@latticexyz/world-module-erc20 2.2.21-041031d271b62a7f41f7c6dc0098c1c0ae222bd5 → 2.2.21-236ef3c7750b954dc7faf23f1d7c8599ce47a30f

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/{ccip-VJWDNI4X.js → ccip-VIBPEQNI.js} +3 -3
  2. package/dist/{chunk-2VXHCW2O.js → chunk-M5FHJZR5.js} +37 -30
  3. package/dist/chunk-M5FHJZR5.js.map +1 -0
  4. package/dist/{chunk-LIWKL347.js → chunk-XE443CMG.js} +305 -249
  5. package/dist/chunk-XE443CMG.js.map +1 -0
  6. package/dist/internal.js +2 -2
  7. package/dist/{secp256k1-XVT662DN.js → secp256k1-QT34R5PW.js} +507 -428
  8. package/dist/secp256k1-QT34R5PW.js.map +1 -0
  9. package/package.json +8 -8
  10. package/dist/chunk-2VXHCW2O.js.map +0 -1
  11. package/dist/chunk-LIWKL347.js.map +0 -1
  12. package/dist/secp256k1-XVT662DN.js.map +0 -1
  13. /package/dist/{ccip-VJWDNI4X.js.map → ccip-VIBPEQNI.js.map} +0 -0
package/dist/{secp256k1-XVT662DN.js → secp256k1-QT34R5PW.js} RENAMED
@@ -1,21 +1,21 @@
1
1
  import {
2
2
  Hash,
3
- bytes,
3
+ abytes,
4
+ aexists,
5
+ ahash,
6
+ aoutput,
4
7
  concatBytes,
5
8
  createView,
6
- exists,
7
- hash,
8
- output,
9
9
  randomBytes,
10
10
  rotr,
11
11
  toBytes,
12
12
  wrapConstructor
13
- } from "./chunk-2VXHCW2O.js";
13
+ } from "./chunk-M5FHJZR5.js";
14
14
  import {
15
15
  __export
16
16
  } from "./chunk-PR4QN5HX.js";
17
17
 
18
- // ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/_md.js
18
+ // ../../node_modules/.pnpm/@noble+hashes@1.7.1/node_modules/@noble/hashes/esm/_md.js
19
19
  function setBigUint64(view, byteOffset, value, isLE) {
20
20
  if (typeof view.setBigUint64 === "function")
21
21
  return view.setBigUint64(byteOffset, value, isLE);
@@ -28,8 +28,12 @@ function setBigUint64(view, byteOffset, value, isLE) {
28
28
  view.setUint32(byteOffset + h, wh, isLE);
29
29
  view.setUint32(byteOffset + l, wl, isLE);
30
30
  }
31
- var Chi = (a, b, c) => a & b ^ ~a & c;
32
- var Maj = (a, b, c) => a & b ^ a & c ^ b & c;
31
+ function Chi(a, b, c) {
32
+ return a & b ^ ~a & c;
33
+ }
34
+ function Maj(a, b, c) {
35
+ return a & b ^ a & c ^ b & c;
36
+ }
33
37
  var HashMD = class extends Hash {
34
38
  constructor(blockLen, outputLen, padOffset, isLE) {
35
39
  super();
@@ -45,7 +49,7 @@ var HashMD = class extends Hash {
45
49
  this.view = createView(this.buffer);
46
50
  }
47
51
  update(data) {
48
- exists(this);
52
+ aexists(this);
49
53
  const { view, buffer, blockLen } = this;
50
54
  data = toBytes(data);
51
55
  const len = data.length;
@@ -70,8 +74,8 @@ var HashMD = class extends Hash {
70
74
  return this;
71
75
  }
72
76
  digestInto(out) {
73
- exists(this);
74
- output(out, this);
77
+ aexists(this);
78
+ aoutput(out, this);
75
79
  this.finished = true;
76
80
  const { buffer, view, blockLen, isLE } = this;
77
81
  let { pos } = this;
@@ -117,7 +121,7 @@ var HashMD = class extends Hash {
117
121
  }
118
122
  };
119
123
 
120
- // ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/sha256.js
124
+ // ../../node_modules/.pnpm/@noble+hashes@1.7.1/node_modules/@noble/hashes/esm/sha256.js
121
125
  var SHA256_K = /* @__PURE__ */ new Uint32Array([
122
126
  1116352408,
123
127
  1899447441,
@@ -267,39 +271,39 @@ var SHA256 = class extends HashMD {
267
271
  };
268
272
  var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
269
273
 
270
- // ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/hmac.js
274
+ // ../../node_modules/.pnpm/@noble+hashes@1.7.1/node_modules/@noble/hashes/esm/hmac.js
271
275
  var HMAC = class extends Hash {
272
- constructor(hash2, _key) {
276
+ constructor(hash, _key) {
273
277
  super();
274
278
  this.finished = false;
275
279
  this.destroyed = false;
276
- hash(hash2);
280
+ ahash(hash);
277
281
  const key = toBytes(_key);
278
- this.iHash = hash2.create();
282
+ this.iHash = hash.create();
279
283
  if (typeof this.iHash.update !== "function")
280
284
  throw new Error("Expected instance of class which extends utils.Hash");
281
285
  this.blockLen = this.iHash.blockLen;
282
286
  this.outputLen = this.iHash.outputLen;
283
287
  const blockLen = this.blockLen;
284
288
  const pad = new Uint8Array(blockLen);
285
- pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
289
+ pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
286
290
  for (let i = 0; i < pad.length; i++)
287
291
  pad[i] ^= 54;
288
292
  this.iHash.update(pad);
289
- this.oHash = hash2.create();
293
+ this.oHash = hash.create();
290
294
  for (let i = 0; i < pad.length; i++)
291
295
  pad[i] ^= 54 ^ 92;
292
296
  this.oHash.update(pad);
293
297
  pad.fill(0);
294
298
  }
295
299
  update(buf) {
296
- exists(this);
300
+ aexists(this);
297
301
  this.iHash.update(buf);
298
302
  return this;
299
303
  }
300
304
  digestInto(out) {
301
- exists(this);
302
- bytes(out, this.outputLen);
305
+ aexists(this);
306
+ abytes(out, this.outputLen);
303
307
  this.finished = true;
304
308
  this.iHash.digestInto(out);
305
309
  this.oHash.update(out);
@@ -329,15 +333,15 @@ var HMAC = class extends Hash {
329
333
  this.iHash.destroy();
330
334
  }
331
335
  };
332
- var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
333
- hmac.create = (hash2, key) => new HMAC(hash2, key);
336
+ var hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
337
+ hmac.create = (hash, key) => new HMAC(hash, key);
334
338
 
335
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/utils.js
339
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/abstract/utils.js
336
340
  var utils_exports = {};
337
341
  __export(utils_exports, {
338
342
  aInRange: () => aInRange,
339
343
  abool: () => abool,
340
- abytes: () => abytes,
344
+ abytes: () => abytes2,
341
345
  bitGet: () => bitGet,
342
346
  bitLen: () => bitLen,
343
347
  bitMask: () => bitMask,
@@ -366,42 +370,42 @@ var _0n = /* @__PURE__ */ BigInt(0);
366
370
  var _1n = /* @__PURE__ */ BigInt(1);
367
371
  var _2n = /* @__PURE__ */ BigInt(2);
368
372
  function isBytes(a) {
369
- return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array";
373
+ return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
370
374
  }
371
- function abytes(item) {
375
+ function abytes2(item) {
372
376
  if (!isBytes(item))
373
377
  throw new Error("Uint8Array expected");
374
378
  }
375
379
  function abool(title, value) {
376
380
  if (typeof value !== "boolean")
377
- throw new Error(`${title} must be valid boolean, got "${value}".`);
381
+ throw new Error(title + " boolean expected, got " + value);
378
382
  }
379
383
  var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
380
- function bytesToHex(bytes2) {
381
- abytes(bytes2);
384
+ function bytesToHex(bytes) {
385
+ abytes2(bytes);
382
386
  let hex = "";
383
- for (let i = 0; i < bytes2.length; i++) {
384
- hex += hexes[bytes2[i]];
387
+ for (let i = 0; i < bytes.length; i++) {
388
+ hex += hexes[bytes[i]];
385
389
  }
386
390
  return hex;
387
391
  }
388
392
  function numberToHexUnpadded(num2) {
389
393
  const hex = num2.toString(16);
390
- return hex.length & 1 ? `0${hex}` : hex;
394
+ return hex.length & 1 ? "0" + hex : hex;
391
395
  }
392
396
  function hexToNumber(hex) {
393
397
  if (typeof hex !== "string")
394
398
  throw new Error("hex string expected, got " + typeof hex);
395
- return BigInt(hex === "" ? "0" : `0x${hex}`);
396
- }
397
- var asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
398
- function asciiToBase16(char) {
399
- if (char >= asciis._0 && char <= asciis._9)
400
- return char - asciis._0;
401
- if (char >= asciis._A && char <= asciis._F)
402
- return char - (asciis._A - 10);
403
- if (char >= asciis._a && char <= asciis._f)
404
- return char - (asciis._a - 10);
399
+ return hex === "" ? _0n : BigInt("0x" + hex);
400
+ }
401
+ var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
402
+ function asciiToBase16(ch) {
403
+ if (ch >= asciis._0 && ch <= asciis._9)
404
+ return ch - asciis._0;
405
+ if (ch >= asciis.A && ch <= asciis.F)
406
+ return ch - (asciis.A - 10);
407
+ if (ch >= asciis.a && ch <= asciis.f)
408
+ return ch - (asciis.a - 10);
405
409
  return;
406
410
  }
407
411
  function hexToBytes(hex) {
@@ -410,7 +414,7 @@ function hexToBytes(hex) {
410
414
  const hl = hex.length;
411
415
  const al = hl / 2;
412
416
  if (hl % 2)
413
- throw new Error("padded hex string expected, got unpadded hex of length " + hl);
417
+ throw new Error("hex string expected, got unpadded hex of length " + hl);
414
418
  const array = new Uint8Array(al);
415
419
  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
416
420
  const n1 = asciiToBase16(hex.charCodeAt(hi));
@@ -423,12 +427,12 @@ function hexToBytes(hex) {
423
427
  }
424
428
  return array;
425
429
  }
426
- function bytesToNumberBE(bytes2) {
427
- return hexToNumber(bytesToHex(bytes2));
430
+ function bytesToNumberBE(bytes) {
431
+ return hexToNumber(bytesToHex(bytes));
428
432
  }
429
- function bytesToNumberLE(bytes2) {
430
- abytes(bytes2);
431
- return hexToNumber(bytesToHex(Uint8Array.from(bytes2).reverse()));
433
+ function bytesToNumberLE(bytes) {
434
+ abytes2(bytes);
435
+ return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
432
436
  }
433
437
  function numberToBytesBE(n, len) {
434
438
  return hexToBytes(n.toString(16).padStart(len * 2, "0"));
@@ -445,23 +449,23 @@ function ensureBytes(title, hex, expectedLength) {
445
449
  try {
446
450
  res = hexToBytes(hex);
447
451
  } catch (e) {
448
- throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
452
+ throw new Error(title + " must be hex string or Uint8Array, cause: " + e);
449
453
  }
450
454
  } else if (isBytes(hex)) {
451
455
  res = Uint8Array.from(hex);
452
456
  } else {
453
- throw new Error(`${title} must be hex string or Uint8Array`);
457
+ throw new Error(title + " must be hex string or Uint8Array");
454
458
  }
455
459
  const len = res.length;
456
460
  if (typeof expectedLength === "number" && len !== expectedLength)
457
- throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
461
+ throw new Error(title + " of length " + expectedLength + " expected, got " + len);
458
462
  return res;
459
463
  }
460
464
  function concatBytes2(...arrays) {
461
465
  let sum = 0;
462
466
  for (let i = 0; i < arrays.length; i++) {
463
467
  const a = arrays[i];
464
- abytes(a);
468
+ abytes2(a);
465
469
  sum += a.length;
466
470
  }
467
471
  const res = new Uint8Array(sum);
@@ -482,7 +486,7 @@ function equalBytes(a, b) {
482
486
  }
483
487
  function utf8ToBytes(str) {
484
488
  if (typeof str !== "string")
485
- throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
489
+ throw new Error("string expected");
486
490
  return new Uint8Array(new TextEncoder().encode(str));
487
491
  }
488
492
  var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
@@ -491,7 +495,7 @@ function inRange(n, min, max) {
491
495
  }
492
496
  function aInRange(title, n, min, max) {
493
497
  if (!inRange(n, min, max))
494
- throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
498
+ throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
495
499
  }
496
500
  function bitLen(n) {
497
501
  let len;
@@ -571,12 +575,12 @@ function validateObject(object, validators, optValidators = {}) {
571
575
  const checkField = (fieldName, type, isOptional) => {
572
576
  const checkVal = validatorFns[type];
573
577
  if (typeof checkVal !== "function")
574
- throw new Error(`Invalid validator "${type}", expected function`);
578
+ throw new Error("invalid validator function");
575
579
  const val = object[fieldName];
576
580
  if (isOptional && val === void 0)
577
581
  return;
578
582
  if (!checkVal(val, object)) {
579
- throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
583
+ throw new Error("param " + String(fieldName) + " is invalid. Expected " + type + ", got " + val);
580
584
  }
581
585
  };
582
586
  for (const [fieldName, type] of Object.entries(validators))
@@ -600,23 +604,25 @@ function memoized(fn) {
600
604
  };
601
605
  }
602
606
 
603
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/modular.js
607
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/abstract/modular.js
604
608
  var _0n2 = BigInt(0);
605
609
  var _1n2 = BigInt(1);
606
- var _2n2 = BigInt(2);
607
- var _3n = BigInt(3);
608
- var _4n = BigInt(4);
609
- var _5n = BigInt(5);
610
- var _8n = BigInt(8);
611
- var _9n = BigInt(9);
612
- var _16n = BigInt(16);
610
+ var _2n2 = /* @__PURE__ */ BigInt(2);
611
+ var _3n = /* @__PURE__ */ BigInt(3);
612
+ var _4n = /* @__PURE__ */ BigInt(4);
613
+ var _5n = /* @__PURE__ */ BigInt(5);
614
+ var _8n = /* @__PURE__ */ BigInt(8);
615
+ var _9n = /* @__PURE__ */ BigInt(9);
616
+ var _16n = /* @__PURE__ */ BigInt(16);
613
617
  function mod(a, b) {
614
618
  const result = a % b;
615
619
  return result >= _0n2 ? result : b + result;
616
620
  }
617
621
  function pow(num2, power, modulo) {
618
- if (modulo <= _0n2 || power < _0n2)
619
- throw new Error("Expected power/modulo > 0");
622
+ if (power < _0n2)
623
+ throw new Error("invalid exponent, negatives unsupported");
624
+ if (modulo <= _0n2)
625
+ throw new Error("invalid modulus");
620
626
  if (modulo === _1n2)
621
627
  return _0n2;
622
628
  let res = _1n2;
@@ -637,9 +643,10 @@ function pow2(x, power, modulo) {
637
643
  return res;
638
644
  }
639
645
  function invert(number, modulo) {
640
- if (number === _0n2 || modulo <= _0n2) {
641
- throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
642
- }
646
+ if (number === _0n2)
647
+ throw new Error("invert: expected non-zero number");
648
+ if (modulo <= _0n2)
649
+ throw new Error("invert: expected positive modulus, got " + modulo);
643
650
  let a = mod(number, modulo);
644
651
  let b = modulo;
645
652
  let x = _0n2, y = _1n2, u = _1n2, v = _0n2;
@@ -660,38 +667,40 @@ function tonelliShanks(P) {
660
667
  let Q, S, Z;
661
668
  for (Q = P - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++)
662
669
  ;
663
- for (Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++)
664
- ;
670
+ for (Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++) {
671
+ if (Z > 1e3)
672
+ throw new Error("Cannot find square root: likely non-prime P");
673
+ }
665
674
  if (S === 1) {
666
675
  const p1div4 = (P + _1n2) / _4n;
667
- return function tonelliFast(Fp2, n) {
668
- const root = Fp2.pow(n, p1div4);
669
- if (!Fp2.eql(Fp2.sqr(root), n))
676
+ return function tonelliFast(Fp, n) {
677
+ const root = Fp.pow(n, p1div4);
678
+ if (!Fp.eql(Fp.sqr(root), n))
670
679
  throw new Error("Cannot find square root");
671
680
  return root;
672
681
  };
673
682
  }
674
683
  const Q1div2 = (Q + _1n2) / _2n2;
675
- return function tonelliSlow(Fp2, n) {
676
- if (Fp2.pow(n, legendreC) === Fp2.neg(Fp2.ONE))
684
+ return function tonelliSlow(Fp, n) {
685
+ if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
677
686
  throw new Error("Cannot find square root");
678
687
  let r = S;
679
- let g = Fp2.pow(Fp2.mul(Fp2.ONE, Z), Q);
680
- let x = Fp2.pow(n, Q1div2);
681
- let b = Fp2.pow(n, Q);
682
- while (!Fp2.eql(b, Fp2.ONE)) {
683
- if (Fp2.eql(b, Fp2.ZERO))
684
- return Fp2.ZERO;
688
+ let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q);
689
+ let x = Fp.pow(n, Q1div2);
690
+ let b = Fp.pow(n, Q);
691
+ while (!Fp.eql(b, Fp.ONE)) {
692
+ if (Fp.eql(b, Fp.ZERO))
693
+ return Fp.ZERO;
685
694
  let m = 1;
686
- for (let t2 = Fp2.sqr(b); m < r; m++) {
687
- if (Fp2.eql(t2, Fp2.ONE))
695
+ for (let t2 = Fp.sqr(b); m < r; m++) {
696
+ if (Fp.eql(t2, Fp.ONE))
688
697
  break;
689
- t2 = Fp2.sqr(t2);
698
+ t2 = Fp.sqr(t2);
690
699
  }
691
- const ge = Fp2.pow(g, _1n2 << BigInt(r - m - 1));
692
- g = Fp2.sqr(ge);
693
- x = Fp2.mul(x, ge);
694
- b = Fp2.mul(b, g);
700
+ const ge = Fp.pow(g, _1n2 << BigInt(r - m - 1));
701
+ g = Fp.sqr(ge);
702
+ x = Fp.mul(x, ge);
703
+ b = Fp.mul(b, g);
695
704
  r = m;
696
705
  }
697
706
  return x;
@@ -700,22 +709,22 @@ function tonelliShanks(P) {
700
709
  function FpSqrt(P) {
701
710
  if (P % _4n === _3n) {
702
711
  const p1div4 = (P + _1n2) / _4n;
703
- return function sqrt3mod4(Fp2, n) {
704
- const root = Fp2.pow(n, p1div4);
705
- if (!Fp2.eql(Fp2.sqr(root), n))
712
+ return function sqrt3mod4(Fp, n) {
713
+ const root = Fp.pow(n, p1div4);
714
+ if (!Fp.eql(Fp.sqr(root), n))
706
715
  throw new Error("Cannot find square root");
707
716
  return root;
708
717
  };
709
718
  }
710
719
  if (P % _8n === _5n) {
711
720
  const c1 = (P - _5n) / _8n;
712
- return function sqrt5mod8(Fp2, n) {
713
- const n2 = Fp2.mul(n, _2n2);
714
- const v = Fp2.pow(n2, c1);
715
- const nv = Fp2.mul(n, v);
716
- const i = Fp2.mul(Fp2.mul(nv, _2n2), v);
717
- const root = Fp2.mul(nv, Fp2.sub(i, Fp2.ONE));
718
- if (!Fp2.eql(Fp2.sqr(root), n))
721
+ return function sqrt5mod8(Fp, n) {
722
+ const n2 = Fp.mul(n, _2n2);
723
+ const v = Fp.pow(n2, c1);
724
+ const nv = Fp.mul(n, v);
725
+ const i = Fp.mul(Fp.mul(nv, _2n2), v);
726
+ const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
727
+ if (!Fp.eql(Fp.sqr(root), n))
719
728
  throw new Error("Cannot find square root");
720
729
  return root;
721
730
  };
@@ -758,7 +767,7 @@ function validateField(field) {
758
767
  }
759
768
  function FpPow(f, num2, power) {
760
769
  if (power < _0n2)
761
- throw new Error("Expected power > 0");
770
+ throw new Error("invalid exponent, negatives unsupported");
762
771
  if (power === _0n2)
763
772
  return f.ONE;
764
773
  if (power === _1n2)
@@ -797,13 +806,14 @@ function nLength(n, nBitLength) {
797
806
  }
798
807
  function Field(ORDER, bitLen2, isLE = false, redef = {}) {
799
808
  if (ORDER <= _0n2)
800
- throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
809
+ throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
801
810
  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
802
811
  if (BYTES > 2048)
803
- throw new Error("Field lengths over 2048 bytes are not supported");
804
- const sqrtP = FpSqrt(ORDER);
812
+ throw new Error("invalid field: expected ORDER of <= 2048 bytes");
813
+ let sqrtP;
805
814
  const f = Object.freeze({
806
815
  ORDER,
816
+ isLE,
807
817
  BITS,
808
818
  BYTES,
809
819
  MASK: bitMask(BITS),
@@ -812,7 +822,7 @@ function Field(ORDER, bitLen2, isLE = false, redef = {}) {
812
822
  create: (num2) => mod(num2, ORDER),
813
823
  isValid: (num2) => {
814
824
  if (typeof num2 !== "bigint")
815
- throw new Error(`Invalid field element: expected bigint, got ${typeof num2}`);
825
+ throw new Error("invalid field element: expected bigint, got " + typeof num2);
816
826
  return _0n2 <= num2 && num2 < ORDER;
817
827
  },
818
828
  is0: (num2) => num2 === _0n2,
@@ -831,16 +841,20 @@ function Field(ORDER, bitLen2, isLE = false, redef = {}) {
831
841
  subN: (lhs, rhs) => lhs - rhs,
832
842
  mulN: (lhs, rhs) => lhs * rhs,
833
843
  inv: (num2) => invert(num2, ORDER),
834
- sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
844
+ sqrt: redef.sqrt || ((n) => {
845
+ if (!sqrtP)
846
+ sqrtP = FpSqrt(ORDER);
847
+ return sqrtP(f, n);
848
+ }),
835
849
  invertBatch: (lst) => FpInvertBatch(f, lst),
836
850
  // TODO: do we really need constant cmov?
837
851
  // We don't have const-time bigints anyway, so probably will be not very useful
838
852
  cmov: (a, b, c) => c ? b : a,
839
853
  toBytes: (num2) => isLE ? numberToBytesLE(num2, BYTES) : numberToBytesBE(num2, BYTES),
840
- fromBytes: (bytes2) => {
841
- if (bytes2.length !== BYTES)
842
- throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes2.length}`);
843
- return isLE ? bytesToNumberLE(bytes2) : bytesToNumberBE(bytes2);
854
+ fromBytes: (bytes) => {
855
+ if (bytes.length !== BYTES)
856
+ throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
857
+ return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
844
858
  }
845
859
  });
846
860
  return Object.freeze(f);
@@ -860,37 +874,58 @@ function mapHashToField(key, fieldOrder, isLE = false) {
860
874
  const fieldLen = getFieldBytesLength(fieldOrder);
861
875
  const minLen = getMinHashLength(fieldOrder);
862
876
  if (len < 16 || len < minLen || len > 1024)
863
- throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
864
- const num2 = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
877
+ throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
878
+ const num2 = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
865
879
  const reduced = mod(num2, fieldOrder - _1n2) + _1n2;
866
880
  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
867
881
  }
868
882
 
869
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/curve.js
883
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/abstract/curve.js
870
884
  var _0n3 = BigInt(0);
871
885
  var _1n3 = BigInt(1);
886
+ function constTimeNegate(condition, item) {
887
+ const neg = item.negate();
888
+ return condition ? neg : item;
889
+ }
890
+ function validateW(W, bits) {
891
+ if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
892
+ throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W);
893
+ }
894
+ function calcWOpts(W, bits) {
895
+ validateW(W, bits);
896
+ const windows = Math.ceil(bits / W) + 1;
897
+ const windowSize = 2 ** (W - 1);
898
+ return { windows, windowSize };
899
+ }
900
+ function validateMSMPoints(points, c) {
901
+ if (!Array.isArray(points))
902
+ throw new Error("array expected");
903
+ points.forEach((p, i) => {
904
+ if (!(p instanceof c))
905
+ throw new Error("invalid point at index " + i);
906
+ });
907
+ }
908
+ function validateMSMScalars(scalars, field) {
909
+ if (!Array.isArray(scalars))
910
+ throw new Error("array of scalars expected");
911
+ scalars.forEach((s, i) => {
912
+ if (!field.isValid(s))
913
+ throw new Error("invalid scalar at index " + i);
914
+ });
915
+ }
872
916
  var pointPrecomputes = /* @__PURE__ */ new WeakMap();
873
917
  var pointWindowSizes = /* @__PURE__ */ new WeakMap();
918
+ function getW(P) {
919
+ return pointWindowSizes.get(P) || 1;
920
+ }
874
921
  function wNAF(c, bits) {
875
- const constTimeNegate = (condition, item) => {
876
- const neg = item.negate();
877
- return condition ? neg : item;
878
- };
879
- const validateW = (W) => {
880
- if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
881
- throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
882
- };
883
- const opts = (W) => {
884
- validateW(W);
885
- const windows = Math.ceil(bits / W) + 1;
886
- const windowSize = 2 ** (W - 1);
887
- return { windows, windowSize };
888
- };
889
922
  return {
890
923
  constTimeNegate,
924
+ hasPrecomputes(elm) {
925
+ return getW(elm) !== 1;
926
+ },
891
927
  // non-const time multiplication ladder
892
- unsafeLadder(elm, n) {
893
- let p = c.ZERO;
928
+ unsafeLadder(elm, n, p = c.ZERO) {
894
929
  let d = elm;
895
930
  while (n > _0n3) {
896
931
  if (n & _1n3)
@@ -908,10 +943,12 @@ function wNAF(c, bits) {
908
943
  * - 𝑊 is the window size
909
944
  * - 𝑛 is the bitlength of the curve order.
910
945
  * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
946
+ * @param elm Point instance
947
+ * @param W window size
911
948
  * @returns precomputed point tables flattened to a single array
912
949
  */
913
950
  precomputeWindow(elm, W) {
914
- const { windows, windowSize } = opts(W);
951
+ const { windows, windowSize } = calcWOpts(W, bits);
915
952
  const points = [];
916
953
  let p = elm;
917
954
  let base = p;
@@ -934,7 +971,7 @@ function wNAF(c, bits) {
934
971
  * @returns real and fake (for const-time) points
935
972
  */
936
973
  wNAF(W, precomputes, n) {
937
- const { windows, windowSize } = opts(W);
974
+ const { windows, windowSize } = calcWOpts(W, bits);
938
975
  let p = c.ZERO;
939
976
  let f = c.BASE;
940
977
  const mask = BigInt(2 ** W - 1);
@@ -960,52 +997,88 @@ function wNAF(c, bits) {
960
997
  }
961
998
  return { p, f };
962
999
  },
963
- wNAFCached(P, n, transform) {
964
- const W = pointWindowSizes.get(P) || 1;
1000
+ /**
1001
+ * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
1002
+ * @param W window size
1003
+ * @param precomputes precomputed tables
1004
+ * @param n scalar (we don't check here, but should be less than curve order)
1005
+ * @param acc accumulator point to add result of multiplication
1006
+ * @returns point
1007
+ */
1008
+ wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
1009
+ const { windows, windowSize } = calcWOpts(W, bits);
1010
+ const mask = BigInt(2 ** W - 1);
1011
+ const maxNumber = 2 ** W;
1012
+ const shiftBy = BigInt(W);
1013
+ for (let window = 0; window < windows; window++) {
1014
+ const offset = window * windowSize;
1015
+ if (n === _0n3)
1016
+ break;
1017
+ let wbits = Number(n & mask);
1018
+ n >>= shiftBy;
1019
+ if (wbits > windowSize) {
1020
+ wbits -= maxNumber;
1021
+ n += _1n3;
1022
+ }
1023
+ if (wbits === 0)
1024
+ continue;
1025
+ let curr = precomputes[offset + Math.abs(wbits) - 1];
1026
+ if (wbits < 0)
1027
+ curr = curr.negate();
1028
+ acc = acc.add(curr);
1029
+ }
1030
+ return acc;
1031
+ },
1032
+ getPrecomputes(W, P, transform) {
965
1033
  let comp = pointPrecomputes.get(P);
966
1034
  if (!comp) {
967
1035
  comp = this.precomputeWindow(P, W);
968
1036
  if (W !== 1)
969
1037
  pointPrecomputes.set(P, transform(comp));
970
1038
  }
971
- return this.wNAF(W, comp, n);
1039
+ return comp;
1040
+ },
1041
+ wNAFCached(P, n, transform) {
1042
+ const W = getW(P);
1043
+ return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
1044
+ },
1045
+ wNAFCachedUnsafe(P, n, transform, prev) {
1046
+ const W = getW(P);
1047
+ if (W === 1)
1048
+ return this.unsafeLadder(P, n, prev);
1049
+ return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
972
1050
  },
973
1051
  // We calculate precomputes for elliptic curve point multiplication
974
1052
  // using windowed method. This specifies window size and
975
1053
  // stores precomputed values. Usually only base point would be precomputed.
976
1054
  setWindowSize(P, W) {
977
- validateW(W);
1055
+ validateW(W, bits);
978
1056
  pointWindowSizes.set(P, W);
979
1057
  pointPrecomputes.delete(P);
980
1058
  }
981
1059
  };
982
1060
  }
983
- function pippenger(c, field, points, scalars) {
984
- if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)
1061
+ function pippenger(c, fieldN, points, scalars) {
1062
+ validateMSMPoints(points, c);
1063
+ validateMSMScalars(scalars, fieldN);
1064
+ if (points.length !== scalars.length)
985
1065
  throw new Error("arrays of points and scalars must have equal length");
986
- scalars.forEach((s, i) => {
987
- if (!field.isValid(s))
988
- throw new Error(`wrong scalar at index ${i}`);
989
- });
990
- points.forEach((p, i) => {
991
- if (!(p instanceof c))
992
- throw new Error(`wrong point at index ${i}`);
993
- });
1066
+ const zero = c.ZERO;
994
1067
  const wbits = bitLen(BigInt(points.length));
995
1068
  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1;
996
1069
  const MASK = (1 << windowSize) - 1;
997
- const buckets = new Array(MASK + 1).fill(c.ZERO);
998
- const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;
999
- let sum = c.ZERO;
1070
+ const buckets = new Array(MASK + 1).fill(zero);
1071
+ const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
1072
+ let sum = zero;
1000
1073
  for (let i = lastBits; i >= 0; i -= windowSize) {
1001
- buckets.fill(c.ZERO);
1074
+ buckets.fill(zero);
1002
1075
  for (let j = 0; j < scalars.length; j++) {
1003
1076
  const scalar = scalars[j];
1004
1077
  const wbits2 = Number(scalar >> BigInt(i) & BigInt(MASK));
1005
1078
  buckets[wbits2] = buckets[wbits2].add(points[j]);
1006
1079
  }
1007
- let resI = c.ZERO;
1008
- for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {
1080
+ let resI = zero;
1081
+ for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
1009
1082
  sumI = sumI.add(buckets[j]);
1010
1083
  resI = resI.add(sumI);
1011
1084
  }
@@ -1034,7 +1107,7 @@ function validateBasic(curve) {
1034
1107
  });
1035
1108
  }
1036
1109
 
1037
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
1110
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/abstract/weierstrass.js
1038
1111
  function validateSigVerOpts(opts) {
1039
1112
  if (opts.lowS !== void 0)
1040
1113
  abool("lowS", opts.lowS);
@@ -1055,25 +1128,26 @@ function validatePointOpts(curve) {
1055
1128
  fromBytes: "function",
1056
1129
  toBytes: "function"
1057
1130
  });
1058
- const { endo, Fp: Fp2, a } = opts;
1131
+ const { endo, Fp, a } = opts;
1059
1132
  if (endo) {
1060
- if (!Fp2.eql(a, Fp2.ZERO)) {
1061
- throw new Error("Endomorphism can only be defined for Koblitz curves that have a=0");
1133
+ if (!Fp.eql(a, Fp.ZERO)) {
1134
+ throw new Error("invalid endomorphism, can only be defined for Koblitz curves that have a=0");
1062
1135
  }
1063
1136
  if (typeof endo !== "object" || typeof endo.beta !== "bigint" || typeof endo.splitScalar !== "function") {
1064
- throw new Error("Expected endomorphism with beta: bigint and splitScalar: function");
1137
+ throw new Error("invalid endomorphism, expected beta: bigint and splitScalar: function");
1065
1138
  }
1066
1139
  }
1067
1140
  return Object.freeze({ ...opts });
1068
1141
  }
1069
1142
  var { bytesToNumberBE: b2n, hexToBytes: h2b } = utils_exports;
1143
+ var DERErr = class extends Error {
1144
+ constructor(m = "") {
1145
+ super(m);
1146
+ }
1147
+ };
1070
1148
  var DER = {
1071
1149
  // asn.1 DER encoding utils
1072
- Err: class DERErr extends Error {
1073
- constructor(m = "") {
1074
- super(m);
1075
- }
1076
- },
1150
+ Err: DERErr,
1077
1151
  // Basic building block is TLV (Tag-Length-Value)
1078
1152
  _tlv: {
1079
1153
  encode: (tag, data) => {
@@ -1087,7 +1161,8 @@ var DER = {
1087
1161
  if (len.length / 2 & 128)
1088
1162
  throw new E("tlv.encode: long form length too big");
1089
1163
  const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
1090
- return `${numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
1164
+ const t = numberToHexUnpadded(tag);
1165
+ return t + lenLen + len + data;
1091
1166
  },
1092
1167
  // v - value, l - left bytes (unparsed)
1093
1168
  decode(tag, data) {
@@ -1138,34 +1213,36 @@ var DER = {
1138
1213
  if (Number.parseInt(hex[0], 16) & 8)
1139
1214
  hex = "00" + hex;
1140
1215
  if (hex.length & 1)
1141
- throw new E("unexpected assertion");
1216
+ throw new E("unexpected DER parsing assertion: unpadded hex");
1142
1217
  return hex;
1143
1218
  },
1144
1219
  decode(data) {
1145
1220
  const { Err: E } = DER;
1146
1221
  if (data[0] & 128)
1147
- throw new E("Invalid signature integer: negative");
1222
+ throw new E("invalid signature integer: negative");
1148
1223
  if (data[0] === 0 && !(data[1] & 128))
1149
- throw new E("Invalid signature integer: unnecessary leading zero");
1224
+ throw new E("invalid signature integer: unnecessary leading zero");
1150
1225
  return b2n(data);
1151
1226
  }
1152
1227
  },
1153
1228
  toSig(hex) {
1154
1229
  const { Err: E, _int: int, _tlv: tlv } = DER;
1155
1230
  const data = typeof hex === "string" ? h2b(hex) : hex;
1156
- abytes(data);
1231
+ abytes2(data);
1157
1232
  const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
1158
1233
  if (seqLeftBytes.length)
1159
- throw new E("Invalid signature: left bytes after parsing");
1234
+ throw new E("invalid signature: left bytes after parsing");
1160
1235
  const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
1161
1236
  const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
1162
1237
  if (sLeftBytes.length)
1163
- throw new E("Invalid signature: left bytes after parsing");
1238
+ throw new E("invalid signature: left bytes after parsing");
1164
1239
  return { r: int.decode(rBytes), s: int.decode(sBytes) };
1165
1240
  },
1166
1241
  hexFromSig(sig) {
1167
1242
  const { _tlv: tlv, _int: int } = DER;
1168
- const seq = `${tlv.encode(2, int.encode(sig.r))}${tlv.encode(2, int.encode(sig.s))}`;
1243
+ const rs = tlv.encode(2, int.encode(sig.r));
1244
+ const ss = tlv.encode(2, int.encode(sig.s));
1245
+ const seq = rs + ss;
1169
1246
  return tlv.encode(48, seq);
1170
1247
  }
1171
1248
  };
@@ -1176,25 +1253,25 @@ var _3n2 = BigInt(3);
1176
1253
  var _4n2 = BigInt(4);
1177
1254
  function weierstrassPoints(opts) {
1178
1255
  const CURVE = validatePointOpts(opts);
1179
- const { Fp: Fp2 } = CURVE;
1256
+ const { Fp } = CURVE;
1180
1257
  const Fn = Field(CURVE.n, CURVE.nBitLength);
1181
1258
  const toBytes2 = CURVE.toBytes || ((_c, point, _isCompressed) => {
1182
1259
  const a = point.toAffine();
1183
- return concatBytes2(Uint8Array.from([4]), Fp2.toBytes(a.x), Fp2.toBytes(a.y));
1260
+ return concatBytes2(Uint8Array.from([4]), Fp.toBytes(a.x), Fp.toBytes(a.y));
1184
1261
  });
1185
- const fromBytes = CURVE.fromBytes || ((bytes2) => {
1186
- const tail = bytes2.subarray(1);
1187
- const x = Fp2.fromBytes(tail.subarray(0, Fp2.BYTES));
1188
- const y = Fp2.fromBytes(tail.subarray(Fp2.BYTES, 2 * Fp2.BYTES));
1262
+ const fromBytes = CURVE.fromBytes || ((bytes) => {
1263
+ const tail = bytes.subarray(1);
1264
+ const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
1265
+ const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
1189
1266
  return { x, y };
1190
1267
  });
1191
1268
  function weierstrassEquation(x) {
1192
1269
  const { a, b } = CURVE;
1193
- const x2 = Fp2.sqr(x);
1194
- const x3 = Fp2.mul(x2, x);
1195
- return Fp2.add(Fp2.add(x3, Fp2.mul(x, a)), b);
1270
+ const x2 = Fp.sqr(x);
1271
+ const x3 = Fp.mul(x2, x);
1272
+ return Fp.add(Fp.add(x3, Fp.mul(x, a)), b);
1196
1273
  }
1197
- if (!Fp2.eql(Fp2.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
1274
+ if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
1198
1275
  throw new Error("bad generator point: equation left != right");
1199
1276
  function isWithinCurveOrder(num2) {
1200
1277
  return inRange(num2, _1n4, CURVE.n);
@@ -1205,14 +1282,14 @@ function weierstrassPoints(opts) {
1205
1282
  if (isBytes(key))
1206
1283
  key = bytesToHex(key);
1207
1284
  if (typeof key !== "string" || !lengths.includes(key.length))
1208
- throw new Error("Invalid key");
1285
+ throw new Error("invalid private key");
1209
1286
  key = key.padStart(nByteLength * 2, "0");
1210
1287
  }
1211
1288
  let num2;
1212
1289
  try {
1213
1290
  num2 = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
1214
1291
  } catch (error) {
1215
- throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
1292
+ throw new Error("invalid private key, expected hex or " + nByteLength + " bytes, got " + typeof key);
1216
1293
  }
1217
1294
  if (wrapPrivateKey)
1218
1295
  num2 = mod(num2, N);
@@ -1225,32 +1302,32 @@ function weierstrassPoints(opts) {
1225
1302
  }
1226
1303
  const toAffineMemo = memoized((p, iz) => {
1227
1304
  const { px: x, py: y, pz: z } = p;
1228
- if (Fp2.eql(z, Fp2.ONE))
1305
+ if (Fp.eql(z, Fp.ONE))
1229
1306
  return { x, y };
1230
1307
  const is0 = p.is0();
1231
1308
  if (iz == null)
1232
- iz = is0 ? Fp2.ONE : Fp2.inv(z);
1233
- const ax = Fp2.mul(x, iz);
1234
- const ay = Fp2.mul(y, iz);
1235
- const zz = Fp2.mul(z, iz);
1309
+ iz = is0 ? Fp.ONE : Fp.inv(z);
1310
+ const ax = Fp.mul(x, iz);
1311
+ const ay = Fp.mul(y, iz);
1312
+ const zz = Fp.mul(z, iz);
1236
1313
  if (is0)
1237
- return { x: Fp2.ZERO, y: Fp2.ZERO };
1238
- if (!Fp2.eql(zz, Fp2.ONE))
1314
+ return { x: Fp.ZERO, y: Fp.ZERO };
1315
+ if (!Fp.eql(zz, Fp.ONE))
1239
1316
  throw new Error("invZ was invalid");
1240
1317
  return { x: ax, y: ay };
1241
1318
  });
1242
1319
  const assertValidMemo = memoized((p) => {
1243
1320
  if (p.is0()) {
1244
- if (CURVE.allowInfinityPoint && !Fp2.is0(p.py))
1321
+ if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
1245
1322
  return;
1246
1323
  throw new Error("bad point: ZERO");
1247
1324
  }
1248
1325
  const { x, y } = p.toAffine();
1249
- if (!Fp2.isValid(x) || !Fp2.isValid(y))
1326
+ if (!Fp.isValid(x) || !Fp.isValid(y))
1250
1327
  throw new Error("bad point: x or y not FE");
1251
- const left = Fp2.sqr(y);
1328
+ const left = Fp.sqr(y);
1252
1329
  const right = weierstrassEquation(x);
1253
- if (!Fp2.eql(left, right))
1330
+ if (!Fp.eql(left, right))
1254
1331
  throw new Error("bad point: equation left != right");
1255
1332
  if (!p.isTorsionFree())
1256
1333
  throw new Error("bad point: not in prime-order subgroup");
@@ -1261,11 +1338,11 @@ function weierstrassPoints(opts) {
1261
1338
  this.px = px;
1262
1339
  this.py = py;
1263
1340
  this.pz = pz;
1264
- if (px == null || !Fp2.isValid(px))
1341
+ if (px == null || !Fp.isValid(px))
1265
1342
  throw new Error("x required");
1266
- if (py == null || !Fp2.isValid(py))
1343
+ if (py == null || !Fp.isValid(py))
1267
1344
  throw new Error("y required");
1268
- if (pz == null || !Fp2.isValid(pz))
1345
+ if (pz == null || !Fp.isValid(pz))
1269
1346
  throw new Error("z required");
1270
1347
  Object.freeze(this);
1271
1348
  }
@@ -1273,14 +1350,14 @@ function weierstrassPoints(opts) {
1273
1350
  // Use fromHex instead, or call assertValidity() later.
1274
1351
  static fromAffine(p) {
1275
1352
  const { x, y } = p || {};
1276
- if (!p || !Fp2.isValid(x) || !Fp2.isValid(y))
1353
+ if (!p || !Fp.isValid(x) || !Fp.isValid(y))
1277
1354
  throw new Error("invalid affine point");
1278
1355
  if (p instanceof Point2)
1279
1356
  throw new Error("projective point not allowed");
1280
- const is0 = (i) => Fp2.eql(i, Fp2.ZERO);
1357
+ const is0 = (i) => Fp.eql(i, Fp.ZERO);
1281
1358
  if (is0(x) && is0(y))
1282
1359
  return Point2.ZERO;
1283
- return new Point2(x, y, Fp2.ONE);
1360
+ return new Point2(x, y, Fp.ONE);
1284
1361
  }
1285
1362
  get x() {
1286
1363
  return this.toAffine().x;
@@ -1295,7 +1372,7 @@ function weierstrassPoints(opts) {
1295
1372
  * Optimization: converts a list of projective points to a list of identical points with Z=1.
1296
1373
  */
1297
1374
  static normalizeZ(points) {
1298
- const toInv = Fp2.invertBatch(points.map((p) => p.pz));
1375
+ const toInv = Fp.invertBatch(points.map((p) => p.pz));
1299
1376
  return points.map((p, i) => p.toAffine(toInv[i])).map(Point2.fromAffine);
1300
1377
  }
1301
1378
  /**
@@ -1325,8 +1402,8 @@ function weierstrassPoints(opts) {
1325
1402
  }
1326
1403
  hasEvenY() {
1327
1404
  const { y } = this.toAffine();
1328
- if (Fp2.isOdd)
1329
- return !Fp2.isOdd(y);
1405
+ if (Fp.isOdd)
1406
+ return !Fp.isOdd(y);
1330
1407
  throw new Error("Field doesn't support isOdd");
1331
1408
  }
1332
1409
  /**
@@ -1336,15 +1413,15 @@ function weierstrassPoints(opts) {
1336
1413
  assertPrjPoint(other);
1337
1414
  const { px: X1, py: Y1, pz: Z1 } = this;
1338
1415
  const { px: X2, py: Y2, pz: Z2 } = other;
1339
- const U1 = Fp2.eql(Fp2.mul(X1, Z2), Fp2.mul(X2, Z1));
1340
- const U2 = Fp2.eql(Fp2.mul(Y1, Z2), Fp2.mul(Y2, Z1));
1416
+ const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
1417
+ const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
1341
1418
  return U1 && U2;
1342
1419
  }
1343
1420
  /**
1344
1421
  * Flips point to one corresponding to (x, -y) in Affine coordinates.
1345
1422
  */
1346
1423
  negate() {
1347
- return new Point2(this.px, Fp2.neg(this.py), this.pz);
1424
+ return new Point2(this.px, Fp.neg(this.py), this.pz);
1348
1425
  }
1349
1426
  // Renes-Costello-Batina exception-free doubling formula.
1350
1427
  // There is 30% faster Jacobian formula, but it is not complete.
@@ -1352,40 +1429,40 @@ function weierstrassPoints(opts) {
1352
1429
  // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
1353
1430
  double() {
1354
1431
  const { a, b } = CURVE;
1355
- const b3 = Fp2.mul(b, _3n2);
1432
+ const b3 = Fp.mul(b, _3n2);
1356
1433
  const { px: X1, py: Y1, pz: Z1 } = this;
1357
- let X3 = Fp2.ZERO, Y3 = Fp2.ZERO, Z3 = Fp2.ZERO;
1358
- let t0 = Fp2.mul(X1, X1);
1359
- let t1 = Fp2.mul(Y1, Y1);
1360
- let t2 = Fp2.mul(Z1, Z1);
1361
- let t3 = Fp2.mul(X1, Y1);
1362
- t3 = Fp2.add(t3, t3);
1363
- Z3 = Fp2.mul(X1, Z1);
1364
- Z3 = Fp2.add(Z3, Z3);
1365
- X3 = Fp2.mul(a, Z3);
1366
- Y3 = Fp2.mul(b3, t2);
1367
- Y3 = Fp2.add(X3, Y3);
1368
- X3 = Fp2.sub(t1, Y3);
1369
- Y3 = Fp2.add(t1, Y3);
1370
- Y3 = Fp2.mul(X3, Y3);
1371
- X3 = Fp2.mul(t3, X3);
1372
- Z3 = Fp2.mul(b3, Z3);
1373
- t2 = Fp2.mul(a, t2);
1374
- t3 = Fp2.sub(t0, t2);
1375
- t3 = Fp2.mul(a, t3);
1376
- t3 = Fp2.add(t3, Z3);
1377
- Z3 = Fp2.add(t0, t0);
1378
- t0 = Fp2.add(Z3, t0);
1379
- t0 = Fp2.add(t0, t2);
1380
- t0 = Fp2.mul(t0, t3);
1381
- Y3 = Fp2.add(Y3, t0);
1382
- t2 = Fp2.mul(Y1, Z1);
1383
- t2 = Fp2.add(t2, t2);
1384
- t0 = Fp2.mul(t2, t3);
1385
- X3 = Fp2.sub(X3, t0);
1386
- Z3 = Fp2.mul(t2, t1);
1387
- Z3 = Fp2.add(Z3, Z3);
1388
- Z3 = Fp2.add(Z3, Z3);
1434
+ let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1435
+ let t0 = Fp.mul(X1, X1);
1436
+ let t1 = Fp.mul(Y1, Y1);
1437
+ let t2 = Fp.mul(Z1, Z1);
1438
+ let t3 = Fp.mul(X1, Y1);
1439
+ t3 = Fp.add(t3, t3);
1440
+ Z3 = Fp.mul(X1, Z1);
1441
+ Z3 = Fp.add(Z3, Z3);
1442
+ X3 = Fp.mul(a, Z3);
1443
+ Y3 = Fp.mul(b3, t2);
1444
+ Y3 = Fp.add(X3, Y3);
1445
+ X3 = Fp.sub(t1, Y3);
1446
+ Y3 = Fp.add(t1, Y3);
1447
+ Y3 = Fp.mul(X3, Y3);
1448
+ X3 = Fp.mul(t3, X3);
1449
+ Z3 = Fp.mul(b3, Z3);
1450
+ t2 = Fp.mul(a, t2);
1451
+ t3 = Fp.sub(t0, t2);
1452
+ t3 = Fp.mul(a, t3);
1453
+ t3 = Fp.add(t3, Z3);
1454
+ Z3 = Fp.add(t0, t0);
1455
+ t0 = Fp.add(Z3, t0);
1456
+ t0 = Fp.add(t0, t2);
1457
+ t0 = Fp.mul(t0, t3);
1458
+ Y3 = Fp.add(Y3, t0);
1459
+ t2 = Fp.mul(Y1, Z1);
1460
+ t2 = Fp.add(t2, t2);
1461
+ t0 = Fp.mul(t2, t3);
1462
+ X3 = Fp.sub(X3, t0);
1463
+ Z3 = Fp.mul(t2, t1);
1464
+ Z3 = Fp.add(Z3, Z3);
1465
+ Z3 = Fp.add(Z3, Z3);
1389
1466
  return new Point2(X3, Y3, Z3);
1390
1467
  }
1391
1468
  // Renes-Costello-Batina exception-free addition formula.
@@ -1396,49 +1473,49 @@ function weierstrassPoints(opts) {
1396
1473
  assertPrjPoint(other);
1397
1474
  const { px: X1, py: Y1, pz: Z1 } = this;
1398
1475
  const { px: X2, py: Y2, pz: Z2 } = other;
1399
- let X3 = Fp2.ZERO, Y3 = Fp2.ZERO, Z3 = Fp2.ZERO;
1476
+ let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1400
1477
  const a = CURVE.a;
1401
- const b3 = Fp2.mul(CURVE.b, _3n2);
1402
- let t0 = Fp2.mul(X1, X2);
1403
- let t1 = Fp2.mul(Y1, Y2);
1404
- let t2 = Fp2.mul(Z1, Z2);
1405
- let t3 = Fp2.add(X1, Y1);
1406
- let t4 = Fp2.add(X2, Y2);
1407
- t3 = Fp2.mul(t3, t4);
1408
- t4 = Fp2.add(t0, t1);
1409
- t3 = Fp2.sub(t3, t4);
1410
- t4 = Fp2.add(X1, Z1);
1411
- let t5 = Fp2.add(X2, Z2);
1412
- t4 = Fp2.mul(t4, t5);
1413
- t5 = Fp2.add(t0, t2);
1414
- t4 = Fp2.sub(t4, t5);
1415
- t5 = Fp2.add(Y1, Z1);
1416
- X3 = Fp2.add(Y2, Z2);
1417
- t5 = Fp2.mul(t5, X3);
1418
- X3 = Fp2.add(t1, t2);
1419
- t5 = Fp2.sub(t5, X3);
1420
- Z3 = Fp2.mul(a, t4);
1421
- X3 = Fp2.mul(b3, t2);
1422
- Z3 = Fp2.add(X3, Z3);
1423
- X3 = Fp2.sub(t1, Z3);
1424
- Z3 = Fp2.add(t1, Z3);
1425
- Y3 = Fp2.mul(X3, Z3);
1426
- t1 = Fp2.add(t0, t0);
1427
- t1 = Fp2.add(t1, t0);
1428
- t2 = Fp2.mul(a, t2);
1429
- t4 = Fp2.mul(b3, t4);
1430
- t1 = Fp2.add(t1, t2);
1431
- t2 = Fp2.sub(t0, t2);
1432
- t2 = Fp2.mul(a, t2);
1433
- t4 = Fp2.add(t4, t2);
1434
- t0 = Fp2.mul(t1, t4);
1435
- Y3 = Fp2.add(Y3, t0);
1436
- t0 = Fp2.mul(t5, t4);
1437
- X3 = Fp2.mul(t3, X3);
1438
- X3 = Fp2.sub(X3, t0);
1439
- t0 = Fp2.mul(t3, t1);
1440
- Z3 = Fp2.mul(t5, Z3);
1441
- Z3 = Fp2.add(Z3, t0);
1478
+ const b3 = Fp.mul(CURVE.b, _3n2);
1479
+ let t0 = Fp.mul(X1, X2);
1480
+ let t1 = Fp.mul(Y1, Y2);
1481
+ let t2 = Fp.mul(Z1, Z2);
1482
+ let t3 = Fp.add(X1, Y1);
1483
+ let t4 = Fp.add(X2, Y2);
1484
+ t3 = Fp.mul(t3, t4);
1485
+ t4 = Fp.add(t0, t1);
1486
+ t3 = Fp.sub(t3, t4);
1487
+ t4 = Fp.add(X1, Z1);
1488
+ let t5 = Fp.add(X2, Z2);
1489
+ t4 = Fp.mul(t4, t5);
1490
+ t5 = Fp.add(t0, t2);
1491
+ t4 = Fp.sub(t4, t5);
1492
+ t5 = Fp.add(Y1, Z1);
1493
+ X3 = Fp.add(Y2, Z2);
1494
+ t5 = Fp.mul(t5, X3);
1495
+ X3 = Fp.add(t1, t2);
1496
+ t5 = Fp.sub(t5, X3);
1497
+ Z3 = Fp.mul(a, t4);
1498
+ X3 = Fp.mul(b3, t2);
1499
+ Z3 = Fp.add(X3, Z3);
1500
+ X3 = Fp.sub(t1, Z3);
1501
+ Z3 = Fp.add(t1, Z3);
1502
+ Y3 = Fp.mul(X3, Z3);
1503
+ t1 = Fp.add(t0, t0);
1504
+ t1 = Fp.add(t1, t0);
1505
+ t2 = Fp.mul(a, t2);
1506
+ t4 = Fp.mul(b3, t4);
1507
+ t1 = Fp.add(t1, t2);
1508
+ t2 = Fp.sub(t0, t2);
1509
+ t2 = Fp.mul(a, t2);
1510
+ t4 = Fp.add(t4, t2);
1511
+ t0 = Fp.mul(t1, t4);
1512
+ Y3 = Fp.add(Y3, t0);
1513
+ t0 = Fp.mul(t5, t4);
1514
+ X3 = Fp.mul(t3, X3);
1515
+ X3 = Fp.sub(X3, t0);
1516
+ t0 = Fp.mul(t3, t1);
1517
+ Z3 = Fp.mul(t5, Z3);
1518
+ Z3 = Fp.add(Z3, t0);
1442
1519
  return new Point2(X3, Y3, Z3);
1443
1520
  }
1444
1521
  subtract(other) {
@@ -1456,15 +1533,15 @@ function weierstrassPoints(opts) {
1456
1533
  * an exposed private key e.g. sig verification, which works over *public* keys.
1457
1534
  */
1458
1535
  multiplyUnsafe(sc) {
1459
- aInRange("scalar", sc, _0n4, CURVE.n);
1536
+ const { endo, n: N } = CURVE;
1537
+ aInRange("scalar", sc, _0n4, N);
1460
1538
  const I = Point2.ZERO;
1461
1539
  if (sc === _0n4)
1462
1540
  return I;
1463
- if (sc === _1n4)
1541
+ if (this.is0() || sc === _1n4)
1464
1542
  return this;
1465
- const { endo } = CURVE;
1466
- if (!endo)
1467
- return wnaf.unsafeLadder(this, sc);
1543
+ if (!endo || wnaf.hasPrecomputes(this))
1544
+ return wnaf.wNAFCachedUnsafe(this, sc, Point2.normalizeZ);
1468
1545
  let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
1469
1546
  let k1p = I;
1470
1547
  let k2p = I;
@@ -1482,7 +1559,7 @@ function weierstrassPoints(opts) {
1482
1559
  k1p = k1p.negate();
1483
1560
  if (k2neg)
1484
1561
  k2p = k2p.negate();
1485
- k2p = new Point2(Fp2.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1562
+ k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1486
1563
  return k1p.add(k2p);
1487
1564
  }
1488
1565
  /**
@@ -1504,7 +1581,7 @@ function weierstrassPoints(opts) {
1504
1581
  let { p: k2p, f: f2p } = this.wNAF(k2);
1505
1582
  k1p = wnaf.constTimeNegate(k1neg, k1p);
1506
1583
  k2p = wnaf.constTimeNegate(k2neg, k2p);
1507
- k2p = new Point2(Fp2.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1584
+ k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1508
1585
  point = k1p.add(k2p);
1509
1586
  fake = f1p.add(f2p);
1510
1587
  } else {
@@ -1558,8 +1635,8 @@ function weierstrassPoints(opts) {
1558
1635
  return bytesToHex(this.toRawBytes(isCompressed));
1559
1636
  }
1560
1637
  }
1561
- Point2.BASE = new Point2(CURVE.Gx, CURVE.Gy, Fp2.ONE);
1562
- Point2.ZERO = new Point2(Fp2.ZERO, Fp2.ONE, Fp2.ZERO);
1638
+ Point2.BASE = new Point2(CURVE.Gx, CURVE.Gy, Fp.ONE);
1639
+ Point2.ZERO = new Point2(Fp.ZERO, Fp.ONE, Fp.ZERO);
1563
1640
  const _bits = CURVE.nBitLength;
1564
1641
  const wnaf = wNAF(Point2, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
1565
1642
  return {
@@ -1585,9 +1662,9 @@ function validateOpts(curve) {
1585
1662
  }
1586
1663
  function weierstrass(curveDef) {
1587
1664
  const CURVE = validateOpts(curveDef);
1588
- const { Fp: Fp2, n: CURVE_ORDER } = CURVE;
1589
- const compressedLen = Fp2.BYTES + 1;
1590
- const uncompressedLen = 2 * Fp2.BYTES + 1;
1665
+ const { Fp, n: CURVE_ORDER } = CURVE;
1666
+ const compressedLen = Fp.BYTES + 1;
1667
+ const uncompressedLen = 2 * Fp.BYTES + 1;
1591
1668
  function modN2(a) {
1592
1669
  return mod(a, CURVE_ORDER);
1593
1670
  }
@@ -1598,27 +1675,27 @@ function weierstrass(curveDef) {
1598
1675
  ...CURVE,
1599
1676
  toBytes(_c, point, isCompressed) {
1600
1677
  const a = point.toAffine();
1601
- const x = Fp2.toBytes(a.x);
1678
+ const x = Fp.toBytes(a.x);
1602
1679
  const cat = concatBytes2;
1603
1680
  abool("isCompressed", isCompressed);
1604
1681
  if (isCompressed) {
1605
1682
  return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
1606
1683
  } else {
1607
- return cat(Uint8Array.from([4]), x, Fp2.toBytes(a.y));
1684
+ return cat(Uint8Array.from([4]), x, Fp.toBytes(a.y));
1608
1685
  }
1609
1686
  },
1610
- fromBytes(bytes2) {
1611
- const len = bytes2.length;
1612
- const head = bytes2[0];
1613
- const tail = bytes2.subarray(1);
1687
+ fromBytes(bytes) {
1688
+ const len = bytes.length;
1689
+ const head = bytes[0];
1690
+ const tail = bytes.subarray(1);
1614
1691
  if (len === compressedLen && (head === 2 || head === 3)) {
1615
1692
  const x = bytesToNumberBE(tail);
1616
- if (!inRange(x, _1n4, Fp2.ORDER))
1693
+ if (!inRange(x, _1n4, Fp.ORDER))
1617
1694
  throw new Error("Point is not on curve");
1618
1695
  const y2 = weierstrassEquation(x);
1619
1696
  let y;
1620
1697
  try {
1621
- y = Fp2.sqrt(y2);
1698
+ y = Fp.sqrt(y2);
1622
1699
  } catch (sqrtError) {
1623
1700
  const suffix = sqrtError instanceof Error ? ": " + sqrtError.message : "";
1624
1701
  throw new Error("Point is not on curve" + suffix);
@@ -1626,14 +1703,16 @@ function weierstrass(curveDef) {
1626
1703
  const isYOdd = (y & _1n4) === _1n4;
1627
1704
  const isHeadOdd = (head & 1) === 1;
1628
1705
  if (isHeadOdd !== isYOdd)
1629
- y = Fp2.neg(y);
1706
+ y = Fp.neg(y);
1630
1707
  return { x, y };
1631
1708
  } else if (len === uncompressedLen && head === 4) {
1632
- const x = Fp2.fromBytes(tail.subarray(0, Fp2.BYTES));
1633
- const y = Fp2.fromBytes(tail.subarray(Fp2.BYTES, 2 * Fp2.BYTES));
1709
+ const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
1710
+ const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
1634
1711
  return { x, y };
1635
1712
  } else {
1636
- throw new Error(`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`);
1713
+ const cl = compressedLen;
1714
+ const ul = uncompressedLen;
1715
+ throw new Error("invalid Point, expected length of " + cl + ", or uncompressed " + ul + ", got " + len);
1637
1716
  }
1638
1717
  }
1639
1718
  });
@@ -1678,7 +1757,7 @@ function weierstrass(curveDef) {
1678
1757
  if (rec == null || ![0, 1, 2, 3].includes(rec))
1679
1758
  throw new Error("recovery id invalid");
1680
1759
  const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
1681
- if (radj >= Fp2.ORDER)
1760
+ if (radj >= Fp.ORDER)
1682
1761
  throw new Error("recovery id 2 or 3 invalid");
1683
1762
  const prefix = (rec & 1) === 0 ? "02" : "03";
1684
1763
  const R = Point2.fromHex(prefix + numToNByteStr(radj));
@@ -1768,35 +1847,37 @@ function weierstrass(curveDef) {
1768
1847
  const b = Point2.fromHex(publicB);
1769
1848
  return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
1770
1849
  }
1771
- const bits2int = CURVE.bits2int || function(bytes2) {
1772
- const num2 = bytesToNumberBE(bytes2);
1773
- const delta = bytes2.length * 8 - CURVE.nBitLength;
1850
+ const bits2int = CURVE.bits2int || function(bytes) {
1851
+ if (bytes.length > 8192)
1852
+ throw new Error("input is too large");
1853
+ const num2 = bytesToNumberBE(bytes);
1854
+ const delta = bytes.length * 8 - CURVE.nBitLength;
1774
1855
  return delta > 0 ? num2 >> BigInt(delta) : num2;
1775
1856
  };
1776
- const bits2int_modN = CURVE.bits2int_modN || function(bytes2) {
1777
- return modN2(bits2int(bytes2));
1857
+ const bits2int_modN = CURVE.bits2int_modN || function(bytes) {
1858
+ return modN2(bits2int(bytes));
1778
1859
  };
1779
1860
  const ORDER_MASK = bitMask(CURVE.nBitLength);
1780
1861
  function int2octets(num2) {
1781
- aInRange(`num < 2^${CURVE.nBitLength}`, num2, _0n4, ORDER_MASK);
1862
+ aInRange("num < 2^" + CURVE.nBitLength, num2, _0n4, ORDER_MASK);
1782
1863
  return numberToBytesBE(num2, CURVE.nByteLength);
1783
1864
  }
1784
1865
  function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
1785
1866
  if (["recovered", "canonical"].some((k) => k in opts))
1786
1867
  throw new Error("sign() legacy options not supported");
1787
- const { hash: hash2, randomBytes: randomBytes2 } = CURVE;
1868
+ const { hash, randomBytes: randomBytes2 } = CURVE;
1788
1869
  let { lowS, prehash, extraEntropy: ent } = opts;
1789
1870
  if (lowS == null)
1790
1871
  lowS = true;
1791
1872
  msgHash = ensureBytes("msgHash", msgHash);
1792
1873
  validateSigVerOpts(opts);
1793
1874
  if (prehash)
1794
- msgHash = ensureBytes("prehashed msgHash", hash2(msgHash));
1875
+ msgHash = ensureBytes("prehashed msgHash", hash(msgHash));
1795
1876
  const h1int = bits2int_modN(msgHash);
1796
1877
  const d = normPrivateKeyToScalar(privateKey);
1797
1878
  const seedArgs = [int2octets(d), int2octets(h1int)];
1798
1879
  if (ent != null && ent !== false) {
1799
- const e = ent === true ? randomBytes2(Fp2.BYTES) : ent;
1880
+ const e = ent === true ? randomBytes2(Fp.BYTES) : ent;
1800
1881
  seedArgs.push(ensureBytes("extraEntropy", e));
1801
1882
  }
1802
1883
  const seed = concatBytes2(...seedArgs);
@@ -1836,33 +1917,38 @@ function weierstrass(curveDef) {
1836
1917
  const sg = signature;
1837
1918
  msgHash = ensureBytes("msgHash", msgHash);
1838
1919
  publicKey = ensureBytes("publicKey", publicKey);
1920
+ const { lowS, prehash, format } = opts;
1921
+ validateSigVerOpts(opts);
1839
1922
  if ("strict" in opts)
1840
1923
  throw new Error("options.strict was renamed to lowS");
1841
- validateSigVerOpts(opts);
1842
- const { lowS, prehash } = opts;
1924
+ if (format !== void 0 && format !== "compact" && format !== "der")
1925
+ throw new Error("format must be compact or der");
1926
+ const isHex = typeof sg === "string" || isBytes(sg);
1927
+ const isObj = !isHex && !format && typeof sg === "object" && sg !== null && typeof sg.r === "bigint" && typeof sg.s === "bigint";
1928
+ if (!isHex && !isObj)
1929
+ throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
1843
1930
  let _sig = void 0;
1844
1931
  let P;
1845
1932
  try {
1846
- if (typeof sg === "string" || isBytes(sg)) {
1933
+ if (isObj)
1934
+ _sig = new Signature(sg.r, sg.s);
1935
+ if (isHex) {
1847
1936
  try {
1848
- _sig = Signature.fromDER(sg);
1937
+ if (format !== "compact")
1938
+ _sig = Signature.fromDER(sg);
1849
1939
  } catch (derError) {
1850
1940
  if (!(derError instanceof DER.Err))
1851
1941
  throw derError;
1852
- _sig = Signature.fromCompact(sg);
1853
1942
  }
1854
- } else if (typeof sg === "object" && typeof sg.r === "bigint" && typeof sg.s === "bigint") {
1855
- const { r: r2, s: s2 } = sg;
1856
- _sig = new Signature(r2, s2);
1857
- } else {
1858
- throw new Error("PARSE");
1943
+ if (!_sig && format !== "der")
1944
+ _sig = Signature.fromCompact(sg);
1859
1945
  }
1860
1946
  P = Point2.fromHex(publicKey);
1861
1947
  } catch (error) {
1862
- if (error.message === "PARSE")
1863
- throw new Error(`signature must be Signature instance, Uint8Array or hex string`);
1864
1948
  return false;
1865
1949
  }
1950
+ if (!_sig)
1951
+ return false;
1866
1952
  if (lowS && _sig.hasHighS())
1867
1953
  return false;
1868
1954
  if (prehash)
@@ -1889,8 +1975,8 @@ function weierstrass(curveDef) {
1889
1975
  utils
1890
1976
  };
1891
1977
  }
1892
- function SWUFpSqrtRatio(Fp2, Z) {
1893
- const q = Fp2.ORDER;
1978
+ function SWUFpSqrtRatio(Fp, Z) {
1979
+ const q = Fp.ORDER;
1894
1980
  let l = _0n4;
1895
1981
  for (let o = q - _1n4; o % _2n3 === _0n4; o /= _2n3)
1896
1982
  l += _1n4;
@@ -1901,115 +1987,114 @@ function SWUFpSqrtRatio(Fp2, Z) {
1901
1987
  const c3 = (c2 - _1n4) / _2n3;
1902
1988
  const c4 = _2n_pow_c1 - _1n4;
1903
1989
  const c5 = _2n_pow_c1_1;
1904
- const c6 = Fp2.pow(Z, c2);
1905
- const c7 = Fp2.pow(Z, (c2 + _1n4) / _2n3);
1990
+ const c6 = Fp.pow(Z, c2);
1991
+ const c7 = Fp.pow(Z, (c2 + _1n4) / _2n3);
1906
1992
  let sqrtRatio = (u, v) => {
1907
1993
  let tv1 = c6;
1908
- let tv2 = Fp2.pow(v, c4);
1909
- let tv3 = Fp2.sqr(tv2);
1910
- tv3 = Fp2.mul(tv3, v);
1911
- let tv5 = Fp2.mul(u, tv3);
1912
- tv5 = Fp2.pow(tv5, c3);
1913
- tv5 = Fp2.mul(tv5, tv2);
1914
- tv2 = Fp2.mul(tv5, v);
1915
- tv3 = Fp2.mul(tv5, u);
1916
- let tv4 = Fp2.mul(tv3, tv2);
1917
- tv5 = Fp2.pow(tv4, c5);
1918
- let isQR = Fp2.eql(tv5, Fp2.ONE);
1919
- tv2 = Fp2.mul(tv3, c7);
1920
- tv5 = Fp2.mul(tv4, tv1);
1921
- tv3 = Fp2.cmov(tv2, tv3, isQR);
1922
- tv4 = Fp2.cmov(tv5, tv4, isQR);
1994
+ let tv2 = Fp.pow(v, c4);
1995
+ let tv3 = Fp.sqr(tv2);
1996
+ tv3 = Fp.mul(tv3, v);
1997
+ let tv5 = Fp.mul(u, tv3);
1998
+ tv5 = Fp.pow(tv5, c3);
1999
+ tv5 = Fp.mul(tv5, tv2);
2000
+ tv2 = Fp.mul(tv5, v);
2001
+ tv3 = Fp.mul(tv5, u);
2002
+ let tv4 = Fp.mul(tv3, tv2);
2003
+ tv5 = Fp.pow(tv4, c5);
2004
+ let isQR = Fp.eql(tv5, Fp.ONE);
2005
+ tv2 = Fp.mul(tv3, c7);
2006
+ tv5 = Fp.mul(tv4, tv1);
2007
+ tv3 = Fp.cmov(tv2, tv3, isQR);
2008
+ tv4 = Fp.cmov(tv5, tv4, isQR);
1923
2009
  for (let i = c1; i > _1n4; i--) {
1924
2010
  let tv52 = i - _2n3;
1925
2011
  tv52 = _2n3 << tv52 - _1n4;
1926
- let tvv5 = Fp2.pow(tv4, tv52);
1927
- const e1 = Fp2.eql(tvv5, Fp2.ONE);
1928
- tv2 = Fp2.mul(tv3, tv1);
1929
- tv1 = Fp2.mul(tv1, tv1);
1930
- tvv5 = Fp2.mul(tv4, tv1);
1931
- tv3 = Fp2.cmov(tv2, tv3, e1);
1932
- tv4 = Fp2.cmov(tvv5, tv4, e1);
2012
+ let tvv5 = Fp.pow(tv4, tv52);
2013
+ const e1 = Fp.eql(tvv5, Fp.ONE);
2014
+ tv2 = Fp.mul(tv3, tv1);
2015
+ tv1 = Fp.mul(tv1, tv1);
2016
+ tvv5 = Fp.mul(tv4, tv1);
2017
+ tv3 = Fp.cmov(tv2, tv3, e1);
2018
+ tv4 = Fp.cmov(tvv5, tv4, e1);
1933
2019
  }
1934
2020
  return { isValid: isQR, value: tv3 };
1935
2021
  };
1936
- if (Fp2.ORDER % _4n2 === _3n2) {
1937
- const c12 = (Fp2.ORDER - _3n2) / _4n2;
1938
- const c22 = Fp2.sqrt(Fp2.neg(Z));
2022
+ if (Fp.ORDER % _4n2 === _3n2) {
2023
+ const c12 = (Fp.ORDER - _3n2) / _4n2;
2024
+ const c22 = Fp.sqrt(Fp.neg(Z));
1939
2025
  sqrtRatio = (u, v) => {
1940
- let tv1 = Fp2.sqr(v);
1941
- const tv2 = Fp2.mul(u, v);
1942
- tv1 = Fp2.mul(tv1, tv2);
1943
- let y1 = Fp2.pow(tv1, c12);
1944
- y1 = Fp2.mul(y1, tv2);
1945
- const y2 = Fp2.mul(y1, c22);
1946
- const tv3 = Fp2.mul(Fp2.sqr(y1), v);
1947
- const isQR = Fp2.eql(tv3, u);
1948
- let y = Fp2.cmov(y2, y1, isQR);
2026
+ let tv1 = Fp.sqr(v);
2027
+ const tv2 = Fp.mul(u, v);
2028
+ tv1 = Fp.mul(tv1, tv2);
2029
+ let y1 = Fp.pow(tv1, c12);
2030
+ y1 = Fp.mul(y1, tv2);
2031
+ const y2 = Fp.mul(y1, c22);
2032
+ const tv3 = Fp.mul(Fp.sqr(y1), v);
2033
+ const isQR = Fp.eql(tv3, u);
2034
+ let y = Fp.cmov(y2, y1, isQR);
1949
2035
  return { isValid: isQR, value: y };
1950
2036
  };
1951
2037
  }
1952
2038
  return sqrtRatio;
1953
2039
  }
1954
- function mapToCurveSimpleSWU(Fp2, opts) {
1955
- validateField(Fp2);
1956
- if (!Fp2.isValid(opts.A) || !Fp2.isValid(opts.B) || !Fp2.isValid(opts.Z))
2040
+ function mapToCurveSimpleSWU(Fp, opts) {
2041
+ validateField(Fp);
2042
+ if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
1957
2043
  throw new Error("mapToCurveSimpleSWU: invalid opts");
1958
- const sqrtRatio = SWUFpSqrtRatio(Fp2, opts.Z);
1959
- if (!Fp2.isOdd)
2044
+ const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);
2045
+ if (!Fp.isOdd)
1960
2046
  throw new Error("Fp.isOdd is not implemented!");
1961
2047
  return (u) => {
1962
2048
  let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
1963
- tv1 = Fp2.sqr(u);
1964
- tv1 = Fp2.mul(tv1, opts.Z);
1965
- tv2 = Fp2.sqr(tv1);
1966
- tv2 = Fp2.add(tv2, tv1);
1967
- tv3 = Fp2.add(tv2, Fp2.ONE);
1968
- tv3 = Fp2.mul(tv3, opts.B);
1969
- tv4 = Fp2.cmov(opts.Z, Fp2.neg(tv2), !Fp2.eql(tv2, Fp2.ZERO));
1970
- tv4 = Fp2.mul(tv4, opts.A);
1971
- tv2 = Fp2.sqr(tv3);
1972
- tv6 = Fp2.sqr(tv4);
1973
- tv5 = Fp2.mul(tv6, opts.A);
1974
- tv2 = Fp2.add(tv2, tv5);
1975
- tv2 = Fp2.mul(tv2, tv3);
1976
- tv6 = Fp2.mul(tv6, tv4);
1977
- tv5 = Fp2.mul(tv6, opts.B);
1978
- tv2 = Fp2.add(tv2, tv5);
1979
- x = Fp2.mul(tv1, tv3);
2049
+ tv1 = Fp.sqr(u);
2050
+ tv1 = Fp.mul(tv1, opts.Z);
2051
+ tv2 = Fp.sqr(tv1);
2052
+ tv2 = Fp.add(tv2, tv1);
2053
+ tv3 = Fp.add(tv2, Fp.ONE);
2054
+ tv3 = Fp.mul(tv3, opts.B);
2055
+ tv4 = Fp.cmov(opts.Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO));
2056
+ tv4 = Fp.mul(tv4, opts.A);
2057
+ tv2 = Fp.sqr(tv3);
2058
+ tv6 = Fp.sqr(tv4);
2059
+ tv5 = Fp.mul(tv6, opts.A);
2060
+ tv2 = Fp.add(tv2, tv5);
2061
+ tv2 = Fp.mul(tv2, tv3);
2062
+ tv6 = Fp.mul(tv6, tv4);
2063
+ tv5 = Fp.mul(tv6, opts.B);
2064
+ tv2 = Fp.add(tv2, tv5);
2065
+ x = Fp.mul(tv1, tv3);
1980
2066
  const { isValid, value } = sqrtRatio(tv2, tv6);
1981
- y = Fp2.mul(tv1, u);
1982
- y = Fp2.mul(y, value);
1983
- x = Fp2.cmov(x, tv3, isValid);
1984
- y = Fp2.cmov(y, value, isValid);
1985
- const e1 = Fp2.isOdd(u) === Fp2.isOdd(y);
1986
- y = Fp2.cmov(Fp2.neg(y), y, e1);
1987
- x = Fp2.div(x, tv4);
2067
+ y = Fp.mul(tv1, u);
2068
+ y = Fp.mul(y, value);
2069
+ x = Fp.cmov(x, tv3, isValid);
2070
+ y = Fp.cmov(y, value, isValid);
2071
+ const e1 = Fp.isOdd(u) === Fp.isOdd(y);
2072
+ y = Fp.cmov(Fp.neg(y), y, e1);
2073
+ x = Fp.div(x, tv4);
1988
2074
  return { x, y };
1989
2075
  };
1990
2076
  }
1991
2077
 
1992
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/_shortw_utils.js
1993
- function getHash(hash2) {
2078
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/_shortw_utils.js
2079
+ function getHash(hash) {
1994
2080
  return {
1995
- hash: hash2,
1996
- hmac: (key, ...msgs) => hmac(hash2, key, concatBytes(...msgs)),
2081
+ hash,
2082
+ hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
1997
2083
  randomBytes
1998
2084
  };
1999
2085
  }
2000
2086
  function createCurve(curveDef, defHash) {
2001
- const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
2002
- return Object.freeze({ ...create(defHash), create });
2087
+ const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
2088
+ return { ...create(defHash), create };
2003
2089
  }
2004
2090
 
2005
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
2091
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
2006
2092
  var os2ip = bytesToNumberBE;
2007
2093
  function i2osp(value, length) {
2008
2094
  anum(value);
2009
2095
  anum(length);
2010
- if (value < 0 || value >= 1 << 8 * length) {
2011
- throw new Error(`bad I2OSP call: value=${value} length=${length}`);
2012
- }
2096
+ if (value < 0 || value >= 1 << 8 * length)
2097
+ throw new Error("invalid I2OSP input: " + value);
2013
2098
  const res = Array.from({ length }).fill(0);
2014
2099
  for (let i = length - 1; i >= 0; i--) {
2015
2100
  res[i] = value & 255;
@@ -2029,8 +2114,8 @@ function anum(item) {
2029
2114
  throw new Error("number expected");
2030
2115
  }
2031
2116
  function expand_message_xmd(msg, DST, lenInBytes, H) {
2032
- abytes(msg);
2033
- abytes(DST);
2117
+ abytes2(msg);
2118
+ abytes2(DST);
2034
2119
  anum(lenInBytes);
2035
2120
  if (DST.length > 255)
2036
2121
  DST = H(concatBytes2(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
@@ -2052,8 +2137,8 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
2052
2137
  return pseudo_random_bytes.slice(0, lenInBytes);
2053
2138
  }
2054
2139
  function expand_message_xof(msg, DST, lenInBytes, k, H) {
2055
- abytes(msg);
2056
- abytes(DST);
2140
+ abytes2(msg);
2141
+ abytes2(DST);
2057
2142
  anum(lenInBytes);
2058
2143
  if (DST.length > 255) {
2059
2144
  const dkLen = Math.ceil(2 * k / 8);
@@ -2071,8 +2156,8 @@ function hash_to_field(msg, count, options) {
2071
2156
  k: "isSafeInteger",
2072
2157
  hash: "hash"
2073
2158
  });
2074
- const { p, k, m, hash: hash2, expand, DST: _DST } = options;
2075
- abytes(msg);
2159
+ const { p, k, m, hash, expand, DST: _DST } = options;
2160
+ abytes2(msg);
2076
2161
  anum(count);
2077
2162
  const DST = typeof _DST === "string" ? utf8ToBytes(_DST) : _DST;
2078
2163
  const log2p = p.toString(2).length;
@@ -2080,9 +2165,9 @@ function hash_to_field(msg, count, options) {
2080
2165
  const len_in_bytes = count * m * L;
2081
2166
  let prb;
2082
2167
  if (expand === "xmd") {
2083
- prb = expand_message_xmd(msg, DST, len_in_bytes, hash2);
2168
+ prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
2084
2169
  } else if (expand === "xof") {
2085
- prb = expand_message_xof(msg, DST, len_in_bytes, k, hash2);
2170
+ prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
2086
2171
  } else if (expand === "_internal_pass") {
2087
2172
  prb = msg;
2088
2173
  } else {
@@ -2137,7 +2222,7 @@ function createHasher(Point2, mapToCurve, def) {
2137
2222
  throw new Error("mapToCurve: expected array of bigints");
2138
2223
  for (const i of scalars)
2139
2224
  if (typeof i !== "bigint")
2140
- throw new Error(`mapToCurve: expected array of bigints, got ${i} in array`);
2225
+ throw new Error("mapToCurve: expected array of bigints");
2141
2226
  const P = Point2.fromAffine(mapToCurve(scalars)).clearCofactor();
2142
2227
  P.assertValidity();
2143
2228
  return P;
@@ -2145,7 +2230,7 @@ function createHasher(Point2, mapToCurve, def) {
2145
2230
  };
2146
2231
  }
2147
2232
 
2148
- // ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/secp256k1.js
2233
+ // ../../node_modules/.pnpm/@noble+curves@1.8.1/node_modules/@noble/curves/esm/secp256k1.js
2149
2234
  var secp256k1P = BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f");
2150
2235
  var secp256k1N = BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
2151
2236
  var _1n5 = BigInt(1);
@@ -2169,17 +2254,16 @@ function sqrtMod(y) {
2169
2254
  const t1 = pow2(b223, _23n, P) * b22 % P;
2170
2255
  const t2 = pow2(t1, _6n, P) * b2 % P;
2171
2256
  const root = pow2(t2, _2n4, P);
2172
- if (!Fp.eql(Fp.sqr(root), y))
2257
+ if (!Fpk1.eql(Fpk1.sqr(root), y))
2173
2258
  throw new Error("Cannot find square root");
2174
2259
  return root;
2175
2260
  }
2176
- var Fp = Field(secp256k1P, void 0, void 0, { sqrt: sqrtMod });
2261
+ var Fpk1 = Field(secp256k1P, void 0, void 0, { sqrt: sqrtMod });
2177
2262
  var secp256k1 = createCurve({
2178
2263
  a: BigInt(0),
2179
2264
  // equation params: a, b
2180
2265
  b: BigInt(7),
2181
- // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
2182
- Fp,
2266
+ Fp: Fpk1,
2183
2267
  // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
2184
2268
  n: secp256k1N,
2185
2269
  // Curve order, total count of valid points in the field
@@ -2190,13 +2274,8 @@ var secp256k1 = createCurve({
2190
2274
  // Cofactor
2191
2275
  lowS: true,
2192
2276
  // Allow only low-S signatures by default in sign() and verify()
2193
- /**
2194
- * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
2195
- * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
2196
- * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
2197
- * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
2198
- */
2199
2277
  endo: {
2278
+ // Endomorphism, see above
2200
2279
  beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
2201
2280
  splitScalar: (k) => {
2202
2281
  const n = secp256k1N;
@@ -2316,7 +2395,7 @@ var schnorr = /* @__PURE__ */ (() => ({
2316
2395
  mod
2317
2396
  }
2318
2397
  }))();
2319
- var isoMap = /* @__PURE__ */ (() => isogenyMap(Fp, [
2398
+ var isoMap = /* @__PURE__ */ (() => isogenyMap(Fpk1, [
2320
2399
  // xNum
2321
2400
  [
2322
2401
  "0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7",
@@ -2347,18 +2426,18 @@ var isoMap = /* @__PURE__ */ (() => isogenyMap(Fp, [
2347
2426
  // LAST 1
2348
2427
  ]
2349
2428
  ].map((i) => i.map((j) => BigInt(j)))))();
2350
- var mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fp, {
2429
+ var mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fpk1, {
2351
2430
  A: BigInt("0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533"),
2352
2431
  B: BigInt("1771"),
2353
- Z: Fp.create(BigInt("-11"))
2432
+ Z: Fpk1.create(BigInt("-11"))
2354
2433
  }))();
2355
2434
  var htf = /* @__PURE__ */ (() => createHasher(secp256k1.ProjectivePoint, (scalars) => {
2356
- const { x, y } = mapSWU(Fp.create(scalars[0]));
2435
+ const { x, y } = mapSWU(Fpk1.create(scalars[0]));
2357
2436
  return isoMap(x, y);
2358
2437
  }, {
2359
2438
  DST: "secp256k1_XMD:SHA-256_SSWU_RO_",
2360
2439
  encodeDST: "secp256k1_XMD:SHA-256_SSWU_NU_",
2361
- p: Fp.ORDER,
2440
+ p: Fpk1.ORDER,
2362
2441
  m: 1,
2363
2442
  k: 128,
2364
2443
  expand: "xmd",
@@ -2392,4 +2471,4 @@ export {
2392
2471
  @noble/curves/esm/secp256k1.js:
2393
2472
  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
2394
2473
  */
2395
- //# sourceMappingURL=secp256k1-XVT662DN.js.map
2474
+ //# sourceMappingURL=secp256k1-QT34R5PW.js.map