@hyperlane-xyz/cli 26.0.0 → 27.1.0

package/bundle/{321.index.js → 617.index.js}

@@ -1,8 +1,8 @@
-export const id = 321;
-export const ids = [321];
+export const id = 617;
+export const ids = [617];
 export const modules = {
 
-/***/ 85321:
+/***/ 8617:
 /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
 
 
@@ -19,1326 +19,12 @@ var sha2 = __webpack_require__(20707);
 var esm_hmac = __webpack_require__(93952);
 // EXTERNAL MODULE: ../../node_modules/.pnpm/@noble+hashes@1.8.0/node_modules/@noble/hashes/esm/utils.js + 1 modules
 var esm_utils = __webpack_require__(2226);
-;// CONCATENATED MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/utils.js
-/**
- * Hex, bytes and number utilities.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-
-
-const _0n = /* @__PURE__ */ BigInt(0);
-const _1n = /* @__PURE__ */ BigInt(1);
-function abool(title, value) {
-    if (typeof value !== 'boolean')
-        throw new Error(title + ' boolean expected, got ' + value);
-}
-// tmp name until v2
-function _abool2(value, title = '') {
-    if (typeof value !== 'boolean') {
-        const prefix = title && `"${title}"`;
-        throw new Error(prefix + 'expected boolean, got type=' + typeof value);
-    }
-    return value;
-}
-// tmp name until v2
-/** Asserts something is Uint8Array. */
-function _abytes2(value, length, title = '') {
-    const bytes = (0,esm_utils/* isBytes */.aY)(value);
-    const len = value?.length;
-    const needsLen = length !== undefined;
-    if (!bytes || (needsLen && len !== length)) {
-        const prefix = title && `"${title}" `;
-        const ofLen = needsLen ? ` of length ${length}` : '';
-        const got = bytes ? `length=${len}` : `type=${typeof value}`;
-        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
-    }
-    return value;
-}
-// Used in weierstrass, der
-function numberToHexUnpadded(num) {
-    const hex = num.toString(16);
-    return hex.length & 1 ? '0' + hex : hex;
-}
-function hexToNumber(hex) {
-    if (typeof hex !== 'string')
-        throw new Error('hex string expected, got ' + typeof hex);
-    return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian
-}
-// BE: Big Endian, LE: Little Endian
-function utils_bytesToNumberBE(bytes) {
-    return hexToNumber((0,esm_utils/* bytesToHex */.My)(bytes));
-}
-function utils_bytesToNumberLE(bytes) {
-    (0,esm_utils/* abytes */.DO)(bytes);
-    return hexToNumber((0,esm_utils/* bytesToHex */.My)(Uint8Array.from(bytes).reverse()));
-}
-function numberToBytesBE(n, len) {
-    return (0,esm_utils/* hexToBytes */.aT)(n.toString(16).padStart(len * 2, '0'));
-}
-function numberToBytesLE(n, len) {
-    return numberToBytesBE(n, len).reverse();
-}
-// Unpadded, rarely used
-function numberToVarBytesBE(n) {
-    return hexToBytes_(numberToHexUnpadded(n));
-}
-/**
- * Takes hex string or Uint8Array, converts to Uint8Array.
- * Validates output length.
- * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'secret key'
- * @param hex hex string or Uint8Array
- * @param expectedLength optional, will compare to result array's length
- * @returns
- */
-function utils_ensureBytes(title, hex, expectedLength) {
-    let res;
-    if (typeof hex === 'string') {
-        try {
-            res = (0,esm_utils/* hexToBytes */.aT)(hex);
-        }
-        catch (e) {
-            throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
-        }
-    }
-    else if ((0,esm_utils/* isBytes */.aY)(hex)) {
-        // Uint8Array.from() instead of hash.slice() because node.js Buffer
-        // is instance of Uint8Array, and its slice() creates **mutable** copy
-        res = Uint8Array.from(hex);
-    }
-    else {
-        throw new Error(title + ' must be hex string or Uint8Array');
-    }
-    const len = res.length;
-    if (typeof expectedLength === 'number' && len !== expectedLength)
-        throw new Error(title + ' of length ' + expectedLength + ' expected, got ' + len);
-    return res;
-}
-// Compares 2 u8a-s in kinda constant time
-function equalBytes(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
-}
-/**
- * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
- * and Buffer#slice creates mutable copy. Never use Buffers!
- */
-function copyBytes(bytes) {
-    return Uint8Array.from(bytes);
-}
-/**
- * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
- * Should be safe to use for things expected to be ASCII.
- * Returns exact same result as utf8ToBytes for ASCII or throws.
- */
-function asciiToBytes(ascii) {
-    return Uint8Array.from(ascii, (c, i) => {
-        const charCode = c.charCodeAt(0);
-        if (c.length !== 1 || charCode > 127) {
-            throw new Error(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
-        }
-        return charCode;
-    });
-}
-/**
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
- */
-// export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_;
-/**
- * Converts bytes to string using UTF8 encoding.
- * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'
- */
-// export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_;
-// Is positive bigint
-const isPosBig = (n) => typeof n === 'bigint' && _0n <= n;
-function utils_inRange(n, min, max) {
-    return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
-}
-/**
- * Asserts min <= n < max. NOTE: It's < max and not <= max.
- * @example
- * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
- */
-function aInRange(title, n, min, max) {
-    // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?
-    // consider P=256n, min=0n, max=P
-    // - a for min=0 would require -1:          `inRange('x', x, -1n, P)`
-    // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`
-    // - our way is the cleanest:               `inRange('x', x, 0n, P)
-    if (!utils_inRange(n, min, max))
-        throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);
-}
-// Bit operations
-/**
- * Calculates amount of bits in a bigint.
- * Same as `n.toString(2).length`
- * TODO: merge with nLength in modular
- */
-function bitLen(n) {
-    let len;
-    for (len = 0; n > _0n; n >>= _1n, len += 1)
-        ;
-    return len;
-}
-/**
- * Gets single bit at position.
- * NOTE: first bit position is 0 (same as arrays)
- * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
- */
-function bitGet(n, pos) {
-    return (n >> BigInt(pos)) & _1n;
-}
-/**
- * Sets single bit at position.
- */
-function bitSet(n, pos, value) {
-    return n | ((value ? _1n : _0n) << BigInt(pos));
-}
-/**
- * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
- * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
- */
-const utils_bitMask = (n) => (_1n << BigInt(n)) - _1n;
-/**
- * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
- * @returns function that will call DRBG until 2nd arg returns something meaningful
- * @example
- *   const drbg = createHmacDRBG<Key>(32, 32, hmac);
- *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
- */
-function createHmacDrbg(hashLen, qByteLen, hmacFn) {
-    if (typeof hashLen !== 'number' || hashLen < 2)
-        throw new Error('hashLen must be a number');
-    if (typeof qByteLen !== 'number' || qByteLen < 2)
-        throw new Error('qByteLen must be a number');
-    if (typeof hmacFn !== 'function')
-        throw new Error('hmacFn must be a function');
-    // Step B, Step C: set hashLen to 8*ceil(hlen/8)
-    const u8n = (len) => new Uint8Array(len); // creates Uint8Array
-    const u8of = (byte) => Uint8Array.of(byte); // another shortcut
-    let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
-    let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
-    let i = 0; // Iterations counter, will throw when over 1000
-    const reset = () => {
-        v.fill(1);
-        k.fill(0);
-        i = 0;
-    };
-    const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-    const reseed = (seed = u8n(0)) => {
-        // HMAC-DRBG reseed() function. Steps D-G
-        k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed)
-        v = h(); // v = hmac(k || v)
-        if (seed.length === 0)
-            return;
-        k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed)
-        v = h(); // v = hmac(k || v)
-    };
-    const gen = () => {
-        // HMAC-DRBG generate() function
-        if (i++ >= 1000)
-            throw new Error('drbg: tried 1000 values');
-        let len = 0;
-        const out = [];
-        while (len < qByteLen) {
-            v = h();
-            const sl = v.slice();
-            out.push(sl);
-            len += v.length;
-        }
-        return (0,esm_utils/* concatBytes */.Id)(...out);
-    };
-    const genUntil = (seed, pred) => {
-        reset();
-        reseed(seed); // Steps D-G
-        let res = undefined; // Step H: grind until k is in [1..n-1]
-        while (!(res = pred(gen())))
-            reseed();
-        reset();
-        return res;
-    };
-    return genUntil;
-}
-// Validating curves and fields
-const validatorFns = {
-    bigint: (val) => typeof val === 'bigint',
-    function: (val) => typeof val === 'function',
-    boolean: (val) => typeof val === 'boolean',
-    string: (val) => typeof val === 'string',
-    stringOrUint8Array: (val) => typeof val === 'string' || (0,esm_utils/* isBytes */.aY)(val),
-    isSafeInteger: (val) => Number.isSafeInteger(val),
-    array: (val) => Array.isArray(val),
-    field: (val, object) => object.Fp.isValid(val),
-    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
-};
-// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
-function utils_validateObject(object, validators, optValidators = {}) {
-    const checkField = (fieldName, type, isOptional) => {
-        const checkVal = validatorFns[type];
-        if (typeof checkVal !== 'function')
-            throw new Error('invalid validator function');
-        const val = object[fieldName];
-        if (isOptional && val === undefined)
-            return;
-        if (!checkVal(val, object)) {
-            throw new Error('param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val);
-        }
-    };
-    for (const [fieldName, type] of Object.entries(validators))
-        checkField(fieldName, type, false);
-    for (const [fieldName, type] of Object.entries(optValidators))
-        checkField(fieldName, type, true);
-    return object;
-}
-// validate type tests
-// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
-// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
-// // Should fail type-check
-// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
-// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
-// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
-// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
-function isHash(val) {
-    return typeof val === 'function' && Number.isSafeInteger(val.outputLen);
-}
-function _validateObject(object, fields, optFields = {}) {
-    if (!object || typeof object !== 'object')
-        throw new Error('expected valid options object');
-    function checkField(fieldName, expectedType, isOpt) {
-        const val = object[fieldName];
-        if (isOpt && val === undefined)
-            return;
-        const current = typeof val;
-        if (current !== expectedType || val === null)
-            throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
-    }
-    Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
-    Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
-}
-/**
- * throws not implemented error
- */
-const notImplemented = () => {
-    throw new Error('not implemented');
-};
-/**
- * Memoizes (caches) computation result.
- * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
- */
-function memoized(fn) {
-    const map = new WeakMap();
-    return (arg, ...args) => {
-        const val = map.get(arg);
-        if (val !== undefined)
-            return val;
-        const computed = fn(arg, ...args);
-        map.set(arg, computed);
-        return computed;
-    };
-}
-//# sourceMappingURL=utils.js.map
-;// CONCATENATED MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/abstract/modular.js
-/**
- * Utils for modular division and fields.
- * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
- * There is no division: it is replaced by modular multiplicative inverse.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-
-// prettier-ignore
-const modular_0n = BigInt(0), modular_1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
-// prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
-// prettier-ignore
-const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
-// Calculates a modulo b
-function mod(a, b) {
-    const result = a % b;
-    return result >= modular_0n ? result : b + result;
-}
-/**
- * Efficiently raise num to power and do modular division.
- * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- * @example
- * pow(2n, 6n, 11n) // 64n % 11n == 9n
- */
-function pow(num, power, modulo) {
-    return FpPow(Field(modulo), num, power);
-}
-/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
-function pow2(x, power, modulo) {
-    let res = x;
-    while (power-- > modular_0n) {
-        res *= res;
-        res %= modulo;
-    }
-    return res;
-}
-/**
- * Inverses number over modulo.
- * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
- */
-function invert(number, modulo) {
-    if (number === modular_0n)
-        throw new Error('invert: expected non-zero number');
-    if (modulo <= modular_0n)
-        throw new Error('invert: expected positive modulus, got ' + modulo);
-    // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
-    let a = mod(number, modulo);
-    let b = modulo;
-    // prettier-ignore
-    let x = modular_0n, y = modular_1n, u = modular_1n, v = modular_0n;
-    while (a !== modular_0n) {
-        // JIT applies optimization if those two lines follow each other
-        const q = b / a;
-        const r = b % a;
-        const m = x - u * q;
-        const n = y - v * q;
-        // prettier-ignore
-        b = a, a = r, x = u, y = v, u = m, v = n;
-    }
-    const gcd = b;
-    if (gcd !== modular_1n)
-        throw new Error('invert: does not exist');
-    return mod(x, modulo);
-}
-function assertIsSquare(Fp, root, n) {
-    if (!Fp.eql(Fp.sqr(root), n))
-        throw new Error('Cannot find square root');
-}
-// Not all roots are possible! Example which will throw:
-// const NUM =
-// n = 72057594037927816n;
-// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
-function sqrt3mod4(Fp, n) {
-    const p1div4 = (Fp.ORDER + modular_1n) / _4n;
-    const root = Fp.pow(n, p1div4);
-    assertIsSquare(Fp, root, n);
-    return root;
-}
-function sqrt5mod8(Fp, n) {
-    const p5div8 = (Fp.ORDER - _5n) / _8n;
-    const n2 = Fp.mul(n, _2n);
-    const v = Fp.pow(n2, p5div8);
-    const nv = Fp.mul(n, v);
-    const i = Fp.mul(Fp.mul(nv, _2n), v);
-    const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-    assertIsSquare(Fp, root, n);
-    return root;
-}
-// Based on RFC9380, Kong algorithm
-// prettier-ignore
-function sqrt9mod16(P) {
-    const Fp_ = Field(P);
-    const tn = tonelliShanks(P);
-    const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-    const c2 = tn(Fp_, c1); //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
-    const c3 = tn(Fp_, Fp_.neg(c1)); //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
-    const c4 = (P + _7n) / _16n; //  4. c4 = (q + 7) / 16        # Integer arithmetic
-    return (Fp, n) => {
-        let tv1 = Fp.pow(n, c4); //  1. tv1 = x^c4
-        let tv2 = Fp.mul(tv1, c1); //  2. tv2 = c1 * tv1
-        const tv3 = Fp.mul(tv1, c2); //  3. tv3 = c2 * tv1
-        const tv4 = Fp.mul(tv1, c3); //  4. tv4 = c3 * tv1
-        const e1 = Fp.eql(Fp.sqr(tv2), n); //  5.  e1 = (tv2^2) == x
-        const e2 = Fp.eql(Fp.sqr(tv3), n); //  6.  e2 = (tv3^2) == x
-        tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
-        tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
-        const e3 = Fp.eql(Fp.sqr(tv2), n); //  9.  e3 = (tv2^2) == x
-        const root = Fp.cmov(tv1, tv2, e3); // 10.  z = CMOV(tv1, tv2, e3)   # Select sqrt from tv1 & tv2
-        assertIsSquare(Fp, root, n);
-        return root;
-    };
-}
-/**
- * Tonelli-Shanks square root search algorithm.
- * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
- * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
- * @param P field order
- * @returns function that takes field Fp (created from P) and number n
- */
-function tonelliShanks(P) {
-    // Initialization (precomputation).
-    // Caching initialization could boost perf by 7%.
-    if (P < _3n)
-        throw new Error('sqrt is not defined for small field');
-    // Factor P - 1 = Q * 2^S, where Q is odd
-    let Q = P - modular_1n;
-    let S = 0;
-    while (Q % _2n === modular_0n) {
-        Q /= _2n;
-        S++;
-    }
-    // Find the first quadratic non-residue Z >= 2
-    let Z = _2n;
-    const _Fp = Field(P);
-    while (FpLegendre(_Fp, Z) === 1) {
-        // Basic primality test for P. After x iterations, chance of
-        // not finding quadratic non-residue is 2^x, so 2^1000.
-        if (Z++ > 1000)
-            throw new Error('Cannot find square root: probably non-prime P');
-    }
-    // Fast-path; usually done before Z, but we do "primality test".
-    if (S === 1)
-        return sqrt3mod4;
-    // Slow-path
-    // TODO: test on Fp2 and others
-    let cc = _Fp.pow(Z, Q); // c = z^Q
-    const Q1div2 = (Q + modular_1n) / _2n;
-    return function tonelliSlow(Fp, n) {
-        if (Fp.is0(n))
-            return n;
-        // Check if n is a quadratic residue using Legendre symbol
-        if (FpLegendre(Fp, n) !== 1)
-            throw new Error('Cannot find square root');
-        // Initialize variables for the main loop
-        let M = S;
-        let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
-        let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor
-        let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
-        // Main loop
-        // while t != 1
-        while (!Fp.eql(t, Fp.ONE)) {
-            if (Fp.is0(t))
-                return Fp.ZERO; // if t=0 return R=0
-            let i = 1;
-            // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
-            let t_tmp = Fp.sqr(t); // t^(2^1)
-            while (!Fp.eql(t_tmp, Fp.ONE)) {
-                i++;
-                t_tmp = Fp.sqr(t_tmp); // t^(2^2)...
-                if (i === M)
-                    throw new Error('Cannot find square root');
-            }
-            // Calculate the exponent for b: 2^(M - i - 1)
-            const exponent = modular_1n << BigInt(M - i - 1); // bigint is important
-            const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
-            // Update variables
-            M = i;
-            c = Fp.sqr(b); // c = b^2
-            t = Fp.mul(t, c); // t = (t * b^2)
-            R = Fp.mul(R, b); // R = R*b
-        }
-        return R;
-    };
-}
-/**
- * Square root for a finite field. Will try optimized versions first:
- *
- * 1. P ≡ 3 (mod 4)
- * 2. P ≡ 5 (mod 8)
- * 3. P ≡ 9 (mod 16)
- * 4. Tonelli-Shanks algorithm
- *
- * Different algorithms can give different roots, it is up to user to decide which one they want.
- * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
- */
-function FpSqrt(P) {
-    // P ≡ 3 (mod 4) => √n = n^((P+1)/4)
-    if (P % _4n === _3n)
-        return sqrt3mod4;
-    // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
-    if (P % _8n === _5n)
-        return sqrt5mod8;
-    // P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
-    if (P % _16n === _9n)
-        return sqrt9mod16(P);
-    // Tonelli-Shanks algorithm
-    return tonelliShanks(P);
-}
-// Little-endian check for first LE bit (last BE bit);
-const isNegativeLE = (num, modulo) => (mod(num, modulo) & modular_1n) === modular_1n;
-// prettier-ignore
-const FIELD_FIELDS = [
-    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
-    'eql', 'add', 'sub', 'mul', 'pow', 'div',
-    'addN', 'subN', 'mulN', 'sqrN'
-];
-function modular_validateField(field) {
-    const initial = {
-        ORDER: 'bigint',
-        MASK: 'bigint',
-        BYTES: 'number',
-        BITS: 'number',
-    };
-    const opts = FIELD_FIELDS.reduce((map, val) => {
-        map[val] = 'function';
-        return map;
-    }, initial);
-    _validateObject(field, opts);
-    // const max = 16384;
-    // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
-    // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
-    return field;
-}
-// Generic field functions
-/**
- * Same as `pow` but for Fp: non-constant-time.
- * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- */
-function FpPow(Fp, num, power) {
-    if (power < modular_0n)
-        throw new Error('invalid exponent, negatives unsupported');
-    if (power === modular_0n)
-        return Fp.ONE;
-    if (power === modular_1n)
-        return num;
-    let p = Fp.ONE;
-    let d = num;
-    while (power > modular_0n) {
-        if (power & modular_1n)
-            p = Fp.mul(p, d);
-        d = Fp.sqr(d);
-        power >>= modular_1n;
-    }
-    return p;
-}
-/**
- * Efficiently invert an array of Field elements.
- * Exception-free. Will return `undefined` for 0 elements.
- * @param passZero map 0 to 0 (instead of undefined)
- */
-function modular_FpInvertBatch(Fp, nums, passZero = false) {
-    const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
-    // Walk from first to last, multiply them by each other MOD p
-    const multipliedAcc = nums.reduce((acc, num, i) => {
-        if (Fp.is0(num))
-            return acc;
-        inverted[i] = acc;
-        return Fp.mul(acc, num);
-    }, Fp.ONE);
-    // Invert last element
-    const invertedAcc = Fp.inv(multipliedAcc);
-    // Walk from last to first, multiply them by inverted each other MOD p
-    nums.reduceRight((acc, num, i) => {
-        if (Fp.is0(num))
-            return acc;
-        inverted[i] = Fp.mul(acc, inverted[i]);
-        return Fp.mul(acc, num);
-    }, invertedAcc);
-    return inverted;
-}
-// TODO: remove
-function FpDiv(Fp, lhs, rhs) {
-    return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
-}
-/**
- * Legendre symbol.
- * Legendre constant is used to calculate Legendre symbol (a | p)
- * which denotes the value of a^((p-1)/2) (mod p).
- *
- * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
- * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
- * * (a | p) ≡ 0    if a ≡ 0 (mod p)
- */
-function FpLegendre(Fp, n) {
-    // We can use 3rd argument as optional cache of this value
-    // but seems unneeded for now. The operation is very fast.
-    const p1mod2 = (Fp.ORDER - modular_1n) / _2n;
-    const powered = Fp.pow(n, p1mod2);
-    const yes = Fp.eql(powered, Fp.ONE);
-    const zero = Fp.eql(powered, Fp.ZERO);
-    const no = Fp.eql(powered, Fp.neg(Fp.ONE));
-    if (!yes && !zero && !no)
-        throw new Error('invalid Legendre symbol result');
-    return yes ? 1 : zero ? 0 : -1;
-}
-// This function returns True whenever the value x is a square in the field F.
-function FpIsSquare(Fp, n) {
-    const l = FpLegendre(Fp, n);
-    return l === 1;
-}
-// CURVE.n lengths
-function modular_nLength(n, nBitLength) {
-    // Bit size, byte size of CURVE.n
-    if (nBitLength !== undefined)
-        (0,esm_utils/* anumber */.Fe)(nBitLength);
-    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
-    const nByteLength = Math.ceil(_nBitLength / 8);
-    return { nBitLength: _nBitLength, nByteLength };
-}
-/**
- * Creates a finite field. Major performance optimizations:
- * * 1. Denormalized operations like mulN instead of mul.
- * * 2. Identical object shape: never add or remove keys.
- * * 3. `Object.freeze`.
- * Fragile: always run a benchmark on a change.
- * Security note: operations don't check 'isValid' for all elements for performance reasons,
- * it is caller responsibility to check this.
- * This is low-level code, please make sure you know what you're doing.
- *
- * Note about field properties:
- * * CHARACTERISTIC p = prime number, number of elements in main subgroup.
- * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
- *
- * @param ORDER field order, probably prime, or could be composite
- * @param bitLen how many bits the field consumes
- * @param isLE (default: false) if encoding / decoding should be in little-endian
- * @param redef optional faster redefinitions of sqrt and other methods
- */
-function Field(ORDER, bitLenOrOpts, // TODO: use opts only in v2?
-isLE = false, opts = {}) {
-    if (ORDER <= modular_0n)
-        throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-    let _nbitLength = undefined;
-    let _sqrt = undefined;
-    let modFromBytes = false;
-    let allowedLengths = undefined;
-    if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
-        if (opts.sqrt || isLE)
-            throw new Error('cannot specify opts in two arguments');
-        const _opts = bitLenOrOpts;
-        if (_opts.BITS)
-            _nbitLength = _opts.BITS;
-        if (_opts.sqrt)
-            _sqrt = _opts.sqrt;
-        if (typeof _opts.isLE === 'boolean')
-            isLE = _opts.isLE;
-        if (typeof _opts.modFromBytes === 'boolean')
-            modFromBytes = _opts.modFromBytes;
-        allowedLengths = _opts.allowedLengths;
-    }
-    else {
-        if (typeof bitLenOrOpts === 'number')
-            _nbitLength = bitLenOrOpts;
-        if (opts.sqrt)
-            _sqrt = opts.sqrt;
-    }
-    const { nBitLength: BITS, nByteLength: BYTES } = modular_nLength(ORDER, _nbitLength);
-    if (BYTES > 2048)
-        throw new Error('invalid field: expected ORDER of <= 2048 bytes');
-    let sqrtP; // cached sqrtP
-    const f = Object.freeze({
-        ORDER,
-        isLE,
-        BITS,
-        BYTES,
-        MASK: utils_bitMask(BITS),
-        ZERO: modular_0n,
-        ONE: modular_1n,
-        allowedLengths: allowedLengths,
-        create: (num) => mod(num, ORDER),
-        isValid: (num) => {
-            if (typeof num !== 'bigint')
-                throw new Error('invalid field element: expected bigint, got ' + typeof num);
-            return modular_0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
-        },
-        is0: (num) => num === modular_0n,
-        // is valid and invertible
-        isValidNot0: (num) => !f.is0(num) && f.isValid(num),
-        isOdd: (num) => (num & modular_1n) === modular_1n,
-        neg: (num) => mod(-num, ORDER),
-        eql: (lhs, rhs) => lhs === rhs,
-        sqr: (num) => mod(num * num, ORDER),
-        add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-        sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
-        mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-        pow: (num, power) => FpPow(f, num, power),
-        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
-        // Same as above, but doesn't normalize
-        sqrN: (num) => num * num,
-        addN: (lhs, rhs) => lhs + rhs,
-        subN: (lhs, rhs) => lhs - rhs,
-        mulN: (lhs, rhs) => lhs * rhs,
-        inv: (num) => invert(num, ORDER),
-        sqrt: _sqrt ||
-            ((n) => {
-                if (!sqrtP)
-                    sqrtP = FpSqrt(ORDER);
-                return sqrtP(f, n);
-            }),
-        toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-        fromBytes: (bytes, skipValidation = true) => {
-            if (allowedLengths) {
-                if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
-                    throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
-                }
-                const padded = new Uint8Array(BYTES);
-                // isLE add 0 to right, !isLE to the left.
-                padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
-                bytes = padded;
-            }
-            if (bytes.length !== BYTES)
-                throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-            let scalar = isLE ? utils_bytesToNumberLE(bytes) : utils_bytesToNumberBE(bytes);
-            if (modFromBytes)
-                scalar = mod(scalar, ORDER);
-            if (!skipValidation)
-                if (!f.isValid(scalar))
-                    throw new Error('invalid field element: outside of range 0..ORDER');
-            // NOTE: we don't validate scalar here, please use isValid. This done such way because some
-            // protocol may allow non-reduced scalar that reduced later or changed some other way.
-            return scalar;
-        },
-        // TODO: we don't need it here, move out to separate fn
-        invertBatch: (lst) => modular_FpInvertBatch(f, lst),
-        // We can't move this out because Fp6, Fp12 implement it
-        // and it's unclear what to return in there.
-        cmov: (a, b, c) => (c ? b : a),
-    });
-    return Object.freeze(f);
-}
-// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
-// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
-// which mean we cannot force this via opts.
-// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
-// Probably need to export getMinHashLength somewhere?
-// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
-//   const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
-//   if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
-//   const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
-//   // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
-//   const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
-//   return reduced;
-// },
-function FpSqrtOdd(Fp, elm) {
-    if (!Fp.isOdd)
-        throw new Error("Field doesn't have isOdd");
-    const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? root : Fp.neg(root);
-}
-function FpSqrtEven(Fp, elm) {
-    if (!Fp.isOdd)
-        throw new Error("Field doesn't have isOdd");
-    const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.neg(root) : root;
-}
-/**
- * "Constant-time" private key generation utility.
- * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
- * Which makes it slightly more biased, less secure.
- * @deprecated use `mapKeyToField` instead
- */
-function hashToPrivateScalar(hash, groupOrder, isLE = false) {
-    hash = ensureBytes('privateHash', hash);
-    const hashLen = hash.length;
-    const minLen = modular_nLength(groupOrder).nByteLength + 8;
-    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
-        throw new Error('hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen);
-    const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-    return mod(num, groupOrder - modular_1n) + modular_1n;
-}
-/**
- * Returns total number of bytes consumed by the field element.
- * For example, 32 bytes for usual 256-bit weierstrass curve.
- * @param fieldOrder number of field elements, usually CURVE.n
- * @returns byte length of field
- */
-function getFieldBytesLength(fieldOrder) {
-    if (typeof fieldOrder !== 'bigint')
-        throw new Error('field order must be bigint');
-    const bitLength = fieldOrder.toString(2).length;
-    return Math.ceil(bitLength / 8);
-}
-/**
- * Returns minimal amount of bytes that can be safely reduced
- * by field order.
- * Should be 2^-128 for 128-bit curve such as P256.
- * @param fieldOrder number of field elements, usually CURVE.n
- * @returns byte length of target hash
- */
-function getMinHashLength(fieldOrder) {
-    const length = getFieldBytesLength(fieldOrder);
-    return length + Math.ceil(length / 2);
-}
-/**
- * "Constant-time" private key generation utility.
- * Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
- * and convert them into private scalar, with the modulo bias being negligible.
- * Needs at least 48 bytes of input for 32-byte private key.
- * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
- * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
- * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
- * @param hash hash output from SHA3 or a similar function
- * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
- * @param isLE interpret hash bytes as LE num
- * @returns valid private scalar
- */
-function mapHashToField(key, fieldOrder, isLE = false) {
-    const len = key.length;
-    const fieldLen = getFieldBytesLength(fieldOrder);
-    const minLen = getMinHashLength(fieldOrder);
-    // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
-    if (len < 16 || len < minLen || len > 1024)
-        throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
-    const num = isLE ? utils_bytesToNumberLE(key) : utils_bytesToNumberBE(key);
-    // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
-    const reduced = mod(num, fieldOrder - modular_1n) + modular_1n;
-    return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
-}
-//# sourceMappingURL=modular.js.map
-;// CONCATENATED MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/abstract/curve.js
-/**
- * Methods for elliptic curve multiplication by scalars.
- * Contains wNAF, pippenger.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-
-
-const curve_0n = BigInt(0);
-const curve_1n = BigInt(1);
-function negateCt(condition, item) {
-    const neg = item.negate();
-    return condition ? neg : item;
-}
-/**
- * Takes a bunch of Projective Points but executes only one
- * inversion on all of them. Inversion is very slow operation,
- * so this improves performance massively.
- * Optimization: converts a list of projective points to a list of identical points with Z=1.
- */
-function normalizeZ(c, points) {
-    const invertedZs = modular_FpInvertBatch(c.Fp, points.map((p) => p.Z));
-    return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
-}
-function validateW(W, bits) {
-    if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
-        throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
-}
-function calcWOpts(W, scalarBits) {
-    validateW(W, scalarBits);
-    const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
-    const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
-    const maxNumber = 2 ** W; // W=8 256
-    const mask = utils_bitMask(W); // W=8 255 == mask 0b11111111
-    const shiftBy = BigInt(W); // W=8 8
-    return { windows, windowSize, mask, maxNumber, shiftBy };
-}
-function calcOffsets(n, window, wOpts) {
-    const { windowSize, mask, maxNumber, shiftBy } = wOpts;
-    let wbits = Number(n & mask); // extract W bits.
-    let nextN = n >> shiftBy; // shift number by W bits.
-    // What actually happens here:
-    // const highestBit = Number(mask ^ (mask >> 1n));
-    // let wbits2 = wbits - 1; // skip zero
-    // if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
-    // split if bits > max: +224 => 256-32
-    if (wbits > windowSize) {
-        // we skip zero, which means instead of `>= size-1`, we do `> size`
-        wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
-        nextN += curve_1n; // +256 (carry)
-    }
-    const offsetStart = window * windowSize;
-    const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
-    const isZero = wbits === 0; // is current window slice a 0?
-    const isNeg = wbits < 0; // is current window slice negative?
-    const isNegF = window % 2 !== 0; // fake random statement for noise
-    const offsetF = offsetStart; // fake offset for noise
-    return { nextN, offset, isZero, isNeg, isNegF, offsetF };
-}
-function validateMSMPoints(points, c) {
-    if (!Array.isArray(points))
-        throw new Error('array expected');
-    points.forEach((p, i) => {
-        if (!(p instanceof c))
-            throw new Error('invalid point at index ' + i);
-    });
-}
-function validateMSMScalars(scalars, field) {
-    if (!Array.isArray(scalars))
-        throw new Error('array of scalars expected');
-    scalars.forEach((s, i) => {
-        if (!field.isValid(s))
-            throw new Error('invalid scalar at index ' + i);
-    });
-}
-// Since points in different groups cannot be equal (different object constructor),
-// we can have single place to store precomputes.
-// Allows to make points frozen / immutable.
-const pointPrecomputes = new WeakMap();
-const pointWindowSizes = new WeakMap();
-function getW(P) {
-    // To disable precomputes:
-    // return 1;
-    return pointWindowSizes.get(P) || 1;
-}
-function assert0(n) {
-    if (n !== curve_0n)
-        throw new Error('invalid wNAF');
-}
-/**
- * Elliptic curve multiplication of Point by scalar. Fragile.
- * Table generation takes **30MB of ram and 10ms on high-end CPU**,
- * but may take much longer on slow devices. Actual generation will happen on
- * first call of `multiply()`. By default, `BASE` point is precomputed.
- *
- * Scalars should always be less than curve order: this should be checked inside of a curve itself.
- * Creates precomputation tables for fast multiplication:
- * - private scalar is split by fixed size windows of W bits
- * - every window point is collected from window's table & added to accumulator
- * - since windows are different, same point inside tables won't be accessed more than once per calc
- * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
- * - +1 window is neccessary for wNAF
- * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
- *
- * @todo Research returning 2d JS array of windows, instead of a single window.
- * This would allow windows to be in different memory locations
- */
-class wNAF {
-    // Parametrized with a given Point class (not individual point)
-    constructor(Point, bits) {
-        this.BASE = Point.BASE;
-        this.ZERO = Point.ZERO;
-        this.Fn = Point.Fn;
-        this.bits = bits;
-    }
-    // non-const time multiplication ladder
-    _unsafeLadder(elm, n, p = this.ZERO) {
-        let d = elm;
-        while (n > curve_0n) {
-            if (n & curve_1n)
-                p = p.add(d);
-            d = d.double();
-            n >>= curve_1n;
-        }
-        return p;
-    }
-    /**
-     * Creates a wNAF precomputation window. Used for caching.
-     * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Number of precomputed points depends on the curve size:
-     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-     * - 𝑊 is the window size
-     * - 𝑛 is the bitlength of the curve order.
-     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-     * @param point Point instance
-     * @param W window size
-     * @returns precomputed point tables flattened to a single array
-     */
-    precomputeWindow(point, W) {
-        const { windows, windowSize } = calcWOpts(W, this.bits);
-        const points = [];
-        let p = point;
-        let base = p;
-        for (let window = 0; window < windows; window++) {
-            base = p;
-            points.push(base);
-            // i=1, bc we skip 0
-            for (let i = 1; i < windowSize; i++) {
-                base = base.add(p);
-                points.push(base);
-            }
-            p = base.double();
-        }
-        return points;
-    }
-    /**
-     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-     * More compact implementation:
-     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
-     * @returns real and fake (for const-time) points
-     */
-    wNAF(W, precomputes, n) {
-        // Scalar should be smaller than field order
-        if (!this.Fn.isValid(n))
-            throw new Error('invalid scalar');
-        // Accumulators
-        let p = this.ZERO;
-        let f = this.BASE;
-        // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-        // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-        // there is negate now: it is possible that negated element from low value
-        // would be the same as high element, which will create carry into next window.
-        // It's not obvious how this can fail, but still worth investigating later.
-        const wo = calcWOpts(W, this.bits);
-        for (let window = 0; window < wo.windows; window++) {
-            // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
-            const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
-            n = nextN;
-            if (isZero) {
-                // bits are 0: add garbage to fake point
-                // Important part for const-time getPublicKey: add random "noise" point to f.
-                f = f.add(negateCt(isNegF, precomputes[offsetF]));
-            }
-            else {
-                // bits are 1: add to result point
-                p = p.add(negateCt(isNeg, precomputes[offset]));
-            }
-        }
-        assert0(n);
-        // Return both real and fake points: JIT won't eliminate f.
-        // At this point there is a way to F be infinity-point even if p is not,
-        // which makes it less const-time: around 1 bigint multiply.
-        return { p, f };
-    }
-    /**
-     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param acc accumulator point to add result of multiplication
-     * @returns point
-     */
-    wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
-        const wo = calcWOpts(W, this.bits);
-        for (let window = 0; window < wo.windows; window++) {
-            if (n === curve_0n)
-                break; // Early-exit, skip 0 value
-            const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
-            n = nextN;
-            if (isZero) {
-                // Window bits are 0: skip processing.
-                // Move to next window.
-                continue;
-            }
-            else {
-                const item = precomputes[offset];
-                acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
-            }
-        }
-        assert0(n);
-        return acc;
-    }
-    getPrecomputes(W, point, transform) {
-        // Calculate precomputes on a first run, reuse them after
-        let comp = pointPrecomputes.get(point);
-        if (!comp) {
-            comp = this.precomputeWindow(point, W);
-            if (W !== 1) {
-                // Doing transform outside of if brings 15% perf hit
-                if (typeof transform === 'function')
-                    comp = transform(comp);
-                pointPrecomputes.set(point, comp);
-            }
-        }
-        return comp;
-    }
-    cached(point, scalar, transform) {
-        const W = getW(point);
-        return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
-    }
-    unsafe(point, scalar, transform, prev) {
-        const W = getW(point);
-        if (W === 1)
-            return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
-        return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
-    }
-    // We calculate precomputes for elliptic curve point multiplication
-    // using windowed method. This specifies window size and
-    // stores precomputed values. Usually only base point would be precomputed.
-    createCache(P, W) {
-        validateW(W, this.bits);
-        pointWindowSizes.set(P, W);
-        pointPrecomputes.delete(P);
-    }
-    hasCache(elm) {
-        return getW(elm) !== 1;
-    }
-}
-/**
- * Endomorphism-specific multiplication for Koblitz curves.
- * Cost: 128 dbl, 0-256 adds.
- */
-function mulEndoUnsafe(Point, point, k1, k2) {
-    let acc = point;
-    let p1 = Point.ZERO;
-    let p2 = Point.ZERO;
-    while (k1 > curve_0n || k2 > curve_0n) {
-        if (k1 & curve_1n)
-            p1 = p1.add(acc);
-        if (k2 & curve_1n)
-            p2 = p2.add(acc);
-        acc = acc.double();
-        k1 >>= curve_1n;
-        k2 >>= curve_1n;
-    }
-    return { p1, p2 };
-}
-/**
- * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
- * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
- * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
- * @param c Curve Point constructor
- * @param fieldN field over CURVE.N - important that it's not over CURVE.P
- * @param points array of L curve points
- * @param scalars array of L scalars (aka secret keys / bigints)
- */
-function pippenger(c, fieldN, points, scalars) {
-    // If we split scalars by some window (let's say 8 bits), every chunk will only
-    // take 256 buckets even if there are 4096 scalars, also re-uses double.
-    // TODO:
-    // - https://eprint.iacr.org/2024/750.pdf
-    // - https://tches.iacr.org/index.php/TCHES/article/view/10287
-    // 0 is accepted in scalars
-    validateMSMPoints(points, c);
-    validateMSMScalars(scalars, fieldN);
-    const plength = points.length;
-    const slength = scalars.length;
-    if (plength !== slength)
-        throw new Error('arrays of points and scalars must have equal length');
-    // if (plength === 0) throw new Error('array must be of length >= 2');
-    const zero = c.ZERO;
-    const wbits = bitLen(BigInt(plength));
-    let windowSize = 1; // bits
-    if (wbits > 12)
-        windowSize = wbits - 3;
-    else if (wbits > 4)
-        windowSize = wbits - 2;
-    else if (wbits > 0)
-        windowSize = 2;
-    const MASK = utils_bitMask(windowSize);
-    const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
-    const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
-    let sum = zero;
-    for (let i = lastBits; i >= 0; i -= windowSize) {
-        buckets.fill(zero);
-        for (let j = 0; j < slength; j++) {
-            const scalar = scalars[j];
-            const wbits = Number((scalar >> BigInt(i)) & MASK);
-            buckets[wbits] = buckets[wbits].add(points[j]);
-        }
-        let resI = zero; // not using this will do small speed-up, but will lose ct
-        // Skip first bucket, because it is zero
-        for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
-            sumI = sumI.add(buckets[j]);
-            resI = resI.add(sumI);
-        }
-        sum = sum.add(resI);
-        if (i !== 0)
-            for (let j = 0; j < windowSize; j++)
-                sum = sum.double();
-    }
-    return sum;
-}
-/**
- * Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * @param c Curve Point constructor
- * @param fieldN field over CURVE.N - important that it's not over CURVE.P
- * @param points array of L curve points
- * @returns function which multiplies points with scaars
- */
-function precomputeMSMUnsafe(c, fieldN, points, windowSize) {
-    /**
-     * Performance Analysis of Window-based Precomputation
-     *
-     * Base Case (256-bit scalar, 8-bit window):
-     * - Standard precomputation requires:
-     *   - 31 additions per scalar × 256 scalars = 7,936 ops
-     *   - Plus 255 summary additions = 8,191 total ops
-     *   Note: Summary additions can be optimized via accumulator
-     *
-     * Chunked Precomputation Analysis:
-     * - Using 32 chunks requires:
-     *   - 255 additions per chunk
-     *   - 256 doublings
-     *   - Total: (255 × 32) + 256 = 8,416 ops
-     *
-     * Memory Usage Comparison:
-     * Window Size | Standard Points | Chunked Points
-     * ------------|-----------------|---------------
-     *     4-bit   |     520         |      15
-     *     8-bit   |    4,224        |     255
-     *    10-bit   |   13,824        |   1,023
-     *    16-bit   |  557,056        |  65,535
-     *
-     * Key Advantages:
-     * 1. Enables larger window sizes due to reduced memory overhead
-     * 2. More efficient for smaller scalar counts:
-     *    - 16 chunks: (16 × 255) + 256 = 4,336 ops
-     *    - ~2x faster than standard 8,191 ops
-     *
-     * Limitations:
-     * - Not suitable for plain precomputes (requires 256 constant doublings)
-     * - Performance degrades with larger scalar counts:
-     *   - Optimal for ~256 scalars
-     *   - Less efficient for 4096+ scalars (Pippenger preferred)
-     */
-    validateW(windowSize, fieldN.BITS);
-    validateMSMPoints(points, c);
-    const zero = c.ZERO;
-    const tableSize = 2 ** windowSize - 1; // table size (without zero)
-    const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
-    const MASK = bitMask(windowSize);
-    const tables = points.map((p) => {
-        const res = [];
-        for (let i = 0, acc = p; i < tableSize; i++) {
-            res.push(acc);
-            acc = acc.add(p);
-        }
-        return res;
-    });
-    return (scalars) => {
-        validateMSMScalars(scalars, fieldN);
-        if (scalars.length > points.length)
-            throw new Error('array of scalars must be smaller than array of points');
-        let res = zero;
-        for (let i = 0; i < chunks; i++) {
-            // No need to double if accumulator is still zero.
-            if (res !== zero)
-                for (let j = 0; j < windowSize; j++)
-                    res = res.double();
-            const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
-            for (let j = 0; j < scalars.length; j++) {
-                const n = scalars[j];
-                const curr = Number((n >> shiftBy) & MASK);
-                if (!curr)
-                    continue; // skip zero scalars chunks
-                res = res.add(tables[j][curr - 1]);
-            }
-        }
-        return res;
-    };
-}
-// TODO: remove
-/** @deprecated */
-function validateBasic(curve) {
-    validateField(curve.Fp);
-    validateObject(curve, {
-        n: 'bigint',
-        h: 'bigint',
-        Gx: 'field',
-        Gy: 'field',
-    }, {
-        nBitLength: 'isSafeInteger',
-        nByteLength: 'isSafeInteger',
-    });
-    // Set defaults
-    return Object.freeze({
-        ...nLength(curve.n, curve.nBitLength),
-        ...curve,
-        ...{ p: curve.Fp.ORDER },
-    });
-}
-function createField(order, field, isLE) {
-    if (field) {
-        if (field.ORDER !== order)
-            throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
-        modular_validateField(field);
-        return field;
-    }
-    else {
-        return Field(order, { isLE });
-    }
-}
-/** Validates CURVE opts and creates fields */
-function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
-    if (FpFnLE === undefined)
-        FpFnLE = type === 'edwards';
-    if (!CURVE || typeof CURVE !== 'object')
-        throw new Error(`expected valid ${type} CURVE object`);
-    for (const p of ['p', 'n', 'h']) {
-        const val = CURVE[p];
-        if (!(typeof val === 'bigint' && val > curve_0n))
-            throw new Error(`CURVE.${p} must be positive bigint`);
-    }
-    const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
-    const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
-    const _b = type === 'weierstrass' ? 'b' : 'd';
-    const params = ['Gx', 'Gy', 'a', _b];
-    for (const p of params) {
-        // @ts-ignore
-        if (!Fp.isValid(CURVE[p]))
-            throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
-    }
-    CURVE = Object.freeze(Object.assign({}, CURVE));
-    return { CURVE, Fp, Fn };
-}
-//# sourceMappingURL=curve.js.map
+// EXTERNAL MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/utils.js
+var curves_esm_utils = __webpack_require__(99284);
+// EXTERNAL MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/abstract/curve.js
+var curve = __webpack_require__(11267);
+// EXTERNAL MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/abstract/modular.js
+var modular = __webpack_require__(5194);
 ;// CONCATENATED MODULE: ../../node_modules/.pnpm/@noble+curves@1.9.7/node_modules/@noble/curves/esm/abstract/weierstrass.js
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
@@ -1373,7 +59,7 @@ function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
 
 
 // We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
-const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / weierstrass_2n) / den;
+const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n) / den;
 /**
  * Splits scalar for GLV endomorphism.
  */
@@ -1388,16 +74,16 @@ function _splitEndoScalar(k, basis, n) {
     // If we do `k1 mod N`, we'll get big scalar (`> sqrt(N)`): so, we do cheaper negation instead.
     let k1 = k - c1 * a1 - c2 * a2;
     let k2 = -c1 * b1 - c2 * b2;
-    const k1neg = k1 < weierstrass_0n;
-    const k2neg = k2 < weierstrass_0n;
+    const k1neg = k1 < _0n;
+    const k2neg = k2 < _0n;
     if (k1neg)
         k1 = -k1;
     if (k2neg)
         k2 = -k2;
     // Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
     // This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
-    const MAX_NUM = utils_bitMask(Math.ceil(bitLen(n) / 2)) + weierstrass_1n; // Half bits of N
-    if (k1 < weierstrass_0n || k1 >= MAX_NUM || k2 < weierstrass_0n || k2 >= MAX_NUM) {
+    const MAX_NUM = (0,curves_esm_utils/* bitMask */.OG)(Math.ceil((0,curves_esm_utils/* bitLen */.dJ)(n) / 2)) + _1n; // Half bits of N
+    if (k1 < _0n || k1 >= MAX_NUM || k2 < _0n || k2 >= MAX_NUM) {
         throw new Error('splitScalar (endomorphism): failed, k=' + k);
     }
     return { k1neg, k1, k2neg, k2 };
@@ -1413,8 +99,8 @@ function validateSigOpts(opts, def) {
         // @ts-ignore
         optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
     }
-    _abool2(optsn.lowS, 'lowS');
-    _abool2(optsn.prehash, 'prehash');
+    (0,curves_esm_utils/* _abool2 */.d6)(optsn.lowS, 'lowS');
+    (0,curves_esm_utils/* _abool2 */.d6)(optsn.prehash, 'prehash');
     if (optsn.format !== undefined)
         validateSigFormat(optsn.format);
     return optsn;
@@ -1443,12 +129,12 @@ const DER = {
             if (data.length & 1)
                 throw new E('tlv.encode: unpadded data');
             const dataLen = data.length / 2;
-            const len = numberToHexUnpadded(dataLen);
+            const len = (0,curves_esm_utils/* numberToHexUnpadded */.zW)(dataLen);
             if ((len.length / 2) & 128)
                 throw new E('tlv.encode: long form length too big');
             // length of length with long form flag
-            const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
-            const t = numberToHexUnpadded(tag);
+            const lenLen = dataLen > 127 ? (0,curves_esm_utils/* numberToHexUnpadded */.zW)((len.length / 2) | 128) : '';
+            const t = (0,curves_esm_utils/* numberToHexUnpadded */.zW)(tag);
             return t + lenLen + len + data;
         },
         // v - value, l - left bytes (unparsed)
@@ -1495,9 +181,9 @@ const DER = {
     _int: {
         encode(num) {
             const { Err: E } = DER;
-            if (num < weierstrass_0n)
+            if (num < _0n)
                 throw new E('integer: negative integers are not allowed');
-            let hex = numberToHexUnpadded(num);
+            let hex = (0,curves_esm_utils/* numberToHexUnpadded */.zW)(num);
             // Pad with zero byte if negative flag is present
             if (Number.parseInt(hex[0], 16) & 0b1000)
                 hex = '00' + hex;
@@ -1511,13 +197,13 @@ const DER = {
                 throw new E('invalid signature integer: negative');
             if (data[0] === 0x00 && !(data[1] & 128))
                 throw new E('invalid signature integer: unnecessary leading zero');
-            return utils_bytesToNumberBE(data);
+            return (0,curves_esm_utils/* bytesToNumberBE */.Ph)(data);
         },
     },
     toSig(hex) {
         // parse DER signature
         const { Err: E, _int: int, _tlv: tlv } = DER;
-        const data = utils_ensureBytes('signature', hex);
+        const data = (0,curves_esm_utils/* ensureBytes */.qj)('signature', hex);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
             throw new E('invalid signature: left bytes after parsing');
@@ -1537,7 +223,7 @@ const DER = {
 };
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
-const weierstrass_0n = BigInt(0), weierstrass_1n = BigInt(1), weierstrass_2n = BigInt(2), weierstrass_3n = BigInt(3), weierstrass_4n = BigInt(4);
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 function _normFnElement(Fn, key) {
     const { BYTES: expected } = Fn;
     let num;
@@ -1545,7 +231,7 @@ function _normFnElement(Fn, key) {
         num = key;
     }
     else {
-        let bytes = utils_ensureBytes('private key', key);
+        let bytes = (0,curves_esm_utils/* ensureBytes */.qj)('private key', key);
         try {
             num = Fn.fromBytes(bytes);
         }
@@ -1575,11 +261,11 @@ const p256_Point = weierstrass(opts);
 ```
  */
 function weierstrassN(params, extraOpts = {}) {
-    const validated = _createCurveFields('weierstrass', params, extraOpts);
+    const validated = (0,curve/* _createCurveFields */.UT)('weierstrass', params, extraOpts);
     const { Fp, Fn } = validated;
     let CURVE = validated.CURVE;
     const { h: cofactor, n: CURVE_ORDER } = CURVE;
-    _validateObject(extraOpts, {}, {
+    (0,curves_esm_utils/* _validateObject */.DS)(extraOpts, {}, {
         allowInfinityPoint: 'boolean',
         clearCofactor: 'function',
         isTorsionFree: 'function',
@@ -1604,7 +290,7 @@ function weierstrassN(params, extraOpts = {}) {
     function pointToBytes(_c, point, isCompressed) {
         const { x, y } = point.toAffine();
         const bx = Fp.toBytes(x);
-        _abool2(isCompressed, 'isCompressed');
+        (0,curves_esm_utils/* _abool2 */.d6)(isCompressed, 'isCompressed');
         if (isCompressed) {
             assertCompressionIsSupported();
             const hasEvenY = !Fp.isOdd(y);
@@ -1615,7 +301,7 @@ function weierstrassN(params, extraOpts = {}) {
         }
     }
     function pointFromBytes(bytes) {
-        _abytes2(bytes, undefined, 'Point');
+        (0,curves_esm_utils/* _abytes2 */.eV)(bytes, undefined, 'Point');
         const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
         const length = bytes.length;
         const head = bytes[0];
@@ -1674,7 +360,7 @@ function weierstrassN(params, extraOpts = {}) {
         throw new Error('bad curve params: generator point');
     // Test 2: discriminant Δ part should be non-zero: 4a³ + 27b² != 0.
     // Guarantees curve is genus-1, smooth (non-singular).
-    const _4a3 = Fp.mul(Fp.pow(CURVE.a, weierstrass_3n), weierstrass_4n);
+    const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n), _4n);
     const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
     if (Fp.is0(Fp.add(_4a3, _27b2)))
         throw new Error('bad curve params: a or b');
@@ -1697,7 +383,7 @@ function weierstrassN(params, extraOpts = {}) {
     // Converts Projective point to affine (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     // (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
-    const toAffineMemo = memoized((p, iz) => {
+    const toAffineMemo = (0,curves_esm_utils/* memoized */.x)((p, iz) => {
         const { X, Y, Z } = p;
         // Fast-path for normalized points
         if (Fp.eql(Z, Fp.ONE))
@@ -1718,7 +404,7 @@ function weierstrassN(params, extraOpts = {}) {
     });
     // NOTE: on exception this will crash 'cached' and no value will be set.
     // Otherwise true will be return
-    const assertValidMemo = memoized((p) => {
+    const assertValidMemo = (0,curves_esm_utils/* memoized */.x)((p) => {
         if (p.is0()) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
@@ -1739,8 +425,8 @@ function weierstrassN(params, extraOpts = {}) {
     });
     function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
         k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
-        k1p = negateCt(k1neg, k1p);
-        k2p = negateCt(k2neg, k2p);
+        k1p = (0,curve/* negateCt */.u0)(k1neg, k1p);
+        k2p = (0,curve/* negateCt */.u0)(k2neg, k2p);
         return k1p.add(k2p);
     }
     /**
@@ -1772,12 +458,12 @@ function weierstrassN(params, extraOpts = {}) {
             return new Point(x, y, Fp.ONE);
         }
         static fromBytes(bytes) {
-            const P = Point.fromAffine(decodePoint(_abytes2(bytes, undefined, 'point')));
+            const P = Point.fromAffine(decodePoint((0,curves_esm_utils/* _abytes2 */.eV)(bytes, undefined, 'point')));
             P.assertValidity();
             return P;
         }
         static fromHex(hex) {
-            return Point.fromBytes(utils_ensureBytes('pointHex', hex));
+            return Point.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('pointHex', hex));
         }
         get x() {
             return this.toAffine().x;
@@ -1794,7 +480,7 @@ function weierstrassN(params, extraOpts = {}) {
         precompute(windowSize = 8, isLazy = true) {
             wnaf.createCache(this, windowSize);
             if (!isLazy)
-                this.multiply(weierstrass_3n); // random number
+                this.multiply(_3n); // random number
             return this;
         }
         // TODO: return `this`
@@ -1827,7 +513,7 @@ function weierstrassN(params, extraOpts = {}) {
         // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
         double() {
             const { a, b } = CURVE;
-            const b3 = Fp.mul(b, weierstrass_3n);
+            const b3 = Fp.mul(b, _3n);
             const { X: X1, Y: Y1, Z: Z1 } = this;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             let t0 = Fp.mul(X1, X1); // step 1
@@ -1873,7 +559,7 @@ function weierstrassN(params, extraOpts = {}) {
             const { X: X2, Y: Y2, Z: Z2 } = other;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             const a = CURVE.a;
-            const b3 = Fp.mul(CURVE.b, weierstrass_3n);
+            const b3 = Fp.mul(CURVE.b, _3n);
             let t0 = Fp.mul(X1, X2); // step 1
             let t1 = Fp.mul(Y1, Y2);
             let t2 = Fp.mul(Z1, Z2);
@@ -1936,7 +622,7 @@ function weierstrassN(params, extraOpts = {}) {
             if (!Fn.isValidNot0(scalar))
                 throw new Error('invalid scalar: out of range'); // 0 is invalid
             let point, fake; // Fake point is used to const-time mult
-            const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+            const mul = (n) => wnaf.cached(this, n, (p) => (0,curve/* normalizeZ */.Ak)(Point, p));
             /** See docs for {@link EndomorphismOpts} */
             if (endo) {
                 const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
@@ -1951,7 +637,7 @@ function weierstrassN(params, extraOpts = {}) {
                 fake = f;
             }
             // Normalize `z` for both points, but return only real one
-            return normalizeZ(Point, [point, fake])[0];
+            return (0,curve/* normalizeZ */.Ak)(Point, [point, fake])[0];
         }
         /**
          * Non-constant-time multiplication. Uses double-and-add algorithm.
@@ -1963,15 +649,15 @@ function weierstrassN(params, extraOpts = {}) {
             const p = this;
             if (!Fn.isValid(sc))
                 throw new Error('invalid scalar: out of range'); // 0 is valid
-            if (sc === weierstrass_0n || p.is0())
+            if (sc === _0n || p.is0())
                 return Point.ZERO;
-            if (sc === weierstrass_1n)
+            if (sc === _1n)
                 return p; // fast-path
             if (wnaf.hasCache(this))
                 return this.multiply(sc);
             if (endo) {
                 const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
-                const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
+                const { p1, p2 } = (0,curve/* mulEndoUnsafe */.fH)(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
                 return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
             }
             else {
@@ -1995,7 +681,7 @@ function weierstrassN(params, extraOpts = {}) {
          */
         isTorsionFree() {
             const { isTorsionFree } = extraOpts;
-            if (cofactor === weierstrass_1n)
+            if (cofactor === _1n)
                 return true;
             if (isTorsionFree)
                 return isTorsionFree(Point, this);
@@ -2003,7 +689,7 @@ function weierstrassN(params, extraOpts = {}) {
         }
         clearCofactor() {
             const { clearCofactor } = extraOpts;
-            if (cofactor === weierstrass_1n)
+            if (cofactor === _1n)
                 return this; // Fast-path
             if (clearCofactor)
                 return clearCofactor(Point, this);
@@ -2014,7 +700,7 @@ function weierstrassN(params, extraOpts = {}) {
             return this.multiplyUnsafe(cofactor).is0();
         }
         toBytes(isCompressed = true) {
-            _abool2(isCompressed, 'isCompressed');
+            (0,curves_esm_utils/* _abool2 */.d6)(isCompressed, 'isCompressed');
             this.assertValidity();
             return encodePoint(Point, this, isCompressed);
         }
@@ -2041,10 +727,10 @@ function weierstrassN(params, extraOpts = {}) {
             this.precompute(windowSize);
         }
         static normalizeZ(points) {
-            return normalizeZ(Point, points);
+            return (0,curve/* normalizeZ */.Ak)(Point, points);
         }
         static msm(points, scalars) {
-            return pippenger(Point, Fn, points, scalars);
+            return (0,curve/* pippenger */.Xf)(Point, Fn, points, scalars);
         }
         static fromPrivateKey(privateKey) {
             return Point.BASE.multiply(_normFnElement(Fn, privateKey));
@@ -2059,7 +745,7 @@ function weierstrassN(params, extraOpts = {}) {
     // scalar field
     Point.Fn = Fn;
     const bits = Fn.BITS;
-    const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
+    const wnaf = new curve/* wNAF */.hT(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
     Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
     return Point;
 }
@@ -2079,20 +765,20 @@ function pprefix(hasEvenY) {
 function SWUFpSqrtRatio(Fp, Z) {
     // Generic implementation
     const q = Fp.ORDER;
-    let l = weierstrass_0n;
-    for (let o = q - weierstrass_1n; o % weierstrass_2n === weierstrass_0n; o /= weierstrass_2n)
-        l += weierstrass_1n;
+    let l = _0n;
+    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
+        l += _1n;
     const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
     // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
     // 2n ** c1 == 2n << (c1-1)
-    const _2n_pow_c1_1 = weierstrass_2n << (c1 - weierstrass_1n - weierstrass_1n);
-    const _2n_pow_c1 = _2n_pow_c1_1 * weierstrass_2n;
-    const c2 = (q - weierstrass_1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
-    const c3 = (c2 - weierstrass_1n) / weierstrass_2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-    const c4 = _2n_pow_c1 - weierstrass_1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+    const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
+    const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
+    const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
+    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+    const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
     const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
     const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
-    const c7 = Fp.pow(Z, (c2 + weierstrass_1n) / weierstrass_2n); // 7. c7 = Z^((c2 + 1) / 2)
+    const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
     let sqrtRatio = (u, v) => {
         let tv1 = c6; // 1. tv1 = c6
         let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
@@ -2111,9 +797,9 @@ function SWUFpSqrtRatio(Fp, Z) {
         tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
         tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
         // 17. for i in (c1, c1 - 1, ..., 2):
-        for (let i = c1; i > weierstrass_1n; i--) {
-            let tv5 = i - weierstrass_2n; // 18.    tv5 = i - 2
-            tv5 = weierstrass_2n << (tv5 - weierstrass_1n); // 19.    tv5 = 2^tv5
+        for (let i = c1; i > _1n; i--) {
+            let tv5 = i - _2n; // 18.    tv5 = i - 2
+            tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
             let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
             const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
             tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
@@ -2124,9 +810,9 @@ function SWUFpSqrtRatio(Fp, Z) {
         }
         return { isValid: isQR, value: tv3 };
     };
-    if (Fp.ORDER % weierstrass_4n === weierstrass_3n) {
+    if (Fp.ORDER % _4n === _3n) {
         // sqrt_ratio_3mod4(u, v)
-        const c1 = (Fp.ORDER - weierstrass_3n) / weierstrass_4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+        const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
         const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
         sqrtRatio = (u, v) => {
             let tv1 = Fp.sqr(v); // 1. tv1 = v^2
@@ -2207,7 +893,7 @@ function getWLengths(Fp, Fn) {
 function ecdh(Point, ecdhOpts = {}) {
     const { Fn } = Point;
     const randomBytes_ = ecdhOpts.randomBytes || esm_utils/* randomBytes */.po;
-    const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
+    const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: (0,modular/* getMinHashLength */.Tp)(Fn.ORDER) });
     function isValidSecretKey(secretKey) {
         try {
             return !!_normFnElement(Fn, secretKey);
@@ -2235,7 +921,7 @@ function ecdh(Point, ecdhOpts = {}) {
      * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
      */
     function randomSecretKey(seed = randomBytes_(lengths.seed)) {
-        return mapHashToField(_abytes2(seed, lengths.seed, 'seed'), Fn.ORDER);
+        return (0,modular/* mapHashToField */.qy)((0,curves_esm_utils/* _abytes2 */.eV)(seed, lengths.seed, 'seed'), Fn.ORDER);
     }
     /**
      * Computes public key for a secret key. Checks for validity of the secret key.
@@ -2260,7 +946,7 @@ function ecdh(Point, ecdhOpts = {}) {
         const { secretKey, publicKey, publicKeyUncompressed } = lengths;
         if (Fn.allowedLengths || secretKey === publicKey)
             return undefined;
-        const l = utils_ensureBytes('key', item).length;
+        const l = (0,curves_esm_utils/* ensureBytes */.qj)('key', item).length;
         return l === publicKey || l === publicKeyUncompressed;
     }
     /**
@@ -2312,7 +998,7 @@ function ecdh(Point, ecdhOpts = {}) {
  */
 function ecdsa(Point, hash, ecdsaOpts = {}) {
     (0,esm_utils/* ahash */.sd)(hash);
-    _validateObject(ecdsaOpts, {}, {
+    (0,curves_esm_utils/* _validateObject */.DS)(ecdsaOpts, {}, {
         hmac: 'function',
         lowS: 'boolean',
         randomBytes: 'function',
@@ -2333,7 +1019,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
     };
     const defaultSigOpts_format = 'compact';
     function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE_ORDER >> weierstrass_1n;
+        const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
     }
     function validateRS(title, num) {
@@ -2345,7 +1031,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         validateSigFormat(format);
         const size = lengths.signature;
         const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
-        return _abytes2(bytes, sizer, `${format} signature`);
+        return (0,curves_esm_utils/* _abytes2 */.eV)(bytes, sizer, `${format} signature`);
     }
     /**
      * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
@@ -2362,7 +1048,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             validateSigLength(bytes, format);
             let recid;
             if (format === 'der') {
-                const { r, s } = DER.toSig(_abytes2(bytes));
+                const { r, s } = DER.toSig((0,curves_esm_utils/* _abytes2 */.eV)(bytes));
                 return new Signature(r, s);
             }
             if (format === 'recovered') {
@@ -2394,7 +1080,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             // To easily get i, we either need to:
             // a. increase amount of valid recid values (4, 5...); OR
             // b. prohibit non-prime-order signatures (recid > 1).
-            const hasCofactor = CURVE_ORDER * weierstrass_2n < FIELD_ORDER;
+            const hasCofactor = CURVE_ORDER * _2n < FIELD_ORDER;
             if (hasCofactor && rec > 1)
                 throw new Error('recovery id is ambiguous for h>1 curve');
             const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
@@ -2403,7 +1089,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             const x = Fp.toBytes(radj);
             const R = Point.fromBytes((0,esm_utils/* concatBytes */.Id)(pprefix((rec & 1) === 0), x));
             const ir = Fn.inv(radj); // r^-1
-            const h = bits2int_modN(utils_ensureBytes('msgHash', messageHash)); // Truncate hash
+            const h = bits2int_modN((0,curves_esm_utils/* ensureBytes */.qj)('msgHash', messageHash)); // Truncate hash
             const u1 = Fn.create(-h * ir); // -hr^-1
             const u2 = Fn.create(s * ir); // sr^-1
             // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
@@ -2436,10 +1122,10 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         // TODO: remove
         assertValidity() { }
         static fromCompact(hex) {
-            return Signature.fromBytes(utils_ensureBytes('sig', hex), 'compact');
+            return Signature.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('sig', hex), 'compact');
         }
         static fromDER(hex) {
-            return Signature.fromBytes(utils_ensureBytes('sig', hex), 'der');
+            return Signature.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('sig', hex), 'der');
         }
         normalizeS() {
             return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
@@ -2468,7 +1154,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
                 throw new Error('input is too large');
             // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
             // for some cases, since bytes.length * 8 is not actual bitLength.
-            const num = utils_bytesToNumberBE(bytes); // check for == u8 done here
+            const num = (0,curves_esm_utils/* bytesToNumberBE */.Ph)(bytes); // check for == u8 done here
             const delta = bytes.length * 8 - fnBits; // truncate to nBitLength leftmost bits
             return delta > 0 ? num >> BigInt(delta) : num;
         };
@@ -2477,16 +1163,16 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
         };
     // Pads output with zero as per spec
-    const ORDER_MASK = utils_bitMask(fnBits);
+    const ORDER_MASK = (0,curves_esm_utils/* bitMask */.OG)(fnBits);
     /** Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`. */
     function int2octets(num) {
         // IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
-        aInRange('num < 2^' + fnBits, num, weierstrass_0n, ORDER_MASK);
+        (0,curves_esm_utils/* aInRange */.aK)('num < 2^' + fnBits, num, _0n, ORDER_MASK);
         return Fn.toBytes(num);
     }
     function validateMsgAndHash(message, prehash) {
-        _abytes2(message, undefined, 'message');
-        return prehash ? _abytes2(hash(message), undefined, 'prehashed message') : message;
+        (0,curves_esm_utils/* _abytes2 */.eV)(message, undefined, 'message');
+        return prehash ? (0,curves_esm_utils/* _abytes2 */.eV)(hash(message), undefined, 'prehashed message') : message;
     }
     /**
      * Steps A, D of RFC6979 3.2.
@@ -2512,7 +1198,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
             // gen random bytes OR pass as-is
             const e = extraEntropy === true ? randomBytes(lengths.secretKey) : extraEntropy;
-            seedArgs.push(utils_ensureBytes('extraEntropy', e)); // check for being bytes
+            seedArgs.push((0,curves_esm_utils/* ensureBytes */.qj)('extraEntropy', e)); // check for being bytes
         }
         const seed = (0,esm_utils/* concatBytes */.Id)(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
@@ -2533,12 +1219,12 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             const ik = Fn.inv(k); // k^-1 mod n
             const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
             const r = Fn.create(q.x); // r = q.x mod n
-            if (r === weierstrass_0n)
+            if (r === _0n)
                 return;
             const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
-            if (s === weierstrass_0n)
+            if (s === _0n)
                 return;
-            let recovery = (q.x === r ? 0 : 2) | Number(q.y & weierstrass_1n); // recovery bit (2 or 3, when q.x > n)
+            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
             let normS = s;
             if (lowS && isBiggerThanHalfOrder(s)) {
                 normS = Fn.neg(s); // if lowS was passed, ensure s is always
@@ -2560,9 +1246,9 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
      * ```
      */
     function sign(message, secretKey, opts = {}) {
-        message = utils_ensureBytes('message', message);
+        message = (0,curves_esm_utils/* ensureBytes */.qj)('message', message);
         const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
-        const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac);
+        const drbg = (0,curves_esm_utils/* createHmacDrbg */.fg)(hash.outputLen, Fn.BYTES, hmac);
         const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
         return sig;
     }
@@ -2582,7 +1268,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         }
         else if (isHex) {
             try {
-                sig = Signature.fromBytes(utils_ensureBytes('sig', sg), 'der');
+                sig = Signature.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('sig', sg), 'der');
             }
             catch (derError) {
                 if (!(derError instanceof DER.Err))
@@ -2590,7 +1276,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             }
             if (!sig) {
                 try {
-                    sig = Signature.fromBytes(utils_ensureBytes('sig', sg), 'compact');
+                    sig = Signature.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('sig', sg), 'compact');
                 }
                 catch (error) {
                     return false;
@@ -2616,13 +1302,13 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
      */
     function verify(signature, message, publicKey, opts = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
-        publicKey = utils_ensureBytes('publicKey', publicKey);
-        message = validateMsgAndHash(utils_ensureBytes('message', message), prehash);
+        publicKey = (0,curves_esm_utils/* ensureBytes */.qj)('publicKey', publicKey);
+        message = validateMsgAndHash((0,curves_esm_utils/* ensureBytes */.qj)('message', message), prehash);
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
         const sig = format === undefined
             ? tryParsingSig(signature)
-            : Signature.fromBytes(utils_ensureBytes('sig', signature), format);
+            : Signature.fromBytes((0,curves_esm_utils/* ensureBytes */.qj)('sig', signature), format);
         if (sig === false)
             return false;
         try {
@@ -2683,7 +1369,7 @@ function _weierstrass_legacy_opts_to_new(c) {
     let allowedLengths = c.allowedPrivateKeyLengths
         ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
         : undefined;
-    const Fn = Field(CURVE.n, {
+    const Fn = (0,modular/* Field */.D0)(CURVE.n, {
         BITS: c.nBitLength,
         allowedLengths: allowedLengths,
         modFromBytes: c.wrapPrivateKey,
@@ -2726,7 +1412,7 @@ function _legacyHelperEquat(Fp, a, b) {
 function _weierstrass_new_output_to_legacy(c, Point) {
     const { Fp, Fn } = Point;
     function isWithinCurveOrder(num) {
-        return inRange(num, weierstrass_1n, Fn.ORDER);
+        return inRange(num, _1n, Fn.ORDER);
     }
     const weierstrassEquation = _legacyHelperEquat(Fp, c.a, c.b);
     return Object.assign({}, {
@@ -2742,7 +1428,7 @@ function _ecdsa_new_output_to_legacy(c, _ecdsa) {
     const Point = _ecdsa.Point;
     return Object.assign({}, _ecdsa, {
         ProjectivePoint: Point,
-        CURVE: Object.assign({}, c, modular_nLength(Point.Fn.ORDER, Point.Fn.BITS)),
+        CURVE: Object.assign({}, c, (0,modular/* nLength */.LH)(Point.Fn.ORDER, Point.Fn.BITS)),
     });
 }
 // _ecdsa_legacy
@@ -2813,9 +1499,9 @@ const p521_CURVE = {
     Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
 };
-const Fp256 = Field(p256_CURVE.p);
-const Fp384 = Field(p384_CURVE.p);
-const Fp521 = Field(p521_CURVE.p);
+const Fp256 = (0,modular/* Field */.D0)(p256_CURVE.p);
+const Fp384 = (0,modular/* Field */.D0)(p384_CURVE.p);
+const Fp521 = (0,modular/* Field */.D0)(p521_CURVE.p);
 function createSWU(Point, opts) {
     const map = mapToCurveSimpleSWU(Point.Fp, opts);
     return (scalars) => map(scalars[0]);