@gardenfi/utils 2.1.2-beta.6 → 2.1.2-beta.7

package/dist/index92.js

@@ -1,175 +1,646 @@
-import { validateField as z, nLength as F } from "./index52.js";
-import { validateObject as x, bitLen as O } from "./index53.js";
+import { validateBasic as mt, wNAF as gt, pippenger as Et } from "./index93.js";
+import { Field as bt, mod as wt, getMinHashLength as vt, mapHashToField as Bt, invert as xt } from "./index54.js";
+import * as St from "./index55.js";
+import { bytesToNumberBE as nt, bitMask as Rt, validateObject as yt, concatBytes as st, ensureBytes as Y, aInRange as Q, bytesToHex as ct, hexToBytes as lt, isBytes as at, createHmacDrbg as Ot, memoized as ut, abool as tt, inRange as pt, abytes as At, numberToHexUnpadded as et, numberToBytesBE as dt } from "./index55.js";
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const I = BigInt(0), p = BigInt(1);
-function m(e, r) {
-  const t = r.negate();
-  return e ? t : r;
+function ft(f) {
+  f.lowS !== void 0 && tt("lowS", f.lowS), f.prehash !== void 0 && tt("prehash", f.prehash);
 }
-function A(e, r) {
-  if (!Number.isSafeInteger(e) || e <= 0 || e > r)
-    throw new Error("invalid window size, expected [1.." + r + "], got W=" + e);
-}
-function b(e, r) {
-  A(e, r);
-  const t = Math.ceil(r / e) + 1, n = 2 ** (e - 1);
-  return { windows: t, windowSize: n };
-}
-function L(e, r) {
-  if (!Array.isArray(e))
-    throw new Error("array expected");
-  e.forEach((t, n) => {
-    if (!(t instanceof r))
-      throw new Error("invalid point at index " + n);
-  });
-}
-function k(e, r) {
-  if (!Array.isArray(e))
-    throw new Error("array of scalars expected");
-  e.forEach((t, n) => {
-    if (!r.isValid(t))
-      throw new Error("invalid scalar at index " + n);
+function Nt(f) {
+  const n = mt(f);
+  yt(n, {
+    a: "field",
+    b: "field"
+  }, {
+    allowedPrivateKeyLengths: "array",
+    wrapPrivateKey: "boolean",
+    isTorsionFree: "function",
+    clearCofactor: "function",
+    allowInfinityPoint: "boolean",
+    fromBytes: "function",
+    toBytes: "function"
   });
+  const { endo: t, Fp: E, a: R } = n;
+  if (t) {
+    if (!E.eql(R, E.ZERO))
+      throw new Error("invalid endomorphism, can only be defined for Koblitz curves that have a=0");
+    if (typeof t != "object" || typeof t.beta != "bigint" || typeof t.splitScalar != "function")
+      throw new Error("invalid endomorphism, expected beta: bigint and splitScalar: function");
+  }
+  return Object.freeze({ ...n });
 }
-const B = /* @__PURE__ */ new WeakMap(), E = /* @__PURE__ */ new WeakMap();
-function S(e) {
-  return E.get(e) || 1;
+const { bytesToNumberBE: Tt, hexToBytes: Zt } = St;
+class qt extends Error {
+  constructor(n = "") {
+    super(n);
+  }
 }
-function v(e, r) {
-  return {
-    constTimeNegate: m,
-    hasPrecomputes(t) {
-      return S(t) !== 1;
+const U = {
+  // asn.1 DER encoding utils
+  Err: qt,
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (f, n) => {
+      const { Err: t } = U;
+      if (f < 0 || f > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (n.length & 1)
+        throw new t("tlv.encode: unpadded data");
+      const E = n.length / 2, R = et(E);
+      if (R.length / 2 & 128)
+        throw new t("tlv.encode: long form length too big");
+      const Z = E > 127 ? et(R.length / 2 | 128) : "";
+      return et(f) + Z + R + n;
     },
-    // non-const time multiplication ladder
-    unsafeLadder(t, n, i = e.ZERO) {
-      let o = t;
-      for (; n > I; )
-        n & p && (i = i.add(o)), o = o.double(), n >>= p;
-      return i;
+    // v - value, l - left bytes (unparsed)
+    decode(f, n) {
+      const { Err: t } = U;
+      let E = 0;
+      if (f < 0 || f > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (n.length < 2 || n[E++] !== f)
+        throw new t("tlv.decode: wrong tlv");
+      const R = n[E++], Z = !!(R & 128);
+      let B = 0;
+      if (!Z)
+        B = R;
+      else {
+        const S = R & 127;
+        if (!S)
+          throw new t("tlv.decode(long): indefinite length not supported");
+        if (S > 4)
+          throw new t("tlv.decode(long): byte length is too big");
+        const L = n.subarray(E, E + S);
+        if (L.length !== S)
+          throw new t("tlv.decode: length bytes not complete");
+        if (L[0] === 0)
+          throw new t("tlv.decode(long): zero leftmost byte");
+        for (const P of L)
+          B = B << 8 | P;
+        if (E += S, B < 128)
+          throw new t("tlv.decode(long): not minimal encoding");
+      }
+      const H = n.subarray(E, E + B);
+      if (H.length !== B)
+        throw new t("tlv.decode: wrong value length");
+      return { v: H, l: n.subarray(E + B) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(f) {
+      const { Err: n } = U;
+      if (f < j)
+        throw new n("integer: negative integers are not allowed");
+      let t = et(f);
+      if (Number.parseInt(t[0], 16) & 8 && (t = "00" + t), t.length & 1)
+        throw new n("unexpected DER parsing assertion: unpadded hex");
+      return t;
     },
+    decode(f) {
+      const { Err: n } = U;
+      if (f[0] & 128)
+        throw new n("invalid signature integer: negative");
+      if (f[0] === 0 && !(f[1] & 128))
+        throw new n("invalid signature integer: unnecessary leading zero");
+      return Tt(f);
+    }
+  },
+  toSig(f) {
+    const { Err: n, _int: t, _tlv: E } = U, R = typeof f == "string" ? Zt(f) : f;
+    At(R);
+    const { v: Z, l: B } = E.decode(48, R);
+    if (B.length)
+      throw new n("invalid signature: left bytes after parsing");
+    const { v: H, l: S } = E.decode(2, Z), { v: L, l: P } = E.decode(2, S);
+    if (P.length)
+      throw new n("invalid signature: left bytes after parsing");
+    return { r: t.decode(H), s: t.decode(L) };
+  },
+  hexFromSig(f) {
+    const { _tlv: n, _int: t } = U, E = n.encode(2, t.encode(f.r)), R = n.encode(2, t.encode(f.s)), Z = E + R;
+    return n.encode(48, Z);
+  }
+}, j = BigInt(0), A = BigInt(1);
+BigInt(2);
+const ht = BigInt(3);
+BigInt(4);
+function zt(f) {
+  const n = Nt(f), { Fp: t } = n, E = bt(n.n, n.nBitLength), R = n.toBytes || ((m, e, i) => {
+    const c = e.toAffine();
+    return st(Uint8Array.from([4]), t.toBytes(c.x), t.toBytes(c.y));
+  }), Z = n.fromBytes || ((m) => {
+    const e = m.subarray(1), i = t.fromBytes(e.subarray(0, t.BYTES)), c = t.fromBytes(e.subarray(t.BYTES, 2 * t.BYTES));
+    return { x: i, y: c };
+  });
+  function B(m) {
+    const { a: e, b: i } = n, c = t.sqr(m), u = t.mul(c, m);
+    return t.add(t.add(u, t.mul(m, e)), i);
+  }
+  if (!t.eql(t.sqr(n.Gy), B(n.Gx)))
+    throw new Error("bad generator point: equation left != right");
+  function H(m) {
+    return pt(m, A, n.n);
+  }
+  function S(m) {
+    const { allowedPrivateKeyLengths: e, nByteLength: i, wrapPrivateKey: c, n: u } = n;
+    if (e && typeof m != "bigint") {
+      if (at(m) && (m = ct(m)), typeof m != "string" || !e.includes(m.length))
+        throw new Error("invalid private key");
+      m = m.padStart(i * 2, "0");
+    }
+    let y;
+    try {
+      y = typeof m == "bigint" ? m : nt(Y("private key", m, i));
+    } catch {
+      throw new Error("invalid private key, expected hex or " + i + " bytes, got " + typeof m);
+    }
+    return c && (y = wt(y, u)), Q("private key", y, A, u), y;
+  }
+  function L(m) {
+    if (!(m instanceof w))
+      throw new Error("ProjectivePoint expected");
+  }
+  const P = ut((m, e) => {
+    const { px: i, py: c, pz: u } = m;
+    if (t.eql(u, t.ONE))
+      return { x: i, y: c };
+    const y = m.is0();
+    e == null && (e = y ? t.ONE : t.inv(u));
+    const v = t.mul(i, e), p = t.mul(c, e), a = t.mul(u, e);
+    if (y)
+      return { x: t.ZERO, y: t.ZERO };
+    if (!t.eql(a, t.ONE))
+      throw new Error("invZ was invalid");
+    return { x: v, y: p };
+  }), rt = ut((m) => {
+    if (m.is0()) {
+      if (n.allowInfinityPoint && !t.is0(m.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x: e, y: i } = m.toAffine();
+    if (!t.isValid(e) || !t.isValid(i))
+      throw new Error("bad point: x or y not FE");
+    const c = t.sqr(i), u = B(e);
+    if (!t.eql(c, u))
+      throw new Error("bad point: equation left != right");
+    if (!m.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return !0;
+  });
+  class w {
+    constructor(e, i, c) {
+      if (this.px = e, this.py = i, this.pz = c, e == null || !t.isValid(e))
+        throw new Error("x required");
+      if (i == null || !t.isValid(i))
+        throw new Error("y required");
+      if (c == null || !t.isValid(c))
+        throw new Error("z required");
+      Object.freeze(this);
+    }
+    // Does not validate if the point is on-curve.
+    // Use fromHex instead, or call assertValidity() later.
+    static fromAffine(e) {
+      const { x: i, y: c } = e || {};
+      if (!e || !t.isValid(i) || !t.isValid(c))
+        throw new Error("invalid affine point");
+      if (e instanceof w)
+        throw new Error("projective point not allowed");
+      const u = (y) => t.eql(y, t.ZERO);
+      return u(i) && u(c) ? w.ZERO : new w(i, c, t.ONE);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
     /**
-     * Creates a wNAF precomputation window. Used for caching.
-     * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Number of precomputed points depends on the curve size:
-     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-     * - 𝑊 is the window size
-     * - 𝑛 is the bitlength of the curve order.
-     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-     * @param elm Point instance
-     * @param W window size
-     * @returns precomputed point tables flattened to a single array
+     * Takes a bunch of Projective Points but executes only one
+     * inversion on all of them. Inversion is very slow operation,
+     * so this improves performance massively.
+     * Optimization: converts a list of projective points to a list of identical points with Z=1.
      */
-    precomputeWindow(t, n) {
-      const { windows: i, windowSize: o } = b(n, r), a = [];
-      let c = t, d = c;
-      for (let h = 0; h < i; h++) {
-        d = c, a.push(d);
-        for (let w = 1; w < o; w++)
-          d = d.add(c), a.push(d);
-        c = d.double();
-      }
-      return a;
-    },
+    static normalizeZ(e) {
+      const i = t.invertBatch(e.map((c) => c.pz));
+      return e.map((c, u) => c.toAffine(i[u])).map(w.fromAffine);
+    }
     /**
-     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @returns real and fake (for const-time) points
+     * Converts hash string or Uint8Array to Point.
+     * @param hex short/long ECDSA hex
      */
-    wNAF(t, n, i) {
-      const { windows: o, windowSize: a } = b(t, r);
-      let c = e.ZERO, d = e.BASE;
-      const h = BigInt(2 ** t - 1), w = 2 ** t, l = BigInt(t);
-      for (let u = 0; u < o; u++) {
-        const s = u * a;
-        let f = Number(i & h);
-        i >>= l, f > a && (f -= w, i += p);
-        const g = s, N = s + Math.abs(f) - 1, y = u % 2 !== 0, M = f < 0;
-        f === 0 ? d = d.add(m(y, n[g])) : c = c.add(m(M, n[N]));
-      }
-      return { p: c, f: d };
-    },
+    static fromHex(e) {
+      const i = w.fromAffine(Z(Y("pointHex", e)));
+      return i.assertValidity(), i;
+    }
+    // Multiplies generator point by privateKey.
+    static fromPrivateKey(e) {
+      return w.BASE.multiply(S(e));
+    }
+    // Multiscalar Multiplication
+    static msm(e, i) {
+      return Et(w, E, e, i);
+    }
+    // "Private method", don't use it directly
+    _setWindowSize(e) {
+      D.setWindowSize(this, e);
+    }
+    // A point on curve is valid if it conforms to equation.
+    assertValidity() {
+      rt(this);
+    }
+    hasEvenY() {
+      const { y: e } = this.toAffine();
+      if (t.isOdd)
+        return !t.isOdd(e);
+      throw new Error("Field doesn't support isOdd");
+    }
     /**
-     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @param acc accumulator point to add result of multiplication
-     * @returns point
+     * Compare one point to another.
      */
-    wNAFUnsafe(t, n, i, o = e.ZERO) {
-      const { windows: a, windowSize: c } = b(t, r), d = BigInt(2 ** t - 1), h = 2 ** t, w = BigInt(t);
-      for (let l = 0; l < a; l++) {
-        const u = l * c;
-        if (i === I)
-          break;
-        let s = Number(i & d);
-        if (i >>= w, s > c && (s -= h, i += p), s === 0)
-          continue;
-        let f = n[u + Math.abs(s) - 1];
-        s < 0 && (f = f.negate()), o = o.add(f);
+    equals(e) {
+      L(e);
+      const { px: i, py: c, pz: u } = this, { px: y, py: v, pz: p } = e, a = t.eql(t.mul(i, p), t.mul(y, u)), h = t.eql(t.mul(c, p), t.mul(v, u));
+      return a && h;
+    }
+    /**
+     * Flips point to one corresponding to (x, -y) in Affine coordinates.
+     */
+    negate() {
+      return new w(this.px, t.neg(this.py), this.pz);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a: e, b: i } = n, c = t.mul(i, ht), { px: u, py: y, pz: v } = this;
+      let p = t.ZERO, a = t.ZERO, h = t.ZERO, l = t.mul(u, u), N = t.mul(y, y), x = t.mul(v, v), b = t.mul(u, y);
+      return b = t.add(b, b), h = t.mul(u, v), h = t.add(h, h), p = t.mul(e, h), a = t.mul(c, x), a = t.add(p, a), p = t.sub(N, a), a = t.add(N, a), a = t.mul(p, a), p = t.mul(b, p), h = t.mul(c, h), x = t.mul(e, x), b = t.sub(l, x), b = t.mul(e, b), b = t.add(b, h), h = t.add(l, l), l = t.add(h, l), l = t.add(l, x), l = t.mul(l, b), a = t.add(a, l), x = t.mul(y, v), x = t.add(x, x), l = t.mul(x, b), p = t.sub(p, l), h = t.mul(x, N), h = t.add(h, h), h = t.add(h, h), new w(p, a, h);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(e) {
+      L(e);
+      const { px: i, py: c, pz: u } = this, { px: y, py: v, pz: p } = e;
+      let a = t.ZERO, h = t.ZERO, l = t.ZERO;
+      const N = n.a, x = t.mul(n.b, ht);
+      let b = t.mul(i, y), F = t.mul(c, v), r = t.mul(u, p), o = t.add(i, c), s = t.add(y, v);
+      o = t.mul(o, s), s = t.add(b, F), o = t.sub(o, s), s = t.add(i, u);
+      let d = t.add(y, p);
+      return s = t.mul(s, d), d = t.add(b, r), s = t.sub(s, d), d = t.add(c, u), a = t.add(v, p), d = t.mul(d, a), a = t.add(F, r), d = t.sub(d, a), l = t.mul(N, s), a = t.mul(x, r), l = t.add(a, l), a = t.sub(F, l), l = t.add(F, l), h = t.mul(a, l), F = t.add(b, b), F = t.add(F, b), r = t.mul(N, r), s = t.mul(x, s), F = t.add(F, r), r = t.sub(b, r), r = t.mul(N, r), s = t.add(s, r), b = t.mul(F, s), h = t.add(h, b), b = t.mul(d, s), a = t.mul(o, a), a = t.sub(a, b), b = t.mul(o, F), l = t.mul(d, l), l = t.add(l, b), new w(a, h, l);
+    }
+    subtract(e) {
+      return this.add(e.negate());
+    }
+    is0() {
+      return this.equals(w.ZERO);
+    }
+    wNAF(e) {
+      return D.wNAFCached(this, e, w.normalizeZ);
+    }
+    /**
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed private key e.g. sig verification, which works over *public* keys.
+     */
+    multiplyUnsafe(e) {
+      const { endo: i, n: c } = n;
+      Q("scalar", e, j, c);
+      const u = w.ZERO;
+      if (e === j)
+        return u;
+      if (this.is0() || e === A)
+        return this;
+      if (!i || D.hasPrecomputes(this))
+        return D.wNAFCachedUnsafe(this, e, w.normalizeZ);
+      let { k1neg: y, k1: v, k2neg: p, k2: a } = i.splitScalar(e), h = u, l = u, N = this;
+      for (; v > j || a > j; )
+        v & A && (h = h.add(N)), a & A && (l = l.add(N)), N = N.double(), v >>= A, a >>= A;
+      return y && (h = h.negate()), p && (l = l.negate()), l = new w(t.mul(l.px, i.beta), l.py, l.pz), h.add(l);
+    }
+    /**
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
+     */
+    multiply(e) {
+      const { endo: i, n: c } = n;
+      Q("scalar", e, A, c);
+      let u, y;
+      if (i) {
+        const { k1neg: v, k1: p, k2neg: a, k2: h } = i.splitScalar(e);
+        let { p: l, f: N } = this.wNAF(p), { p: x, f: b } = this.wNAF(h);
+        l = D.constTimeNegate(v, l), x = D.constTimeNegate(a, x), x = new w(t.mul(x.px, i.beta), x.py, x.pz), u = l.add(x), y = N.add(b);
+      } else {
+        const { p: v, f: p } = this.wNAF(e);
+        u = v, y = p;
       }
-      return o;
-    },
-    getPrecomputes(t, n, i) {
-      let o = B.get(n);
-      return o || (o = this.precomputeWindow(n, t), t !== 1 && B.set(n, i(o))), o;
+      return w.normalizeZ([u, y])[0];
+    }
+    /**
+     * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
+     * Not using Strauss-Shamir trick: precomputation tables are faster.
+     * The trick could be useful if both P and Q are not G (not in our case).
+     * @returns non-zero affine point
+     */
+    multiplyAndAddUnsafe(e, i, c) {
+      const u = w.BASE, y = (p, a) => a === j || a === A || !p.equals(u) ? p.multiplyUnsafe(a) : p.multiply(a), v = y(this, i).add(y(e, c));
+      return v.is0() ? void 0 : v;
+    }
+    // Converts Projective point to affine (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    // (x, y, z) ∋ (x=x/z, y=y/z)
+    toAffine(e) {
+      return P(this, e);
+    }
+    isTorsionFree() {
+      const { h: e, isTorsionFree: i } = n;
+      if (e === A)
+        return !0;
+      if (i)
+        return i(w, this);
+      throw new Error("isTorsionFree() has not been declared for the elliptic curve");
+    }
+    clearCofactor() {
+      const { h: e, clearCofactor: i } = n;
+      return e === A ? this : i ? i(w, this) : this.multiplyUnsafe(n.h);
+    }
+    toRawBytes(e = !0) {
+      return tt("isCompressed", e), this.assertValidity(), R(w, this, e);
+    }
+    toHex(e = !0) {
+      return tt("isCompressed", e), ct(this.toRawBytes(e));
+    }
+  }
+  w.BASE = new w(n.Gx, n.Gy, t.ONE), w.ZERO = new w(t.ZERO, t.ONE, t.ZERO);
+  const X = n.nBitLength, D = gt(w, n.endo ? Math.ceil(X / 2) : X);
+  return {
+    CURVE: n,
+    ProjectivePoint: w,
+    normPrivateKeyToScalar: S,
+    weierstrassEquation: B,
+    isWithinCurveOrder: H
+  };
+}
+function Lt(f) {
+  const n = mt(f);
+  return yt(n, {
+    hash: "hash",
+    hmac: "function",
+    randomBytes: "function"
+  }, {
+    bits2int: "function",
+    bits2int_modN: "function",
+    lowS: "boolean"
+  }), Object.freeze({ lowS: !0, ...n });
+}
+function Yt(f) {
+  const n = Lt(f), { Fp: t, n: E } = n, R = t.BYTES + 1, Z = 2 * t.BYTES + 1;
+  function B(r) {
+    return wt(r, E);
+  }
+  function H(r) {
+    return xt(r, E);
+  }
+  const { ProjectivePoint: S, normPrivateKeyToScalar: L, weierstrassEquation: P, isWithinCurveOrder: rt } = zt({
+    ...n,
+    toBytes(r, o, s) {
+      const d = o.toAffine(), g = t.toBytes(d.x), O = st;
+      return tt("isCompressed", s), s ? O(Uint8Array.from([o.hasEvenY() ? 2 : 3]), g) : O(Uint8Array.from([4]), g, t.toBytes(d.y));
     },
-    wNAFCached(t, n, i) {
-      const o = S(t);
-      return this.wNAF(o, this.getPrecomputes(o, t, i), n);
+    fromBytes(r) {
+      const o = r.length, s = r[0], d = r.subarray(1);
+      if (o === R && (s === 2 || s === 3)) {
+        const g = nt(d);
+        if (!pt(g, A, t.ORDER))
+          throw new Error("Point is not on curve");
+        const O = P(g);
+        let q;
+        try {
+          q = t.sqrt(O);
+        } catch (V) {
+          const z = V instanceof Error ? ": " + V.message : "";
+          throw new Error("Point is not on curve" + z);
+        }
+        const T = (q & A) === A;
+        return (s & 1) === 1 !== T && (q = t.neg(q)), { x: g, y: q };
+      } else if (o === Z && s === 4) {
+        const g = t.fromBytes(d.subarray(0, t.BYTES)), O = t.fromBytes(d.subarray(t.BYTES, 2 * t.BYTES));
+        return { x: g, y: O };
+      } else {
+        const g = R, O = Z;
+        throw new Error("invalid Point, expected length of " + g + ", or uncompressed " + O + ", got " + o);
+      }
+    }
+  }), w = (r) => ct(dt(r, n.nByteLength));
+  function X(r) {
+    const o = E >> A;
+    return r > o;
+  }
+  function D(r) {
+    return X(r) ? B(-r) : r;
+  }
+  const m = (r, o, s) => nt(r.slice(o, s));
+  class e {
+    constructor(o, s, d) {
+      this.r = o, this.s = s, this.recovery = d, this.assertValidity();
+    }
+    // pair (bytes of r, bytes of s)
+    static fromCompact(o) {
+      const s = n.nByteLength;
+      return o = Y("compactSignature", o, s * 2), new e(m(o, 0, s), m(o, s, 2 * s));
+    }
+    // DER encoded ECDSA signature
+    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
+    static fromDER(o) {
+      const { r: s, s: d } = U.toSig(Y("DER", o));
+      return new e(s, d);
+    }
+    assertValidity() {
+      Q("r", this.r, A, E), Q("s", this.s, A, E);
+    }
+    addRecoveryBit(o) {
+      return new e(this.r, this.s, o);
+    }
+    recoverPublicKey(o) {
+      const { r: s, s: d, recovery: g } = this, O = p(Y("msgHash", o));
+      if (g == null || ![0, 1, 2, 3].includes(g))
+        throw new Error("recovery id invalid");
+      const q = g === 2 || g === 3 ? s + n.n : s;
+      if (q >= t.ORDER)
+        throw new Error("recovery id 2 or 3 invalid");
+      const T = g & 1 ? "03" : "02", C = S.fromHex(T + w(q)), V = H(q), z = B(-O * V), M = B(d * V), K = S.BASE.multiplyAndAddUnsafe(C, z, M);
+      if (!K)
+        throw new Error("point at infinify");
+      return K.assertValidity(), K;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return X(this.s);
+    }
+    normalizeS() {
+      return this.hasHighS() ? new e(this.r, B(-this.s), this.recovery) : this;
+    }
+    // DER-encoded
+    toDERRawBytes() {
+      return lt(this.toDERHex());
+    }
+    toDERHex() {
+      return U.hexFromSig({ r: this.r, s: this.s });
+    }
+    // padded bytes of r, then padded bytes of s
+    toCompactRawBytes() {
+      return lt(this.toCompactHex());
+    }
+    toCompactHex() {
+      return w(this.r) + w(this.s);
+    }
+  }
+  const i = {
+    isValidPrivateKey(r) {
+      try {
+        return L(r), !0;
+      } catch {
+        return !1;
+      }
     },
-    wNAFCachedUnsafe(t, n, i, o) {
-      const a = S(t);
-      return a === 1 ? this.unsafeLadder(t, n, o) : this.wNAFUnsafe(a, this.getPrecomputes(a, t, i), n, o);
+    normPrivateKeyToScalar: L,
+    /**
+     * Produces cryptographically secure private key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    randomPrivateKey: () => {
+      const r = vt(n.n);
+      return Bt(n.randomBytes(r), n.n);
     },
-    // We calculate precomputes for elliptic curve point multiplication
-    // using windowed method. This specifies window size and
-    // stores precomputed values. Usually only base point would be precomputed.
-    setWindowSize(t, n) {
-      A(n, r), E.set(t, n), B.delete(t);
+    /**
+     * Creates precompute table for an arbitrary EC point. Makes point "cached".
+     * Allows to massively speed-up `point.multiply(scalar)`.
+     * @returns cached point
+     * @example
+     * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
+     * fast.multiply(privKey); // much faster ECDH now
+     */
+    precompute(r = 8, o = S.BASE) {
+      return o._setWindowSize(r), o.multiply(BigInt(3)), o;
     }
   };
-}
-function Z(e, r, t, n) {
-  if (L(t, e), k(n, r), t.length !== n.length)
-    throw new Error("arrays of points and scalars must have equal length");
-  const i = e.ZERO, o = O(BigInt(t.length)), a = o > 12 ? o - 3 : o > 4 ? o - 2 : o ? 2 : 1, c = (1 << a) - 1, d = new Array(c + 1).fill(i), h = Math.floor((r.BITS - 1) / a) * a;
-  let w = i;
-  for (let l = h; l >= 0; l -= a) {
-    d.fill(i);
-    for (let s = 0; s < n.length; s++) {
-      const f = n[s], g = Number(f >> BigInt(l) & BigInt(c));
-      d[g] = d[g].add(t[s]);
-    }
-    let u = i;
-    for (let s = d.length - 1, f = i; s > 0; s--)
-      f = f.add(d[s]), u = u.add(f);
-    if (w = w.add(u), l !== 0)
-      for (let s = 0; s < a; s++)
-        w = w.double();
-  }
-  return w;
-}
-function U(e) {
-  return z(e.Fp), x(e, {
-    n: "bigint",
-    h: "bigint",
-    Gx: "field",
-    Gy: "field"
-  }, {
-    nBitLength: "isSafeInteger",
-    nByteLength: "isSafeInteger"
-  }), Object.freeze({
-    ...F(e.n, e.nBitLength),
-    ...e,
-    p: e.Fp.ORDER
-  });
+  function c(r, o = !0) {
+    return S.fromPrivateKey(r).toRawBytes(o);
+  }
+  function u(r) {
+    const o = at(r), s = typeof r == "string", d = (o || s) && r.length;
+    return o ? d === R || d === Z : s ? d === 2 * R || d === 2 * Z : r instanceof S;
+  }
+  function y(r, o, s = !0) {
+    if (u(r))
+      throw new Error("first arg must be private key");
+    if (!u(o))
+      throw new Error("second arg must be public key");
+    return S.fromHex(o).multiply(L(r)).toRawBytes(s);
+  }
+  const v = n.bits2int || function(r) {
+    if (r.length > 8192)
+      throw new Error("input is too large");
+    const o = nt(r), s = r.length * 8 - n.nBitLength;
+    return s > 0 ? o >> BigInt(s) : o;
+  }, p = n.bits2int_modN || function(r) {
+    return B(v(r));
+  }, a = Rt(n.nBitLength);
+  function h(r) {
+    return Q("num < 2^" + n.nBitLength, r, j, a), dt(r, n.nByteLength);
+  }
+  function l(r, o, s = N) {
+    if (["recovered", "canonical"].some((k) => k in s))
+      throw new Error("sign() legacy options not supported");
+    const { hash: d, randomBytes: g } = n;
+    let { lowS: O, prehash: q, extraEntropy: T } = s;
+    O == null && (O = !0), r = Y("msgHash", r), ft(s), q && (r = Y("prehashed msgHash", d(r)));
+    const C = p(r), V = L(o), z = [h(V), h(C)];
+    if (T != null && T !== !1) {
+      const k = T === !0 ? g(t.BYTES) : T;
+      z.push(Y("extraEntropy", k));
+    }
+    const M = st(...z), K = C;
+    function ot(k) {
+      const W = v(k);
+      if (!rt(W))
+        return;
+      const it = H(W), $ = S.BASE.multiply(W).toAffine(), I = B($.x);
+      if (I === j)
+        return;
+      const J = B(it * B(K + I * V));
+      if (J === j)
+        return;
+      let _ = ($.x === I ? 0 : 2) | Number($.y & A), G = J;
+      return O && X(J) && (G = D(J), _ ^= 1), new e(I, G, _);
+    }
+    return { seed: M, k2sig: ot };
+  }
+  const N = { lowS: n.lowS, prehash: !1 }, x = { lowS: n.lowS, prehash: !1 };
+  function b(r, o, s = N) {
+    const { seed: d, k2sig: g } = l(r, o, s), O = n;
+    return Ot(O.hash.outputLen, O.nByteLength, O.hmac)(d, g);
+  }
+  S.BASE._setWindowSize(8);
+  function F(r, o, s, d = x) {
+    var _;
+    const g = r;
+    o = Y("msgHash", o), s = Y("publicKey", s);
+    const { lowS: O, prehash: q, format: T } = d;
+    if (ft(d), "strict" in d)
+      throw new Error("options.strict was renamed to lowS");
+    if (T !== void 0 && T !== "compact" && T !== "der")
+      throw new Error("format must be compact or der");
+    const C = typeof g == "string" || at(g), V = !C && !T && typeof g == "object" && g !== null && typeof g.r == "bigint" && typeof g.s == "bigint";
+    if (!C && !V)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    let z, M;
+    try {
+      if (V && (z = new e(g.r, g.s)), C) {
+        try {
+          T !== "compact" && (z = e.fromDER(g));
+        } catch (G) {
+          if (!(G instanceof U.Err))
+            throw G;
+        }
+        !z && T !== "der" && (z = e.fromCompact(g));
+      }
+      M = S.fromHex(s);
+    } catch {
+      return !1;
+    }
+    if (!z || O && z.hasHighS())
+      return !1;
+    q && (o = n.hash(o));
+    const { r: K, s: ot } = z, k = p(o), W = H(ot), it = B(k * W), $ = B(K * W), I = (_ = S.BASE.multiplyAndAddUnsafe(M, it, $)) == null ? void 0 : _.toAffine();
+    return I ? B(I.x) === K : !1;
+  }
+  return {
+    CURVE: n,
+    getPublicKey: c,
+    getSharedSecret: y,
+    sign: b,
+    verify: F,
+    ProjectivePoint: S,
+    Signature: e,
+    utils: i
+  };
 }
 export {
-  Z as pippenger,
-  U as validateBasic,
-  v as wNAF
+  U as DER,
+  qt as DERErr,
+  Yt as weierstrass,
+  zt as weierstrassPoints
 };