@btc-vision/transaction 1.7.22 → 1.7.24

package/browser/noble-curves.js

@@ -0,0 +1,3316 @@
+import { c as We, e as ln, n as dn, o as Me, p as yt, q as Qe, t as hn, u as Ae, v as yn, w as mn, x as kt, y as bn, z as wn } from "./noble-hashes.js";
+var tt = {}, Ke = {}, nt = {}, rt = {}, _t;
+function Ce() {
+  return _t || (_t = 1, (function(e) {
+    Object.defineProperty(e, "__esModule", { value: !0 }), e.notImplemented = e.bitMask = e.utf8ToBytes = e.randomBytes = e.isBytes = e.hexToBytes = e.concatBytes = e.bytesToUtf8 = e.bytesToHex = e.anumber = e.abytes = void 0, e.abool = m, e._abool2 = g, e._abytes2 = p, e.numberToHexUnpadded = v, e.hexToNumber = U, e.bytesToNumberBE = H, e.bytesToNumberLE = V, e.numberToBytesBE = E, e.numberToBytesLE = b, e.numberToVarBytesBE = S, e.ensureBytes = A, e.equalBytes = M, e.copyBytes = Q, e.asciiToBytes = F, e.inRange = se, e.aInRange = ie, e.bitLen = j, e.bitGet = O, e.bitSet = L, e.createHmacDrbg = K, e.validateObject = z, e.isHash = d, e._validateObject = u, e.memoized = a;
+    const r = /* @__PURE__ */ We();
+    var c = /* @__PURE__ */ We();
+    Object.defineProperty(e, "abytes", { enumerable: !0, get: function() {
+      return c.abytes;
+    } }), Object.defineProperty(e, "anumber", { enumerable: !0, get: function() {
+      return c.anumber;
+    } }), Object.defineProperty(e, "bytesToHex", { enumerable: !0, get: function() {
+      return c.bytesToHex;
+    } }), Object.defineProperty(e, "bytesToUtf8", { enumerable: !0, get: function() {
+      return c.bytesToUtf8;
+    } }), Object.defineProperty(e, "concatBytes", { enumerable: !0, get: function() {
+      return c.concatBytes;
+    } }), Object.defineProperty(e, "hexToBytes", { enumerable: !0, get: function() {
+      return c.hexToBytes;
+    } }), Object.defineProperty(e, "isBytes", { enumerable: !0, get: function() {
+      return c.isBytes;
+    } }), Object.defineProperty(e, "randomBytes", { enumerable: !0, get: function() {
+      return c.randomBytes;
+    } }), Object.defineProperty(e, "utf8ToBytes", { enumerable: !0, get: function() {
+      return c.utf8ToBytes;
+    } });
+    const t = /* @__PURE__ */ BigInt(0), l = /* @__PURE__ */ BigInt(1);
+    function m(i, o) {
+      if (typeof o != "boolean")
+        throw new Error(i + " boolean expected, got " + o);
+    }
+    function g(i, o = "") {
+      if (typeof i != "boolean") {
+        const h = o && `"${o}"`;
+        throw new Error(h + "expected boolean, got type=" + typeof i);
+      }
+      return i;
+    }
+    function p(i, o, h = "") {
+      const w = (0, r.isBytes)(i), s = i?.length, f = o !== void 0;
+      if (!w || f && s !== o) {
+        const y = h && `"${h}" `, B = f ? ` of length ${o}` : "", T = w ? `length=${s}` : `type=${typeof i}`;
+        throw new Error(y + "expected Uint8Array" + B + ", got " + T);
+      }
+      return i;
+    }
+    function v(i) {
+      const o = i.toString(16);
+      return o.length & 1 ? "0" + o : o;
+    }
+    function U(i) {
+      if (typeof i != "string")
+        throw new Error("hex string expected, got " + typeof i);
+      return i === "" ? t : BigInt("0x" + i);
+    }
+    function H(i) {
+      return U((0, r.bytesToHex)(i));
+    }
+    function V(i) {
+      return (0, r.abytes)(i), U((0, r.bytesToHex)(Uint8Array.from(i).reverse()));
+    }
+    function E(i, o) {
+      return (0, r.hexToBytes)(i.toString(16).padStart(o * 2, "0"));
+    }
+    function b(i, o) {
+      return E(i, o).reverse();
+    }
+    function S(i) {
+      return (0, r.hexToBytes)(v(i));
+    }
+    function A(i, o, h) {
+      let w;
+      if (typeof o == "string")
+        try {
+          w = (0, r.hexToBytes)(o);
+        } catch (f) {
+          throw new Error(i + " must be hex string or Uint8Array, cause: " + f);
+        }
+      else if ((0, r.isBytes)(o))
+        w = Uint8Array.from(o);
+      else
+        throw new Error(i + " must be hex string or Uint8Array");
+      const s = w.length;
+      if (typeof h == "number" && s !== h)
+        throw new Error(i + " of length " + h + " expected, got " + s);
+      return w;
+    }
+    function M(i, o) {
+      if (i.length !== o.length)
+        return !1;
+      let h = 0;
+      for (let w = 0; w < i.length; w++)
+        h |= i[w] ^ o[w];
+      return h === 0;
+    }
+    function Q(i) {
+      return Uint8Array.from(i);
+    }
+    function F(i) {
+      return Uint8Array.from(i, (o, h) => {
+        const w = o.charCodeAt(0);
+        if (o.length !== 1 || w > 127)
+          throw new Error(`string contains non-ASCII character "${i[h]}" with code ${w} at position ${h}`);
+        return w;
+      });
+    }
+    const G = (i) => typeof i == "bigint" && t <= i;
+    function se(i, o, h) {
+      return G(i) && G(o) && G(h) && o <= i && i < h;
+    }
+    function ie(i, o, h, w) {
+      if (!se(o, h, w))
+        throw new Error("expected valid " + i + ": " + h + " <= n < " + w + ", got " + o);
+    }
+    function j(i) {
+      let o;
+      for (o = 0; i > t; i >>= l, o += 1)
+        ;
+      return o;
+    }
+    function O(i, o) {
+      return i >> BigInt(o) & l;
+    }
+    function L(i, o, h) {
+      return i | (h ? l : t) << BigInt(o);
+    }
+    const _ = (i) => (l << BigInt(i)) - l;
+    e.bitMask = _;
+    function K(i, o, h) {
+      if (typeof i != "number" || i < 2)
+        throw new Error("hashLen must be a number");
+      if (typeof o != "number" || o < 2)
+        throw new Error("qByteLen must be a number");
+      if (typeof h != "function")
+        throw new Error("hmacFn must be a function");
+      const w = (C) => new Uint8Array(C), s = (C) => Uint8Array.of(C);
+      let f = w(i), y = w(i), B = 0;
+      const T = () => {
+        f.fill(1), y.fill(0), B = 0;
+      }, k = (...C) => h(y, f, ...C), Y = (C = w(0)) => {
+        y = k(s(0), C), f = k(), C.length !== 0 && (y = k(s(1), C), f = k());
+      }, I = () => {
+        if (B++ >= 1e3)
+          throw new Error("drbg: tried 1000 values");
+        let C = 0;
+        const te = [];
+        for (; C < o; ) {
+          f = k();
+          const $ = f.slice();
+          te.push($), C += f.length;
+        }
+        return (0, r.concatBytes)(...te);
+      };
+      return (C, te) => {
+        T(), Y(C);
+        let $;
+        for (; !($ = te(I())); )
+          Y();
+        return T(), $;
+      };
+    }
+    const W = {
+      bigint: (i) => typeof i == "bigint",
+      function: (i) => typeof i == "function",
+      boolean: (i) => typeof i == "boolean",
+      string: (i) => typeof i == "string",
+      stringOrUint8Array: (i) => typeof i == "string" || (0, r.isBytes)(i),
+      isSafeInteger: (i) => Number.isSafeInteger(i),
+      array: (i) => Array.isArray(i),
+      field: (i, o) => o.Fp.isValid(i),
+      hash: (i) => typeof i == "function" && Number.isSafeInteger(i.outputLen)
+    };
+    function z(i, o, h = {}) {
+      const w = (s, f, y) => {
+        const B = W[f];
+        if (typeof B != "function")
+          throw new Error("invalid validator function");
+        const T = i[s];
+        if (!(y && T === void 0) && !B(T, i))
+          throw new Error("param " + String(s) + " is invalid. Expected " + f + ", got " + T);
+      };
+      for (const [s, f] of Object.entries(o))
+        w(s, f, !1);
+      for (const [s, f] of Object.entries(h))
+        w(s, f, !0);
+      return i;
+    }
+    function d(i) {
+      return typeof i == "function" && Number.isSafeInteger(i.outputLen);
+    }
+    function u(i, o, h = {}) {
+      if (!i || typeof i != "object")
+        throw new Error("expected valid options object");
+      function w(s, f, y) {
+        const B = i[s];
+        if (y && B === void 0)
+          return;
+        const T = typeof B;
+        if (T !== f || B === null)
+          throw new Error(`param "${s}" is invalid: expected ${f}, got ${T}`);
+      }
+      Object.entries(o).forEach(([s, f]) => w(s, f, !1)), Object.entries(h).forEach(([s, f]) => w(s, f, !0));
+    }
+    const n = () => {
+      throw new Error("not implemented");
+    };
+    e.notImplemented = n;
+    function a(i) {
+      const o = /* @__PURE__ */ new WeakMap();
+      return (h, ...w) => {
+        const s = o.get(h);
+        if (s !== void 0)
+          return s;
+        const f = i(h, ...w);
+        return o.set(h, f), f;
+      };
+    }
+  })(rt)), rt;
+}
+var Oe = {}, he = {}, St;
+function $e() {
+  if (St) return he;
+  St = 1, Object.defineProperty(he, "__esModule", { value: !0 }), he.isNegativeLE = void 0, he.mod = V, he.pow = E, he.pow2 = b, he.invert = S, he.tonelliShanks = G, he.FpSqrt = se, he.validateField = O, he.FpPow = L, he.FpInvertBatch = _, he.FpDiv = K, he.FpLegendre = W, he.FpIsSquare = z, he.nLength = d, he.Field = u, he.FpSqrtOdd = n, he.FpSqrtEven = a, he.hashToPrivateScalar = i, he.getFieldBytesLength = o, he.getMinHashLength = h, he.mapHashToField = w;
+  const e = /* @__PURE__ */ Ce(), r = BigInt(0), c = BigInt(1), t = /* @__PURE__ */ BigInt(2), l = /* @__PURE__ */ BigInt(3), m = /* @__PURE__ */ BigInt(4), g = /* @__PURE__ */ BigInt(5), p = /* @__PURE__ */ BigInt(7), v = /* @__PURE__ */ BigInt(8), U = /* @__PURE__ */ BigInt(9), H = /* @__PURE__ */ BigInt(16);
+  function V(s, f) {
+    const y = s % f;
+    return y >= r ? y : f + y;
+  }
+  function E(s, f, y) {
+    return L(u(y), s, f);
+  }
+  function b(s, f, y) {
+    let B = s;
+    for (; f-- > r; )
+      B *= B, B %= y;
+    return B;
+  }
+  function S(s, f) {
+    if (s === r)
+      throw new Error("invert: expected non-zero number");
+    if (f <= r)
+      throw new Error("invert: expected positive modulus, got " + f);
+    let y = V(s, f), B = f, T = r, k = c;
+    for (; y !== r; ) {
+      const I = B / y, q = B % y, C = T - k * I;
+      B = y, y = q, T = k, k = C;
+    }
+    if (B !== c)
+      throw new Error("invert: does not exist");
+    return V(T, f);
+  }
+  function A(s, f, y) {
+    if (!s.eql(s.sqr(f), y))
+      throw new Error("Cannot find square root");
+  }
+  function M(s, f) {
+    const y = (s.ORDER + c) / m, B = s.pow(f, y);
+    return A(s, B, f), B;
+  }
+  function Q(s, f) {
+    const y = (s.ORDER - g) / v, B = s.mul(f, t), T = s.pow(B, y), k = s.mul(f, T), Y = s.mul(s.mul(k, t), T), I = s.mul(k, s.sub(Y, s.ONE));
+    return A(s, I, f), I;
+  }
+  function F(s) {
+    const f = u(s), y = G(s), B = y(f, f.neg(f.ONE)), T = y(f, B), k = y(f, f.neg(B)), Y = (s + p) / H;
+    return (I, q) => {
+      let C = I.pow(q, Y), te = I.mul(C, B);
+      const $ = I.mul(C, T), x = I.mul(C, k), X = I.eql(I.sqr(te), q), ae = I.eql(I.sqr($), q);
+      C = I.cmov(C, te, X), te = I.cmov(x, $, ae);
+      const ye = I.eql(I.sqr(te), q), pe = I.cmov(C, te, ye);
+      return A(I, pe, q), pe;
+    };
+  }
+  function G(s) {
+    if (s < l)
+      throw new Error("sqrt is not defined for small field");
+    let f = s - c, y = 0;
+    for (; f % t === r; )
+      f /= t, y++;
+    let B = t;
+    const T = u(s);
+    for (; W(T, B) === 1; )
+      if (B++ > 1e3)
+        throw new Error("Cannot find square root: probably non-prime P");
+    if (y === 1)
+      return M;
+    let k = T.pow(B, f);
+    const Y = (f + c) / t;
+    return function(q, C) {
+      if (q.is0(C))
+        return C;
+      if (W(q, C) !== 1)
+        throw new Error("Cannot find square root");
+      let te = y, $ = q.mul(q.ONE, k), x = q.pow(C, f), X = q.pow(C, Y);
+      for (; !q.eql(x, q.ONE); ) {
+        if (q.is0(x))
+          return q.ZERO;
+        let ae = 1, ye = q.sqr(x);
+        for (; !q.eql(ye, q.ONE); )
+          if (ae++, ye = q.sqr(ye), ae === te)
+            throw new Error("Cannot find square root");
+        const pe = c << BigInt(te - ae - 1), ve = q.pow($, pe);
+        te = ae, $ = q.sqr(ve), x = q.mul(x, $), X = q.mul(X, ve);
+      }
+      return X;
+    };
+  }
+  function se(s) {
+    return s % m === l ? M : s % v === g ? Q : s % H === U ? F(s) : G(s);
+  }
+  const ie = (s, f) => (V(s, f) & c) === c;
+  he.isNegativeLE = ie;
+  const j = [
+    "create",
+    "isValid",
+    "is0",
+    "neg",
+    "inv",
+    "sqrt",
+    "sqr",
+    "eql",
+    "add",
+    "sub",
+    "mul",
+    "pow",
+    "div",
+    "addN",
+    "subN",
+    "mulN",
+    "sqrN"
+  ];
+  function O(s) {
+    const f = {
+      ORDER: "bigint",
+      MASK: "bigint",
+      BYTES: "number",
+      BITS: "number"
+    }, y = j.reduce((B, T) => (B[T] = "function", B), f);
+    return (0, e._validateObject)(s, y), s;
+  }
+  function L(s, f, y) {
+    if (y < r)
+      throw new Error("invalid exponent, negatives unsupported");
+    if (y === r)
+      return s.ONE;
+    if (y === c)
+      return f;
+    let B = s.ONE, T = f;
+    for (; y > r; )
+      y & c && (B = s.mul(B, T)), T = s.sqr(T), y >>= c;
+    return B;
+  }
+  function _(s, f, y = !1) {
+    const B = new Array(f.length).fill(y ? s.ZERO : void 0), T = f.reduce((Y, I, q) => s.is0(I) ? Y : (B[q] = Y, s.mul(Y, I)), s.ONE), k = s.inv(T);
+    return f.reduceRight((Y, I, q) => s.is0(I) ? Y : (B[q] = s.mul(Y, B[q]), s.mul(Y, I)), k), B;
+  }
+  function K(s, f, y) {
+    return s.mul(f, typeof y == "bigint" ? S(y, s.ORDER) : s.inv(y));
+  }
+  function W(s, f) {
+    const y = (s.ORDER - c) / t, B = s.pow(f, y), T = s.eql(B, s.ONE), k = s.eql(B, s.ZERO), Y = s.eql(B, s.neg(s.ONE));
+    if (!T && !k && !Y)
+      throw new Error("invalid Legendre symbol result");
+    return T ? 1 : k ? 0 : -1;
+  }
+  function z(s, f) {
+    return W(s, f) === 1;
+  }
+  function d(s, f) {
+    f !== void 0 && (0, e.anumber)(f);
+    const y = f !== void 0 ? f : s.toString(2).length, B = Math.ceil(y / 8);
+    return { nBitLength: y, nByteLength: B };
+  }
+  function u(s, f, y = !1, B = {}) {
+    if (s <= r)
+      throw new Error("invalid field: expected ORDER > 0, got " + s);
+    let T, k, Y = !1, I;
+    if (typeof f == "object" && f != null) {
+      if (B.sqrt || y)
+        throw new Error("cannot specify opts in two arguments");
+      const x = f;
+      x.BITS && (T = x.BITS), x.sqrt && (k = x.sqrt), typeof x.isLE == "boolean" && (y = x.isLE), typeof x.modFromBytes == "boolean" && (Y = x.modFromBytes), I = x.allowedLengths;
+    } else
+      typeof f == "number" && (T = f), B.sqrt && (k = B.sqrt);
+    const { nBitLength: q, nByteLength: C } = d(s, T);
+    if (C > 2048)
+      throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+    let te;
+    const $ = Object.freeze({
+      ORDER: s,
+      isLE: y,
+      BITS: q,
+      BYTES: C,
+      MASK: (0, e.bitMask)(q),
+      ZERO: r,
+      ONE: c,
+      allowedLengths: I,
+      create: (x) => V(x, s),
+      isValid: (x) => {
+        if (typeof x != "bigint")
+          throw new Error("invalid field element: expected bigint, got " + typeof x);
+        return r <= x && x < s;
+      },
+      is0: (x) => x === r,
+      // is valid and invertible
+      isValidNot0: (x) => !$.is0(x) && $.isValid(x),
+      isOdd: (x) => (x & c) === c,
+      neg: (x) => V(-x, s),
+      eql: (x, X) => x === X,
+      sqr: (x) => V(x * x, s),
+      add: (x, X) => V(x + X, s),
+      sub: (x, X) => V(x - X, s),
+      mul: (x, X) => V(x * X, s),
+      pow: (x, X) => L($, x, X),
+      div: (x, X) => V(x * S(X, s), s),
+      // Same as above, but doesn't normalize
+      sqrN: (x) => x * x,
+      addN: (x, X) => x + X,
+      subN: (x, X) => x - X,
+      mulN: (x, X) => x * X,
+      inv: (x) => S(x, s),
+      sqrt: k || ((x) => (te || (te = se(s)), te($, x))),
+      toBytes: (x) => y ? (0, e.numberToBytesLE)(x, C) : (0, e.numberToBytesBE)(x, C),
+      fromBytes: (x, X = !0) => {
+        if (I) {
+          if (!I.includes(x.length) || x.length > C)
+            throw new Error("Field.fromBytes: expected " + I + " bytes, got " + x.length);
+          const ye = new Uint8Array(C);
+          ye.set(x, y ? 0 : ye.length - x.length), x = ye;
+        }
+        if (x.length !== C)
+          throw new Error("Field.fromBytes: expected " + C + " bytes, got " + x.length);
+        let ae = y ? (0, e.bytesToNumberLE)(x) : (0, e.bytesToNumberBE)(x);
+        if (Y && (ae = V(ae, s)), !X && !$.isValid(ae))
+          throw new Error("invalid field element: outside of range 0..ORDER");
+        return ae;
+      },
+      // TODO: we don't need it here, move out to separate fn
+      invertBatch: (x) => _($, x),
+      // We can't move this out because Fp6, Fp12 implement it
+      // and it's unclear what to return in there.
+      cmov: (x, X, ae) => ae ? X : x
+    });
+    return Object.freeze($);
+  }
+  function n(s, f) {
+    if (!s.isOdd)
+      throw new Error("Field doesn't have isOdd");
+    const y = s.sqrt(f);
+    return s.isOdd(y) ? y : s.neg(y);
+  }
+  function a(s, f) {
+    if (!s.isOdd)
+      throw new Error("Field doesn't have isOdd");
+    const y = s.sqrt(f);
+    return s.isOdd(y) ? s.neg(y) : y;
+  }
+  function i(s, f, y = !1) {
+    s = (0, e.ensureBytes)("privateHash", s);
+    const B = s.length, T = d(f).nByteLength + 8;
+    if (T < 24 || B < T || B > 1024)
+      throw new Error("hashToPrivateScalar: expected " + T + "-1024 bytes of input, got " + B);
+    const k = y ? (0, e.bytesToNumberLE)(s) : (0, e.bytesToNumberBE)(s);
+    return V(k, f - c) + c;
+  }
+  function o(s) {
+    if (typeof s != "bigint")
+      throw new Error("field order must be bigint");
+    const f = s.toString(2).length;
+    return Math.ceil(f / 8);
+  }
+  function h(s) {
+    const f = o(s);
+    return f + Math.ceil(f / 2);
+  }
+  function w(s, f, y = !1) {
+    const B = s.length, T = o(f), k = h(f);
+    if (B < 16 || B < k || B > 1024)
+      throw new Error("expected " + k + "-1024 bytes of input, got " + B);
+    const Y = y ? (0, e.bytesToNumberLE)(s) : (0, e.bytesToNumberBE)(s), I = V(Y, f - c) + c;
+    return y ? (0, e.numberToBytesLE)(I, T) : (0, e.numberToBytesBE)(I, T);
+  }
+  return he;
+}
+var Tt;
+function gn() {
+  if (Tt) return Oe;
+  Tt = 1, Object.defineProperty(Oe, "__esModule", { value: !0 }), Oe.wNAF = void 0, Oe.negateCt = l, Oe.normalizeZ = m, Oe.mulEndoUnsafe = M, Oe.pippenger = Q, Oe.precomputeMSMUnsafe = F, Oe.validateBasic = G, Oe._createCurveFields = ie;
+  const e = /* @__PURE__ */ Ce(), r = /* @__PURE__ */ $e(), c = BigInt(0), t = BigInt(1);
+  function l(j, O) {
+    const L = O.negate();
+    return j ? L : O;
+  }
+  function m(j, O) {
+    const L = (0, r.FpInvertBatch)(j.Fp, O.map((_) => _.Z));
+    return O.map((_, K) => j.fromAffine(_.toAffine(L[K])));
+  }
+  function g(j, O) {
+    if (!Number.isSafeInteger(j) || j <= 0 || j > O)
+      throw new Error("invalid window size, expected [1.." + O + "], got W=" + j);
+  }
+  function p(j, O) {
+    g(j, O);
+    const L = Math.ceil(O / j) + 1, _ = 2 ** (j - 1), K = 2 ** j, W = (0, e.bitMask)(j), z = BigInt(j);
+    return { windows: L, windowSize: _, mask: W, maxNumber: K, shiftBy: z };
+  }
+  function v(j, O, L) {
+    const { windowSize: _, mask: K, maxNumber: W, shiftBy: z } = L;
+    let d = Number(j & K), u = j >> z;
+    d > _ && (d -= W, u += t);
+    const n = O * _, a = n + Math.abs(d) - 1, i = d === 0, o = d < 0, h = O % 2 !== 0;
+    return { nextN: u, offset: a, isZero: i, isNeg: o, isNegF: h, offsetF: n };
+  }
+  function U(j, O) {
+    if (!Array.isArray(j))
+      throw new Error("array expected");
+    j.forEach((L, _) => {
+      if (!(L instanceof O))
+        throw new Error("invalid point at index " + _);
+    });
+  }
+  function H(j, O) {
+    if (!Array.isArray(j))
+      throw new Error("array of scalars expected");
+    j.forEach((L, _) => {
+      if (!O.isValid(L))
+        throw new Error("invalid scalar at index " + _);
+    });
+  }
+  const V = /* @__PURE__ */ new WeakMap(), E = /* @__PURE__ */ new WeakMap();
+  function b(j) {
+    return E.get(j) || 1;
+  }
+  function S(j) {
+    if (j !== c)
+      throw new Error("invalid wNAF");
+  }
+  class A {
+    // Parametrized with a given Point class (not individual point)
+    constructor(O, L) {
+      this.BASE = O.BASE, this.ZERO = O.ZERO, this.Fn = O.Fn, this.bits = L;
+    }
+    // non-const time multiplication ladder
+    _unsafeLadder(O, L, _ = this.ZERO) {
+      let K = O;
+      for (; L > c; )
+        L & t && (_ = _.add(K)), K = K.double(), L >>= t;
+      return _;
+    }
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    precomputeWindow(O, L) {
+      const { windows: _, windowSize: K } = p(L, this.bits), W = [];
+      let z = O, d = z;
+      for (let u = 0; u < _; u++) {
+        d = z, W.push(d);
+        for (let n = 1; n < K; n++)
+          d = d.add(z), W.push(d);
+        z = d.double();
+      }
+      return W;
+    }
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(O, L, _) {
+      if (!this.Fn.isValid(_))
+        throw new Error("invalid scalar");
+      let K = this.ZERO, W = this.BASE;
+      const z = p(O, this.bits);
+      for (let d = 0; d < z.windows; d++) {
+        const { nextN: u, offset: n, isZero: a, isNeg: i, isNegF: o, offsetF: h } = v(_, d, z);
+        _ = u, a ? W = W.add(l(o, L[h])) : K = K.add(l(i, L[n]));
+      }
+      return S(_), { p: K, f: W };
+    }
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(O, L, _, K = this.ZERO) {
+      const W = p(O, this.bits);
+      for (let z = 0; z < W.windows && _ !== c; z++) {
+        const { nextN: d, offset: u, isZero: n, isNeg: a } = v(_, z, W);
+        if (_ = d, !n) {
+          const i = L[u];
+          K = K.add(a ? i.negate() : i);
+        }
+      }
+      return S(_), K;
+    }
+    getPrecomputes(O, L, _) {
+      let K = V.get(L);
+      return K || (K = this.precomputeWindow(L, O), O !== 1 && (typeof _ == "function" && (K = _(K)), V.set(L, K))), K;
+    }
+    cached(O, L, _) {
+      const K = b(O);
+      return this.wNAF(K, this.getPrecomputes(K, O, _), L);
+    }
+    unsafe(O, L, _, K) {
+      const W = b(O);
+      return W === 1 ? this._unsafeLadder(O, L, K) : this.wNAFUnsafe(W, this.getPrecomputes(W, O, _), L, K);
+    }
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    createCache(O, L) {
+      g(L, this.bits), E.set(O, L), V.delete(O);
+    }
+    hasCache(O) {
+      return b(O) !== 1;
+    }
+  }
+  Oe.wNAF = A;
+  function M(j, O, L, _) {
+    let K = O, W = j.ZERO, z = j.ZERO;
+    for (; L > c || _ > c; )
+      L & t && (W = W.add(K)), _ & t && (z = z.add(K)), K = K.double(), L >>= t, _ >>= t;
+    return { p1: W, p2: z };
+  }
+  function Q(j, O, L, _) {
+    U(L, j), H(_, O);
+    const K = L.length, W = _.length;
+    if (K !== W)
+      throw new Error("arrays of points and scalars must have equal length");
+    const z = j.ZERO, d = (0, e.bitLen)(BigInt(K));
+    let u = 1;
+    d > 12 ? u = d - 3 : d > 4 ? u = d - 2 : d > 0 && (u = 2);
+    const n = (0, e.bitMask)(u), a = new Array(Number(n) + 1).fill(z), i = Math.floor((O.BITS - 1) / u) * u;
+    let o = z;
+    for (let h = i; h >= 0; h -= u) {
+      a.fill(z);
+      for (let s = 0; s < W; s++) {
+        const f = _[s], y = Number(f >> BigInt(h) & n);
+        a[y] = a[y].add(L[s]);
+      }
+      let w = z;
+      for (let s = a.length - 1, f = z; s > 0; s--)
+        f = f.add(a[s]), w = w.add(f);
+      if (o = o.add(w), h !== 0)
+        for (let s = 0; s < u; s++)
+          o = o.double();
+    }
+    return o;
+  }
+  function F(j, O, L, _) {
+    g(_, O.BITS), U(L, j);
+    const K = j.ZERO, W = 2 ** _ - 1, z = Math.ceil(O.BITS / _), d = (0, e.bitMask)(_), u = L.map((n) => {
+      const a = [];
+      for (let i = 0, o = n; i < W; i++)
+        a.push(o), o = o.add(n);
+      return a;
+    });
+    return (n) => {
+      if (H(n, O), n.length > L.length)
+        throw new Error("array of scalars must be smaller than array of points");
+      let a = K;
+      for (let i = 0; i < z; i++) {
+        if (a !== K)
+          for (let h = 0; h < _; h++)
+            a = a.double();
+        const o = BigInt(z * _ - (i + 1) * _);
+        for (let h = 0; h < n.length; h++) {
+          const w = n[h], s = Number(w >> o & d);
+          s && (a = a.add(u[h][s - 1]));
+        }
+      }
+      return a;
+    };
+  }
+  function G(j) {
+    return (0, r.validateField)(j.Fp), (0, e.validateObject)(j, {
+      n: "bigint",
+      h: "bigint",
+      Gx: "field",
+      Gy: "field"
+    }, {
+      nBitLength: "isSafeInteger",
+      nByteLength: "isSafeInteger"
+    }), Object.freeze({
+      ...(0, r.nLength)(j.n, j.nBitLength),
+      ...j,
+      p: j.Fp.ORDER
+    });
+  }
+  function se(j, O, L) {
+    if (O) {
+      if (O.ORDER !== j)
+        throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
+      return (0, r.validateField)(O), O;
+    } else
+      return (0, r.Field)(j, { isLE: L });
+  }
+  function ie(j, O, L = {}, _) {
+    if (_ === void 0 && (_ = j === "edwards"), !O || typeof O != "object")
+      throw new Error(`expected valid ${j} CURVE object`);
+    for (const u of ["p", "n", "h"]) {
+      const n = O[u];
+      if (!(typeof n == "bigint" && n > c))
+        throw new Error(`CURVE.${u} must be positive bigint`);
+    }
+    const K = se(O.p, L.Fp, _), W = se(O.n, L.Fn, _), d = ["Gx", "Gy", "a", j === "weierstrass" ? "b" : "d"];
+    for (const u of d)
+      if (!K.isValid(O[u]))
+        throw new Error(`CURVE.${u} must be valid field element of CURVE.Fp`);
+    return O = Object.freeze(Object.assign({}, O)), { CURVE: O, Fp: K, Fn: W };
+  }
+  return Oe;
+}
+var xt;
+function Ct() {
+  return xt || (xt = 1, (function(e) {
+    Object.defineProperty(e, "__esModule", { value: !0 }), e.DER = e.DERErr = void 0, e._splitEndoScalar = p, e._normFnElement = M, e.weierstrassN = Q, e.SWUFpSqrtRatio = G, e.mapToCurveSimpleSWU = se, e.ecdh = j, e.ecdsa = O, e.weierstrassPoints = L, e._legacyHelperEquat = W, e.weierstrass = u;
+    const r = /* @__PURE__ */ ln(), c = /* @__PURE__ */ We(), t = /* @__PURE__ */ Ce(), l = /* @__PURE__ */ gn(), m = /* @__PURE__ */ $e(), g = (n, a) => (n + (n >= 0 ? a : -a) / b) / a;
+    function p(n, a, i) {
+      const [[o, h], [w, s]] = a, f = g(s * n, i), y = g(-h * n, i);
+      let B = n - f * o - y * w, T = -f * h - y * s;
+      const k = B < V, Y = T < V;
+      k && (B = -B), Y && (T = -T);
+      const I = (0, t.bitMask)(Math.ceil((0, t.bitLen)(i) / 2)) + E;
+      if (B < V || B >= I || T < V || T >= I)
+        throw new Error("splitScalar (endomorphism): failed, k=" + n);
+      return { k1neg: k, k1: B, k2neg: Y, k2: T };
+    }
+    function v(n) {
+      if (!["compact", "recovered", "der"].includes(n))
+        throw new Error('Signature format must be "compact", "recovered", or "der"');
+      return n;
+    }
+    function U(n, a) {
+      const i = {};
+      for (let o of Object.keys(a))
+        i[o] = n[o] === void 0 ? a[o] : n[o];
+      return (0, t._abool2)(i.lowS, "lowS"), (0, t._abool2)(i.prehash, "prehash"), i.format !== void 0 && v(i.format), i;
+    }
+    class H extends Error {
+      constructor(a = "") {
+        super(a);
+      }
+    }
+    e.DERErr = H, e.DER = {
+      // asn.1 DER encoding utils
+      Err: H,
+      // Basic building block is TLV (Tag-Length-Value)
+      _tlv: {
+        encode: (n, a) => {
+          const { Err: i } = e.DER;
+          if (n < 0 || n > 256)
+            throw new i("tlv.encode: wrong tag");
+          if (a.length & 1)
+            throw new i("tlv.encode: unpadded data");
+          const o = a.length / 2, h = (0, t.numberToHexUnpadded)(o);
+          if (h.length / 2 & 128)
+            throw new i("tlv.encode: long form length too big");
+          const w = o > 127 ? (0, t.numberToHexUnpadded)(h.length / 2 | 128) : "";
+          return (0, t.numberToHexUnpadded)(n) + w + h + a;
+        },
+        // v - value, l - left bytes (unparsed)
+        decode(n, a) {
+          const { Err: i } = e.DER;
+          let o = 0;
+          if (n < 0 || n > 256)
+            throw new i("tlv.encode: wrong tag");
+          if (a.length < 2 || a[o++] !== n)
+            throw new i("tlv.decode: wrong tlv");
+          const h = a[o++], w = !!(h & 128);
+          let s = 0;
+          if (!w)
+            s = h;
+          else {
+            const y = h & 127;
+            if (!y)
+              throw new i("tlv.decode(long): indefinite length not supported");
+            if (y > 4)
+              throw new i("tlv.decode(long): byte length is too big");
+            const B = a.subarray(o, o + y);
+            if (B.length !== y)
+              throw new i("tlv.decode: length bytes not complete");
+            if (B[0] === 0)
+              throw new i("tlv.decode(long): zero leftmost byte");
+            for (const T of B)
+              s = s << 8 | T;
+            if (o += y, s < 128)
+              throw new i("tlv.decode(long): not minimal encoding");
+          }
+          const f = a.subarray(o, o + s);
+          if (f.length !== s)
+            throw new i("tlv.decode: wrong value length");
+          return { v: f, l: a.subarray(o + s) };
+        }
+      },
+      // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+      // since we always use positive integers here. It must always be empty:
+      // - add zero byte if exists
+      // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+      _int: {
+        encode(n) {
+          const { Err: a } = e.DER;
+          if (n < V)
+            throw new a("integer: negative integers are not allowed");
+          let i = (0, t.numberToHexUnpadded)(n);
+          if (Number.parseInt(i[0], 16) & 8 && (i = "00" + i), i.length & 1)
+            throw new a("unexpected DER parsing assertion: unpadded hex");
+          return i;
+        },
+        decode(n) {
+          const { Err: a } = e.DER;
+          if (n[0] & 128)
+            throw new a("invalid signature integer: negative");
+          if (n[0] === 0 && !(n[1] & 128))
+            throw new a("invalid signature integer: unnecessary leading zero");
+          return (0, t.bytesToNumberBE)(n);
+        }
+      },
+      toSig(n) {
+        const { Err: a, _int: i, _tlv: o } = e.DER, h = (0, t.ensureBytes)("signature", n), { v: w, l: s } = o.decode(48, h);
+        if (s.length)
+          throw new a("invalid signature: left bytes after parsing");
+        const { v: f, l: y } = o.decode(2, w), { v: B, l: T } = o.decode(2, y);
+        if (T.length)
+          throw new a("invalid signature: left bytes after parsing");
+        return { r: i.decode(f), s: i.decode(B) };
+      },
+      hexFromSig(n) {
+        const { _tlv: a, _int: i } = e.DER, o = a.encode(2, i.encode(n.r)), h = a.encode(2, i.encode(n.s)), w = o + h;
+        return a.encode(48, w);
+      }
+    };
+    const V = BigInt(0), E = BigInt(1), b = BigInt(2), S = BigInt(3), A = BigInt(4);
+    function M(n, a) {
+      const { BYTES: i } = n;
+      let o;
+      if (typeof a == "bigint")
+        o = a;
+      else {
+        let h = (0, t.ensureBytes)("private key", a);
+        try {
+          o = n.fromBytes(h);
+        } catch {
+          throw new Error(`invalid private key: expected ui8a of size ${i}, got ${typeof a}`);
+        }
+      }
+      if (!n.isValidNot0(o))
+        throw new Error("invalid private key: out of range [1..N-1]");
+      return o;
+    }
+    function Q(n, a = {}) {
+      const i = (0, l._createCurveFields)("weierstrass", n, a), { Fp: o, Fn: h } = i;
+      let w = i.CURVE;
+      const { h: s, n: f } = w;
+      (0, t._validateObject)(a, {}, {
+        allowInfinityPoint: "boolean",
+        clearCofactor: "function",
+        isTorsionFree: "function",
+        fromBytes: "function",
+        toBytes: "function",
+        endo: "object",
+        wrapPrivateKey: "boolean"
+      });
+      const { endo: y } = a;
+      if (y && (!o.is0(w.a) || typeof y.beta != "bigint" || !Array.isArray(y.basises)))
+        throw new Error('invalid endo: expected "beta": bigint and "basises": array');
+      const B = ie(o, h);
+      function T() {
+        if (!o.isOdd)
+          throw new Error("compression is not supported: Field does not have .isOdd()");
+      }
+      function k(le, Z, N) {
+        const { x: R, y: D } = Z.toAffine(), J = o.toBytes(R);
+        if ((0, t._abool2)(N, "isCompressed"), N) {
+          T();
+          const re = !o.isOdd(D);
+          return (0, t.concatBytes)(F(re), J);
+        } else
+          return (0, t.concatBytes)(Uint8Array.of(4), J, o.toBytes(D));
+      }
+      function Y(le) {
+        (0, t._abytes2)(le, void 0, "Point");
+        const { publicKey: Z, publicKeyUncompressed: N } = B, R = le.length, D = le[0], J = le.subarray(1);
+        if (R === Z && (D === 2 || D === 3)) {
+          const re = o.fromBytes(J);
+          if (!o.isValid(re))
+            throw new Error("bad point: is not on curve, wrong x");
+          const ne = C(re);
+          let ee;
+          try {
+            ee = o.sqrt(ne);
+          } catch (we) {
+            const de = we instanceof Error ? ": " + we.message : "";
+            throw new Error("bad point: is not on curve, sqrt error" + de);
+          }
+          T();
+          const oe = o.isOdd(ee);
+          return (D & 1) === 1 !== oe && (ee = o.neg(ee)), { x: re, y: ee };
+        } else if (R === N && D === 4) {
+          const re = o.BYTES, ne = o.fromBytes(J.subarray(0, re)), ee = o.fromBytes(J.subarray(re, re * 2));
+          if (!te(ne, ee))
+            throw new Error("bad point: is not on curve");
+          return { x: ne, y: ee };
+        } else
+          throw new Error(`bad point: got length ${R}, expected compressed=${Z} or uncompressed=${N}`);
+      }
+      const I = a.toBytes || k, q = a.fromBytes || Y;
+      function C(le) {
+        const Z = o.sqr(le), N = o.mul(Z, le);
+        return o.add(o.add(N, o.mul(le, w.a)), w.b);
+      }
+      function te(le, Z) {
+        const N = o.sqr(Z), R = C(le);
+        return o.eql(N, R);
+      }
+      if (!te(w.Gx, w.Gy))
+        throw new Error("bad curve params: generator point");
+      const $ = o.mul(o.pow(w.a, S), A), x = o.mul(o.sqr(w.b), BigInt(27));
+      if (o.is0(o.add($, x)))
+        throw new Error("bad curve params: a or b");
+      function X(le, Z, N = !1) {
+        if (!o.isValid(Z) || N && o.is0(Z))
+          throw new Error(`bad point coordinate ${le}`);
+        return Z;
+      }
+      function ae(le) {
+        if (!(le instanceof fe))
+          throw new Error("ProjectivePoint expected");
+      }
+      function ye(le) {
+        if (!y || !y.basises)
+          throw new Error("no endo");
+        return p(le, y.basises, h.ORDER);
+      }
+      const pe = (0, t.memoized)((le, Z) => {
+        const { X: N, Y: R, Z: D } = le;
+        if (o.eql(D, o.ONE))
+          return { x: N, y: R };
+        const J = le.is0();
+        Z == null && (Z = J ? o.ONE : o.inv(D));
+        const re = o.mul(N, Z), ne = o.mul(R, Z), ee = o.mul(D, Z);
+        if (J)
+          return { x: o.ZERO, y: o.ZERO };
+        if (!o.eql(ee, o.ONE))
+          throw new Error("invZ was invalid");
+        return { x: re, y: ne };
+      }), ve = (0, t.memoized)((le) => {
+        if (le.is0()) {
+          if (a.allowInfinityPoint && !o.is0(le.Y))
+            return;
+          throw new Error("bad point: ZERO");
+        }
+        const { x: Z, y: N } = le.toAffine();
+        if (!o.isValid(Z) || !o.isValid(N))
+          throw new Error("bad point: x or y not field elements");
+        if (!te(Z, N))
+          throw new Error("bad point: equation left != right");
+        if (!le.isTorsionFree())
+          throw new Error("bad point: not in prime-order subgroup");
+        return !0;
+      });
+      function xe(le, Z, N, R, D) {
+        return N = new fe(o.mul(N.X, le), N.Y, N.Z), Z = (0, l.negateCt)(R, Z), N = (0, l.negateCt)(D, N), Z.add(N);
+      }
+      class fe {
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+        constructor(Z, N, R) {
+          this.X = X("x", Z), this.Y = X("y", N, !0), this.Z = X("z", R), Object.freeze(this);
+        }
+        static CURVE() {
+          return w;
+        }
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+        static fromAffine(Z) {
+          const { x: N, y: R } = Z || {};
+          if (!Z || !o.isValid(N) || !o.isValid(R))
+            throw new Error("invalid affine point");
+          if (Z instanceof fe)
+            throw new Error("projective point not allowed");
+          return o.is0(N) && o.is0(R) ? fe.ZERO : new fe(N, R, o.ONE);
+        }
+        static fromBytes(Z) {
+          const N = fe.fromAffine(q((0, t._abytes2)(Z, void 0, "point")));
+          return N.assertValidity(), N;
+        }
+        static fromHex(Z) {
+          return fe.fromBytes((0, t.ensureBytes)("pointHex", Z));
+        }
+        get x() {
+          return this.toAffine().x;
+        }
+        get y() {
+          return this.toAffine().y;
+        }
+        /**
+         *
+         * @param windowSize
+         * @param isLazy true will defer table computation until the first multiplication
+         * @returns
+         */
+        precompute(Z = 8, N = !0) {
+          return Ue.createCache(this, Z), N || this.multiply(S), this;
+        }
+        // TODO: return `this`
+        /** A point on curve is valid if it conforms to equation. */
+        assertValidity() {
+          ve(this);
+        }
+        hasEvenY() {
+          const { y: Z } = this.toAffine();
+          if (!o.isOdd)
+            throw new Error("Field doesn't support isOdd");
+          return !o.isOdd(Z);
+        }
+        /** Compare one point to another. */
+        equals(Z) {
+          ae(Z);
+          const { X: N, Y: R, Z: D } = this, { X: J, Y: re, Z: ne } = Z, ee = o.eql(o.mul(N, ne), o.mul(J, D)), oe = o.eql(o.mul(R, ne), o.mul(re, D));
+          return ee && oe;
+        }
+        /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
+        negate() {
+          return new fe(this.X, o.neg(this.Y), this.Z);
+        }
+        // Renes-Costello-Batina exception-free doubling formula.
+        // There is 30% faster Jacobian formula, but it is not complete.
+        // https://eprint.iacr.org/2015/1060, algorithm 3
+        // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+        double() {
+          const { a: Z, b: N } = w, R = o.mul(N, S), { X: D, Y: J, Z: re } = this;
+          let ne = o.ZERO, ee = o.ZERO, oe = o.ZERO, ce = o.mul(D, D), we = o.mul(J, J), de = o.mul(re, re), ue = o.mul(D, J);
+          return ue = o.add(ue, ue), oe = o.mul(D, re), oe = o.add(oe, oe), ne = o.mul(Z, oe), ee = o.mul(R, de), ee = o.add(ne, ee), ne = o.sub(we, ee), ee = o.add(we, ee), ee = o.mul(ne, ee), ne = o.mul(ue, ne), oe = o.mul(R, oe), de = o.mul(Z, de), ue = o.sub(ce, de), ue = o.mul(Z, ue), ue = o.add(ue, oe), oe = o.add(ce, ce), ce = o.add(oe, ce), ce = o.add(ce, de), ce = o.mul(ce, ue), ee = o.add(ee, ce), de = o.mul(J, re), de = o.add(de, de), ce = o.mul(de, ue), ne = o.sub(ne, ce), oe = o.mul(de, we), oe = o.add(oe, oe), oe = o.add(oe, oe), new fe(ne, ee, oe);
+        }
+        // Renes-Costello-Batina exception-free addition formula.
+        // There is 30% faster Jacobian formula, but it is not complete.
+        // https://eprint.iacr.org/2015/1060, algorithm 1
+        // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+        add(Z) {
+          ae(Z);
+          const { X: N, Y: R, Z: D } = this, { X: J, Y: re, Z: ne } = Z;
+          let ee = o.ZERO, oe = o.ZERO, ce = o.ZERO;
+          const we = w.a, de = o.mul(w.b, S);
+          let ue = o.mul(N, J), me = o.mul(R, re), ge = o.mul(D, ne), _e = o.add(N, R), be = o.add(J, re);
+          _e = o.mul(_e, be), be = o.add(ue, me), _e = o.sub(_e, be), be = o.add(N, D);
+          let Ee = o.add(J, ne);
+          return be = o.mul(be, Ee), Ee = o.add(ue, ge), be = o.sub(be, Ee), Ee = o.add(R, D), ee = o.add(re, ne), Ee = o.mul(Ee, ee), ee = o.add(me, ge), Ee = o.sub(Ee, ee), ce = o.mul(we, be), ee = o.mul(de, ge), ce = o.add(ee, ce), ee = o.sub(me, ce), ce = o.add(me, ce), oe = o.mul(ee, ce), me = o.add(ue, ue), me = o.add(me, ue), ge = o.mul(we, ge), be = o.mul(de, be), me = o.add(me, ge), ge = o.sub(ue, ge), ge = o.mul(we, ge), be = o.add(be, ge), ue = o.mul(me, be), oe = o.add(oe, ue), ue = o.mul(Ee, be), ee = o.mul(_e, ee), ee = o.sub(ee, ue), ue = o.mul(_e, me), ce = o.mul(Ee, ce), ce = o.add(ce, ue), new fe(ee, oe, ce);
+        }
+        subtract(Z) {
+          return this.add(Z.negate());
+        }
+        is0() {
+          return this.equals(fe.ZERO);
+        }
+        /**
+         * Constant time multiplication.
+         * Uses wNAF method. Windowed method may be 10% faster,
+         * but takes 2x longer to generate and consumes 2x memory.
+         * Uses precomputes when available.
+         * Uses endomorphism for Koblitz curves.
+         * @param scalar by which the point would be multiplied
+         * @returns New point
+         */
+        multiply(Z) {
+          const { endo: N } = a;
+          if (!h.isValidNot0(Z))
+            throw new Error("invalid scalar: out of range");
+          let R, D;
+          const J = (re) => Ue.cached(this, re, (ne) => (0, l.normalizeZ)(fe, ne));
+          if (N) {
+            const { k1neg: re, k1: ne, k2neg: ee, k2: oe } = ye(Z), { p: ce, f: we } = J(ne), { p: de, f: ue } = J(oe);
+            D = we.add(ue), R = xe(N.beta, ce, de, re, ee);
+          } else {
+            const { p: re, f: ne } = J(Z);
+            R = re, D = ne;
+          }
+          return (0, l.normalizeZ)(fe, [R, D])[0];
+        }
+        /**
+         * Non-constant-time multiplication. Uses double-and-add algorithm.
+         * It's faster, but should only be used when you don't care about
+         * an exposed secret key e.g. sig verification, which works over *public* keys.
+         */
+        multiplyUnsafe(Z) {
+          const { endo: N } = a, R = this;
+          if (!h.isValid(Z))
+            throw new Error("invalid scalar: out of range");
+          if (Z === V || R.is0())
+            return fe.ZERO;
+          if (Z === E)
+            return R;
+          if (Ue.hasCache(this))
+            return this.multiply(Z);
+          if (N) {
+            const { k1neg: D, k1: J, k2neg: re, k2: ne } = ye(Z), { p1: ee, p2: oe } = (0, l.mulEndoUnsafe)(fe, R, J, ne);
+            return xe(N.beta, ee, oe, D, re);
+          } else
+            return Ue.unsafe(R, Z);
+        }
+        multiplyAndAddUnsafe(Z, N, R) {
+          const D = this.multiplyUnsafe(N).add(Z.multiplyUnsafe(R));
+          return D.is0() ? void 0 : D;
+        }
+        /**
+         * Converts Projective point to affine (x, y) coordinates.
+         * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+         */
+        toAffine(Z) {
+          return pe(this, Z);
+        }
+        /**
+         * Checks whether Point is free of torsion elements (is in prime subgroup).
+         * Always torsion-free for cofactor=1 curves.
+         */
+        isTorsionFree() {
+          const { isTorsionFree: Z } = a;
+          return s === E ? !0 : Z ? Z(fe, this) : Ue.unsafe(this, f).is0();
+        }
+        clearCofactor() {
+          const { clearCofactor: Z } = a;
+          return s === E ? this : Z ? Z(fe, this) : this.multiplyUnsafe(s);
+        }
+        isSmallOrder() {
+          return this.multiplyUnsafe(s).is0();
+        }
+        toBytes(Z = !0) {
+          return (0, t._abool2)(Z, "isCompressed"), this.assertValidity(), I(fe, this, Z);
+        }
+        toHex(Z = !0) {
+          return (0, t.bytesToHex)(this.toBytes(Z));
+        }
+        toString() {
+          return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+        }
+        // TODO: remove
+        get px() {
+          return this.X;
+        }
+        get py() {
+          return this.X;
+        }
+        get pz() {
+          return this.Z;
+        }
+        toRawBytes(Z = !0) {
+          return this.toBytes(Z);
+        }
+        _setWindowSize(Z) {
+          this.precompute(Z);
+        }
+        static normalizeZ(Z) {
+          return (0, l.normalizeZ)(fe, Z);
+        }
+        static msm(Z, N) {
+          return (0, l.pippenger)(fe, h, Z, N);
+        }
+        static fromPrivateKey(Z) {
+          return fe.BASE.multiply(M(h, Z));
+        }
+      }
+      fe.BASE = new fe(w.Gx, w.Gy, o.ONE), fe.ZERO = new fe(o.ZERO, o.ONE, o.ZERO), fe.Fp = o, fe.Fn = h;
+      const Ye = h.BITS, Ue = new l.wNAF(fe, a.endo ? Math.ceil(Ye / 2) : Ye);
+      return fe.BASE.precompute(8), fe;
+    }
+    function F(n) {
+      return Uint8Array.of(n ? 2 : 3);
+    }
+    function G(n, a) {
+      const i = n.ORDER;
+      let o = V;
+      for (let q = i - E; q % b === V; q /= b)
+        o += E;
+      const h = o, w = b << h - E - E, s = w * b, f = (i - E) / s, y = (f - E) / b, B = s - E, T = w, k = n.pow(a, f), Y = n.pow(a, (f + E) / b);
+      let I = (q, C) => {
+        let te = k, $ = n.pow(C, B), x = n.sqr($);
+        x = n.mul(x, C);
+        let X = n.mul(q, x);
+        X = n.pow(X, y), X = n.mul(X, $), $ = n.mul(X, C), x = n.mul(X, q);
+        let ae = n.mul(x, $);
+        X = n.pow(ae, T);
+        let ye = n.eql(X, n.ONE);
+        $ = n.mul(x, Y), X = n.mul(ae, te), x = n.cmov($, x, ye), ae = n.cmov(X, ae, ye);
+        for (let pe = h; pe > E; pe--) {
+          let ve = pe - b;
+          ve = b << ve - E;
+          let xe = n.pow(ae, ve);
+          const fe = n.eql(xe, n.ONE);
+          $ = n.mul(x, te), te = n.mul(te, te), xe = n.mul(ae, te), x = n.cmov($, x, fe), ae = n.cmov(xe, ae, fe);
+        }
+        return { isValid: ye, value: x };
+      };
+      if (n.ORDER % A === S) {
+        const q = (n.ORDER - S) / A, C = n.sqrt(n.neg(a));
+        I = (te, $) => {
+          let x = n.sqr($);
+          const X = n.mul(te, $);
+          x = n.mul(x, X);
+          let ae = n.pow(x, q);
+          ae = n.mul(ae, X);
+          const ye = n.mul(ae, C), pe = n.mul(n.sqr(ae), $), ve = n.eql(pe, te);
+          let xe = n.cmov(ye, ae, ve);
+          return { isValid: ve, value: xe };
+        };
+      }
+      return I;
+    }
+    function se(n, a) {
+      (0, m.validateField)(n);
+      const { A: i, B: o, Z: h } = a;
+      if (!n.isValid(i) || !n.isValid(o) || !n.isValid(h))
+        throw new Error("mapToCurveSimpleSWU: invalid opts");
+      const w = G(n, h);
+      if (!n.isOdd)
+        throw new Error("Field does not have .isOdd()");
+      return (s) => {
+        let f, y, B, T, k, Y, I, q;
+        f = n.sqr(s), f = n.mul(f, h), y = n.sqr(f), y = n.add(y, f), B = n.add(y, n.ONE), B = n.mul(B, o), T = n.cmov(h, n.neg(y), !n.eql(y, n.ZERO)), T = n.mul(T, i), y = n.sqr(B), Y = n.sqr(T), k = n.mul(Y, i), y = n.add(y, k), y = n.mul(y, B), Y = n.mul(Y, T), k = n.mul(Y, o), y = n.add(y, k), I = n.mul(f, B);
+        const { isValid: C, value: te } = w(y, Y);
+        q = n.mul(f, s), q = n.mul(q, te), I = n.cmov(I, B, C), q = n.cmov(q, te, C);
+        const $ = n.isOdd(s) === n.isOdd(q);
+        q = n.cmov(n.neg(q), q, $);
+        const x = (0, m.FpInvertBatch)(n, [T], !0)[0];
+        return I = n.mul(I, x), { x: I, y: q };
+      };
+    }
+    function ie(n, a) {
+      return {
+        secretKey: a.BYTES,
+        publicKey: 1 + n.BYTES,
+        publicKeyUncompressed: 1 + 2 * n.BYTES,
+        publicKeyHasPrefix: !0,
+        signature: 2 * a.BYTES
+      };
+    }
+    function j(n, a = {}) {
+      const { Fn: i } = n, o = a.randomBytes || t.randomBytes, h = Object.assign(ie(n.Fp, i), { seed: (0, m.getMinHashLength)(i.ORDER) });
+      function w(I) {
+        try {
+          return !!M(i, I);
+        } catch {
+          return !1;
+        }
+      }
+      function s(I, q) {
+        const { publicKey: C, publicKeyUncompressed: te } = h;
+        try {
+          const $ = I.length;
+          return q === !0 && $ !== C || q === !1 && $ !== te ? !1 : !!n.fromBytes(I);
+        } catch {
+          return !1;
+        }
+      }
+      function f(I = o(h.seed)) {
+        return (0, m.mapHashToField)((0, t._abytes2)(I, h.seed, "seed"), i.ORDER);
+      }
+      function y(I, q = !0) {
+        return n.BASE.multiply(M(i, I)).toBytes(q);
+      }
+      function B(I) {
+        const q = f(I);
+        return { secretKey: q, publicKey: y(q) };
+      }
+      function T(I) {
+        if (typeof I == "bigint")
+          return !1;
+        if (I instanceof n)
+          return !0;
+        const { secretKey: q, publicKey: C, publicKeyUncompressed: te } = h;
+        if (i.allowedLengths || q === C)
+          return;
+        const $ = (0, t.ensureBytes)("key", I).length;
+        return $ === C || $ === te;
+      }
+      function k(I, q, C = !0) {
+        if (T(I) === !0)
+          throw new Error("first arg must be private key");
+        if (T(q) === !1)
+          throw new Error("second arg must be public key");
+        const te = M(i, I);
+        return n.fromHex(q).multiply(te).toBytes(C);
+      }
+      return Object.freeze({ getPublicKey: y, getSharedSecret: k, keygen: B, Point: n, utils: {
+        isValidSecretKey: w,
+        isValidPublicKey: s,
+        randomSecretKey: f,
+        // TODO: remove
+        isValidPrivateKey: w,
+        randomPrivateKey: f,
+        normPrivateKeyToScalar: (I) => M(i, I),
+        precompute(I = 8, q = n.BASE) {
+          return q.precompute(I, !1);
+        }
+      }, lengths: h });
+    }
+    function O(n, a, i = {}) {
+      (0, c.ahash)(a), (0, t._validateObject)(i, {}, {
+        hmac: "function",
+        lowS: "boolean",
+        randomBytes: "function",
+        bits2int: "function",
+        bits2int_modN: "function"
+      });
+      const o = i.randomBytes || t.randomBytes, h = i.hmac || ((N, ...R) => (0, r.hmac)(a, N, (0, t.concatBytes)(...R))), { Fp: w, Fn: s } = n, { ORDER: f, BITS: y } = s, { keygen: B, getPublicKey: T, getSharedSecret: k, utils: Y, lengths: I } = j(n, i), q = {
+        prehash: !1,
+        lowS: typeof i.lowS == "boolean" ? i.lowS : !1,
+        format: void 0,
+        //'compact' as ECDSASigFormat,
+        extraEntropy: !1
+      }, C = "compact";
+      function te(N) {
+        const R = f >> E;
+        return N > R;
+      }
+      function $(N, R) {
+        if (!s.isValidNot0(R))
+          throw new Error(`invalid signature ${N}: out of range 1..Point.Fn.ORDER`);
+        return R;
+      }
+      function x(N, R) {
+        v(R);
+        const D = I.signature, J = R === "compact" ? D : R === "recovered" ? D + 1 : void 0;
+        return (0, t._abytes2)(N, J, `${R} signature`);
+      }
+      class X {
+        constructor(R, D, J) {
+          this.r = $("r", R), this.s = $("s", D), J != null && (this.recovery = J), Object.freeze(this);
+        }
+        static fromBytes(R, D = C) {
+          x(R, D);
+          let J;
+          if (D === "der") {
+            const { r: oe, s: ce } = e.DER.toSig((0, t._abytes2)(R));
+            return new X(oe, ce);
+          }
+          D === "recovered" && (J = R[0], D = "compact", R = R.subarray(1));
+          const re = s.BYTES, ne = R.subarray(0, re), ee = R.subarray(re, re * 2);
+          return new X(s.fromBytes(ne), s.fromBytes(ee), J);
+        }
+        static fromHex(R, D) {
+          return this.fromBytes((0, t.hexToBytes)(R), D);
+        }
+        addRecoveryBit(R) {
+          return new X(this.r, this.s, R);
+        }
+        recoverPublicKey(R) {
+          const D = w.ORDER, { r: J, s: re, recovery: ne } = this;
+          if (ne == null || ![0, 1, 2, 3].includes(ne))
+            throw new Error("recovery id invalid");
+          if (f * b < D && ne > 1)
+            throw new Error("recovery id is ambiguous for h>1 curve");
+          const oe = ne === 2 || ne === 3 ? J + f : J;
+          if (!w.isValid(oe))
+            throw new Error("recovery id 2 or 3 invalid");
+          const ce = w.toBytes(oe), we = n.fromBytes((0, t.concatBytes)(F((ne & 1) === 0), ce)), de = s.inv(oe), ue = ye((0, t.ensureBytes)("msgHash", R)), me = s.create(-ue * de), ge = s.create(re * de), _e = n.BASE.multiplyUnsafe(me).add(we.multiplyUnsafe(ge));
+          if (_e.is0())
+            throw new Error("point at infinify");
+          return _e.assertValidity(), _e;
+        }
+        // Signatures should be low-s, to prevent malleability.
+        hasHighS() {
+          return te(this.s);
+        }
+        toBytes(R = C) {
+          if (v(R), R === "der")
+            return (0, t.hexToBytes)(e.DER.hexFromSig(this));
+          const D = s.toBytes(this.r), J = s.toBytes(this.s);
+          if (R === "recovered") {
+            if (this.recovery == null)
+              throw new Error("recovery bit must be present");
+            return (0, t.concatBytes)(Uint8Array.of(this.recovery), D, J);
+          }
+          return (0, t.concatBytes)(D, J);
+        }
+        toHex(R) {
+          return (0, t.bytesToHex)(this.toBytes(R));
+        }
+        // TODO: remove
+        assertValidity() {
+        }
+        static fromCompact(R) {
+          return X.fromBytes((0, t.ensureBytes)("sig", R), "compact");
+        }
+        static fromDER(R) {
+          return X.fromBytes((0, t.ensureBytes)("sig", R), "der");
+        }
+        normalizeS() {
+          return this.hasHighS() ? new X(this.r, s.neg(this.s), this.recovery) : this;
+        }
+        toDERRawBytes() {
+          return this.toBytes("der");
+        }
+        toDERHex() {
+          return (0, t.bytesToHex)(this.toBytes("der"));
+        }
+        toCompactRawBytes() {
+          return this.toBytes("compact");
+        }
+        toCompactHex() {
+          return (0, t.bytesToHex)(this.toBytes("compact"));
+        }
+      }
+      const ae = i.bits2int || function(R) {
+        if (R.length > 8192)
+          throw new Error("input is too large");
+        const D = (0, t.bytesToNumberBE)(R), J = R.length * 8 - y;
+        return J > 0 ? D >> BigInt(J) : D;
+      }, ye = i.bits2int_modN || function(R) {
+        return s.create(ae(R));
+      }, pe = (0, t.bitMask)(y);
+      function ve(N) {
+        return (0, t.aInRange)("num < 2^" + y, N, V, pe), s.toBytes(N);
+      }
+      function xe(N, R) {
+        return (0, t._abytes2)(N, void 0, "message"), R ? (0, t._abytes2)(a(N), void 0, "prehashed message") : N;
+      }
+      function fe(N, R, D) {
+        if (["recovered", "canonical"].some((me) => me in D))
+          throw new Error("sign() legacy options not supported");
+        const { lowS: J, prehash: re, extraEntropy: ne } = U(D, q);
+        N = xe(N, re);
+        const ee = ye(N), oe = M(s, R), ce = [ve(oe), ve(ee)];
+        if (ne != null && ne !== !1) {
+          const me = ne === !0 ? o(I.secretKey) : ne;
+          ce.push((0, t.ensureBytes)("extraEntropy", me));
+        }
+        const we = (0, t.concatBytes)(...ce), de = ee;
+        function ue(me) {
+          const ge = ae(me);
+          if (!s.isValidNot0(ge))
+            return;
+          const _e = s.inv(ge), be = n.BASE.multiply(ge).toAffine(), Ee = s.create(be.x);
+          if (Ee === V)
+            return;
+          const Pe = s.create(_e * s.create(de + Ee * oe));
+          if (Pe === V)
+            return;
+          let pt = (be.x === Ee ? 0 : 2) | Number(be.y & E), vt = Pe;
+          return J && te(Pe) && (vt = s.neg(Pe), pt ^= 1), new X(Ee, vt, pt);
+        }
+        return { seed: we, k2sig: ue };
+      }
+      function Ye(N, R, D = {}) {
+        N = (0, t.ensureBytes)("message", N);
+        const { seed: J, k2sig: re } = fe(N, R, D);
+        return (0, t.createHmacDrbg)(a.outputLen, s.BYTES, h)(J, re);
+      }
+      function Ue(N) {
+        let R;
+        const D = typeof N == "string" || (0, t.isBytes)(N), J = !D && N !== null && typeof N == "object" && typeof N.r == "bigint" && typeof N.s == "bigint";
+        if (!D && !J)
+          throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+        if (J)
+          R = new X(N.r, N.s);
+        else if (D) {
+          try {
+            R = X.fromBytes((0, t.ensureBytes)("sig", N), "der");
+          } catch (re) {
+            if (!(re instanceof e.DER.Err))
+              throw re;
+          }
+          if (!R)
+            try {
+              R = X.fromBytes((0, t.ensureBytes)("sig", N), "compact");
+            } catch {
+              return !1;
+            }
+        }
+        return R || !1;
+      }
+      function le(N, R, D, J = {}) {
+        const { lowS: re, prehash: ne, format: ee } = U(J, q);
+        if (D = (0, t.ensureBytes)("publicKey", D), R = xe((0, t.ensureBytes)("message", R), ne), "strict" in J)
+          throw new Error("options.strict was renamed to lowS");
+        const oe = ee === void 0 ? Ue(N) : X.fromBytes((0, t.ensureBytes)("sig", N), ee);
+        if (oe === !1)
+          return !1;
+        try {
+          const ce = n.fromBytes(D);
+          if (re && oe.hasHighS())
+            return !1;
+          const { r: we, s: de } = oe, ue = ye(R), me = s.inv(de), ge = s.create(ue * me), _e = s.create(we * me), be = n.BASE.multiplyUnsafe(ge).add(ce.multiplyUnsafe(_e));
+          return be.is0() ? !1 : s.create(be.x) === we;
+        } catch {
+          return !1;
+        }
+      }
+      function Z(N, R, D = {}) {
+        const { prehash: J } = U(D, q);
+        return R = xe(R, J), X.fromBytes(N, "recovered").recoverPublicKey(R).toBytes();
+      }
+      return Object.freeze({
+        keygen: B,
+        getPublicKey: T,
+        getSharedSecret: k,
+        utils: Y,
+        lengths: I,
+        Point: n,
+        sign: Ye,
+        verify: le,
+        recoverPublicKey: Z,
+        Signature: X,
+        hash: a
+      });
+    }
+    function L(n) {
+      const { CURVE: a, curveOpts: i } = _(n), o = Q(a, i);
+      return z(n, o);
+    }
+    function _(n) {
+      const a = {
+        a: n.a,
+        b: n.b,
+        p: n.Fp.ORDER,
+        n: n.n,
+        h: n.h,
+        Gx: n.Gx,
+        Gy: n.Gy
+      }, i = n.Fp;
+      let o = n.allowedPrivateKeyLengths ? Array.from(new Set(n.allowedPrivateKeyLengths.map((s) => Math.ceil(s / 2)))) : void 0;
+      const h = (0, m.Field)(a.n, {
+        BITS: n.nBitLength,
+        allowedLengths: o,
+        modFromBytes: n.wrapPrivateKey
+      }), w = {
+        Fp: i,
+        Fn: h,
+        allowInfinityPoint: n.allowInfinityPoint,
+        endo: n.endo,
+        isTorsionFree: n.isTorsionFree,
+        clearCofactor: n.clearCofactor,
+        fromBytes: n.fromBytes,
+        toBytes: n.toBytes
+      };
+      return { CURVE: a, curveOpts: w };
+    }
+    function K(n) {
+      const { CURVE: a, curveOpts: i } = _(n), o = {
+        hmac: n.hmac,
+        randomBytes: n.randomBytes,
+        lowS: n.lowS,
+        bits2int: n.bits2int,
+        bits2int_modN: n.bits2int_modN
+      };
+      return { CURVE: a, curveOpts: i, hash: n.hash, ecdsaOpts: o };
+    }
+    function W(n, a, i) {
+      function o(h) {
+        const w = n.sqr(h), s = n.mul(w, h);
+        return n.add(n.add(s, n.mul(h, a)), i);
+      }
+      return o;
+    }
+    function z(n, a) {
+      const { Fp: i, Fn: o } = a;
+      function h(s) {
+        return (0, t.inRange)(s, E, o.ORDER);
+      }
+      const w = W(i, n.a, n.b);
+      return Object.assign({}, {
+        CURVE: n,
+        Point: a,
+        ProjectivePoint: a,
+        normPrivateKeyToScalar: (s) => M(o, s),
+        weierstrassEquation: w,
+        isWithinCurveOrder: h
+      });
+    }
+    function d(n, a) {
+      const i = a.Point;
+      return Object.assign({}, a, {
+        ProjectivePoint: i,
+        CURVE: Object.assign({}, n, (0, m.nLength)(i.Fn.ORDER, i.Fn.BITS))
+      });
+    }
+    function u(n) {
+      const { CURVE: a, curveOpts: i, hash: o, ecdsaOpts: h } = K(n), w = Q(a, i), s = O(w, o, h);
+      return d(n, s);
+    }
+  })(nt)), nt;
+}
+var Ot;
+function En() {
+  if (Ot) return Ke;
+  Ot = 1, Object.defineProperty(Ke, "__esModule", { value: !0 }), Ke.getHash = r, Ke.createCurve = c;
+  const e = /* @__PURE__ */ Ct();
+  function r(t) {
+    return { hash: t };
+  }
+  function c(t, l) {
+    const m = (g) => (0, e.weierstrass)({ ...t, hash: g });
+    return { ...m(l), create: m };
+  }
+  return Ke;
+}
+var ot = {}, Rt;
+function Bn() {
+  return Rt || (Rt = 1, (function(e) {
+    Object.defineProperty(e, "__esModule", { value: !0 }), e._DST_scalar = void 0, e.expand_message_xmd = v, e.expand_message_xof = U, e.hash_to_field = H, e.isogenyMap = V, e.createHasher = E;
+    const r = /* @__PURE__ */ Ce(), c = /* @__PURE__ */ $e(), t = r.bytesToNumberBE;
+    function l(b, S) {
+      if (g(b), g(S), b < 0 || b >= 1 << 8 * S)
+        throw new Error("invalid I2OSP input: " + b);
+      const A = Array.from({ length: S }).fill(0);
+      for (let M = S - 1; M >= 0; M--)
+        A[M] = b & 255, b >>>= 8;
+      return new Uint8Array(A);
+    }
+    function m(b, S) {
+      const A = new Uint8Array(b.length);
+      for (let M = 0; M < b.length; M++)
+        A[M] = b[M] ^ S[M];
+      return A;
+    }
+    function g(b) {
+      if (!Number.isSafeInteger(b))
+        throw new Error("number expected");
+    }
+    function p(b) {
+      if (!(0, r.isBytes)(b) && typeof b != "string")
+        throw new Error("DST must be Uint8Array or string");
+      return typeof b == "string" ? (0, r.utf8ToBytes)(b) : b;
+    }
+    function v(b, S, A, M) {
+      (0, r.abytes)(b), g(A), S = p(S), S.length > 255 && (S = M((0, r.concatBytes)((0, r.utf8ToBytes)("H2C-OVERSIZE-DST-"), S)));
+      const { outputLen: Q, blockLen: F } = M, G = Math.ceil(A / Q);
+      if (A > 65535 || G > 255)
+        throw new Error("expand_message_xmd: invalid lenInBytes");
+      const se = (0, r.concatBytes)(S, l(S.length, 1)), ie = l(0, F), j = l(A, 2), O = new Array(G), L = M((0, r.concatBytes)(ie, b, j, l(0, 1), se));
+      O[0] = M((0, r.concatBytes)(L, l(1, 1), se));
+      for (let K = 1; K <= G; K++) {
+        const W = [m(L, O[K - 1]), l(K + 1, 1), se];
+        O[K] = M((0, r.concatBytes)(...W));
+      }
+      return (0, r.concatBytes)(...O).slice(0, A);
+    }
+    function U(b, S, A, M, Q) {
+      if ((0, r.abytes)(b), g(A), S = p(S), S.length > 255) {
+        const F = Math.ceil(2 * M / 8);
+        S = Q.create({ dkLen: F }).update((0, r.utf8ToBytes)("H2C-OVERSIZE-DST-")).update(S).digest();
+      }
+      if (A > 65535 || S.length > 255)
+        throw new Error("expand_message_xof: invalid lenInBytes");
+      return Q.create({ dkLen: A }).update(b).update(l(A, 2)).update(S).update(l(S.length, 1)).digest();
+    }
+    function H(b, S, A) {
+      (0, r._validateObject)(A, {
+        p: "bigint",
+        m: "number",
+        k: "number",
+        hash: "function"
+      });
+      const { p: M, k: Q, m: F, hash: G, expand: se, DST: ie } = A;
+      if (!(0, r.isHash)(A.hash))
+        throw new Error("expected valid hash");
+      (0, r.abytes)(b), g(S);
+      const j = M.toString(2).length, O = Math.ceil((j + Q) / 8), L = S * F * O;
+      let _;
+      if (se === "xmd")
+        _ = v(b, ie, L, G);
+      else if (se === "xof")
+        _ = U(b, ie, L, Q, G);
+      else if (se === "_internal_pass")
+        _ = b;
+      else
+        throw new Error('expand must be "xmd" or "xof"');
+      const K = new Array(S);
+      for (let W = 0; W < S; W++) {
+        const z = new Array(F);
+        for (let d = 0; d < F; d++) {
+          const u = O * (d + W * F), n = _.subarray(u, u + O);
+          z[d] = (0, c.mod)(t(n), M);
+        }
+        K[W] = z;
+      }
+      return K;
+    }
+    function V(b, S) {
+      const A = S.map((M) => Array.from(M).reverse());
+      return (M, Q) => {
+        const [F, G, se, ie] = A.map((L) => L.reduce((_, K) => b.add(b.mul(_, M), K))), [j, O] = (0, c.FpInvertBatch)(b, [G, ie], !0);
+        return M = b.mul(F, j), Q = b.mul(Q, b.mul(se, O)), { x: M, y: Q };
+      };
+    }
+    e._DST_scalar = (0, r.utf8ToBytes)("HashToScalar-");
+    function E(b, S, A) {
+      if (typeof S != "function")
+        throw new Error("mapToCurve() must be defined");
+      function M(F) {
+        return b.fromAffine(S(F));
+      }
+      function Q(F) {
+        const G = F.clearCofactor();
+        return G.equals(b.ZERO) ? b.ZERO : (G.assertValidity(), G);
+      }
+      return {
+        defaults: A,
+        hashToCurve(F, G) {
+          const se = Object.assign({}, A, G), ie = H(F, 2, se), j = M(ie[0]), O = M(ie[1]);
+          return Q(j.add(O));
+        },
+        encodeToCurve(F, G) {
+          const se = A.encodeDST ? { DST: A.encodeDST } : {}, ie = Object.assign({}, A, se, G), j = H(F, 1, ie), O = M(j[0]);
+          return Q(O);
+        },
+        /** See {@link H2CHasher} */
+        mapToCurve(F) {
+          if (!Array.isArray(F))
+            throw new Error("expected array of bigints");
+          for (const G of F)
+            if (typeof G != "bigint")
+              throw new Error("expected array of bigints");
+          return Q(M(F));
+        },
+        // hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
+        // RFC 9380, draft-irtf-cfrg-bbs-signatures-08
+        hashToScalar(F, G) {
+          const se = b.Fn.ORDER, ie = Object.assign({}, A, { p: se, m: 1, DST: e._DST_scalar }, G);
+          return H(F, 1, ie)[0][0];
+        }
+      };
+    }
+  })(ot)), ot;
+}
+var qt;
+function er() {
+  return qt || (qt = 1, (function(e) {
+    Object.defineProperty(e, "__esModule", { value: !0 }), e.encodeToCurve = e.hashToCurve = e.secp256k1_hasher = e.schnorr = e.secp256k1 = void 0;
+    const r = /* @__PURE__ */ dn(), c = /* @__PURE__ */ We(), t = /* @__PURE__ */ En(), l = /* @__PURE__ */ Bn(), m = /* @__PURE__ */ $e(), g = /* @__PURE__ */ Ct(), p = /* @__PURE__ */ Ce(), v = {
+      p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
+      n: BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
+      h: BigInt(1),
+      a: BigInt(0),
+      b: BigInt(7),
+      Gx: BigInt("0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
+      Gy: BigInt("0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
+    }, U = {
+      beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
+      basises: [
+        [BigInt("0x3086d221a7d46bcde86c90e49284eb15"), -BigInt("0xe4437ed6010e88286f547fa90abfe4c3")],
+        [BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8"), BigInt("0x3086d221a7d46bcde86c90e49284eb15")]
+      ]
+    }, H = /* @__PURE__ */ BigInt(0), V = /* @__PURE__ */ BigInt(1), E = /* @__PURE__ */ BigInt(2);
+    function b(d) {
+      const u = v.p, n = BigInt(3), a = BigInt(6), i = BigInt(11), o = BigInt(22), h = BigInt(23), w = BigInt(44), s = BigInt(88), f = d * d * d % u, y = f * f * d % u, B = (0, m.pow2)(y, n, u) * y % u, T = (0, m.pow2)(B, n, u) * y % u, k = (0, m.pow2)(T, E, u) * f % u, Y = (0, m.pow2)(k, i, u) * k % u, I = (0, m.pow2)(Y, o, u) * Y % u, q = (0, m.pow2)(I, w, u) * I % u, C = (0, m.pow2)(q, s, u) * q % u, te = (0, m.pow2)(C, w, u) * I % u, $ = (0, m.pow2)(te, n, u) * y % u, x = (0, m.pow2)($, h, u) * Y % u, X = (0, m.pow2)(x, a, u) * f % u, ae = (0, m.pow2)(X, E, u);
+      if (!S.eql(S.sqr(ae), d))
+        throw new Error("Cannot find square root");
+      return ae;
+    }
+    const S = (0, m.Field)(v.p, { sqrt: b });
+    e.secp256k1 = (0, t.createCurve)({ ...v, Fp: S, lowS: !0, endo: U }, r.sha256);
+    const A = {};
+    function M(d, ...u) {
+      let n = A[d];
+      if (n === void 0) {
+        const a = (0, r.sha256)((0, p.utf8ToBytes)(d));
+        n = (0, p.concatBytes)(a, a), A[d] = n;
+      }
+      return (0, r.sha256)((0, p.concatBytes)(n, ...u));
+    }
+    const Q = (d) => d.toBytes(!0).slice(1), F = e.secp256k1.Point, G = (d) => d % E === H;
+    function se(d) {
+      const { Fn: u, BASE: n } = F, a = (0, g._normFnElement)(u, d), i = n.multiply(a);
+      return { scalar: G(i.y) ? a : u.neg(a), bytes: Q(i) };
+    }
+    function ie(d) {
+      const u = S;
+      if (!u.isValidNot0(d))
+        throw new Error("invalid x: Fail if x ≥ p");
+      const n = u.create(d * d), a = u.create(n * d + BigInt(7));
+      let i = u.sqrt(a);
+      G(i) || (i = u.neg(i));
+      const o = F.fromAffine({ x: d, y: i });
+      return o.assertValidity(), o;
+    }
+    const j = p.bytesToNumberBE;
+    function O(...d) {
+      return F.Fn.create(j(M("BIP0340/challenge", ...d)));
+    }
+    function L(d) {
+      return se(d).bytes;
+    }
+    function _(d, u, n = (0, c.randomBytes)(32)) {
+      const { Fn: a } = F, i = (0, p.ensureBytes)("message", d), { bytes: o, scalar: h } = se(u), w = (0, p.ensureBytes)("auxRand", n, 32), s = a.toBytes(h ^ j(M("BIP0340/aux", w))), f = M("BIP0340/nonce", s, o, i), { bytes: y, scalar: B } = se(f), T = O(y, o, i), k = new Uint8Array(64);
+      if (k.set(y, 0), k.set(a.toBytes(a.create(B + T * h)), 32), !K(k, i, o))
+        throw new Error("sign: Invalid signature produced");
+      return k;
+    }
+    function K(d, u, n) {
+      const { Fn: a, BASE: i } = F, o = (0, p.ensureBytes)("signature", d, 64), h = (0, p.ensureBytes)("message", u), w = (0, p.ensureBytes)("publicKey", n, 32);
+      try {
+        const s = ie(j(w)), f = j(o.subarray(0, 32));
+        if (!(0, p.inRange)(f, V, v.p))
+          return !1;
+        const y = j(o.subarray(32, 64));
+        if (!(0, p.inRange)(y, V, v.n))
+          return !1;
+        const B = O(a.toBytes(f), Q(s), h), T = i.multiplyUnsafe(y).add(s.multiplyUnsafe(a.neg(B))), { x: k, y: Y } = T.toAffine();
+        return !(T.is0() || !G(Y) || k !== f);
+      } catch {
+        return !1;
+      }
+    }
+    e.schnorr = (() => {
+      const n = (i = (0, c.randomBytes)(48)) => (0, m.mapHashToField)(i, v.n);
+      e.secp256k1.utils.randomSecretKey;
+      function a(i) {
+        const o = n(i);
+        return { secretKey: o, publicKey: L(o) };
+      }
+      return {
+        keygen: a,
+        getPublicKey: L,
+        sign: _,
+        verify: K,
+        Point: F,
+        utils: {
+          randomSecretKey: n,
+          randomPrivateKey: n,
+          taggedHash: M,
+          // TODO: remove
+          lift_x: ie,
+          pointToBytes: Q,
+          numberToBytesBE: p.numberToBytesBE,
+          bytesToNumberBE: p.bytesToNumberBE,
+          mod: m.mod
+        },
+        lengths: {
+          secretKey: 32,
+          publicKey: 32,
+          publicKeyHasPrefix: !1,
+          signature: 64,
+          seed: 48
+        }
+      };
+    })();
+    const W = (0, l.isogenyMap)(S, [
+      // xNum
+      [
+        "0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7",
+        "0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581",
+        "0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262",
+        "0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c"
+      ],
+      // xDen
+      [
+        "0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b",
+        "0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14",
+        "0x0000000000000000000000000000000000000000000000000000000000000001"
+        // LAST 1
+      ],
+      // yNum
+      [
+        "0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c",
+        "0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3",
+        "0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931",
+        "0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84"
+      ],
+      // yDen
+      [
+        "0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b",
+        "0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573",
+        "0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f",
+        "0x0000000000000000000000000000000000000000000000000000000000000001"
+        // LAST 1
+      ]
+    ].map((d) => d.map((u) => BigInt(u)))), z = (0, g.mapToCurveSimpleSWU)(S, {
+      A: BigInt("0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533"),
+      B: BigInt("1771"),
+      Z: S.create(BigInt("-11"))
+    });
+    e.secp256k1_hasher = (0, l.createHasher)(e.secp256k1.Point, (d) => {
+      const { x: u, y: n } = z(S.create(d[0]));
+      return W(u, n);
+    }, {
+      DST: "secp256k1_XMD:SHA-256_SSWU_RO_",
+      encodeDST: "secp256k1_XMD:SHA-256_SSWU_NU_",
+      p: S.ORDER,
+      m: 1,
+      k: 128,
+      expand: "xmd",
+      hash: r.sha256
+    }), e.hashToCurve = e.secp256k1_hasher.hashToCurve, e.encodeToCurve = e.secp256k1_hasher.encodeToCurve;
+  })(tt)), tt;
+}
+var P = {}, It;
+function tr() {
+  if (It) return P;
+  It = 1, Object.defineProperty(P, "__esModule", { value: !0 }), P.isHash = P.validateObject = P.memoized = P.notImplemented = P.createHmacDrbg = P.bitMask = P.bitSet = P.bitGet = P.bitLen = P.aInRange = P.inRange = P.asciiToBytes = P.copyBytes = P.equalBytes = P.ensureBytes = P.numberToVarBytesBE = P.numberToBytesLE = P.numberToBytesBE = P.bytesToNumberLE = P.bytesToNumberBE = P.hexToNumber = P.numberToHexUnpadded = P.abool = P.utf8ToBytes = P.randomBytes = P.isBytes = P.hexToBytes = P.concatBytes = P.bytesToUtf8 = P.bytesToHex = P.anumber = P.abytes = void 0;
+  const e = /* @__PURE__ */ Ce();
+  return P.abytes = e.abytes, P.anumber = e.anumber, P.bytesToHex = e.bytesToHex, P.bytesToUtf8 = e.bytesToUtf8, P.concatBytes = e.concatBytes, P.hexToBytes = e.hexToBytes, P.isBytes = e.isBytes, P.randomBytes = e.randomBytes, P.utf8ToBytes = e.utf8ToBytes, P.abool = e.abool, P.numberToHexUnpadded = e.numberToHexUnpadded, P.hexToNumber = e.hexToNumber, P.bytesToNumberBE = e.bytesToNumberBE, P.bytesToNumberLE = e.bytesToNumberLE, P.numberToBytesBE = e.numberToBytesBE, P.numberToBytesLE = e.numberToBytesLE, P.numberToVarBytesBE = e.numberToVarBytesBE, P.ensureBytes = e.ensureBytes, P.equalBytes = e.equalBytes, P.copyBytes = e.copyBytes, P.asciiToBytes = e.asciiToBytes, P.inRange = e.inRange, P.aInRange = e.aInRange, P.bitLen = e.bitLen, P.bitGet = e.bitGet, P.bitSet = e.bitSet, P.bitMask = e.bitMask, P.createHmacDrbg = e.createHmacDrbg, P.notImplemented = e.notImplemented, P.memoized = e.memoized, P.validateObject = e.validateObject, P.isHash = e.isHash, P;
+}
+function nr(e, r = "") {
+  if (typeof e != "boolean") {
+    const c = r && `"${r}" `;
+    throw new Error(c + "expected boolean, got type=" + typeof e);
+  }
+  return e;
+}
+function mt(e) {
+  if (!Number.isSafeInteger(e) || e < 0 || e > 4294967295)
+    throw new Error("wrong u32 integer:" + e);
+  return e;
+}
+function Kt(e) {
+  return mt(e), (e & e - 1) === 0 && e !== 0;
+}
+function pn(e, r) {
+  mt(e);
+  let c = 0;
+  for (let t = 0; t < r; t++, e >>>= 1)
+    c = c << 1 | e & 1;
+  return c;
+}
+function zt(e) {
+  return mt(e), 31 - Math.clz32(e);
+}
+function Nt(e) {
+  const r = e.length;
+  if (r < 2 || !Kt(r))
+    throw new Error("n must be a power of 2 and greater than 1. Got " + r);
+  const c = zt(r);
+  for (let t = 0; t < r; t++) {
+    const l = pn(t, c);
+    if (t < l) {
+      const m = e[t];
+      e[t] = e[l], e[l] = m;
+    }
+  }
+  return e;
+}
+const rr = (e, r) => {
+  const { N: c, roots: t, dit: l, invertButterflies: m = !1, skipStages: g = 0, brp: p = !0 } = r, v = zt(c);
+  if (!Kt(c))
+    throw new Error("FFT: Polynomial size should be power of two");
+  const U = l !== m;
+  return (H) => {
+    if (H.length !== c)
+      throw new Error("FFT: wrong Polynomial length");
+    l && p && Nt(H);
+    for (let V = 0, E = 1; V < v - g; V++) {
+      const b = l ? V + 1 + g : v - V, S = 1 << b, A = S >> 1, M = c >> b;
+      for (let Q = 0; Q < c; Q += S)
+        for (let F = 0, G = E++; F < A; F++) {
+          const se = m ? l ? c - G : G : F * M, ie = Q + F, j = Q + F + A, O = t[se], L = H[j], _ = H[ie];
+          if (U) {
+            const K = e.mul(L, O);
+            H[ie] = e.add(_, K), H[j] = e.sub(_, K);
+          } else m ? (H[ie] = e.add(L, _), H[j] = e.mul(e.sub(L, _), O)) : (H[ie] = e.add(_, L), H[j] = e.mul(e.sub(_, L), O));
+        }
+    }
+    return !l && p && Nt(H), H;
+  };
+};
+const bt = /* @__PURE__ */ BigInt(0), lt = /* @__PURE__ */ BigInt(1);
+function Je(e, r = "") {
+  if (typeof e != "boolean") {
+    const c = r && `"${r}"`;
+    throw new Error(c + "expected boolean, got type=" + typeof e);
+  }
+  return e;
+}
+function Ze(e, r, c = "") {
+  const t = yt(e), l = e?.length, m = r !== void 0;
+  if (!t || m && l !== r) {
+    const g = c && `"${c}" `, p = m ? ` of length ${r}` : "", v = t ? `length=${l}` : `type=${typeof e}`;
+    throw new Error(g + "expected Uint8Array" + p + ", got " + v);
+  }
+  return e;
+}
+function Xe(e) {
+  const r = e.toString(16);
+  return r.length & 1 ? "0" + r : r;
+}
+function Dt(e) {
+  if (typeof e != "string")
+    throw new Error("hex string expected, got " + typeof e);
+  return e === "" ? bt : BigInt("0x" + e);
+}
+function et(e) {
+  return Dt(Me(e));
+}
+function Yt(e) {
+  return hn(e), Dt(Me(Uint8Array.from(e).reverse()));
+}
+function wt(e, r) {
+  return Qe(e.toString(16).padStart(r * 2, "0"));
+}
+function Pt(e, r) {
+  return wt(e, r).reverse();
+}
+function Se(e, r, c) {
+  let t;
+  if (typeof r == "string")
+    try {
+      t = Qe(r);
+    } catch (l) {
+      throw new Error(e + " must be hex string or Uint8Array, cause: " + l);
+    }
+  else if (yt(r))
+    t = Uint8Array.from(r);
+  else
+    throw new Error(e + " must be hex string or Uint8Array");
+  return t.length, t;
+}
+const st = (e) => typeof e == "bigint" && bt <= e;
+function vn(e, r, c) {
+  return st(e) && st(r) && st(c) && r <= e && e < c;
+}
+function _n(e, r, c, t) {
+  if (!vn(r, c, t))
+    throw new Error("expected valid " + e + ": " + c + " <= n < " + t + ", got " + r);
+}
+function Xt(e) {
+  let r;
+  for (r = 0; e > bt; e >>= lt, r += 1)
+    ;
+  return r;
+}
+const ze = (e) => (lt << BigInt(e)) - lt;
+function Sn(e, r, c) {
+  if (typeof e != "number" || e < 2)
+    throw new Error("hashLen must be a number");
+  if (typeof r != "number" || r < 2)
+    throw new Error("qByteLen must be a number");
+  if (typeof c != "function")
+    throw new Error("hmacFn must be a function");
+  const t = (b) => new Uint8Array(b), l = (b) => Uint8Array.of(b);
+  let m = t(e), g = t(e), p = 0;
+  const v = () => {
+    m.fill(1), g.fill(0), p = 0;
+  }, U = (...b) => c(g, m, ...b), H = (b = t(0)) => {
+    g = U(l(0), b), m = U(), b.length !== 0 && (g = U(l(1), b), m = U());
+  }, V = () => {
+    if (p++ >= 1e3)
+      throw new Error("drbg: tried 1000 values");
+    let b = 0;
+    const S = [];
+    for (; b < r; ) {
+      m = U();
+      const A = m.slice();
+      S.push(A), b += m.length;
+    }
+    return Ae(...S);
+  };
+  return (b, S) => {
+    v(), H(b);
+    let A;
+    for (; !(A = S(V())); )
+      H();
+    return v(), A;
+  };
+}
+function gt(e, r, c = {}) {
+  if (!e || typeof e != "object")
+    throw new Error("expected valid options object");
+  function t(l, m, g) {
+    const p = e[l];
+    if (g && p === void 0)
+      return;
+    const v = typeof p;
+    if (v !== m || p === null)
+      throw new Error(`param "${l}" is invalid: expected ${m}, got ${v}`);
+  }
+  Object.entries(r).forEach(([l, m]) => t(l, m, !1)), Object.entries(c).forEach(([l, m]) => t(l, m, !0));
+}
+function At(e) {
+  const r = /* @__PURE__ */ new WeakMap();
+  return (c, ...t) => {
+    const l = r.get(c);
+    if (l !== void 0)
+      return l;
+    const m = e(c, ...t);
+    return r.set(c, m), m;
+  };
+}
+const Te = BigInt(0), Be = BigInt(1), je = /* @__PURE__ */ BigInt(2), Gt = /* @__PURE__ */ BigInt(3), Wt = /* @__PURE__ */ BigInt(4), Qt = /* @__PURE__ */ BigInt(5), Tn = /* @__PURE__ */ BigInt(7), Jt = /* @__PURE__ */ BigInt(8), xn = /* @__PURE__ */ BigInt(9), Ft = /* @__PURE__ */ BigInt(16);
+function qe(e, r) {
+  const c = e % r;
+  return c >= Te ? c : r + c;
+}
+function Re(e, r, c) {
+  let t = e;
+  for (; r-- > Te; )
+    t *= t, t %= c;
+  return t;
+}
+function Ut(e, r) {
+  if (e === Te)
+    throw new Error("invert: expected non-zero number");
+  if (r <= Te)
+    throw new Error("invert: expected positive modulus, got " + r);
+  let c = qe(e, r), t = r, l = Te, m = Be;
+  for (; c !== Te; ) {
+    const p = t / c, v = t % c, U = l - m * p;
+    t = c, c = v, l = m, m = U;
+  }
+  if (t !== Be)
+    throw new Error("invert: does not exist");
+  return qe(l, r);
+}
+function Et(e, r, c) {
+  if (!e.eql(e.sqr(r), c))
+    throw new Error("Cannot find square root");
+}
+function $t(e, r) {
+  const c = (e.ORDER + Be) / Wt, t = e.pow(r, c);
+  return Et(e, t, r), t;
+}
+function On(e, r) {
+  const c = (e.ORDER - Qt) / Jt, t = e.mul(r, je), l = e.pow(t, c), m = e.mul(r, l), g = e.mul(e.mul(m, je), l), p = e.mul(m, e.sub(g, e.ONE));
+  return Et(e, p, r), p;
+}
+function Rn(e) {
+  const r = De(e), c = en(e), t = c(r, r.neg(r.ONE)), l = c(r, t), m = c(r, r.neg(t)), g = (e + Tn) / Ft;
+  return (p, v) => {
+    let U = p.pow(v, g), H = p.mul(U, t);
+    const V = p.mul(U, l), E = p.mul(U, m), b = p.eql(p.sqr(H), v), S = p.eql(p.sqr(V), v);
+    U = p.cmov(U, H, b), H = p.cmov(E, V, S);
+    const A = p.eql(p.sqr(H), v), M = p.cmov(U, H, A);
+    return Et(p, M, v), M;
+  };
+}
+function en(e) {
+  if (e < Gt)
+    throw new Error("sqrt is not defined for small field");
+  let r = e - Be, c = 0;
+  for (; r % je === Te; )
+    r /= je, c++;
+  let t = je;
+  const l = De(e);
+  for (; Zt(l, t) === 1; )
+    if (t++ > 1e3)
+      throw new Error("Cannot find square root: probably non-prime P");
+  if (c === 1)
+    return $t;
+  let m = l.pow(t, r);
+  const g = (r + Be) / je;
+  return function(v, U) {
+    if (v.is0(U))
+      return U;
+    if (Zt(v, U) !== 1)
+      throw new Error("Cannot find square root");
+    let H = c, V = v.mul(v.ONE, m), E = v.pow(U, r), b = v.pow(U, g);
+    for (; !v.eql(E, v.ONE); ) {
+      if (v.is0(E))
+        return v.ZERO;
+      let S = 1, A = v.sqr(E);
+      for (; !v.eql(A, v.ONE); )
+        if (S++, A = v.sqr(A), S === H)
+          throw new Error("Cannot find square root");
+      const M = Be << BigInt(H - S - 1), Q = v.pow(V, M);
+      H = S, V = v.sqr(Q), E = v.mul(E, V), b = v.mul(b, Q);
+    }
+    return b;
+  };
+}
+function qn(e) {
+  return e % Wt === Gt ? $t : e % Jt === Qt ? On : e % Ft === xn ? Rn(e) : en(e);
+}
+const In = [
+  "create",
+  "isValid",
+  "is0",
+  "neg",
+  "inv",
+  "sqrt",
+  "sqr",
+  "eql",
+  "add",
+  "sub",
+  "mul",
+  "pow",
+  "div",
+  "addN",
+  "subN",
+  "mulN",
+  "sqrN"
+];
+function Nn(e) {
+  const r = {
+    ORDER: "bigint",
+    MASK: "bigint",
+    BYTES: "number",
+    BITS: "number"
+  }, c = In.reduce((t, l) => (t[l] = "function", t), r);
+  return gt(e, c), e;
+}
+function An(e, r, c) {
+  if (c < Te)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (c === Te)
+    return e.ONE;
+  if (c === Be)
+    return r;
+  let t = e.ONE, l = r;
+  for (; c > Te; )
+    c & Be && (t = e.mul(t, l)), l = e.sqr(l), c >>= Be;
+  return t;
+}
+function tn(e, r, c = !1) {
+  const t = new Array(r.length).fill(c ? e.ZERO : void 0), l = r.reduce((g, p, v) => e.is0(p) ? g : (t[v] = g, e.mul(g, p)), e.ONE), m = e.inv(l);
+  return r.reduceRight((g, p, v) => e.is0(p) ? g : (t[v] = e.mul(g, t[v]), e.mul(g, p)), m), t;
+}
+function Zt(e, r) {
+  const c = (e.ORDER - Be) / je, t = e.pow(r, c), l = e.eql(t, e.ONE), m = e.eql(t, e.ZERO), g = e.eql(t, e.neg(e.ONE));
+  if (!l && !m && !g)
+    throw new Error("invalid Legendre symbol result");
+  return l ? 1 : m ? 0 : -1;
+}
+function nn(e, r) {
+  r !== void 0 && yn(r);
+  const c = r !== void 0 ? r : e.toString(2).length, t = Math.ceil(c / 8);
+  return { nBitLength: c, nByteLength: t };
+}
+function De(e, r, c = !1, t = {}) {
+  if (e <= Te)
+    throw new Error("invalid field: expected ORDER > 0, got " + e);
+  let l, m, g = !1, p;
+  if (typeof r == "object" && r != null) {
+    if (t.sqrt || c)
+      throw new Error("cannot specify opts in two arguments");
+    const E = r;
+    E.BITS && (l = E.BITS), E.sqrt && (m = E.sqrt), typeof E.isLE == "boolean" && (c = E.isLE), typeof E.modFromBytes == "boolean" && (g = E.modFromBytes), p = E.allowedLengths;
+  } else
+    typeof r == "number" && (l = r), t.sqrt && (m = t.sqrt);
+  const { nBitLength: v, nByteLength: U } = nn(e, l);
+  if (U > 2048)
+    throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+  let H;
+  const V = Object.freeze({
+    ORDER: e,
+    isLE: c,
+    BITS: v,
+    BYTES: U,
+    MASK: ze(v),
+    ZERO: Te,
+    ONE: Be,
+    allowedLengths: p,
+    create: (E) => qe(E, e),
+    isValid: (E) => {
+      if (typeof E != "bigint")
+        throw new Error("invalid field element: expected bigint, got " + typeof E);
+      return Te <= E && E < e;
+    },
+    is0: (E) => E === Te,
+    // is valid and invertible
+    isValidNot0: (E) => !V.is0(E) && V.isValid(E),
+    isOdd: (E) => (E & Be) === Be,
+    neg: (E) => qe(-E, e),
+    eql: (E, b) => E === b,
+    sqr: (E) => qe(E * E, e),
+    add: (E, b) => qe(E + b, e),
+    sub: (E, b) => qe(E - b, e),
+    mul: (E, b) => qe(E * b, e),
+    pow: (E, b) => An(V, E, b),
+    div: (E, b) => qe(E * Ut(b, e), e),
+    // Same as above, but doesn't normalize
+    sqrN: (E) => E * E,
+    addN: (E, b) => E + b,
+    subN: (E, b) => E - b,
+    mulN: (E, b) => E * b,
+    inv: (E) => Ut(E, e),
+    sqrt: m || ((E) => (H || (H = qn(e)), H(V, E))),
+    toBytes: (E) => c ? Pt(E, U) : wt(E, U),
+    fromBytes: (E, b = !0) => {
+      if (p) {
+        if (!p.includes(E.length) || E.length > U)
+          throw new Error("Field.fromBytes: expected " + p + " bytes, got " + E.length);
+        const A = new Uint8Array(U);
+        A.set(E, c ? 0 : A.length - E.length), E = A;
+      }
+      if (E.length !== U)
+        throw new Error("Field.fromBytes: expected " + U + " bytes, got " + E.length);
+      let S = c ? Yt(E) : et(E);
+      if (g && (S = qe(S, e)), !b && !V.isValid(S))
+        throw new Error("invalid field element: outside of range 0..ORDER");
+      return S;
+    },
+    // TODO: we don't need it here, move out to separate fn
+    invertBatch: (E) => tn(V, E),
+    // We can't move this out because Fp6, Fp12 implement it
+    // and it's unclear what to return in there.
+    cmov: (E, b, S) => S ? b : E
+  });
+  return Object.freeze(V);
+}
+function rn(e) {
+  if (typeof e != "bigint")
+    throw new Error("field order must be bigint");
+  const r = e.toString(2).length;
+  return Math.ceil(r / 8);
+}
+function on(e) {
+  const r = rn(e);
+  return r + Math.ceil(r / 2);
+}
+function Un(e, r, c = !1) {
+  const t = e.length, l = rn(r), m = on(r);
+  if (t < 16 || t < m || t > 1024)
+    throw new Error("expected " + m + "-1024 bytes of input, got " + t);
+  const g = c ? Yt(e) : et(e), p = qe(g, r - Be) + Be;
+  return c ? Pt(p, l) : wt(p, l);
+}
+const ke = BigInt(0), Le = BigInt(1);
+function Fe(e, r) {
+  const c = r.negate();
+  return e ? c : r;
+}
+function it(e, r) {
+  const c = tn(e.Fp, r.map((t) => t.Z));
+  return r.map((t, l) => e.fromAffine(t.toAffine(c[l])));
+}
+function sn(e, r) {
+  if (!Number.isSafeInteger(e) || e <= 0 || e > r)
+    throw new Error("invalid window size, expected [1.." + r + "], got W=" + e);
+}
+function ct(e, r) {
+  sn(e, r);
+  const c = Math.ceil(r / e) + 1, t = 2 ** (e - 1), l = 2 ** e, m = ze(e), g = BigInt(e);
+  return { windows: c, windowSize: t, mask: m, maxNumber: l, shiftBy: g };
+}
+function jt(e, r, c) {
+  const { windowSize: t, mask: l, maxNumber: m, shiftBy: g } = c;
+  let p = Number(e & l), v = e >> g;
+  p > t && (p -= m, v += Le);
+  const U = r * t, H = U + Math.abs(p) - 1, V = p === 0, E = p < 0, b = r % 2 !== 0;
+  return { nextN: v, offset: H, isZero: V, isNeg: E, isNegF: b, offsetF: U };
+}
+function Zn(e, r) {
+  if (!Array.isArray(e))
+    throw new Error("array expected");
+  e.forEach((c, t) => {
+    if (!(c instanceof r))
+      throw new Error("invalid point at index " + t);
+  });
+}
+function jn(e, r) {
+  if (!Array.isArray(e))
+    throw new Error("array of scalars expected");
+  e.forEach((c, t) => {
+    if (!r.isValid(c))
+      throw new Error("invalid scalar at index " + t);
+  });
+}
+const at = /* @__PURE__ */ new WeakMap(), cn = /* @__PURE__ */ new WeakMap();
+function ft(e) {
+  return cn.get(e) || 1;
+}
+function Lt(e) {
+  if (e !== ke)
+    throw new Error("invalid wNAF");
+}
+class Ln {
+  // Parametrized with a given Point class (not individual point)
+  constructor(r, c) {
+    this.BASE = r.BASE, this.ZERO = r.ZERO, this.Fn = r.Fn, this.bits = c;
+  }
+  // non-const time multiplication ladder
+  _unsafeLadder(r, c, t = this.ZERO) {
+    let l = r;
+    for (; c > ke; )
+      c & Le && (t = t.add(l)), l = l.double(), c >>= Le;
+    return t;
+  }
+  /**
+   * Creates a wNAF precomputation window. Used for caching.
+   * Default window size is set by `utils.precompute()` and is equal to 8.
+   * Number of precomputed points depends on the curve size:
+   * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+   * - 𝑊 is the window size
+   * - 𝑛 is the bitlength of the curve order.
+   * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+   * @param point Point instance
+   * @param W window size
+   * @returns precomputed point tables flattened to a single array
+   */
+  precomputeWindow(r, c) {
+    const { windows: t, windowSize: l } = ct(c, this.bits), m = [];
+    let g = r, p = g;
+    for (let v = 0; v < t; v++) {
+      p = g, m.push(p);
+      for (let U = 1; U < l; U++)
+        p = p.add(g), m.push(p);
+      g = p.double();
+    }
+    return m;
+  }
+  /**
+   * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+   * More compact implementation:
+   * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+   * @returns real and fake (for const-time) points
+   */
+  wNAF(r, c, t) {
+    if (!this.Fn.isValid(t))
+      throw new Error("invalid scalar");
+    let l = this.ZERO, m = this.BASE;
+    const g = ct(r, this.bits);
+    for (let p = 0; p < g.windows; p++) {
+      const { nextN: v, offset: U, isZero: H, isNeg: V, isNegF: E, offsetF: b } = jt(t, p, g);
+      t = v, H ? m = m.add(Fe(E, c[b])) : l = l.add(Fe(V, c[U]));
+    }
+    return Lt(t), { p: l, f: m };
+  }
+  /**
+   * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+   * @param acc accumulator point to add result of multiplication
+   * @returns point
+   */
+  wNAFUnsafe(r, c, t, l = this.ZERO) {
+    const m = ct(r, this.bits);
+    for (let g = 0; g < m.windows && t !== ke; g++) {
+      const { nextN: p, offset: v, isZero: U, isNeg: H } = jt(t, g, m);
+      if (t = p, !U) {
+        const V = c[v];
+        l = l.add(H ? V.negate() : V);
+      }
+    }
+    return Lt(t), l;
+  }
+  getPrecomputes(r, c, t) {
+    let l = at.get(c);
+    return l || (l = this.precomputeWindow(c, r), r !== 1 && (typeof t == "function" && (l = t(l)), at.set(c, l))), l;
+  }
+  cached(r, c, t) {
+    const l = ft(r);
+    return this.wNAF(l, this.getPrecomputes(l, r, t), c);
+  }
+  unsafe(r, c, t, l) {
+    const m = ft(r);
+    return m === 1 ? this._unsafeLadder(r, c, l) : this.wNAFUnsafe(m, this.getPrecomputes(m, r, t), c, l);
+  }
+  // We calculate precomputes for elliptic curve point multiplication
+  // using windowed method. This specifies window size and
+  // stores precomputed values. Usually only base point would be precomputed.
+  createCache(r, c) {
+    sn(c, this.bits), cn.set(r, c), at.delete(r);
+  }
+  hasCache(r) {
+    return ft(r) !== 1;
+  }
+}
+function Hn(e, r, c, t) {
+  let l = r, m = e.ZERO, g = e.ZERO;
+  for (; c > ke || t > ke; )
+    c & Le && (m = m.add(l)), t & Le && (g = g.add(l)), l = l.double(), c >>= Le, t >>= Le;
+  return { p1: m, p2: g };
+}
+function Mn(e, r, c, t) {
+  Zn(c, e), jn(t, r);
+  const l = c.length, m = t.length;
+  if (l !== m)
+    throw new Error("arrays of points and scalars must have equal length");
+  const g = e.ZERO, p = Xt(BigInt(l));
+  let v = 1;
+  p > 12 ? v = p - 3 : p > 4 ? v = p - 2 : p > 0 && (v = 2);
+  const U = ze(v), H = new Array(Number(U) + 1).fill(g), V = Math.floor((r.BITS - 1) / v) * v;
+  let E = g;
+  for (let b = V; b >= 0; b -= v) {
+    H.fill(g);
+    for (let A = 0; A < m; A++) {
+      const M = t[A], Q = Number(M >> BigInt(b) & U);
+      H[Q] = H[Q].add(c[A]);
+    }
+    let S = g;
+    for (let A = H.length - 1, M = g; A > 0; A--)
+      M = M.add(H[A]), S = S.add(M);
+    if (E = E.add(S), b !== 0)
+      for (let A = 0; A < v; A++)
+        E = E.double();
+  }
+  return E;
+}
+function Ht(e, r, c) {
+  if (r) {
+    if (r.ORDER !== e)
+      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
+    return Nn(r), r;
+  } else
+    return De(e, { isLE: c });
+}
+function Vn(e, r, c = {}, t) {
+  if (t === void 0 && (t = e === "edwards"), !r || typeof r != "object")
+    throw new Error(`expected valid ${e} CURVE object`);
+  for (const v of ["p", "n", "h"]) {
+    const U = r[v];
+    if (!(typeof U == "bigint" && U > ke))
+      throw new Error(`CURVE.${v} must be positive bigint`);
+  }
+  const l = Ht(r.p, c.Fp, t), m = Ht(r.n, c.Fn, t), p = ["Gx", "Gy", "a", "b"];
+  for (const v of p)
+    if (!l.isValid(r[v]))
+      throw new Error(`CURVE.${v} must be valid field element of CURVE.Fp`);
+  return r = Object.freeze(Object.assign({}, r)), { CURVE: r, Fp: l, Fn: m };
+}
+const Mt = (e, r) => (e + (e >= 0 ? r : -r) / an) / r;
+function kn(e, r, c) {
+  const [[t, l], [m, g]] = r, p = Mt(g * e, c), v = Mt(-l * e, c);
+  let U = e - p * t - v * m, H = -p * l - v * g;
+  const V = U < Ne, E = H < Ne;
+  V && (U = -U), E && (H = -H);
+  const b = ze(Math.ceil(Xt(c) / 2)) + Ve;
+  if (U < Ne || U >= b || H < Ne || H >= b)
+    throw new Error("splitScalar (endomorphism): failed, k=" + e);
+  return { k1neg: V, k1: U, k2neg: E, k2: H };
+}
+function dt(e) {
+  if (!["compact", "recovered", "der"].includes(e))
+    throw new Error('Signature format must be "compact", "recovered", or "der"');
+  return e;
+}
+function ut(e, r) {
+  const c = {};
+  for (let t of Object.keys(r))
+    c[t] = e[t] === void 0 ? r[t] : e[t];
+  return Je(c.lowS, "lowS"), Je(c.prehash, "prehash"), c.format !== void 0 && dt(c.format), c;
+}
+class Cn extends Error {
+  constructor(r = "") {
+    super(r);
+  }
+}
+const Ie = {
+  // asn.1 DER encoding utils
+  Err: Cn,
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (e, r) => {
+      const { Err: c } = Ie;
+      if (e < 0 || e > 256)
+        throw new c("tlv.encode: wrong tag");
+      if (r.length & 1)
+        throw new c("tlv.encode: unpadded data");
+      const t = r.length / 2, l = Xe(t);
+      if (l.length / 2 & 128)
+        throw new c("tlv.encode: long form length too big");
+      const m = t > 127 ? Xe(l.length / 2 | 128) : "";
+      return Xe(e) + m + l + r;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(e, r) {
+      const { Err: c } = Ie;
+      let t = 0;
+      if (e < 0 || e > 256)
+        throw new c("tlv.encode: wrong tag");
+      if (r.length < 2 || r[t++] !== e)
+        throw new c("tlv.decode: wrong tlv");
+      const l = r[t++], m = !!(l & 128);
+      let g = 0;
+      if (!m)
+        g = l;
+      else {
+        const v = l & 127;
+        if (!v)
+          throw new c("tlv.decode(long): indefinite length not supported");
+        if (v > 4)
+          throw new c("tlv.decode(long): byte length is too big");
+        const U = r.subarray(t, t + v);
+        if (U.length !== v)
+          throw new c("tlv.decode: length bytes not complete");
+        if (U[0] === 0)
+          throw new c("tlv.decode(long): zero leftmost byte");
+        for (const H of U)
+          g = g << 8 | H;
+        if (t += v, g < 128)
+          throw new c("tlv.decode(long): not minimal encoding");
+      }
+      const p = r.subarray(t, t + g);
+      if (p.length !== g)
+        throw new c("tlv.decode: wrong value length");
+      return { v: p, l: r.subarray(t + g) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(e) {
+      const { Err: r } = Ie;
+      if (e < Ne)
+        throw new r("integer: negative integers are not allowed");
+      let c = Xe(e);
+      if (Number.parseInt(c[0], 16) & 8 && (c = "00" + c), c.length & 1)
+        throw new r("unexpected DER parsing assertion: unpadded hex");
+      return c;
+    },
+    decode(e) {
+      const { Err: r } = Ie;
+      if (e[0] & 128)
+        throw new r("invalid signature integer: negative");
+      if (e[0] === 0 && !(e[1] & 128))
+        throw new r("invalid signature integer: unnecessary leading zero");
+      return et(e);
+    }
+  },
+  toSig(e) {
+    const { Err: r, _int: c, _tlv: t } = Ie, l = Se("signature", e), { v: m, l: g } = t.decode(48, l);
+    if (g.length)
+      throw new r("invalid signature: left bytes after parsing");
+    const { v: p, l: v } = t.decode(2, m), { v: U, l: H } = t.decode(2, v);
+    if (H.length)
+      throw new r("invalid signature: left bytes after parsing");
+    return { r: c.decode(p), s: c.decode(U) };
+  },
+  hexFromSig(e) {
+    const { _tlv: r, _int: c } = Ie, t = r.encode(2, c.encode(e.r)), l = r.encode(2, c.encode(e.s)), m = t + l;
+    return r.encode(48, m);
+  }
+}, Ne = BigInt(0), Ve = BigInt(1), an = BigInt(2), Ge = BigInt(3), Kn = BigInt(4);
+function He(e, r) {
+  const { BYTES: c } = e;
+  let t;
+  if (typeof r == "bigint")
+    t = r;
+  else {
+    let l = Se("private key", r);
+    try {
+      t = e.fromBytes(l);
+    } catch {
+      throw new Error(`invalid private key: expected ui8a of size ${c}, got ${typeof r}`);
+    }
+  }
+  if (!e.isValidNot0(t))
+    throw new Error("invalid private key: out of range [1..N-1]");
+  return t;
+}
+function zn(e, r = {}) {
+  const c = Vn("weierstrass", e, r), { Fp: t, Fn: l } = c;
+  let m = c.CURVE;
+  const { h: g, n: p } = m;
+  gt(r, {}, {
+    allowInfinityPoint: "boolean",
+    clearCofactor: "function",
+    isTorsionFree: "function",
+    fromBytes: "function",
+    toBytes: "function",
+    endo: "object",
+    wrapPrivateKey: "boolean"
+  });
+  const { endo: v } = r;
+  if (v && (!t.is0(m.a) || typeof v.beta != "bigint" || !Array.isArray(v.basises)))
+    throw new Error('invalid endo: expected "beta": bigint and "basises": array');
+  const U = un(t, l);
+  function H() {
+    if (!t.isOdd)
+      throw new Error("compression is not supported: Field does not have .isOdd()");
+  }
+  function V(z, d, u) {
+    const { x: n, y: a } = d.toAffine(), i = t.toBytes(n);
+    if (Je(u, "isCompressed"), u) {
+      H();
+      const o = !t.isOdd(a);
+      return Ae(fn(o), i);
+    } else
+      return Ae(Uint8Array.of(4), i, t.toBytes(a));
+  }
+  function E(z) {
+    Ze(z, void 0, "Point");
+    const { publicKey: d, publicKeyUncompressed: u } = U, n = z.length, a = z[0], i = z.subarray(1);
+    if (n === d && (a === 2 || a === 3)) {
+      const o = t.fromBytes(i);
+      if (!t.isValid(o))
+        throw new Error("bad point: is not on curve, wrong x");
+      const h = A(o);
+      let w;
+      try {
+        w = t.sqrt(h);
+      } catch (y) {
+        const B = y instanceof Error ? ": " + y.message : "";
+        throw new Error("bad point: is not on curve, sqrt error" + B);
+      }
+      H();
+      const s = t.isOdd(w);
+      return (a & 1) === 1 !== s && (w = t.neg(w)), { x: o, y: w };
+    } else if (n === u && a === 4) {
+      const o = t.BYTES, h = t.fromBytes(i.subarray(0, o)), w = t.fromBytes(i.subarray(o, o * 2));
+      if (!M(h, w))
+        throw new Error("bad point: is not on curve");
+      return { x: h, y: w };
+    } else
+      throw new Error(`bad point: got length ${n}, expected compressed=${d} or uncompressed=${u}`);
+  }
+  const b = r.toBytes || V, S = r.fromBytes || E;
+  function A(z) {
+    const d = t.sqr(z), u = t.mul(d, z);
+    return t.add(t.add(u, t.mul(z, m.a)), m.b);
+  }
+  function M(z, d) {
+    const u = t.sqr(d), n = A(z);
+    return t.eql(u, n);
+  }
+  if (!M(m.Gx, m.Gy))
+    throw new Error("bad curve params: generator point");
+  const Q = t.mul(t.pow(m.a, Ge), Kn), F = t.mul(t.sqr(m.b), BigInt(27));
+  if (t.is0(t.add(Q, F)))
+    throw new Error("bad curve params: a or b");
+  function G(z, d, u = !1) {
+    if (!t.isValid(d) || u && t.is0(d))
+      throw new Error(`bad point coordinate ${z}`);
+    return d;
+  }
+  function se(z) {
+    if (!(z instanceof _))
+      throw new Error("ProjectivePoint expected");
+  }
+  function ie(z) {
+    if (!v || !v.basises)
+      throw new Error("no endo");
+    return kn(z, v.basises, l.ORDER);
+  }
+  const j = At((z, d) => {
+    const { X: u, Y: n, Z: a } = z;
+    if (t.eql(a, t.ONE))
+      return { x: u, y: n };
+    const i = z.is0();
+    d == null && (d = i ? t.ONE : t.inv(a));
+    const o = t.mul(u, d), h = t.mul(n, d), w = t.mul(a, d);
+    if (i)
+      return { x: t.ZERO, y: t.ZERO };
+    if (!t.eql(w, t.ONE))
+      throw new Error("invZ was invalid");
+    return { x: o, y: h };
+  }), O = At((z) => {
+    if (z.is0()) {
+      if (r.allowInfinityPoint && !t.is0(z.Y))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x: d, y: u } = z.toAffine();
+    if (!t.isValid(d) || !t.isValid(u))
+      throw new Error("bad point: x or y not field elements");
+    if (!M(d, u))
+      throw new Error("bad point: equation left != right");
+    if (!z.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return !0;
+  });
+  function L(z, d, u, n, a) {
+    return u = new _(t.mul(u.X, z), u.Y, u.Z), d = Fe(n, d), u = Fe(a, u), d.add(u);
+  }
+  class _ {
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    constructor(d, u, n) {
+      this.X = G("x", d), this.Y = G("y", u, !0), this.Z = G("z", n), Object.freeze(this);
+    }
+    static CURVE() {
+      return m;
+    }
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    static fromAffine(d) {
+      const { x: u, y: n } = d || {};
+      if (!d || !t.isValid(u) || !t.isValid(n))
+        throw new Error("invalid affine point");
+      if (d instanceof _)
+        throw new Error("projective point not allowed");
+      return t.is0(u) && t.is0(n) ? _.ZERO : new _(u, n, t.ONE);
+    }
+    static fromBytes(d) {
+      const u = _.fromAffine(S(Ze(d, void 0, "point")));
+      return u.assertValidity(), u;
+    }
+    static fromHex(d) {
+      return _.fromBytes(Se("pointHex", d));
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    /**
+     *
+     * @param windowSize
+     * @param isLazy true will defer table computation until the first multiplication
+     * @returns
+     */
+    precompute(d = 8, u = !0) {
+      return W.createCache(this, d), u || this.multiply(Ge), this;
+    }
+    // TODO: return `this`
+    /** A point on curve is valid if it conforms to equation. */
+    assertValidity() {
+      O(this);
+    }
+    hasEvenY() {
+      const { y: d } = this.toAffine();
+      if (!t.isOdd)
+        throw new Error("Field doesn't support isOdd");
+      return !t.isOdd(d);
+    }
+    /** Compare one point to another. */
+    equals(d) {
+      se(d);
+      const { X: u, Y: n, Z: a } = this, { X: i, Y: o, Z: h } = d, w = t.eql(t.mul(u, h), t.mul(i, a)), s = t.eql(t.mul(n, h), t.mul(o, a));
+      return w && s;
+    }
+    /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
+    negate() {
+      return new _(this.X, t.neg(this.Y), this.Z);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a: d, b: u } = m, n = t.mul(u, Ge), { X: a, Y: i, Z: o } = this;
+      let h = t.ZERO, w = t.ZERO, s = t.ZERO, f = t.mul(a, a), y = t.mul(i, i), B = t.mul(o, o), T = t.mul(a, i);
+      return T = t.add(T, T), s = t.mul(a, o), s = t.add(s, s), h = t.mul(d, s), w = t.mul(n, B), w = t.add(h, w), h = t.sub(y, w), w = t.add(y, w), w = t.mul(h, w), h = t.mul(T, h), s = t.mul(n, s), B = t.mul(d, B), T = t.sub(f, B), T = t.mul(d, T), T = t.add(T, s), s = t.add(f, f), f = t.add(s, f), f = t.add(f, B), f = t.mul(f, T), w = t.add(w, f), B = t.mul(i, o), B = t.add(B, B), f = t.mul(B, T), h = t.sub(h, f), s = t.mul(B, y), s = t.add(s, s), s = t.add(s, s), new _(h, w, s);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(d) {
+      se(d);
+      const { X: u, Y: n, Z: a } = this, { X: i, Y: o, Z: h } = d;
+      let w = t.ZERO, s = t.ZERO, f = t.ZERO;
+      const y = m.a, B = t.mul(m.b, Ge);
+      let T = t.mul(u, i), k = t.mul(n, o), Y = t.mul(a, h), I = t.add(u, n), q = t.add(i, o);
+      I = t.mul(I, q), q = t.add(T, k), I = t.sub(I, q), q = t.add(u, a);
+      let C = t.add(i, h);
+      return q = t.mul(q, C), C = t.add(T, Y), q = t.sub(q, C), C = t.add(n, a), w = t.add(o, h), C = t.mul(C, w), w = t.add(k, Y), C = t.sub(C, w), f = t.mul(y, q), w = t.mul(B, Y), f = t.add(w, f), w = t.sub(k, f), f = t.add(k, f), s = t.mul(w, f), k = t.add(T, T), k = t.add(k, T), Y = t.mul(y, Y), q = t.mul(B, q), k = t.add(k, Y), Y = t.sub(T, Y), Y = t.mul(y, Y), q = t.add(q, Y), T = t.mul(k, q), s = t.add(s, T), T = t.mul(C, q), w = t.mul(I, w), w = t.sub(w, T), T = t.mul(I, k), f = t.mul(C, f), f = t.add(f, T), new _(w, s, f);
+    }
+    subtract(d) {
+      return this.add(d.negate());
+    }
+    is0() {
+      return this.equals(_.ZERO);
+    }
+    /**
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
+     */
+    multiply(d) {
+      const { endo: u } = r;
+      if (!l.isValidNot0(d))
+        throw new Error("invalid scalar: out of range");
+      let n, a;
+      const i = (o) => W.cached(this, o, (h) => it(_, h));
+      if (u) {
+        const { k1neg: o, k1: h, k2neg: w, k2: s } = ie(d), { p: f, f: y } = i(h), { p: B, f: T } = i(s);
+        a = y.add(T), n = L(u.beta, f, B, o, w);
+      } else {
+        const { p: o, f: h } = i(d);
+        n = o, a = h;
+      }
+      return it(_, [n, a])[0];
+    }
+    /**
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed secret key e.g. sig verification, which works over *public* keys.
+     */
+    multiplyUnsafe(d) {
+      const { endo: u } = r, n = this;
+      if (!l.isValid(d))
+        throw new Error("invalid scalar: out of range");
+      if (d === Ne || n.is0())
+        return _.ZERO;
+      if (d === Ve)
+        return n;
+      if (W.hasCache(this))
+        return this.multiply(d);
+      if (u) {
+        const { k1neg: a, k1: i, k2neg: o, k2: h } = ie(d), { p1: w, p2: s } = Hn(_, n, i, h);
+        return L(u.beta, w, s, a, o);
+      } else
+        return W.unsafe(n, d);
+    }
+    multiplyAndAddUnsafe(d, u, n) {
+      const a = this.multiplyUnsafe(u).add(d.multiplyUnsafe(n));
+      return a.is0() ? void 0 : a;
+    }
+    /**
+     * Converts Projective point to affine (x, y) coordinates.
+     * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+     */
+    toAffine(d) {
+      return j(this, d);
+    }
+    /**
+     * Checks whether Point is free of torsion elements (is in prime subgroup).
+     * Always torsion-free for cofactor=1 curves.
+     */
+    isTorsionFree() {
+      const { isTorsionFree: d } = r;
+      return g === Ve ? !0 : d ? d(_, this) : W.unsafe(this, p).is0();
+    }
+    clearCofactor() {
+      const { clearCofactor: d } = r;
+      return g === Ve ? this : d ? d(_, this) : this.multiplyUnsafe(g);
+    }
+    isSmallOrder() {
+      return this.multiplyUnsafe(g).is0();
+    }
+    toBytes(d = !0) {
+      return Je(d, "isCompressed"), this.assertValidity(), b(_, this, d);
+    }
+    toHex(d = !0) {
+      return Me(this.toBytes(d));
+    }
+    toString() {
+      return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+    }
+    // TODO: remove
+    get px() {
+      return this.X;
+    }
+    get py() {
+      return this.X;
+    }
+    get pz() {
+      return this.Z;
+    }
+    toRawBytes(d = !0) {
+      return this.toBytes(d);
+    }
+    _setWindowSize(d) {
+      this.precompute(d);
+    }
+    static normalizeZ(d) {
+      return it(_, d);
+    }
+    static msm(d, u) {
+      return Mn(_, l, d, u);
+    }
+    static fromPrivateKey(d) {
+      return _.BASE.multiply(He(l, d));
+    }
+  }
+  _.BASE = new _(m.Gx, m.Gy, t.ONE), _.ZERO = new _(t.ZERO, t.ONE, t.ZERO), _.Fp = t, _.Fn = l;
+  const K = l.BITS, W = new Ln(_, r.endo ? Math.ceil(K / 2) : K);
+  return _.BASE.precompute(8), _;
+}
+function fn(e) {
+  return Uint8Array.of(e ? 2 : 3);
+}
+function un(e, r) {
+  return {
+    secretKey: r.BYTES,
+    publicKey: 1 + e.BYTES,
+    publicKeyUncompressed: 1 + 2 * e.BYTES,
+    publicKeyHasPrefix: !0,
+    signature: 2 * r.BYTES
+  };
+}
+function Dn(e, r = {}) {
+  const { Fn: c } = e, t = r.randomBytes || kt, l = Object.assign(un(e.Fp, c), { seed: on(c.ORDER) });
+  function m(b) {
+    try {
+      return !!He(c, b);
+    } catch {
+      return !1;
+    }
+  }
+  function g(b, S) {
+    const { publicKey: A, publicKeyUncompressed: M } = l;
+    try {
+      const Q = b.length;
+      return S === !0 && Q !== A || S === !1 && Q !== M ? !1 : !!e.fromBytes(b);
+    } catch {
+      return !1;
+    }
+  }
+  function p(b = t(l.seed)) {
+    return Un(Ze(b, l.seed, "seed"), c.ORDER);
+  }
+  function v(b, S = !0) {
+    return e.BASE.multiply(He(c, b)).toBytes(S);
+  }
+  function U(b) {
+    const S = p(b);
+    return { secretKey: S, publicKey: v(S) };
+  }
+  function H(b) {
+    if (typeof b == "bigint")
+      return !1;
+    if (b instanceof e)
+      return !0;
+    const { secretKey: S, publicKey: A, publicKeyUncompressed: M } = l;
+    if (c.allowedLengths || S === A)
+      return;
+    const Q = Se("key", b).length;
+    return Q === A || Q === M;
+  }
+  function V(b, S, A = !0) {
+    if (H(b) === !0)
+      throw new Error("first arg must be private key");
+    if (H(S) === !1)
+      throw new Error("second arg must be public key");
+    const M = He(c, b);
+    return e.fromHex(S).multiply(M).toBytes(A);
+  }
+  return Object.freeze({ getPublicKey: v, getSharedSecret: V, keygen: U, Point: e, utils: {
+    isValidSecretKey: m,
+    isValidPublicKey: g,
+    randomSecretKey: p,
+    // TODO: remove
+    isValidPrivateKey: m,
+    randomPrivateKey: p,
+    normPrivateKeyToScalar: (b) => He(c, b),
+    precompute(b = 8, S = e.BASE) {
+      return S.precompute(b, !1);
+    }
+  }, lengths: l });
+}
+function Yn(e, r, c = {}) {
+  mn(r), gt(c, {}, {
+    hmac: "function",
+    lowS: "boolean",
+    randomBytes: "function",
+    bits2int: "function",
+    bits2int_modN: "function"
+  });
+  const t = c.randomBytes || kt, l = c.hmac || ((u, ...n) => bn(r, u, Ae(...n))), { Fp: m, Fn: g } = e, { ORDER: p, BITS: v } = g, { keygen: U, getPublicKey: H, getSharedSecret: V, utils: E, lengths: b } = Dn(e, c), S = {
+    prehash: !1,
+    lowS: typeof c.lowS == "boolean" ? c.lowS : !1,
+    format: void 0,
+    //'compact' as ECDSASigFormat,
+    extraEntropy: !1
+  }, A = "compact";
+  function M(u) {
+    const n = p >> Ve;
+    return u > n;
+  }
+  function Q(u, n) {
+    if (!g.isValidNot0(n))
+      throw new Error(`invalid signature ${u}: out of range 1..Point.Fn.ORDER`);
+    return n;
+  }
+  function F(u, n) {
+    dt(n);
+    const a = b.signature, i = n === "compact" ? a : n === "recovered" ? a + 1 : void 0;
+    return Ze(u, i, `${n} signature`);
+  }
+  class G {
+    constructor(n, a, i) {
+      this.r = Q("r", n), this.s = Q("s", a), i != null && (this.recovery = i), Object.freeze(this);
+    }
+    static fromBytes(n, a = A) {
+      F(n, a);
+      let i;
+      if (a === "der") {
+        const { r: s, s: f } = Ie.toSig(Ze(n));
+        return new G(s, f);
+      }
+      a === "recovered" && (i = n[0], a = "compact", n = n.subarray(1));
+      const o = g.BYTES, h = n.subarray(0, o), w = n.subarray(o, o * 2);
+      return new G(g.fromBytes(h), g.fromBytes(w), i);
+    }
+    static fromHex(n, a) {
+      return this.fromBytes(Qe(n), a);
+    }
+    addRecoveryBit(n) {
+      return new G(this.r, this.s, n);
+    }
+    recoverPublicKey(n) {
+      const a = m.ORDER, { r: i, s: o, recovery: h } = this;
+      if (h == null || ![0, 1, 2, 3].includes(h))
+        throw new Error("recovery id invalid");
+      if (p * an < a && h > 1)
+        throw new Error("recovery id is ambiguous for h>1 curve");
+      const s = h === 2 || h === 3 ? i + p : i;
+      if (!m.isValid(s))
+        throw new Error("recovery id 2 or 3 invalid");
+      const f = m.toBytes(s), y = e.fromBytes(Ae(fn((h & 1) === 0), f)), B = g.inv(s), T = ie(Se("msgHash", n)), k = g.create(-T * B), Y = g.create(o * B), I = e.BASE.multiplyUnsafe(k).add(y.multiplyUnsafe(Y));
+      if (I.is0())
+        throw new Error("point at infinify");
+      return I.assertValidity(), I;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return M(this.s);
+    }
+    toBytes(n = A) {
+      if (dt(n), n === "der")
+        return Qe(Ie.hexFromSig(this));
+      const a = g.toBytes(this.r), i = g.toBytes(this.s);
+      if (n === "recovered") {
+        if (this.recovery == null)
+          throw new Error("recovery bit must be present");
+        return Ae(Uint8Array.of(this.recovery), a, i);
+      }
+      return Ae(a, i);
+    }
+    toHex(n) {
+      return Me(this.toBytes(n));
+    }
+    // TODO: remove
+    assertValidity() {
+    }
+    static fromCompact(n) {
+      return G.fromBytes(Se("sig", n), "compact");
+    }
+    static fromDER(n) {
+      return G.fromBytes(Se("sig", n), "der");
+    }
+    normalizeS() {
+      return this.hasHighS() ? new G(this.r, g.neg(this.s), this.recovery) : this;
+    }
+    toDERRawBytes() {
+      return this.toBytes("der");
+    }
+    toDERHex() {
+      return Me(this.toBytes("der"));
+    }
+    toCompactRawBytes() {
+      return this.toBytes("compact");
+    }
+    toCompactHex() {
+      return Me(this.toBytes("compact"));
+    }
+  }
+  const se = c.bits2int || function(n) {
+    if (n.length > 8192)
+      throw new Error("input is too large");
+    const a = et(n), i = n.length * 8 - v;
+    return i > 0 ? a >> BigInt(i) : a;
+  }, ie = c.bits2int_modN || function(n) {
+    return g.create(se(n));
+  }, j = ze(v);
+  function O(u) {
+    return _n("num < 2^" + v, u, Ne, j), g.toBytes(u);
+  }
+  function L(u, n) {
+    return Ze(u, void 0, "message"), n ? Ze(r(u), void 0, "prehashed message") : u;
+  }
+  function _(u, n, a) {
+    if (["recovered", "canonical"].some((k) => k in a))
+      throw new Error("sign() legacy options not supported");
+    const { lowS: i, prehash: o, extraEntropy: h } = ut(a, S);
+    u = L(u, o);
+    const w = ie(u), s = He(g, n), f = [O(s), O(w)];
+    if (h != null && h !== !1) {
+      const k = h === !0 ? t(b.secretKey) : h;
+      f.push(Se("extraEntropy", k));
+    }
+    const y = Ae(...f), B = w;
+    function T(k) {
+      const Y = se(k);
+      if (!g.isValidNot0(Y))
+        return;
+      const I = g.inv(Y), q = e.BASE.multiply(Y).toAffine(), C = g.create(q.x);
+      if (C === Ne)
+        return;
+      const te = g.create(I * g.create(B + C * s));
+      if (te === Ne)
+        return;
+      let $ = (q.x === C ? 0 : 2) | Number(q.y & Ve), x = te;
+      return i && M(te) && (x = g.neg(te), $ ^= 1), new G(C, x, $);
+    }
+    return { seed: y, k2sig: T };
+  }
+  function K(u, n, a = {}) {
+    u = Se("message", u);
+    const { seed: i, k2sig: o } = _(u, n, a);
+    return Sn(r.outputLen, g.BYTES, l)(i, o);
+  }
+  function W(u) {
+    let n;
+    const a = typeof u == "string" || yt(u), i = !a && u !== null && typeof u == "object" && typeof u.r == "bigint" && typeof u.s == "bigint";
+    if (!a && !i)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    if (i)
+      n = new G(u.r, u.s);
+    else if (a) {
+      try {
+        n = G.fromBytes(Se("sig", u), "der");
+      } catch (o) {
+        if (!(o instanceof Ie.Err))
+          throw o;
+      }
+      if (!n)
+        try {
+          n = G.fromBytes(Se("sig", u), "compact");
+        } catch {
+          return !1;
+        }
+    }
+    return n || !1;
+  }
+  function z(u, n, a, i = {}) {
+    const { lowS: o, prehash: h, format: w } = ut(i, S);
+    if (a = Se("publicKey", a), n = L(Se("message", n), h), "strict" in i)
+      throw new Error("options.strict was renamed to lowS");
+    const s = w === void 0 ? W(u) : G.fromBytes(Se("sig", u), w);
+    if (s === !1)
+      return !1;
+    try {
+      const f = e.fromBytes(a);
+      if (o && s.hasHighS())
+        return !1;
+      const { r: y, s: B } = s, T = ie(n), k = g.inv(B), Y = g.create(T * k), I = g.create(y * k), q = e.BASE.multiplyUnsafe(Y).add(f.multiplyUnsafe(I));
+      return q.is0() ? !1 : g.create(q.x) === y;
+    } catch {
+      return !1;
+    }
+  }
+  function d(u, n, a = {}) {
+    const { prehash: i } = ut(a, S);
+    return n = L(n, i), G.fromBytes(u, "recovered").recoverPublicKey(n).toBytes();
+  }
+  return Object.freeze({
+    keygen: U,
+    getPublicKey: H,
+    getSharedSecret: V,
+    utils: E,
+    lengths: b,
+    Point: e,
+    sign: K,
+    verify: z,
+    recoverPublicKey: d,
+    Signature: G,
+    hash: r
+  });
+}
+function Pn(e) {
+  const r = {
+    a: e.a,
+    b: e.b,
+    p: e.Fp.ORDER,
+    n: e.n,
+    h: e.h,
+    Gx: e.Gx,
+    Gy: e.Gy
+  }, c = e.Fp;
+  let t = e.allowedPrivateKeyLengths ? Array.from(new Set(e.allowedPrivateKeyLengths.map((g) => Math.ceil(g / 2)))) : void 0;
+  const l = De(r.n, {
+    BITS: e.nBitLength,
+    allowedLengths: t,
+    modFromBytes: e.wrapPrivateKey
+  }), m = {
+    Fp: c,
+    Fn: l,
+    allowInfinityPoint: e.allowInfinityPoint,
+    endo: e.endo,
+    isTorsionFree: e.isTorsionFree,
+    clearCofactor: e.clearCofactor,
+    fromBytes: e.fromBytes,
+    toBytes: e.toBytes
+  };
+  return { CURVE: r, curveOpts: m };
+}
+function Xn(e) {
+  const { CURVE: r, curveOpts: c } = Pn(e), t = {
+    hmac: e.hmac,
+    randomBytes: e.randomBytes,
+    lowS: e.lowS,
+    bits2int: e.bits2int,
+    bits2int_modN: e.bits2int_modN
+  };
+  return { CURVE: r, curveOpts: c, hash: e.hash, ecdsaOpts: t };
+}
+function Gn(e, r) {
+  const c = r.Point;
+  return Object.assign({}, r, {
+    ProjectivePoint: c,
+    CURVE: Object.assign({}, e, nn(c.Fn.ORDER, c.Fn.BITS))
+  });
+}
+function Wn(e) {
+  const { CURVE: r, curveOpts: c, hash: t, ecdsaOpts: l } = Xn(e), m = zn(r, c), g = Yn(m, t, l);
+  return Gn(e, g);
+}
+function Qn(e, r) {
+  const c = (t) => Wn({ ...e, hash: t });
+  return { ...c(r), create: c };
+}
+const Bt = {
+  p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
+  n: BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
+  h: BigInt(1),
+  a: BigInt(0),
+  b: BigInt(7),
+  Gx: BigInt("0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
+  Gy: BigInt("0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
+}, Jn = {
+  beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
+  basises: [
+    [BigInt("0x3086d221a7d46bcde86c90e49284eb15"), -BigInt("0xe4437ed6010e88286f547fa90abfe4c3")],
+    [BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8"), BigInt("0x3086d221a7d46bcde86c90e49284eb15")]
+  ]
+}, Vt = /* @__PURE__ */ BigInt(2);
+function Fn(e) {
+  const r = Bt.p, c = BigInt(3), t = BigInt(6), l = BigInt(11), m = BigInt(22), g = BigInt(23), p = BigInt(44), v = BigInt(88), U = e * e * e % r, H = U * U * e % r, V = Re(H, c, r) * H % r, E = Re(V, c, r) * H % r, b = Re(E, Vt, r) * U % r, S = Re(b, l, r) * b % r, A = Re(S, m, r) * S % r, M = Re(A, p, r) * A % r, Q = Re(M, v, r) * M % r, F = Re(Q, p, r) * A % r, G = Re(F, c, r) * H % r, se = Re(G, g, r) * S % r, ie = Re(se, t, r) * U % r, j = Re(ie, Vt, r);
+  if (!ht.eql(ht.sqr(j), e))
+    throw new Error("Cannot find square root");
+  return j;
+}
+const ht = De(Bt.p, { sqrt: Fn }), or = Qn({ ...Bt, Fp: ht, lowS: !0, endo: Jn }, wn);
+export {
+  rr as F,
+  tr as a,
+  $e as b,
+  pn as c,
+  nr as d,
+  et as e,
+  qe as m,
+  er as r,
+  or as s
+};