@bonfida/spl-name-service 3.0.19 → 3.0.21
- package/README.md +2 -2
- package/dist/cjs/bindings/burnDomain.js.map +1 -1
- package/dist/cjs/bindings/createNameRegistry.js.map +1 -1
- package/dist/cjs/bindings/createRecordInstruction.js.map +1 -1
- package/dist/cjs/bindings/createRecordV2Instruction.js.map +1 -1
- package/dist/cjs/bindings/createReverseName.js.map +1 -1
- package/dist/cjs/bindings/createSolRecordInstruction.js.map +1 -1
- package/dist/cjs/bindings/createSubdomain.js.map +1 -1
- package/dist/cjs/bindings/deleteNameRegistry.js.map +1 -1
- package/dist/cjs/bindings/deleteRecordV2.js.map +1 -1
- package/dist/cjs/bindings/ethValidateRecordV2Content.js.map +1 -1
- package/dist/cjs/bindings/registerDomainName.js +1 -1
- package/dist/cjs/bindings/registerDomainName.js.map +1 -1
- package/dist/cjs/bindings/registerDomainNameV2.js +1 -1
- package/dist/cjs/bindings/registerDomainNameV2.js.map +1 -1
- package/dist/cjs/bindings/registerFavorite.js.map +1 -1
- package/dist/cjs/bindings/registerWithNft.js.map +1 -1
- package/dist/cjs/bindings/transferNameOwnership.js.map +1 -1
- package/dist/cjs/bindings/transferSubdomain.js.map +1 -1
- package/dist/cjs/bindings/updateNameRegistryData.js.map +1 -1
- package/dist/cjs/bindings/updateRecordInstruction.js.map +1 -1
- package/dist/cjs/bindings/updateRecordV2Instruction.js.map +1 -1
- package/dist/cjs/bindings/updateSolRecordInstruction.js.map +1 -1
- package/dist/cjs/bindings/validateRecordV2Content.js.map +1 -1
- package/dist/cjs/bindings/writRoaRecordV2.js.map +1 -1
- package/dist/cjs/custom-bg.js.map +1 -1
- package/dist/cjs/deprecated/utils.js +1 -1
- package/dist/cjs/deprecated/utils.js.map +1 -1
- package/dist/cjs/devnet.js +1 -1
- package/dist/cjs/devnet.js.map +1 -1
- package/dist/cjs/error.js.map +1 -1
- package/dist/cjs/favorite-domain.js +1 -1
- package/dist/cjs/favorite-domain.js.map +1 -1
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.js +1 -1
- package/dist/cjs/instructions/burnInstruction.js.map +1 -1
- package/dist/cjs/instructions/createInstruction.js.map +1 -1
- package/dist/cjs/instructions/createInstructionV3.js.map +1 -1
- package/dist/cjs/instructions/createReverseInstruction.js.map +1 -1
- package/dist/cjs/instructions/createSplitV2Instruction.js.map +1 -1
- package/dist/cjs/instructions/createV2Instruction.js.map +1 -1
- package/dist/cjs/instructions/createWithNftInstruction.js.map +1 -1
- package/dist/cjs/instructions/reallocInstruction.js.map +1 -1
- package/dist/cjs/instructions/registerFavoriteInstruction.js.map +1 -1
- package/dist/cjs/instructions/transferInstruction.js.map +1 -1
- package/dist/cjs/instructions/updateInstruction.js.map +1 -1
- package/dist/cjs/int.js.map +1 -1
- package/dist/cjs/nft/getDomainMint.js.map +1 -1
- package/dist/cjs/nft/getRecordFromMint.js.map +1 -1
- package/dist/cjs/nft/retrieveNftOwner.js.map +1 -1
- package/dist/cjs/nft/retrieveNftOwnerV2.js.map +1 -1
- package/dist/cjs/nft/retrieveNfts.js +1 -1
- package/dist/cjs/nft/retrieveNfts.js.map +1 -1
- package/dist/cjs/nft/retrieveRecords.js +1 -1
- package/dist/cjs/nft/retrieveRecords.js.map +1 -1
- package/dist/cjs/nft/state.js.map +1 -1
- package/dist/cjs/node_modules/@bonfida/sns-records/dist/index.js +1 -1
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/curve.js +2 -2
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/curve.js.map +1 -1
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/edwards.js +2 -2
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/edwards.js.map +1 -1
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/modular.js +2 -2
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/modular.js.map +1 -1
- package/dist/cjs/node_modules/@noble/curves/esm/ed25519.js +2 -2
- package/dist/cjs/node_modules/@noble/curves/esm/ed25519.js.map +1 -1
- package/dist/cjs/node_modules/@noble/curves/esm/utils.js +3 -0
- package/dist/cjs/node_modules/@noble/curves/esm/utils.js.map +1 -0
- package/dist/cjs/node_modules/@noble/hashes/esm/_md.js +1 -1
- package/dist/cjs/node_modules/@noble/hashes/esm/_md.js.map +1 -1
- package/dist/cjs/node_modules/@noble/hashes/esm/sha2.js +1 -1
- package/dist/cjs/node_modules/@noble/hashes/esm/sha2.js.map +1 -1
- package/dist/cjs/node_modules/@noble/hashes/esm/utils.js +2 -2
- package/dist/cjs/node_modules/@noble/hashes/esm/utils.js.map +1 -1
- package/dist/cjs/node_modules/@scure/base/lib/esm/index.js +1 -1
- package/dist/cjs/node_modules/@scure/base/lib/esm/index.js.map +1 -1
- package/dist/cjs/node_modules/@solana/spl-token/lib/esm/extensions/accountType.js.map +1 -1
- package/dist/cjs/node_modules/@solana/spl-token/lib/esm/state/account.js.map +1 -1
- package/dist/cjs/node_modules/@solana/spl-token/lib/esm/state/mint.js.map +1 -1
- package/dist/cjs/node_modules/@solana/spl-token/lib/esm/state/multisig.js.map +1 -1
- package/dist/cjs/node_modules/base64-js/index.js +1 -1
- package/dist/cjs/node_modules/base64-js/index.js.map +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/buffer.js.map +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/deserialize.js +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/deserialize.js.map +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/index.js.map +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/serialize.js.map +1 -1
- package/dist/cjs/node_modules/borsh/lib/esm/utils.js.map +1 -1
- package/dist/cjs/node_modules/bs58/index.js.map +1 -1
- package/dist/cjs/node_modules/bs58/node_modules/base-x/src/index.js.map +1 -1
- package/dist/cjs/node_modules/buffer/index.js +1 -1
- package/dist/cjs/node_modules/buffer/index.js.map +1 -1
- package/dist/cjs/node_modules/graphemesplit/index.js.map +1 -1
- package/dist/cjs/node_modules/ieee754/index.js.map +1 -1
- package/dist/cjs/node_modules/ipaddr.js/lib/ipaddr.js +1 -1
- package/dist/cjs/node_modules/ipaddr.js/lib/ipaddr.js.map +1 -1
- package/dist/cjs/node_modules/js-base64/base64.js +1 -1
- package/dist/cjs/node_modules/js-base64/base64.js.map +1 -1
- package/dist/cjs/node_modules/punycode/punycode.es6.js +1 -1
- package/dist/cjs/node_modules/punycode/punycode.es6.js.map +1 -1
- package/dist/cjs/node_modules/tiny-inflate/index.js.map +1 -1
- package/dist/cjs/node_modules/unicode-trie/index.js.map +1 -1
- package/dist/cjs/node_modules/unicode-trie/swap.js.map +1 -1
- package/dist/cjs/record/deserializeRecord.js +1 -1
- package/dist/cjs/record/deserializeRecord.js.map +1 -1
- package/dist/cjs/record/getRecord.js.map +1 -1
- package/dist/cjs/record/getRecordKeySync.js.map +1 -1
- package/dist/cjs/record/getRecords.js +1 -1
- package/dist/cjs/record/getRecords.js.map +1 -1
- package/dist/cjs/record/helpers/getSolRecord.js.map +1 -1
- package/dist/cjs/record/serializeRecord.js.map +1 -1
- package/dist/cjs/record/serializeSolRecord.js.map +1 -1
- package/dist/cjs/record_v2/const.d.ts +1 -0
- package/dist/cjs/record_v2/const.js +1 -1
- package/dist/cjs/record_v2/const.js.map +1 -1
- package/dist/cjs/record_v2/deserializeRecordV2Content.js.map +1 -1
- package/dist/cjs/record_v2/getMultipleRecordsV2.d.ts +16 -5
- package/dist/cjs/record_v2/getMultipleRecordsV2.js +1 -1
- package/dist/cjs/record_v2/getMultipleRecordsV2.js.map +1 -1
- package/dist/cjs/record_v2/getRecordV2.d.ts +16 -8
- package/dist/cjs/record_v2/getRecordV2.js +1 -1
- package/dist/cjs/record_v2/getRecordV2.js.map +1 -1
- package/dist/cjs/record_v2/getRecordV2Key.js.map +1 -1
- package/dist/cjs/record_v2/serializeRecordV2Content.js.map +1 -1
- package/dist/cjs/record_v2/verifyRightOfAssociation.js.map +1 -1
- package/dist/cjs/record_v2/{utils.js → verifyStaleness.js} +1 -1
- package/dist/cjs/record_v2/verifyStaleness.js.map +1 -0
- package/dist/cjs/resolve/resolve.js +1 -1
- package/dist/cjs/resolve/resolve.js.map +1 -1
- package/dist/cjs/resolve/resolveSolRecordV1.js.map +1 -1
- package/dist/cjs/resolve/resolveSolRecordV2.js.map +1 -1
- package/dist/cjs/state.js +1 -1
- package/dist/cjs/state.js.map +1 -1
- package/dist/cjs/twitter/ReverseTwitterRegistryState.js.map +1 -1
- package/dist/cjs/twitter/changeTwitterRegistryData.js.map +1 -1
- package/dist/cjs/twitter/changeVerifiedPubkey.js.map +1 -1
- package/dist/cjs/twitter/createReverseTwitterRegistry.js.map +1 -1
- package/dist/cjs/twitter/createVerifiedTwitterRegistry.js.map +1 -1
- package/dist/cjs/twitter/deleteTwitterRegistry.js.map +1 -1
- package/dist/cjs/twitter/getHandleAndRegistryKey.js.map +1 -1
- package/dist/cjs/twitter/getTwitterHandleandRegistryKeyViaFilters.js.map +1 -1
- package/dist/cjs/twitter/getTwitterRegistry.js.map +1 -1
- package/dist/cjs/twitter/getTwitterRegistryData.js.map +1 -1
- package/dist/cjs/twitter/getTwitterRegistryKey.js.map +1 -1
- package/dist/cjs/types/custom-bg.js.map +1 -1
- package/dist/cjs/types/record.d.ts +2 -1
- package/dist/cjs/types/record.js +1 -1
- package/dist/cjs/types/record.js.map +1 -1
- package/dist/cjs/utils/findSubdomains.js +1 -1
- package/dist/cjs/utils/findSubdomains.js.map +1 -1
- package/dist/cjs/utils/getAllDomains.js +1 -1
- package/dist/cjs/utils/getAllDomains.js.map +1 -1
- package/dist/cjs/utils/getAllRegisteredDomains.js.map +1 -1
- package/dist/cjs/utils/getDomainKeySync.js.map +1 -1
- package/dist/cjs/utils/getDomainKeysWithReverses.js +1 -1
- package/dist/cjs/utils/getDomainKeysWithReverses.js.map +1 -1
- package/dist/cjs/utils/getDomainPriceFromName.js.map +1 -1
- package/dist/cjs/utils/getHashedNameSync.js.map +1 -1
- package/dist/cjs/utils/getNameAccountKeySync.js.map +1 -1
- package/dist/cjs/utils/getPythFeedAccountKey.js.map +1 -1
- package/dist/cjs/utils/getReverseKeyFromDomainKey.js.map +1 -1
- package/dist/cjs/utils/getReverseKeySync.js.map +1 -1
- package/dist/cjs/utils/getTokenizedDomains.js +1 -1
- package/dist/cjs/utils/getTokenizedDomains.js.map +1 -1
- package/dist/cjs/utils/reverseLookup.js.map +1 -1
- package/dist/cjs/utils/reverseLookupBatch.js +1 -1
- package/dist/cjs/utils/reverseLookupBatch.js.map +1 -1
- package/dist/esm/bindings/burnDomain.js.map +1 -1
- package/dist/esm/bindings/createNameRegistry.js.map +1 -1
- package/dist/esm/bindings/createRecordInstruction.js.map +1 -1
- package/dist/esm/bindings/createRecordV2Instruction.js.map +1 -1
- package/dist/esm/bindings/createReverseName.js.map +1 -1
- package/dist/esm/bindings/createSolRecordInstruction.js.map +1 -1
- package/dist/esm/bindings/createSubdomain.js.map +1 -1
- package/dist/esm/bindings/deleteRecordV2.js.map +1 -1
- package/dist/esm/bindings/ethValidateRecordV2Content.js.map +1 -1
- package/dist/esm/bindings/registerDomainName.js +1 -1
- package/dist/esm/bindings/registerDomainName.js.map +1 -1
- package/dist/esm/bindings/registerDomainNameV2.js +1 -1
- package/dist/esm/bindings/registerDomainNameV2.js.map +1 -1
- package/dist/esm/bindings/registerFavorite.js.map +1 -1
- package/dist/esm/bindings/registerWithNft.js.map +1 -1
- package/dist/esm/bindings/transferSubdomain.js.map +1 -1
- package/dist/esm/bindings/updateRecordInstruction.js.map +1 -1
- package/dist/esm/bindings/updateRecordV2Instruction.js.map +1 -1
- package/dist/esm/bindings/updateSolRecordInstruction.js.map +1 -1
- package/dist/esm/bindings/validateRecordV2Content.js.map +1 -1
- package/dist/esm/bindings/writRoaRecordV2.js.map +1 -1
- package/dist/esm/custom-bg.js +1 -1
- package/dist/esm/custom-bg.js.map +1 -1
- package/dist/esm/deprecated/utils.js +1 -1
- package/dist/esm/deprecated/utils.js.map +1 -1
- package/dist/esm/devnet.js +1 -1
- package/dist/esm/devnet.js.map +1 -1
- package/dist/esm/error.js.map +1 -1
- package/dist/esm/favorite-domain.js +1 -1
- package/dist/esm/favorite-domain.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.js +1 -1
- package/dist/esm/instructions/burnInstruction.js.map +1 -1
- package/dist/esm/instructions/createInstruction.js.map +1 -1
- package/dist/esm/instructions/createInstructionV3.js.map +1 -1
- package/dist/esm/instructions/createReverseInstruction.js.map +1 -1
- package/dist/esm/instructions/createSplitV2Instruction.js.map +1 -1
- package/dist/esm/instructions/createV2Instruction.js.map +1 -1
- package/dist/esm/instructions/createWithNftInstruction.js.map +1 -1
- package/dist/esm/instructions/reallocInstruction.js.map +1 -1
- package/dist/esm/instructions/registerFavoriteInstruction.js.map +1 -1
- package/dist/esm/instructions/transferInstruction.js.map +1 -1
- package/dist/esm/instructions/updateInstruction.js.map +1 -1
- package/dist/esm/int.js.map +1 -1
- package/dist/esm/nft/getDomainMint.js.map +1 -1
- package/dist/esm/nft/getRecordFromMint.js.map +1 -1
- package/dist/esm/nft/retrieveNftOwner.js.map +1 -1
- package/dist/esm/nft/retrieveNftOwnerV2.js.map +1 -1
- package/dist/esm/nft/retrieveNfts.js +1 -1
- package/dist/esm/nft/retrieveNfts.js.map +1 -1
- package/dist/esm/nft/retrieveRecords.js +1 -1
- package/dist/esm/nft/retrieveRecords.js.map +1 -1
- package/dist/esm/nft/state.js.map +1 -1
- package/dist/esm/node_modules/@bonfida/sns-records/dist/index.js +1 -1
- package/dist/esm/node_modules/@noble/curves/esm/abstract/curve.js +2 -2
- package/dist/esm/node_modules/@noble/curves/esm/abstract/curve.js.map +1 -1
- package/dist/esm/node_modules/@noble/curves/esm/abstract/edwards.js +2 -2
- package/dist/esm/node_modules/@noble/curves/esm/abstract/edwards.js.map +1 -1
- package/dist/esm/node_modules/@noble/curves/esm/abstract/modular.js +2 -2
- package/dist/esm/node_modules/@noble/curves/esm/abstract/modular.js.map +1 -1
- package/dist/esm/node_modules/@noble/curves/esm/ed25519.js +2 -2
- package/dist/esm/node_modules/@noble/curves/esm/ed25519.js.map +1 -1
- package/dist/esm/node_modules/@noble/curves/esm/utils.js +3 -0
- package/dist/esm/node_modules/@noble/curves/esm/utils.js.map +1 -0
- package/dist/esm/node_modules/@noble/hashes/esm/_md.js +1 -1
- package/dist/esm/node_modules/@noble/hashes/esm/_md.js.map +1 -1
- package/dist/esm/node_modules/@noble/hashes/esm/_u64.js.map +1 -1
- package/dist/esm/node_modules/@noble/hashes/esm/sha2.js +1 -1
- package/dist/esm/node_modules/@noble/hashes/esm/sha2.js.map +1 -1
- package/dist/esm/node_modules/@noble/hashes/esm/utils.js +2 -2
- package/dist/esm/node_modules/@noble/hashes/esm/utils.js.map +1 -1
- package/dist/esm/node_modules/@scure/base/lib/esm/index.js +1 -1
- package/dist/esm/node_modules/@scure/base/lib/esm/index.js.map +1 -1
- package/dist/esm/node_modules/@solana/spl-token/lib/esm/extensions/accountType.js.map +1 -1
- package/dist/esm/node_modules/@solana/spl-token/lib/esm/state/account.js.map +1 -1
- package/dist/esm/node_modules/@solana/spl-token/lib/esm/state/mint.js.map +1 -1
- package/dist/esm/node_modules/base64-js/index.js +1 -1
- package/dist/esm/node_modules/base64-js/index.js.map +1 -1
- package/dist/esm/node_modules/borsh/lib/esm/buffer.js.map +1 -1
- package/dist/esm/node_modules/borsh/lib/esm/deserialize.js +1 -1
- package/dist/esm/node_modules/borsh/lib/esm/deserialize.js.map +1 -1
- package/dist/esm/node_modules/borsh/lib/esm/serialize.js.map +1 -1
- package/dist/esm/node_modules/borsh/lib/esm/utils.js.map +1 -1
- package/dist/esm/node_modules/bs58/node_modules/base-x/src/index.js.map +1 -1
- package/dist/esm/node_modules/buffer/index.js +1 -1
- package/dist/esm/node_modules/buffer/index.js.map +1 -1
- package/dist/esm/node_modules/graphemesplit/index.js +1 -1
- package/dist/esm/node_modules/graphemesplit/index.js.map +1 -1
- package/dist/esm/node_modules/ieee754/index.js.map +1 -1
- package/dist/esm/node_modules/ipaddr.js/lib/ipaddr.js +1 -1
- package/dist/esm/node_modules/ipaddr.js/lib/ipaddr.js.map +1 -1
- package/dist/esm/node_modules/js-base64/base64.js +1 -1
- package/dist/esm/node_modules/js-base64/base64.js.map +1 -1
- package/dist/esm/node_modules/punycode/punycode.es6.js +1 -1
- package/dist/esm/node_modules/punycode/punycode.es6.js.map +1 -1
- package/dist/esm/node_modules/tiny-inflate/index.js.map +1 -1
- package/dist/esm/node_modules/unicode-trie/index.js.map +1 -1
- package/dist/esm/node_modules/unicode-trie/swap.js.map +1 -1
- package/dist/esm/record/checkSolRecord.js.map +1 -1
- package/dist/esm/record/deserializeRecord.js +1 -1
- package/dist/esm/record/deserializeRecord.js.map +1 -1
- package/dist/esm/record/getRecordKeySync.js.map +1 -1
- package/dist/esm/record/getRecords.js +1 -1
- package/dist/esm/record/getRecords.js.map +1 -1
- package/dist/esm/record/serializeRecord.js.map +1 -1
- package/dist/esm/record/serializeSolRecord.js.map +1 -1
- package/dist/esm/record_v2/const.d.ts +1 -0
- package/dist/esm/record_v2/const.js +1 -1
- package/dist/esm/record_v2/const.js.map +1 -1
- package/dist/esm/record_v2/deserializeRecordV2Content.js.map +1 -1
- package/dist/esm/record_v2/getMultipleRecordsV2.d.ts +16 -5
- package/dist/esm/record_v2/getMultipleRecordsV2.js +1 -1
- package/dist/esm/record_v2/getMultipleRecordsV2.js.map +1 -1
- package/dist/esm/record_v2/getRecordV2.d.ts +16 -8
- package/dist/esm/record_v2/getRecordV2.js +1 -1
- package/dist/esm/record_v2/getRecordV2.js.map +1 -1
- package/dist/esm/record_v2/getRecordV2Key.js.map +1 -1
- package/dist/esm/record_v2/serializeRecordV2Content.js.map +1 -1
- package/dist/esm/record_v2/verifyRightOfAssociation.js.map +1 -1
- package/dist/esm/record_v2/{utils.js → verifyStaleness.js} +1 -1
- package/dist/esm/record_v2/verifyStaleness.js.map +1 -0
- package/dist/esm/resolve/resolve.js +1 -1
- package/dist/esm/resolve/resolve.js.map +1 -1
- package/dist/esm/resolve/resolveSolRecordV1.js.map +1 -1
- package/dist/esm/resolve/resolveSolRecordV2.js.map +1 -1
- package/dist/esm/state.js +1 -1
- package/dist/esm/state.js.map +1 -1
- package/dist/esm/twitter/ReverseTwitterRegistryState.js.map +1 -1
- package/dist/esm/twitter/changeVerifiedPubkey.js +1 -1
- package/dist/esm/twitter/createReverseTwitterRegistry.js +1 -1
- package/dist/esm/twitter/createVerifiedTwitterRegistry.js +1 -1
- package/dist/esm/twitter/getTwitterHandleandRegistryKeyViaFilters.js.map +1 -1
- package/dist/esm/types/custom-bg.js.map +1 -1
- package/dist/esm/types/record.d.ts +2 -1
- package/dist/esm/types/record.js +1 -1
- package/dist/esm/types/record.js.map +1 -1
- package/dist/esm/utils/findSubdomains.js +1 -1
- package/dist/esm/utils/findSubdomains.js.map +1 -1
- package/dist/esm/utils/getAllDomains.js +1 -1
- package/dist/esm/utils/getAllDomains.js.map +1 -1
- package/dist/esm/utils/getAllRegisteredDomains.js.map +1 -1
- package/dist/esm/utils/getDomainKeySync.js.map +1 -1
- package/dist/esm/utils/getDomainKeysWithReverses.js +1 -1
- package/dist/esm/utils/getDomainKeysWithReverses.js.map +1 -1
- package/dist/esm/utils/getDomainPriceFromName.js.map +1 -1
- package/dist/esm/utils/getHashedNameSync.js.map +1 -1
- package/dist/esm/utils/getNameAccountKeySync.js.map +1 -1
- package/dist/esm/utils/getPythFeedAccountKey.js.map +1 -1
- package/dist/esm/utils/getReverseKeyFromDomainKey.js.map +1 -1
- package/dist/esm/utils/getReverseKeySync.js.map +1 -1
- package/dist/esm/utils/getTokenizedDomains.js +1 -1
- package/dist/esm/utils/getTokenizedDomains.js.map +1 -1
- package/dist/esm/utils/reverseLookupBatch.js +1 -1
- package/dist/esm/utils/reverseLookupBatch.js.map +1 -1
- package/package.json +2 -2
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/utils.js +0 -3
- package/dist/cjs/node_modules/@noble/curves/esm/abstract/utils.js.map +0 -1
- package/dist/cjs/record_v2/utils.js.map +0 -1
- package/dist/esm/node_modules/@noble/curves/esm/abstract/utils.js +0 -3
- package/dist/esm/node_modules/@noble/curves/esm/abstract/utils.js.map +0 -1
- package/dist/esm/record_v2/utils.js.map +0 -1
- /package/dist/cjs/record_v2/{utils.d.ts → verifyStaleness.d.ts} +0 -0
- /package/dist/esm/record_v2/{utils.d.ts → verifyStaleness.d.ts} +0 -0
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var t=require("./curve.js"),
|
|
1
|
+
"use strict";var t=require("../utils.js"),e=require("./curve.js"),r=require("./modular.js"),n=require("../../../hashes/esm/utils.js");
|
|
2
2
|
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
3
|
-
const
|
|
3
|
+
const s=BigInt(0),i=BigInt(1),o=BigInt(2),a=BigInt(8);function u(r,u={}){const c=e._createCurveFields("edwards",r,u,u.FpFnLE),{Fp:y,Fn:d}=c;let l=c.CURVE;const{h:h}=l;t._validateObject(u,{},{uvRatio:"function"});const f=o<<BigInt(8*d.BYTES)-i,p=t=>y.create(t),m=u.uvRatio||((t,e)=>{try{return{isValid:!0,value:y.sqrt(y.div(t,e))}}catch(t){return{isValid:!1,value:s}}});if(!function(t,e,r,n){const s=t.sqr(r),i=t.sqr(n),o=t.add(t.mul(e.a,s),i),a=t.add(t.ONE,t.mul(e.d,t.mul(s,i)));return t.eql(o,a)}(y,l,l.Gx,l.Gy))throw new Error("bad curve params: generator point");function B(e,r,n=!1){const o=n?i:s;return t.aInRange("coordinate "+e,r,o,f),r}function w(t){if(!(t instanceof b))throw new Error("ExtendedPoint expected")}const E=t.memoized((t,e)=>{const{X:r,Y:n,Z:o}=t,u=t.is0();null==e&&(e=u?a:y.inv(o));const c=p(r*e),d=p(n*e),l=y.mul(o,e);if(u)return{x:s,y:i};if(l!==i)throw new Error("invZ was invalid");return{x:c,y:d}}),g=t.memoized(t=>{const{a:e,d:r}=l;if(t.is0())throw new Error("bad point: ZERO");const{X:n,Y:s,Z:i,T:o}=t,a=p(n*n),u=p(s*s),c=p(i*i),y=p(c*c),d=p(a*e);if(p(c*p(d+u))!==p(y+p(r*p(a*u))))throw new Error("bad point: equation left != right (1)");if(p(n*s)!==p(i*o))throw new Error("bad point: equation left != right (2)");return!0});class b{constructor(t,e,r,n){this.X=B("x",t),this.Y=B("y",e),this.Z=B("z",r,!0),this.T=B("t",n),Object.freeze(this)}static CURVE(){return l}static fromAffine(t){if(t instanceof b)throw new Error("extended point not allowed");const{x:e,y:r}=t||{};return B("x",e),B("y",r),new b(e,r,i,p(e*r))}static fromBytes(e,r=!1){const n=y.BYTES,{a:o,d:a}=l;e=t.copyBytes(t._abytes2(e,n,"point")),t._abool2(r,"zip215");const u=t.copyBytes(e),c=e[n-1];u[n-1]=-129&c;const d=t.bytesToNumberLE(u),h=r?f:y.ORDER;t.aInRange("point.y",d,s,h);const B=p(d*d),w=p(B-i),E=p(a*B-o);let{isValid:g,value:x}=m(w,E);if(!g)throw new Error("bad point: invalid y coordinate");const v=(x&i)===i,S=!!(128&c);if(!r&&x===s&&S)throw new Error("bad point: x=0 and x_0=1");return 
S!==v&&(x=p(-x)),b.fromAffine({x:x,y:d})}static fromHex(e,r=!1){return b.fromBytes(t.ensureBytes("point",e),r)}get x(){return this.toAffine().x}get y(){return this.toAffine().y}precompute(t=8,e=!0){return x.createCache(this,t),e||this.multiply(o),this}assertValidity(){g(this)}equals(t){w(t);const{X:e,Y:r,Z:n}=this,{X:s,Y:i,Z:o}=t,a=p(e*o),u=p(s*n),c=p(r*o),y=p(i*n);return a===u&&c===y}is0(){return this.equals(b.ZERO)}negate(){return new b(p(-this.X),this.Y,this.Z,p(-this.T))}double(){const{a:t}=l,{X:e,Y:r,Z:n}=this,s=p(e*e),i=p(r*r),a=p(o*p(n*n)),u=p(t*s),c=e+r,y=p(p(c*c)-s-i),d=u+i,h=d-a,f=u-i,m=p(y*h),B=p(d*f),w=p(y*f),E=p(h*d);return new b(m,B,E,w)}add(t){w(t);const{a:e,d:r}=l,{X:n,Y:s,Z:i,T:o}=this,{X:a,Y:u,Z:c,T:y}=t,d=p(n*a),h=p(s*u),f=p(o*r*y),m=p(i*c),B=p((n+s)*(a+u)-d-h),E=m-f,g=m+f,x=p(h-e*d),v=p(B*E),S=p(g*x),R=p(B*x),Z=p(E*g);return new b(v,S,Z,R)}subtract(t){return this.add(t.negate())}multiply(t){if(!d.isValidNot0(t))throw new Error("invalid scalar: expected 1 <= sc < curve.n");const{p:r,f:n}=x.cached(this,t,t=>e.normalizeZ(b,t));return e.normalizeZ(b,[r,n])[0]}multiplyUnsafe(t,r=b.ZERO){if(!d.isValid(t))throw new Error("invalid scalar: expected 0 <= sc < curve.n");return t===s?b.ZERO:this.is0()||t===i?this:x.unsafe(this,t,t=>e.normalizeZ(b,t),r)}isSmallOrder(){return this.multiplyUnsafe(h).is0()}isTorsionFree(){return x.unsafe(this,l.n).is0()}toAffine(t){return E(this,t)}clearCofactor(){return h===i?this:this.multiplyUnsafe(h)}toBytes(){const{x:t,y:e}=this.toAffine(),r=y.toBytes(e);return r[r.length-1]|=t&i?128:0,r}toHex(){return n.bytesToHex(this.toBytes())}toString(){return`<Point ${this.is0()?"ZERO":this.toHex()}>`}get ex(){return this.X}get ey(){return this.Y}get ez(){return this.Z}get et(){return this.T}static normalizeZ(t){return e.normalizeZ(b,t)}static msm(t,r){return e.pippenger(b,d,t,r)}_setWindowSize(t){this.precompute(t)}toRawBytes(){return this.toBytes()}}b.BASE=new b(l.Gx,l.Gy,i,p(l.Gx*l.Gy)),b.ZERO=new b(s,i,i,s),b.Fp=y,b.Fn=d;const 
x=new e.wNAF(b,d.BITS);return b.BASE.precompute(8),b}function c(e,r,s={}){if("function"!=typeof r)throw new Error('"hash" function param is required');t._validateObject(s,{},{adjustScalarBytes:"function",randomBytes:"function",domain:"function",prehash:"function",mapToCurve:"function"});const{prehash:o}=s,{BASE:a,Fp:u,Fn:c}=e,y=s.randomBytes||n.randomBytes,d=s.adjustScalarBytes||(t=>t),l=s.domain||((e,r,n)=>{if(t._abool2(n,"phflag"),r.length||n)throw new Error("Contexts/pre-hash are not supported");return e});function h(e){return c.create(t.bytesToNumberLE(e))}function f(e){const{head:n,prefix:s,scalar:i}=function(e){const n=E.secretKey;e=t.ensureBytes("private key",e,n);const s=t.ensureBytes("hashed private key",r(e),2*n),i=d(s.slice(0,n));return{head:i,prefix:s.slice(n,2*n),scalar:h(i)}}(e),o=a.multiply(i),u=o.toBytes();return{head:n,prefix:s,scalar:i,point:o,pointBytes:u}}function p(t){return f(t).pointBytes}function m(e=Uint8Array.of(),...s){const i=n.concatBytes(...s);return h(r(l(i,t.ensureBytes("context",e),!!o)))}const B={zip215:!0};const w=u.BYTES,E={secretKey:w,publicKey:w,signature:2*w,seed:w};function g(e=y(E.seed)){return t._abytes2(e,E.seed,"seed")}const b={getExtendedPublicKey:f,randomSecretKey:g,isValidSecretKey:function(t){return n.isBytes(t)&&t.length===c.BYTES},isValidPublicKey:function(t,r){try{return!!e.fromBytes(t,r)}catch(t){return!1}},toMontgomery(t){const{y:r}=e.fromBytes(t),n=E.publicKey,s=32===n;if(!s&&57!==n)throw new Error("only defined for 25519 and 448");const o=s?u.div(i+r,i-r):u.div(r-i,r+i);return u.toBytes(o)},toMontgomerySecret(e){const n=E.secretKey;t._abytes2(e,n);const s=r(e.subarray(0,n));return d(s).subarray(0,n)},randomPrivateKey:g,precompute:(t=8,r=e.BASE)=>r.precompute(t,!1)};return Object.freeze({keygen:function(t){const 
e=b.randomSecretKey(t);return{secretKey:e,publicKey:p(e)}},getPublicKey:p,sign:function(e,r,s={}){e=t.ensureBytes("message",e),o&&(e=o(e));const{prefix:i,scalar:u,pointBytes:y}=f(r),d=m(s.context,i,e),l=a.multiply(d).toBytes(),h=m(s.context,l,y,e),p=c.create(d+h*u);if(!c.isValid(p))throw new Error("sign failed: invalid s");const B=n.concatBytes(l,c.toBytes(p));return t._abytes2(B,E.signature,"result")},verify:function(r,n,s,i=B){const{context:u,zip215:c}=i,y=E.signature;r=t.ensureBytes("signature",r,y),n=t.ensureBytes("message",n),s=t.ensureBytes("publicKey",s,E.publicKey),void 0!==c&&t._abool2(c,"zip215"),o&&(n=o(n));const d=y/2,l=r.subarray(0,d),h=t.bytesToNumberLE(r.subarray(d,y));let f,p,w;try{f=e.fromBytes(s,c),p=e.fromBytes(l,c),w=a.multiplyUnsafe(h)}catch(t){return!1}if(!c&&f.isSmallOrder())return!1;const g=m(u,p.toBytes(),f.toBytes(),n);return p.add(f.multiplyUnsafe(g)).subtract(w).clearCofactor().is0()},utils:b,Point:e,lengths:E})}exports.eddsa=c,exports.edwards=u,exports.twistedEdwards=function(t){const{CURVE:e,curveOpts:n,hash:s,eddsaOpts:i}=function(t){const e={a:t.a,d:t.d,p:t.Fp.ORDER,n:t.n,h:t.h,Gx:t.Gx,Gy:t.Gy},n={Fp:t.Fp,Fn:r.Field(e.n,t.nBitLength,!0),uvRatio:t.uvRatio},s={randomBytes:t.randomBytes,adjustScalarBytes:t.adjustScalarBytes,domain:t.domain,prehash:t.prehash,mapToCurve:t.mapToCurve};return{CURVE:e,curveOpts:n,hash:t.hash,eddsaOpts:s}}(t);return function(t,e){const r=e.Point;return Object.assign({},e,{ExtendedPoint:r,CURVE:t,nBitLength:r.Fn.BITS,nByteLength:r.Fn.BYTES})}(t,c(u(e,n),s,i))};
|
|
4
4
|
//# sourceMappingURL=edwards.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"edwards.js","sources":["../../../../../../../node_modules/@noble/curves/esm/abstract/edwards.js"],"sourcesContent":["/**\n * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².\n * For design rationale of types / exports, see weierstrass module documentation.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// prettier-ignore\nimport { pippenger, validateBasic, wNAF } from \"./curve.js\";\nimport { Field, FpInvertBatch, mod } from \"./modular.js\";\n// prettier-ignore\nimport { abool, aInRange, bytesToHex, bytesToNumberLE, concatBytes, ensureBytes, memoized, numberToBytesLE, validateObject } from \"./utils.js\";\n// Be friendly to bad ECMAScript parsers by not using bigint literals\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);\n// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:\nconst VERIFY_DEFAULT = { zip215: true };\nfunction validateOpts(curve) {\n const opts = validateBasic(curve);\n validateObject(curve, {\n hash: 'function',\n a: 'bigint',\n d: 'bigint',\n randomBytes: 'function',\n }, {\n adjustScalarBytes: 'function',\n domain: 'function',\n uvRatio: 'function',\n mapToCurve: 'function',\n });\n // Set defaults\n return Object.freeze({ ...opts });\n}\n/**\n * Creates Twisted Edwards curve with EdDSA signatures.\n * @example\n * import { Field } from '@noble/curves/abstract/modular';\n * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h\n * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })\n */\nexport function twistedEdwards(curveDef) {\n const CURVE = validateOpts(curveDef);\n const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;\n // Important:\n // There are some places where Fp.BYTES is used instead of nByteLength.\n // So far, everything has been tested with curves of Fp.BYTES == nByteLength.\n // TODO: test and find curves which 
behave otherwise.\n const MASK = _2n << (BigInt(nByteLength * 8) - _1n);\n const modP = Fp.create; // Function overrides\n const Fn = Field(CURVE.n, CURVE.nBitLength);\n function isEdValidXY(x, y) {\n const x2 = Fp.sqr(x);\n const y2 = Fp.sqr(y);\n const left = Fp.add(Fp.mul(CURVE.a, x2), y2);\n const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));\n return Fp.eql(left, right);\n }\n // Validate whether the passed curve params are valid.\n // equation ax² + y² = 1 + dx²y² should work for generator point.\n if (!isEdValidXY(CURVE.Gx, CURVE.Gy))\n throw new Error('bad curve params: generator point');\n // sqrt(u/v)\n const uvRatio = CURVE.uvRatio ||\n ((u, v) => {\n try {\n return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };\n }\n catch (e) {\n return { isValid: false, value: _0n };\n }\n });\n const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP\n const domain = CURVE.domain ||\n ((data, ctx, phflag) => {\n abool('phflag', phflag);\n if (ctx.length || phflag)\n throw new Error('Contexts/pre-hash are not supported');\n return data;\n }); // NOOP\n // 0 <= n < MASK\n // Coordinates larger than Fp.ORDER are allowed for zip215\n function aCoordinate(title, n, banZero = false) {\n const min = banZero ? _1n : _0n;\n aInRange('coordinate ' + title, n, min, MASK);\n }\n function aextpoint(other) {\n if (!(other instanceof Point))\n throw new Error('ExtendedPoint expected');\n }\n // Converts Extended point to default (x, y) coordinates.\n // Can accept precomputed Z^-1 - for example, from invertBatch.\n const toAffineMemo = memoized((p, iz) => {\n const { ex: x, ey: y, ez: z } = p;\n const is0 = p.is0();\n if (iz == null)\n iz = is0 ? 
_8n : Fp.inv(z); // 8 was chosen arbitrarily\n const ax = modP(x * iz);\n const ay = modP(y * iz);\n const zz = modP(z * iz);\n if (is0)\n return { x: _0n, y: _1n };\n if (zz !== _1n)\n throw new Error('invZ was invalid');\n return { x: ax, y: ay };\n });\n const assertValidMemo = memoized((p) => {\n const { a, d } = CURVE;\n if (p.is0())\n throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?\n // Equation in affine coordinates: ax² + y² = 1 + dx²y²\n // Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²\n const { ex: X, ey: Y, ez: Z, et: T } = p;\n const X2 = modP(X * X); // X²\n const Y2 = modP(Y * Y); // Y²\n const Z2 = modP(Z * Z); // Z²\n const Z4 = modP(Z2 * Z2); // Z⁴\n const aX2 = modP(X2 * a); // aX²\n const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²\n const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²\n if (left !== right)\n throw new Error('bad point: equation left != right (1)');\n // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T\n const XY = modP(X * Y);\n const ZT = modP(Z * T);\n if (XY !== ZT)\n throw new Error('bad point: equation left != right (2)');\n return true;\n });\n // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).\n // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates\n class Point {\n constructor(ex, ey, ez, et) {\n aCoordinate('x', ex);\n aCoordinate('y', ey);\n aCoordinate('z', ez, true);\n aCoordinate('t', et);\n this.ex = ex;\n this.ey = ey;\n this.ez = ez;\n this.et = et;\n Object.freeze(this);\n }\n get x() {\n return this.toAffine().x;\n }\n get y() {\n return this.toAffine().y;\n }\n static fromAffine(p) {\n if (p instanceof Point)\n throw new Error('extended point not allowed');\n const { x, y } = p || {};\n aCoordinate('x', x);\n aCoordinate('y', y);\n return new Point(x, y, _1n, modP(x * y));\n }\n static normalizeZ(points) {\n const toInv = FpInvertBatch(Fp, points.map((p) => 
p.ez));\n return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);\n }\n // Multiscalar Multiplication\n static msm(points, scalars) {\n return pippenger(Point, Fn, points, scalars);\n }\n // \"Private method\", don't use it directly\n _setWindowSize(windowSize) {\n wnaf.setWindowSize(this, windowSize);\n }\n // Not required for fromHex(), which always creates valid points.\n // Could be useful for fromAffine().\n assertValidity() {\n assertValidMemo(this);\n }\n // Compare one point to another.\n equals(other) {\n aextpoint(other);\n const { ex: X1, ey: Y1, ez: Z1 } = this;\n const { ex: X2, ey: Y2, ez: Z2 } = other;\n const X1Z2 = modP(X1 * Z2);\n const X2Z1 = modP(X2 * Z1);\n const Y1Z2 = modP(Y1 * Z2);\n const Y2Z1 = modP(Y2 * Z1);\n return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;\n }\n is0() {\n return this.equals(Point.ZERO);\n }\n negate() {\n // Flips point sign to a negative one (-x, y in affine coords)\n return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));\n }\n // Fast algo for doubling Extended Point.\n // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd\n // Cost: 4M + 4S + 1*a + 6add + 1*2.\n double() {\n const { a } = CURVE;\n const { ex: X1, ey: Y1, ez: Z1 } = this;\n const A = modP(X1 * X1); // A = X12\n const B = modP(Y1 * Y1); // B = Y12\n const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12\n const D = modP(a * A); // D = a*A\n const x1y1 = X1 + Y1;\n const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B\n const G = D + B; // G = D+B\n const F = G - C; // F = G-C\n const H = D - B; // H = D-B\n const X3 = modP(E * F); // X3 = E*F\n const Y3 = modP(G * H); // Y3 = G*H\n const T3 = modP(E * H); // T3 = E*H\n const Z3 = modP(F * G); // Z3 = F*G\n return new Point(X3, Y3, Z3, T3);\n }\n // Fast algo for adding 2 Extended Points.\n // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd\n // Cost: 9M + 1*a + 1*d + 7add.\n add(other) {\n aextpoint(other);\n 
const { a, d } = CURVE;\n const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;\n const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;\n const A = modP(X1 * X2); // A = X1*X2\n const B = modP(Y1 * Y2); // B = Y1*Y2\n const C = modP(T1 * d * T2); // C = T1*d*T2\n const D = modP(Z1 * Z2); // D = Z1*Z2\n const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B\n const F = D - C; // F = D-C\n const G = D + C; // G = D+C\n const H = modP(B - a * A); // H = B-a*A\n const X3 = modP(E * F); // X3 = E*F\n const Y3 = modP(G * H); // Y3 = G*H\n const T3 = modP(E * H); // T3 = E*H\n const Z3 = modP(F * G); // Z3 = F*G\n return new Point(X3, Y3, Z3, T3);\n }\n subtract(other) {\n return this.add(other.negate());\n }\n wNAF(n) {\n return wnaf.wNAFCached(this, n, Point.normalizeZ);\n }\n // Constant-time multiplication.\n multiply(scalar) {\n const n = scalar;\n aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L\n const { p, f } = this.wNAF(n);\n return Point.normalizeZ([p, f])[0];\n }\n // Non-constant-time multiplication. Uses double-and-add algorithm.\n // It's faster, but should only be used when you don't care about\n // an exposed private key e.g. 
sig verification.\n // Does NOT allow scalars higher than CURVE.n.\n // Accepts optional accumulator to merge with multiply (important for sparse scalars)\n multiplyUnsafe(scalar, acc = Point.ZERO) {\n const n = scalar;\n aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L\n if (n === _0n)\n return I;\n if (this.is0() || n === _1n)\n return this;\n return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);\n }\n // Checks if point is of small order.\n // If you add something to small order point, you will have \"dirty\"\n // point with torsion component.\n // Multiplies point by cofactor and checks if the result is 0.\n isSmallOrder() {\n return this.multiplyUnsafe(cofactor).is0();\n }\n // Multiplies point by curve order and checks if the result is 0.\n // Returns `false` is the point is dirty.\n isTorsionFree() {\n return wnaf.unsafeLadder(this, CURVE_ORDER).is0();\n }\n // Converts Extended point to default (x, y) coordinates.\n // Can accept precomputed Z^-1 - for example, from invertBatch.\n toAffine(iz) {\n return toAffineMemo(this, iz);\n }\n clearCofactor() {\n const { h: cofactor } = CURVE;\n if (cofactor === _1n)\n return this;\n return this.multiplyUnsafe(cofactor);\n }\n // Converts hash string or Uint8Array to Point.\n // Uses algo from RFC8032 5.1.3.\n static fromHex(hex, zip215 = false) {\n const { d, a } = CURVE;\n const len = Fp.BYTES;\n hex = ensureBytes('pointHex', hex, len); // copy hex to a new array\n abool('zip215', zip215);\n const normed = hex.slice(); // copy again, we'll manipulate it\n const lastByte = hex[len - 1]; // select last byte\n normed[len - 1] = lastByte & ~0x80; // clear last bit\n const y = bytesToNumberLE(normed);\n // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.\n // RFC8032 prohibits >= p, but ZIP215 doesn't\n // zip215=true: 0 <= y < MASK (2^256 for ed25519)\n // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n const max = zip215 ? 
MASK : Fp.ORDER;\n aInRange('pointHex.y', y, _0n, max);\n // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:\n // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)\n const y2 = modP(y * y); // denominator is always non-0 mod p.\n const u = modP(y2 - _1n); // u = y² - 1\n const v = modP(d * y2 - a); // v = d y² + 1.\n let { isValid, value: x } = uvRatio(u, v); // √(u/v)\n if (!isValid)\n throw new Error('Point.fromHex: invalid y coordinate');\n const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper\n const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit\n if (!zip215 && x === _0n && isLastByteOdd)\n // if x=0 and x_0 = 1, fail\n throw new Error('Point.fromHex: x=0 and x_0=1');\n if (isLastByteOdd !== isXOdd)\n x = modP(-x); // if x_0 != x mod 2, set x = p-x\n return Point.fromAffine({ x, y });\n }\n static fromPrivateKey(privKey) {\n const { scalar } = getPrivateScalar(privKey);\n return G.multiply(scalar); // reduced one call of `toRawBytes`\n }\n toRawBytes() {\n const { x, y } = this.toAffine();\n const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)\n bytes[bytes.length - 1] |= x & _1n ? 
0x80 : 0; // when compressing, it's enough to store y\n return bytes; // and use the last byte to encode sign of x\n }\n toHex() {\n return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.\n }\n }\n // base / generator point\n Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));\n // zero / infinity / identity point\n Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0\n const { BASE: G, ZERO: I } = Point;\n const wnaf = wNAF(Point, nByteLength * 8);\n function modN(a) {\n return mod(a, CURVE_ORDER);\n }\n // Little-endian SHA512 with modulo n\n function modN_LE(hash) {\n return modN(bytesToNumberLE(hash));\n }\n // Get the hashed private scalar per RFC8032 5.1.5\n function getPrivateScalar(key) {\n const len = Fp.BYTES;\n key = ensureBytes('private key', key, len);\n // Hash private key with curve's hash function to produce uniformingly random input\n // Check byte lengths: ensure(64, h(ensure(32, key)))\n const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);\n const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE\n const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)\n const scalar = modN_LE(head); // The actual private scalar\n return { head, prefix, scalar };\n }\n // Convenience method that creates public key from scalar. RFC8032 5.1.5\n function getExtendedPublicKey(key) {\n const { head, prefix, scalar } = getPrivateScalar(key);\n const point = G.multiply(scalar); // Point on Edwards curve aka public key\n const pointBytes = point.toRawBytes(); // Uint8Array representation\n return { head, prefix, scalar, point, pointBytes };\n }\n // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. 
Use first half with 3 bits cleared\n function getPublicKey(privKey) {\n return getExtendedPublicKey(privKey).pointBytes;\n }\n // int('LE', SHA512(dom2(F, C) || msgs)) mod N\n function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {\n const msg = concatBytes(...msgs);\n return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));\n }\n /** Signs message with privateKey. RFC8032 5.1.6 */\n function sign(msg, privKey, options = {}) {\n msg = ensureBytes('message', msg);\n if (prehash)\n msg = prehash(msg); // for ed25519ph etc.\n const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);\n const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)\n const R = G.multiply(r).toRawBytes(); // R = rG\n const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)\n const s = modN(r + k * scalar); // S = (r + k * s) mod L\n aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l\n const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));\n return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature\n }\n const verifyOpts = VERIFY_DEFAULT;\n /**\n * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.\n * An extended group equation is checked.\n */\n function verify(sig, msg, publicKey, options = verifyOpts) {\n const { context, zip215 } = options;\n const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.\n sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.\n msg = ensureBytes('message', msg);\n publicKey = ensureBytes('publicKey', publicKey, len);\n if (zip215 !== undefined)\n abool('zip215', zip215);\n if (prehash)\n msg = prehash(msg); // for ed25519ph, etc\n const s = bytesToNumberLE(sig.slice(len, 2 * len));\n let A, R, SB;\n try {\n // zip215=true is good for consensus-critical apps. 
=false follows RFC8032 / NIST186-5.\n // zip215=true: 0 <= y < MASK (2^256 for ed25519)\n // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n A = Point.fromHex(publicKey, zip215);\n R = Point.fromHex(sig.slice(0, len), zip215);\n SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside\n }\n catch (error) {\n return false;\n }\n if (!zip215 && A.isSmallOrder())\n return false;\n const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);\n const RkA = R.add(A.multiplyUnsafe(k));\n // Extended group equation\n // [8][S]B = [8]R + [8][k]A'\n return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);\n }\n G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.\n const utils = {\n getExtendedPublicKey,\n /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */\n randomPrivateKey: () => randomBytes(Fp.BYTES),\n /**\n * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT\n * values. 
This slows down first getPublicKey() by milliseconds (see Speed section),\n * but allows to speed-up subsequent getPublicKey() calls up to 20x.\n * @param windowSize 2, 4, 8, 16\n */\n precompute(windowSize = 8, point = Point.BASE) {\n point._setWindowSize(windowSize);\n point.multiply(BigInt(3));\n return point;\n },\n };\n return {\n CURVE,\n getPublicKey,\n sign,\n verify,\n ExtendedPoint: Point,\n utils,\n };\n}\n//# sourceMappingURL=edwards.js.map"],"names":["_0n","BigInt","_1n","_2n","_8n","VERIFY_DEFAULT","zip215","curveDef","CURVE","curve","opts","validateBasic","validateObject","hash","a","d","randomBytes","adjustScalarBytes","domain","uvRatio","mapToCurve","Object","freeze","validateOpts","Fp","n","CURVE_ORDER","prehash","cHash","nByteLength","h","cofactor","MASK","modP","create","Fn","Field","nBitLength","x","y","x2","sqr","y2","left","add","mul","right","ONE","eql","isEdValidXY","Gx","Gy","Error","u","v","isValid","value","sqrt","inv","e","bytes","data","ctx","phflag","abool","length","aCoordinate","title","banZero","min","aInRange","aextpoint","other","Point","toAffineMemo","memoized","p","iz","ex","ey","ez","z","is0","ax","ay","zz","assertValidMemo","X","Y","Z","et","T","X2","Y2","Z2","Z4","aX2","constructor","this","toAffine","fromAffine","normalizeZ","points","toInv","FpInvertBatch","map","i","msm","scalars","pippenger","_setWindowSize","windowSize","wnaf","setWindowSize","assertValidity","equals","X1","Y1","Z1","X1Z2","X2Z1","Y1Z2","Y2Z1","ZERO","negate","double","A","B","C","D","x1y1","E","G","F","H","X3","Y3","T3","Z3","T1","T2","subtract","wNAF","wNAFCached","multiply","scalar","f","multiplyUnsafe","acc","I","wNAFCachedUnsafe","isSmallOrder","isTorsionFree","unsafeLadder","clearCofactor","fromHex","hex","len","BYTES","ensureBytes","normed","slice","lastByte","bytesToNumberLE","max","ORDER","isXOdd","isLastByteOdd","fromPrivateKey","privKey","getPrivateScalar","toRawBytes","numberToBytesLE","toHex","bytesToHex","BASE","modN","mod","modN_LE","key",
"hashed","head","prefix","getExtendedPublicKey","point","pointBytes","hashDomainToScalar","context","Uint8Array","of","msgs","msg","concatBytes","verifyOpts","getPublicKey","sign","options","r","R","s","res","verify","sig","publicKey","undefined","SB","error","k","ExtendedPoint","utils","randomPrivateKey","precompute"],"mappings":";;AAqBA,MAAMA,EAAMC,OAAO,GAAIC,EAAMD,OAAO,GAAIE,EAAMF,OAAO,GAAIG,EAAMH,OAAO,GAkBhEI,EAAiB,CAAEC,QAAQ,0BAsF3B,SAAyBC,GAC7B,MAAMC,EArFR,SAAsBC,GACpB,MAAMC,EAAOC,EAAaA,cAACF,GAiB3B,OAhBAG,EAAAA,eACEH,EACA,CACEI,KAAM,WACNC,EAAG,SACHC,EAAG,SACHC,YAAa,YAEf,CACEC,kBAAmB,WACnBC,OAAQ,WACRC,QAAS,WACTC,WAAY,aAITC,OAAOC,OAAO,IAAKZ,GAC5B,CAkEgBa,CAAahB,IACrBiB,GACJA,EACAC,EAAGC,EACHC,QAASA,EACTd,KAAMe,EAAKZ,YACXA,EAAWa,YACXA,EACAC,EAAGC,GACDvB,EAKEwB,EAAO7B,GAAQF,OAAqB,EAAd4B,GAAmB3B,EACzC+B,EAAOT,EAAGU,OACVC,EAAKC,EAAAA,MAAM5B,EAAMiB,EAAGjB,EAAM6B,YAYhC,IAVA,SAAqBC,EAAWC,GAC9B,MAAMC,EAAKhB,EAAGiB,IAAIH,GACZI,EAAKlB,EAAGiB,IAAIF,GACZI,EAAOnB,EAAGoB,IAAIpB,EAAGqB,IAAIrC,EAAMM,EAAG0B,GAAKE,GACnCI,EAAQtB,EAAGoB,IAAIpB,EAAGuB,IAAKvB,EAAGqB,IAAIrC,EAAMO,EAAGS,EAAGqB,IAAIL,EAAIE,KACxD,OAAOlB,EAAGwB,IAAIL,EAAMG,EACtB,CAIKG,CAAYzC,EAAM0C,GAAI1C,EAAM2C,IAAK,MAAM,IAAIC,MAAM,qCAGtD,MAAMjC,EACJX,EAAMW,SAAO,EACXkC,EAAWC,KACX,IACE,MAAO,CAAEC,SAAS,EAAMC,MAAOhC,EAAGiC,KAAKJ,EAAI7B,EAAGkC,IAAIJ,IACnD,CAAC,MAAOK,GACP,MAAO,CAAEJ,SAAS,EAAOC,MAAOxD,EAClC,CACD,GACGiB,EAAoBT,EAAMS,mBAAiB,CAAM2C,GAAsBA,GACvE1C,EACJV,EAAMU,QACL,EAAC2C,EAAkBC,EAAiBC,KAEnC,GADAC,EAAKA,MAAC,SAAUD,GACZD,EAAIG,QAAUF,EAAQ,MAAM,IAAIX,MAAM,uCAC1C,OAAOS,CACR,GAGH,SAASK,EAAYC,EAAe1C,EAAW2C,GAAU,GACvD,MAAMC,EAAMD,EAAUlE,EAAMF,EAC5BsE,EAAAA,SAAS,cAAgBH,EAAO1C,EAAG4C,EAAKrC,EAC1C,CAEA,SAASuC,EAAUC,GACjB,KAAMA,aAAiBC,GAAQ,MAAM,IAAIrB,MAAM,yBACjD,CAGA,MAAMsB,EAAeC,EAAAA,UAAS,CAACC,EAAUC,KACvC,MAAQC,GAAIxC,EAAGyC,GAAIxC,EAAGyC,GAAIC,GAAML,EAC1BM,EAAMN,EAAEM,MACJ,MAANL,IAAYA,EAAKK,EAAM9E,EAAOoB,EAAGkC,IAAIuB,IACzC,MAAME,EAAKlD,EAAKK,EAAIuC,GACdO,EAAKnD,EAAKM,EAAIsC,GACdQ,EAAKpD,EAAKgD,EAAIJ,GACpB,GAAIK,EAAK,MA
AO,CAAE5C,EAAGtC,EAAKuC,EAAGrC,GAC7B,GAAImF,IAAOnF,EAAK,MAAM,IAAIkD,MAAM,oBAChC,MAAO,CAAEd,EAAG6C,EAAI5C,EAAG6C,EAAI,IAEnBE,EAAkBX,EAAQA,UAAEC,IAChC,MAAM9D,EAAEA,EAACC,EAAEA,GAAMP,EACjB,GAAIoE,EAAEM,MAAO,MAAM,IAAI9B,MAAM,mBAG7B,MAAQ0B,GAAIS,EAAGR,GAAIS,EAAGR,GAAIS,EAAGC,GAAIC,GAAMf,EACjCgB,EAAK3D,EAAKsD,EAAIA,GACdM,EAAK5D,EAAKuD,EAAIA,GACdM,EAAK7D,EAAKwD,EAAIA,GACdM,EAAK9D,EAAK6D,EAAKA,GACfE,EAAM/D,EAAK2D,EAAK9E,GAGtB,GAFamB,EAAK6D,EAAK7D,EAAK+D,EAAMH,MACpB5D,EAAK8D,EAAK9D,EAAKlB,EAAIkB,EAAK2D,EAAKC,KACvB,MAAM,IAAIzC,MAAM,yCAIpC,GAFWnB,EAAKsD,EAAIC,KACTvD,EAAKwD,EAAIE,GACL,MAAM,IAAIvC,MAAM,yCAC/B,OAAO,CAAI,IAKb,MAAMqB,EAUJwB,WAAAA,CAAYnB,EAAYC,EAAYC,EAAYU,GAC9CxB,EAAY,IAAKY,GACjBZ,EAAY,IAAKa,GACjBb,EAAY,IAAKc,GAAI,GACrBd,EAAY,IAAKwB,GACjBQ,KAAKpB,GAAKA,EACVoB,KAAKnB,GAAKA,EACVmB,KAAKlB,GAAKA,EACVkB,KAAKR,GAAKA,EACVrE,OAAOC,OAAO4E,KAChB,CAEA,KAAI5D,GACF,OAAO4D,KAAKC,WAAW7D,CACzB,CACA,KAAIC,GACF,OAAO2D,KAAKC,WAAW5D,CACzB,CAEA,iBAAO6D,CAAWxB,GAChB,GAAIA,aAAaH,EAAO,MAAM,IAAIrB,MAAM,8BACxC,MAAMd,EAAEA,EAACC,EAAEA,GAAMqC,GAAK,CAAE,EAGxB,OAFAV,EAAY,IAAK5B,GACjB4B,EAAY,IAAK3B,GACV,IAAIkC,EAAMnC,EAAGC,EAAGrC,EAAK+B,EAAKK,EAAIC,GACvC,CACA,iBAAO8D,CAAWC,GAChB,MAAMC,EAAQC,EAAaA,cACzBhF,EACA8E,EAAOG,KAAK7B,GAAMA,EAAEI,MAEtB,OAAOsB,EAAOG,KAAI,CAAC7B,EAAG8B,IAAM9B,EAAEuB,SAASI,EAAMG,MAAKD,IAAIhC,EAAM2B,WAC9D,CAEA,UAAOO,CAAIL,EAAiBM,GAC1B,OAAOC,EAASA,UAACpC,EAAOtC,EAAImE,EAAQM,EACtC,CAGAE,cAAAA,CAAeC,GACbC,EAAKC,cAAcf,KAAMa,EAC3B,CAGAG,cAAAA,GACE5B,EAAgBY,KAClB,CAGAiB,MAAAA,CAAO3C,GACLD,EAAUC,GACV,MAAQM,GAAIsC,EAAIrC,GAAIsC,EAAIrC,GAAIsC,GAAOpB,MAC3BpB,GAAIc,EAAIb,GAAIc,EAAIb,GAAIc,GAAOtB,EAC7B+C,EAAOtF,EAAKmF,EAAKtB,GACjB0B,EAAOvF,EAAK2D,EAAK0B,GACjBG,EAAOxF,EAAKoF,EAAKvB,GACjB4B,EAAOzF,EAAK4D,EAAKyB,GACvB,OAAOC,IAASC,GAAQC,IAASC,CACnC,CAEAxC,GAAAA,GACE,OAAOgB,KAAKiB,OAAO1C,EAAMkD,KAC3B,CAEAC,MAAAA,GAEE,OAAO,IAAInD,EAAMxC,GAAMiE,KAAKpB,IAAKoB,KAAKnB,GAAImB,KAAKlB,GAAI/C,GAAMiE,KAAKR,IAChE,CAKAmC,MAAAA,GACE,MAAM/G,EAAEA,GAAMN,GACNsE,GAAIsC,EAAIrC,GAAIsC,EAAIrC,GAAIsC,GAAOpB,KAC7B4B
,EAAI7F,EAAKmF,EAAKA,GACdW,EAAI9F,EAAKoF,EAAKA,GACdW,EAAI/F,EAAK9B,EAAM8B,EAAKqF,EAAKA,IACzBW,EAAIhG,EAAKnB,EAAIgH,GACbI,EAAOd,EAAKC,EACZc,EAAIlG,EAAKA,EAAKiG,EAAOA,GAAQJ,EAAIC,GACjCK,EAAIH,EAAIF,EACRM,EAAID,EAAIJ,EACRM,EAAIL,EAAIF,EACRQ,EAAKtG,EAAKkG,EAAIE,GACdG,EAAKvG,EAAKmG,EAAIE,GACdG,EAAKxG,EAAKkG,EAAIG,GACdI,EAAKzG,EAAKoG,EAAID,GACpB,OAAO,IAAI3D,EAAM8D,EAAIC,EAAIE,EAAID,EAC/B,CAKA7F,GAAAA,CAAI4B,GACFD,EAAUC,GACV,MAAM1D,EAAEA,EAACC,EAAEA,GAAMP,GACTsE,GAAIsC,EAAIrC,GAAIsC,EAAIrC,GAAIsC,EAAI5B,GAAIiD,GAAOzC,MACnCpB,GAAIc,EAAIb,GAAIc,EAAIb,GAAIc,EAAIJ,GAAIkD,GAAOpE,EACrCsD,EAAI7F,EAAKmF,EAAKxB,GACdmC,EAAI9F,EAAKoF,EAAKxB,GACdmC,EAAI/F,EAAK0G,EAAK5H,EAAI6H,GAClBX,EAAIhG,EAAKqF,EAAKxB,GACdqC,EAAIlG,GAAMmF,EAAKC,IAAOzB,EAAKC,GAAMiC,EAAIC,GACrCM,EAAIJ,EAAID,EACRI,EAAIH,EAAID,EACRM,EAAIrG,EAAK8F,EAAIjH,EAAIgH,GACjBS,EAAKtG,EAAKkG,EAAIE,GACdG,EAAKvG,EAAKmG,EAAIE,GACdG,EAAKxG,EAAKkG,EAAIG,GACdI,EAAKzG,EAAKoG,EAAID,GACpB,OAAO,IAAI3D,EAAM8D,EAAIC,EAAIE,EAAID,EAC/B,CAEAI,QAAAA,CAASrE,GACP,OAAO0B,KAAKtD,IAAI4B,EAAMoD,SACxB,CAEQkB,IAAAA,CAAKrH,GACX,OAAOuF,EAAK+B,WAAW7C,KAAMzE,EAAGgD,EAAM4B,WACxC,CAGA2C,QAAAA,CAASC,GACP,MAAMxH,EAAIwH,EACV3E,EAAAA,SAAS,SAAU7C,EAAGvB,EAAKwB,GAC3B,MAAMkD,EAAEA,EAACsE,EAAEA,GAAMhD,KAAK4C,KAAKrH,GAC3B,OAAOgD,EAAM4B,WAAW,CAACzB,EAAGsE,IAAI,EAClC,CAOAC,cAAAA,CAAeF,EAAgBG,EAAM3E,EAAMkD,MACzC,MAAMlG,EAAIwH,EAEV,OADA3E,EAAAA,SAAS,SAAU7C,EAAGzB,EAAK0B,GACvBD,IAAMzB,EAAYqJ,EAClBnD,KAAKhB,OAASzD,IAAMvB,EAAYgG,KAC7Bc,EAAKsC,iBAAiBpD,KAAMzE,EAAGgD,EAAM4B,WAAY+C,EAC1D,CAMAG,YAAAA,GACE,OAAOrD,KAAKiD,eAAepH,GAAUmD,KACvC,CAIAsE,aAAAA,GACE,OAAOxC,EAAKyC,aAAavD,KAAMxE,GAAawD,KAC9C,CAIAiB,QAAAA,CAAStB,GACP,OAAOH,EAAawB,KAAMrB,EAC5B,CAEA6E,aAAAA,GACE,MAAQ5H,EAAGC,GAAavB,EACxB,OAAIuB,IAAa7B,EAAYgG,KACtBA,KAAKiD,eAAepH,EAC7B,CAIA,cAAO4H,CAAQC,EAAUtJ,GAAS,GAChC,MAAMS,EAAEA,EAACD,EAAEA,GAAMN,EACXqJ,EAAMrI,EAAGsI,MACfF,EAAMG,EAAAA,YAAY,WAAYH,EAAKC,GACnC7F,EAAKA,MAAC,SAAU1D,GAChB,MAAM0J,EAASJ,EAAIK,QACbC,EAAWN,EAAIC,EAAM,GAC3BG,EAAOH,EAAM,IAAgB,IAAXK,EAClB,MAAM3H,EAAI4H,E
AAeA,gBAACH,GAMpBI,EAAM9J,EAAS0B,EAAOR,EAAG6I,MAC/B/F,EAAAA,SAAS,aAAc/B,EAAGvC,EAAKoK,GAI/B,MAAM1H,EAAKT,EAAKM,EAAIA,GACdc,EAAIpB,EAAKS,EAAKxC,GACdoD,EAAIrB,EAAKlB,EAAI2B,EAAK5B,GACxB,IAAIyC,QAAEA,EAASC,MAAOlB,GAAMnB,EAAQkC,EAAGC,GACvC,IAAKC,EAAS,MAAM,IAAIH,MAAM,uCAC9B,MAAMkH,GAAUhI,EAAIpC,KAASA,EACvBqK,KAA4B,IAAXL,GACvB,IAAK5J,GAAUgC,IAAMtC,GAAOuK,EAE1B,MAAM,IAAInH,MAAM,gCAElB,OADImH,IAAkBD,IAAQhI,EAAIL,GAAMK,IACjCmC,EAAM2B,WAAW,CAAE9D,IAAGC,KAC/B,CACA,qBAAOiI,CAAeC,GACpB,MAAMxB,OAAEA,GAAWyB,EAAiBD,GACpC,OAAOrC,EAAEY,SAASC,EACpB,CACA0B,UAAAA,GACE,MAAMrI,EAAEA,EAACC,EAAEA,GAAM2D,KAAKC,WAChBvC,EAAQgH,EAAeA,gBAACrI,EAAGf,EAAGsI,OAEpC,OADAlG,EAAMA,EAAMK,OAAS,IAAM3B,EAAIpC,EAAM,IAAO,EACrC0D,CACT,CACAiH,KAAAA,GACE,OAAOC,aAAW5E,KAAKyE,aACzB,EA/NgBlG,EAAAsG,KAAO,IAAItG,EAAMjE,EAAM0C,GAAI1C,EAAM2C,GAAIjD,EAAK+B,EAAKzB,EAAM0C,GAAK1C,EAAM2C,KAEhEsB,EAAAkD,KAAO,IAAIlD,EAAMzE,EAAKE,EAAKA,EAAKF,GA+NlD,MAAQ+K,KAAM3C,EAAGT,KAAM0B,GAAM5E,EACvBuC,EAAO8B,EAAIA,KAACrE,EAAqB,EAAd5C,GAEzB,SAASmJ,EAAKlK,GACZ,OAAOmK,EAAGA,IAACnK,EAAGY,EAChB,CAEA,SAASwJ,EAAQrK,GACf,OAAOmK,EAAKb,kBAAgBtJ,GAC9B,CAGA,SAAS6J,EAAiBS,GACxB,MAAMtB,EAAMrI,EAAGsI,MACfqB,EAAMpB,EAAWA,YAAC,cAAeoB,EAAKtB,GAGtC,MAAMuB,EAASrB,EAAAA,YAAY,qBAAsBnI,EAAMuJ,GAAM,EAAItB,GAC3DwB,EAAOpK,EAAkBmK,EAAOnB,MAAM,EAAGJ,IAG/C,MAAO,CAAEwB,OAAMC,OAFAF,EAAOnB,MAAMJ,EAAK,EAAIA,GAEdZ,OADRiC,EAAQG,GAEzB,CAGA,SAASE,EAAqBJ,GAC5B,MAAME,KAAEA,EAAIC,OAAEA,EAAMrC,OAAEA,GAAWyB,EAAiBS,GAC5CK,EAAQpD,EAAEY,SAASC,GACnBwC,EAAaD,EAAMb,aACzB,MAAO,CAAEU,OAAMC,SAAQrC,SAAQuC,QAAOC,aACxC,CAQA,SAASC,EAAmBC,EAAeC,WAAWC,QAASC,GAC7D,MAAMC,EAAMC,iBAAeF,GAC3B,OAAOZ,EAAQtJ,EAAMV,EAAO6K,EAAKhC,EAAAA,YAAY,UAAW4B,KAAYhK,IACtE,CAgBA,MAAMsK,EAAkD5L,EAwDxD,OApBA+H,EAAEtB,eAAe,GAoBV,CACLtG,QACA0L,aAlFF,SAAsBzB,GACpB,OAAOc,EAAqBd,GAASgB,UACvC,EAiFEU,KAxEF,SAAcJ,EAAUtB,EAAc2B,EAA6B,CAAA,GACjEL,EAAMhC,EAAAA,YAAY,UAAWgC,GACzBpK,IAASoK,EAAMpK,EAAQoK,IAC3B,MAAMT,OAAEA,EAAMrC,OAAEA,EAAMwC,WAAEA,GAAeF,EAAqBd,GACtD4B,EAAIX,EAAmBU,EAAQT,QAASL,EAAQS,GAChDO,EAAIlE,EAAEY,SAASqD,GAAG1B,
aAElB4B,EAAIvB,EAAKqB,EADLX,EAAmBU,EAAQT,QAASW,EAAGb,EAAYM,GACtC9C,GACvB3E,EAAAA,SAAS,cAAeiI,EAAGvM,EAAK0B,GAChC,MAAM8K,EAAMR,EAAAA,YAAYM,EAAG1B,EAAeA,gBAAC2B,EAAG/K,EAAGsI,QACjD,OAAOC,EAAAA,YAAY,SAAUyC,EAAgB,EAAXhL,EAAGsI,MACvC,EA8DE2C,OAtDF,SAAgBC,EAAUX,EAAUY,EAAgBP,EAAUH,GAC5D,MAAMN,QAAEA,EAAOrL,OAAEA,GAAW8L,EACtBvC,EAAMrI,EAAGsI,MACf4C,EAAM3C,EAAWA,YAAC,YAAa2C,EAAK,EAAI7C,GACxCkC,EAAMhC,EAAAA,YAAY,UAAWgC,GAC7BY,EAAY5C,EAAWA,YAAC,YAAa4C,EAAW9C,QACjC+C,IAAXtM,GAAsB0D,QAAM,SAAU1D,GACtCqB,IAASoK,EAAMpK,EAAQoK,IAE3B,MAAMQ,EAAIpC,EAAAA,gBAAgBuC,EAAIzC,MAAMJ,EAAK,EAAIA,IAC7C,IAAI/B,EAAGwE,EAAGO,EACV,IAIE/E,EAAIrD,EAAMkF,QAAQgD,EAAWrM,GAC7BgM,EAAI7H,EAAMkF,QAAQ+C,EAAIzC,MAAM,EAAGJ,GAAMvJ,GACrCuM,EAAKzE,EAAEe,eAAeoD,EACvB,CAAC,MAAOO,GACP,OAAO,CACT,CACA,IAAKxM,GAAUwH,EAAEyB,eAAgB,OAAO,EAExC,MAAMwD,EAAIrB,EAAmBC,EAASW,EAAE3B,aAAc7C,EAAE6C,aAAcoB,GAItE,OAHYO,EAAE1J,IAAIkF,EAAEqB,eAAe4D,IAGxBlE,SAASgE,GAAInD,gBAAgBvC,OAAO1C,EAAMkD,KACvD,EA2BEqF,cAAevI,EACfwI,MAxBY,CACZ1B,uBAEA2B,iBAAkBA,IAAkBlM,EAAYQ,EAAGsI,OAQnDqD,WAAUA,CAACpG,EAAa,EAAGyE,EAAsB/G,EAAMsG,QACrDS,EAAM1E,eAAeC,GACrByE,EAAMxC,SAAS/I,OAAO,IACfuL,IAYb","x_google_ignoreList":[0]}
|
|
1
|
+
{"version":3,"file":"edwards.js","sources":["../../../../../../../node_modules/@noble/curves/esm/abstract/edwards.js"],"sourcesContent":["/**\n * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².\n * For design rationale of types / exports, see weierstrass module documentation.\n * Untwisted Edwards curves exist, but they aren't used in real-world protocols.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { _validateObject, _abool2 as abool, _abytes2 as abytes, aInRange, bytesToHex, bytesToNumberLE, concatBytes, copyBytes, ensureBytes, isBytes, memoized, notImplemented, randomBytes as randomBytesWeb, } from \"../utils.js\";\nimport { _createCurveFields, normalizeZ, pippenger, wNAF, } from \"./curve.js\";\nimport { Field } from \"./modular.js\";\n// Be friendly to bad ECMAScript parsers by not using bigint literals\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);\nfunction isEdValidXY(Fp, CURVE, x, y) {\n const x2 = Fp.sqr(x);\n const y2 = Fp.sqr(y);\n const left = Fp.add(Fp.mul(CURVE.a, x2), y2);\n const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));\n return Fp.eql(left, right);\n}\nexport function edwards(params, extraOpts = {}) {\n const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);\n const { Fp, Fn } = validated;\n let CURVE = validated.CURVE;\n const { h: cofactor } = CURVE;\n _validateObject(extraOpts, {}, { uvRatio: 'function' });\n // Important:\n // There are some places where Fp.BYTES is used instead of nByteLength.\n // So far, everything has been tested with curves of Fp.BYTES == nByteLength.\n // TODO: test and find curves which behave otherwise.\n const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);\n const modP = (n) => Fp.create(n); // Function overrides\n // sqrt(u/v)\n const uvRatio = extraOpts.uvRatio ||\n ((u, v) => {\n try {\n return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };\n }\n catch (e) 
{\n return { isValid: false, value: _0n };\n }\n });\n // Validate whether the passed curve params are valid.\n // equation ax² + y² = 1 + dx²y² should work for generator point.\n if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))\n throw new Error('bad curve params: generator point');\n /**\n * Asserts coordinate is valid: 0 <= n < MASK.\n * Coordinates >= Fp.ORDER are allowed for zip215.\n */\n function acoord(title, n, banZero = false) {\n const min = banZero ? _1n : _0n;\n aInRange('coordinate ' + title, n, min, MASK);\n return n;\n }\n function aextpoint(other) {\n if (!(other instanceof Point))\n throw new Error('ExtendedPoint expected');\n }\n // Converts Extended point to default (x, y) coordinates.\n // Can accept precomputed Z^-1 - for example, from invertBatch.\n const toAffineMemo = memoized((p, iz) => {\n const { X, Y, Z } = p;\n const is0 = p.is0();\n if (iz == null)\n iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily\n const x = modP(X * iz);\n const y = modP(Y * iz);\n const zz = Fp.mul(Z, iz);\n if (is0)\n return { x: _0n, y: _1n };\n if (zz !== _1n)\n throw new Error('invZ was invalid');\n return { x, y };\n });\n const assertValidMemo = memoized((p) => {\n const { a, d } = CURVE;\n if (p.is0())\n throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?\n // Equation in affine coordinates: ax² + y² = 1 + dx²y²\n // Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²\n const { X, Y, Z, T } = p;\n const X2 = modP(X * X); // X²\n const Y2 = modP(Y * Y); // Y²\n const Z2 = modP(Z * Z); // Z²\n const Z4 = modP(Z2 * Z2); // Z⁴\n const aX2 = modP(X2 * a); // aX²\n const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²\n const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²\n if (left !== right)\n throw new Error('bad point: equation left != right (1)');\n // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T\n const XY = modP(X * Y);\n const ZT = modP(Z * T);\n if (XY !== ZT)\n 
throw new Error('bad point: equation left != right (2)');\n return true;\n });\n // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).\n // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates\n class Point {\n constructor(X, Y, Z, T) {\n this.X = acoord('x', X);\n this.Y = acoord('y', Y);\n this.Z = acoord('z', Z, true);\n this.T = acoord('t', T);\n Object.freeze(this);\n }\n static CURVE() {\n return CURVE;\n }\n static fromAffine(p) {\n if (p instanceof Point)\n throw new Error('extended point not allowed');\n const { x, y } = p || {};\n acoord('x', x);\n acoord('y', y);\n return new Point(x, y, _1n, modP(x * y));\n }\n // Uses algo from RFC8032 5.1.3.\n static fromBytes(bytes, zip215 = false) {\n const len = Fp.BYTES;\n const { a, d } = CURVE;\n bytes = copyBytes(abytes(bytes, len, 'point'));\n abool(zip215, 'zip215');\n const normed = copyBytes(bytes); // copy again, we'll manipulate it\n const lastByte = bytes[len - 1]; // select last byte\n normed[len - 1] = lastByte & ~0x80; // clear last bit\n const y = bytesToNumberLE(normed);\n // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.\n // RFC8032 prohibits >= p, but ZIP215 doesn't\n // zip215=true: 0 <= y < MASK (2^256 for ed25519)\n // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n const max = zip215 ? MASK : Fp.ORDER;\n aInRange('point.y', y, _0n, max);\n // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:\n // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)\n const y2 = modP(y * y); // denominator is always non-0 mod p.\n const u = modP(y2 - _1n); // u = y² - 1\n const v = modP(d * y2 - a); // v = d y² + 1.\n let { isValid, value: x } = uvRatio(u, v); // √(u/v)\n if (!isValid)\n throw new Error('bad point: invalid y coordinate');\n const isXOdd = (x & _1n) === _1n; // There are 2 square roots. 
Use x_0 bit to select proper\n const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit\n if (!zip215 && x === _0n && isLastByteOdd)\n // if x=0 and x_0 = 1, fail\n throw new Error('bad point: x=0 and x_0=1');\n if (isLastByteOdd !== isXOdd)\n x = modP(-x); // if x_0 != x mod 2, set x = p-x\n return Point.fromAffine({ x, y });\n }\n static fromHex(bytes, zip215 = false) {\n return Point.fromBytes(ensureBytes('point', bytes), zip215);\n }\n get x() {\n return this.toAffine().x;\n }\n get y() {\n return this.toAffine().y;\n }\n precompute(windowSize = 8, isLazy = true) {\n wnaf.createCache(this, windowSize);\n if (!isLazy)\n this.multiply(_2n); // random number\n return this;\n }\n // Useful in fromAffine() - not for fromBytes(), which always created valid points.\n assertValidity() {\n assertValidMemo(this);\n }\n // Compare one point to another.\n equals(other) {\n aextpoint(other);\n const { X: X1, Y: Y1, Z: Z1 } = this;\n const { X: X2, Y: Y2, Z: Z2 } = other;\n const X1Z2 = modP(X1 * Z2);\n const X2Z1 = modP(X2 * Z1);\n const Y1Z2 = modP(Y1 * Z2);\n const Y2Z1 = modP(Y2 * Z1);\n return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;\n }\n is0() {\n return this.equals(Point.ZERO);\n }\n negate() {\n // Flips point sign to a negative one (-x, y in affine coords)\n return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));\n }\n // Fast algo for doubling Extended Point.\n // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd\n // Cost: 4M + 4S + 1*a + 6add + 1*2.\n double() {\n const { a } = CURVE;\n const { X: X1, Y: Y1, Z: Z1 } = this;\n const A = modP(X1 * X1); // A = X12\n const B = modP(Y1 * Y1); // B = Y12\n const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12\n const D = modP(a * A); // D = a*A\n const x1y1 = X1 + Y1;\n const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B\n const G = D + B; // G = D+B\n const F = G - C; // F = G-C\n const H = D - B; // H = D-B\n const X3 = modP(E * F); // X3 = E*F\n const Y3 = modP(G * H); 
// Y3 = G*H\n const T3 = modP(E * H); // T3 = E*H\n const Z3 = modP(F * G); // Z3 = F*G\n return new Point(X3, Y3, Z3, T3);\n }\n // Fast algo for adding 2 Extended Points.\n // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd\n // Cost: 9M + 1*a + 1*d + 7add.\n add(other) {\n aextpoint(other);\n const { a, d } = CURVE;\n const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;\n const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;\n const A = modP(X1 * X2); // A = X1*X2\n const B = modP(Y1 * Y2); // B = Y1*Y2\n const C = modP(T1 * d * T2); // C = T1*d*T2\n const D = modP(Z1 * Z2); // D = Z1*Z2\n const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B\n const F = D - C; // F = D-C\n const G = D + C; // G = D+C\n const H = modP(B - a * A); // H = B-a*A\n const X3 = modP(E * F); // X3 = E*F\n const Y3 = modP(G * H); // Y3 = G*H\n const T3 = modP(E * H); // T3 = E*H\n const Z3 = modP(F * G); // Z3 = F*G\n return new Point(X3, Y3, Z3, T3);\n }\n subtract(other) {\n return this.add(other.negate());\n }\n // Constant-time multiplication.\n multiply(scalar) {\n // 1 <= scalar < L\n if (!Fn.isValidNot0(scalar))\n throw new Error('invalid scalar: expected 1 <= sc < curve.n');\n const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));\n return normalizeZ(Point, [p, f])[0];\n }\n // Non-constant-time multiplication. Uses double-and-add algorithm.\n // It's faster, but should only be used when you don't care about\n // an exposed private key e.g. 
sig verification.\n // Does NOT allow scalars higher than CURVE.n.\n // Accepts optional accumulator to merge with multiply (important for sparse scalars)\n multiplyUnsafe(scalar, acc = Point.ZERO) {\n // 0 <= scalar < L\n if (!Fn.isValid(scalar))\n throw new Error('invalid scalar: expected 0 <= sc < curve.n');\n if (scalar === _0n)\n return Point.ZERO;\n if (this.is0() || scalar === _1n)\n return this;\n return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);\n }\n // Checks if point is of small order.\n // If you add something to small order point, you will have \"dirty\"\n // point with torsion component.\n // Multiplies point by cofactor and checks if the result is 0.\n isSmallOrder() {\n return this.multiplyUnsafe(cofactor).is0();\n }\n // Multiplies point by curve order and checks if the result is 0.\n // Returns `false` is the point is dirty.\n isTorsionFree() {\n return wnaf.unsafe(this, CURVE.n).is0();\n }\n // Converts Extended point to default (x, y) coordinates.\n // Can accept precomputed Z^-1 - for example, from invertBatch.\n toAffine(invertedZ) {\n return toAffineMemo(this, invertedZ);\n }\n clearCofactor() {\n if (cofactor === _1n)\n return this;\n return this.multiplyUnsafe(cofactor);\n }\n toBytes() {\n const { x, y } = this.toAffine();\n // Fp.toBytes() allows non-canonical encoding of y (>= p).\n const bytes = Fp.toBytes(y);\n // Each y has 2 valid points: (x, y), (x,-y).\n // When compressing, it's enough to store y and use the last byte to encode sign of x\n bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;\n return bytes;\n }\n toHex() {\n return bytesToHex(this.toBytes());\n }\n toString() {\n return `<Point ${this.is0() ? 
'ZERO' : this.toHex()}>`;\n }\n // TODO: remove\n get ex() {\n return this.X;\n }\n get ey() {\n return this.Y;\n }\n get ez() {\n return this.Z;\n }\n get et() {\n return this.T;\n }\n static normalizeZ(points) {\n return normalizeZ(Point, points);\n }\n static msm(points, scalars) {\n return pippenger(Point, Fn, points, scalars);\n }\n _setWindowSize(windowSize) {\n this.precompute(windowSize);\n }\n toRawBytes() {\n return this.toBytes();\n }\n }\n // base / generator point\n Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));\n // zero / infinity / identity point\n Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0\n // math field\n Point.Fp = Fp;\n // scalar field\n Point.Fn = Fn;\n const wnaf = new wNAF(Point, Fn.BITS);\n Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.\n return Point;\n}\n/**\n * Base class for prime-order points like Ristretto255 and Decaf448.\n * These points eliminate cofactor issues by representing equivalence classes\n * of Edwards curve points.\n */\nexport class PrimeEdwardsPoint {\n constructor(ep) {\n this.ep = ep;\n }\n // Static methods that must be implemented by subclasses\n static fromBytes(_bytes) {\n notImplemented();\n }\n static fromHex(_hex) {\n notImplemented();\n }\n get x() {\n return this.toAffine().x;\n }\n get y() {\n return this.toAffine().y;\n }\n // Common implementations\n clearCofactor() {\n // no-op for prime-order groups\n return this;\n }\n assertValidity() {\n this.ep.assertValidity();\n }\n toAffine(invertedZ) {\n return this.ep.toAffine(invertedZ);\n }\n toHex() {\n return bytesToHex(this.toBytes());\n }\n toString() {\n return this.toHex();\n }\n isTorsionFree() {\n return true;\n }\n isSmallOrder() {\n return false;\n }\n add(other) {\n this.assertSame(other);\n return this.init(this.ep.add(other.ep));\n }\n subtract(other) {\n this.assertSame(other);\n return this.init(this.ep.subtract(other.ep));\n }\n multiply(scalar) {\n 
return this.init(this.ep.multiply(scalar));\n }\n multiplyUnsafe(scalar) {\n return this.init(this.ep.multiplyUnsafe(scalar));\n }\n double() {\n return this.init(this.ep.double());\n }\n negate() {\n return this.init(this.ep.negate());\n }\n precompute(windowSize, isLazy) {\n return this.init(this.ep.precompute(windowSize, isLazy));\n }\n /** @deprecated use `toBytes` */\n toRawBytes() {\n return this.toBytes();\n }\n}\n/**\n * Initializes EdDSA signatures over given Edwards curve.\n */\nexport function eddsa(Point, cHash, eddsaOpts = {}) {\n if (typeof cHash !== 'function')\n throw new Error('\"hash\" function param is required');\n _validateObject(eddsaOpts, {}, {\n adjustScalarBytes: 'function',\n randomBytes: 'function',\n domain: 'function',\n prehash: 'function',\n mapToCurve: 'function',\n });\n const { prehash } = eddsaOpts;\n const { BASE, Fp, Fn } = Point;\n const randomBytes = eddsaOpts.randomBytes || randomBytesWeb;\n const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);\n const domain = eddsaOpts.domain ||\n ((data, ctx, phflag) => {\n abool(phflag, 'phflag');\n if (ctx.length || phflag)\n throw new Error('Contexts/pre-hash are not supported');\n return data;\n }); // NOOP\n // Little-endian SHA512 with modulo n\n function modN_LE(hash) {\n return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit\n }\n // Get the hashed private scalar per RFC8032 5.1.5\n function getPrivateScalar(key) {\n const len = lengths.secretKey;\n key = ensureBytes('private key', key, len);\n // Hash private key with curve's hash function to produce uniformingly random input\n // Check byte lengths: ensure(64, h(ensure(32, key)))\n const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);\n const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE\n const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)\n const scalar = modN_LE(head); // The actual 
private scalar\n return { head, prefix, scalar };\n }\n /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */\n function getExtendedPublicKey(secretKey) {\n const { head, prefix, scalar } = getPrivateScalar(secretKey);\n const point = BASE.multiply(scalar); // Point on Edwards curve aka public key\n const pointBytes = point.toBytes();\n return { head, prefix, scalar, point, pointBytes };\n }\n /** Calculates EdDSA pub key. RFC8032 5.1.5. */\n function getPublicKey(secretKey) {\n return getExtendedPublicKey(secretKey).pointBytes;\n }\n // int('LE', SHA512(dom2(F, C) || msgs)) mod N\n function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {\n const msg = concatBytes(...msgs);\n return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));\n }\n /** Signs message with privateKey. RFC8032 5.1.6 */\n function sign(msg, secretKey, options = {}) {\n msg = ensureBytes('message', msg);\n if (prehash)\n msg = prehash(msg); // for ed25519ph etc.\n const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);\n const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)\n const R = BASE.multiply(r).toBytes(); // R = rG\n const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)\n const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L\n if (!Fn.isValid(s))\n throw new Error('sign failed: invalid s'); // 0 <= s < L\n const rs = concatBytes(R, Fn.toBytes(s));\n return abytes(rs, lengths.signature, 'result');\n }\n // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:\n const verifyOpts = { zip215: true };\n /**\n * Verifies EdDSA signature against message and public key. 
RFC8032 5.1.7.\n * An extended group equation is checked.\n */\n function verify(sig, msg, publicKey, options = verifyOpts) {\n const { context, zip215 } = options;\n const len = lengths.signature;\n sig = ensureBytes('signature', sig, len);\n msg = ensureBytes('message', msg);\n publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);\n if (zip215 !== undefined)\n abool(zip215, 'zip215');\n if (prehash)\n msg = prehash(msg); // for ed25519ph, etc\n const mid = len / 2;\n const r = sig.subarray(0, mid);\n const s = bytesToNumberLE(sig.subarray(mid, len));\n let A, R, SB;\n try {\n // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.\n // zip215=true: 0 <= y < MASK (2^256 for ed25519)\n // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n A = Point.fromBytes(publicKey, zip215);\n R = Point.fromBytes(r, zip215);\n SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside\n }\n catch (error) {\n return false;\n }\n if (!zip215 && A.isSmallOrder())\n return false; // zip215 allows public keys of small order\n const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);\n const RkA = R.add(A.multiplyUnsafe(k));\n // Extended group equation\n // [8][S]B = [8]R + [8][k]A'\n return RkA.subtract(SB).clearCofactor().is0();\n }\n const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448\n const lengths = {\n secretKey: _size,\n publicKey: _size,\n signature: 2 * _size,\n seed: _size,\n };\n function randomSecretKey(seed = randomBytes(lengths.seed)) {\n return abytes(seed, lengths.seed, 'seed');\n }\n function keygen(seed) {\n const secretKey = utils.randomSecretKey(seed);\n return { secretKey, publicKey: getPublicKey(secretKey) };\n }\n function isValidSecretKey(key) {\n return isBytes(key) && key.length === Fn.BYTES;\n }\n function isValidPublicKey(key, zip215) {\n try {\n return !!Point.fromBytes(key, zip215);\n }\n catch (error) {\n return false;\n }\n }\n const utils = {\n getExtendedPublicKey,\n randomSecretKey,\n 
isValidSecretKey,\n isValidPublicKey,\n /**\n * Converts ed public key to x public key. Uses formula:\n * - ed25519:\n * - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`\n * - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`\n * - ed448:\n * - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`\n * - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`\n */\n toMontgomery(publicKey) {\n const { y } = Point.fromBytes(publicKey);\n const size = lengths.publicKey;\n const is25519 = size === 32;\n if (!is25519 && size !== 57)\n throw new Error('only defined for 25519 and 448');\n const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);\n return Fp.toBytes(u);\n },\n toMontgomerySecret(secretKey) {\n const size = lengths.secretKey;\n abytes(secretKey, size);\n const hashed = cHash(secretKey.subarray(0, size));\n return adjustScalarBytes(hashed).subarray(0, size);\n },\n /** @deprecated */\n randomPrivateKey: randomSecretKey,\n /** @deprecated */\n precompute(windowSize = 8, point = Point.BASE) {\n return point.precompute(windowSize, false);\n },\n };\n return Object.freeze({\n keygen,\n getPublicKey,\n sign,\n verify,\n utils,\n Point,\n lengths,\n });\n}\nfunction _eddsa_legacy_opts_to_new(c) {\n const CURVE = {\n a: c.a,\n d: c.d,\n p: c.Fp.ORDER,\n n: c.n,\n h: c.h,\n Gx: c.Gx,\n Gy: c.Gy,\n };\n const Fp = c.Fp;\n const Fn = Field(CURVE.n, c.nBitLength, true);\n const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };\n const eddsaOpts = {\n randomBytes: c.randomBytes,\n adjustScalarBytes: c.adjustScalarBytes,\n domain: c.domain,\n prehash: c.prehash,\n mapToCurve: c.mapToCurve,\n };\n return { CURVE, curveOpts, hash: c.hash, eddsaOpts };\n}\nfunction _eddsa_new_output_to_legacy(c, eddsa) {\n const Point = eddsa.Point;\n const legacy = Object.assign({}, eddsa, {\n ExtendedPoint: Point,\n CURVE: c,\n nBitLength: Point.Fn.BITS,\n nByteLength: Point.Fn.BYTES,\n });\n return legacy;\n}\n// TODO: remove. 
Use eddsa\nexport function twistedEdwards(c) {\n const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);\n const Point = edwards(CURVE, curveOpts);\n const EDDSA = eddsa(Point, hash, eddsaOpts);\n return _eddsa_new_output_to_legacy(c, EDDSA);\n}\n//# sourceMappingURL=edwards.js.map"],"names":["_0n","BigInt","_1n","_2n","_8n","edwards","params","extraOpts","validated","_createCurveFields","FpFnLE","Fp","Fn","CURVE","h","cofactor","_validateObject","uvRatio","MASK","BYTES","modP","n","create","u","v","isValid","value","sqrt","div","e","x","y","x2","sqr","y2","left","add","mul","a","right","ONE","d","eql","isEdValidXY","Gx","Gy","Error","acoord","title","banZero","min","aInRange","aextpoint","other","Point","toAffineMemo","memoized","p","iz","X","Y","Z","is0","inv","zz","assertValidMemo","T","X2","Y2","Z2","Z4","aX2","constructor","this","Object","freeze","fromAffine","fromBytes","bytes","zip215","len","copyBytes","abytes","abool","normed","lastByte","bytesToNumberLE","max","ORDER","isXOdd","isLastByteOdd","fromHex","ensureBytes","toAffine","precompute","windowSize","isLazy","wnaf","createCache","multiply","assertValidity","equals","X1","Y1","Z1","X1Z2","X2Z1","Y1Z2","Y2Z1","ZERO","negate","double","A","B","C","D","x1y1","E","G","F","H","X3","Y3","T3","Z3","T1","T2","subtract","scalar","isValidNot0","f","cached","normalizeZ","multiplyUnsafe","acc","unsafe","isSmallOrder","isTorsionFree","invertedZ","clearCofactor","toBytes","length","toHex","bytesToHex","toString","ex","ey","ez","et","points","msm","scalars","pippenger","_setWindowSize","toRawBytes","BASE","wNAF","BITS","eddsa","cHash","eddsaOpts","adjustScalarBytes","randomBytes","domain","prehash","mapToCurve","randomBytesWeb","data","ctx","phflag","modN_LE","hash","getExtendedPublicKey","secretKey","head","prefix","key","lengths","hashed","slice","getPrivateScalar","point","pointBytes","getPublicKey","hashDomainToScalar","context","Uint8Array","of","msgs","msg","concatBytes","verifyOpts","_size",
"publicKey","signature","seed","randomSecretKey","utils","isValidSecretKey","isBytes","isValidPublicKey","error","toMontgomery","size","is25519","toMontgomerySecret","subarray","randomPrivateKey","keygen","sign","options","r","R","k","s","rs","verify","sig","undefined","mid","SB","c","curveOpts","Field","nBitLength","_eddsa_legacy_opts_to_new","assign","ExtendedPoint","nByteLength","_eddsa_new_output_to_legacy"],"mappings":";;AAuCA,MAAMA,EAAMC,OAAO,GAAIC,EAAMD,OAAO,GAAIE,EAAMF,OAAO,GAAIG,EAAMH,OAAO,GAsKhE,SAAUI,EAAQC,EAAqBC,EAA8B,IACzE,MAAMC,EAAYC,EAAAA,mBAAmB,UAAWH,EAAQC,EAAWA,EAAUG,SACvEC,GAAEA,EAAEC,GAAEA,GAAOJ,EACnB,IAAIK,EAAQL,EAAUK,MACtB,MAAQC,EAAGC,GAAaF,EACxBG,EAAAA,gBAAgBT,EAAW,GAAI,CAAEU,QAAS,aAM1C,MAAMC,EAAOf,GAAQF,OAAkB,EAAXW,EAAGO,OAAajB,EACtCkB,EAAQC,GAAcV,EAAGW,OAAOD,GAGhCJ,EACJV,EAAUU,SAAO,EACfM,EAAWC,KACX,IACE,MAAO,CAAEC,SAAS,EAAMC,MAAOf,EAAGgB,KAAKhB,EAAGiB,IAAIL,EAAGC,IACnD,CAAE,MAAOK,GACP,MAAO,CAAEJ,SAAS,EAAOC,MAAO1B,EAClC,CACD,GAIH,IAnCF,SAAqBW,EAAoBE,EAAoBiB,EAAWC,GACtE,MAAMC,EAAKrB,EAAGsB,IAAIH,GACZI,EAAKvB,EAAGsB,IAAIF,GACZI,EAAOxB,EAAGyB,IAAIzB,EAAG0B,IAAIxB,EAAMyB,EAAGN,GAAKE,GACnCK,EAAQ5B,EAAGyB,IAAIzB,EAAG6B,IAAK7B,EAAG0B,IAAIxB,EAAM4B,EAAG9B,EAAG0B,IAAIL,EAAIE,KACxD,OAAOvB,EAAG+B,IAAIP,EAAMI,EACtB,CA6BOI,CAAYhC,EAAIE,EAAOA,EAAM+B,GAAI/B,EAAMgC,IAC1C,MAAM,IAAIC,MAAM,qCAMlB,SAASC,EAAOC,EAAe3B,EAAW4B,GAAU,GAClD,MAAMC,EAAMD,EAAU/C,EAAMF,EAE5B,OADAmD,EAAAA,SAAS,cAAgBH,EAAO3B,EAAG6B,EAAKhC,GACjCG,CACT,CAEA,SAAS+B,EAAUC,GACjB,KAAMA,aAAiBC,GAAQ,MAAM,IAAIR,MAAM,yBACjD,CAGA,MAAMS,EAAeC,EAAAA,SAAS,CAACC,EAAUC,KACvC,MAAMC,EAAEA,EAACC,EAAEA,EAACC,EAAEA,GAAMJ,EACdK,EAAML,EAAEK,MACJ,MAANJ,IAAYA,EAAKI,EAAM1D,EAAOO,EAAGoD,IAAIF,IACzC,MAAM/B,EAAIV,EAAKuC,EAAID,GACb3B,EAAIX,EAAKwC,EAAIF,GACbM,EAAKrD,EAAG0B,IAAIwB,EAAGH,GACrB,GAAII,EAAK,MAAO,CAAEhC,EAAG9B,EAAK+B,EAAG7B,GAC7B,GAAI8D,IAAO9D,EAAK,MAAM,IAAI4C,MAAM,oBAChC,MAAO,CAAEhB,IAAGC,OAERkC,EAAkBT,EAAAA,SAAUC,IAChC,MAAMnB,EAAEA,EAACG,EAAEA,GAAM5B,EACjB,GAAI4C,EAAEK,MAAO,MAAM,IAAIhB,MAAM,mBAG7B,MAAMa,EAAEA,
EAACC,EAAEA,EAACC,EAAEA,EAACK,EAAEA,GAAMT,EACjBU,EAAK/C,EAAKuC,EAAIA,GACdS,EAAKhD,EAAKwC,EAAIA,GACdS,EAAKjD,EAAKyC,EAAIA,GACdS,EAAKlD,EAAKiD,EAAKA,GACfE,EAAMnD,EAAK+C,EAAK7B,GAGtB,GAFalB,EAAKiD,EAAKjD,EAAKmD,EAAMH,MACpBhD,EAAKkD,EAAKlD,EAAKqB,EAAIrB,EAAK+C,EAAKC,KACvB,MAAM,IAAItB,MAAM,yCAIpC,GAFW1B,EAAKuC,EAAIC,KACTxC,EAAKyC,EAAIK,GACL,MAAM,IAAIpB,MAAM,yCAC/B,OAAO,IAKT,MAAMQ,EAeJkB,WAAAA,CAAYb,EAAWC,EAAWC,EAAWK,GAC3CO,KAAKd,EAAIZ,EAAO,IAAKY,GACrBc,KAAKb,EAAIb,EAAO,IAAKa,GACrBa,KAAKZ,EAAId,EAAO,IAAKc,GAAG,GACxBY,KAAKP,EAAInB,EAAO,IAAKmB,GACrBQ,OAAOC,OAAOF,KAChB,CAEA,YAAO5D,GACL,OAAOA,CACT,CAEA,iBAAO+D,CAAWnB,GAChB,GAAIA,aAAaH,EAAO,MAAM,IAAIR,MAAM,8BACxC,MAAMhB,EAAEA,EAACC,EAAEA,GAAM0B,GAAK,CAAA,EAGtB,OAFAV,EAAO,IAAKjB,GACZiB,EAAO,IAAKhB,GACL,IAAIuB,EAAMxB,EAAGC,EAAG7B,EAAKkB,EAAKU,EAAIC,GACvC,CAGA,gBAAO8C,CAAUC,EAAmBC,GAAS,GAC3C,MAAMC,EAAMrE,EAAGQ,OACTmB,EAAEA,EAACG,EAAEA,GAAM5B,EACjBiE,EAAQG,EAAAA,UAAUC,EAAAA,SAAOJ,EAAOE,EAAK,UACrCG,EAAAA,QAAMJ,EAAQ,UACd,MAAMK,EAASH,YAAUH,GACnBO,EAAWP,EAAME,EAAM,GAC7BI,EAAOJ,EAAM,IAAgB,IAAXK,EAClB,MAAMtD,EAAIuD,EAAAA,gBAAgBF,GAMpBG,EAAMR,EAAS7D,EAAOP,EAAG6E,MAC/BrC,EAAAA,SAAS,UAAWpB,EAAG/B,EAAKuF,GAI5B,MAAMrD,EAAKd,EAAKW,EAAIA,GACdR,EAAIH,EAAKc,EAAKhC,GACdsB,EAAIJ,EAAKqB,EAAIP,EAAKI,GACxB,IAAIb,QAAEA,EAASC,MAAOI,GAAMb,EAAQM,EAAGC,GACvC,IAAKC,EAAS,MAAM,IAAIqB,MAAM,mCAC9B,MAAM2C,GAAU3D,EAAI5B,KAASA,EACvBwF,KAA4B,IAAXL,GACvB,IAAKN,GAAUjD,IAAM9B,GAAO0F,EAE1B,MAAM,IAAI5C,MAAM,4BAElB,OADI4C,IAAkBD,IAAQ3D,EAAIV,GAAMU,IACjCwB,EAAMsB,WAAW,CAAE9C,IAAGC,KAC/B,CACA,cAAO4D,CAAQb,EAAmBC,GAAS,GACzC,OAAOzB,EAAMuB,UAAUe,EAAAA,YAAY,QAASd,GAAQC,EACtD,CAEA,KAAIjD,GACF,OAAO2C,KAAKoB,WAAW/D,CACzB,CACA,KAAIC,GACF,OAAO0C,KAAKoB,WAAW9D,CACzB,CAEA+D,UAAAA,CAAWC,EAAqB,EAAGC,GAAS,GAG1C,OAFAC,EAAKC,YAAYzB,KAAMsB,GAClBC,GAAQvB,KAAK0B,SAAShG,GACpBsE,IACT,CAGA2B,cAAAA,GACEnC,EAAgBQ,KAClB,CAGA4B,MAAAA,CAAOhD,GACLD,EAAUC,GACV,MAAQM,EAAG2C,EAAI1C,EAAG2C,EAAI1C,EAAG2C,GAAO/B,MACxBd,EAAGQ,EAAIP,EAAGQ,EAAIP,EAAGQ,GAAOhB,EAC1BoD,EAAOrF,EAAKkF,EAAKjC,GACjBqC,EAAOtF,EAAK+C
,EAAKqC,GACjBG,EAAOvF,EAAKmF,EAAKlC,GACjBuC,EAAOxF,EAAKgD,EAAKoC,GACvB,OAAOC,IAASC,GAAQC,IAASC,CACnC,CAEA9C,GAAAA,GACE,OAAOW,KAAK4B,OAAO/C,EAAMuD,KAC3B,CAEAC,MAAAA,GAEE,OAAO,IAAIxD,EAAMlC,GAAMqD,KAAKd,GAAIc,KAAKb,EAAGa,KAAKZ,EAAGzC,GAAMqD,KAAKP,GAC7D,CAKA6C,MAAAA,GACE,MAAMzE,EAAEA,GAAMzB,GACN8C,EAAG2C,EAAI1C,EAAG2C,EAAI1C,EAAG2C,GAAO/B,KAC1BuC,EAAI5F,EAAKkF,EAAKA,GACdW,EAAI7F,EAAKmF,EAAKA,GACdW,EAAI9F,EAAKjB,EAAMiB,EAAKoF,EAAKA,IACzBW,EAAI/F,EAAKkB,EAAI0E,GACbI,EAAOd,EAAKC,EACZc,EAAIjG,EAAKA,EAAKgG,EAAOA,GAAQJ,EAAIC,GACjCK,EAAIH,EAAIF,EACRM,EAAID,EAAIJ,EACRM,EAAIL,EAAIF,EACRQ,EAAKrG,EAAKiG,EAAIE,GACdG,EAAKtG,EAAKkG,EAAIE,GACdG,EAAKvG,EAAKiG,EAAIG,GACdI,EAAKxG,EAAKmG,EAAID,GACpB,OAAO,IAAIhE,EAAMmE,EAAIC,EAAIE,EAAID,EAC/B,CAKAvF,GAAAA,CAAIiB,GACFD,EAAUC,GACV,MAAMf,EAAEA,EAACG,EAAEA,GAAM5B,GACT8C,EAAG2C,EAAI1C,EAAG2C,EAAI1C,EAAG2C,EAAItC,EAAG2D,GAAOpD,MAC/Bd,EAAGQ,EAAIP,EAAGQ,EAAIP,EAAGQ,EAAIH,EAAG4D,GAAOzE,EACjC2D,EAAI5F,EAAKkF,EAAKnC,GACd8C,EAAI7F,EAAKmF,EAAKnC,GACd8C,EAAI9F,EAAKyG,EAAKpF,EAAIqF,GAClBX,EAAI/F,EAAKoF,EAAKnC,GACdgD,EAAIjG,GAAMkF,EAAKC,IAAOpC,EAAKC,GAAM4C,EAAIC,GACrCM,EAAIJ,EAAID,EACRI,EAAIH,EAAID,EACRM,EAAIpG,EAAK6F,EAAI3E,EAAI0E,GACjBS,EAAKrG,EAAKiG,EAAIE,GACdG,EAAKtG,EAAKkG,EAAIE,GACdG,EAAKvG,EAAKiG,EAAIG,GACdI,EAAKxG,EAAKmG,EAAID,GACpB,OAAO,IAAIhE,EAAMmE,EAAIC,EAAIE,EAAID,EAC/B,CAEAI,QAAAA,CAAS1E,GACP,OAAOoB,KAAKrC,IAAIiB,EAAMyD,SACxB,CAGAX,QAAAA,CAAS6B,GAEP,IAAKpH,EAAGqH,YAAYD,GAAS,MAAM,IAAIlF,MAAM,8CAC7C,MAAMW,EAAEA,EAACyE,EAAEA,GAAMjC,EAAKkC,OAAO1D,KAAMuD,EAASvE,GAAM2E,EAAAA,WAAW9E,EAAOG,IACpE,OAAO2E,EAAAA,WAAW9E,EAAO,CAACG,EAAGyE,IAAI,EACnC,CAOAG,cAAAA,CAAeL,EAAgBM,EAAMhF,EAAMuD,MAEzC,IAAKjG,EAAGa,QAAQuG,GAAS,MAAM,IAAIlF,MAAM,8CACzC,OAAIkF,IAAWhI,EAAYsD,EAAMuD,KAC7BpC,KAAKX,OAASkE,IAAW9H,EAAYuE,KAClCwB,EAAKsC,OAAO9D,KAAMuD,EAASvE,GAAM2E,EAAAA,WAAW9E,EAAOG,GAAI6E,EAChE,CAMAE,YAAAA,GACE,OAAO/D,KAAK4D,eAAetH,GAAU+C,KACvC,CAIA2E,aAAAA,GACE,OAAOxC,EAAKsC,OAAO9D,KAAM5D,EAAMQ,GAAGyC,KACpC,CAIA+B,QAAAA,CAAS6C,GACP,OAAOnF,EAAakB,KAAMiE,EAC5B,CAEAC,aAAAA,
GACE,OAAI5H,IAAab,EAAYuE,KACtBA,KAAK4D,eAAetH,EAC7B,CAEA6H,OAAAA,GACE,MAAM9G,EAAEA,EAACC,EAAEA,GAAM0C,KAAKoB,WAEhBf,EAAQnE,EAAGiI,QAAQ7G,GAIzB,OADA+C,EAAMA,EAAM+D,OAAS,IAAM/G,EAAI5B,EAAM,IAAO,EACrC4E,CACT,CACAgE,KAAAA,GACE,OAAOC,EAAAA,WAAWtE,KAAKmE,UACzB,CAEAI,QAAAA,GACE,MAAO,UAAUvE,KAAKX,MAAQ,OAASW,KAAKqE,UAC9C,CAGA,MAAIG,GACF,OAAOxE,KAAKd,CACd,CACA,MAAIuF,GACF,OAAOzE,KAAKb,CACd,CACA,MAAIuF,GACF,OAAO1E,KAAKZ,CACd,CACA,MAAIuF,GACF,OAAO3E,KAAKP,CACd,CACA,iBAAOkE,CAAWiB,GAChB,OAAOjB,EAAAA,WAAW9E,EAAO+F,EAC3B,CACA,UAAOC,CAAID,EAAiBE,GAC1B,OAAOC,EAAAA,UAAUlG,EAAO1C,EAAIyI,EAAQE,EACtC,CACAE,cAAAA,CAAe1D,GACbtB,KAAKqB,WAAWC,EAClB,CACA2D,UAAAA,GACE,OAAOjF,KAAKmE,SACd,EArPgBtF,EAAAqG,KAAO,IAAIrG,EAAMzC,EAAM+B,GAAI/B,EAAMgC,GAAI3C,EAAKkB,EAAKP,EAAM+B,GAAK/B,EAAMgC,KAEhES,EAAAuD,KAAO,IAAIvD,EAAMtD,EAAKE,EAAKA,EAAKF,GAEhCsD,EAAA3C,GAAKA,EAEL2C,EAAA1C,GAAKA,EAiPvB,MAAMqF,EAAO,IAAI2D,EAAAA,KAAKtG,EAAO1C,EAAGiJ,MAEhC,OADAvG,EAAMqG,KAAK7D,WAAW,GACfxC,CACT,CAmHM,SAAUwG,EAAMxG,EAAyByG,EAAcC,EAAuB,CAAA,GAClF,GAAqB,mBAAVD,EAAsB,MAAM,IAAIjH,MAAM,qCACjD9B,EAAAA,gBACEgJ,EACA,GACA,CACEC,kBAAmB,WACnBC,YAAa,WACbC,OAAQ,WACRC,QAAS,WACTC,WAAY,aAIhB,MAAMD,QAAEA,GAAYJ,GACdL,KAAEA,EAAIhJ,GAAEA,EAAEC,GAAEA,GAAO0C,EAEnB4G,EAAcF,EAAUE,aAAeI,EAAAA,YACvCL,EAAoBD,EAAUC,mBAAiB,CAAMnF,GAAsBA,GAC3EqF,EACJH,EAAUG,QAAM,EACdI,EAAkBC,EAAiBC,KAEnC,GADAtF,EAAAA,QAAMsF,EAAQ,UACVD,EAAI3B,QAAU4B,EAAQ,MAAM,IAAI3H,MAAM,uCAC1C,OAAOyH,CACR,GAGH,SAASG,EAAQC,GACf,OAAO/J,EAAGU,OAAOgE,kBAAgBqF,GACnC,CAgBA,SAASC,EAAqBC,GAC5B,MAAMC,KAAEA,EAAIC,OAAEA,EAAM/C,OAAEA,GAdxB,SAA0BgD,GACxB,MAAMhG,EAAMiG,EAAQJ,UACpBG,EAAMpF,EAAAA,YAAY,cAAeoF,EAAKhG,GAGtC,MAAMkG,EAAStF,EAAAA,YAAY,qBAAsBmE,EAAMiB,GAAM,EAAIhG,GAC3D8F,EAAOb,EAAkBiB,EAAOC,MAAM,EAAGnG,IAG/C,MAAO,CAAE8F,OAAMC,OAFAG,EAAOC,MAAMnG,EAAK,EAAIA,GAEdgD,OADR0C,EAAQI,GAEzB,CAImCM,CAAiBP,GAC5CQ,EAAQ1B,EAAKxD,SAAS6B,GACtBsD,EAAaD,EAAMzC,UACzB,MAAO,CAAEkC,OAAMC,SAAQ/C,SAAQqD,QAAOC,aACxC,CAGA,SAASC,EAAaV,GACpB,OAAOD,EAAqBC,GAAWS,UACzC,CAGA,SAASE,EAAmBC,EAAeC,WAAWC,QAASC,GAC7D,MAAMC,EAA
MC,iBAAeF,GAC3B,OAAOlB,EAAQX,EAAMI,EAAO0B,EAAKjG,EAAAA,YAAY,UAAW6F,KAAYrB,IACtE,CAiBA,MAAM2B,EAAkD,CAAEhH,QAAQ,GAsClE,MAAMiH,EAAQrL,EAAGQ,MACX8J,EAAU,CACdJ,UAAWmB,EACXC,UAAWD,EACXE,UAAW,EAAIF,EACfG,KAAMH,GAER,SAASI,EAAgBD,EAAOjC,EAAYe,EAAQkB,OAClD,OAAOjH,EAAAA,SAAOiH,EAAMlB,EAAQkB,KAAM,OACpC,CAgBA,MAAME,EAAQ,CACZzB,uBACAwB,kBACAE,iBAdF,SAA0BtB,GACxB,OAAOuB,EAAAA,QAAQvB,IAAQA,EAAInC,SAAWjI,EAAGO,KAC3C,EAaEqL,iBAZF,SAA0BxB,EAAiBjG,GACzC,IACE,QAASzB,EAAMuB,UAAUmG,EAAKjG,EAChC,CAAE,MAAO0H,GACP,OAAO,CACT,CACF,EAgBEC,YAAAA,CAAaT,GACX,MAAMlK,EAAEA,GAAMuB,EAAMuB,UAAUoH,GACxBU,EAAO1B,EAAQgB,UACfW,EAAmB,KAATD,EAChB,IAAKC,GAAoB,KAATD,EAAa,MAAM,IAAI7J,MAAM,kCAC7C,MAAMvB,EAAIqL,EAAUjM,EAAGiB,IAAI1B,EAAM6B,EAAG7B,EAAM6B,GAAKpB,EAAGiB,IAAIG,EAAI7B,EAAK6B,EAAI7B,GACnE,OAAOS,EAAGiI,QAAQrH,EACpB,EAEAsL,kBAAAA,CAAmBhC,GACjB,MAAM8B,EAAO1B,EAAQJ,UACrB3F,EAAAA,SAAO2F,EAAW8B,GAClB,MAAMzB,EAASnB,EAAMc,EAAUiC,SAAS,EAAGH,IAC3C,OAAO1C,EAAkBiB,GAAQ4B,SAAS,EAAGH,EAC/C,EAGAI,iBAAkBX,EAElBtG,WAAUA,CAACC,EAAa,EAAGsF,EAAsB/H,EAAMqG,OAC9C0B,EAAMvF,WAAWC,GAAY,IAIxC,OAAOrB,OAAOC,OAAO,CACnBqI,OAtDF,SAAgBb,GACd,MAAMtB,EAAYwB,EAAMD,gBAAgBD,GACxC,MAAO,CAAEtB,YAAWoB,UAAWV,EAAaV,GAC9C,EAoDEU,eACA0B,KAtHF,SAAcpB,EAAUhB,EAAgBqC,EAA6B,CAAA,GACnErB,EAAMjG,EAAAA,YAAY,UAAWiG,GACzBzB,IAASyB,EAAMzB,EAAQyB,IAC3B,MAAMd,OAAEA,EAAM/C,OAAEA,EAAMsD,WAAEA,GAAeV,EAAqBC,GACtDsC,EAAI3B,EAAmB0B,EAAQzB,QAASV,EAAQc,GAChDuB,EAAIzD,EAAKxD,SAASgH,GAAGvE,UACrByE,EAAI7B,EAAmB0B,EAAQzB,QAAS2B,EAAG9B,EAAYO,GACvDyB,EAAI1M,EAAGU,OAAO6L,EAAIE,EAAIrF,GAC5B,IAAKpH,EAAGa,QAAQ6L,GAAI,MAAM,IAAIxK,MAAM,0BACpC,MAAMyK,EAAKzB,EAAAA,YAAYsB,EAAGxM,EAAGgI,QAAQ0E,IACrC,OAAOpI,EAAAA,SAAOqI,EAAItC,EAAQiB,UAAW,SACvC,EA4GEsB,OAnGF,SAAgBC,EAAU5B,EAAUI,EAAgBiB,EAAUnB,GAC5D,MAAMN,QAAEA,EAAO1G,OAAEA,GAAWmI,EACtBlI,EAAMiG,EAAQiB,UACpBuB,EAAM7H,EAAAA,YAAY,YAAa6H,EAAKzI,GACpC6G,EAAMjG,EAAAA,YAAY,UAAWiG,GAC7BI,EAAYrG,EAAAA,YAAY,YAAaqG,EAAWhB,EAAQgB,gBACzCyB,IAAX3I,GAAsBI,UAAMJ,EAAQ,UACpCqF,IAASyB,EAAMzB,EAAQyB,IAE3B,MAAM8B,EAAM3I,EAAM,EACZmI,EAAIM,EAAIX,SAAS,EAA
Ga,GACpBL,EAAIhI,EAAAA,gBAAgBmI,EAAIX,SAASa,EAAK3I,IAC5C,IAAIgC,EAAGoG,EAAGQ,EACV,IAIE5G,EAAI1D,EAAMuB,UAAUoH,EAAWlH,GAC/BqI,EAAI9J,EAAMuB,UAAUsI,EAAGpI,GACvB6I,EAAKjE,EAAKtB,eAAeiF,EAC3B,CAAE,MAAOb,GACP,OAAO,CACT,CACA,IAAK1H,GAAUiC,EAAEwB,eAAgB,OAAO,EAExC,MAAM6E,EAAI7B,EAAmBC,EAAS2B,EAAExE,UAAW5B,EAAE4B,UAAWiD,GAIhE,OAHYuB,EAAEhL,IAAI4E,EAAEqB,eAAegF,IAGxBtF,SAAS6F,GAAIjF,gBAAgB7E,KAC1C,QAsEEuI,EACA/I,QACA2H,WAEJ,0DAoEM,SAAyB4C,GAC7B,MAAMhN,MAAEA,EAAKiN,UAAEA,EAASnD,KAAEA,EAAIX,UAAEA,GAlClC,SAAmC6D,GACjC,MAAMhN,EAAqB,CACzByB,EAAGuL,EAAEvL,EACLG,EAAGoL,EAAEpL,EACLgB,EAAGoK,EAAElN,GAAG6E,MACRnE,EAAGwM,EAAExM,EACLP,EAAG+M,EAAE/M,EACL8B,GAAIiL,EAAEjL,GACNC,GAAIgL,EAAEhL,IAIFiL,EAA8B,CAAEnN,GAF3BkN,EAAElN,GAE6BC,GAD/BmN,EAAAA,MAAMlN,EAAMQ,EAAGwM,EAAEG,YAAY,GACM/M,QAAS4M,EAAE5M,SACnD+I,EAAuB,CAC3BE,YAAa2D,EAAE3D,YACfD,kBAAmB4D,EAAE5D,kBACrBE,OAAQ0D,EAAE1D,OACVC,QAASyD,EAAEzD,QACXC,WAAYwD,EAAExD,YAEhB,MAAO,CAAExJ,QAAOiN,YAAWnD,KAAMkD,EAAElD,KAAMX,YAC3C,CAagDiE,CAA0BJ,GAGxE,OAfF,SAAqCA,EAAwB/D,GAC3D,MAAMxG,EAAQwG,EAAMxG,MAOpB,OANeoB,OAAOwJ,OAAO,CAAA,EAAIpE,EAAO,CACtCqE,cAAe7K,EACfzC,MAAOgN,EACPG,WAAY1K,EAAM1C,GAAGiJ,KACrBuE,YAAa9K,EAAM1C,GAAGO,OAG1B,CAMSkN,CAA4BR,EADrB/D,EADAzJ,EAAQQ,EAAOiN,GACFnD,EAAMX,GAEnC","x_google_ignoreList":[0]}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var e=require("
|
|
1
|
+
"use strict";var e=require("../utils.js"),t=require("../../../hashes/esm/utils.js");
|
|
2
2
|
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
3
|
-
const r=BigInt(0),n=BigInt(1),o=BigInt(2),i=BigInt(3),s=BigInt(4),
|
|
3
|
+
const r=BigInt(0),n=BigInt(1),o=BigInt(2),i=BigInt(3),s=BigInt(4),l=BigInt(5),u=BigInt(7),f=BigInt(8),d=BigInt(9),c=BigInt(16);function w(e,t){const n=e%t;return n>=r?n:t+n}function a(e,t){if(e===r)throw new Error("invert: expected non-zero number");if(t<=r)throw new Error("invert: expected positive modulus, got "+t);let o=w(e,t),i=t,s=r,l=n;for(;o!==r;){const e=i%o,t=s-l*(i/o);i=o,o=e,s=l,l=t}if(i!==n)throw new Error("invert: does not exist");return w(s,t)}function E(e,t,r){if(!e.eql(e.sqr(t),r))throw new Error("Cannot find square root")}function g(e,t){const r=(e.ORDER+n)/s,o=e.pow(t,r);return E(e,o,t),o}function m(e,t){const r=(e.ORDER-l)/f,n=e.mul(t,o),i=e.pow(n,r),s=e.mul(t,i),u=e.mul(e.mul(s,o),i),d=e.mul(s,e.sub(u,e.ONE));return E(e,d,t),d}function p(e){if(e<i)throw new Error("sqrt is not defined for small field");let t=e-n,s=0;for(;t%o===r;)t/=o,s++;let l=o;const u=y(e);for(;1===v(u,l);)if(l++>1e3)throw new Error("Cannot find square root: probably non-prime P");if(1===s)return g;let f=u.pow(l,t);const d=(t+n)/o;return function(e,r){if(e.is0(r))return r;if(1!==v(e,r))throw new Error("Cannot find square root");let o=s,i=e.mul(e.ONE,f),l=e.pow(r,t),u=e.pow(r,d);for(;!e.eql(l,e.ONE);){if(e.is0(l))return e.ZERO;let t=1,r=e.sqr(l);for(;!e.eql(r,e.ONE);)if(t++,r=e.sqr(r),t===o)throw new Error("Cannot find square root");const s=n<<BigInt(o-t-1),f=e.pow(i,s);o=t,i=e.sqr(f),l=e.mul(l,i),u=e.mul(u,f)}return u}}function h(e){return e%s===i?g:e%f===l?m:e%c===d?function(e){const t=y(e),r=p(e),n=r(t,t.neg(t.ONE)),o=r(t,n),i=r(t,t.neg(n)),s=(e+u)/c;return(e,t)=>{let r=e.pow(t,s),l=e.mul(r,n);const u=e.mul(r,o),f=e.mul(r,i),d=e.eql(e.sqr(l),t),c=e.eql(e.sqr(u),t);r=e.cmov(r,l,d),l=e.cmov(f,u,c);const w=e.eql(e.sqr(l),t),a=e.cmov(r,l,w);return E(e,a,t),a}}(e):p(e)}const q=["create","isValid","is0","neg","inv","sqrt","sqr","eql","add","sub","mul","pow","div","addN","subN","mulN","sqrN"];function b(e,t,o){if(o<r)throw new Error("invalid exponent, negatives 
unsupported");if(o===r)return e.ONE;if(o===n)return t;let i=e.ONE,s=t;for(;o>r;)o&n&&(i=e.mul(i,s)),s=e.sqr(s),o>>=n;return i}function B(e,t,r=!1){const n=new Array(t.length).fill(r?e.ZERO:void 0),o=t.reduce((t,r,o)=>e.is0(r)?t:(n[o]=t,e.mul(t,r)),e.ONE),i=e.inv(o);return t.reduceRight((t,r,o)=>e.is0(r)?t:(n[o]=e.mul(t,n[o]),e.mul(t,r)),i),n}function v(e,t){const r=(e.ORDER-n)/o,i=e.pow(t,r),s=e.eql(i,e.ONE),l=e.eql(i,e.ZERO),u=e.eql(i,e.neg(e.ONE));if(!s&&!l&&!u)throw new Error("invalid Legendre symbol result");return s?1:l?0:-1}function O(e,r){void 0!==r&&t.anumber(r);const n=void 0!==r?r:e.toString(2).length;return{nBitLength:n,nByteLength:Math.ceil(n/8)}}function y(t,o,i=!1,s={}){if(t<=r)throw new Error("invalid field: expected ORDER > 0, got "+t);let l,u,f,d=!1;if("object"==typeof o&&null!=o){if(s.sqrt||i)throw new Error("cannot specify opts in two arguments");const e=o;e.BITS&&(l=e.BITS),e.sqrt&&(u=e.sqrt),"boolean"==typeof e.isLE&&(i=e.isLE),"boolean"==typeof e.modFromBytes&&(d=e.modFromBytes),f=e.allowedLengths}else"number"==typeof o&&(l=o),s.sqrt&&(u=s.sqrt);const{nBitLength:c,nByteLength:E}=O(t,l);if(E>2048)throw new Error("invalid field: expected ORDER of <= 2048 bytes");let g;const m=Object.freeze({ORDER:t,isLE:i,BITS:c,BYTES:E,MASK:e.bitMask(c),ZERO:r,ONE:n,allowedLengths:f,create:e=>w(e,t),isValid:e=>{if("bigint"!=typeof e)throw new Error("invalid field element: expected bigint, got "+typeof e);return r<=e&&e<t},is0:e=>e===r,isValidNot0:e=>!m.is0(e)&&m.isValid(e),isOdd:e=>(e&n)===n,neg:e=>w(-e,t),eql:(e,t)=>e===t,sqr:e=>w(e*e,t),add:(e,r)=>w(e+r,t),sub:(e,r)=>w(e-r,t),mul:(e,r)=>w(e*r,t),pow:(e,t)=>b(m,e,t),div:(e,r)=>w(e*a(r,t),t),sqrN:e=>e*e,addN:(e,t)=>e+t,subN:(e,t)=>e-t,mulN:(e,t)=>e*t,inv:e=>a(e,t),sqrt:u||(e=>(g||(g=h(t)),g(m,e))),toBytes:t=>i?e.numberToBytesLE(t,E):e.numberToBytesBE(t,E),fromBytes:(r,n=!0)=>{if(f){if(!f.includes(r.length)||r.length>E)throw new Error("Field.fromBytes: expected "+f+" bytes, got "+r.length);const e=new 
Uint8Array(E);e.set(r,i?0:e.length-r.length),r=e}if(r.length!==E)throw new Error("Field.fromBytes: expected "+E+" bytes, got "+r.length);let o=i?e.bytesToNumberLE(r):e.bytesToNumberBE(r);if(d&&(o=w(o,t)),!n&&!m.isValid(o))throw new Error("invalid field element: outside of range 0..ORDER");return o},invertBatch:e=>B(m,e),cmov:(e,t,r)=>r?t:e});return Object.freeze(m)}exports.Field=y,exports.FpInvertBatch=B,exports.FpLegendre=v,exports.FpPow=b,exports.FpSqrt=h,exports.invert=a,exports.isNegativeLE=(e,t)=>(w(e,t)&n)===n,exports.mod=w,exports.nLength=O,exports.pow2=function(e,t,n){let o=e;for(;t-- >r;)o*=o,o%=n;return o},exports.tonelliShanks=p,exports.validateField=function(t){const r=q.reduce((e,t)=>(e[t]="function",e),{ORDER:"bigint",MASK:"bigint",BYTES:"number",BITS:"number"});return e._validateObject(t,r),t};
|
|
4
4
|
//# sourceMappingURL=modular.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"modular.js","sources":["../../../../../../../node_modules/@noble/curves/esm/abstract/modular.js"],"sourcesContent":["/**\n * Utils for modular division and finite fields.\n * A finite field over 11 is integer number operations `mod 11`.\n * There is no division: it is replaced by modular multiplicative inverse.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { anumber } from '@noble/hashes/utils';\nimport { bitMask, bytesToNumberBE, bytesToNumberLE, ensureBytes, numberToBytesBE, numberToBytesLE, validateObject, } from \"./utils.js\";\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);\n// prettier-ignore\nconst _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);\n// Calculates a modulo b\nexport function mod(a, b) {\n const result = a % b;\n return result >= _0n ? result : b + result;\n}\n/**\n * Efficiently raise num to power and do modular division.\n * Unsafe in some contexts: uses ladder, so can expose bigint bits.\n * TODO: remove.\n * @example\n * pow(2n, 6n, 11n) // 64n % 11n == 9n\n */\nexport function pow(num, power, modulo) {\n return FpPow(Field(modulo), num, power);\n}\n/** Does `x^(2^power)` mod p. 
`pow2(30, 4)` == `30^(2^4)` */\nexport function pow2(x, power, modulo) {\n let res = x;\n while (power-- > _0n) {\n res *= res;\n res %= modulo;\n }\n return res;\n}\n/**\n * Inverses number over modulo.\n * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).\n */\nexport function invert(number, modulo) {\n if (number === _0n)\n throw new Error('invert: expected non-zero number');\n if (modulo <= _0n)\n throw new Error('invert: expected positive modulus, got ' + modulo);\n // Fermat's little theorem \"CT-like\" version inv(n) = n^(m-2) mod m is 30x slower.\n let a = mod(number, modulo);\n let b = modulo;\n // prettier-ignore\n let x = _0n, y = _1n, u = _1n, v = _0n;\n while (a !== _0n) {\n // JIT applies optimization if those two lines follow each other\n const q = b / a;\n const r = b % a;\n const m = x - u * q;\n const n = y - v * q;\n // prettier-ignore\n b = a, a = r, x = u, y = v, u = m, v = n;\n }\n const gcd = b;\n if (gcd !== _1n)\n throw new Error('invert: does not exist');\n return mod(x, modulo);\n}\n// Not all roots are possible! Example which will throw:\n// const NUM =\n// n = 72057594037927816n;\n// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));\nfunction sqrt3mod4(Fp, n) {\n const p1div4 = (Fp.ORDER + _1n) / _4n;\n const root = Fp.pow(n, p1div4);\n // Throw if root^2 != n\n if (!Fp.eql(Fp.sqr(root), n))\n throw new Error('Cannot find square root');\n return root;\n}\nfunction sqrt5mod8(Fp, n) {\n const p5div8 = (Fp.ORDER - _5n) / _8n;\n const n2 = Fp.mul(n, _2n);\n const v = Fp.pow(n2, p5div8);\n const nv = Fp.mul(n, v);\n const i = Fp.mul(Fp.mul(nv, _2n), v);\n const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));\n if (!Fp.eql(Fp.sqr(root), n))\n throw new Error('Cannot find square root');\n return root;\n}\n// TODO: Commented-out for now. 
Provide test vectors.\n// Tonelli is too slow for extension fields Fp2.\n// That means we can't use sqrt (c1, c2...) even for initialization constants.\n// if (P % _16n === _9n) return sqrt9mod16;\n// // prettier-ignore\n// function sqrt9mod16<T>(Fp: IField<T>, n: T, p7div16?: bigint) {\n// if (p7div16 === undefined) p7div16 = (Fp.ORDER + BigInt(7)) / _16n;\n// const c1 = Fp.sqrt(Fp.neg(Fp.ONE)); // 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F\n// const c2 = Fp.sqrt(c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F\n// const c3 = Fp.sqrt(Fp.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F\n// const c4 = p7div16; // 4. c4 = (q + 7) / 16 # Integer arithmetic\n// let tv1 = Fp.pow(n, c4); // 1. tv1 = x^c4\n// let tv2 = Fp.mul(c1, tv1); // 2. tv2 = c1 * tv1\n// const tv3 = Fp.mul(c2, tv1); // 3. tv3 = c2 * tv1\n// let tv4 = Fp.mul(c3, tv1); // 4. tv4 = c3 * tv1\n// const e1 = Fp.eql(Fp.sqr(tv2), n); // 5. e1 = (tv2^2) == x\n// const e2 = Fp.eql(Fp.sqr(tv3), n); // 6. e2 = (tv3^2) == x\n// tv1 = Fp.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x\n// tv2 = Fp.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x\n// const e3 = Fp.eql(Fp.sqr(tv2), n); // 9. e3 = (tv2^2) == x\n// return Fp.cmov(tv1, tv2, e3); // 10. z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2\n// }\n/**\n * Tonelli-Shanks square root search algorithm.\n * 1. https://eprint.iacr.org/2012/685.pdf (page 12)\n * 2. 
Square Roots from 1; 24, 51, 10 to Dan Shanks\n * @param P field order\n * @returns function that takes field Fp (created from P) and number n\n */\nexport function tonelliShanks(P) {\n // Initialization (precomputation).\n if (P < BigInt(3))\n throw new Error('sqrt is not defined for small field');\n // Factor P - 1 = Q * 2^S, where Q is odd\n let Q = P - _1n;\n let S = 0;\n while (Q % _2n === _0n) {\n Q /= _2n;\n S++;\n }\n // Find the first quadratic non-residue Z >= 2\n let Z = _2n;\n const _Fp = Field(P);\n while (FpLegendre(_Fp, Z) === 1) {\n // Basic primality test for P. After x iterations, chance of\n // not finding quadratic non-residue is 2^x, so 2^1000.\n if (Z++ > 1000)\n throw new Error('Cannot find square root: probably non-prime P');\n }\n // Fast-path; usually done before Z, but we do \"primality test\".\n if (S === 1)\n return sqrt3mod4;\n // Slow-path\n // TODO: test on Fp2 and others\n let cc = _Fp.pow(Z, Q); // c = z^Q\n const Q1div2 = (Q + _1n) / _2n;\n return function tonelliSlow(Fp, n) {\n if (Fp.is0(n))\n return n;\n // Check if n is a quadratic residue using Legendre symbol\n if (FpLegendre(Fp, n) !== 1)\n throw new Error('Cannot find square root');\n // Initialize variables for the main loop\n let M = S;\n let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp\n let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor\n let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root\n // Main loop\n // while t != 1\n while (!Fp.eql(t, Fp.ONE)) {\n if (Fp.is0(t))\n return Fp.ZERO; // if t=0 return R=0\n let i = 1;\n // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)\n let t_tmp = Fp.sqr(t); // t^(2^1)\n while (!Fp.eql(t_tmp, Fp.ONE)) {\n i++;\n t_tmp = Fp.sqr(t_tmp); // t^(2^2)...\n if (i === M)\n throw new Error('Cannot find square root');\n }\n // Calculate the exponent for b: 2^(M - i - 1)\n const exponent = _1n << BigInt(M - i - 1); // bigint is important\n const b = Fp.pow(c, 
exponent); // b = 2^(M - i - 1)\n // Update variables\n M = i;\n c = Fp.sqr(b); // c = b^2\n t = Fp.mul(t, c); // t = (t * b^2)\n R = Fp.mul(R, b); // R = R*b\n }\n return R;\n };\n}\n/**\n * Square root for a finite field. Will try optimized versions first:\n *\n * 1. P ≡ 3 (mod 4)\n * 2. P ≡ 5 (mod 8)\n * 3. Tonelli-Shanks algorithm\n *\n * Different algorithms can give different roots, it is up to user to decide which one they want.\n * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).\n */\nexport function FpSqrt(P) {\n // P ≡ 3 (mod 4) => √n = n^((P+1)/4)\n if (P % _4n === _3n)\n return sqrt3mod4;\n // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf\n if (P % _8n === _5n)\n return sqrt5mod8;\n // P ≡ 9 (mod 16) not implemented, see above\n // Tonelli-Shanks algorithm\n return tonelliShanks(P);\n}\n// Little-endian check for first LE bit (last BE bit);\nexport const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;\n// prettier-ignore\nconst FIELD_FIELDS = [\n 'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',\n 'eql', 'add', 'sub', 'mul', 'pow', 'div',\n 'addN', 'subN', 'mulN', 'sqrN'\n];\nexport function validateField(field) {\n const initial = {\n ORDER: 'bigint',\n MASK: 'bigint',\n BYTES: 'isSafeInteger',\n BITS: 'isSafeInteger',\n };\n const opts = FIELD_FIELDS.reduce((map, val) => {\n map[val] = 'function';\n return map;\n }, initial);\n return validateObject(field, opts);\n}\n// Generic field functions\n/**\n * Same as `pow` but for Fp: non-constant-time.\n * Unsafe in some contexts: uses ladder, so can expose bigint bits.\n */\nexport function FpPow(Fp, num, power) {\n if (power < _0n)\n throw new Error('invalid exponent, negatives unsupported');\n if (power === _0n)\n return Fp.ONE;\n if (power === _1n)\n return num;\n let p = Fp.ONE;\n let d = num;\n while (power > _0n) {\n if (power & _1n)\n p = Fp.mul(p, d);\n d = Fp.sqr(d);\n power >>= _1n;\n 
}\n return p;\n}\n/**\n * Efficiently invert an array of Field elements.\n * Exception-free. Will return `undefined` for 0 elements.\n * @param passZero map 0 to 0 (instead of undefined)\n */\nexport function FpInvertBatch(Fp, nums, passZero = false) {\n const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);\n // Walk from first to last, multiply them by each other MOD p\n const multipliedAcc = nums.reduce((acc, num, i) => {\n if (Fp.is0(num))\n return acc;\n inverted[i] = acc;\n return Fp.mul(acc, num);\n }, Fp.ONE);\n // Invert last element\n const invertedAcc = Fp.inv(multipliedAcc);\n // Walk from last to first, multiply them by inverted each other MOD p\n nums.reduceRight((acc, num, i) => {\n if (Fp.is0(num))\n return acc;\n inverted[i] = Fp.mul(acc, inverted[i]);\n return Fp.mul(acc, num);\n }, invertedAcc);\n return inverted;\n}\n// TODO: remove\nexport function FpDiv(Fp, lhs, rhs) {\n return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));\n}\n/**\n * Legendre symbol.\n * Legendre constant is used to calculate Legendre symbol (a | p)\n * which denotes the value of a^((p-1)/2) (mod p).\n *\n * * (a | p) ≡ 1 if a is a square (mod p), quadratic residue\n * * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue\n * * (a | p) ≡ 0 if a ≡ 0 (mod p)\n */\nexport function FpLegendre(Fp, n) {\n // We can use 3rd argument as optional cache of this value\n // but seems unneeded for now. The operation is very fast.\n const p1mod2 = (Fp.ORDER - _1n) / _2n;\n const powered = Fp.pow(n, p1mod2);\n const yes = Fp.eql(powered, Fp.ONE);\n const zero = Fp.eql(powered, Fp.ZERO);\n const no = Fp.eql(powered, Fp.neg(Fp.ONE));\n if (!yes && !zero && !no)\n throw new Error('invalid Legendre symbol result');\n return yes ? 1 : zero ? 
0 : -1;\n}\n// This function returns True whenever the value x is a square in the field F.\nexport function FpIsSquare(Fp, n) {\n const l = FpLegendre(Fp, n);\n return l === 1;\n}\n// CURVE.n lengths\nexport function nLength(n, nBitLength) {\n // Bit size, byte size of CURVE.n\n if (nBitLength !== undefined)\n anumber(nBitLength);\n const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;\n const nByteLength = Math.ceil(_nBitLength / 8);\n return { nBitLength: _nBitLength, nByteLength };\n}\n/**\n * Initializes a finite field over prime.\n * Major performance optimizations:\n * * a) denormalized operations like mulN instead of mul\n * * b) same object shape: never add or remove keys\n * * c) Object.freeze\n * Fragile: always run a benchmark on a change.\n * Security note: operations don't check 'isValid' for all elements for performance reasons,\n * it is caller responsibility to check this.\n * This is low-level code, please make sure you know what you're doing.\n * @param ORDER prime positive bigint\n * @param bitLen how many bits the field consumes\n * @param isLE (def: false) if encoding / decoding should be in little-endian\n * @param redef optional faster redefinitions of sqrt and other methods\n */\nexport function Field(ORDER, bitLen, isLE = false, redef = {}) {\n if (ORDER <= _0n)\n throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);\n const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);\n if (BYTES > 2048)\n throw new Error('invalid field: expected ORDER of <= 2048 bytes');\n let sqrtP; // cached sqrtP\n const f = Object.freeze({\n ORDER,\n isLE,\n BITS,\n BYTES,\n MASK: bitMask(BITS),\n ZERO: _0n,\n ONE: _1n,\n create: (num) => mod(num, ORDER),\n isValid: (num) => {\n if (typeof num !== 'bigint')\n throw new Error('invalid field element: expected bigint, got ' + typeof num);\n return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible\n },\n is0: (num) => num === _0n,\n 
isOdd: (num) => (num & _1n) === _1n,\n neg: (num) => mod(-num, ORDER),\n eql: (lhs, rhs) => lhs === rhs,\n sqr: (num) => mod(num * num, ORDER),\n add: (lhs, rhs) => mod(lhs + rhs, ORDER),\n sub: (lhs, rhs) => mod(lhs - rhs, ORDER),\n mul: (lhs, rhs) => mod(lhs * rhs, ORDER),\n pow: (num, power) => FpPow(f, num, power),\n div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),\n // Same as above, but doesn't normalize\n sqrN: (num) => num * num,\n addN: (lhs, rhs) => lhs + rhs,\n subN: (lhs, rhs) => lhs - rhs,\n mulN: (lhs, rhs) => lhs * rhs,\n inv: (num) => invert(num, ORDER),\n sqrt: redef.sqrt ||\n ((n) => {\n if (!sqrtP)\n sqrtP = FpSqrt(ORDER);\n return sqrtP(f, n);\n }),\n toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),\n fromBytes: (bytes) => {\n if (bytes.length !== BYTES)\n throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);\n return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);\n },\n // TODO: we don't need it here, move out to separate fn\n invertBatch: (lst) => FpInvertBatch(f, lst),\n // We can't move this out because Fp6, Fp12 implement it\n // and it's unclear what to return in there.\n cmov: (a, b, c) => (c ? b : a),\n });\n return Object.freeze(f);\n}\nexport function FpSqrtOdd(Fp, elm) {\n if (!Fp.isOdd)\n throw new Error(\"Field doesn't have isOdd\");\n const root = Fp.sqrt(elm);\n return Fp.isOdd(root) ? root : Fp.neg(root);\n}\nexport function FpSqrtEven(Fp, elm) {\n if (!Fp.isOdd)\n throw new Error(\"Field doesn't have isOdd\");\n const root = Fp.sqrt(elm);\n return Fp.isOdd(root) ? 
Fp.neg(root) : root;\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).\n * Which makes it slightly more biased, less secure.\n * @deprecated use `mapKeyToField` instead\n */\nexport function hashToPrivateScalar(hash, groupOrder, isLE = false) {\n hash = ensureBytes('privateHash', hash);\n const hashLen = hash.length;\n const minLen = nLength(groupOrder).nByteLength + 8;\n if (minLen < 24 || hashLen < minLen || hashLen > 1024)\n throw new Error('hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen);\n const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);\n return mod(num, groupOrder - _1n) + _1n;\n}\n/**\n * Returns total number of bytes consumed by the field element.\n * For example, 32 bytes for usual 256-bit weierstrass curve.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of field\n */\nexport function getFieldBytesLength(fieldOrder) {\n if (typeof fieldOrder !== 'bigint')\n throw new Error('field order must be bigint');\n const bitLength = fieldOrder.toString(2).length;\n return Math.ceil(bitLength / 8);\n}\n/**\n * Returns minimal amount of bytes that can be safely reduced\n * by field order.\n * Should be 2^-128 for 128-bit curve such as P256.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of target hash\n */\nexport function getMinHashLength(fieldOrder) {\n const length = getFieldBytesLength(fieldOrder);\n return length + Math.ceil(length / 2);\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Can take (n + n/2) or more bytes of uniform input e.g. 
from CSPRNG or KDF\n * and convert them into private scalar, with the modulo bias being negligible.\n * Needs at least 48 bytes of input for 32-byte private key.\n * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/\n * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final\n * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5\n * @param hash hash output from SHA3 or a similar function\n * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)\n * @param isLE interpret hash bytes as LE num\n * @returns valid private scalar\n */\nexport function mapHashToField(key, fieldOrder, isLE = false) {\n const len = key.length;\n const fieldLen = getFieldBytesLength(fieldOrder);\n const minLen = getMinHashLength(fieldOrder);\n // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.\n if (len < 16 || len < minLen || len > 1024)\n throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);\n const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);\n // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0\n const reduced = mod(num, fieldOrder - _1n) + _1n;\n return isLE ? 
numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);\n}\n//# sourceMappingURL=modular.js.map"],"names":["_0n","BigInt","_1n","_2n","_3n","_4n","_5n","_8n","mod","a","b","result","invert","number","modulo","Error","x","u","r","m","sqrt3mod4","Fp","n","p1div4","ORDER","root","pow","eql","sqr","sqrt5mod8","p5div8","n2","mul","v","nv","i","sub","ONE","tonelliShanks","P","Q","S","Z","_Fp","Field","FpLegendre","cc","Q1div2","is0","M","c","t","R","ZERO","t_tmp","exponent","FpSqrt","FIELD_FIELDS","FpPow","num","power","p","d","FpInvertBatch","nums","passZero","inverted","Array","length","fill","undefined","multipliedAcc","reduce","acc","invertedAcc","inv","reduceRight","p1mod2","powered","yes","zero","no","neg","nLength","nBitLength","anumber","_nBitLength","toString","nByteLength","Math","ceil","bitLen","isLE","redef","BITS","BYTES","sqrtP","f","Object","freeze","MASK","bitMask","create","isValid","isOdd","lhs","rhs","add","div","sqrN","addN","subN","mulN","sqrt","toBytes","numberToBytesLE","numberToBytesBE","fromBytes","bytes","bytesToNumberLE","bytesToNumberBE","invertBatch","lst","cmov","isNegativeLE","res","field","opts","map","val","validateObject"],"mappings":";;AAmBA,MAAMA,EAAMC,OAAO,GAAIC,EAAMD,OAAO,GAAIE,EAAsBF,OAAO,GAAIG,EAAsBH,OAAO,GAEhGI,EAAsBJ,OAAO,GAAIK,EAAsBL,OAAO,GAAIM,EAAsBN,OAAO,GAG/F,SAAUO,EAAIC,EAAWC,GAC7B,MAAMC,EAASF,EAAIC,EACnB,OAAOC,GAAUX,EAAMW,EAASD,EAAIC,CACtC,CA0BM,SAAUC,EAAOC,EAAgBC,GACrC,GAAID,IAAWb,EAAK,MAAM,IAAIe,MAAM,oCACpC,GAAID,GAAUd,EAAK,MAAM,IAAIe,MAAM,0CAA4CD,GAE/E,IAAIL,EAAID,EAAIK,EAAQC,GAChBJ,EAAII,EAEJE,EAAIhB,EAAciB,EAAIf,EAC1B,KAAOO,IAAMT,GAAK,CAEhB,MACMkB,EAAIR,EAAID,EACRU,EAAIH,EAAIC,GAFJP,EAAID,GAKdC,EAAID,EAAGA,EAAIS,EAAGF,EAAIC,EAAUA,EAAIE,CAClC,CAEA,GADYT,IACAR,EAAK,MAAM,IAAIa,MAAM,0BACjC,OAAOP,EAAIQ,EAAGF,EAChB,CAMA,SAASM,EAAaC,EAAeC,GACnC,MAAMC,GAAUF,EAAGG,MAAQtB,GAAOG,EAC5BoB,EAAOJ,EAAGK,IAAIJ,EAAGC,GAEvB,IAAKF,EAAGM,IAAIN,EAAGO,IAAIH,GAAOH,GAAI,MAAM,IAAIP,MAAM,2BAC9C,OAAOU,CACT,CAEA,SAASI,EAAaR,EAAeC,G
ACnC,MAAMQ,GAAUT,EAAGG,MAAQlB,GAAOC,EAC5BwB,EAAKV,EAAGW,IAAIV,EAAGnB,GACf8B,EAAIZ,EAAGK,IAAIK,EAAID,GACfI,EAAKb,EAAGW,IAAIV,EAAGW,GACfE,EAAId,EAAGW,IAAIX,EAAGW,IAAIE,EAAI/B,GAAM8B,GAC5BR,EAAOJ,EAAGW,IAAIE,EAAIb,EAAGe,IAAID,EAAGd,EAAGgB,MACrC,IAAKhB,EAAGM,IAAIN,EAAGO,IAAIH,GAAOH,GAAI,MAAM,IAAIP,MAAM,2BAC9C,OAAOU,CACT,CAgCM,SAAUa,EAAcC,GAE5B,GAAIA,EAAItC,OAAO,GAAI,MAAM,IAAIc,MAAM,uCAEnC,IAAIyB,EAAID,EAAIrC,EACRuC,EAAI,EACR,KAAOD,EAAIrC,IAAQH,GACjBwC,GAAKrC,EACLsC,IAIF,IAAIC,EAAIvC,EACR,MAAMwC,EAAMC,EAAML,GAClB,KAA8B,IAAvBM,EAAWF,EAAKD,IAGrB,GAAIA,IAAM,IAAM,MAAM,IAAI3B,MAAM,iDAGlC,GAAU,IAAN0B,EAAS,OAAOrB,EAIpB,IAAI0B,EAAKH,EAAIjB,IAAIgB,EAAGF,GACpB,MAAMO,GAAUP,EAAItC,GAAOC,EAC3B,OAAO,SAAwBkB,EAAeC,GAC5C,GAAID,EAAG2B,IAAI1B,GAAI,OAAOA,EAEtB,GAA0B,IAAtBuB,EAAWxB,EAAIC,GAAU,MAAM,IAAIP,MAAM,2BAG7C,IAAIkC,EAAIR,EACJS,EAAI7B,EAAGW,IAAIX,EAAGgB,IAAKS,GACnBK,EAAI9B,EAAGK,IAAIJ,EAAGkB,GACdY,EAAI/B,EAAGK,IAAIJ,EAAGyB,GAIlB,MAAQ1B,EAAGM,IAAIwB,EAAG9B,EAAGgB,MAAM,CACzB,GAAIhB,EAAG2B,IAAIG,GAAI,OAAO9B,EAAGgC,KACzB,IAAIlB,EAAI,EAGJmB,EAAQjC,EAAGO,IAAIuB,GACnB,MAAQ9B,EAAGM,IAAI2B,EAAOjC,EAAGgB,MAGvB,GAFAF,IACAmB,EAAQjC,EAAGO,IAAI0B,GACXnB,IAAMc,EAAG,MAAM,IAAIlC,MAAM,2BAI/B,MAAMwC,EAAWrD,GAAOD,OAAOgD,EAAId,EAAI,GACjCzB,EAAIW,EAAGK,IAAIwB,EAAGK,GAGpBN,EAAId,EACJe,EAAI7B,EAAGO,IAAIlB,GACXyC,EAAI9B,EAAGW,IAAImB,EAAGD,GACdE,EAAI/B,EAAGW,IAAIoB,EAAG1C,EAChB,CACA,OAAO0C,CACR,CACH,CAYM,SAAUI,EAAOjB,GAErB,OAAIA,EAAIlC,IAAQD,EAAYgB,EAExBmB,EAAIhC,IAAQD,EAAYuB,EAGrBS,EAAcC,EACvB,OAiDMkB,EAAe,CACnB,SAAU,UAAW,MAAO,MAAO,MAAO,OAAQ,MAClD,MAAO,MAAO,MAAO,MAAO,MAAO,MACnC,OAAQ,OAAQ,OAAQ,QAsBpB,SAAUC,EAASrC,EAAesC,EAAQC,GAC9C,GAAIA,EAAQ5D,EAAK,MAAM,IAAIe,MAAM,2CACjC,GAAI6C,IAAU5D,EAAK,OAAOqB,EAAGgB,IAC7B,GAAIuB,IAAU1D,EAAK,OAAOyD,EAC1B,IAAIE,EAAIxC,EAAGgB,IACPyB,EAAIH,EACR,KAAOC,EAAQ5D,GACT4D,EAAQ1D,IAAK2D,EAAIxC,EAAGW,IAAI6B,EAAGC,IAC/BA,EAAIzC,EAAGO,IAAIkC,GACXF,IAAU1D,EAEZ,OAAO2D,CACT,CAOM,SAAUE,EAAiB1C,EAAe2C,EAAWC,GAAW,GACpE,MAAMC,EAAW,IAAIC,MAAMH,EAAKI,QAAQC,KAAKJ,EAAW5C,EAAGgC,UAAOiB,GAE5DC,EAAgBP
,EAAKQ,QAAO,CAACC,EAAKd,EAAKxB,IACvCd,EAAG2B,IAAIW,GAAac,GACxBP,EAAS/B,GAAKsC,EACPpD,EAAGW,IAAIyC,EAAKd,KAClBtC,EAAGgB,KAEAqC,EAAcrD,EAAGsD,IAAIJ,GAO3B,OALAP,EAAKY,aAAY,CAACH,EAAKd,EAAKxB,IACtBd,EAAG2B,IAAIW,GAAac,GACxBP,EAAS/B,GAAKd,EAAGW,IAAIyC,EAAKP,EAAS/B,IAC5Bd,EAAGW,IAAIyC,EAAKd,KAClBe,GACIR,CACT,CAgBM,SAAUrB,EAAcxB,EAAeC,GAG3C,MAAMuD,GAAUxD,EAAGG,MAAQtB,GAAOC,EAC5B2E,EAAUzD,EAAGK,IAAIJ,EAAGuD,GACpBE,EAAM1D,EAAGM,IAAImD,EAASzD,EAAGgB,KACzB2C,EAAO3D,EAAGM,IAAImD,EAASzD,EAAGgC,MAC1B4B,EAAK5D,EAAGM,IAAImD,EAASzD,EAAG6D,IAAI7D,EAAGgB,MACrC,IAAK0C,IAAQC,IAASC,EAAI,MAAM,IAAIlE,MAAM,kCAC1C,OAAOgE,EAAM,EAAIC,EAAO,GAAM,CAChC,CASM,SAAUG,EACd7D,EACA8D,QAMmBd,IAAfc,GAA0BC,EAAOA,QAACD,GACtC,MAAME,OAA6BhB,IAAfc,EAA2BA,EAAa9D,EAAEiE,SAAS,GAAGnB,OAE1E,MAAO,CAAEgB,WAAYE,EAAaE,YADdC,KAAKC,KAAKJ,EAAc,GAE9C,CAkBM,SAAU1C,EACdpB,EACAmE,EACAC,GAAO,EACPC,EAAiC,IAEjC,GAAIrE,GAASxB,EAAK,MAAM,IAAIe,MAAM,0CAA4CS,GAC9E,MAAQ4D,WAAYU,EAAMN,YAAaO,GAAUZ,EAAQ3D,EAAOmE,GAChE,GAAII,EAAQ,KAAM,MAAM,IAAIhF,MAAM,kDAClC,IAAIiF,EACJ,MAAMC,EAAuBC,OAAOC,OAAO,CACzC3E,QACAoE,OACAE,OACAC,QACAK,KAAMC,EAAOA,QAACP,GACdzC,KAAMrD,EACNqC,IAAKnC,EACLoG,OAAS3C,GAAQnD,EAAImD,EAAKnC,GAC1B+E,QAAU5C,IACR,GAAmB,iBAARA,EACT,MAAM,IAAI5C,MAAM,sDAAwD4C,GAC1E,OAAO3D,GAAO2D,GAAOA,EAAMnC,CAAK,EAElCwB,IAAMW,GAAQA,IAAQ3D,EACtBwG,MAAQ7C,IAASA,EAAMzD,KAASA,EAChCgF,IAAMvB,GAAQnD,GAAKmD,EAAKnC,GACxBG,IAAKA,CAAC8E,EAAKC,IAAQD,IAAQC,EAE3B9E,IAAM+B,GAAQnD,EAAImD,EAAMA,EAAKnC,GAC7BmF,IAAKA,CAACF,EAAKC,IAAQlG,EAAIiG,EAAMC,EAAKlF,GAClCY,IAAKA,CAACqE,EAAKC,IAAQlG,EAAIiG,EAAMC,EAAKlF,GAClCQ,IAAKA,CAACyE,EAAKC,IAAQlG,EAAIiG,EAAMC,EAAKlF,GAClCE,IAAKA,CAACiC,EAAKC,IAAUF,EAAMuC,EAAGtC,EAAKC,GACnCgD,IAAKA,CAACH,EAAKC,IAAQlG,EAAIiG,EAAM7F,EAAO8F,EAAKlF,GAAQA,GAGjDqF,KAAOlD,GAAQA,EAAMA,EACrBmD,KAAMA,CAACL,EAAKC,IAAQD,EAAMC,EAC1BK,KAAMA,CAACN,EAAKC,IAAQD,EAAMC,EAC1BM,KAAMA,CAACP,EAAKC,IAAQD,EAAMC,EAE1B/B,IAAMhB,GAAQ/C,EAAO+C,EAAKnC,GAC1ByF,KACEpB,EAAMoB,MAAI,CACR3F,IACK0E,IAAOA,EAAQxC,EAAOhC,IACpBwE,EAAMC,EAAG3E,KAEpB4F,QAAUvD,GAASiC,EAAOuB,kBAAgB
xD,EAAKoC,GAASqB,EAAAA,gBAAgBzD,EAAKoC,GAC7EsB,UAAYC,IACV,GAAIA,EAAMlD,SAAW2B,EACnB,MAAM,IAAIhF,MAAM,6BAA+BgF,EAAQ,eAAiBuB,EAAMlD,QAChF,OAAOwB,EAAO2B,EAAeA,gBAACD,GAASE,EAAAA,gBAAgBF,EAAM,EAG/DG,YAAcC,GAAQ3D,EAAckC,EAAGyB,GAGvCC,KAAMA,CAAClH,EAAGC,EAAGwC,IAAOA,EAAIxC,EAAID,IAE9B,OAAOyF,OAAOC,OAAOF,EACvB,qIA1O4B2B,CAACjE,EAAa7C,KACvCN,EAAImD,EAAK7C,GAAUZ,KAASA,+CA/KzB,SAAec,EAAW4C,EAAe9C,GAC7C,IAAI+G,EAAM7G,EACV,KAAO4C,KAAU5D,GACf6H,GAAOA,EACPA,GAAO/G,EAET,OAAO+G,CACT,gDA0NM,SAA2BC,GAC/B,MAMMC,EAAOtE,EAAae,QAAO,CAACwD,EAAKC,KACrCD,EAAIC,GAAO,WACJD,IARO,CACdxG,MAAO,SACP4E,KAAM,SACNL,MAAO,gBACPD,KAAM,kBAMR,OAAOoC,EAAcA,eAACJ,EAAOC,EAC/B","x_google_ignoreList":[0]}
|
|
1
|
+
{"version":3,"file":"modular.js","sources":["../../../../../../../node_modules/@noble/curves/esm/abstract/modular.js"],"sourcesContent":["/**\n * Utils for modular division and fields.\n * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.\n * There is no division: it is replaced by modular multiplicative inverse.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { _validateObject, anumber, bitMask, bytesToNumberBE, bytesToNumberLE, ensureBytes, numberToBytesBE, numberToBytesLE, } from \"../utils.js\";\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);\n// prettier-ignore\nconst _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);\n// prettier-ignore\nconst _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);\n// Calculates a modulo b\nexport function mod(a, b) {\n const result = a % b;\n return result >= _0n ? result : b + result;\n}\n/**\n * Efficiently raise num to power and do modular division.\n * Unsafe in some contexts: uses ladder, so can expose bigint bits.\n * @example\n * pow(2n, 6n, 11n) // 64n % 11n == 9n\n */\nexport function pow(num, power, modulo) {\n return FpPow(Field(modulo), num, power);\n}\n/** Does `x^(2^power)` mod p. 
`pow2(30, 4)` == `30^(2^4)` */\nexport function pow2(x, power, modulo) {\n let res = x;\n while (power-- > _0n) {\n res *= res;\n res %= modulo;\n }\n return res;\n}\n/**\n * Inverses number over modulo.\n * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).\n */\nexport function invert(number, modulo) {\n if (number === _0n)\n throw new Error('invert: expected non-zero number');\n if (modulo <= _0n)\n throw new Error('invert: expected positive modulus, got ' + modulo);\n // Fermat's little theorem \"CT-like\" version inv(n) = n^(m-2) mod m is 30x slower.\n let a = mod(number, modulo);\n let b = modulo;\n // prettier-ignore\n let x = _0n, y = _1n, u = _1n, v = _0n;\n while (a !== _0n) {\n // JIT applies optimization if those two lines follow each other\n const q = b / a;\n const r = b % a;\n const m = x - u * q;\n const n = y - v * q;\n // prettier-ignore\n b = a, a = r, x = u, y = v, u = m, v = n;\n }\n const gcd = b;\n if (gcd !== _1n)\n throw new Error('invert: does not exist');\n return mod(x, modulo);\n}\nfunction assertIsSquare(Fp, root, n) {\n if (!Fp.eql(Fp.sqr(root), n))\n throw new Error('Cannot find square root');\n}\n// Not all roots are possible! 
Example which will throw:\n// const NUM =\n// n = 72057594037927816n;\n// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));\nfunction sqrt3mod4(Fp, n) {\n const p1div4 = (Fp.ORDER + _1n) / _4n;\n const root = Fp.pow(n, p1div4);\n assertIsSquare(Fp, root, n);\n return root;\n}\nfunction sqrt5mod8(Fp, n) {\n const p5div8 = (Fp.ORDER - _5n) / _8n;\n const n2 = Fp.mul(n, _2n);\n const v = Fp.pow(n2, p5div8);\n const nv = Fp.mul(n, v);\n const i = Fp.mul(Fp.mul(nv, _2n), v);\n const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));\n assertIsSquare(Fp, root, n);\n return root;\n}\n// Based on RFC9380, Kong algorithm\n// prettier-ignore\nfunction sqrt9mod16(P) {\n const Fp_ = Field(P);\n const tn = tonelliShanks(P);\n const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); // 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F\n const c2 = tn(Fp_, c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F\n const c3 = tn(Fp_, Fp_.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F\n const c4 = (P + _7n) / _16n; // 4. c4 = (q + 7) / 16 # Integer arithmetic\n return (Fp, n) => {\n let tv1 = Fp.pow(n, c4); // 1. tv1 = x^c4\n let tv2 = Fp.mul(tv1, c1); // 2. tv2 = c1 * tv1\n const tv3 = Fp.mul(tv1, c2); // 3. tv3 = c2 * tv1\n const tv4 = Fp.mul(tv1, c3); // 4. tv4 = c3 * tv1\n const e1 = Fp.eql(Fp.sqr(tv2), n); // 5. e1 = (tv2^2) == x\n const e2 = Fp.eql(Fp.sqr(tv3), n); // 6. e2 = (tv3^2) == x\n tv1 = Fp.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x\n tv2 = Fp.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x\n const e3 = Fp.eql(Fp.sqr(tv2), n); // 9. e3 = (tv2^2) == x\n const root = Fp.cmov(tv1, tv2, e3); // 10. z = CMOV(tv1, tv2, e3) # Select sqrt from tv1 & tv2\n assertIsSquare(Fp, root, n);\n return root;\n };\n}\n/**\n * Tonelli-Shanks square root search algorithm.\n * 1. https://eprint.iacr.org/2012/685.pdf (page 12)\n * 2. 
Square Roots from 1; 24, 51, 10 to Dan Shanks\n * @param P field order\n * @returns function that takes field Fp (created from P) and number n\n */\nexport function tonelliShanks(P) {\n // Initialization (precomputation).\n // Caching initialization could boost perf by 7%.\n if (P < _3n)\n throw new Error('sqrt is not defined for small field');\n // Factor P - 1 = Q * 2^S, where Q is odd\n let Q = P - _1n;\n let S = 0;\n while (Q % _2n === _0n) {\n Q /= _2n;\n S++;\n }\n // Find the first quadratic non-residue Z >= 2\n let Z = _2n;\n const _Fp = Field(P);\n while (FpLegendre(_Fp, Z) === 1) {\n // Basic primality test for P. After x iterations, chance of\n // not finding quadratic non-residue is 2^x, so 2^1000.\n if (Z++ > 1000)\n throw new Error('Cannot find square root: probably non-prime P');\n }\n // Fast-path; usually done before Z, but we do \"primality test\".\n if (S === 1)\n return sqrt3mod4;\n // Slow-path\n // TODO: test on Fp2 and others\n let cc = _Fp.pow(Z, Q); // c = z^Q\n const Q1div2 = (Q + _1n) / _2n;\n return function tonelliSlow(Fp, n) {\n if (Fp.is0(n))\n return n;\n // Check if n is a quadratic residue using Legendre symbol\n if (FpLegendre(Fp, n) !== 1)\n throw new Error('Cannot find square root');\n // Initialize variables for the main loop\n let M = S;\n let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp\n let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor\n let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root\n // Main loop\n // while t != 1\n while (!Fp.eql(t, Fp.ONE)) {\n if (Fp.is0(t))\n return Fp.ZERO; // if t=0 return R=0\n let i = 1;\n // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)\n let t_tmp = Fp.sqr(t); // t^(2^1)\n while (!Fp.eql(t_tmp, Fp.ONE)) {\n i++;\n t_tmp = Fp.sqr(t_tmp); // t^(2^2)...\n if (i === M)\n throw new Error('Cannot find square root');\n }\n // Calculate the exponent for b: 2^(M - i - 1)\n const exponent = _1n << BigInt(M - i - 1); // 
bigint is important\n const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)\n // Update variables\n M = i;\n c = Fp.sqr(b); // c = b^2\n t = Fp.mul(t, c); // t = (t * b^2)\n R = Fp.mul(R, b); // R = R*b\n }\n return R;\n };\n}\n/**\n * Square root for a finite field. Will try optimized versions first:\n *\n * 1. P ≡ 3 (mod 4)\n * 2. P ≡ 5 (mod 8)\n * 3. P ≡ 9 (mod 16)\n * 4. Tonelli-Shanks algorithm\n *\n * Different algorithms can give different roots, it is up to user to decide which one they want.\n * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).\n */\nexport function FpSqrt(P) {\n // P ≡ 3 (mod 4) => √n = n^((P+1)/4)\n if (P % _4n === _3n)\n return sqrt3mod4;\n // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf\n if (P % _8n === _5n)\n return sqrt5mod8;\n // P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)\n if (P % _16n === _9n)\n return sqrt9mod16(P);\n // Tonelli-Shanks algorithm\n return tonelliShanks(P);\n}\n// Little-endian check for first LE bit (last BE bit);\nexport const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;\n// prettier-ignore\nconst FIELD_FIELDS = [\n 'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',\n 'eql', 'add', 'sub', 'mul', 'pow', 'div',\n 'addN', 'subN', 'mulN', 'sqrN'\n];\nexport function validateField(field) {\n const initial = {\n ORDER: 'bigint',\n MASK: 'bigint',\n BYTES: 'number',\n BITS: 'number',\n };\n const opts = FIELD_FIELDS.reduce((map, val) => {\n map[val] = 'function';\n return map;\n }, initial);\n _validateObject(field, opts);\n // const max = 16384;\n // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');\n // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');\n return field;\n}\n// Generic field functions\n/**\n * Same as `pow` but for Fp: non-constant-time.\n * Unsafe in some contexts: uses ladder, so can 
expose bigint bits.\n */\nexport function FpPow(Fp, num, power) {\n if (power < _0n)\n throw new Error('invalid exponent, negatives unsupported');\n if (power === _0n)\n return Fp.ONE;\n if (power === _1n)\n return num;\n let p = Fp.ONE;\n let d = num;\n while (power > _0n) {\n if (power & _1n)\n p = Fp.mul(p, d);\n d = Fp.sqr(d);\n power >>= _1n;\n }\n return p;\n}\n/**\n * Efficiently invert an array of Field elements.\n * Exception-free. Will return `undefined` for 0 elements.\n * @param passZero map 0 to 0 (instead of undefined)\n */\nexport function FpInvertBatch(Fp, nums, passZero = false) {\n const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);\n // Walk from first to last, multiply them by each other MOD p\n const multipliedAcc = nums.reduce((acc, num, i) => {\n if (Fp.is0(num))\n return acc;\n inverted[i] = acc;\n return Fp.mul(acc, num);\n }, Fp.ONE);\n // Invert last element\n const invertedAcc = Fp.inv(multipliedAcc);\n // Walk from last to first, multiply them by inverted each other MOD p\n nums.reduceRight((acc, num, i) => {\n if (Fp.is0(num))\n return acc;\n inverted[i] = Fp.mul(acc, inverted[i]);\n return Fp.mul(acc, num);\n }, invertedAcc);\n return inverted;\n}\n// TODO: remove\nexport function FpDiv(Fp, lhs, rhs) {\n return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));\n}\n/**\n * Legendre symbol.\n * Legendre constant is used to calculate Legendre symbol (a | p)\n * which denotes the value of a^((p-1)/2) (mod p).\n *\n * * (a | p) ≡ 1 if a is a square (mod p), quadratic residue\n * * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue\n * * (a | p) ≡ 0 if a ≡ 0 (mod p)\n */\nexport function FpLegendre(Fp, n) {\n // We can use 3rd argument as optional cache of this value\n // but seems unneeded for now. 
The operation is very fast.\n const p1mod2 = (Fp.ORDER - _1n) / _2n;\n const powered = Fp.pow(n, p1mod2);\n const yes = Fp.eql(powered, Fp.ONE);\n const zero = Fp.eql(powered, Fp.ZERO);\n const no = Fp.eql(powered, Fp.neg(Fp.ONE));\n if (!yes && !zero && !no)\n throw new Error('invalid Legendre symbol result');\n return yes ? 1 : zero ? 0 : -1;\n}\n// This function returns True whenever the value x is a square in the field F.\nexport function FpIsSquare(Fp, n) {\n const l = FpLegendre(Fp, n);\n return l === 1;\n}\n// CURVE.n lengths\nexport function nLength(n, nBitLength) {\n // Bit size, byte size of CURVE.n\n if (nBitLength !== undefined)\n anumber(nBitLength);\n const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;\n const nByteLength = Math.ceil(_nBitLength / 8);\n return { nBitLength: _nBitLength, nByteLength };\n}\n/**\n * Creates a finite field. Major performance optimizations:\n * * 1. Denormalized operations like mulN instead of mul.\n * * 2. Identical object shape: never add or remove keys.\n * * 3. 
`Object.freeze`.\n * Fragile: always run a benchmark on a change.\n * Security note: operations don't check 'isValid' for all elements for performance reasons,\n * it is caller responsibility to check this.\n * This is low-level code, please make sure you know what you're doing.\n *\n * Note about field properties:\n * * CHARACTERISTIC p = prime number, number of elements in main subgroup.\n * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.\n *\n * @param ORDER field order, probably prime, or could be composite\n * @param bitLen how many bits the field consumes\n * @param isLE (default: false) if encoding / decoding should be in little-endian\n * @param redef optional faster redefinitions of sqrt and other methods\n */\nexport function Field(ORDER, bitLenOrOpts, // TODO: use opts only in v2?\nisLE = false, opts = {}) {\n if (ORDER <= _0n)\n throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);\n let _nbitLength = undefined;\n let _sqrt = undefined;\n let modFromBytes = false;\n let allowedLengths = undefined;\n if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {\n if (opts.sqrt || isLE)\n throw new Error('cannot specify opts in two arguments');\n const _opts = bitLenOrOpts;\n if (_opts.BITS)\n _nbitLength = _opts.BITS;\n if (_opts.sqrt)\n _sqrt = _opts.sqrt;\n if (typeof _opts.isLE === 'boolean')\n isLE = _opts.isLE;\n if (typeof _opts.modFromBytes === 'boolean')\n modFromBytes = _opts.modFromBytes;\n allowedLengths = _opts.allowedLengths;\n }\n else {\n if (typeof bitLenOrOpts === 'number')\n _nbitLength = bitLenOrOpts;\n if (opts.sqrt)\n _sqrt = opts.sqrt;\n }\n const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);\n if (BYTES > 2048)\n throw new Error('invalid field: expected ORDER of <= 2048 bytes');\n let sqrtP; // cached sqrtP\n const f = Object.freeze({\n ORDER,\n isLE,\n BITS,\n BYTES,\n MASK: bitMask(BITS),\n ZERO: _0n,\n ONE: _1n,\n allowedLengths: allowedLengths,\n create: (num) => 
mod(num, ORDER),\n isValid: (num) => {\n if (typeof num !== 'bigint')\n throw new Error('invalid field element: expected bigint, got ' + typeof num);\n return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible\n },\n is0: (num) => num === _0n,\n // is valid and invertible\n isValidNot0: (num) => !f.is0(num) && f.isValid(num),\n isOdd: (num) => (num & _1n) === _1n,\n neg: (num) => mod(-num, ORDER),\n eql: (lhs, rhs) => lhs === rhs,\n sqr: (num) => mod(num * num, ORDER),\n add: (lhs, rhs) => mod(lhs + rhs, ORDER),\n sub: (lhs, rhs) => mod(lhs - rhs, ORDER),\n mul: (lhs, rhs) => mod(lhs * rhs, ORDER),\n pow: (num, power) => FpPow(f, num, power),\n div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),\n // Same as above, but doesn't normalize\n sqrN: (num) => num * num,\n addN: (lhs, rhs) => lhs + rhs,\n subN: (lhs, rhs) => lhs - rhs,\n mulN: (lhs, rhs) => lhs * rhs,\n inv: (num) => invert(num, ORDER),\n sqrt: _sqrt ||\n ((n) => {\n if (!sqrtP)\n sqrtP = FpSqrt(ORDER);\n return sqrtP(f, n);\n }),\n toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),\n fromBytes: (bytes, skipValidation = true) => {\n if (allowedLengths) {\n if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {\n throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);\n }\n const padded = new Uint8Array(BYTES);\n // isLE add 0 to right, !isLE to the left.\n padded.set(bytes, isLE ? 0 : padded.length - bytes.length);\n bytes = padded;\n }\n if (bytes.length !== BYTES)\n throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);\n let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);\n if (modFromBytes)\n scalar = mod(scalar, ORDER);\n if (!skipValidation)\n if (!f.isValid(scalar))\n throw new Error('invalid field element: outside of range 0..ORDER');\n // NOTE: we don't validate scalar here, please use isValid. 
This done such way because some\n // protocol may allow non-reduced scalar that reduced later or changed some other way.\n return scalar;\n },\n // TODO: we don't need it here, move out to separate fn\n invertBatch: (lst) => FpInvertBatch(f, lst),\n // We can't move this out because Fp6, Fp12 implement it\n // and it's unclear what to return in there.\n cmov: (a, b, c) => (c ? b : a),\n });\n return Object.freeze(f);\n}\n// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?\n// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).\n// which mean we cannot force this via opts.\n// Not sure what to do with randomBytes, we can accept it inside opts if wanted.\n// Probably need to export getMinHashLength somewhere?\n// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {\n// const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;\n// if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?\n// const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);\n// // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0\n// const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;\n// return reduced;\n// },\nexport function FpSqrtOdd(Fp, elm) {\n if (!Fp.isOdd)\n throw new Error(\"Field doesn't have isOdd\");\n const root = Fp.sqrt(elm);\n return Fp.isOdd(root) ? root : Fp.neg(root);\n}\nexport function FpSqrtEven(Fp, elm) {\n if (!Fp.isOdd)\n throw new Error(\"Field doesn't have isOdd\");\n const root = Fp.sqrt(elm);\n return Fp.isOdd(root) ? 
Fp.neg(root) : root;\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).\n * Which makes it slightly more biased, less secure.\n * @deprecated use `mapKeyToField` instead\n */\nexport function hashToPrivateScalar(hash, groupOrder, isLE = false) {\n hash = ensureBytes('privateHash', hash);\n const hashLen = hash.length;\n const minLen = nLength(groupOrder).nByteLength + 8;\n if (minLen < 24 || hashLen < minLen || hashLen > 1024)\n throw new Error('hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen);\n const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);\n return mod(num, groupOrder - _1n) + _1n;\n}\n/**\n * Returns total number of bytes consumed by the field element.\n * For example, 32 bytes for usual 256-bit weierstrass curve.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of field\n */\nexport function getFieldBytesLength(fieldOrder) {\n if (typeof fieldOrder !== 'bigint')\n throw new Error('field order must be bigint');\n const bitLength = fieldOrder.toString(2).length;\n return Math.ceil(bitLength / 8);\n}\n/**\n * Returns minimal amount of bytes that can be safely reduced\n * by field order.\n * Should be 2^-128 for 128-bit curve such as P256.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of target hash\n */\nexport function getMinHashLength(fieldOrder) {\n const length = getFieldBytesLength(fieldOrder);\n return length + Math.ceil(length / 2);\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Can take (n + n/2) or more bytes of uniform input e.g. 
from CSPRNG or KDF\n * and convert them into private scalar, with the modulo bias being negligible.\n * Needs at least 48 bytes of input for 32-byte private key.\n * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/\n * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final\n * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5\n * @param hash hash output from SHA3 or a similar function\n * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)\n * @param isLE interpret hash bytes as LE num\n * @returns valid private scalar\n */\nexport function mapHashToField(key, fieldOrder, isLE = false) {\n const len = key.length;\n const fieldLen = getFieldBytesLength(fieldOrder);\n const minLen = getMinHashLength(fieldOrder);\n // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.\n if (len < 16 || len < minLen || len > 1024)\n throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);\n const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);\n // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0\n const reduced = mod(num, fieldOrder - _1n) + _1n;\n return isLE ? 
numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);\n}\n//# sourceMappingURL=modular.js.map"],"names":["_0n","BigInt","_1n","_2n","_3n","_4n","_5n","_7n","_8n","_9n","_16n","mod","a","b","result","invert","number","modulo","Error","x","u","r","m","assertIsSquare","Fp","root","n","eql","sqr","sqrt3mod4","p1div4","ORDER","pow","sqrt5mod8","p5div8","n2","mul","v","nv","i","sub","ONE","tonelliShanks","P","Q","S","Z","_Fp","Field","FpLegendre","cc","Q1div2","is0","M","c","t","R","ZERO","t_tmp","exponent","FpSqrt","Fp_","tn","c1","neg","c2","c3","c4","tv1","tv2","tv3","tv4","e1","e2","cmov","e3","sqrt9mod16","FIELD_FIELDS","FpPow","num","power","p","d","FpInvertBatch","nums","passZero","inverted","Array","length","fill","undefined","multipliedAcc","reduce","acc","invertedAcc","inv","reduceRight","p1mod2","powered","yes","zero","no","nLength","nBitLength","anumber","_nBitLength","toString","nByteLength","Math","ceil","bitLenOrOpts","isLE","opts","_nbitLength","_sqrt","allowedLengths","modFromBytes","sqrt","_opts","BITS","BYTES","sqrtP","f","Object","freeze","MASK","bitMask","create","isValid","isValidNot0","isOdd","lhs","rhs","add","div","sqrN","addN","subN","mulN","toBytes","numberToBytesLE","numberToBytesBE","fromBytes","bytes","skipValidation","includes","padded","Uint8Array","set","scalar","bytesToNumberLE","bytesToNumberBE","invertBatch","lst","isNegativeLE","res","field","map","val","_validateObject"],"mappings":";;AAmBA,MAAMA,EAAMC,OAAO,GAAIC,EAAMD,OAAO,GAAIE,EAAsBF,OAAO,GAAIG,EAAsBH,OAAO,GAEhGI,EAAsBJ,OAAO,GAAIK,EAAsBL,OAAO,GAAIM,EAAsBN,OAAO,GAE/FO,EAAsBP,OAAO,GAAIQ,EAAsBR,OAAO,GAAIS,EAAuBT,OAAO,IAGhG,SAAUU,EAAIC,EAAWC,GAC7B,MAAMC,EAASF,EAAIC,EACnB,OAAOC,GAAUd,EAAMc,EAASD,EAAIC,CACtC,CAyBM,SAAUC,EAAOC,EAAgBC,GACrC,GAAID,IAAWhB,EAAK,MAAM,IAAIkB,MAAM,oCACpC,GAAID,GAAUjB,EAAK,MAAM,IAAIkB,MAAM,0CAA4CD,GAE/E,IAAIL,EAAID,EAAIK,EAAQC,GAChBJ,EAAII,EAEJE,EAAInB,EAAcoB,EAAIlB,EAC1B,KAAOU,IAAMZ,GAAK,CAEhB,MACMqB,EAAIR,EAAID,EACRU,EAAIH,EAAIC,GAFJP,EAAID,G
AKdC,EAAID,EAAGA,EAAIS,EAAGF,EAAIC,EAAUA,EAAIE,CAClC,CAEA,GADYT,IACAX,EAAK,MAAM,IAAIgB,MAAM,0BACjC,OAAOP,EAAIQ,EAAGF,EAChB,CAEA,SAASM,EAAkBC,EAAeC,EAASC,GACjD,IAAKF,EAAGG,IAAIH,EAAGI,IAAIH,GAAOC,GAAI,MAAM,IAAIR,MAAM,0BAChD,CAMA,SAASW,EAAaL,EAAeE,GACnC,MAAMI,GAAUN,EAAGO,MAAQ7B,GAAOG,EAC5BoB,EAAOD,EAAGQ,IAAIN,EAAGI,GAEvB,OADAP,EAAeC,EAAIC,EAAMC,GAClBD,CACT,CAEA,SAASQ,EAAaT,EAAeE,GACnC,MAAMQ,GAAUV,EAAGO,MAAQzB,GAAOE,EAC5B2B,EAAKX,EAAGY,IAAIV,EAAGvB,GACfkC,EAAIb,EAAGQ,IAAIG,EAAID,GACfI,EAAKd,EAAGY,IAAIV,EAAGW,GACfE,EAAIf,EAAGY,IAAIZ,EAAGY,IAAIE,EAAInC,GAAMkC,GAC5BZ,EAAOD,EAAGY,IAAIE,EAAId,EAAGgB,IAAID,EAAGf,EAAGiB,MAErC,OADAlB,EAAeC,EAAIC,EAAMC,GAClBD,CACT,CAkCM,SAAUiB,EAAcC,GAG5B,GAAIA,EAAIvC,EAAK,MAAM,IAAIc,MAAM,uCAE7B,IAAI0B,EAAID,EAAIzC,EACR2C,EAAI,EACR,KAAOD,EAAIzC,IAAQH,GACjB4C,GAAKzC,EACL0C,IAIF,IAAIC,EAAI3C,EACR,MAAM4C,EAAMC,EAAML,GAClB,KAA8B,IAAvBM,EAAWF,EAAKD,IAGrB,GAAIA,IAAM,IAAM,MAAM,IAAI5B,MAAM,iDAGlC,GAAU,IAAN2B,EAAS,OAAOhB,EAIpB,IAAIqB,EAAKH,EAAIf,IAAIc,EAAGF,GACpB,MAAMO,GAAUP,EAAI1C,GAAOC,EAC3B,OAAO,SAAwBqB,EAAeE,GAC5C,GAAIF,EAAG4B,IAAI1B,GAAI,OAAOA,EAEtB,GAA0B,IAAtBuB,EAAWzB,EAAIE,GAAU,MAAM,IAAIR,MAAM,2BAG7C,IAAImC,EAAIR,EACJS,EAAI9B,EAAGY,IAAIZ,EAAGiB,IAAKS,GACnBK,EAAI/B,EAAGQ,IAAIN,EAAGkB,GACdY,EAAIhC,EAAGQ,IAAIN,EAAGyB,GAIlB,MAAQ3B,EAAGG,IAAI4B,EAAG/B,EAAGiB,MAAM,CACzB,GAAIjB,EAAG4B,IAAIG,GAAI,OAAO/B,EAAGiC,KACzB,IAAIlB,EAAI,EAGJmB,EAAQlC,EAAGI,IAAI2B,GACnB,MAAQ/B,EAAGG,IAAI+B,EAAOlC,EAAGiB,MAGvB,GAFAF,IACAmB,EAAQlC,EAAGI,IAAI8B,GACXnB,IAAMc,EAAG,MAAM,IAAInC,MAAM,2BAI/B,MAAMyC,EAAWzD,GAAOD,OAAOoD,EAAId,EAAI,GACjC1B,EAAIW,EAAGQ,IAAIsB,EAAGK,GAGpBN,EAAId,EACJe,EAAI9B,EAAGI,IAAIf,GACX0C,EAAI/B,EAAGY,IAAImB,EAAGD,GACdE,EAAIhC,EAAGY,IAAIoB,EAAG3C,EAChB,CACA,OAAO2C,CACT,CACF,CAaM,SAAUI,EAAOjB,GAErB,OAAIA,EAAItC,IAAQD,EAAYyB,EAExBc,EAAInC,IAAQF,EAAY2B,EAExBU,EAAIjC,IAASD,EAjHnB,SAAoBkC,GAClB,MAAMkB,EAAMb,EAAML,GACZmB,EAAKpB,EAAcC,GACnBoB,EAAKD,EAAGD,EAAKA,EAAIG,IAAIH,EAAIpB,MACzBwB,EAAKH,EAAGD,EAAKE,GACbG,EAAKJ,EAAGD,EAAKA,EAAIG,IAAID,IACrBI,GAAMxB,EAAIpC,G
AAOG,EACvB,MAAO,CAAIc,EAAeE,KACxB,IAAI0C,EAAM5C,EAAGQ,IAAIN,EAAGyC,GAChBE,EAAM7C,EAAGY,IAAIgC,EAAKL,GACtB,MAAMO,EAAM9C,EAAGY,IAAIgC,EAAKH,GAClBM,EAAM/C,EAAGY,IAAIgC,EAAKF,GAClBM,EAAKhD,EAAGG,IAAIH,EAAGI,IAAIyC,GAAM3C,GACzB+C,EAAKjD,EAAGG,IAAIH,EAAGI,IAAI0C,GAAM5C,GAC/B0C,EAAM5C,EAAGkD,KAAKN,EAAKC,EAAKG,GACxBH,EAAM7C,EAAGkD,KAAKH,EAAKD,EAAKG,GACxB,MAAME,EAAKnD,EAAGG,IAAIH,EAAGI,IAAIyC,GAAM3C,GACzBD,EAAOD,EAAGkD,KAAKN,EAAKC,EAAKM,GAE/B,OADApD,EAAeC,EAAIC,EAAMC,GAClBD,EAEX,CA4F+BmD,CAAWjC,GAEjCD,EAAcC,EACvB,OAmDMkC,EAAe,CACnB,SAAU,UAAW,MAAO,MAAO,MAAO,OAAQ,MAClD,MAAO,MAAO,MAAO,MAAO,MAAO,MACnC,OAAQ,OAAQ,OAAQ,QA0BpB,SAAUC,EAAStD,EAAeuD,EAAQC,GAC9C,GAAIA,EAAQhF,EAAK,MAAM,IAAIkB,MAAM,2CACjC,GAAI8D,IAAUhF,EAAK,OAAOwB,EAAGiB,IAC7B,GAAIuC,IAAU9E,EAAK,OAAO6E,EAC1B,IAAIE,EAAIzD,EAAGiB,IACPyC,EAAIH,EACR,KAAOC,EAAQhF,GACTgF,EAAQ9E,IAAK+E,EAAIzD,EAAGY,IAAI6C,EAAGC,IAC/BA,EAAI1D,EAAGI,IAAIsD,GACXF,IAAU9E,EAEZ,OAAO+E,CACT,CAOM,SAAUE,EAAiB3D,EAAe4D,EAAWC,GAAW,GACpE,MAAMC,EAAW,IAAIC,MAAMH,EAAKI,QAAQC,KAAKJ,EAAW7D,EAAGiC,UAAOiC,GAE5DC,EAAgBP,EAAKQ,OAAO,CAACC,EAAKd,EAAKxC,IACvCf,EAAG4B,IAAI2B,GAAac,GACxBP,EAAS/C,GAAKsD,EACPrE,EAAGY,IAAIyD,EAAKd,IAClBvD,EAAGiB,KAEAqD,EAActE,EAAGuE,IAAIJ,GAO3B,OALAP,EAAKY,YAAY,CAACH,EAAKd,EAAKxC,IACtBf,EAAG4B,IAAI2B,GAAac,GACxBP,EAAS/C,GAAKf,EAAGY,IAAIyD,EAAKP,EAAS/C,IAC5Bf,EAAGY,IAAIyD,EAAKd,IAClBe,GACIR,CACT,CAgBM,SAAUrC,EAAczB,EAAeE,GAG3C,MAAMuE,GAAUzE,EAAGO,MAAQ7B,GAAOC,EAC5B+F,EAAU1E,EAAGQ,IAAIN,EAAGuE,GACpBE,EAAM3E,EAAGG,IAAIuE,EAAS1E,EAAGiB,KACzB2D,EAAO5E,EAAGG,IAAIuE,EAAS1E,EAAGiC,MAC1B4C,EAAK7E,EAAGG,IAAIuE,EAAS1E,EAAGwC,IAAIxC,EAAGiB,MACrC,IAAK0D,IAAQC,IAASC,EAAI,MAAM,IAAInF,MAAM,kCAC1C,OAAOiF,EAAM,EAAIC,EAAO,GAAI,CAC9B,CAUM,SAAUE,EAAQ5E,EAAW6E,QAEdb,IAAfa,GAA0BC,EAAAA,QAAQD,GACtC,MAAME,OAA6Bf,IAAfa,EAA2BA,EAAa7E,EAAEgF,SAAS,GAAGlB,OAE1E,MAAO,CAAEe,WAAYE,EAAaE,YADdC,KAAKC,KAAKJ,EAAc,GAE9C,CA8BM,SAAUzD,EACdjB,EACA+E,EACAC,GAAO,EACPC,EAA0B,IAE1B,GAAIjF,GAAS/B,EAAK,MAAM,IAAIkB,MAAM,0CAA4Ca,GAC9E,IAAIkF,EACAC,EAEAC,EADAC,GAAwB,EAE5B,GAA4B,iBAAjBN,GAA
6C,MAAhBA,EAAsB,CAC5D,GAAIE,EAAKK,MAAQN,EAAM,MAAM,IAAI7F,MAAM,wCACvC,MAAMoG,EAAQR,EACVQ,EAAMC,OAAMN,EAAcK,EAAMC,MAChCD,EAAMD,OAAMH,EAAQI,EAAMD,MACJ,kBAAfC,EAAMP,OAAoBA,EAAOO,EAAMP,MAChB,kBAAvBO,EAAMF,eAA4BA,EAAeE,EAAMF,cAClED,EAAiBG,EAAMH,cACzB,KAC8B,iBAAjBL,IAA2BG,EAAcH,GAChDE,EAAKK,OAAMH,EAAQF,EAAKK,MAE9B,MAAQd,WAAYgB,EAAMZ,YAAaa,GAAUlB,EAAQvE,EAAOkF,GAChE,GAAIO,EAAQ,KAAM,MAAM,IAAItG,MAAM,kDAClC,IAAIuG,EACJ,MAAMC,EAAuBC,OAAOC,OAAO,CACzC7F,QACAgF,OACAQ,OACAC,QACAK,KAAMC,EAAAA,QAAQP,GACd9D,KAAMzD,EACNyC,IAAKvC,EACLiH,eAAgBA,EAChBY,OAAShD,GAAQpE,EAAIoE,EAAKhD,GAC1BiG,QAAUjD,IACR,GAAmB,iBAARA,EACT,MAAM,IAAI7D,MAAM,sDAAwD6D,GAC1E,OAAO/E,GAAO+E,GAAOA,EAAMhD,GAE7BqB,IAAM2B,GAAQA,IAAQ/E,EAEtBiI,YAAclD,IAAiB2C,EAAEtE,IAAI2B,IAAQ2C,EAAEM,QAAQjD,GACvDmD,MAAQnD,IAASA,EAAM7E,KAASA,EAChC8D,IAAMe,GAAQpE,GAAKoE,EAAKhD,GACxBJ,IAAKA,CAACwG,EAAKC,IAAQD,IAAQC,EAE3BxG,IAAMmD,GAAQpE,EAAIoE,EAAMA,EAAKhD,GAC7BsG,IAAKA,CAACF,EAAKC,IAAQzH,EAAIwH,EAAMC,EAAKrG,GAClCS,IAAKA,CAAC2F,EAAKC,IAAQzH,EAAIwH,EAAMC,EAAKrG,GAClCK,IAAKA,CAAC+F,EAAKC,IAAQzH,EAAIwH,EAAMC,EAAKrG,GAClCC,IAAKA,CAAC+C,EAAKC,IAAUF,EAAM4C,EAAG3C,EAAKC,GACnCsD,IAAKA,CAACH,EAAKC,IAAQzH,EAAIwH,EAAMpH,EAAOqH,EAAKrG,GAAQA,GAGjDwG,KAAOxD,GAAQA,EAAMA,EACrByD,KAAMA,CAACL,EAAKC,IAAQD,EAAMC,EAC1BK,KAAMA,CAACN,EAAKC,IAAQD,EAAMC,EAC1BM,KAAMA,CAACP,EAAKC,IAAQD,EAAMC,EAE1BrC,IAAMhB,GAAQhE,EAAOgE,EAAKhD,GAC1BsF,KACEH,GAAK,CACHxF,IACK+F,IAAOA,EAAQ7D,EAAO7B,IACpB0F,EAAMC,EAAGhG,KAEpBiH,QAAU5D,GAASgC,EAAO6B,kBAAgB7D,EAAKyC,GAASqB,EAAAA,gBAAgB9D,EAAKyC,GAC7EsB,UAAWA,CAACC,EAAOC,GAAiB,KAClC,GAAI7B,EAAgB,CAClB,IAAKA,EAAe8B,SAASF,EAAMvD,SAAWuD,EAAMvD,OAASgC,EAC3D,MAAM,IAAItG,MACR,6BAA+BiG,EAAiB,eAAiB4B,EAAMvD,QAG3E,MAAM0D,EAAS,IAAIC,WAAW3B,GAE9B0B,EAAOE,IAAIL,EAAOhC,EAAO,EAAImC,EAAO1D,OAASuD,EAAMvD,QACnDuD,EAAQG,CACV,CACA,GAAIH,EAAMvD,SAAWgC,EACnB,MAAM,IAAItG,MAAM,6BAA+BsG,EAAQ,eAAiBuB,EAAMvD,QAChF,IAAI6D,EAAStC,EAAOuC,EAAAA,gBAAgBP,GAASQ,EAAAA,gBAAgBR,GAE7D,GADI3B,IAAciC,EAAS1I,EAAI0I,EAAQtH,KAClCiH,IACEtB,EAAEM,QAAQqB,GAAS,MAAM,IAAInI,MAAM,oDAG1C,
OAAOmI,GAGTG,YAAcC,GAAQtE,EAAcuC,EAAG+B,GAGvC/E,KAAMA,CAAC9D,EAAGC,EAAGyC,IAAOA,EAAIzC,EAAID,IAE9B,OAAO+G,OAAOC,OAAOF,EACvB,qIA3R4BgC,CAAC3E,EAAa9D,KACvCN,EAAIoE,EAAK9D,GAAUf,KAASA,+CAvLzB,SAAeiB,EAAW6D,EAAe/D,GAC7C,IAAI0I,EAAMxI,EACV,KAAO6D,KAAUhF,GACf2J,GAAOA,EACPA,GAAO1I,EAET,OAAO0I,CACT,gDAoOM,SAA2BC,GAC/B,MAMM5C,EAAOnC,EAAae,OAAO,CAACiE,EAAKC,KACrCD,EAAIC,GAAO,WACJD,GARO,CACd9H,MAAO,SACP8F,KAAM,SACNL,MAAO,SACPD,KAAM,WAUR,OAJAwC,EAAAA,gBAAgBH,EAAO5C,GAIhB4C,CACT","x_google_ignoreList":[0]}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var
|
|
1
|
+
"use strict";var f=require("../../hashes/esm/sha2.js"),t=require("./abstract/edwards.js"),d=require("./abstract/modular.js");
|
|
2
2
|
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
3
|
-
const
|
|
3
|
+
const e=BigInt(1),n=BigInt(2);BigInt(3);const o=BigInt(5),i=BigInt(8),a=BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"),s=(()=>({p:a,n:BigInt("0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"),h:i,a:BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"),d:BigInt("0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3"),Gx:BigInt("0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a"),Gy:BigInt("0x6666666666666666666666666666666666666666666666666666666666666658")}))();function c(f){return f[0]&=248,f[31]&=127,f[31]|=64,f}const r=BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752");function p(f,t){const i=a,s=d.mod(t*t*t,i),c=function(f){const t=BigInt(10),i=BigInt(20),s=BigInt(40),c=BigInt(80),r=a,p=f*f%r*f%r,g=d.pow2(p,n,r)*p%r,B=d.pow2(g,e,r)*f%r,I=d.pow2(B,o,r)*B%r,w=d.pow2(I,t,r)*I%r,u=d.pow2(w,i,r)*w%r,m=d.pow2(u,s,r)*u%r,x=d.pow2(m,c,r)*m%r,b=d.pow2(x,c,r)*m%r,h=d.pow2(b,t,r)*I%r;return{pow_p_5_8:d.pow2(h,n,r)*f%r,b2:p}}(f*d.mod(s*s*t,i)).pow_p_5_8;let p=d.mod(f*s*c,i);const g=d.mod(t*p*p,i),B=p,I=d.mod(p*r,i),w=g===f,u=g===d.mod(-f,i),m=g===d.mod(-f*r,i);return w&&(p=B),(u||m)&&(p=I),d.isNegativeLE(p,i)&&(p=d.mod(-p,i)),{isValid:w||u,value:p}}const g=(()=>d.Field(s.p,{isLE:!0}))(),B=(()=>({...s,Fp:g,hash:f.sha512,adjustScalarBytes:c,uvRatio:p}))(),I=(()=>t.twistedEdwards(B))();exports.ed25519=I;
|
|
4
4
|
//# sourceMappingURL=ed25519.js.map
|