npm - @coinbase/cdp-hooks - Versions diffs - 0.0.76 → 0.0.77 - Mend

@coinbase/cdp-hooks 0.0.76 → 0.0.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

package/dist/esm/index287.js CHANGED Viewed

@@ -1,203 +1,700 @@
-import { bitLen as B, bitMask as z } from "./index285.js";
-import { validateField as Z, Field as O, FpInvertBatch as R } from "./index259.js";
-const g = BigInt(0), h = BigInt(1);
-function b(t, r) {
-  const e = r.negate();
-  return t ? e : r;
+import { hmac as dt } from "./index289.js";
+import { _validateObject as at, bitMask as ft, abool as Q, ensureBytes as z, memoized as nt, createHmacDrbg as ht, bytesToNumberBE as ct, numberToHexUnpadded as M, aInRange as mt } from "./index288.js";
+import { _createCurveFields as wt, wNAF as yt, normalizeZ as pt, pippenger as gt, mulEndoUnsafe as Et, negateCt as ot } from "./index290.js";
+import { Field as bt, mapHashToField as vt, getMinHashLength as Bt } from "./index267.js";
+import { concatBytes as I, abytes as it, bytesToHex as rt, hexToBytes as xt, randomBytes as St, isBytes as Rt } from "./index272.js";
+function st(e) {
+  e.lowS !== void 0 && Q("lowS", e.lowS), e.prehash !== void 0 && Q("prehash", e.prehash);
 }
-function L(t, r, e) {
-  const n = (s) => s.pz, i = R(t.Fp, e.map(n));
-  return e.map((s, f) => s.toAffine(i[f])).map(t.fromAffine);
-}
-function I(t, r) {
-  if (!Number.isSafeInteger(t) || t <= 0 || t > r)
-    throw new Error("invalid window size, expected [1.." + r + "], got W=" + t);
+class Ot extends Error {
+  constructor(i = "") {
+    super(i);
+  }
 }
-function E(t, r) {
-  I(t, r);
-  const e = Math.ceil(r / t) + 1, n = 2 ** (t - 1), i = 2 ** t, o = z(t), s = BigInt(t);
-  return { windows: e, windowSize: n, mask: o, maxNumber: i, shiftBy: s };
+const F = {
+  // asn.1 DER encoding utils
+  Err: Ot,
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (e, i) => {
+      const { Err: t } = F;
+      if (e < 0 || e > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (i.length & 1)
+        throw new t("tlv.encode: unpadded data");
+      const w = i.length / 2, p = M(w);
+      if (p.length / 2 & 128)
+        throw new t("tlv.encode: long form length too big");
+      const b = w > 127 ? M(p.length / 2 | 128) : "";
+      return M(e) + b + p + i;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(e, i) {
+      const { Err: t } = F;
+      let w = 0;
+      if (e < 0 || e > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (i.length < 2 || i[w++] !== e)
+        throw new t("tlv.decode: wrong tlv");
+      const p = i[w++], b = !!(p & 128);
+      let u = 0;
+      if (!b)
+        u = p;
+      else {
+        const S = p & 127;
+        if (!S)
+          throw new t("tlv.decode(long): indefinite length not supported");
+        if (S > 4)
+          throw new t("tlv.decode(long): byte length is too big");
+        const N = i.subarray(w, w + S);
+        if (N.length !== S)
+          throw new t("tlv.decode: length bytes not complete");
+        if (N[0] === 0)
+          throw new t("tlv.decode(long): zero leftmost byte");
+        for (const q of N)
+          u = u << 8 | q;
+        if (w += S, u < 128)
+          throw new t("tlv.decode(long): not minimal encoding");
+      }
+      const x = i.subarray(w, w + u);
+      if (x.length !== u)
+        throw new t("tlv.decode: wrong value length");
+      return { v: x, l: i.subarray(w + u) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(e) {
+      const { Err: i } = F;
+      if (e < U)
+        throw new i("integer: negative integers are not allowed");
+      let t = M(e);
+      if (Number.parseInt(t[0], 16) & 8 && (t = "00" + t), t.length & 1)
+        throw new i("unexpected DER parsing assertion: unpadded hex");
+      return t;
+    },
+    decode(e) {
+      const { Err: i } = F;
+      if (e[0] & 128)
+        throw new i("invalid signature integer: negative");
+      if (e[0] === 0 && !(e[1] & 128))
+        throw new i("invalid signature integer: unnecessary leading zero");
+      return ct(e);
+    }
+  },
+  toSig(e) {
+    const { Err: i, _int: t, _tlv: w } = F, p = z("signature", e), { v: b, l: u } = w.decode(48, p);
+    if (u.length)
+      throw new i("invalid signature: left bytes after parsing");
+    const { v: x, l: S } = w.decode(2, b), { v: N, l: q } = w.decode(2, S);
+    if (q.length)
+      throw new i("invalid signature: left bytes after parsing");
+    return { r: t.decode(x), s: t.decode(N) };
+  },
+  hexFromSig(e) {
+    const { _tlv: i, _int: t } = F, w = i.encode(2, t.encode(e.r)), p = i.encode(2, t.encode(e.s)), b = w + p;
+    return i.encode(48, b);
+  }
+}, U = BigInt(0), k = BigInt(1), At = BigInt(2), W = BigInt(3), Zt = BigInt(4);
+function Tt(e, i, t) {
+  function w(p) {
+    const b = e.sqr(p), u = e.mul(b, p);
+    return e.add(e.add(u, e.mul(p, i)), t);
+  }
+  return w;
 }
-function v(t, r, e) {
-  const { windowSize: n, mask: i, maxNumber: o, shiftBy: s } = e;
-  let f = Number(t & i), a = t >> s;
-  f > n && (f -= o, a += h);
-  const d = r * n, c = d + Math.abs(f) - 1, p = f === 0, l = f < 0, u = r % 2 !== 0;
-  return { nextN: a, offset: c, isZero: p, isNeg: l, isNegF: u, offsetF: d };
+function lt(e, i, t) {
+  const { BYTES: w } = e;
+  function p(b) {
+    let u;
+    if (typeof b == "bigint")
+      u = b;
+    else {
+      let x = z("private key", b);
+      if (i) {
+        if (!i.includes(x.length * 2))
+          throw new Error("invalid private key");
+        const S = new Uint8Array(w);
+        S.set(x, S.length - x.length), x = S;
+      }
+      try {
+        u = e.fromBytes(x);
+      } catch {
+        throw new Error(`invalid private key: expected ui8a of size ${w}, got ${typeof b}`);
+      }
+    }
+    if (t && (u = e.create(u)), !e.isValidNot0(u))
+      throw new Error("invalid private key: out of range [1..N-1]");
+    return u;
+  }
+  return p;
 }
-function j(t, r) {
-  if (!Array.isArray(t))
-    throw new Error("array expected");
-  t.forEach((e, n) => {
-    if (!(e instanceof r))
-      throw new Error("invalid point at index " + n);
+function zt(e, i = {}) {
+  const { Fp: t, Fn: w } = wt("weierstrass", e, i), { h: p, n: b } = e;
+  at(i, {}, {
+    allowInfinityPoint: "boolean",
+    clearCofactor: "function",
+    isTorsionFree: "function",
+    fromBytes: "function",
+    toBytes: "function",
+    endo: "object",
+    wrapPrivateKey: "boolean"
   });
-}
-function _(t, r) {
-  if (!Array.isArray(t))
-    throw new Error("array of scalars expected");
-  t.forEach((e, n) => {
-    if (!r.isValid(e))
-      throw new Error("invalid scalar at index " + n);
+  const { endo: u } = i;
+  if (u && (!t.is0(e.a) || typeof u.beta != "bigint" || typeof u.splitScalar != "function"))
+    throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+  function x() {
+    if (!t.isOdd)
+      throw new Error("compression is not supported: Field does not have .isOdd()");
+  }
+  function S(v, r, s) {
+    const { x: n, y: o } = r.toAffine(), a = t.toBytes(n);
+    if (Q("isCompressed", s), s) {
+      x();
+      const d = !t.isOdd(o);
+      return I(ut(d), a);
+    } else
+      return I(Uint8Array.of(4), a, t.toBytes(o));
+  }
+  function N(v) {
+    it(v);
+    const r = t.BYTES, s = r + 1, n = 2 * r + 1, o = v.length, a = v[0], d = v.subarray(1);
+    if (o === s && (a === 2 || a === 3)) {
+      const c = t.fromBytes(d);
+      if (!t.isValid(c))
+        throw new Error("bad point: is not on curve, wrong x");
+      const l = T(c);
+      let h;
+      try {
+        h = t.sqrt(l);
+      } catch (g) {
+        const m = g instanceof Error ? ": " + g.message : "";
+        throw new Error("bad point: is not on curve, sqrt error" + m);
+      }
+      x();
+      const f = t.isOdd(h);
+      return (a & 1) === 1 !== f && (h = t.neg(h)), { x: c, y: h };
+    } else if (o === n && a === 4) {
+      const c = t.fromBytes(d.subarray(r * 0, r * 1)), l = t.fromBytes(d.subarray(r * 1, r * 2));
+      if (!L(c, l))
+        throw new Error("bad point: is not on curve");
+      return { x: c, y: l };
+    } else
+      throw new Error(`bad point: got length ${o}, expected compressed=${s} or uncompressed=${n}`);
+  }
+  const q = i.toBytes || S, C = i.fromBytes || N, T = Tt(t, e.a, e.b);
+  function L(v, r) {
+    const s = t.sqr(r), n = T(v);
+    return t.eql(s, n);
+  }
+  if (!L(e.Gx, e.Gy))
+    throw new Error("bad curve params: generator point");
+  const J = t.mul(t.pow(e.a, W), Zt), tt = t.mul(t.sqr(e.b), BigInt(27));
+  if (t.is0(t.add(J, tt)))
+    throw new Error("bad curve params: a or b");
+  function K(v, r, s = !1) {
+    if (!t.isValid(r) || s && t.is0(r))
+      throw new Error(`bad point coordinate ${v}`);
+    return r;
+  }
+  function G(v) {
+    if (!(v instanceof y))
+      throw new Error("ProjectivePoint expected");
+  }
+  const X = nt((v, r) => {
+    const { px: s, py: n, pz: o } = v;
+    if (t.eql(o, t.ONE))
+      return { x: s, y: n };
+    const a = v.is0();
+    r == null && (r = a ? t.ONE : t.inv(o));
+    const d = t.mul(s, r), c = t.mul(n, r), l = t.mul(o, r);
+    if (a)
+      return { x: t.ZERO, y: t.ZERO };
+    if (!t.eql(l, t.ONE))
+      throw new Error("invZ was invalid");
+    return { x: d, y: c };
+  }), V = nt((v) => {
+    if (v.is0()) {
+      if (i.allowInfinityPoint && !t.is0(v.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x: r, y: s } = v.toAffine();
+    if (!t.isValid(r) || !t.isValid(s))
+      throw new Error("bad point: x or y not field elements");
+    if (!L(r, s))
+      throw new Error("bad point: equation left != right");
+    if (!v.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return !0;
   });
-}
-const N = /* @__PURE__ */ new WeakMap(), M = /* @__PURE__ */ new WeakMap();
-function A(t) {
-  return M.get(t) || 1;
-}
-function S(t) {
-  if (t !== g)
-    throw new Error("invalid wNAF");
-}
-function U(t, r) {
-  return {
-    constTimeNegate: b,
-    hasPrecomputes(e) {
-      return A(e) !== 1;
-    },
-    // non-const time multiplication ladder
-    unsafeLadder(e, n, i = t.ZERO) {
-      let o = e;
-      for (; n > g; )
-        n & h && (i = i.add(o)), o = o.double(), n >>= h;
-      return i;
-    },
+  function $(v, r, s, n, o) {
+    return s = new y(t.mul(s.px, v), s.py, s.pz), r = ot(n, r), s = ot(o, s), r.add(s);
+  }
+  class y {
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    constructor(r, s, n) {
+      this.px = K("x", r), this.py = K("y", s, !0), this.pz = K("z", n), Object.freeze(this);
+    }
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    static fromAffine(r) {
+      const { x: s, y: n } = r || {};
+      if (!r || !t.isValid(s) || !t.isValid(n))
+        throw new Error("invalid affine point");
+      if (r instanceof y)
+        throw new Error("projective point not allowed");
+      return t.is0(s) && t.is0(n) ? y.ZERO : new y(s, n, t.ONE);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    static normalizeZ(r) {
+      return pt(y, "pz", r);
+    }
+    static fromBytes(r) {
+      return it(r), y.fromHex(r);
+    }
+    /** Converts hash string or Uint8Array to Point. */
+    static fromHex(r) {
+      const s = y.fromAffine(C(z("pointHex", r)));
+      return s.assertValidity(), s;
+    }
+    /** Multiplies generator point by privateKey. */
+    static fromPrivateKey(r) {
+      const s = lt(w, i.allowedPrivateKeyLengths, i.wrapPrivateKey);
+      return y.BASE.multiply(s(r));
+    }
+    /** Multiscalar Multiplication */
+    static msm(r, s) {
+      return gt(y, w, r, s);
+    }
     /**
-     * Creates a wNAF precomputation window. Used for caching.
-     * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Number of precomputed points depends on the curve size:
-     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-     * - 𝑊 is the window size
-     * - 𝑛 is the bitlength of the curve order.
-     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-     * @param elm Point instance
-     * @param W window size
-     * @returns precomputed point tables flattened to a single array
+     *
+     * @param windowSize
+     * @param isLazy true will defer table computation until the first multiplication
+     * @returns
      */
-    precomputeWindow(e, n) {
-      const { windows: i, windowSize: o } = E(n, r), s = [];
-      let f = e, a = f;
-      for (let d = 0; d < i; d++) {
-        a = f, s.push(a);
-        for (let c = 1; c < o; c++)
-          a = a.add(f), s.push(a);
-        f = a.double();
-      }
-      return s;
-    },
+    precompute(r = 8, s = !0) {
+      return _.setWindowSize(this, r), s || this.multiply(W), this;
+    }
+    /** "Private method", don't use it directly */
+    _setWindowSize(r) {
+      this.precompute(r);
+    }
+    // TODO: return `this`
+    /** A point on curve is valid if it conforms to equation. */
+    assertValidity() {
+      V(this);
+    }
+    hasEvenY() {
+      const { y: r } = this.toAffine();
+      if (!t.isOdd)
+        throw new Error("Field doesn't support isOdd");
+      return !t.isOdd(r);
+    }
+    /** Compare one point to another. */
+    equals(r) {
+      G(r);
+      const { px: s, py: n, pz: o } = this, { px: a, py: d, pz: c } = r, l = t.eql(t.mul(s, c), t.mul(a, o)), h = t.eql(t.mul(n, c), t.mul(d, o));
+      return l && h;
+    }
+    /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
+    negate() {
+      return new y(this.px, t.neg(this.py), this.pz);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a: r, b: s } = e, n = t.mul(s, W), { px: o, py: a, pz: d } = this;
+      let c = t.ZERO, l = t.ZERO, h = t.ZERO, f = t.mul(o, o), B = t.mul(a, a), g = t.mul(d, d), m = t.mul(o, a);
+      return m = t.add(m, m), h = t.mul(o, d), h = t.add(h, h), c = t.mul(r, h), l = t.mul(n, g), l = t.add(c, l), c = t.sub(B, l), l = t.add(B, l), l = t.mul(c, l), c = t.mul(m, c), h = t.mul(n, h), g = t.mul(r, g), m = t.sub(f, g), m = t.mul(r, m), m = t.add(m, h), h = t.add(f, f), f = t.add(h, f), f = t.add(f, g), f = t.mul(f, m), l = t.add(l, f), g = t.mul(a, d), g = t.add(g, g), f = t.mul(g, m), c = t.sub(c, f), h = t.mul(g, B), h = t.add(h, h), h = t.add(h, h), new y(c, l, h);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(r) {
+      G(r);
+      const { px: s, py: n, pz: o } = this, { px: a, py: d, pz: c } = r;
+      let l = t.ZERO, h = t.ZERO, f = t.ZERO;
+      const B = e.a, g = t.mul(e.b, W);
+      let m = t.mul(s, a), R = t.mul(n, d), O = t.mul(o, c), A = t.add(s, n), E = t.add(a, d);
+      A = t.mul(A, E), E = t.add(m, R), A = t.sub(A, E), E = t.add(s, o);
+      let Z = t.add(a, c);
+      return E = t.mul(E, Z), Z = t.add(m, O), E = t.sub(E, Z), Z = t.add(n, o), l = t.add(d, c), Z = t.mul(Z, l), l = t.add(R, O), Z = t.sub(Z, l), f = t.mul(B, E), l = t.mul(g, O), f = t.add(l, f), l = t.sub(R, f), f = t.add(R, f), h = t.mul(l, f), R = t.add(m, m), R = t.add(R, m), O = t.mul(B, O), E = t.mul(g, E), R = t.add(R, O), O = t.sub(m, O), O = t.mul(B, O), E = t.add(E, O), m = t.mul(R, E), h = t.add(h, m), m = t.mul(Z, E), l = t.mul(A, l), l = t.sub(l, m), m = t.mul(A, R), f = t.mul(Z, f), f = t.add(f, m), new y(l, h, f);
+    }
+    subtract(r) {
+      return this.add(r.negate());
+    }
+    is0() {
+      return this.equals(y.ZERO);
+    }
     /**
-     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @returns real and fake (for const-time) points
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
      */
-    wNAF(e, n, i) {
-      let o = t.ZERO, s = t.BASE;
-      const f = E(e, r);
-      for (let a = 0; a < f.windows; a++) {
-        const { nextN: d, offset: c, isZero: p, isNeg: l, isNegF: u, offsetF: m } = v(i, a, f);
-        i = d, p ? s = s.add(b(u, n[m])) : o = o.add(b(l, n[c]));
+    multiply(r) {
+      const { endo: s } = i;
+      if (!w.isValidNot0(r))
+        throw new Error("invalid scalar: out of range");
+      let n, o;
+      const a = (d) => _.wNAFCached(this, d, y.normalizeZ);
+      if (s) {
+        const { k1neg: d, k1: c, k2neg: l, k2: h } = s.splitScalar(r), { p: f, f: B } = a(c), { p: g, f: m } = a(h);
+        o = B.add(m), n = $(s.beta, f, g, d, l);
+      } else {
+        const { p: d, f: c } = a(r);
+        n = d, o = c;
       }
-      return S(i), { p: o, f: s };
-    },
+      return y.normalizeZ([n, o])[0];
+    }
     /**
-     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @param acc accumulator point to add result of multiplication
-     * @returns point
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed private key e.g. sig verification, which works over *public* keys.
      */
-    wNAFUnsafe(e, n, i, o = t.ZERO) {
-      const s = E(e, r);
-      for (let f = 0; f < s.windows && i !== g; f++) {
-        const { nextN: a, offset: d, isZero: c, isNeg: p } = v(i, f, s);
-        if (i = a, !c) {
-          const l = n[d];
-          o = o.add(p ? l.negate() : l);
-        }
+    multiplyUnsafe(r) {
+      const { endo: s } = i, n = this;
+      if (!w.isValid(r))
+        throw new Error("invalid scalar: out of range");
+      if (r === U || n.is0())
+        return y.ZERO;
+      if (r === k)
+        return n;
+      if (_.hasPrecomputes(this))
+        return this.multiply(r);
+      if (s) {
+        const { k1neg: o, k1: a, k2neg: d, k2: c } = s.splitScalar(r), { p1: l, p2: h } = Et(y, n, a, c);
+        return $(s.beta, l, h, o, d);
+      } else
+        return _.wNAFCachedUnsafe(n, r);
+    }
+    multiplyAndAddUnsafe(r, s, n) {
+      const o = this.multiplyUnsafe(s).add(r.multiplyUnsafe(n));
+      return o.is0() ? void 0 : o;
+    }
+    /**
+     * Converts Projective point to affine (x, y) coordinates.
+     * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+     */
+    toAffine(r) {
+      return X(this, r);
+    }
+    /**
+     * Checks whether Point is free of torsion elements (is in prime subgroup).
+     * Always torsion-free for cofactor=1 curves.
+     */
+    isTorsionFree() {
+      const { isTorsionFree: r } = i;
+      return p === k ? !0 : r ? r(y, this) : _.wNAFCachedUnsafe(this, b).is0();
+    }
+    clearCofactor() {
+      const { clearCofactor: r } = i;
+      return p === k ? this : r ? r(y, this) : this.multiplyUnsafe(p);
+    }
+    toBytes(r = !0) {
+      return Q("isCompressed", r), this.assertValidity(), q(y, this, r);
+    }
+    /** @deprecated use `toBytes` */
+    toRawBytes(r = !0) {
+      return this.toBytes(r);
+    }
+    toHex(r = !0) {
+      return rt(this.toBytes(r));
+    }
+    toString() {
+      return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+    }
+  }
+  y.BASE = new y(e.Gx, e.Gy, t.ONE), y.ZERO = new y(t.ZERO, t.ONE, t.ZERO), y.Fp = t, y.Fn = w;
+  const P = w.BITS, _ = yt(y, i.endo ? Math.ceil(P / 2) : P);
+  return y;
+}
+function ut(e) {
+  return Uint8Array.of(e ? 2 : 3);
+}
+function Nt(e, i, t = {}) {
+  at(i, { hash: "function" }, {
+    hmac: "function",
+    lowS: "boolean",
+    randomBytes: "function",
+    bits2int: "function",
+    bits2int_modN: "function"
+  });
+  const w = i.randomBytes || St, p = i.hmac || ((n, ...o) => dt(i.hash, n, I(...o))), { Fp: b, Fn: u } = e, { ORDER: x, BITS: S } = u;
+  function N(n) {
+    const o = x >> k;
+    return n > o;
+  }
+  function q(n) {
+    return N(n) ? u.neg(n) : n;
+  }
+  function C(n, o) {
+    if (!u.isValidNot0(o))
+      throw new Error(`invalid signature ${n}: out of range 1..CURVE.n`);
+  }
+  class T {
+    constructor(o, a, d) {
+      C("r", o), C("s", a), this.r = o, this.s = a, d != null && (this.recovery = d), Object.freeze(this);
+    }
+    // pair (bytes of r, bytes of s)
+    static fromCompact(o) {
+      const a = u.BYTES, d = z("compactSignature", o, a * 2);
+      return new T(u.fromBytes(d.subarray(0, a)), u.fromBytes(d.subarray(a, a * 2)));
+    }
+    // DER encoded ECDSA signature
+    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
+    static fromDER(o) {
+      const { r: a, s: d } = F.toSig(z("DER", o));
+      return new T(a, d);
+    }
+    /**
+     * @todo remove
+     * @deprecated
+     */
+    assertValidity() {
+    }
+    addRecoveryBit(o) {
+      return new T(this.r, this.s, o);
+    }
+    // ProjPointType<bigint>
+    recoverPublicKey(o) {
+      const a = b.ORDER, { r: d, s: c, recovery: l } = this;
+      if (l == null || ![0, 1, 2, 3].includes(l))
+        throw new Error("recovery id invalid");
+      if (x * At < a && l > 1)
+        throw new Error("recovery id is ambiguous for h>1 curve");
+      const f = l === 2 || l === 3 ? d + x : d;
+      if (!b.isValid(f))
+        throw new Error("recovery id 2 or 3 invalid");
+      const B = b.toBytes(f), g = e.fromHex(I(ut((l & 1) === 0), B)), m = u.inv(f), R = V(z("msgHash", o)), O = u.create(-R * m), A = u.create(c * m), E = e.BASE.multiplyUnsafe(O).add(g.multiplyUnsafe(A));
+      if (E.is0())
+        throw new Error("point at infinify");
+      return E.assertValidity(), E;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return N(this.s);
+    }
+    normalizeS() {
+      return this.hasHighS() ? new T(this.r, u.neg(this.s), this.recovery) : this;
+    }
+    toBytes(o) {
+      if (o === "compact")
+        return I(u.toBytes(this.r), u.toBytes(this.s));
+      if (o === "der")
+        return xt(F.hexFromSig(this));
+      throw new Error("invalid format");
+    }
+    // DER-encoded
+    toDERRawBytes() {
+      return this.toBytes("der");
+    }
+    toDERHex() {
+      return rt(this.toBytes("der"));
+    }
+    // padded bytes of r, then padded bytes of s
+    toCompactRawBytes() {
+      return this.toBytes("compact");
+    }
+    toCompactHex() {
+      return rt(this.toBytes("compact"));
+    }
+  }
+  const L = lt(u, t.allowedPrivateKeyLengths, t.wrapPrivateKey), J = {
+    isValidPrivateKey(n) {
+      try {
+        return L(n), !0;
+      } catch {
+        return !1;
       }
-      return S(i), o;
     },
-    getPrecomputes(e, n, i) {
-      let o = N.get(n);
-      return o || (o = this.precomputeWindow(n, e), e !== 1 && (typeof i == "function" && (o = i(o)), N.set(n, o))), o;
-    },
-    wNAFCached(e, n, i) {
-      const o = A(e);
-      return this.wNAF(o, this.getPrecomputes(o, e, i), n);
-    },
-    wNAFCachedUnsafe(e, n, i, o) {
-      const s = A(e);
-      return s === 1 ? this.unsafeLadder(e, n, o) : this.wNAFUnsafe(s, this.getPrecomputes(s, e, i), n, o);
+    normPrivateKeyToScalar: L,
+    /**
+     * Produces cryptographically secure private key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    randomPrivateKey: () => {
+      const n = x;
+      return vt(w(Bt(n)), n);
     },
-    // We calculate precomputes for elliptic curve point multiplication
-    // using windowed method. This specifies window size and
-    // stores precomputed values. Usually only base point would be precomputed.
-    setWindowSize(e, n) {
-      I(n, r), M.set(e, n), N.delete(e);
+    precompute(n = 8, o = e.BASE) {
+      return o.precompute(n, !1);
     }
   };
+  function tt(n, o = !0) {
+    return e.fromPrivateKey(n).toBytes(o);
+  }
+  function K(n) {
+    if (typeof n == "bigint")
+      return !1;
+    if (n instanceof e)
+      return !0;
+    const a = z("key", n).length, d = b.BYTES, c = d + 1, l = 2 * d + 1;
+    if (!(t.allowedPrivateKeyLengths || u.BYTES === c))
+      return a === c || a === l;
+  }
+  function G(n, o, a = !0) {
+    if (K(n) === !0)
+      throw new Error("first arg must be private key");
+    if (K(o) === !1)
+      throw new Error("second arg must be public key");
+    return e.fromHex(o).multiply(L(n)).toBytes(a);
+  }
+  const X = i.bits2int || function(n) {
+    if (n.length > 8192)
+      throw new Error("input is too large");
+    const o = ct(n), a = n.length * 8 - S;
+    return a > 0 ? o >> BigInt(a) : o;
+  }, V = i.bits2int_modN || function(n) {
+    return u.create(X(n));
+  }, $ = ft(S);
+  function y(n) {
+    return mt("num < 2^" + S, n, U, $), u.toBytes(n);
+  }
+  function P(n, o, a = _) {
+    if (["recovered", "canonical"].some((A) => A in a))
+      throw new Error("sign() legacy options not supported");
+    const { hash: d } = i;
+    let { lowS: c, prehash: l, extraEntropy: h } = a;
+    c == null && (c = !0), n = z("msgHash", n), st(a), l && (n = z("prehashed msgHash", d(n)));
+    const f = V(n), B = L(o), g = [y(B), y(f)];
+    if (h != null && h !== !1) {
+      const A = h === !0 ? w(b.BYTES) : h;
+      g.push(z("extraEntropy", A));
+    }
+    const m = I(...g), R = f;
+    function O(A) {
+      const E = X(A);
+      if (!u.isValidNot0(E))
+        return;
+      const Z = u.inv(E), j = e.BASE.multiply(E).toAffine(), Y = u.create(j.x);
+      if (Y === U)
+        return;
+      const H = u.create(Z * u.create(R + Y * B));
+      if (H === U)
+        return;
+      let et = (j.x === Y ? 0 : 2) | Number(j.y & k), D = H;
+      return c && N(H) && (D = q(H), et ^= 1), new T(Y, D, et);
+    }
+    return { seed: m, k2sig: O };
+  }
+  const _ = { lowS: i.lowS, prehash: !1 }, v = { lowS: i.lowS, prehash: !1 };
+  function r(n, o, a = _) {
+    const { seed: d, k2sig: c } = P(n, o, a);
+    return ht(i.hash.outputLen, u.BYTES, p)(d, c);
+  }
+  e.BASE.precompute(8);
+  function s(n, o, a, d = v) {
+    const c = n;
+    o = z("msgHash", o), a = z("publicKey", a), st(d);
+    const { lowS: l, prehash: h, format: f } = d;
+    if ("strict" in d)
+      throw new Error("options.strict was renamed to lowS");
+    if (f !== void 0 && !["compact", "der", "js"].includes(f))
+      throw new Error('format must be "compact", "der" or "js"');
+    const B = typeof c == "string" || Rt(c), g = !B && !f && typeof c == "object" && c !== null && typeof c.r == "bigint" && typeof c.s == "bigint";
+    if (!B && !g)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    let m, R;
+    try {
+      if (g)
+        if (f === void 0 || f === "js")
+          m = new T(c.r, c.s);
+        else
+          throw new Error("invalid format");
+      if (B) {
+        try {
+          f !== "compact" && (m = T.fromDER(c));
+        } catch (D) {
+          if (!(D instanceof F.Err))
+            throw D;
+        }
+        !m && f !== "der" && (m = T.fromCompact(c));
+      }
+      R = e.fromHex(a);
+    } catch {
+      return !1;
+    }
+    if (!m || l && m.hasHighS())
+      return !1;
+    h && (o = i.hash(o));
+    const { r: O, s: A } = m, E = V(o), Z = u.inv(A), j = u.create(E * Z), Y = u.create(O * Z), H = e.BASE.multiplyUnsafe(j).add(R.multiplyUnsafe(Y));
+    return H.is0() ? !1 : u.create(H.x) === O;
+  }
+  return Object.freeze({
+    getPublicKey: tt,
+    getSharedSecret: G,
+    sign: r,
+    verify: s,
+    utils: J,
+    Point: e,
+    Signature: T
+  });
 }
-function $(t, r, e, n) {
-  let i = r, o = t.ZERO, s = t.ZERO;
-  for (; e > g || n > g; )
-    e & h && (o = o.add(i)), n & h && (s = s.add(i)), i = i.double(), e >>= h, n >>= h;
-  return { p1: o, p2: s };
+function Ft(e) {
+  const i = {
+    a: e.a,
+    b: e.b,
+    p: e.Fp.ORDER,
+    n: e.n,
+    h: e.h,
+    Gx: e.Gx,
+    Gy: e.Gy
+  }, t = e.Fp, w = bt(i.n, e.nBitLength), p = {
+    Fp: t,
+    Fn: w,
+    allowedPrivateKeyLengths: e.allowedPrivateKeyLengths,
+    allowInfinityPoint: e.allowInfinityPoint,
+    endo: e.endo,
+    wrapPrivateKey: e.wrapPrivateKey,
+    isTorsionFree: e.isTorsionFree,
+    clearCofactor: e.clearCofactor,
+    fromBytes: e.fromBytes,
+    toBytes: e.toBytes
+  };
+  return { CURVE: i, curveOpts: p };
 }
-function D(t, r, e, n) {
-  j(e, t), _(n, r);
-  const i = e.length, o = n.length;
-  if (i !== o)
-    throw new Error("arrays of points and scalars must have equal length");
-  const s = t.ZERO, f = B(BigInt(i));
-  let a = 1;
-  f > 12 ? a = f - 3 : f > 4 ? a = f - 2 : f > 0 && (a = 2);
-  const d = z(a), c = new Array(Number(d) + 1).fill(s), p = Math.floor((r.BITS - 1) / a) * a;
-  let l = s;
-  for (let u = p; u >= 0; u -= a) {
-    c.fill(s);
-    for (let w = 0; w < o; w++) {
-      const F = n[w], y = Number(F >> BigInt(u) & d);
-      c[y] = c[y].add(e[w]);
-    }
-    let m = s;
-    for (let w = c.length - 1, F = s; w > 0; w--)
-      F = F.add(c[w]), m = m.add(F);
-    if (l = l.add(m), u !== 0)
-      for (let w = 0; w < a; w++)
-        l = l.double();
-  }
-  return l;
+function Lt(e) {
+  const { CURVE: i, curveOpts: t } = Ft(e), w = {
+    hash: e.hash,
+    hmac: e.hmac,
+    randomBytes: e.randomBytes,
+    lowS: e.lowS,
+    bits2int: e.bits2int,
+    bits2int_modN: e.bits2int_modN
+  };
+  return { CURVE: i, curveOpts: t, ecdsaOpts: w };
 }
-function x(t, r) {
-  if (r) {
-    if (r.ORDER !== t)
-      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
-    return Z(r), r;
-  } else
-    return O(t);
+function _t(e, i) {
+  return Object.assign({}, i, {
+    ProjectivePoint: i.Point,
+    CURVE: e
+  });
 }
-function G(t, r, e = {}) {
-  if (!r || typeof r != "object")
-    throw new Error(`expected valid ${t} CURVE object`);
-  for (const f of ["p", "n", "h"]) {
-    const a = r[f];
-    if (!(typeof a == "bigint" && a > g))
-      throw new Error(`CURVE.${f} must be positive bigint`);
-  }
-  const n = x(r.p, e.Fp), i = x(r.n, e.Fn), s = ["Gx", "Gy", "a", "b"];
-  for (const f of s)
-    if (!n.isValid(r[f]))
-      throw new Error(`CURVE.${f} must be valid field element of CURVE.Fp`);
-  return { Fp: n, Fn: i };
+function It(e) {
+  const { CURVE: i, curveOpts: t, ecdsaOpts: w } = Lt(e), p = zt(i, t), b = Nt(p, w, t);
+  return _t(e, b);
 }
 export {
-  G as _createCurveFields,
-  $ as mulEndoUnsafe,
-  b as negateCt,
-  L as normalizeZ,
-  D as pippenger,
-  U as wNAF
+  F as DER,
+  Ot as DERErr,
+  Tt as _legacyHelperEquat,
+  lt as _legacyHelperNormPriv,
+  Nt as ecdsa,
+  It as weierstrass,
+  zt as weierstrassN
 };