Neat.

Some minor notes as an outsider who just spent an hour implementing and playing with this:

-In several places you have things like "Let k = int(hash(bytes(d) || m)) mod n", but reference code says things like "e = sha256(R[0].to_bytes(32, byteorder="big") + bytes_point(point_mul(G, seckey)) + msg)", no modulo. Confusing.

-x is not defined in "The signature is bytes(x(R)) || bytes(k + ex mod n)", apparently it's the private key.

-jacobi function is great at exposing bugs in divmod implementations, due to the full 256 bit exponent. Add a line about it being something to watch for?

-"bytes" notation is defined as "turn to bytes" for an integer, but the same for a point is "take X with prefix and turn to bytes". Confusing, might be a good idea to name it differently?

-Finally, it would have been nice to have a larger set of test vectors in a JSON or CSV file, covering all the edge cases.

Artem