@didcid/cipher 0.1.3

package/dist/cjs/cipher-base-D2GtcXrx.cjs

@@ -0,0 +1,1695 @@
+'use strict';
+
+var bip39 = require('bip39');
+var secp = require('@noble/secp256k1');
+var canonicalizeModule = require('canonicalize');
+
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var bip39__namespace = /*#__PURE__*/_interopNamespaceDefault(bip39);
+var secp__namespace = /*#__PURE__*/_interopNamespaceDefault(secp);
+
+/**
+ * Class represents both BaseEncoder and MultibaseEncoder meaning it
+ * can be used to encode to multibase or base encode without multibase
+ * prefix.
+ */
+class Encoder {
+    name;
+    prefix;
+    baseEncode;
+    constructor(name, prefix, baseEncode) {
+        this.name = name;
+        this.prefix = prefix;
+        this.baseEncode = baseEncode;
+    }
+    encode(bytes) {
+        if (bytes instanceof Uint8Array) {
+            return `${this.prefix}${this.baseEncode(bytes)}`;
+        }
+        else {
+            throw Error('Unknown type, must be binary type');
+        }
+    }
+}
+/**
+ * Class represents both BaseDecoder and MultibaseDecoder so it could be used
+ * to decode multibases (with matching prefix) or just base decode strings
+ * with corresponding base encoding.
+ */
+class Decoder {
+    name;
+    prefix;
+    baseDecode;
+    prefixCodePoint;
+    constructor(name, prefix, baseDecode) {
+        this.name = name;
+        this.prefix = prefix;
+        const prefixCodePoint = prefix.codePointAt(0);
+        /* c8 ignore next 3 */
+        if (prefixCodePoint === undefined) {
+            throw new Error('Invalid prefix character');
+        }
+        this.prefixCodePoint = prefixCodePoint;
+        this.baseDecode = baseDecode;
+    }
+    decode(text) {
+        if (typeof text === 'string') {
+            if (text.codePointAt(0) !== this.prefixCodePoint) {
+                throw Error(`Unable to decode multibase string ${JSON.stringify(text)}, ${this.name} decoder only supports inputs prefixed with ${this.prefix}`);
+            }
+            return this.baseDecode(text.slice(this.prefix.length));
+        }
+        else {
+            throw Error('Can only multibase decode strings');
+        }
+    }
+    or(decoder) {
+        return or(this, decoder);
+    }
+}
+class ComposedDecoder {
+    decoders;
+    constructor(decoders) {
+        this.decoders = decoders;
+    }
+    or(decoder) {
+        return or(this, decoder);
+    }
+    decode(input) {
+        const prefix = input[0];
+        const decoder = this.decoders[prefix];
+        if (decoder != null) {
+            return decoder.decode(input);
+        }
+        else {
+            throw RangeError(`Unable to decode multibase string ${JSON.stringify(input)}, only inputs prefixed with ${Object.keys(this.decoders)} are supported`);
+        }
+    }
+}
+function or(left, right) {
+    return new ComposedDecoder({
+        ...(left.decoders ?? { [left.prefix]: left }),
+        ...(right.decoders ?? { [right.prefix]: right })
+    });
+}
+class Codec {
+    name;
+    prefix;
+    baseEncode;
+    baseDecode;
+    encoder;
+    decoder;
+    constructor(name, prefix, baseEncode, baseDecode) {
+        this.name = name;
+        this.prefix = prefix;
+        this.baseEncode = baseEncode;
+        this.baseDecode = baseDecode;
+        this.encoder = new Encoder(name, prefix, baseEncode);
+        this.decoder = new Decoder(name, prefix, baseDecode);
+    }
+    encode(input) {
+        return this.encoder.encode(input);
+    }
+    decode(input) {
+        return this.decoder.decode(input);
+    }
+}
+function from({ name, prefix, encode, decode }) {
+    return new Codec(name, prefix, encode, decode);
+}
+function decode(string, alphabetIdx, bitsPerChar, name) {
+    // Count the padding bytes:
+    let end = string.length;
+    while (string[end - 1] === '=') {
+        --end;
+    }
+    // Allocate the output:
+    const out = new Uint8Array((end * bitsPerChar / 8) | 0);
+    // Parse the data:
+    let bits = 0; // Number of bits currently in the buffer
+    let buffer = 0; // Bits waiting to be written out, MSB first
+    let written = 0; // Next byte to write
+    for (let i = 0; i < end; ++i) {
+        // Read one character from the string:
+        const value = alphabetIdx[string[i]];
+        if (value === undefined) {
+            throw new SyntaxError(`Non-${name} character`);
+        }
+        // Append the bits to the buffer:
+        buffer = (buffer << bitsPerChar) | value;
+        bits += bitsPerChar;
+        // Write out some bits if the buffer has a byte's worth:
+        if (bits >= 8) {
+            bits -= 8;
+            out[written++] = 0xff & (buffer >> bits);
+        }
+    }
+    // Verify that we have received just enough bits:
+    if (bits >= bitsPerChar || (0xff & (buffer << (8 - bits))) !== 0) {
+        throw new SyntaxError('Unexpected end of data');
+    }
+    return out;
+}
+function encode(data, alphabet, bitsPerChar) {
+    const pad = alphabet[alphabet.length - 1] === '=';
+    const mask = (1 << bitsPerChar) - 1;
+    let out = '';
+    let bits = 0; // Number of bits currently in the buffer
+    let buffer = 0; // Bits waiting to be written out, MSB first
+    for (let i = 0; i < data.length; ++i) {
+        // Slurp data into the buffer:
+        buffer = (buffer << 8) | data[i];
+        bits += 8;
+        // Write out as much as we can:
+        while (bits > bitsPerChar) {
+            bits -= bitsPerChar;
+            out += alphabet[mask & (buffer >> bits)];
+        }
+    }
+    // Partial character:
+    if (bits !== 0) {
+        out += alphabet[mask & (buffer << (bitsPerChar - bits))];
+    }
+    // Add padding characters until we hit a byte boundary:
+    if (pad) {
+        while (((out.length * bitsPerChar) & 7) !== 0) {
+            out += '=';
+        }
+    }
+    return out;
+}
+function createAlphabetIdx(alphabet) {
+    // Build the character lookup table:
+    const alphabetIdx = {};
+    for (let i = 0; i < alphabet.length; ++i) {
+        alphabetIdx[alphabet[i]] = i;
+    }
+    return alphabetIdx;
+}
+/**
+ * RFC4648 Factory
+ */
+function rfc4648({ name, prefix, bitsPerChar, alphabet }) {
+    const alphabetIdx = createAlphabetIdx(alphabet);
+    return from({
+        prefix,
+        name,
+        encode(input) {
+            return encode(input, alphabet, bitsPerChar);
+        },
+        decode(input) {
+            return decode(input, alphabetIdx, bitsPerChar, name);
+        }
+    });
+}
+
+rfc4648({
+    prefix: 'm',
+    name: 'base64',
+    alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
+    bitsPerChar: 6
+});
+rfc4648({
+    prefix: 'M',
+    name: 'base64pad',
+    alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
+    bitsPerChar: 6
+});
+const base64url = rfc4648({
+    prefix: 'u',
+    name: 'base64url',
+    alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',
+    bitsPerChar: 6
+});
+rfc4648({
+    prefix: 'U',
+    name: 'base64urlpad',
+    alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=',
+    bitsPerChar: 6
+});
+
+/**
+ * Utilities for hex, bytes, CSPRNG.
+ * @module
+ */
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
+// node.js versions earlier than v19 don't declare it in global scope.
+// For node.js, package.json#exports field mapping rewrites import
+// from `crypto` to `cryptoNode`, which imports native module.
+// Makes the utils un-importable in browsers without a bundler.
+// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes$2(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+/** Asserts something is positive integer. */
+function anumber(n) {
+    if (!Number.isSafeInteger(n) || n < 0)
+        throw new Error('positive integer expected, got ' + n);
+}
+/** Asserts something is Uint8Array. */
+function abytes(b, ...lengths) {
+    if (!isBytes$2(b))
+        throw new Error('Uint8Array expected');
+    if (lengths.length > 0 && !lengths.includes(b.length))
+        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
+}
+/** Asserts something is hash */
+function ahash(h) {
+    if (typeof h !== 'function' || typeof h.create !== 'function')
+        throw new Error('Hash should be wrapped by utils.createHasher');
+    anumber(h.outputLen);
+    anumber(h.blockLen);
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+    abytes(out);
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error('digestInto() expects output buffer of length at least ' + min);
+    }
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView$1(arr) {
+    return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** The rotate right (circular right shift) operation for uint32 */
+function rotr(word, shift) {
+    return (word << (32 - shift)) | (word >>> shift);
+}
+/**
+ * Converts string to bytes using UTF8 encoding.
+ * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+ */
+function utf8ToBytes$1(str) {
+    if (typeof str !== 'string')
+        throw new Error('string expected');
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+/**
+ * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+ * Warning: when Uint8Array is passed, it would NOT get copied.
+ * Keep in mind for future mutable operations.
+ */
+function toBytes$1(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes$1(data);
+    abytes(data);
+    return data;
+}
+/** For runtime check if class implements interface */
+class Hash {
+}
+/** Wraps hash function, creating an interface on top of it */
+function createHasher(hashCons) {
+    const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
+    const tmp = hashCons();
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = () => hashCons();
+    return hashC;
+}
+
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @module
+ */
+class HMAC extends Hash {
+    constructor(hash, _key) {
+        super();
+        this.finished = false;
+        this.destroyed = false;
+        ahash(hash);
+        const key = toBytes$1(_key);
+        this.iHash = hash.create();
+        if (typeof this.iHash.update !== 'function')
+            throw new Error('Expected instance of class which extends utils.Hash');
+        this.blockLen = this.iHash.blockLen;
+        this.outputLen = this.iHash.outputLen;
+        const blockLen = this.blockLen;
+        const pad = new Uint8Array(blockLen);
+        // blockLen can be bigger than outputLen
+        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36;
+        this.iHash.update(pad);
+        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+        this.oHash = hash.create();
+        // Undo internal XOR && apply outer XOR
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36 ^ 0x5c;
+        this.oHash.update(pad);
+        clean(pad);
+    }
+    update(buf) {
+        aexists(this);
+        this.iHash.update(buf);
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        abytes(out, this.outputLen);
+        this.finished = true;
+        this.iHash.digestInto(out);
+        this.oHash.update(out);
+        this.oHash.digestInto(out);
+        this.destroy();
+    }
+    digest() {
+        const out = new Uint8Array(this.oHash.outputLen);
+        this.digestInto(out);
+        return out;
+    }
+    _cloneInto(to) {
+        // Create new instance without calling constructor since key already in state and we don't know it.
+        to || (to = Object.create(Object.getPrototypeOf(this), {}));
+        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+        to = to;
+        to.finished = finished;
+        to.destroyed = destroyed;
+        to.blockLen = blockLen;
+        to.outputLen = outputLen;
+        to.oHash = oHash._cloneInto(to.oHash);
+        to.iHash = iHash._cloneInto(to.iHash);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    destroy() {
+        this.destroyed = true;
+        this.oHash.destroy();
+        this.iHash.destroy();
+    }
+}
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @param hash - function that would be used e.g. sha256
+ * @param key - message key
+ * @param message - message data
+ * @example
+ * import { hmac } from '@noble/hashes/hmac';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * const mac1 = hmac(sha256, 'key', 'message');
+ */
+const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new HMAC(hash, key);
+
+/**
+ * Internal Merkle-Damgard hash utils.
+ * @module
+ */
+/** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
+function setBigUint64$1(view, byteOffset, value, isLE) {
+    if (typeof view.setBigUint64 === 'function')
+        return view.setBigUint64(byteOffset, value, isLE);
+    const _32n = BigInt(32);
+    const _u32_max = BigInt(0xffffffff);
+    const wh = Number((value >> _32n) & _u32_max);
+    const wl = Number(value & _u32_max);
+    const h = isLE ? 4 : 0;
+    const l = isLE ? 0 : 4;
+    view.setUint32(byteOffset + h, wh, isLE);
+    view.setUint32(byteOffset + l, wl, isLE);
+}
+/** Choice: a ? b : c */
+function Chi(a, b, c) {
+    return (a & b) ^ (~a & c);
+}
+/** Majority function, true if any two inputs is true. */
+function Maj(a, b, c) {
+    return (a & b) ^ (a & c) ^ (b & c);
+}
+/**
+ * Merkle-Damgard hash construction base class.
+ * Could be used to create MD5, RIPEMD, SHA1, SHA2.
+ */
+class HashMD extends Hash {
+    constructor(blockLen, outputLen, padOffset, isLE) {
+        super();
+        this.finished = false;
+        this.length = 0;
+        this.pos = 0;
+        this.destroyed = false;
+        this.blockLen = blockLen;
+        this.outputLen = outputLen;
+        this.padOffset = padOffset;
+        this.isLE = isLE;
+        this.buffer = new Uint8Array(blockLen);
+        this.view = createView$1(this.buffer);
+    }
+    update(data) {
+        aexists(this);
+        data = toBytes$1(data);
+        abytes(data);
+        const { view, buffer, blockLen } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            // Fast path: we have at least one block in input, cast it to view and process
+            if (take === blockLen) {
+                const dataView = createView$1(data);
+                for (; blockLen <= len - pos; pos += blockLen)
+                    this.process(dataView, pos);
+                continue;
+            }
+            buffer.set(data.subarray(pos, pos + take), this.pos);
+            this.pos += take;
+            pos += take;
+            if (this.pos === blockLen) {
+                this.process(view, 0);
+                this.pos = 0;
+            }
+        }
+        this.length += data.length;
+        this.roundClean();
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        aoutput(out, this);
+        this.finished = true;
+        // Padding
+        // We can avoid allocation of buffer for padding completely if it
+        // was previously not allocated here. But it won't change performance.
+        const { buffer, view, blockLen, isLE } = this;
+        let { pos } = this;
+        // append the bit '1' to the message
+        buffer[pos++] = 0b10000000;
+        clean(this.buffer.subarray(pos));
+        // we have less than padOffset left in buffer, so we cannot put length in
+        // current block, need process it and pad again
+        if (this.padOffset > blockLen - pos) {
+            this.process(view, 0);
+            pos = 0;
+        }
+        // Pad until full block byte with zeros
+        for (let i = pos; i < blockLen; i++)
+            buffer[i] = 0;
+        // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
+        // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
+        // So we just write lowest 64 bits of that value.
+        setBigUint64$1(view, blockLen - 8, BigInt(this.length * 8), isLE);
+        this.process(view, 0);
+        const oview = createView$1(out);
+        const len = this.outputLen;
+        // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
+        if (len % 4)
+            throw new Error('_sha2: outputLen should be aligned to 32bit');
+        const outLen = len / 4;
+        const state = this.get();
+        if (outLen > state.length)
+            throw new Error('_sha2: outputLen bigger than state');
+        for (let i = 0; i < outLen; i++)
+            oview.setUint32(4 * i, state[i], isLE);
+    }
+    digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+    }
+    _cloneInto(to) {
+        to || (to = new this.constructor());
+        to.set(...this.get());
+        const { blockLen, buffer, length, finished, destroyed, pos } = this;
+        to.destroyed = destroyed;
+        to.finished = finished;
+        to.length = length;
+        to.pos = pos;
+        if (length % blockLen)
+            to.buffer.set(buffer);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+}
+/**
+ * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
+ * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
+ */
+/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
+]);
+
+/**
+ * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
+ * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
+ * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
+ * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * @module
+ */
+/**
+ * Round constants:
+ * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+ */
+// prettier-ignore
+const SHA256_K = /* @__PURE__ */ Uint32Array.from([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+]);
+/** Reusable temporary buffer. "W" comes straight from spec. */
+const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+class SHA256 extends HashMD {
+    constructor(outputLen = 32) {
+        super(64, outputLen, 8, false);
+        // We cannot use array here since array allows indexing by variable
+        // which means optimizer/compiler cannot use registers.
+        this.A = SHA256_IV[0] | 0;
+        this.B = SHA256_IV[1] | 0;
+        this.C = SHA256_IV[2] | 0;
+        this.D = SHA256_IV[3] | 0;
+        this.E = SHA256_IV[4] | 0;
+        this.F = SHA256_IV[5] | 0;
+        this.G = SHA256_IV[6] | 0;
+        this.H = SHA256_IV[7] | 0;
+    }
+    get() {
+        const { A, B, C, D, E, F, G, H } = this;
+        return [A, B, C, D, E, F, G, H];
+    }
+    // prettier-ignore
+    set(A, B, C, D, E, F, G, H) {
+        this.A = A | 0;
+        this.B = B | 0;
+        this.C = C | 0;
+        this.D = D | 0;
+        this.E = E | 0;
+        this.F = F | 0;
+        this.G = G | 0;
+        this.H = H | 0;
+    }
+    process(view, offset) {
+        // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array
+        for (let i = 0; i < 16; i++, offset += 4)
+            SHA256_W[i] = view.getUint32(offset, false);
+        for (let i = 16; i < 64; i++) {
+            const W15 = SHA256_W[i - 15];
+            const W2 = SHA256_W[i - 2];
+            const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);
+            const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);
+            SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;
+        }
+        // Compression function main loop, 64 rounds
+        let { A, B, C, D, E, F, G, H } = this;
+        for (let i = 0; i < 64; i++) {
+            const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+            const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
+            const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+            const T2 = (sigma0 + Maj(A, B, C)) | 0;
+            H = G;
+            G = F;
+            F = E;
+            E = (D + T1) | 0;
+            D = C;
+            C = B;
+            B = A;
+            A = (T1 + T2) | 0;
+        }
+        // Add the compressed chunk to the current hash value
+        A = (A + this.A) | 0;
+        B = (B + this.B) | 0;
+        C = (C + this.C) | 0;
+        D = (D + this.D) | 0;
+        E = (E + this.E) | 0;
+        F = (F + this.F) | 0;
+        G = (G + this.G) | 0;
+        H = (H + this.H) | 0;
+        this.set(A, B, C, D, E, F, G, H);
+    }
+    roundClean() {
+        clean(SHA256_W);
+    }
+    destroy() {
+        this.set(0, 0, 0, 0, 0, 0, 0, 0);
+        clean(this.buffer);
+    }
+}
+/**
+ * SHA2-256 hash function from RFC 4634.
+ *
+ * It is the fastest JS hash, even faster than Blake3.
+ * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
+ * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ */
+const sha256$1 = /* @__PURE__ */ createHasher(() => new SHA256());
+
+/**
+ * SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
+ *
+ * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
+ * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ *
+ * Check out [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * @module
+ * @deprecated
+ */
+/** @deprecated Use import from `noble/hashes/sha2` module */
+const sha256 = sha256$1;
+
+/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+// Cast array to different type
+const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+function isBytes$1(a) {
+    return (a instanceof Uint8Array ||
+        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
+}
+// Cast array to view
+const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+// big-endian hardware is rare. Just in case someone still decides to run ciphers:
+// early-throw an error because we don't support BE yet.
+const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;
+if (!isLE)
+    throw new Error('Non little-endian hardware is not supported');
+/**
+ * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ */
+function utf8ToBytes(str) {
+    if (typeof str !== 'string')
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+function bytesToUtf8(bytes) {
+    return new TextDecoder().decode(bytes);
+}
+/**
+ * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+ * Warning: when Uint8Array is passed, it would NOT get copied.
+ * Keep in mind for future mutable operations.
+ */
+function toBytes(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes(data);
+    else if (isBytes$1(data))
+        data = data.slice();
+    else
+        throw new Error(`expected Uint8Array, got ${typeof data}`);
+    return data;
+}
+/**
+ * Copies several Uint8Arrays into one.
+ */
+function concatBytes(...arrays) {
+    let sum = 0;
+    for (let i = 0; i < arrays.length; i++) {
+        const a = arrays[i];
+        if (!isBytes$1(a))
+            throw new Error('Uint8Array expected');
+        sum += a.length;
+    }
+    const res = new Uint8Array(sum);
+    for (let i = 0, pad = 0; i < arrays.length; i++) {
+        const a = arrays[i];
+        res.set(a, pad);
+        pad += a.length;
+    }
+    return res;
+}
+// Check if object doens't have custom constructor (like Uint8Array/Array)
+const isPlainObject = (obj) => Object.prototype.toString.call(obj) === '[object Object]' && obj.constructor === Object;
+function checkOpts(defaults, opts) {
+    if (opts !== undefined && (typeof opts !== 'object' || !isPlainObject(opts)))
+        throw new Error('options must be object or undefined');
+    const merged = Object.assign(defaults, opts);
+    return merged;
+}
+function ensureBytes(b, len) {
+    if (!isBytes$1(b))
+        throw new Error('Uint8Array expected');
+    if (typeof len === 'number')
+        if (b.length !== len)
+            throw new Error(`Uint8Array length ${len} expected`);
+}
+// Compares 2 u8a-s in kinda constant time
+function equalBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+const wrapCipher = (params, c) => {
+    Object.assign(c, params);
+    return c;
+};
+// Polyfill for Safari 14
+function setBigUint64(view, byteOffset, value, isLE) {
+    if (typeof view.setBigUint64 === 'function')
+        return view.setBigUint64(byteOffset, value, isLE);
+    const _32n = BigInt(32);
+    const _u32_max = BigInt(0xffffffff);
+    const wh = Number((value >> _32n) & _u32_max);
+    const wl = Number(value & _u32_max);
+    const h = 4 ;
+    const l = 0 ;
+    view.setUint32(byteOffset + h, wh, isLE);
+    view.setUint32(byteOffset + l, wl, isLE);
+}
+
+function number(n) {
+    if (!Number.isSafeInteger(n) || n < 0)
+        throw new Error(`wrong positive integer: ${n}`);
+}
+function bool(b) {
+    if (typeof b !== 'boolean')
+        throw new Error(`boolean expected, not ${b}`);
+}
+// TODO: merge with utils
+function isBytes(a) {
+    return (a != null &&
+        typeof a === 'object' &&
+        (a instanceof Uint8Array || a.constructor.name === 'Uint8Array'));
+}
+function bytes(b, ...lengths) {
+    if (!isBytes(b))
+        throw new Error('Uint8Array expected');
+    if (lengths.length > 0 && !lengths.includes(b.length))
+        throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
+}
+function exists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+function output(out, instance) {
+    bytes(out);
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error(`digestInto() expects output buffer of length at least ${min}`);
+    }
+}
+
+// Poly1305 is a fast and parallel secret-key message-authentication code.
+// https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf
+// https://datatracker.ietf.org/doc/html/rfc8439
+// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna
+const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
+class Poly1305 {
+    constructor(key) {
+        this.blockLen = 16;
+        this.outputLen = 16;
+        this.buffer = new Uint8Array(16);
+        this.r = new Uint16Array(10);
+        this.h = new Uint16Array(10);
+        this.pad = new Uint16Array(8);
+        this.pos = 0;
+        this.finished = false;
+        key = toBytes(key);
+        ensureBytes(key, 32);
+        const t0 = u8to16(key, 0);
+        const t1 = u8to16(key, 2);
+        const t2 = u8to16(key, 4);
+        const t3 = u8to16(key, 6);
+        const t4 = u8to16(key, 8);
+        const t5 = u8to16(key, 10);
+        const t6 = u8to16(key, 12);
+        const t7 = u8to16(key, 14);
+        // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
+        this.r[0] = t0 & 0x1fff;
+        this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+        this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
+        this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+        this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
+        this.r[5] = (t4 >>> 1) & 0x1ffe;
+        this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+        this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
+        this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+        this.r[9] = (t7 >>> 5) & 0x007f;
+        for (let i = 0; i < 8; i++)
+            this.pad[i] = u8to16(key, 16 + 2 * i);
+    }
+    process(data, offset, isLast = false) {
+        const hibit = isLast ? 0 : 1 << 11;
+        const { h, r } = this;
+        const r0 = r[0];
+        const r1 = r[1];
+        const r2 = r[2];
+        const r3 = r[3];
+        const r4 = r[4];
+        const r5 = r[5];
+        const r6 = r[6];
+        const r7 = r[7];
+        const r8 = r[8];
+        const r9 = r[9];
+        const t0 = u8to16(data, offset + 0);
+        const t1 = u8to16(data, offset + 2);
+        const t2 = u8to16(data, offset + 4);
+        const t3 = u8to16(data, offset + 6);
+        const t4 = u8to16(data, offset + 8);
+        const t5 = u8to16(data, offset + 10);
+        const t6 = u8to16(data, offset + 12);
+        const t7 = u8to16(data, offset + 14);
+        let h0 = h[0] + (t0 & 0x1fff);
+        let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
+        let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
+        let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
+        let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
+        let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
+        let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
+        let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
+        let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
+        let h9 = h[9] + ((t7 >>> 5) | hibit);
+        let c = 0;
+        let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
+        c = d0 >>> 13;
+        d0 &= 0x1fff;
+        d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
+        c += d0 >>> 13;
+        d0 &= 0x1fff;
+        let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
+        c = d1 >>> 13;
+        d1 &= 0x1fff;
+        d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
+        c += d1 >>> 13;
+        d1 &= 0x1fff;
+        let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
+        c = d2 >>> 13;
+        d2 &= 0x1fff;
+        d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
+        c += d2 >>> 13;
+        d2 &= 0x1fff;
+        let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
+        c = d3 >>> 13;
+        d3 &= 0x1fff;
+        d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
+        c += d3 >>> 13;
+        d3 &= 0x1fff;
+        let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
+        c = d4 >>> 13;
+        d4 &= 0x1fff;
+        d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
+        c += d4 >>> 13;
+        d4 &= 0x1fff;
+        let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
+        c = d5 >>> 13;
+        d5 &= 0x1fff;
+        d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
+        c += d5 >>> 13;
+        d5 &= 0x1fff;
+        let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
+        c = d6 >>> 13;
+        d6 &= 0x1fff;
+        d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
+        c += d6 >>> 13;
+        d6 &= 0x1fff;
+        let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
+        c = d7 >>> 13;
+        d7 &= 0x1fff;
+        d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
+        c += d7 >>> 13;
+        d7 &= 0x1fff;
+        let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
+        c = d8 >>> 13;
+        d8 &= 0x1fff;
+        d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
+        c += d8 >>> 13;
+        d8 &= 0x1fff;
+        let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
+        c = d9 >>> 13;
+        d9 &= 0x1fff;
+        d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
+        c += d9 >>> 13;
+        d9 &= 0x1fff;
+        c = ((c << 2) + c) | 0;
+        c = (c + d0) | 0;
+        d0 = c & 0x1fff;
+        c = c >>> 13;
+        d1 += c;
+        h[0] = d0;
+        h[1] = d1;
+        h[2] = d2;
+        h[3] = d3;
+        h[4] = d4;
+        h[5] = d5;
+        h[6] = d6;
+        h[7] = d7;
+        h[8] = d8;
+        h[9] = d9;
+    }
+    finalize() {
+        const { h, pad } = this;
+        const g = new Uint16Array(10);
+        let c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        for (let i = 2; i < 10; i++) {
+            h[i] += c;
+            c = h[i] >>> 13;
+            h[i] &= 0x1fff;
+        }
+        h[0] += c * 5;
+        c = h[0] >>> 13;
+        h[0] &= 0x1fff;
+        h[1] += c;
+        c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        h[2] += c;
+        g[0] = h[0] + 5;
+        c = g[0] >>> 13;
+        g[0] &= 0x1fff;
+        for (let i = 1; i < 10; i++) {
+            g[i] = h[i] + c;
+            c = g[i] >>> 13;
+            g[i] &= 0x1fff;
+        }
+        g[9] -= 1 << 13;
+        let mask = (c ^ 1) - 1;
+        for (let i = 0; i < 10; i++)
+            g[i] &= mask;
+        mask = ~mask;
+        for (let i = 0; i < 10; i++)
+            h[i] = (h[i] & mask) | g[i];
+        h[0] = (h[0] | (h[1] << 13)) & 0xffff;
+        h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
+        h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
+        h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
+        h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
+        h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
+        h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
+        h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
+        let f = h[0] + pad[0];
+        h[0] = f & 0xffff;
+        for (let i = 1; i < 8; i++) {
+            f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
+            h[i] = f & 0xffff;
+        }
+    }
+    update(data) {
+        exists(this);
+        const { buffer, blockLen } = this;
+        data = toBytes(data);
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            // Fast path: we have at least one block in input
+            if (take === blockLen) {
+                for (; blockLen <= len - pos; pos += blockLen)
+                    this.process(data, pos);
+                continue;
+            }
+            buffer.set(data.subarray(pos, pos + take), this.pos);
+            this.pos += take;
+            pos += take;
+            if (this.pos === blockLen) {
+                this.process(buffer, 0, false);
+                this.pos = 0;
+            }
+        }
+        return this;
+    }
+    destroy() {
+        this.h.fill(0);
+        this.r.fill(0);
+        this.buffer.fill(0);
+        this.pad.fill(0);
+    }
+    digestInto(out) {
+        exists(this);
+        output(out, this);
+        this.finished = true;
+        const { buffer, h } = this;
+        let { pos } = this;
+        if (pos) {
+            buffer[pos++] = 1;
+            // buffer.subarray(pos).fill(0);
+            for (; pos < 16; pos++)
+                buffer[pos] = 0;
+            this.process(buffer, 0, true);
+        }
+        this.finalize();
+        let opos = 0;
+        for (let i = 0; i < 8; i++) {
+            out[opos++] = h[i] >>> 0;
+            out[opos++] = h[i] >>> 8;
+        }
+        return out;
+    }
+    digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+    }
+}
+function wrapConstructorWithKey(hashCons) {
+    const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
+    const tmp = hashCons(new Uint8Array(32));
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (key) => hashCons(key);
+    return hashC;
+}
+const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
+
+// Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
+/*
+RFC8439 requires multi-step cipher stream, where
+authKey starts with counter: 0, actual msg with counter: 1.
+
+For this, we need a way to re-use nonce / counter:
+
+    const counter = new Uint8Array(4);
+    chacha(..., counter, ...); // counter is now 1
+    chacha(..., counter, ...); // counter is now 2
+
+This is complicated:
+
+- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
+- Original papers don't allow mutating counters
+- Counter overflow is undefined [^1]
+- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
+- Caveat: Cannot be re-used through all cases:
+- * chacha has (counter | nonce)
+- * xchacha has (nonce16 | counter | nonce16)
+- Idea B: separate nonce / counter and provide separate API for counter re-use
+- Caveat: there are different counter sizes depending on an algorithm.
+- salsa & chacha also differ in structures of key & sigma:
+  salsa20:      s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
+  chacha:       s(4) | k(8) | ctr(1) | nonce(3)
+  chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
+- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
+- Caveat: we can't re-use counter array
+
+xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
+(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
+
+[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
+[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
+*/
+const sigma16 = utf8ToBytes('expand 16-byte k');
+const sigma32 = utf8ToBytes('expand 32-byte k');
+const sigma16_32 = u32(sigma16);
+const sigma32_32 = u32(sigma32);
+function rotl(a, b) {
+    return (a << b) | (a >>> (32 - b));
+}
+// Is byte array aligned to 4 byte offset (u32)?
+function isAligned32(b) {
+    return b.byteOffset % 4 === 0;
+}
+// Salsa and Chacha block length is always 512-bit
+const BLOCK_LEN = 64;
+const BLOCK_LEN32 = 16;
+// new Uint32Array([2**32])   // => Uint32Array(1) [ 0 ]
+// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
+const MAX_COUNTER = 2 ** 32 - 1;
+const U32_EMPTY = new Uint32Array();
+function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
+    const len = data.length;
+    const block = new Uint8Array(BLOCK_LEN);
+    const b32 = u32(block);
+    // Make sure that buffers aligned to 4 bytes
+    const isAligned = isAligned32(data) && isAligned32(output);
+    const d32 = isAligned ? u32(data) : U32_EMPTY;
+    const o32 = isAligned ? u32(output) : U32_EMPTY;
+    for (let pos = 0; pos < len; counter++) {
+        core(sigma, key, nonce, b32, counter, rounds);
+        if (counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        const take = Math.min(BLOCK_LEN, len - pos);
+        // aligned to 4 bytes
+        if (isAligned && take === BLOCK_LEN) {
+            const pos32 = pos / 4;
+            if (pos % 4 !== 0)
+                throw new Error('arx: invalid block position');
+            for (let j = 0, posj; j < BLOCK_LEN32; j++) {
+                posj = pos32 + j;
+                o32[posj] = d32[posj] ^ b32[j];
+            }
+            pos += BLOCK_LEN;
+            continue;
+        }
+        for (let j = 0, posj; j < take; j++) {
+            posj = pos + j;
+            output[posj] = data[posj] ^ block[j];
+        }
+        pos += take;
+    }
+}
+function createCipher(core, opts) {
+    const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
+    if (typeof core !== 'function')
+        throw new Error('core must be a function');
+    number(counterLength);
+    number(rounds);
+    bool(counterRight);
+    bool(allowShortKeys);
+    return (key, nonce, data, output, counter = 0) => {
+        bytes(key);
+        bytes(nonce);
+        bytes(data);
+        const len = data.length;
+        if (!output)
+            output = new Uint8Array(len);
+        bytes(output);
+        number(counter);
+        if (counter < 0 || counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        if (output.length < len)
+            throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
+        const toClean = [];
+        // Key & sigma
+        // key=16 -> sigma16, k=key|key
+        // key=32 -> sigma32, k=key
+        let l = key.length, k, sigma;
+        if (l === 32) {
+            k = key.slice();
+            toClean.push(k);
+            sigma = sigma32_32;
+        }
+        else if (l === 16 && allowShortKeys) {
+            k = new Uint8Array(32);
+            k.set(key);
+            k.set(key, 16);
+            sigma = sigma16_32;
+            toClean.push(k);
+        }
+        else {
+            throw new Error(`arx: invalid 32-byte key, got length=${l}`);
+        }
+        // Nonce
+        // salsa20:      8   (8-byte counter)
+        // chacha20orig: 8   (8-byte counter)
+        // chacha20:     12  (4-byte counter)
+        // xsalsa20:     24  (16 -> hsalsa,  8 -> old nonce)
+        // xchacha20:    24  (16 -> hchacha, 8 -> old nonce)
+        // Align nonce to 4 bytes
+        if (!isAligned32(nonce)) {
+            nonce = nonce.slice();
+            toClean.push(nonce);
+        }
+        const k32 = u32(k);
+        // hsalsa & hchacha: handle extended nonce
+        if (extendNonceFn) {
+            if (nonce.length !== 24)
+                throw new Error(`arx: extended nonce must be 24 bytes`);
+            extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32);
+            nonce = nonce.subarray(16);
+        }
+        // Handle nonce counter
+        const nonceNcLen = 16 - counterLength;
+        if (nonceNcLen !== nonce.length)
+            throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
+        // Pad counter when nonce is 64 bit
+        if (nonceNcLen !== 12) {
+            const nc = new Uint8Array(12);
+            nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
+            nonce = nc;
+            toClean.push(nonce);
+        }
+        const n32 = u32(nonce);
+        runCipher(core, sigma, k32, n32, data, output, counter, rounds);
+        while (toClean.length > 0)
+            toClean.pop().fill(0);
+        return output;
+    };
+}
+
+// ChaCha20 stream cipher was released in 2008. ChaCha aims to increase
+// the diffusion per round, but had slightly less cryptanalysis.
+// https://cr.yp.to/chacha.html, http://cr.yp.to/chacha/chacha-20080128.pdf
+/**
+ * ChaCha core function.
+ */
+// prettier-ignore
+function chachaCore(s, k, n, out, cnt, rounds = 20) {
+    let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa"   "nd 3"  "2-by"  "te k"
+    y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key      Key     Key     Key
+    y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key      Key     Key     Key
+    y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter  Counter	Nonce   Nonce
+    // Save state to temporary variables
+    let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+    for (let r = 0; r < rounds; r += 2) {
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 16);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 12);
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 8);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 7);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 16);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 12);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 8);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 7);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 16);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 12);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 8);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 7);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 16);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 12);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 8);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 7);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 16);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 12);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 8);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 7);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 16);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 12);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 8);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 7);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 16);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 12);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 8);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 7);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 16);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 12);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 8);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 7);
+    }
+    // Write output
+    let oi = 0;
+    out[oi++] = (y00 + x00) | 0;
+    out[oi++] = (y01 + x01) | 0;
+    out[oi++] = (y02 + x02) | 0;
+    out[oi++] = (y03 + x03) | 0;
+    out[oi++] = (y04 + x04) | 0;
+    out[oi++] = (y05 + x05) | 0;
+    out[oi++] = (y06 + x06) | 0;
+    out[oi++] = (y07 + x07) | 0;
+    out[oi++] = (y08 + x08) | 0;
+    out[oi++] = (y09 + x09) | 0;
+    out[oi++] = (y10 + x10) | 0;
+    out[oi++] = (y11 + x11) | 0;
+    out[oi++] = (y12 + x12) | 0;
+    out[oi++] = (y13 + x13) | 0;
+    out[oi++] = (y14 + x14) | 0;
+    out[oi++] = (y15 + x15) | 0;
+}
+/**
+ * hchacha helper method, used primarily in xchacha, to hash
+ * key and nonce into key' and nonce'.
+ * Same as chachaCore, but there doesn't seem to be a way to move the block
+ * out without 25% performance hit.
+ */
+// prettier-ignore
+function hchacha(s, k, i, o32) {
+    let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
+    for (let r = 0; r < 20; r += 2) {
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 16);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 12);
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 8);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 7);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 16);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 12);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 8);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 7);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 16);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 12);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 8);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 7);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 16);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 12);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 8);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 7);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 16);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 12);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 8);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 7);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 16);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 12);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 8);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 7);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 16);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 12);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 8);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 7);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 16);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 12);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 8);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 7);
+    }
+    let oi = 0;
+    o32[oi++] = x00;
+    o32[oi++] = x01;
+    o32[oi++] = x02;
+    o32[oi++] = x03;
+    o32[oi++] = x12;
+    o32[oi++] = x13;
+    o32[oi++] = x14;
+    o32[oi++] = x15;
+}
+/**
+ * XChaCha eXtended-nonce ChaCha. 24-byte nonce.
+ * With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
+ */
+const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 8,
+    extendNonceFn: hchacha,
+    allowShortKeys: false,
+});
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+// Pad to digest size with zeros
+const updatePadded = (h, msg) => {
+    h.update(msg);
+    const left = msg.length % 16;
+    if (left)
+        h.update(ZEROS16.subarray(left));
+};
+const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag(fn, key, nonce, data, AAD) {
+    const authKey = fn(key, nonce, ZEROS32);
+    const h = poly1305.create(authKey);
+    if (AAD)
+        updatePadded(h, AAD);
+    updatePadded(h, data);
+    const num = new Uint8Array(16);
+    const view = createView(num);
+    setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true);
+    setBigUint64(view, 8, BigInt(data.length), true);
+    h.update(num);
+    const res = h.digest();
+    authKey.fill(0);
+    return res;
+}
+/**
+ * AEAD algorithm from RFC 8439.
+ * Salsa20 and chacha (RFC 8439) use poly1305 differently.
+ * We could have composed them similar to:
+ * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
+ * But it's hard because of authKey:
+ * In salsa20, authKey changes position in salsa stream.
+ * In chacha, authKey can't be computed inside computeTag, it modifies the counter.
+ */
+const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
+    const tagLength = 16;
+    ensureBytes(key, 32);
+    ensureBytes(nonce);
+    return {
+        encrypt: (plaintext, output) => {
+            const plength = plaintext.length;
+            const clength = plength + tagLength;
+            if (output) {
+                ensureBytes(output, clength);
+            }
+            else {
+                output = new Uint8Array(clength);
+            }
+            xorStream(key, nonce, plaintext, output, 1);
+            const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD);
+            output.set(tag, plength); // append tag
+            return output;
+        },
+        decrypt: (ciphertext, output) => {
+            const clength = ciphertext.length;
+            const plength = clength - tagLength;
+            if (clength < tagLength)
+                throw new Error(`encrypted data must be at least ${tagLength} bytes`);
+            if (output) {
+                ensureBytes(output, plength);
+            }
+            else {
+                output = new Uint8Array(plength);
+            }
+            const data = ciphertext.subarray(0, -tagLength);
+            const passedTag = ciphertext.subarray(-tagLength);
+            const tag = computeTag(xorStream, key, nonce, data, AAD);
+            if (!equalBytes(passedTag, tag))
+                throw new Error('invalid tag');
+            xorStream(key, nonce, data, output, 1);
+            return output;
+        },
+    };
+};
+/**
+ * XChaCha20-Poly1305 extended-nonce chacha.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
+ * With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
+ */
+const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
+
+const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
+
+// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
+// node.js versions earlier than v19 don't declare it in global scope.
+// For node.js, package.js on#exports field mapping rewrites import
+// from `crypto` to `cryptoNode`, which imports native module.
+// Makes the utils un-importable in browsers without a bundler.
+// Once node.js 18 is deprecated, we can just drop the import.
+/**
+ * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.
+ */
+function randomBytes(bytesLength = 32) {
+    if (crypto && typeof crypto.getRandomValues === 'function') {
+        return crypto.getRandomValues(new Uint8Array(bytesLength));
+    }
+    throw new Error('crypto.getRandomValues must be defined');
+}
+// Uses CSPRG for nonce, nonce injected in ciphertext
+function managedNonce(fn) {
+    number(fn.nonceLength);
+    return ((key, ...args) => ({
+        encrypt: (plaintext, ...argsEnc) => {
+            const { nonceLength } = fn;
+            const nonce = randomBytes(nonceLength);
+            const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc);
+            const out = concatBytes(nonce, ciphertext);
+            ciphertext.fill(0);
+            return out;
+        },
+        decrypt: (ciphertext, ...argsDec) => {
+            const { nonceLength } = fn;
+            const nonce = ciphertext.subarray(0, nonceLength);
+            const data = ciphertext.subarray(nonceLength);
+            return fn(key, nonce, ...args).decrypt(data, ...argsDec);
+        },
+    }));
+}
+// // Type tests
+// import { siv, gcm, ctr, ecb, cbc } from '../aes.js';
+// import { xsalsa20poly1305 } from '../salsa.js';
+// import { chacha20poly1305, xchacha20poly1305 } from '../chacha.js';
+// const wsiv = managedNonce(siv);
+// const wgcm = managedNonce(gcm);
+// const wctr = managedNonce(ctr);
+// const wcbc = managedNonce(cbc);
+// const wsalsapoly = managedNonce(xsalsa20poly1305);
+// const wchacha = managedNonce(chacha20poly1305);
+// const wxchacha = managedNonce(xchacha20poly1305);
+// // should fail
+// const wcbc2 = managedNonce(managedNonce(cbc));
+// const wecb = managedNonce(ecb);
+
+const canonicalize = canonicalizeModule;
+// Polyfill for synchronous signatures
+secp__namespace.etc.hmacSha256Sync = (k, ...m) => hmac(sha256, k, secp__namespace.etc.concatBytes(...m));
+class CipherBase {
+    generateMnemonic() {
+        return bip39__namespace.generateMnemonic();
+    }
+    generateJwk(privateKeyBytes) {
+        const compressedPublicKeyBytes = secp__namespace.getPublicKey(privateKeyBytes);
+        const compressedPublicKeyHex = secp__namespace.etc.bytesToHex(compressedPublicKeyBytes);
+        const curvePoints = secp__namespace.ProjectivePoint.fromHex(compressedPublicKeyHex);
+        const uncompressedPublicKeyBytes = curvePoints.toRawBytes(false);
+        const d = base64url.baseEncode(privateKeyBytes);
+        const x = base64url.baseEncode(uncompressedPublicKeyBytes.subarray(1, 33));
+        const y = base64url.baseEncode(uncompressedPublicKeyBytes.subarray(33, 65));
+        const publicJwk = {
+            kty: 'EC',
+            crv: 'secp256k1',
+            x,
+            y
+        };
+        const privateJwk = { ...publicJwk, d };
+        return { publicJwk, privateJwk };
+    }
+    generateRandomJwk() {
+        const privKey = secp__namespace.utils.randomPrivateKey();
+        return this.generateJwk(privKey);
+    }
+    convertJwkToCompressedBytes(jwk) {
+        const xBytes = base64url.baseDecode(jwk.x);
+        const yBytes = base64url.baseDecode(jwk.y);
+        const prefix = yBytes[yBytes.length - 1] % 2 === 0 ? 0x02 : 0x03;
+        return new Uint8Array([prefix, ...xBytes]);
+    }
+    hashMessage(msg) {
+        const hash = sha256(msg);
+        return Buffer.from(hash).toString('hex');
+    }
+    canonicalizeJSON(json) {
+        return canonicalize(json);
+    }
+    hashJSON(json) {
+        return this.hashMessage(this.canonicalizeJSON(json));
+    }
+    signHash(msgHash, privateJwk) {
+        const privKey = base64url.baseDecode(privateJwk.d);
+        const signature = secp__namespace.sign(msgHash, privKey);
+        return signature.toCompactHex();
+    }
+    verifySig(msgHash, sigHex, publicJwk) {
+        const compressedPublicKeyBytes = this.convertJwkToCompressedBytes(publicJwk);
+        const signature = secp__namespace.Signature.fromCompact(sigHex);
+        return secp__namespace.verify(signature, msgHash, compressedPublicKeyBytes);
+    }
+    encryptBytes(pubKey, privKey, data) {
+        const priv = base64url.baseDecode(privKey.d);
+        const pub = this.convertJwkToCompressedBytes(pubKey);
+        const ss = secp__namespace.getSharedSecret(priv, pub);
+        const key = ss.slice(0, 32);
+        const chacha = managedNonce(xchacha20poly1305)(key);
+        const ciphertext = chacha.encrypt(data);
+        return base64url.baseEncode(ciphertext);
+    }
+    decryptBytes(pubKey, privKey, ciphertext) {
+        const priv = base64url.baseDecode(privKey.d);
+        const pub = this.convertJwkToCompressedBytes(pubKey);
+        const ss = secp__namespace.getSharedSecret(priv, pub);
+        const key = ss.slice(0, 32);
+        const chacha = managedNonce(xchacha20poly1305)(key);
+        const cipherdata = base64url.baseDecode(ciphertext);
+        return chacha.decrypt(cipherdata);
+    }
+    encryptMessage(pubKey, privKey, message) {
+        const data = utf8ToBytes(message);
+        return this.encryptBytes(pubKey, privKey, data);
+    }
+    decryptMessage(pubKey, privKey, ciphertext) {
+        const data = this.decryptBytes(pubKey, privKey, ciphertext);
+        return bytesToUtf8(data);
+    }
+    hasLeadingZeroBits(hexHash, bits) {
+        const binary = BigInt('0x' + hexHash).toString(2).padStart(hexHash.length * 4, '0');
+        return binary.startsWith('0'.repeat(bits));
+    }
+    addProofOfWork(obj, difficulty) {
+        if (!Number.isInteger(difficulty) || difficulty < 0 || difficulty > 256) {
+            throw new Error('Invalid difficulty: must be an integer between 0 and 256.');
+        }
+        let nonce = 0;
+        while (true) {
+            const candidate = {
+                ...obj,
+                pow: {
+                    nonce: nonce.toString(16),
+                    difficulty,
+                }
+            };
+            const hash = this.hashJSON(candidate);
+            if (this.hasLeadingZeroBits(hash, difficulty)) {
+                return candidate;
+            }
+            nonce++;
+        }
+    }
+    checkProofOfWork(obj) {
+        if (!obj ||
+            typeof obj !== 'object' ||
+            !('pow' in obj) ||
+            typeof obj.pow !== 'object' ||
+            typeof obj.pow.nonce !== 'string' ||
+            typeof obj.pow.difficulty !== 'number') {
+            return false;
+        }
+        const hash = this.hashJSON(obj);
+        return this.hasLeadingZeroBits(hash, obj.pow.difficulty);
+    }
+}
+
+exports.CipherBase = CipherBase;
+exports.base64url = base64url;