@hfunlabs/hyperliquid 0.30.0-hfunlabs.1 → 0.30.2-hfunlabs.2

package/script/deps/jsr.io/@noble/curves/2.0.1/src/abstract/curve.d.ts

@@ -0,0 +1,195 @@
+/**
+ * Methods for elliptic curve multiplication by scalars.
+ * Contains wNAF, pippenger.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { type Signer } from '../utils.js';
+import { type IField } from './modular.js';
+export type AffinePoint<T> = {
+    x: T;
+    y: T;
+} & {
+    Z?: never;
+};
+/** Base interface for all elliptic curve Points. */
+export interface CurvePoint<F, P extends CurvePoint<F, P>> {
+    /** Affine x coordinate. Different from projective / extended X coordinate. */
+    x: F;
+    /** Affine y coordinate. Different from projective / extended Y coordinate. */
+    y: F;
+    Z?: F;
+    double(): P;
+    negate(): P;
+    add(other: P): P;
+    subtract(other: P): P;
+    equals(other: P): boolean;
+    multiply(scalar: bigint): P;
+    assertValidity(): void;
+    clearCofactor(): P;
+    is0(): boolean;
+    isTorsionFree(): boolean;
+    isSmallOrder(): boolean;
+    multiplyUnsafe(scalar: bigint): P;
+    /**
+     * Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
+     * @param isLazy calculate cache now. Default (true) ensures it's deferred to first `multiply()`
+     */
+    precompute(windowSize?: number, isLazy?: boolean): P;
+    /** Converts point to 2D xy affine coordinates */
+    toAffine(invertedZ?: F): AffinePoint<F>;
+    toBytes(): Uint8Array;
+    toHex(): string;
+}
+/** Base interface for all elliptic curve Point constructors. */
+export interface CurvePointCons<P extends CurvePoint<any, P>> {
+    [Symbol.hasInstance]: (item: unknown) => boolean;
+    BASE: P;
+    ZERO: P;
+    /** Field for basic curve math */
+    Fp: IField<P_F<P>>;
+    /** Scalar field, for scalars in multiply and others */
+    Fn: IField<bigint>;
+    /** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    fromAffine(p: AffinePoint<P_F<P>>): P;
+    fromBytes(bytes: Uint8Array): P;
+    fromHex(hex: string): P;
+}
+/** Returns Fp type from Point (P_F<P> == P.F) */
+export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never;
+/** Returns Fp type from PointCons (PC_F<PC> == PC.P.F) */
+export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO'];
+/** Returns Point type from PointCons (PC_P<PC> == PC.P) */
+export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO'];
+export type PC_ANY = CurvePointCons<CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, any>>>>>>>>>>>;
+export interface CurveLengths {
+    secretKey?: number;
+    publicKey?: number;
+    publicKeyUncompressed?: number;
+    publicKeyHasPrefix?: boolean;
+    signature?: number;
+    seed?: number;
+}
+export type Mapper<T> = (i: T[]) => T[];
+export declare function negateCt<T extends {
+    negate: () => T;
+}>(condition: boolean, item: T): T;
+/**
+ * Takes a bunch of Projective Points but executes only one
+ * inversion on all of them. Inversion is very slow operation,
+ * so this improves performance massively.
+ * Optimization: converts a list of projective points to a list of identical points with Z=1.
+ */
+export declare function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[]): P[];
+/**
+ * Elliptic curve multiplication of Point by scalar. Fragile.
+ * Table generation takes **30MB of ram and 10ms on high-end CPU**,
+ * but may take much longer on slow devices. Actual generation will happen on
+ * first call of `multiply()`. By default, `BASE` point is precomputed.
+ *
+ * Scalars should always be less than curve order: this should be checked inside of a curve itself.
+ * Creates precomputation tables for fast multiplication:
+ * - private scalar is split by fixed size windows of W bits
+ * - every window point is collected from window's table & added to accumulator
+ * - since windows are different, same point inside tables won't be accessed more than once per calc
+ * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+ * - +1 window is neccessary for wNAF
+ * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+ *
+ * @todo Research returning 2d JS array of windows, instead of a single window.
+ * This would allow windows to be in different memory locations
+ */
+export declare class wNAF<PC extends PC_ANY> {
+    private readonly BASE;
+    private readonly ZERO;
+    private readonly Fn;
+    readonly bits: number;
+    constructor(Point: PC, bits: number);
+    _unsafeLadder(elm: PC_P<PC>, n: bigint, p?: PC_P<PC>): PC_P<PC>;
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    private precomputeWindow;
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    private wNAF;
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    private wNAFUnsafe;
+    private getPrecomputes;
+    cached(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>): {
+        p: PC_P<PC>;
+        f: PC_P<PC>;
+    };
+    unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC>;
+    createCache(P: PC_P<PC>, W: number): void;
+    hasCache(elm: PC_P<PC>): boolean;
+}
+/**
+ * Endomorphism-specific multiplication for Koblitz curves.
+ * Cost: 128 dbl, 0-256 adds.
+ */
+export declare function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(Point: PC, point: P, k1: bigint, k2: bigint): {
+    p1: P;
+    p2: P;
+};
+/**
+ * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
+ * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
+ * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @param scalars array of L scalars (aka secret keys / bigints)
+ */
+export declare function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[], scalars: bigint[]): P;
+/**
+ * Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @returns function which multiplies points with scaars
+ */
+export declare function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[], windowSize: number): (scalars: bigint[]) => P;
+export type ValidCurveParams<T> = {
+    p: bigint;
+    n: bigint;
+    h: bigint;
+    a: T;
+    b?: T;
+    d?: T;
+    Gx: T;
+    Gy: T;
+};
+export type FpFn<T> = {
+    Fp: IField<T>;
+    Fn: IField<bigint>;
+};
+/** Validates CURVE opts and creates fields */
+export declare function createCurveFields<T>(type: 'weierstrass' | 'edwards', CURVE: ValidCurveParams<T>, curveOpts?: Partial<FpFn<T>>, FpFnLE?: boolean): FpFn<T> & {
+    CURVE: ValidCurveParams<T>;
+};
+type KeygenFn = (seed?: Uint8Array, isCompressed?: boolean) => {
+    secretKey: Uint8Array;
+    publicKey: Uint8Array;
+};
+export declare function createKeygen(randomSecretKey: Function, getPublicKey: Signer['getPublicKey']): KeygenFn;
+export {};
+//# sourceMappingURL=curve.d.ts.map

package/script/deps/jsr.io/@noble/curves/2.0.1/src/abstract/curve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"curve.d.ts","sourceRoot":"","sources":["../../../../../../../../src/deps/jsr.io/@noble/curves/2.0.1/src/abstract/curve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAmB,KAAK,MAAM,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAuC,KAAK,MAAM,EAAE,MAAM,cAAc,CAAC;AAKhF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI;IAC3B,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,EAAE,CAAC,CAAC;CACN,GAAG;IAAE,CAAC,CAAC,EAAE,KAAK,CAAA;CAAE,CAAC;AAUlB,oDAAoD;AACpD,MAAM,WAAW,UAAU,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC;IACvD,8EAA8E;IAC9E,CAAC,EAAE,CAAC,CAAC;IACL,8EAA8E;IAC9E,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,CAAC,EAAE,CAAC,CAAC;IACN,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,IAAI,CAAC,CAAC;IACZ,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACjB,QAAQ,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACtB,MAAM,CAAC,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC;IAC5B,cAAc,IAAI,IAAI,CAAC;IACvB,aAAa,IAAI,CAAC,CAAC;IACnB,GAAG,IAAI,OAAO,CAAC;IACf,aAAa,IAAI,OAAO,CAAC;IACzB,YAAY,IAAI,OAAO,CAAC;IACxB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC;IAClC;;;OAGG;IACH,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;IACrD,iDAAiD;IACjD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IACxC,OAAO,IAAI,UAAU,CAAC;IACtB,KAAK,IAAI,MAAM,CAAC;CACjB;AAED,gEAAgE;AAChE,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC;IAC1D,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC;IACjD,IAAI,EAAE,CAAC,CAAC;IACR,IAAI,EAAE,CAAC,CAAC;IACR,iCAAiC;IACjC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnB,uDAAuD;IACvD,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,iGAAiG;IACjG,UAAU,CAAC,CAAC,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,CAAC,CAAC;IAChC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,CAAC,CAAC;CACzB;AAaD,iDAAiD;AACjD,MAAM,MAAM,GAAG,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;AAC7F,0DAA0D;AAC1D,MAAM,MAAM,IAAI,CAAC,EAAE,SAAS,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;AACrF,2DAA2D;AAC3D,MAAM,MAAM,IAAI,CAAC,EAAE,SAAS,cAAc,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;AAgB/E,MAAM,MAAM,MAAM,GAAG,cAAc,CACjC,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EACd,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CACnB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACV,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;AAExC,wBAAgB,QAAQ,CAAC,CAAC,SAAS;IAAE,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAGtF;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,EACnF,CAAC,EAAE,EAAE,EACL,MAAM,EAAE,CAAC,EAAE,GACV,CAAC,EAAE,CAML;AAgFD;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,IAAI,CAAC,EAAE,SAAS,MAAM;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAW;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAW;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAW;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAGV,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM;IAQnC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,GAAE,IAAI,CAAC,EAAE,CAAa,GAAG,IAAI,CAAC,EAAE,CAAC;IAU1E;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;;;;OAKG;IACH,OAAO,CAAC,IAAI;IAgCZ;;;;OAIG;IACH,OAAO,CAAC,UAAU;IAwBlB,OAAO,CAAC,cAAc;IActB,MAAM,CACJ,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,EACf,MAAM,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,GAC3B;QAAE,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,CAAA;KAAE;IAK/B,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IAShG,WAAW,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI;IAMzC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,OAAO;CAGjC;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,EACtF,KAAK,EAAE,EAAE,EACT,KAAK,EAAE,CAAC,EACR,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IAAE,EAAE,EAAE,CAAC,CAAC;IAAC,EAAE,EAAE,CAAC,CAAA;CAAE,CAYlB;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,EAClF,CAAC,EAAE,EAAE,EACL,MAAM,EAAE,CAAC,EAAE,EACX,OAAO,EAAE,MAAM,EAAE,GAChB,CAAC,CAyCH;AACD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,EAC5F,CAAC,EAAE,EAAE,EACL,MAAM,EAAE,CAAC,EAAE,EACX,UAAU,EAAE,MAAM,GACjB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAqE1B;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,CAAC,EAAE,CAAC,CAAC;IACN,CAAC,CAAC,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;CACP,CAAC;AAWF,MAAM,MAAM,IAAI,CAAC,CAAC,IAAI;IAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;CAAE,CAAC;AAE5D,8CAA8C;AAC9C,wBAAgB,iBAAiB,CAAC,CAAC,EACjC,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC1B,SAAS,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAM,EAChC,MAAM,CAAC,EAAE,OAAO,GACf,IAAI,CAAC,CAAC,CAAC,GAAG;IAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAA;CAAE,CAmB1C;AAED,KAAK,QAAQ,GAAG,CACd,IAAI,CAAC,EAAE,UAAU,EACjB,YAAY,CAAC,EAAE,OAAO,KACnB;IAAE,SAAS,EAAE,UAAU,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,CAAC;AACtD,wBAAgB,YAAY,CAC1B,eAAe,EAAE,QAAQ,EACzB,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC,GACnC,QAAQ,CAKV"}

package/script/deps/jsr.io/@noble/curves/2.0.1/src/abstract/curve.js

@@ -0,0 +1,468 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.wNAF = void 0;
+exports.negateCt = negateCt;
+exports.normalizeZ = normalizeZ;
+exports.mulEndoUnsafe = mulEndoUnsafe;
+exports.pippenger = pippenger;
+exports.precomputeMSMUnsafe = precomputeMSMUnsafe;
+exports.createCurveFields = createCurveFields;
+exports.createKeygen = createKeygen;
+/**
+ * Methods for elliptic curve multiplication by scalars.
+ * Contains wNAF, pippenger.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const utils_js_1 = require("../utils.js");
+const modular_js_1 = require("./modular.js");
+const _0n = /* @__PURE__ */ BigInt(0);
+const _1n = /* @__PURE__ */ BigInt(1);
+function negateCt(condition, item) {
+    const neg = item.negate();
+    return condition ? neg : item;
+}
+/**
+ * Takes a bunch of Projective Points but executes only one
+ * inversion on all of them. Inversion is very slow operation,
+ * so this improves performance massively.
+ * Optimization: converts a list of projective points to a list of identical points with Z=1.
+ */
+function normalizeZ(c, points) {
+    const invertedZs = (0, modular_js_1.FpInvertBatch)(c.Fp, points.map((p) => p.Z));
+    return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
+}
+function validateW(W, bits) {
+    if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+        throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
+}
+function calcWOpts(W, scalarBits) {
+    validateW(W, scalarBits);
+    const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
+    const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
+    const maxNumber = 2 ** W; // W=8 256
+    const mask = (0, utils_js_1.bitMask)(W); // W=8 255 == mask 0b11111111
+    const shiftBy = BigInt(W); // W=8 8
+    return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+    const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+    let wbits = Number(n & mask); // extract W bits.
+    let nextN = n >> shiftBy; // shift number by W bits.
+    // What actually happens here:
+    // const highestBit = Number(mask ^ (mask >> 1n));
+    // let wbits2 = wbits - 1; // skip zero
+    // if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
+    // split if bits > max: +224 => 256-32
+    if (wbits > windowSize) {
+        // we skip zero, which means instead of `>= size-1`, we do `> size`
+        wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
+        nextN += _1n; // +256 (carry)
+    }
+    const offsetStart = window * windowSize;
+    const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
+    const isZero = wbits === 0; // is current window slice a 0?
+    const isNeg = wbits < 0; // is current window slice negative?
+    const isNegF = window % 2 !== 0; // fake random statement for noise
+    const offsetF = offsetStart; // fake offset for noise
+    return { nextN, offset, isZero, isNeg, isNegF, offsetF };
+}
+function validateMSMPoints(points, c) {
+    if (!Array.isArray(points))
+        throw new Error('array expected');
+    points.forEach((p, i) => {
+        if (!(p instanceof c))
+            throw new Error('invalid point at index ' + i);
+    });
+}
+function validateMSMScalars(scalars, field) {
+    if (!Array.isArray(scalars))
+        throw new Error('array of scalars expected');
+    scalars.forEach((s, i) => {
+        if (!field.isValid(s))
+            throw new Error('invalid scalar at index ' + i);
+    });
+}
+// Since points in different groups cannot be equal (different object constructor),
+// we can have single place to store precomputes.
+// Allows to make points frozen / immutable.
+const pointPrecomputes = new WeakMap();
+const pointWindowSizes = new WeakMap();
+function getW(P) {
+    // To disable precomputes:
+    // return 1;
+    return pointWindowSizes.get(P) || 1;
+}
+function assert0(n) {
+    if (n !== _0n)
+        throw new Error('invalid wNAF');
+}
+/**
+ * Elliptic curve multiplication of Point by scalar. Fragile.
+ * Table generation takes **30MB of ram and 10ms on high-end CPU**,
+ * but may take much longer on slow devices. Actual generation will happen on
+ * first call of `multiply()`. By default, `BASE` point is precomputed.
+ *
+ * Scalars should always be less than curve order: this should be checked inside of a curve itself.
+ * Creates precomputation tables for fast multiplication:
+ * - private scalar is split by fixed size windows of W bits
+ * - every window point is collected from window's table & added to accumulator
+ * - since windows are different, same point inside tables won't be accessed more than once per calc
+ * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+ * - +1 window is neccessary for wNAF
+ * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+ *
+ * @todo Research returning 2d JS array of windows, instead of a single window.
+ * This would allow windows to be in different memory locations
+ */
+class wNAF {
+    BASE;
+    ZERO;
+    Fn;
+    bits;
+    // Parametrized with a given Point class (not individual point)
+    constructor(Point, bits) {
+        this.BASE = Point.BASE;
+        this.ZERO = Point.ZERO;
+        this.Fn = Point.Fn;
+        this.bits = bits;
+    }
+    // non-const time multiplication ladder
+    _unsafeLadder(elm, n, p = this.ZERO) {
+        let d = elm;
+        while (n > _0n) {
+            if (n & _1n)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n;
+        }
+        return p;
+    }
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    precomputeWindow(point, W) {
+        const { windows, windowSize } = calcWOpts(W, this.bits);
+        const points = [];
+        let p = point;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            // i=1, bc we skip 0
+            for (let i = 1; i < windowSize; i++) {
+                base = base.add(p);
+                points.push(base);
+            }
+            p = base.double();
+        }
+        return points;
+    }
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(W, precomputes, n) {
+        // Scalar should be smaller than field order
+        if (!this.Fn.isValid(n))
+            throw new Error('invalid scalar');
+        // Accumulators
+        let p = this.ZERO;
+        let f = this.BASE;
+        // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+        // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+        // there is negate now: it is possible that negated element from low value
+        // would be the same as high element, which will create carry into next window.
+        // It's not obvious how this can fail, but still worth investigating later.
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
+            const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // bits are 0: add garbage to fake point
+                // Important part for const-time getPublicKey: add random "noise" point to f.
+                f = f.add(negateCt(isNegF, precomputes[offsetF]));
+            }
+            else {
+                // bits are 1: add to result point
+                p = p.add(negateCt(isNeg, precomputes[offset]));
+            }
+        }
+        assert0(n);
+        // Return both real and fake points: JIT won't eliminate f.
+        // At this point there is a way to F be infinity-point even if p is not,
+        // which makes it less const-time: around 1 bigint multiply.
+        return { p, f };
+    }
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            if (n === _0n)
+                break; // Early-exit, skip 0 value
+            const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // Window bits are 0: skip processing.
+                // Move to next window.
+                continue;
+            }
+            else {
+                const item = precomputes[offset];
+                acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
+            }
+        }
+        assert0(n);
+        return acc;
+    }
+    getPrecomputes(W, point, transform) {
+        // Calculate precomputes on a first run, reuse them after
+        let comp = pointPrecomputes.get(point);
+        if (!comp) {
+            comp = this.precomputeWindow(point, W);
+            if (W !== 1) {
+                // Doing transform outside of if brings 15% perf hit
+                if (typeof transform === 'function')
+                    comp = transform(comp);
+                pointPrecomputes.set(point, comp);
+            }
+        }
+        return comp;
+    }
+    cached(point, scalar, transform) {
+        const W = getW(point);
+        return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
+    }
+    unsafe(point, scalar, transform, prev) {
+        const W = getW(point);
+        if (W === 1)
+            return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
+        return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
+    }
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    createCache(P, W) {
+        validateW(W, this.bits);
+        pointWindowSizes.set(P, W);
+        pointPrecomputes.delete(P);
+    }
+    hasCache(elm) {
+        return getW(elm) !== 1;
+    }
+}
+exports.wNAF = wNAF;
+/**
+ * Endomorphism-specific multiplication for Koblitz curves.
+ * Cost: 128 dbl, 0-256 adds.
+ */
+function mulEndoUnsafe(Point, point, k1, k2) {
+    let acc = point;
+    let p1 = Point.ZERO;
+    let p2 = Point.ZERO;
+    while (k1 > _0n || k2 > _0n) {
+        if (k1 & _1n)
+            p1 = p1.add(acc);
+        if (k2 & _1n)
+            p2 = p2.add(acc);
+        acc = acc.double();
+        k1 >>= _1n;
+        k2 >>= _1n;
+    }
+    return { p1, p2 };
+}
+/**
+ * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
+ * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
+ * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @param scalars array of L scalars (aka secret keys / bigints)
+ */
+function pippenger(c, points, scalars) {
+    // If we split scalars by some window (let's say 8 bits), every chunk will only
+    // take 256 buckets even if there are 4096 scalars, also re-uses double.
+    // TODO:
+    // - https://eprint.iacr.org/2024/750.pdf
+    // - https://tches.iacr.org/index.php/TCHES/article/view/10287
+    // 0 is accepted in scalars
+    const fieldN = c.Fn;
+    validateMSMPoints(points, c);
+    validateMSMScalars(scalars, fieldN);
+    const plength = points.length;
+    const slength = scalars.length;
+    if (plength !== slength)
+        throw new Error('arrays of points and scalars must have equal length');
+    // if (plength === 0) throw new Error('array must be of length >= 2');
+    const zero = c.ZERO;
+    const wbits = (0, utils_js_1.bitLen)(BigInt(plength));
+    let windowSize = 1; // bits
+    if (wbits > 12)
+        windowSize = wbits - 3;
+    else if (wbits > 4)
+        windowSize = wbits - 2;
+    else if (wbits > 0)
+        windowSize = 2;
+    const MASK = (0, utils_js_1.bitMask)(windowSize);
+    const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
+    const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
+    let sum = zero;
+    for (let i = lastBits; i >= 0; i -= windowSize) {
+        buckets.fill(zero);
+        for (let j = 0; j < slength; j++) {
+            const scalar = scalars[j];
+            const wbits = Number((scalar >> BigInt(i)) & MASK);
+            buckets[wbits] = buckets[wbits].add(points[j]);
+        }
+        let resI = zero; // not using this will do small speed-up, but will lose ct
+        // Skip first bucket, because it is zero
+        for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
+            sumI = sumI.add(buckets[j]);
+            resI = resI.add(sumI);
+        }
+        sum = sum.add(resI);
+        if (i !== 0)
+            for (let j = 0; j < windowSize; j++)
+                sum = sum.double();
+    }
+    return sum;
+}
+/**
+ * Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @returns function which multiplies points with scaars
+ */
+function precomputeMSMUnsafe(c, points, windowSize) {
+    /**
+     * Performance Analysis of Window-based Precomputation
+     *
+     * Base Case (256-bit scalar, 8-bit window):
+     * - Standard precomputation requires:
+     *   - 31 additions per scalar × 256 scalars = 7,936 ops
+     *   - Plus 255 summary additions = 8,191 total ops
+     *   Note: Summary additions can be optimized via accumulator
+     *
+     * Chunked Precomputation Analysis:
+     * - Using 32 chunks requires:
+     *   - 255 additions per chunk
+     *   - 256 doublings
+     *   - Total: (255 × 32) + 256 = 8,416 ops
+     *
+     * Memory Usage Comparison:
+     * Window Size | Standard Points | Chunked Points
+     * ------------|-----------------|---------------
+     *     4-bit   |     520         |      15
+     *     8-bit   |    4,224        |     255
+     *    10-bit   |   13,824        |   1,023
+     *    16-bit   |  557,056        |  65,535
+     *
+     * Key Advantages:
+     * 1. Enables larger window sizes due to reduced memory overhead
+     * 2. More efficient for smaller scalar counts:
+     *    - 16 chunks: (16 × 255) + 256 = 4,336 ops
+     *    - ~2x faster than standard 8,191 ops
+     *
+     * Limitations:
+     * - Not suitable for plain precomputes (requires 256 constant doublings)
+     * - Performance degrades with larger scalar counts:
+     *   - Optimal for ~256 scalars
+     *   - Less efficient for 4096+ scalars (Pippenger preferred)
+     */
+    const fieldN = c.Fn;
+    validateW(windowSize, fieldN.BITS);
+    validateMSMPoints(points, c);
+    const zero = c.ZERO;
+    const tableSize = 2 ** windowSize - 1; // table size (without zero)
+    const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
+    const MASK = (0, utils_js_1.bitMask)(windowSize);
+    const tables = points.map((p) => {
+        const res = [];
+        for (let i = 0, acc = p; i < tableSize; i++) {
+            res.push(acc);
+            acc = acc.add(p);
+        }
+        return res;
+    });
+    return (scalars) => {
+        validateMSMScalars(scalars, fieldN);
+        if (scalars.length > points.length)
+            throw new Error('array of scalars must be smaller than array of points');
+        let res = zero;
+        for (let i = 0; i < chunks; i++) {
+            // No need to double if accumulator is still zero.
+            if (res !== zero)
+                for (let j = 0; j < windowSize; j++)
+                    res = res.double();
+            const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
+            for (let j = 0; j < scalars.length; j++) {
+                const n = scalars[j];
+                const curr = Number((n >> shiftBy) & MASK);
+                if (!curr)
+                    continue; // skip zero scalars chunks
+                res = res.add(tables[j][curr - 1]);
+            }
+        }
+        return res;
+    };
+}
+function createField(order, field, isLE) {
+    if (field) {
+        if (field.ORDER !== order)
+            throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
+        (0, modular_js_1.validateField)(field);
+        return field;
+    }
+    else {
+        return (0, modular_js_1.Field)(order, { isLE });
+    }
+}
+/** Validates CURVE opts and creates fields */
+function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+    if (FpFnLE === undefined)
+        FpFnLE = type === 'edwards';
+    if (!CURVE || typeof CURVE !== 'object')
+        throw new Error(`expected valid ${type} CURVE object`);
+    for (const p of ['p', 'n', 'h']) {
+        const val = CURVE[p];
+        if (!(typeof val === 'bigint' && val > _0n))
+            throw new Error(`CURVE.${p} must be positive bigint`);
+    }
+    const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
+    const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
+    const _b = type === 'weierstrass' ? 'b' : 'd';
+    const params = ['Gx', 'Gy', 'a', _b];
+    for (const p of params) {
+        // @ts-ignore
+        if (!Fp.isValid(CURVE[p]))
+            throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+    }
+    CURVE = Object.freeze(Object.assign({}, CURVE));
+    return { CURVE, Fp, Fn };
+}
+function createKeygen(randomSecretKey, getPublicKey) {
+    return function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    };
+}
+//# sourceMappingURL=curve.js.map