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
+    const v = VECTORS_RFC8032_CTX[i];
+    should(`${i}`, () => {
+      deepStrictEqual(hex(ed25519ctx.getPublicKey(v.secretKey)), v.publicKey);
+      deepStrictEqual(hex(ed25519ctx.sign(v.message, v.secretKey, v.context)), v.signature);
+      deepStrictEqual(ed25519ctx.verify(v.signature, v.message, v.publicKey, v.context), true);
+    });
+  }
+});
+
+const VECTORS_RFC8032_PH = [
+  {
+    secretKey: '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42',
+    publicKey: 'ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf',
+    message: '616263',
+    signature:
+      '98a70222f0b8121aa9d30f813d683f80' +
+      '9e462b469c7ff87639499bb94e6dae41' +
+      '31f85042463c2a355a2003d062adf5aa' +
+      'a10b8c61e636062aaad11c2a26083406',
+  },
+];
+
+describe('RFC8032ph', () => {
+  for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
+    const v = VECTORS_RFC8032_PH[i];
+    should(`${i}`, () => {
+      deepStrictEqual(hex(ed25519ph.getPublicKey(v.secretKey)), v.publicKey);
+      deepStrictEqual(hex(ed25519ph.sign(v.message, v.secretKey)), v.signature);
+      deepStrictEqual(ed25519ph.verify(v.signature, v.message, v.publicKey), true);
+    });
+  }
+});
+
+// x25519
+should('X25519 base point', () => {
+  const { y } = ed25519ph.ExtendedPoint.BASE;
+  const { Fp } = ed25519ph.CURVE;
+  const u = Fp.create((y + 1n) * Fp.inv(1n - y));
+  deepStrictEqual(hex(numberToBytesLE(u, 32)), x25519.Gu);
+});
+
+describe('RFC7748', () => {
+  const rfc7748Mul = [
+    {
+      scalar: 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4',
+      u: 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c',
+      outputU: 'c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552',
+    },
+    {
+      scalar: '4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d',
+      u: 'e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493',
+      outputU: '95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957',
+    },
+  ];
+  for (let i = 0; i < rfc7748Mul.length; i++) {
+    const v = rfc7748Mul[i];
+    should(`scalarMult (${i})`, () => {
+      deepStrictEqual(hex(x25519.scalarMult(v.scalar, v.u)), v.outputU);
+    });
+  }
+
+  const rfc7748Iter = [
+    { scalar: '422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079', iters: 1 },
+    { scalar: '684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51', iters: 1000 },
+    // { scalar: '7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424', iters: 1000000 },
+  ];
+  for (let i = 0; i < rfc7748Iter.length; i++) {
+    const { scalar, iters } = rfc7748Iter[i];
+    should(`scalarMult iteration (${i})`, () => {
+      let k = x25519.Gu;
+      for (let i = 0, u = k; i < iters; i++) [k, u] = [x25519.scalarMult(k, u), k];
+      deepStrictEqual(hex(k), scalar);
+    });
+  }
+
+  should('getSharedKey', () => {
+    const alicePrivate = '77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a';
+    const alicePublic = '8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a';
+    const bobPrivate = '5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb';
+    const bobPublic = 'de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f';
+    const shared = '4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742';
+    deepStrictEqual(alicePublic, hex(x25519.getPublicKey(alicePrivate)));
+    deepStrictEqual(bobPublic, hex(x25519.getPublicKey(bobPrivate)));
+    deepStrictEqual(hex(x25519.scalarMult(alicePrivate, bobPublic)), shared);
+    deepStrictEqual(hex(x25519.scalarMult(bobPrivate, alicePublic)), shared);
+  });
+});
+describe('Wycheproof', () => {
+  const group = x25519vectors.testGroups[0];
+  should(`X25519`, () => {
+    for (let i = 0; i < group.tests.length; i++) {
+      const v = group.tests[i];
+      const comment = `(${i}, ${v.result}) ${v.comment}`;
+      if (v.result === 'valid' || v.result === 'acceptable') {
+        try {
+          const shared = hex(x25519.scalarMult(v.private, v.public));
+          deepStrictEqual(shared, v.shared, comment);
+        } catch (e) {
+          // We are more strict
+          if (e.message.includes('Expected valid scalar')) return;
+          if (e.message.includes('Invalid private or public key received')) return;
+          throw e;
+        }
+      } else if (v.result === 'invalid') {
+        let failed = false;
+        try {
+          x25519.scalarMult(v.private, v.public);
+        } catch (error) {
+          failed = true;
+        }
+        deepStrictEqual(failed, true, comment);
+      } else throw new Error('unknown test result');
+    }
+  });
+});
+
+function utf8ToBytes(str) {
+  if (typeof str !== 'string') {
+    throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+  }
+  return new TextEncoder().encode(str);
+}
+
+describe('ristretto255', () => {
+  should('follow the byte encodings of small multiples', () => {
+    const encodingsOfSmallMultiples = [
+      // This is the identity point
+      '0000000000000000000000000000000000000000000000000000000000000000',
+      // This is the basepoint
+      'e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76',
+      // These are small multiples of the basepoint
+      '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919',
+      '94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259',
+      'da80862773358b466ffadfe0b3293ab3d9fd53c5ea6c955358f568322daf6a57',
+      'e882b131016b52c1d3337080187cf768423efccbb517bb495ab812c4160ff44e',
+      'f64746d3c92b13050ed8d80236a7f0007c3b3f962f5ba793d19a601ebb1df403',
+      '44f53520926ec81fbd5a387845beb7df85a96a24ece18738bdcfa6a7822a176d',
+      '903293d8f2287ebe10e2374dc1a53e0bc887e592699f02d077d5263cdd55601c',
+      '02622ace8f7303a31cafc63f8fc48fdc16e1c8c8d234b2f0d6685282a9076031',
+      '20706fd788b2720a1ed2a5dad4952b01f413bcf0e7564de8cdc816689e2db95f',
+      'bce83f8ba5dd2fa572864c24ba1810f9522bc6004afe95877ac73241cafdab42',
+      'e4549ee16b9aa03099ca208c67adafcafa4c3f3e4e5303de6026e3ca8ff84460',
+      'aa52e000df2e16f55fb1032fc33bc42742dad6bd5a8fc0be0167436c5948501f',
+      '46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e',
+      'e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e',
+    ];
+    let B = RistrettoPoint.BASE;
+    let P = RistrettoPoint.ZERO;
+    for (const encoded of encodingsOfSmallMultiples) {
+      deepStrictEqual(P.toHex(), encoded);
+      deepStrictEqual(RistrettoPoint.fromHex(encoded).toHex(), encoded);
+      P = P.add(B);
+    }
+  });
+  should('not convert bad bytes encoding', () => {
+    const badEncodings = [
+      // These are all bad because they're non-canonical field encodings.
+      '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
+      'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+      'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+      'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+      // These are all bad because they're negative field elements.
+      '0100000000000000000000000000000000000000000000000000000000000000',
+      '01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+      'ed57ffd8c914fb201471d1c3d245ce3c746fcbe63a3679d51b6a516ebebe0e20',
+      'c34c4e1826e5d403b78e246e88aa051c36ccf0aafebffe137d148a2bf9104562',
+      'c940e5a4404157cfb1628b108db051a8d439e1a421394ec4ebccb9ec92a8ac78',
+      '47cfc5497c53dc8e61c91d17fd626ffb1c49e2bca94eed052281b510b1117a24',
+      'f1c6165d33367351b0da8f6e4511010c68174a03b6581212c71c0e1d026c3c72',
+      '87260f7a2f12495118360f02c26a470f450dadf34a413d21042b43b9d93e1309',
+      // These are all bad because they give a nonsquare x².
+      '26948d35ca62e643e26a83177332e6b6afeb9d08e4268b650f1f5bbd8d81d371',
+      '4eac077a713c57b4f4397629a4145982c661f48044dd3f96427d40b147d9742f',
+      'de6a7b00deadc788eb6b6c8d20c0ae96c2f2019078fa604fee5b87d6e989ad7b',
+      'bcab477be20861e01e4a0e295284146a510150d9817763caf1a6f4b422d67042',
+      '2a292df7e32cababbd9de088d1d1abec9fc0440f637ed2fba145094dc14bea08',
+      'f4a9e534fc0d216c44b218fa0c42d99635a0127ee2e53c712f70609649fdff22',
+      '8268436f8c4126196cf64b3c7ddbda90746a378625f9813dd9b8457077256731',
+      '2810e5cbc2cc4d4eece54f61c6f69758e289aa7ab440b3cbeaa21995c2f4232b',
+      // These are all bad because they give a negative xy value.
+      '3eb858e78f5a7254d8c9731174a94f76755fd3941c0ac93735c07ba14579630e',
+      'a45fdc55c76448c049a1ab33f17023edfb2be3581e9c7aade8a6125215e04220',
+      'd483fe813c6ba647ebbfd3ec41adca1c6130c2beeee9d9bf065c8d151c5f396e',
+      '8a2e1d30050198c65a54483123960ccc38aef6848e1ec8f5f780e8523769ba32',
+      '32888462f8b486c68ad7dd9610be5192bbeaf3b443951ac1a8118419d9fa097b',
+      '227142501b9d4355ccba290404bde41575b037693cef1f438c47f8fbf35d1165',
+      '5c37cc491da847cfeb9281d407efc41e15144c876e0170b499a96a22ed31e01e',
+      '445425117cb8c90edcbc7c1cc0e74f747f2c1efa5630a967c64f287792a48a4b',
+      // This is s = -1, which causes y = 0.
+      'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+    ];
+    for (const badBytes of badEncodings) {
+      const b = hexToBytes(badBytes);
+      throws(() => RistrettoPoint.fromHex(b), badBytes);
+    }
+  });
+  should('create right points from uniform hash', () => {
+    const labels = [
+      'Ristretto is traditionally a short shot of espresso coffee',
+      'made with the normal amount of ground coffee but extracted with',
+      'about half the amount of water in the same amount of time',
+      'by using a finer grind.',
+      'This produces a concentrated shot of coffee per volume.',
+      'Just pulling a normal shot short will produce a weaker shot',
+      'and is not a Ristretto as some believe.',
+    ];
+    const encodedHashToPoints = [
+      '3066f82a1a747d45120d1740f14358531a8f04bbffe6a819f86dfe50f44a0a46',
+      'f26e5b6f7d362d2d2a94c5d0e7602cb4773c95a2e5c31a64f133189fa76ed61b',
+      '006ccd2a9e6867e6a2c5cea83d3302cc9de128dd2a9a57dd8ee7b9d7ffe02826',
+      'f8f0c87cf237953c5890aec3998169005dae3eca1fbb04548c635953c817f92a',
+      'ae81e7dedf20a497e10c304a765c1767a42d6e06029758d2d7e8ef7cc4c41179',
+      'e2705652ff9f5e44d3e841bf1c251cf7dddb77d140870d1ab2ed64f1a9ce8628',
+      '80bd07262511cdde4863f8a7434cef696750681cb9510eea557088f76d9e5065',
+    ];
+
+    for (let i = 0; i < labels.length; i++) {
+      const hash = sha512(utf8ToBytes(labels[i]));
+      const point = RistrettoPoint.hashToCurve(hash);
+      deepStrictEqual(point.toHex(), encodedHashToPoints[i]);
+    }
+  });
+});
+
+// ESM is broken.
+import url from 'url';
+if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
+  should.run();
+}

test/ed25519.helpers.js

@@ -0,0 +1 @@
+export { ed25519, ED25519_TORSION_SUBGROUP } from '../lib/esm/ed25519.js';

test/ed25519.test.js

@@ -1,21 +1,11 @@
-import { deepEqual, deepStrictEqual, strictEqual, throws } from 'assert';
+import { deepStrictEqual, strictEqual, throws } from 'assert';
-import { describe, should } from 'micro-should';
-import * as fc from 'fast-check';
-import {
-  ed25519,
-  ed25519ctx,
-  ed25519ph,
-  x25519,
-  RistrettoPoint,
-  ED25519_TORSION_SUBGROUP,
-} from '../lib/esm/ed25519.js';
 import { readFileSync } from 'fs';
-import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
-import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
+import * as fc from 'fast-check';
-import { sha512 } from '@noble/hashes/sha512';
+import { describe, should } from 'micro-should';
+import { ed25519, ED25519_TORSION_SUBGROUP } from './ed25519.helpers.js';
 import { default as ed25519vectors } from './wycheproof/eddsa_test.json' assert { type: 'json' };
-import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };
+import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
 
 describe('ed25519', () => {
   const ed = ed25519;
@@ -292,104 +282,6 @@ describe('ed25519', () => {
   // //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
   // //   expect(await ristretto25519.verify(signature, WRONG_MESSAGE, publicKey)).toBe(false);
   // // });
-  should('ristretto255/should follow the byte encodings of small multiples', () => {
-    const encodingsOfSmallMultiples = [
-      // This is the identity point
-      '0000000000000000000000000000000000000000000000000000000000000000',
-      // This is the basepoint
-      'e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76',
-      // These are small multiples of the basepoint
-      '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919',
-      '94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259',
-      'da80862773358b466ffadfe0b3293ab3d9fd53c5ea6c955358f568322daf6a57',
-      'e882b131016b52c1d3337080187cf768423efccbb517bb495ab812c4160ff44e',
-      'f64746d3c92b13050ed8d80236a7f0007c3b3f962f5ba793d19a601ebb1df403',
-      '44f53520926ec81fbd5a387845beb7df85a96a24ece18738bdcfa6a7822a176d',
-      '903293d8f2287ebe10e2374dc1a53e0bc887e592699f02d077d5263cdd55601c',
-      '02622ace8f7303a31cafc63f8fc48fdc16e1c8c8d234b2f0d6685282a9076031',
-      '20706fd788b2720a1ed2a5dad4952b01f413bcf0e7564de8cdc816689e2db95f',
-      'bce83f8ba5dd2fa572864c24ba1810f9522bc6004afe95877ac73241cafdab42',
-      'e4549ee16b9aa03099ca208c67adafcafa4c3f3e4e5303de6026e3ca8ff84460',
-      'aa52e000df2e16f55fb1032fc33bc42742dad6bd5a8fc0be0167436c5948501f',
-      '46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e',
-      'e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e',
-    ];
-    let B = RistrettoPoint.BASE;
-    let P = RistrettoPoint.ZERO;
-    for (const encoded of encodingsOfSmallMultiples) {
-      deepStrictEqual(P.toHex(), encoded);
-      deepStrictEqual(RistrettoPoint.fromHex(encoded).toHex(), encoded);
-      P = P.add(B);
-    }
-  });
-  should('ristretto255/should not convert bad bytes encoding', () => {
-    const badEncodings = [
-      // These are all bad because they're non-canonical field encodings.
-      '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
-      'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-      'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-      'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-      // These are all bad because they're negative field elements.
-      '0100000000000000000000000000000000000000000000000000000000000000',
-      '01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-      'ed57ffd8c914fb201471d1c3d245ce3c746fcbe63a3679d51b6a516ebebe0e20',
-      'c34c4e1826e5d403b78e246e88aa051c36ccf0aafebffe137d148a2bf9104562',
-      'c940e5a4404157cfb1628b108db051a8d439e1a421394ec4ebccb9ec92a8ac78',
-      '47cfc5497c53dc8e61c91d17fd626ffb1c49e2bca94eed052281b510b1117a24',
-      'f1c6165d33367351b0da8f6e4511010c68174a03b6581212c71c0e1d026c3c72',
-      '87260f7a2f12495118360f02c26a470f450dadf34a413d21042b43b9d93e1309',
-      // These are all bad because they give a nonsquare x².
-      '26948d35ca62e643e26a83177332e6b6afeb9d08e4268b650f1f5bbd8d81d371',
-      '4eac077a713c57b4f4397629a4145982c661f48044dd3f96427d40b147d9742f',
-      'de6a7b00deadc788eb6b6c8d20c0ae96c2f2019078fa604fee5b87d6e989ad7b',
-      'bcab477be20861e01e4a0e295284146a510150d9817763caf1a6f4b422d67042',
-      '2a292df7e32cababbd9de088d1d1abec9fc0440f637ed2fba145094dc14bea08',
-      'f4a9e534fc0d216c44b218fa0c42d99635a0127ee2e53c712f70609649fdff22',
-      '8268436f8c4126196cf64b3c7ddbda90746a378625f9813dd9b8457077256731',
-      '2810e5cbc2cc4d4eece54f61c6f69758e289aa7ab440b3cbeaa21995c2f4232b',
-      // These are all bad because they give a negative xy value.
-      '3eb858e78f5a7254d8c9731174a94f76755fd3941c0ac93735c07ba14579630e',
-      'a45fdc55c76448c049a1ab33f17023edfb2be3581e9c7aade8a6125215e04220',
-      'd483fe813c6ba647ebbfd3ec41adca1c6130c2beeee9d9bf065c8d151c5f396e',
-      '8a2e1d30050198c65a54483123960ccc38aef6848e1ec8f5f780e8523769ba32',
-      '32888462f8b486c68ad7dd9610be5192bbeaf3b443951ac1a8118419d9fa097b',
-      '227142501b9d4355ccba290404bde41575b037693cef1f438c47f8fbf35d1165',
-      '5c37cc491da847cfeb9281d407efc41e15144c876e0170b499a96a22ed31e01e',
-      '445425117cb8c90edcbc7c1cc0e74f747f2c1efa5630a967c64f287792a48a4b',
-      // This is s = -1, which causes y = 0.
-      'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-    ];
-    for (const badBytes of badEncodings) {
-      const b = hexToBytes(badBytes);
-      throws(() => RistrettoPoint.fromHex(b), badBytes);
-    }
-  });
-  should('ristretto255/should create right points from uniform hash', () => {
-    const labels = [
-      'Ristretto is traditionally a short shot of espresso coffee',
-      'made with the normal amount of ground coffee but extracted with',
-      'about half the amount of water in the same amount of time',
-      'by using a finer grind.',
-      'This produces a concentrated shot of coffee per volume.',
-      'Just pulling a normal shot short will produce a weaker shot',
-      'and is not a Ristretto as some believe.',
-    ];
-    const encodedHashToPoints = [
-      '3066f82a1a747d45120d1740f14358531a8f04bbffe6a819f86dfe50f44a0a46',
-      'f26e5b6f7d362d2d2a94c5d0e7602cb4773c95a2e5c31a64f133189fa76ed61b',
-      '006ccd2a9e6867e6a2c5cea83d3302cc9de128dd2a9a57dd8ee7b9d7ffe02826',
-      'f8f0c87cf237953c5890aec3998169005dae3eca1fbb04548c635953c817f92a',
-      'ae81e7dedf20a497e10c304a765c1767a42d6e06029758d2d7e8ef7cc4c41179',
-      'e2705652ff9f5e44d3e841bf1c251cf7dddb77d140870d1ab2ed64f1a9ce8628',
-      '80bd07262511cdde4863f8a7434cef696750681cb9510eea557088f76d9e5065',
-    ];
-
-    for (let i = 0; i < labels.length; i++) {
-      const hash = sha512(utf8ToBytes(labels[i]));
-      const point = RistrettoPoint.hashToCurve(hash);
-      deepStrictEqual(point.toHex(), encodedHashToPoints[i]);
-    }
-  });
 
   should('input immutability: sign/verify are immutable', () => {
     const privateKey = ed.utils.randomPrivateKey();
@@ -432,51 +324,6 @@ describe('ed25519', () => {
     throws(() => ed.verify(sig, 'deadbeef', Point.BASE));
   });
 
-  const rfc7748Mul = [
-    {
-      scalar: 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4',
-      u: 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c',
-      outputU: 'c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552',
-    },
-    {
-      scalar: '4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d',
-      u: 'e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493',
-      outputU: '95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957',
-    },
-  ];
-  for (let i = 0; i < rfc7748Mul.length; i++) {
-    const v = rfc7748Mul[i];
-    should(`RFC7748: scalarMult (${i})`, () => {
-      deepStrictEqual(hex(x25519.scalarMult(v.scalar, v.u)), v.outputU);
-    });
-  }
-
-  const rfc7748Iter = [
-    { scalar: '422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079', iters: 1 },
-    { scalar: '684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51', iters: 1000 },
-    // { scalar: '7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424', iters: 1000000 },
-  ];
-  for (let i = 0; i < rfc7748Iter.length; i++) {
-    const { scalar, iters } = rfc7748Iter[i];
-    should(`RFC7748: scalarMult iteration (${i})`, () => {
-      let k = x25519.Gu;
-      for (let i = 0, u = k; i < iters; i++) [k, u] = [x25519.scalarMult(k, u), k];
-      deepStrictEqual(hex(k), scalar);
-    });
-  }
-
-  should('RFC7748 getSharedKey', () => {
-    const alicePrivate = '77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a';
-    const alicePublic = '8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a';
-    const bobPrivate = '5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb';
-    const bobPublic = 'de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f';
-    const shared = '4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742';
-    deepStrictEqual(alicePublic, hex(x25519.getPublicKey(alicePrivate)));
-    deepStrictEqual(bobPublic, hex(x25519.getPublicKey(bobPrivate)));
-    deepStrictEqual(hex(x25519.scalarMult(alicePrivate, bobPublic)), shared);
-    deepStrictEqual(hex(x25519.scalarMult(bobPrivate, alicePublic)), shared);
-  });
-
   // should('X25519/getSharedSecret() should be commutative', () => {
   //   for (let i = 0; i < 512; i++) {
   //     const asec = ed.utils.randomPrivateKey();
@@ -499,35 +346,6 @@ describe('ed25519', () => {
   //   );
   // });
 
-  {
-    const group = x25519vectors.testGroups[0];
-    should(`Wycheproof/X25519`, () => {
-      for (let i = 0; i < group.tests.length; i++) {
-        const v = group.tests[i];
-        const comment = `(${i}, ${v.result}) ${v.comment}`;
-        if (v.result === 'valid' || v.result === 'acceptable') {
-          try {
-            const shared = hex(x25519.scalarMult(v.private, v.public));
-            deepStrictEqual(shared, v.shared, comment);
-          } catch (e) {
-            // We are more strict
-            if (e.message.includes('Expected valid scalar')) return;
-            if (e.message.includes('Invalid private or public key received')) return;
-            throw e;
-          }
-        } else if (v.result === 'invalid') {
-          let failed = false;
-          try {
-            x25519.scalarMult(v.private, v.public);
-          } catch (error) {
-            failed = true;
-          }
-          deepStrictEqual(failed, true, comment);
-        } else throw new Error('unknown test result');
-      }
-    });
-  }
-
   should(`Wycheproof/ED25519`, () => {
     for (let g = 0; g < ed25519vectors.testGroups.length; g++) {
       const group = ed25519vectors.testGroups[g];
@@ -559,91 +377,6 @@ describe('ed25519', () => {
     deepStrictEqual(ed.verify(signature, message, publicKey), true);
   });
 
-  const VECTORS_RFC8032_CTX = [
-    {
-      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-      message: 'f726936d19c800494e3fdaff20b276a8',
-      context: '666f6f',
-      signature:
-        '55a4cc2f70a54e04288c5f4cd1e45a7b' +
-        'b520b36292911876cada7323198dd87a' +
-        '8b36950b95130022907a7fb7c4e9b2d5' +
-        'f6cca685a587b4b21f4b888e4e7edb0d',
-    },
-    {
-      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-      message: 'f726936d19c800494e3fdaff20b276a8',
-      context: '626172',
-      signature:
-        'fc60d5872fc46b3aa69f8b5b4351d580' +
-        '8f92bcc044606db097abab6dbcb1aee3' +
-        '216c48e8b3b66431b5b186d1d28f8ee1' +
-        '5a5ca2df6668346291c2043d4eb3e90d',
-    },
-    {
-      secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-      publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-      message: '508e9e6882b979fea900f62adceaca35',
-      context: '666f6f',
-      signature:
-        '8b70c1cc8310e1de20ac53ce28ae6e72' +
-        '07f33c3295e03bb5c0732a1d20dc6490' +
-        '8922a8b052cf99b7c4fe107a5abb5b2c' +
-        '4085ae75890d02df26269d8945f84b0b',
-    },
-    {
-      secretKey: 'ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560',
-      publicKey: '0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772',
-      message: 'f726936d19c800494e3fdaff20b276a8',
-      context: '666f6f',
-      signature:
-        '21655b5f1aa965996b3f97b3c849eafb' +
-        'a922a0a62992f73b3d1b73106a84ad85' +
-        'e9b86a7b6005ea868337ff2d20a7f5fb' +
-        'd4cd10b0be49a68da2b2e0dc0ad8960f',
-    },
-  ];
-
-  for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
-    const v = VECTORS_RFC8032_CTX[i];
-    should(`RFC8032ctx/${i}`, () => {
-      deepStrictEqual(hex(ed25519ctx.getPublicKey(v.secretKey)), v.publicKey);
-      deepStrictEqual(hex(ed25519ctx.sign(v.message, v.secretKey, v.context)), v.signature);
-      deepStrictEqual(ed25519ctx.verify(v.signature, v.message, v.publicKey, v.context), true);
-    });
-  }
-
-  const VECTORS_RFC8032_PH = [
-    {
-      secretKey: '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42',
-      publicKey: 'ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf',
-      message: '616263',
-      signature:
-        '98a70222f0b8121aa9d30f813d683f80' +
-        '9e462b469c7ff87639499bb94e6dae41' +
-        '31f85042463c2a355a2003d062adf5aa' +
-        'a10b8c61e636062aaad11c2a26083406',
-    },
-  ];
-
-  for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
-    const v = VECTORS_RFC8032_PH[i];
-    should(`RFC8032ph/${i}`, () => {
-      deepStrictEqual(hex(ed25519ph.getPublicKey(v.secretKey)), v.publicKey);
-      deepStrictEqual(hex(ed25519ph.sign(v.message, v.secretKey)), v.signature);
-      deepStrictEqual(ed25519ph.verify(v.signature, v.message, v.publicKey), true);
-    });
-  }
-
-  should('X25519 base point', () => {
-    const { y } = ed25519.ExtendedPoint.BASE;
-    const { Fp } = ed25519.CURVE;
-    const u = Fp.create((y + 1n) * Fp.inv(1n - y));
-    deepStrictEqual(hex(numberToBytesLE(u, 32)), x25519.Gu);
-  });
-
   should('isTorsionFree()', () => {
     const orig = ed.utils.getExtendedPublicKey(ed.utils.randomPrivateKey()).point;
     for (const hex of ED25519_TORSION_SUBGROUP.slice(1)) {

test/index.test.js

@@ -6,6 +6,7 @@ import './nist.test.js';
 import './ed448.test.js';
 import './ed25519.test.js';
 import './secp256k1.test.js';
+import './secp256k1-schnorr.test.js';
 import './stark/index.test.js';
 import './jubjub.test.js';
 import './bls12-381.test.js';

test/secp256k1-schnorr.test.js

@@ -0,0 +1,34 @@
+import { deepStrictEqual, throws } from 'assert';
+import { readFileSync } from 'fs';
+import { should, describe } from 'micro-should';
+import { bytesToHex as hex } from '@noble/hashes/utils';
+import { schnorr } from '../lib/esm/secp256k1.js';
+const schCsv = readFileSync('./test/vectors/schnorr.csv', 'utf-8');
+
+describe('schnorr.sign()', () => {
+  // index,secret key,public key,aux_rand,message,signature,verification result,comment
+  const vectors = schCsv
+    .split('\n')
+    .map((line) => line.split(','))
+    .slice(1, -1);
+  for (let vec of vectors) {
+    const [index, sec, pub, rnd, msg, expSig, passes, comment] = vec;
+    should(`${comment || 'vector ' + index}`, () => {
+      if (sec) {
+        deepStrictEqual(hex(schnorr.getPublicKey(sec)), pub.toLowerCase());
+        const sig = schnorr.sign(msg, sec, rnd);
+        deepStrictEqual(hex(sig), expSig.toLowerCase());
+        deepStrictEqual(schnorr.verify(sig, msg, pub), true);
+      } else {
+        const passed = schnorr.verify(expSig, msg, pub);
+        deepStrictEqual(passed, passes === 'TRUE');
+      }
+    });
+  }
+});
+
+// ESM is broken.
+import url from 'url';
+if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
+  should.run();
+}

test/secp256k1.helpers.js

@@ -0,0 +1,14 @@
+// @ts-ignore
+export { secp256k1 as secp } from '../lib/esm/secp256k1.js';
+import { secp256k1 as _secp } from '../lib/esm/secp256k1.js';
+export { bytesToNumberBE, numberToBytesBE } from '../lib/esm/abstract/utils.js';
+export { mod } from '../lib/esm/abstract/modular.js';
+export const sigFromDER = (der) => {
+  return _secp.Signature.fromDER(der);
+};
+export const sigToDER = (sig) => sig.toDERHex();
+export const selectHash = (secp) => secp.CURVE.hash;
+export const normVerifySig = (s) => _secp.Signature.fromDER(s);
+// export const bytesToNumberBE = secp256k1.utils.bytesToNumberBE;
+// export const numberToBytesBE = secp256k1.utils.numberToBytesBE;
+// export const mod = mod_;

test/secp256k1.test.js

@@ -1,22 +1,21 @@
+import { hexToBytes, bytesToHex as hex } from '@noble/hashes/utils';
+import { deepStrictEqual, throws } from 'assert';
 import * as fc from 'fast-check';
-import { secp256k1, schnorr } from '../lib/esm/secp256k1.js';
-import { Fp } from '../lib/esm/abstract/modular.js';
-import { bytesToNumberBE, ensureBytes, numberToBytesBE } from '../lib/esm/abstract/utils.js';
 import { readFileSync } from 'fs';
+import { should, describe } from 'micro-should';
+// prettier-ignore
+import {
+  secp, sigFromDER, sigToDER, selectHash, normVerifySig, mod, bytesToNumberBE, numberToBytesBE
+} from './secp256k1.helpers.js';
+
 import { default as ecdsa } from './vectors/ecdsa.json' assert { type: 'json' };
 import { default as ecdh } from './vectors/ecdh.json' assert { type: 'json' };
 import { default as privates } from './vectors/privates.json' assert { type: 'json' };
 import { default as points } from './vectors/points.json' assert { type: 'json' };
 import { default as wp } from './vectors/wychenproof.json' assert { type: 'json' };
-import { should, describe } from 'micro-should';
-import { deepStrictEqual, throws } from 'assert';
-import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
 
-const hex = bytesToHex;
-const secp = secp256k1;
 const Point = secp.ProjectivePoint;
 const privatesTxt = readFileSync('./test/vectors/privates-2.txt', 'utf-8');
-const schCsv = readFileSync('./test/vectors/schnorr.csv', 'utf-8');
 
 const FC_BIGINT = fc.bigInt(1n + 1n, secp.CURVE.n - 1n);
 // prettier-ignore
@@ -193,7 +192,7 @@ describe('secp256k1', () => {
       fc.assert(
         fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
           const sig = new secp.Signature(r, s);
-          deepStrictEqual(secp.Signature.fromDER(sig.toDERHex()), sig);
+          deepStrictEqual(sigFromDER(sigToDER(sig)), sig);
         })
       );
     });
@@ -241,9 +240,9 @@ describe('secp256k1', () => {
       );
       for (const [msg, exp] of CASES) {
         const res = secp.sign(msg, privKey, { extraEntropy: undefined });
-        deepStrictEqual(res.toDERHex(), exp);
+        deepStrictEqual(sigToDER(res), exp);
-        const rs = secp.Signature.fromDER(res.toDERHex()).toCompactHex();
+        const rs = sigFromDER(sigToDER(res)).toCompactHex();
-        deepStrictEqual(secp.Signature.fromCompact(rs).toDERHex(), exp);
+        deepStrictEqual(sigToDER(secp.Signature.fromCompact(rs)), exp);
       }
     });
     should('handle {extraData} option', () => {
@@ -342,7 +341,7 @@ describe('secp256k1', () => {
       const s = 115792089237316195423570985008687907852837564279074904382605163141518161494334n;
       const pub = new Point(x, y, 1n).toRawBytes();
       const sig = new secp.Signature(r, s);
-      deepStrictEqual(secp.verify(sig, msg, pub, { strict: false }), true);
+      deepStrictEqual(secp.verify(sig, msg, pub, { lowS: false }), true);
     });
     should('not verify invalid deterministic signatures with RFC 6979', () => {
       for (const vector of ecdsa.invalid.verify) {
@@ -351,29 +350,6 @@ describe('secp256k1', () => {
       }
     });
   });
-
-  describe('schnorr.sign()', () => {
-    // index,secret key,public key,aux_rand,message,signature,verification result,comment
-    const vectors = schCsv
-      .split('\n')
-      .map((line) => line.split(','))
-      .slice(1, -1);
-    for (let vec of vectors) {
-      const [index, sec, pub, rnd, msg, expSig, passes, comment] = vec;
-      should(`${comment || 'vector ' + index}`, () => {
-        if (sec) {
-          deepStrictEqual(hex(schnorr.getPublicKey(sec)), pub.toLowerCase());
-          const sig = schnorr.sign(msg, sec, rnd);
-          deepStrictEqual(hex(sig), expSig.toLowerCase());
-          deepStrictEqual(schnorr.verify(sig, msg, pub), true);
-        } else {
-          const passed = schnorr.verify(expSig, msg, pub);
-          deepStrictEqual(passed, passes === 'TRUE');
-        }
-      });
-    }
-  });
-
   describe('recoverPublicKey()', () => {
     should('recover public key from recovery bit', () => {
       const message = '00000000000000000000000000000000000000000000000000000000deadbeef';
@@ -404,7 +380,7 @@ describe('secp256k1', () => {
     should('handle RFC 6979 vectors', () => {
       for (const vector of ecdsa.valid) {
         let usig = secp.sign(vector.m, vector.d);
-        let sig = usig.toDERHex();
+        let sig = sigToDER(usig);
         const vpub = secp.getPublicKey(vector.d);
         const recovered = usig.recoverPublicKey(vector.m);
         deepStrictEqual(recovered.toHex(), hex(vpub));
@@ -459,24 +435,25 @@ describe('secp256k1', () => {
   });
 
   describe('tweak utilities (legacy)', () => {
-    const Fn = Fp(secp.CURVE.n);
+    const normal = secp.utils.normPrivateKeyToScalar;
-    const normal = secp.utils._normalizePrivateKey;
     const tweakUtils = {
       privateAdd: (privateKey, tweak) => {
-        return numberToBytesBE(Fn.add(normal(privateKey), normal(tweak)), 32);
+        return numberToBytesBE(mod(normal(privateKey) + normal(tweak), secp.CURVE.n), 32);
       },
 
       privateNegate: (privateKey) => {
-        return numberToBytesBE(Fn.neg(normal(privateKey)), 32);
+        return numberToBytesBE(mod(-normal(privateKey), secp.CURVE.n), 32);
       },
 
       pointAddScalar: (p, tweak, isCompressed) => {
-        // Will throw if tweaked point is at infinity
+        const tweaked = Point.fromHex(p).add(Point.fromPrivateKey(tweak));
-        return Point.fromHex(p).add(Point.fromPrivateKey(tweak)).toRawBytes(isCompressed);
+        if (tweaked.equals(Point.ZERO)) throw new Error('Tweaked point at infinity');
+        return tweaked.toRawBytes(isCompressed);
       },
 
       pointMultiply: (p, tweak, isCompressed) => {
-        const t = bytesToNumberBE(ensureBytes(tweak));
+        if (typeof tweak === 'string') tweak = hexToBytes(tweak);
+        const t = bytesToNumberBE(tweak);
         return Point.fromHex(p).multiply(t).toRawBytes(isCompressed);
       },
     };
@@ -484,20 +461,20 @@ describe('secp256k1', () => {
     should('privateAdd()', () => {
       for (const vector of privates.valid.add) {
         const { a, b, expected } = vector;
-        deepStrictEqual(bytesToHex(tweakUtils.privateAdd(a, b)), expected);
+        deepStrictEqual(hex(tweakUtils.privateAdd(a, b)), expected);
       }
     });
     should('privateNegate()', () => {
       for (const vector of privates.valid.negate) {
         const { a, expected } = vector;
-        deepStrictEqual(bytesToHex(tweakUtils.privateNegate(a)), expected);
+        deepStrictEqual(hex(tweakUtils.privateNegate(a)), expected);
       }
     });
     should('pointAddScalar()', () => {
       for (const vector of points.valid.pointAddScalar) {
         const { description, P, d, expected } = vector;
         const compressed = !!expected && expected.length === 66; // compressed === 33 bytes
-        deepStrictEqual(bytesToHex(tweakUtils.pointAddScalar(P, d, compressed)), expected);
+        deepStrictEqual(hex(tweakUtils.pointAddScalar(P, d, compressed)), expected);
       }
     });
     should('pointAddScalar() invalid', () => {
@@ -509,7 +486,7 @@ describe('secp256k1', () => {
     should('pointMultiply()', () => {
       for (const vector of points.valid.pointMultiply) {
         const { P, d, expected } = vector;
-        deepStrictEqual(bytesToHex(tweakUtils.pointMultiply(P, d, true)), expected);
+        deepStrictEqual(hex(tweakUtils.pointMultiply(P, d, true)), expected);
       }
     });
     should('pointMultiply() invalid', () => {
@@ -525,10 +502,12 @@ describe('secp256k1', () => {
       // const pubKey = Point.fromHex().toRawBytes();
       const pubKey = group.key.uncompressed;
       for (let test of group.tests) {
-        const m = secp.CURVE.hash(hexToBytes(test.msg));
+        const h = selectHash(secp);
+
+        const m = h(hexToBytes(test.msg));
         if (test.result === 'valid' || test.result === 'acceptable') {
-          const verified = secp.verify(test.sig, m, pubKey);
+          const verified = secp.verify(normVerifySig(test.sig), m, pubKey);
-          if (secp.Signature.fromDER(test.sig).hasHighS()) {
+          if (sigFromDER(test.sig).hasHighS()) {
             deepStrictEqual(verified, false);
           } else {
             deepStrictEqual(verified, true);