Neat.

Some minor notes as an outsider who just spent an hour implementing and
playing with this:

-In several places you have things like "Let k = int(hash(bytes(d) || m))
mod n", but reference code says things like "e = sha256(R[0].to_bytes(32,
byteorder="big") + bytes_point(point_mul(G, seckey)) + msg)", no modulo.
Confusing.

-x is not defined in "The signature is *bytes(x(R)) || bytes(k + ex mod n)*",
apparently it's the private key.

-jacobi function is great at exposing bugs in divmod implementations, due
to the full 256 bit exponent. Add a line about it being something to watch
for?

-"bytes" notation is defined as "turn to bytes" for an integer, but the
same for a point is "take X with prefix and turn to bytes". Confusing,
might be a good idea to name it differently?

-Finally, it would have been nice to have a larger set of test vectors in a
JSON or CSV file, covering all the edge cases.


Artem