npm - @gardenfi/utils - Versions diffs - 2.5.3-beta.1 → 2.5.3-beta.2 - Mend

@gardenfi/utils 2.5.3-beta.1 → 2.5.3-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (459) hide show

package/dist/index245.js CHANGED Viewed

@@ -1,203 +1,660 @@
-import { bitLen as M, bitMask as y } from "./index244.js";
-import { validateField as I, Field as z, FpInvertBatch as R } from "./index228.js";
+import { validateBasic as mt, pippenger as bt, wNAF as vt } from "./index247.js";
+import { Field as Bt, mod as wt, getMinHashLength as xt, mapHashToField as St, FpInvertBatch as Rt, invert as Ot } from "./index236.js";
+import { bytesToNumberBE as _, bitMask as At, validateObject as pt, concatBytes as lt, aInRange as W, ensureBytes as F, hexToBytes as dt, isBytes as yt, createHmacDrbg as Tt, memoized as ft, abool as tt, bytesToHex as ut, inRange as gt, numberToHexUnpadded as rt, numberToBytesBE as Et } from "./index246.js";
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const m = BigInt(0), b = BigInt(1);
-function v(r, t) {
-  const e = t.negate();
-  return r ? e : t;
+function ht(m) {
+  m.lowS !== void 0 && tt("lowS", m.lowS), m.prehash !== void 0 && tt("prehash", m.prehash);
 }
-function D(r, t) {
-  const e = R(r.Fp, t.map((n) => n.Z));
-  return t.map((n, i) => r.fromAffine(n.toAffine(e[i])));
-}
-function O(r, t) {
-  if (!Number.isSafeInteger(r) || r <= 0 || r > t)
-    throw new Error("invalid window size, expected [1.." + t + "], got W=" + r);
+function Zt(m) {
+  const r = mt(m);
+  pt(r, {
+    a: "field",
+    b: "field"
+  }, {
+    allowInfinityPoint: "boolean",
+    allowedPrivateKeyLengths: "array",
+    clearCofactor: "function",
+    fromBytes: "function",
+    isTorsionFree: "function",
+    toBytes: "function",
+    wrapPrivateKey: "boolean"
+  });
+  const { endo: t, Fp: b, a: S } = r;
+  if (t) {
+    if (!b.eql(S, b.ZERO))
+      throw new Error("invalid endo: CURVE.a must be 0");
+    if (typeof t != "object" || typeof t.beta != "bigint" || typeof t.splitScalar != "function")
+      throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+  }
+  return Object.freeze({ ...r });
 }
-function F(r, t) {
-  O(r, t);
-  const e = Math.ceil(t / r) + 1, n = 2 ** (r - 1), i = 2 ** r, o = y(r), s = BigInt(r);
-  return { windows: e, windowSize: n, mask: o, maxNumber: i, shiftBy: s };
+class zt extends Error {
+  constructor(r = "") {
+    super(r);
+  }
 }
-function S(r, t, e) {
-  const { windowSize: n, mask: i, maxNumber: o, shiftBy: s } = e;
-  let a = Number(r & i), f = r >> s;
-  a > n && (a -= o, f += b);
-  const c = t * n, d = c + Math.abs(a) - 1, u = a === 0, w = a < 0, h = t % 2 !== 0;
-  return { nextN: f, offset: d, isZero: u, isNeg: w, isNegF: h, offsetF: c };
+const C = {
+  // asn.1 DER encoding utils
+  Err: zt,
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (m, r) => {
+      const { Err: t } = C;
+      if (m < 0 || m > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (r.length & 1)
+        throw new t("tlv.encode: unpadded data");
+      const b = r.length / 2, S = rt(b);
+      if (S.length / 2 & 128)
+        throw new t("tlv.encode: long form length too big");
+      const N = b > 127 ? rt(S.length / 2 | 128) : "";
+      return rt(m) + N + S + r;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(m, r) {
+      const { Err: t } = C;
+      let b = 0;
+      if (m < 0 || m > 256)
+        throw new t("tlv.encode: wrong tag");
+      if (r.length < 2 || r[b++] !== m)
+        throw new t("tlv.decode: wrong tlv");
+      const S = r[b++], N = !!(S & 128);
+      let A = 0;
+      if (!N)
+        A = S;
+      else {
+        const x = S & 127;
+        if (!x)
+          throw new t("tlv.decode(long): indefinite length not supported");
+        if (x > 4)
+          throw new t("tlv.decode(long): byte length is too big");
+        const L = r.subarray(b, b + x);
+        if (L.length !== x)
+          throw new t("tlv.decode: length bytes not complete");
+        if (L[0] === 0)
+          throw new t("tlv.decode(long): zero leftmost byte");
+        for (const O of L)
+          A = A << 8 | O;
+        if (b += x, A < 128)
+          throw new t("tlv.decode(long): not minimal encoding");
+      }
+      const V = r.subarray(b, b + A);
+      if (V.length !== A)
+        throw new t("tlv.decode: wrong value length");
+      return { v: V, l: r.subarray(b + A) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(m) {
+      const { Err: r } = C;
+      if (m < U)
+        throw new r("integer: negative integers are not allowed");
+      let t = rt(m);
+      if (Number.parseInt(t[0], 16) & 8 && (t = "00" + t), t.length & 1)
+        throw new r("unexpected DER parsing assertion: unpadded hex");
+      return t;
+    },
+    decode(m) {
+      const { Err: r } = C;
+      if (m[0] & 128)
+        throw new r("invalid signature integer: negative");
+      if (m[0] === 0 && !(m[1] & 128))
+        throw new r("invalid signature integer: unnecessary leading zero");
+      return _(m);
+    }
+  },
+  toSig(m) {
+    const { Err: r, _int: t, _tlv: b } = C, S = F("signature", m), { v: N, l: A } = b.decode(48, S);
+    if (A.length)
+      throw new r("invalid signature: left bytes after parsing");
+    const { v: V, l: x } = b.decode(2, N), { v: L, l: O } = b.decode(2, x);
+    if (O.length)
+      throw new r("invalid signature: left bytes after parsing");
+    return { r: t.decode(V), s: t.decode(L) };
+  },
+  hexFromSig(m) {
+    const { _tlv: r, _int: t } = C, b = r.encode(2, t.encode(m.r)), S = r.encode(2, t.encode(m.s)), N = b + S;
+    return r.encode(48, N);
+  }
+};
+function ct(m, r) {
+  return ut(Et(m, r));
 }
-function j(r, t) {
-  if (!Array.isArray(r))
-    throw new Error("array expected");
-  r.forEach((e, n) => {
-    if (!(e instanceof t))
-      throw new Error("invalid point at index " + n);
+const U = BigInt(0), R = BigInt(1);
+BigInt(2);
+const at = BigInt(3), Nt = BigInt(4);
+function qt(m) {
+  const r = Zt(m), { Fp: t } = r, b = Bt(r.n, r.nBitLength), S = r.toBytes || ((w, e, i) => {
+    const c = e.toAffine();
+    return lt(Uint8Array.from([4]), t.toBytes(c.x), t.toBytes(c.y));
+  }), N = r.fromBytes || ((w) => {
+    const e = w.subarray(1), i = t.fromBytes(e.subarray(0, t.BYTES)), c = t.fromBytes(e.subarray(t.BYTES, 2 * t.BYTES));
+    return { x: i, y: c };
   });
-}
-function _(r, t) {
-  if (!Array.isArray(r))
-    throw new Error("array of scalars expected");
-  r.forEach((e, n) => {
-    if (!t.isValid(e))
-      throw new Error("invalid scalar at index " + n);
+  function A(w) {
+    const { a: e, b: i } = r, c = t.sqr(w), d = t.mul(c, w);
+    return t.add(t.add(d, t.mul(w, e)), i);
+  }
+  function V(w, e) {
+    const i = t.sqr(e), c = A(w);
+    return t.eql(i, c);
+  }
+  if (!V(r.Gx, r.Gy))
+    throw new Error("bad curve params: generator point");
+  const x = t.mul(t.pow(r.a, at), Nt), L = t.mul(t.sqr(r.b), BigInt(27));
+  if (t.is0(t.add(x, L)))
+    throw new Error("bad curve params: a or b");
+  function O(w) {
+    return gt(w, R, r.n);
+  }
+  function k(w) {
+    const { allowedPrivateKeyLengths: e, nByteLength: i, wrapPrivateKey: c, n: d } = r;
+    if (e && typeof w != "bigint") {
+      if (yt(w) && (w = ut(w)), typeof w != "string" || !e.includes(w.length))
+        throw new Error("invalid private key");
+      w = w.padStart(i * 2, "0");
+    }
+    let y;
+    try {
+      y = typeof w == "bigint" ? w : _(F("private key", w, i));
+    } catch {
+      throw new Error("invalid private key, expected hex or " + i + " bytes, got " + typeof w);
+    }
+    return c && (y = wt(y, d)), W("private key", y, R, d), y;
+  }
+  function et(w) {
+    if (!(w instanceof g))
+      throw new Error("ProjectivePoint expected");
+  }
+  const ot = ft((w, e) => {
+    const { px: i, py: c, pz: d } = w;
+    if (t.eql(d, t.ONE))
+      return { x: i, y: c };
+    const y = w.is0();
+    e == null && (e = y ? t.ONE : t.inv(d));
+    const v = t.mul(i, e), E = t.mul(c, e), a = t.mul(d, e);
+    if (y)
+      return { x: t.ZERO, y: t.ZERO };
+    if (!t.eql(a, t.ONE))
+      throw new Error("invZ was invalid");
+    return { x: v, y: E };
+  }), G = ft((w) => {
+    if (w.is0()) {
+      if (r.allowInfinityPoint && !t.is0(w.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x: e, y: i } = w.toAffine();
+    if (!t.isValid(e) || !t.isValid(i))
+      throw new Error("bad point: x or y not FE");
+    if (!V(e, i))
+      throw new Error("bad point: equation left != right");
+    if (!w.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return !0;
   });
+  class g {
+    constructor(e, i, c) {
+      if (e == null || !t.isValid(e))
+        throw new Error("x required");
+      if (i == null || !t.isValid(i) || t.is0(i))
+        throw new Error("y required");
+      if (c == null || !t.isValid(c))
+        throw new Error("z required");
+      this.px = e, this.py = i, this.pz = c, Object.freeze(this);
+    }
+    // Does not validate if the point is on-curve.
+    // Use fromHex instead, or call assertValidity() later.
+    static fromAffine(e) {
+      const { x: i, y: c } = e || {};
+      if (!e || !t.isValid(i) || !t.isValid(c))
+        throw new Error("invalid affine point");
+      if (e instanceof g)
+        throw new Error("projective point not allowed");
+      const d = (y) => t.eql(y, t.ZERO);
+      return d(i) && d(c) ? g.ZERO : new g(i, c, t.ONE);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    /**
+     * Takes a bunch of Projective Points but executes only one
+     * inversion on all of them. Inversion is very slow operation,
+     * so this improves performance massively.
+     * Optimization: converts a list of projective points to a list of identical points with Z=1.
+     */
+    static normalizeZ(e) {
+      const i = Rt(t, e.map((c) => c.pz));
+      return e.map((c, d) => c.toAffine(i[d])).map(g.fromAffine);
+    }
+    /**
+     * Converts hash string or Uint8Array to Point.
+     * @param hex short/long ECDSA hex
+     */
+    static fromHex(e) {
+      const i = g.fromAffine(N(F("pointHex", e)));
+      return i.assertValidity(), i;
+    }
+    // Multiplies generator point by privateKey.
+    static fromPrivateKey(e) {
+      return g.BASE.multiply(k(e));
+    }
+    // Multiscalar Multiplication
+    static msm(e, i) {
+      return bt(g, b, e, i);
+    }
+    // "Private method", don't use it directly
+    _setWindowSize(e) {
+      j.setWindowSize(this, e);
+    }
+    // A point on curve is valid if it conforms to equation.
+    assertValidity() {
+      G(this);
+    }
+    hasEvenY() {
+      const { y: e } = this.toAffine();
+      if (t.isOdd)
+        return !t.isOdd(e);
+      throw new Error("Field doesn't support isOdd");
+    }
+    /**
+     * Compare one point to another.
+     */
+    equals(e) {
+      et(e);
+      const { px: i, py: c, pz: d } = this, { px: y, py: v, pz: E } = e, a = t.eql(t.mul(i, E), t.mul(y, d)), p = t.eql(t.mul(c, E), t.mul(v, d));
+      return a && p;
+    }
+    /**
+     * Flips point to one corresponding to (x, -y) in Affine coordinates.
+     */
+    negate() {
+      return new g(this.px, t.neg(this.py), this.pz);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a: e, b: i } = r, c = t.mul(i, at), { px: d, py: y, pz: v } = this;
+      let E = t.ZERO, a = t.ZERO, p = t.ZERO, l = t.mul(d, d), T = t.mul(y, y), o = t.mul(v, v), n = t.mul(d, y);
+      return n = t.add(n, n), p = t.mul(d, v), p = t.add(p, p), E = t.mul(e, p), a = t.mul(c, o), a = t.add(E, a), E = t.sub(T, a), a = t.add(T, a), a = t.mul(E, a), E = t.mul(n, E), p = t.mul(c, p), o = t.mul(e, o), n = t.sub(l, o), n = t.mul(e, n), n = t.add(n, p), p = t.add(l, l), l = t.add(p, l), l = t.add(l, o), l = t.mul(l, n), a = t.add(a, l), o = t.mul(y, v), o = t.add(o, o), l = t.mul(o, n), E = t.sub(E, l), p = t.mul(o, T), p = t.add(p, p), p = t.add(p, p), new g(E, a, p);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(e) {
+      et(e);
+      const { px: i, py: c, pz: d } = this, { px: y, py: v, pz: E } = e;
+      let a = t.ZERO, p = t.ZERO, l = t.ZERO;
+      const T = r.a, o = t.mul(r.b, at);
+      let n = t.mul(i, y), s = t.mul(c, v), h = t.mul(d, E), u = t.add(i, c), f = t.add(y, v);
+      u = t.mul(u, f), f = t.add(n, s), u = t.sub(u, f), f = t.add(i, d);
+      let B = t.add(y, E);
+      return f = t.mul(f, B), B = t.add(n, h), f = t.sub(f, B), B = t.add(c, d), a = t.add(v, E), B = t.mul(B, a), a = t.add(s, h), B = t.sub(B, a), l = t.mul(T, f), a = t.mul(o, h), l = t.add(a, l), a = t.sub(s, l), l = t.add(s, l), p = t.mul(a, l), s = t.add(n, n), s = t.add(s, n), h = t.mul(T, h), f = t.mul(o, f), s = t.add(s, h), h = t.sub(n, h), h = t.mul(T, h), f = t.add(f, h), n = t.mul(s, f), p = t.add(p, n), n = t.mul(B, f), a = t.mul(u, a), a = t.sub(a, n), n = t.mul(u, s), l = t.mul(B, l), l = t.add(l, n), new g(a, p, l);
+    }
+    subtract(e) {
+      return this.add(e.negate());
+    }
+    is0() {
+      return this.equals(g.ZERO);
+    }
+    wNAF(e) {
+      return j.wNAFCached(this, e, g.normalizeZ);
+    }
+    /**
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed private key e.g. sig verification, which works over *public* keys.
+     */
+    multiplyUnsafe(e) {
+      const { endo: i, n: c } = r;
+      W("scalar", e, U, c);
+      const d = g.ZERO;
+      if (e === U)
+        return d;
+      if (this.is0() || e === R)
+        return this;
+      if (!i || j.hasPrecomputes(this))
+        return j.wNAFCachedUnsafe(this, e, g.normalizeZ);
+      let { k1neg: y, k1: v, k2neg: E, k2: a } = i.splitScalar(e), p = d, l = d, T = this;
+      for (; v > U || a > U; )
+        v & R && (p = p.add(T)), a & R && (l = l.add(T)), T = T.double(), v >>= R, a >>= R;
+      return y && (p = p.negate()), E && (l = l.negate()), l = new g(t.mul(l.px, i.beta), l.py, l.pz), p.add(l);
+    }
+    /**
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
+     */
+    multiply(e) {
+      const { endo: i, n: c } = r;
+      W("scalar", e, R, c);
+      let d, y;
+      if (i) {
+        const { k1neg: v, k1: E, k2neg: a, k2: p } = i.splitScalar(e);
+        let { p: l, f: T } = this.wNAF(E), { p: o, f: n } = this.wNAF(p);
+        l = j.constTimeNegate(v, l), o = j.constTimeNegate(a, o), o = new g(t.mul(o.px, i.beta), o.py, o.pz), d = l.add(o), y = T.add(n);
+      } else {
+        const { p: v, f: E } = this.wNAF(e);
+        d = v, y = E;
+      }
+      return g.normalizeZ([d, y])[0];
+    }
+    /**
+     * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
+     * Not using Strauss-Shamir trick: precomputation tables are faster.
+     * The trick could be useful if both P and Q are not G (not in our case).
+     * @returns non-zero affine point
+     */
+    multiplyAndAddUnsafe(e, i, c) {
+      const d = g.BASE, y = (E, a) => a === U || a === R || !E.equals(d) ? E.multiplyUnsafe(a) : E.multiply(a), v = y(this, i).add(y(e, c));
+      return v.is0() ? void 0 : v;
+    }
+    // Converts Projective point to affine (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    // (x, y, z) ∋ (x=x/z, y=y/z)
+    toAffine(e) {
+      return ot(this, e);
+    }
+    isTorsionFree() {
+      const { h: e, isTorsionFree: i } = r;
+      if (e === R)
+        return !0;
+      if (i)
+        return i(g, this);
+      throw new Error("isTorsionFree() has not been declared for the elliptic curve");
+    }
+    clearCofactor() {
+      const { h: e, clearCofactor: i } = r;
+      return e === R ? this : i ? i(g, this) : this.multiplyUnsafe(r.h);
+    }
+    toRawBytes(e = !0) {
+      return tt("isCompressed", e), this.assertValidity(), S(g, this, e);
+    }
+    toHex(e = !0) {
+      return tt("isCompressed", e), ut(this.toRawBytes(e));
+    }
+  }
+  g.BASE = new g(r.Gx, r.Gy, t.ONE), g.ZERO = new g(t.ZERO, t.ONE, t.ZERO);
+  const { endo: nt, nBitLength: q } = r, j = vt(g, nt ? Math.ceil(q / 2) : q);
+  return {
+    CURVE: r,
+    ProjectivePoint: g,
+    normPrivateKeyToScalar: k,
+    weierstrassEquation: A,
+    isWithinCurveOrder: O
+  };
 }
-const E = /* @__PURE__ */ new WeakMap(), B = /* @__PURE__ */ new WeakMap();
-function N(r) {
-  return B.get(r) || 1;
-}
-function Z(r) {
-  if (r !== m)
-    throw new Error("invalid wNAF");
+function Ft(m) {
+  const r = mt(m);
+  return pt(r, {
+    hash: "hash",
+    hmac: "function",
+    randomBytes: "function"
+  }, {
+    bits2int: "function",
+    bits2int_modN: "function",
+    lowS: "boolean"
+  }), Object.freeze({ lowS: !0, ...r });
 }
-class G {
-  // Parametrized with a given Point class (not individual point)
-  constructor(t, e) {
-    this.BASE = t.BASE, this.ZERO = t.ZERO, this.Fn = t.Fn, this.bits = e;
-  }
-  // non-const time multiplication ladder
-  _unsafeLadder(t, e, n = this.ZERO) {
-    let i = t;
-    for (; e > m; )
-      e & b && (n = n.add(i)), i = i.double(), e >>= b;
-    return n;
-  }
-  /**
-   * Creates a wNAF precomputation window. Used for caching.
-   * Default window size is set by `utils.precompute()` and is equal to 8.
-   * Number of precomputed points depends on the curve size:
-   * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-   * - 𝑊 is the window size
-   * - 𝑛 is the bitlength of the curve order.
-   * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-   * @param point Point instance
-   * @param W window size
-   * @returns precomputed point tables flattened to a single array
-   */
-  precomputeWindow(t, e) {
-    const { windows: n, windowSize: i } = F(e, this.bits), o = [];
-    let s = t, a = s;
-    for (let f = 0; f < n; f++) {
-      a = s, o.push(a);
-      for (let c = 1; c < i; c++)
-        a = a.add(s), o.push(a);
-      s = a.double();
-    }
-    return o;
-  }
-  /**
-   * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-   * More compact implementation:
-   * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
-   * @returns real and fake (for const-time) points
-   */
-  wNAF(t, e, n) {
-    if (!this.Fn.isValid(n))
-      throw new Error("invalid scalar");
-    let i = this.ZERO, o = this.BASE;
-    const s = F(t, this.bits);
-    for (let a = 0; a < s.windows; a++) {
-      const { nextN: f, offset: c, isZero: d, isNeg: u, isNegF: w, offsetF: h } = S(n, a, s);
-      n = f, d ? o = o.add(v(w, e[h])) : i = i.add(v(u, e[c]));
-    }
-    return Z(n), { p: i, f: o };
-  }
-  /**
-   * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-   * @param acc accumulator point to add result of multiplication
-   * @returns point
-   */
-  wNAFUnsafe(t, e, n, i = this.ZERO) {
-    const o = F(t, this.bits);
-    for (let s = 0; s < o.windows && n !== m; s++) {
-      const { nextN: a, offset: f, isZero: c, isNeg: d } = S(n, s, o);
-      if (n = a, !c) {
-        const u = e[f];
-        i = i.add(d ? u.negate() : u);
+function Ht(m) {
+  const r = Ft(m), { Fp: t, n: b, nByteLength: S, nBitLength: N } = r, A = t.BYTES + 1, V = 2 * t.BYTES + 1;
+  function x(o) {
+    return wt(o, b);
+  }
+  function L(o) {
+    return Ot(o, b);
+  }
+  const { ProjectivePoint: O, normPrivateKeyToScalar: k, weierstrassEquation: et, isWithinCurveOrder: ot } = qt({
+    ...r,
+    toBytes(o, n, s) {
+      const h = n.toAffine(), u = t.toBytes(h.x), f = lt;
+      return tt("isCompressed", s), s ? f(Uint8Array.from([n.hasEvenY() ? 2 : 3]), u) : f(Uint8Array.from([4]), u, t.toBytes(h.y));
+    },
+    fromBytes(o) {
+      const n = o.length, s = o[0], h = o.subarray(1);
+      if (n === A && (s === 2 || s === 3)) {
+        const u = _(h);
+        if (!gt(u, R, t.ORDER))
+          throw new Error("Point is not on curve");
+        const f = et(u);
+        let B;
+        try {
+          B = t.sqrt(f);
+        } catch (Y) {
+          const z = Y instanceof Error ? ": " + Y.message : "";
+          throw new Error("Point is not on curve" + z);
+        }
+        const Z = (B & R) === R;
+        return (s & 1) === 1 !== Z && (B = t.neg(B)), { x: u, y: B };
+      } else if (n === V && s === 4) {
+        const u = t.fromBytes(h.subarray(0, t.BYTES)), f = t.fromBytes(h.subarray(t.BYTES, 2 * t.BYTES));
+        return { x: u, y: f };
+      } else {
+        const u = A, f = V;
+        throw new Error("invalid Point, expected length of " + u + ", or uncompressed " + f + ", got " + n);
       }
     }
-    return Z(n), i;
+  });
+  function G(o) {
+    const n = b >> R;
+    return o > n;
   }
-  getPrecomputes(t, e, n) {
-    let i = E.get(e);
-    return i || (i = this.precomputeWindow(e, t), t !== 1 && (typeof n == "function" && (i = n(i)), E.set(e, i))), i;
+  function g(o) {
+    return G(o) ? x(-o) : o;
   }
-  cached(t, e, n) {
-    const i = N(t);
-    return this.wNAF(i, this.getPrecomputes(i, t, n), e);
+  const nt = (o, n, s) => _(o.slice(n, s));
+  class q {
+    constructor(n, s, h) {
+      W("r", n, R, b), W("s", s, R, b), this.r = n, this.s = s, h != null && (this.recovery = h), Object.freeze(this);
+    }
+    // pair (bytes of r, bytes of s)
+    static fromCompact(n) {
+      const s = S;
+      return n = F("compactSignature", n, s * 2), new q(nt(n, 0, s), nt(n, s, 2 * s));
+    }
+    // DER encoded ECDSA signature
+    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
+    static fromDER(n) {
+      const { r: s, s: h } = C.toSig(F("DER", n));
+      return new q(s, h);
+    }
+    /**
+     * @todo remove
+     * @deprecated
+     */
+    assertValidity() {
+    }
+    addRecoveryBit(n) {
+      return new q(this.r, this.s, n);
+    }
+    recoverPublicKey(n) {
+      const { r: s, s: h, recovery: u } = this, f = d(F("msgHash", n));
+      if (u == null || ![0, 1, 2, 3].includes(u))
+        throw new Error("recovery id invalid");
+      const B = u === 2 || u === 3 ? s + r.n : s;
+      if (B >= t.ORDER)
+        throw new Error("recovery id 2 or 3 invalid");
+      const Z = u & 1 ? "03" : "02", H = O.fromHex(Z + ct(B, t.BYTES)), Y = L(B), z = x(-f * Y), P = x(h * Y), I = O.BASE.multiplyAndAddUnsafe(H, z, P);
+      if (!I)
+        throw new Error("point at infinify");
+      return I.assertValidity(), I;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return G(this.s);
+    }
+    normalizeS() {
+      return this.hasHighS() ? new q(this.r, x(-this.s), this.recovery) : this;
+    }
+    // DER-encoded
+    toDERRawBytes() {
+      return dt(this.toDERHex());
+    }
+    toDERHex() {
+      return C.hexFromSig(this);
+    }
+    // padded bytes of r, then padded bytes of s
+    toCompactRawBytes() {
+      return dt(this.toCompactHex());
+    }
+    toCompactHex() {
+      const n = S;
+      return ct(this.r, n) + ct(this.s, n);
+    }
   }
-  unsafe(t, e, n, i) {
-    const o = N(t);
-    return o === 1 ? this._unsafeLadder(t, e, i) : this.wNAFUnsafe(o, this.getPrecomputes(o, t, n), e, i);
+  const j = {
+    isValidPrivateKey(o) {
+      try {
+        return k(o), !0;
+      } catch {
+        return !1;
+      }
+    },
+    normPrivateKeyToScalar: k,
+    /**
+     * Produces cryptographically secure private key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    randomPrivateKey: () => {
+      const o = xt(r.n);
+      return St(r.randomBytes(o), r.n);
+    },
+    /**
+     * Creates precompute table for an arbitrary EC point. Makes point "cached".
+     * Allows to massively speed-up `point.multiply(scalar)`.
+     * @returns cached point
+     * @example
+     * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
+     * fast.multiply(privKey); // much faster ECDH now
+     */
+    precompute(o = 8, n = O.BASE) {
+      return n._setWindowSize(o), n.multiply(BigInt(3)), n;
+    }
+  };
+  function w(o, n = !0) {
+    return O.fromPrivateKey(o).toRawBytes(n);
   }
-  // We calculate precomputes for elliptic curve point multiplication
-  // using windowed method. This specifies window size and
-  // stores precomputed values. Usually only base point would be precomputed.
-  createCache(t, e) {
-    O(e, this.bits), B.set(t, e), E.delete(t);
+  function e(o) {
+    if (typeof o == "bigint")
+      return !1;
+    if (o instanceof O)
+      return !0;
+    const s = F("key", o).length, h = t.BYTES, u = h + 1, f = 2 * h + 1;
+    if (!(r.allowedPrivateKeyLengths || S === u))
+      return s === u || s === f;
   }
-  hasCache(t) {
-    return N(t) !== 1;
+  function i(o, n, s = !0) {
+    if (e(o) === !0)
+      throw new Error("first arg must be private key");
+    if (e(n) === !1)
+      throw new Error("second arg must be public key");
+    return O.fromHex(n).multiply(k(o)).toRawBytes(s);
   }
-}
-function q(r, t, e, n) {
-  let i = t, o = r.ZERO, s = r.ZERO;
-  for (; e > m || n > m; )
-    e & b && (o = o.add(i)), n & b && (s = s.add(i)), i = i.double(), e >>= b, n >>= b;
-  return { p1: o, p2: s };
-}
-function K(r, t, e, n) {
-  j(e, r), _(n, t);
-  const i = e.length, o = n.length;
-  if (i !== o)
-    throw new Error("arrays of points and scalars must have equal length");
-  const s = r.ZERO, a = M(BigInt(i));
-  let f = 1;
-  a > 12 ? f = a - 3 : a > 4 ? f = a - 2 : a > 0 && (f = 2);
-  const c = y(f), d = new Array(Number(c) + 1).fill(s), u = Math.floor((t.BITS - 1) / f) * f;
-  let w = s;
-  for (let h = u; h >= 0; h -= f) {
-    d.fill(s);
-    for (let l = 0; l < o; l++) {
-      const p = n[l], A = Number(p >> BigInt(h) & c);
-      d[A] = d[A].add(e[l]);
-    }
-    let g = s;
-    for (let l = d.length - 1, p = s; l > 0; l--)
-      p = p.add(d[l]), g = g.add(p);
-    if (w = w.add(g), h !== 0)
-      for (let l = 0; l < f; l++)
-        w = w.double();
-  }
-  return w;
-}
-function x(r, t, e) {
-  if (t) {
-    if (t.ORDER !== r)
-      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
-    return I(t), t;
-  } else
-    return z(r, { isLE: e });
-}
-function P(r, t, e = {}, n) {
-  if (n === void 0 && (n = r === "edwards"), !t || typeof t != "object")
-    throw new Error(`expected valid ${r} CURVE object`);
-  for (const f of ["p", "n", "h"]) {
-    const c = t[f];
-    if (!(typeof c == "bigint" && c > m))
-      throw new Error(`CURVE.${f} must be positive bigint`);
-  }
-  const i = x(t.p, e.Fp, n), o = x(t.n, e.Fn, n), a = ["Gx", "Gy", "a", "b"];
-  for (const f of a)
-    if (!i.isValid(t[f]))
-      throw new Error(`CURVE.${f} must be valid field element of CURVE.Fp`);
-  return t = Object.freeze(Object.assign({}, t)), { CURVE: t, Fp: i, Fn: o };
+  const c = r.bits2int || function(o) {
+    if (o.length > 8192)
+      throw new Error("input is too large");
+    const n = _(o), s = o.length * 8 - N;
+    return s > 0 ? n >> BigInt(s) : n;
+  }, d = r.bits2int_modN || function(o) {
+    return x(c(o));
+  }, y = At(N);
+  function v(o) {
+    return W("num < 2^" + N, o, U, y), Et(o, S);
+  }
+  function E(o, n, s = a) {
+    if (["recovered", "canonical"].some((D) => D in s))
+      throw new Error("sign() legacy options not supported");
+    const { hash: h, randomBytes: u } = r;
+    let { lowS: f, prehash: B, extraEntropy: Z } = s;
+    f == null && (f = !0), o = F("msgHash", o), ht(s), B && (o = F("prehashed msgHash", h(o)));
+    const H = d(o), Y = k(n), z = [v(Y), v(H)];
+    if (Z != null && Z !== !1) {
+      const D = Z === !0 ? u(t.BYTES) : Z;
+      z.push(F("extraEntropy", D));
+    }
+    const P = lt(...z), I = H;
+    function it(D) {
+      const X = c(D);
+      if (!ot(X))
+        return;
+      const st = L(X), Q = O.BASE.multiply(X).toAffine(), K = x(Q.x);
+      if (K === U)
+        return;
+      const J = x(st * x(I + K * Y));
+      if (J === U)
+        return;
+      let $ = (Q.x === K ? 0 : 2) | Number(Q.y & R), M = J;
+      return f && G(J) && (M = g(J), $ ^= 1), new q(K, M, $);
+    }
+    return { seed: P, k2sig: it };
+  }
+  const a = { lowS: r.lowS, prehash: !1 }, p = { lowS: r.lowS, prehash: !1 };
+  function l(o, n, s = a) {
+    const { seed: h, k2sig: u } = E(o, n, s), f = r;
+    return Tt(f.hash.outputLen, f.nByteLength, f.hmac)(h, u);
+  }
+  O.BASE._setWindowSize(8);
+  function T(o, n, s, h = p) {
+    var $;
+    const u = o;
+    n = F("msgHash", n), s = F("publicKey", s);
+    const { lowS: f, prehash: B, format: Z } = h;
+    if (ht(h), "strict" in h)
+      throw new Error("options.strict was renamed to lowS");
+    if (Z !== void 0 && Z !== "compact" && Z !== "der")
+      throw new Error("format must be compact or der");
+    const H = typeof u == "string" || yt(u), Y = !H && !Z && typeof u == "object" && u !== null && typeof u.r == "bigint" && typeof u.s == "bigint";
+    if (!H && !Y)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    let z, P;
+    try {
+      if (Y && (z = new q(u.r, u.s)), H) {
+        try {
+          Z !== "compact" && (z = q.fromDER(u));
+        } catch (M) {
+          if (!(M instanceof C.Err))
+            throw M;
+        }
+        !z && Z !== "der" && (z = q.fromCompact(u));
+      }
+      P = O.fromHex(s);
+    } catch {
+      return !1;
+    }
+    if (!z || f && z.hasHighS())
+      return !1;
+    B && (n = r.hash(n));
+    const { r: I, s: it } = z, D = d(n), X = L(it), st = x(D * X), Q = x(I * X), K = ($ = O.BASE.multiplyAndAddUnsafe(P, st, Q)) == null ? void 0 : $.toAffine();
+    return K ? x(K.x) === I : !1;
+  }
+  return {
+    CURVE: r,
+    getPublicKey: w,
+    getSharedSecret: i,
+    sign: l,
+    verify: T,
+    ProjectivePoint: O,
+    Signature: q,
+    utils: j
+  };
 }
 export {
-  P as _createCurveFields,
-  q as mulEndoUnsafe,
-  v as negateCt,
-  D as normalizeZ,
-  K as pippenger,
-  G as wNAF
+  C as DER,
+  zt as DERErr,
+  Ht as weierstrass,
+  qt as weierstrassPoints
 };