@latticexyz/world-module-erc20 2.2.23-c9a7e15b89f6e4486abcb46c3a75c213741816a4 → 2.2.23-cd0fa57c590233c5f099d6e469c46c6b51e2c46d

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (191) hide show
  1. package/dist/{_esm-4QBXERIC.js → _esm-GD2BESU2.js} +36 -34
  2. package/dist/{_esm-4QBXERIC.js.map → _esm-GD2BESU2.js.map} +1 -1
  3. package/dist/{ccip-POWS7KFG.js → ccip-YKKDCE4N.js} +3 -3
  4. package/dist/{chunk-Y6LDJZ7L.js → chunk-EPZFKNND.js} +36 -235
  5. package/dist/chunk-EPZFKNND.js.map +1 -0
  6. package/dist/{chunk-5LBWQX65.js → chunk-OBYRQQ4V.js} +168 -135
  7. package/dist/chunk-OBYRQQ4V.js.map +1 -0
  8. package/dist/internal.js +2 -2
  9. package/dist/{secp256k1-QCGY4Z6Q.js → secp256k1-ELJ5HZRX.js} +1302 -909
  10. package/dist/secp256k1-ELJ5HZRX.js.map +1 -0
  11. package/out/AccessControl.sol/AccessControl.json +1 -1
  12. package/out/AccessManagementSystem.sol/AccessManagementSystem.json +1 -1
  13. package/out/Allowances.sol/Allowances.json +1 -1
  14. package/out/BalanceTransferSystem.sol/BalanceTransferSystem.json +1 -1
  15. package/out/Balances.sol/Balances.json +1 -1
  16. package/out/Base.sol/CommonBase.json +1 -1
  17. package/out/Base.sol/ScriptBase.json +1 -1
  18. package/out/Base.sol/TestBase.json +1 -1
  19. package/out/BatchCallSystem.sol/BatchCallSystem.json +1 -1
  20. package/out/Bytes.sol/Bytes.json +1 -1
  21. package/out/Constants.sol/ERC20TableNames.json +1 -1
  22. package/out/Constants.sol/ModuleConstants.json +1 -1
  23. package/out/Constants.sol/PausableTableNames.json +1 -1
  24. package/out/DecodeSlice.sol/DecodeSlice.json +1 -1
  25. package/out/Delegation.sol/Delegation.json +1 -1
  26. package/out/ERC165Checker.sol/ERC165Checker.json +1 -1
  27. package/out/ERC20BaseTest.t.sol/ERC20BehaviorTest.abi.json +55 -5
  28. package/out/ERC20BaseTest.t.sol/ERC20BehaviorTest.abi.json.d.ts +55 -5
  29. package/out/ERC20BaseTest.t.sol/ERC20BehaviorTest.json +1 -1
  30. package/out/ERC20BaseTest.t.sol/ERC20Test.abi.json +55 -5
  31. package/out/ERC20BaseTest.t.sol/ERC20Test.abi.json.d.ts +55 -5
  32. package/out/ERC20BaseTest.t.sol/ERC20Test.json +1 -1
  33. package/out/ERC20BaseTest.t.sol/MockERC20Base.json +1 -1
  34. package/out/ERC20Burnable.sol/ERC20Burnable.json +1 -1
  35. package/out/ERC20Burnable.t.sol/ERC20BurnableTest.abi.json +55 -5
  36. package/out/ERC20Burnable.t.sol/ERC20BurnableTest.abi.json.d.ts +55 -5
  37. package/out/ERC20Burnable.t.sol/ERC20BurnableTest.json +1 -1
  38. package/out/ERC20Burnable.t.sol/MockERC20Burnable.json +1 -1
  39. package/out/ERC20Metadata.sol/ERC20Metadata.json +1 -1
  40. package/out/ERC20Module.sol/ERC20Module.json +1 -1
  41. package/out/ERC20Module.sol/ERC20ModuleLib.json +1 -1
  42. package/out/ERC20Module.t.sol/ERC20ModuleTest.abi.json +55 -5
  43. package/out/ERC20Module.t.sol/ERC20ModuleTest.abi.json.d.ts +55 -5
  44. package/out/ERC20Module.t.sol/ERC20ModuleTest.json +1 -1
  45. package/out/ERC20Module.t.sol/TestConstants.json +1 -1
  46. package/out/ERC20Pausable.sol/ERC20Pausable.json +1 -1
  47. package/out/ERC20Pausable.t.sol/ERC20PausableTest.abi.json +55 -5
  48. package/out/ERC20Pausable.t.sol/ERC20PausableTest.abi.json.d.ts +55 -5
  49. package/out/ERC20Pausable.t.sol/ERC20PausableTest.json +1 -1
  50. package/out/ERC20Pausable.t.sol/MockERC20Pausable.json +1 -1
  51. package/out/ERC20PausableBurnable.sol/ERC20PausableBurnable.json +1 -1
  52. package/out/ERC20Registry.sol/ERC20Registry.json +1 -1
  53. package/out/EncodeArray.sol/EncodeArray.json +1 -1
  54. package/out/EncodedLengths.sol/EncodedLengthsInstance.json +1 -1
  55. package/out/EncodedLengths.sol/EncodedLengthsLib.json +1 -1
  56. package/out/FieldLayout.sol/FieldLayoutInstance.json +1 -1
  57. package/out/FieldLayout.sol/FieldLayoutLib.json +1 -1
  58. package/out/FunctionSelectors.sol/FunctionSelectors.json +1 -1
  59. package/out/FunctionSignatures.sol/FunctionSignatures.json +1 -1
  60. package/out/GasReporter.sol/GasReporter.abi.json +55 -5
  61. package/out/GasReporter.sol/GasReporter.abi.json.d.ts +55 -5
  62. package/out/GasReporter.sol/GasReporter.json +1 -1
  63. package/out/Hook.sol/HookInstance.json +1 -1
  64. package/out/Hook.sol/HookLib.json +1 -1
  65. package/out/Hooks.sol/Hooks.json +1 -1
  66. package/out/IAccessManagementSystem.sol/IAccessManagementSystem.json +1 -1
  67. package/out/IBalanceTransferSystem.sol/IBalanceTransferSystem.json +1 -1
  68. package/out/IBaseWorld.sol/IBaseWorld.json +1 -1
  69. package/out/IBatchCallSystem.sol/IBatchCallSystem.json +1 -1
  70. package/out/IDelegationControl.sol/IDelegationControl.json +1 -1
  71. package/out/IERC165.sol/IERC165.json +1 -1
  72. package/out/IERC20.sol/IERC20.json +1 -1
  73. package/out/IERC20Errors.sol/IERC20Errors.json +1 -1
  74. package/out/IERC20Events.sol/IERC20Events.json +1 -1
  75. package/out/IERC20Metadata.sol/IERC20Metadata.json +1 -1
  76. package/out/IEncodedLengthsErrors.sol/IEncodedLengthsErrors.json +1 -1
  77. package/out/IFieldLayoutErrors.sol/IFieldLayoutErrors.json +1 -1
  78. package/out/IModule.sol/IModule.json +1 -1
  79. package/out/IModuleErrors.sol/IModuleErrors.json +1 -1
  80. package/out/IModuleInstallationSystem.sol/IModuleInstallationSystem.json +1 -1
  81. package/out/IMulticall3.sol/IMulticall3.json +1 -1
  82. package/out/IRegistrationSystem.sol/IRegistrationSystem.json +1 -1
  83. package/out/ISchemaErrors.sol/ISchemaErrors.json +1 -1
  84. package/out/ISliceErrors.sol/ISliceErrors.json +1 -1
  85. package/out/IStore.sol/IStore.json +1 -1
  86. package/out/IStoreErrors.sol/IStoreErrors.json +1 -1
  87. package/out/IStoreEvents.sol/IStoreEvents.json +1 -1
  88. package/out/IStoreHook.sol/IStoreHook.json +1 -1
  89. package/out/IStoreKernel.sol/IStoreKernel.json +1 -1
  90. package/out/IStoreRead.sol/IStoreRead.json +1 -1
  91. package/out/IStoreRegistration.sol/IStoreRegistration.json +1 -1
  92. package/out/IStoreWrite.sol/IStoreWrite.json +1 -1
  93. package/out/ISystemHook.sol/ISystemHook.json +1 -1
  94. package/out/IWorldContextConsumer.sol/IWorldContextConsumer.json +1 -1
  95. package/out/IWorldErrors.sol/IWorldErrors.json +1 -1
  96. package/out/IWorldEvents.sol/IWorldEvents.json +1 -1
  97. package/out/IWorldKernel.sol/IWorldCall.json +1 -1
  98. package/out/IWorldKernel.sol/IWorldKernel.json +1 -1
  99. package/out/IWorldKernel.sol/IWorldModuleInstallation.json +1 -1
  100. package/out/IWorldRegistrationSystem.sol/IWorldRegistrationSystem.json +1 -1
  101. package/out/InitModule.sol/InitModule.json +1 -1
  102. package/out/InitModuleAddress.sol/InitModuleAddress.json +1 -1
  103. package/out/InstalledModules.sol/InstalledModules.json +1 -1
  104. package/out/LimitedCallContext.sol/LimitedCallContext.json +1 -1
  105. package/out/MUDERC20.sol/MUDERC20.json +1 -1
  106. package/out/Memory.sol/Memory.json +1 -1
  107. package/out/Module.sol/Module.json +1 -1
  108. package/out/ModuleInstallationSystem.sol/ModuleInstallationSystem.json +1 -1
  109. package/out/NamespaceDelegationControl.sol/NamespaceDelegationControl.json +1 -1
  110. package/out/NamespaceOwner.sol/NamespaceOwner.json +1 -1
  111. package/out/Owner.sol/Owner.json +1 -1
  112. package/out/Pausable.sol/Pausable.json +1 -1
  113. package/out/Paused.sol/Paused.json +1 -1
  114. package/out/RegistrationSystem.sol/RegistrationSystem.json +1 -1
  115. package/out/ResourceAccess.sol/ResourceAccess.json +1 -1
  116. package/out/ResourceId.sol/ResourceIdInstance.json +1 -1
  117. package/out/ResourceId.sol/ResourceIdLib.json +1 -1
  118. package/out/ResourceIds.sol/ResourceIds.json +1 -1
  119. package/out/Schema.sol/SchemaInstance.json +1 -1
  120. package/out/Schema.sol/SchemaLib.json +1 -1
  121. package/out/Slice.sol/SliceInstance.json +1 -1
  122. package/out/Slice.sol/SliceLib.json +1 -1
  123. package/out/StdAssertions.sol/StdAssertions.abi.json +1 -14
  124. package/out/StdAssertions.sol/StdAssertions.abi.json.d.ts +1 -14
  125. package/out/StdAssertions.sol/StdAssertions.json +1 -1
  126. package/out/StdChains.sol/StdChains.json +1 -1
  127. package/out/StdCheats.sol/StdCheats.json +1 -1
  128. package/out/StdCheats.sol/StdCheatsSafe.json +1 -1
  129. package/out/StdConstants.sol/StdConstants.json +1 -0
  130. package/out/StdError.sol/stdError.json +1 -1
  131. package/out/StdInvariant.sol/StdInvariant.abi.json +54 -4
  132. package/out/StdInvariant.sol/StdInvariant.abi.json.d.ts +54 -4
  133. package/out/StdInvariant.sol/StdInvariant.json +1 -1
  134. package/out/StdJson.sol/stdJson.json +1 -1
  135. package/out/StdMath.sol/stdMath.json +1 -1
  136. package/out/StdStorage.sol/stdStorage.json +1 -1
  137. package/out/StdStorage.sol/stdStorageSafe.json +1 -1
  138. package/out/StdStyle.sol/StdStyle.json +1 -1
  139. package/out/StdToml.sol/stdToml.abi.json +1 -0
  140. package/out/StdToml.sol/stdToml.json +1 -0
  141. package/out/StdUtils.sol/StdUtils.json +1 -1
  142. package/out/Storage.sol/Storage.json +1 -1
  143. package/out/StoreCore.sol/StoreCore.json +1 -1
  144. package/out/StoreCore.sol/StoreCoreInternal.json +1 -1
  145. package/out/StoreHooks.sol/StoreHooks.json +1 -1
  146. package/out/StoreKernel.sol/StoreKernel.json +1 -1
  147. package/out/StoreRead.sol/StoreRead.json +1 -1
  148. package/out/StoreRegistrationSystem.sol/StoreRegistrationSystem.json +1 -1
  149. package/out/StoreSwitch.sol/StoreSwitch.json +1 -1
  150. package/out/System.sol/System.json +1 -1
  151. package/out/SystemCall.sol/SystemCall.json +1 -1
  152. package/out/SystemHooks.sol/SystemHooks.json +1 -1
  153. package/out/SystemRegistry.sol/SystemRegistry.json +1 -1
  154. package/out/Systems.sol/Systems.json +1 -1
  155. package/out/Tables.sol/Tables.json +1 -1
  156. package/out/Test.sol/Test.abi.json +55 -5
  157. package/out/Test.sol/Test.abi.json.d.ts +55 -5
  158. package/out/Test.sol/Test.json +1 -1
  159. package/out/TightCoder.sol/TightCoder.json +1 -1
  160. package/out/TotalSupply.sol/TotalSupply.json +1 -1
  161. package/out/UserDelegationControl.sol/UserDelegationControl.json +1 -1
  162. package/out/Vm.sol/Vm.abi.json +9682 -1821
  163. package/out/Vm.sol/Vm.abi.json.d.ts +9682 -1821
  164. package/out/Vm.sol/Vm.json +1 -1
  165. package/out/Vm.sol/VmSafe.abi.json +8012 -1351
  166. package/out/Vm.sol/VmSafe.abi.json.d.ts +8012 -1351
  167. package/out/Vm.sol/VmSafe.json +1 -1
  168. package/out/World.sol/World.json +1 -1
  169. package/out/WorldConsumer.sol/WorldConsumer.json +1 -1
  170. package/out/WorldContext.sol/WorldContextConsumer.json +1 -1
  171. package/out/WorldContext.sol/WorldContextConsumerLib.json +1 -1
  172. package/out/WorldContext.sol/WorldContextProviderLib.json +1 -1
  173. package/out/WorldRegistrationSystem.sol/WorldRegistrationSystem.json +1 -1
  174. package/out/WorldResourceId.sol/WorldResourceIdInstance.json +1 -1
  175. package/out/WorldResourceId.sol/WorldResourceIdLib.json +1 -1
  176. package/out/build-info/{a3739bdd1db68693cb6fcb64b58f8d25.json → 1f2980d4a7abc468e53c40b0d75e350c.json} +1 -1
  177. package/out/console.sol/console.json +1 -1
  178. package/out/constants.sol/LayoutOffsets.json +1 -1
  179. package/out/safeconsole.sol/safeconsole.json +1 -1
  180. package/out/src/IERC165.sol/IERC165.json +1 -1
  181. package/out/tables/Balances.sol/Balances.json +1 -1
  182. package/package.json +9 -10
  183. package/dist/chunk-5LBWQX65.js.map +0 -1
  184. package/dist/chunk-Y6LDJZ7L.js.map +0 -1
  185. package/dist/secp256k1-QCGY4Z6Q.js.map +0 -1
  186. package/out/console2.sol/console2.json +0 -1
  187. package/out/test.sol/DSTest.abi.json +0 -296
  188. package/out/test.sol/DSTest.abi.json.d.ts +0 -298
  189. package/out/test.sol/DSTest.json +0 -1
  190. /package/dist/{ccip-POWS7KFG.js.map → ccip-YKKDCE4N.js.map} +0 -0
  191. /package/out/{console2.sol/console2.abi.json → StdConstants.sol/StdConstants.abi.json} +0 -0
package/dist/{secp256k1-QCGY4Z6Q.js → secp256k1-ELJ5HZRX.js} RENAMED
@@ -1,38 +1,22 @@
1
1
  import {
2
2
  Hash,
3
- aInRange,
4
- abool,
5
3
  abytes,
6
- abytes2,
7
4
  aexists,
8
5
  ahash,
9
6
  anumber,
10
7
  aoutput,
11
- bitLen,
12
- bitMask,
13
8
  bytesToHex,
14
- bytesToNumberBE,
15
- bytesToNumberLE,
16
9
  clean,
17
10
  concatBytes,
18
- concatBytes2,
19
11
  createHasher,
20
- createHmacDrbg,
21
12
  createView,
22
- ensureBytes,
23
13
  hexToBytes,
24
- inRange,
25
14
  isBytes,
26
- memoized,
27
- numberToBytesBE,
28
- numberToBytesLE,
29
- numberToHexUnpadded,
30
15
  randomBytes,
31
16
  rotr,
32
17
  toBytes,
33
- utf8ToBytes,
34
- validateObject
35
- } from "./chunk-Y6LDJZ7L.js";
18
+ utf8ToBytes
19
+ } from "./chunk-EPZFKNND.js";
36
20
  import "./chunk-PR4QN5HX.js";
37
21
 
38
22
  // ../../node_modules/.pnpm/@noble+hashes@1.8.0/node_modules/@noble/hashes/esm/_md.js
@@ -363,35 +347,194 @@ var HMAC = class extends Hash {
363
347
  var hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
364
348
  hmac.create = (hash, key) => new HMAC(hash, key);
365
349
 
366
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/abstract/modular.js
367
- var _0n = BigInt(0);
368
- var _1n = BigInt(1);
350
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/utils.js
351
+ var _0n = /* @__PURE__ */ BigInt(0);
352
+ var _1n = /* @__PURE__ */ BigInt(1);
353
+ function _abool2(value, title = "") {
354
+ if (typeof value !== "boolean") {
355
+ const prefix = title && `"${title}"`;
356
+ throw new Error(prefix + "expected boolean, got type=" + typeof value);
357
+ }
358
+ return value;
359
+ }
360
+ function _abytes2(value, length, title = "") {
361
+ const bytes = isBytes(value);
362
+ const len = value?.length;
363
+ const needsLen = length !== void 0;
364
+ if (!bytes || needsLen && len !== length) {
365
+ const prefix = title && `"${title}" `;
366
+ const ofLen = needsLen ? ` of length ${length}` : "";
367
+ const got = bytes ? `length=${len}` : `type=${typeof value}`;
368
+ throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
369
+ }
370
+ return value;
371
+ }
372
+ function numberToHexUnpadded(num2) {
373
+ const hex = num2.toString(16);
374
+ return hex.length & 1 ? "0" + hex : hex;
375
+ }
376
+ function hexToNumber(hex) {
377
+ if (typeof hex !== "string")
378
+ throw new Error("hex string expected, got " + typeof hex);
379
+ return hex === "" ? _0n : BigInt("0x" + hex);
380
+ }
381
+ function bytesToNumberBE(bytes) {
382
+ return hexToNumber(bytesToHex(bytes));
383
+ }
384
+ function bytesToNumberLE(bytes) {
385
+ abytes(bytes);
386
+ return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
387
+ }
388
+ function numberToBytesBE(n, len) {
389
+ return hexToBytes(n.toString(16).padStart(len * 2, "0"));
390
+ }
391
+ function numberToBytesLE(n, len) {
392
+ return numberToBytesBE(n, len).reverse();
393
+ }
394
+ function ensureBytes(title, hex, expectedLength) {
395
+ let res;
396
+ if (typeof hex === "string") {
397
+ try {
398
+ res = hexToBytes(hex);
399
+ } catch (e) {
400
+ throw new Error(title + " must be hex string or Uint8Array, cause: " + e);
401
+ }
402
+ } else if (isBytes(hex)) {
403
+ res = Uint8Array.from(hex);
404
+ } else {
405
+ throw new Error(title + " must be hex string or Uint8Array");
406
+ }
407
+ const len = res.length;
408
+ if (typeof expectedLength === "number" && len !== expectedLength)
409
+ throw new Error(title + " of length " + expectedLength + " expected, got " + len);
410
+ return res;
411
+ }
412
+ var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
413
+ function inRange(n, min, max) {
414
+ return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
415
+ }
416
+ function aInRange(title, n, min, max) {
417
+ if (!inRange(n, min, max))
418
+ throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
419
+ }
420
+ function bitLen(n) {
421
+ let len;
422
+ for (len = 0; n > _0n; n >>= _1n, len += 1)
423
+ ;
424
+ return len;
425
+ }
426
+ var bitMask = (n) => (_1n << BigInt(n)) - _1n;
427
+ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
428
+ if (typeof hashLen !== "number" || hashLen < 2)
429
+ throw new Error("hashLen must be a number");
430
+ if (typeof qByteLen !== "number" || qByteLen < 2)
431
+ throw new Error("qByteLen must be a number");
432
+ if (typeof hmacFn !== "function")
433
+ throw new Error("hmacFn must be a function");
434
+ const u8n = (len) => new Uint8Array(len);
435
+ const u8of = (byte) => Uint8Array.of(byte);
436
+ let v = u8n(hashLen);
437
+ let k = u8n(hashLen);
438
+ let i = 0;
439
+ const reset = () => {
440
+ v.fill(1);
441
+ k.fill(0);
442
+ i = 0;
443
+ };
444
+ const h = (...b) => hmacFn(k, v, ...b);
445
+ const reseed = (seed = u8n(0)) => {
446
+ k = h(u8of(0), seed);
447
+ v = h();
448
+ if (seed.length === 0)
449
+ return;
450
+ k = h(u8of(1), seed);
451
+ v = h();
452
+ };
453
+ const gen = () => {
454
+ if (i++ >= 1e3)
455
+ throw new Error("drbg: tried 1000 values");
456
+ let len = 0;
457
+ const out = [];
458
+ while (len < qByteLen) {
459
+ v = h();
460
+ const sl = v.slice();
461
+ out.push(sl);
462
+ len += v.length;
463
+ }
464
+ return concatBytes(...out);
465
+ };
466
+ const genUntil = (seed, pred) => {
467
+ reset();
468
+ reseed(seed);
469
+ let res = void 0;
470
+ while (!(res = pred(gen())))
471
+ reseed();
472
+ reset();
473
+ return res;
474
+ };
475
+ return genUntil;
476
+ }
477
+ function isHash(val) {
478
+ return typeof val === "function" && Number.isSafeInteger(val.outputLen);
479
+ }
480
+ function _validateObject(object, fields, optFields = {}) {
481
+ if (!object || typeof object !== "object")
482
+ throw new Error("expected valid options object");
483
+ function checkField(fieldName, expectedType, isOpt) {
484
+ const val = object[fieldName];
485
+ if (isOpt && val === void 0)
486
+ return;
487
+ const current = typeof val;
488
+ if (current !== expectedType || val === null)
489
+ throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
490
+ }
491
+ Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
492
+ Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
493
+ }
494
+ function memoized(fn) {
495
+ const map = /* @__PURE__ */ new WeakMap();
496
+ return (arg, ...args) => {
497
+ const val = map.get(arg);
498
+ if (val !== void 0)
499
+ return val;
500
+ const computed = fn(arg, ...args);
501
+ map.set(arg, computed);
502
+ return computed;
503
+ };
504
+ }
505
+
506
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/abstract/modular.js
507
+ var _0n2 = BigInt(0);
508
+ var _1n2 = BigInt(1);
369
509
  var _2n = /* @__PURE__ */ BigInt(2);
370
510
  var _3n = /* @__PURE__ */ BigInt(3);
371
511
  var _4n = /* @__PURE__ */ BigInt(4);
372
512
  var _5n = /* @__PURE__ */ BigInt(5);
513
+ var _7n = /* @__PURE__ */ BigInt(7);
373
514
  var _8n = /* @__PURE__ */ BigInt(8);
515
+ var _9n = /* @__PURE__ */ BigInt(9);
516
+ var _16n = /* @__PURE__ */ BigInt(16);
374
517
  function mod(a, b) {
375
518
  const result = a % b;
376
- return result >= _0n ? result : b + result;
519
+ return result >= _0n2 ? result : b + result;
377
520
  }
378
521
  function pow2(x, power, modulo) {
379
522
  let res = x;
380
- while (power-- > _0n) {
523
+ while (power-- > _0n2) {
381
524
  res *= res;
382
525
  res %= modulo;
383
526
  }
384
527
  return res;
385
528
  }
386
529
  function invert(number, modulo) {
387
- if (number === _0n)
530
+ if (number === _0n2)
388
531
  throw new Error("invert: expected non-zero number");
389
- if (modulo <= _0n)
532
+ if (modulo <= _0n2)
390
533
  throw new Error("invert: expected positive modulus, got " + modulo);
391
534
  let a = mod(number, modulo);
392
535
  let b = modulo;
393
- let x = _0n, y = _1n, u = _1n, v = _0n;
394
- while (a !== _0n) {
536
+ let x = _0n2, y = _1n2, u = _1n2, v = _0n2;
537
+ while (a !== _0n2) {
395
538
  const q = b / a;
396
539
  const r = b % a;
397
540
  const m = x - u * q;
@@ -399,15 +542,18 @@ function invert(number, modulo) {
399
542
  b = a, a = r, x = u, y = v, u = m, v = n;
400
543
  }
401
544
  const gcd = b;
402
- if (gcd !== _1n)
545
+ if (gcd !== _1n2)
403
546
  throw new Error("invert: does not exist");
404
547
  return mod(x, modulo);
405
548
  }
406
- function sqrt3mod4(Fp, n) {
407
- const p1div4 = (Fp.ORDER + _1n) / _4n;
408
- const root = Fp.pow(n, p1div4);
549
+ function assertIsSquare(Fp, root, n) {
409
550
  if (!Fp.eql(Fp.sqr(root), n))
410
551
  throw new Error("Cannot find square root");
552
+ }
553
+ function sqrt3mod4(Fp, n) {
554
+ const p1div4 = (Fp.ORDER + _1n2) / _4n;
555
+ const root = Fp.pow(n, p1div4);
556
+ assertIsSquare(Fp, root, n);
411
557
  return root;
412
558
  }
413
559
  function sqrt5mod8(Fp, n) {
@@ -417,16 +563,37 @@ function sqrt5mod8(Fp, n) {
417
563
  const nv = Fp.mul(n, v);
418
564
  const i = Fp.mul(Fp.mul(nv, _2n), v);
419
565
  const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
420
- if (!Fp.eql(Fp.sqr(root), n))
421
- throw new Error("Cannot find square root");
566
+ assertIsSquare(Fp, root, n);
422
567
  return root;
423
568
  }
569
+ function sqrt9mod16(P) {
570
+ const Fp_ = Field(P);
571
+ const tn = tonelliShanks(P);
572
+ const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));
573
+ const c2 = tn(Fp_, c1);
574
+ const c3 = tn(Fp_, Fp_.neg(c1));
575
+ const c4 = (P + _7n) / _16n;
576
+ return (Fp, n) => {
577
+ let tv1 = Fp.pow(n, c4);
578
+ let tv2 = Fp.mul(tv1, c1);
579
+ const tv3 = Fp.mul(tv1, c2);
580
+ const tv4 = Fp.mul(tv1, c3);
581
+ const e1 = Fp.eql(Fp.sqr(tv2), n);
582
+ const e2 = Fp.eql(Fp.sqr(tv3), n);
583
+ tv1 = Fp.cmov(tv1, tv2, e1);
584
+ tv2 = Fp.cmov(tv4, tv3, e2);
585
+ const e3 = Fp.eql(Fp.sqr(tv2), n);
586
+ const root = Fp.cmov(tv1, tv2, e3);
587
+ assertIsSquare(Fp, root, n);
588
+ return root;
589
+ };
590
+ }
424
591
  function tonelliShanks(P) {
425
- if (P < BigInt(3))
592
+ if (P < _3n)
426
593
  throw new Error("sqrt is not defined for small field");
427
- let Q = P - _1n;
594
+ let Q = P - _1n2;
428
595
  let S = 0;
429
- while (Q % _2n === _0n) {
596
+ while (Q % _2n === _0n2) {
430
597
  Q /= _2n;
431
598
  S++;
432
599
  }
@@ -439,7 +606,7 @@ function tonelliShanks(P) {
439
606
  if (S === 1)
440
607
  return sqrt3mod4;
441
608
  let cc = _Fp.pow(Z, Q);
442
- const Q1div2 = (Q + _1n) / _2n;
609
+ const Q1div2 = (Q + _1n2) / _2n;
443
610
  return function tonelliSlow(Fp, n) {
444
611
  if (Fp.is0(n))
445
612
  return n;
@@ -460,7 +627,7 @@ function tonelliShanks(P) {
460
627
  if (i === M)
461
628
  throw new Error("Cannot find square root");
462
629
  }
463
- const exponent = _1n << BigInt(M - i - 1);
630
+ const exponent = _1n2 << BigInt(M - i - 1);
464
631
  const b = Fp.pow(c, exponent);
465
632
  M = i;
466
633
  c = Fp.sqr(b);
@@ -475,6 +642,8 @@ function FpSqrt(P) {
475
642
  return sqrt3mod4;
476
643
  if (P % _8n === _5n)
477
644
  return sqrt5mod8;
645
+ if (P % _16n === _9n)
646
+ return sqrt9mod16(P);
478
647
  return tonelliShanks(P);
479
648
  }
480
649
  var FIELD_FIELDS = [
@@ -500,29 +669,30 @@ function validateField(field) {
500
669
  const initial = {
501
670
  ORDER: "bigint",
502
671
  MASK: "bigint",
503
- BYTES: "isSafeInteger",
504
- BITS: "isSafeInteger"
672
+ BYTES: "number",
673
+ BITS: "number"
505
674
  };
506
675
  const opts = FIELD_FIELDS.reduce((map, val) => {
507
676
  map[val] = "function";
508
677
  return map;
509
678
  }, initial);
510
- return validateObject(field, opts);
679
+ _validateObject(field, opts);
680
+ return field;
511
681
  }
512
682
  function FpPow(Fp, num2, power) {
513
- if (power < _0n)
683
+ if (power < _0n2)
514
684
  throw new Error("invalid exponent, negatives unsupported");
515
- if (power === _0n)
685
+ if (power === _0n2)
516
686
  return Fp.ONE;
517
- if (power === _1n)
687
+ if (power === _1n2)
518
688
  return num2;
519
689
  let p = Fp.ONE;
520
690
  let d = num2;
521
- while (power > _0n) {
522
- if (power & _1n)
691
+ while (power > _0n2) {
692
+ if (power & _1n2)
523
693
  p = Fp.mul(p, d);
524
694
  d = Fp.sqr(d);
525
- power >>= _1n;
695
+ power >>= _1n2;
526
696
  }
527
697
  return p;
528
698
  }
@@ -544,7 +714,7 @@ function FpInvertBatch(Fp, nums, passZero = false) {
544
714
  return inverted;
545
715
  }
546
716
  function FpLegendre(Fp, n) {
547
- const p1mod2 = (Fp.ORDER - _1n) / _2n;
717
+ const p1mod2 = (Fp.ORDER - _1n2) / _2n;
548
718
  const powered = Fp.pow(n, p1mod2);
549
719
  const yes = Fp.eql(powered, Fp.ONE);
550
720
  const zero = Fp.eql(powered, Fp.ZERO);
@@ -560,10 +730,33 @@ function nLength(n, nBitLength) {
560
730
  const nByteLength = Math.ceil(_nBitLength / 8);
561
731
  return { nBitLength: _nBitLength, nByteLength };
562
732
  }
563
- function Field(ORDER, bitLen2, isLE = false, redef = {}) {
564
- if (ORDER <= _0n)
733
+ function Field(ORDER, bitLenOrOpts, isLE = false, opts = {}) {
734
+ if (ORDER <= _0n2)
565
735
  throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
566
- const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
736
+ let _nbitLength = void 0;
737
+ let _sqrt = void 0;
738
+ let modFromBytes = false;
739
+ let allowedLengths = void 0;
740
+ if (typeof bitLenOrOpts === "object" && bitLenOrOpts != null) {
741
+ if (opts.sqrt || isLE)
742
+ throw new Error("cannot specify opts in two arguments");
743
+ const _opts = bitLenOrOpts;
744
+ if (_opts.BITS)
745
+ _nbitLength = _opts.BITS;
746
+ if (_opts.sqrt)
747
+ _sqrt = _opts.sqrt;
748
+ if (typeof _opts.isLE === "boolean")
749
+ isLE = _opts.isLE;
750
+ if (typeof _opts.modFromBytes === "boolean")
751
+ modFromBytes = _opts.modFromBytes;
752
+ allowedLengths = _opts.allowedLengths;
753
+ } else {
754
+ if (typeof bitLenOrOpts === "number")
755
+ _nbitLength = bitLenOrOpts;
756
+ if (opts.sqrt)
757
+ _sqrt = opts.sqrt;
758
+ }
759
+ const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
567
760
  if (BYTES > 2048)
568
761
  throw new Error("invalid field: expected ORDER of <= 2048 bytes");
569
762
  let sqrtP;
@@ -573,16 +766,19 @@ function Field(ORDER, bitLen2, isLE = false, redef = {}) {
573
766
  BITS,
574
767
  BYTES,
575
768
  MASK: bitMask(BITS),
576
- ZERO: _0n,
577
- ONE: _1n,
769
+ ZERO: _0n2,
770
+ ONE: _1n2,
771
+ allowedLengths,
578
772
  create: (num2) => mod(num2, ORDER),
579
773
  isValid: (num2) => {
580
774
  if (typeof num2 !== "bigint")
581
775
  throw new Error("invalid field element: expected bigint, got " + typeof num2);
582
- return _0n <= num2 && num2 < ORDER;
776
+ return _0n2 <= num2 && num2 < ORDER;
583
777
  },
584
- is0: (num2) => num2 === _0n,
585
- isOdd: (num2) => (num2 & _1n) === _1n,
778
+ is0: (num2) => num2 === _0n2,
779
+ // is valid and invertible
780
+ isValidNot0: (num2) => !f.is0(num2) && f.isValid(num2),
781
+ isOdd: (num2) => (num2 & _1n2) === _1n2,
586
782
  neg: (num2) => mod(-num2, ORDER),
587
783
  eql: (lhs, rhs) => lhs === rhs,
588
784
  sqr: (num2) => mod(num2 * num2, ORDER),
@@ -597,16 +793,31 @@ function Field(ORDER, bitLen2, isLE = false, redef = {}) {
597
793
  subN: (lhs, rhs) => lhs - rhs,
598
794
  mulN: (lhs, rhs) => lhs * rhs,
599
795
  inv: (num2) => invert(num2, ORDER),
600
- sqrt: redef.sqrt || ((n) => {
796
+ sqrt: _sqrt || ((n) => {
601
797
  if (!sqrtP)
602
798
  sqrtP = FpSqrt(ORDER);
603
799
  return sqrtP(f, n);
604
800
  }),
605
801
  toBytes: (num2) => isLE ? numberToBytesLE(num2, BYTES) : numberToBytesBE(num2, BYTES),
606
- fromBytes: (bytes) => {
802
+ fromBytes: (bytes, skipValidation = true) => {
803
+ if (allowedLengths) {
804
+ if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
805
+ throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
806
+ }
807
+ const padded = new Uint8Array(BYTES);
808
+ padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
809
+ bytes = padded;
810
+ }
607
811
  if (bytes.length !== BYTES)
608
812
  throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
609
- return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
813
+ let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
814
+ if (modFromBytes)
815
+ scalar = mod(scalar, ORDER);
816
+ if (!skipValidation) {
817
+ if (!f.isValid(scalar))
818
+ throw new Error("invalid field element: outside of range 0..ORDER");
819
+ }
820
+ return scalar;
610
821
  },
611
822
  // TODO: we don't need it here, move out to separate fn
612
823
  invertBatch: (lst) => FpInvertBatch(f, lst),
@@ -633,17 +844,21 @@ function mapHashToField(key, fieldOrder, isLE = false) {
633
844
  if (len < 16 || len < minLen || len > 1024)
634
845
  throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
635
846
  const num2 = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
636
- const reduced = mod(num2, fieldOrder - _1n) + _1n;
847
+ const reduced = mod(num2, fieldOrder - _1n2) + _1n2;
637
848
  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
638
849
  }
639
850
 
640
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/abstract/curve.js
641
- var _0n2 = BigInt(0);
642
- var _1n2 = BigInt(1);
643
- function constTimeNegate(condition, item) {
851
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/abstract/curve.js
852
+ var _0n3 = BigInt(0);
853
+ var _1n3 = BigInt(1);
854
+ function negateCt(condition, item) {
644
855
  const neg = item.negate();
645
856
  return condition ? neg : item;
646
857
  }
858
+ function normalizeZ(c, points) {
859
+ const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
860
+ return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
861
+ }
647
862
  function validateW(W, bits) {
648
863
  if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
649
864
  throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W);
@@ -663,7 +878,7 @@ function calcOffsets(n, window, wOpts) {
663
878
  let nextN = n >> shiftBy;
664
879
  if (wbits > windowSize) {
665
880
  wbits -= maxNumber;
666
- nextN += _1n2;
881
+ nextN += _1n3;
667
882
  }
668
883
  const offsetStart = window * windowSize;
669
884
  const offset = offsetStart + Math.abs(wbits) - 1;
@@ -694,125 +909,151 @@ var pointWindowSizes = /* @__PURE__ */ new WeakMap();
694
909
  function getW(P) {
695
910
  return pointWindowSizes.get(P) || 1;
696
911
  }
697
- function wNAF(c, bits) {
698
- return {
699
- constTimeNegate,
700
- hasPrecomputes(elm) {
701
- return getW(elm) !== 1;
702
- },
703
- // non-const time multiplication ladder
704
- unsafeLadder(elm, n, p = c.ZERO) {
705
- let d = elm;
706
- while (n > _0n2) {
707
- if (n & _1n2)
708
- p = p.add(d);
709
- d = d.double();
710
- n >>= _1n2;
711
- }
712
- return p;
713
- },
714
- /**
715
- * Creates a wNAF precomputation window. Used for caching.
716
- * Default window size is set by `utils.precompute()` and is equal to 8.
717
- * Number of precomputed points depends on the curve size:
718
- * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
719
- * - 𝑊 is the window size
720
- * - 𝑛 is the bitlength of the curve order.
721
- * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
722
- * @param elm Point instance
723
- * @param W window size
724
- * @returns precomputed point tables flattened to a single array
725
- */
726
- precomputeWindow(elm, W) {
727
- const { windows, windowSize } = calcWOpts(W, bits);
728
- const points = [];
729
- let p = elm;
730
- let base = p;
731
- for (let window = 0; window < windows; window++) {
732
- base = p;
912
+ function assert0(n) {
913
+ if (n !== _0n3)
914
+ throw new Error("invalid wNAF");
915
+ }
916
+ var wNAF = class {
917
+ // Parametrized with a given Point class (not individual point)
918
+ constructor(Point, bits) {
919
+ this.BASE = Point.BASE;
920
+ this.ZERO = Point.ZERO;
921
+ this.Fn = Point.Fn;
922
+ this.bits = bits;
923
+ }
924
+ // non-const time multiplication ladder
925
+ _unsafeLadder(elm, n, p = this.ZERO) {
926
+ let d = elm;
927
+ while (n > _0n3) {
928
+ if (n & _1n3)
929
+ p = p.add(d);
930
+ d = d.double();
931
+ n >>= _1n3;
932
+ }
933
+ return p;
934
+ }
935
+ /**
936
+ * Creates a wNAF precomputation window. Used for caching.
937
+ * Default window size is set by `utils.precompute()` and is equal to 8.
938
+ * Number of precomputed points depends on the curve size:
939
+ * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
940
+ * - 𝑊 is the window size
941
+ * - 𝑛 is the bitlength of the curve order.
942
+ * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
943
+ * @param point Point instance
944
+ * @param W window size
945
+ * @returns precomputed point tables flattened to a single array
946
+ */
947
+ precomputeWindow(point, W) {
948
+ const { windows, windowSize } = calcWOpts(W, this.bits);
949
+ const points = [];
950
+ let p = point;
951
+ let base = p;
952
+ for (let window = 0; window < windows; window++) {
953
+ base = p;
954
+ points.push(base);
955
+ for (let i = 1; i < windowSize; i++) {
956
+ base = base.add(p);
733
957
  points.push(base);
734
- for (let i = 1; i < windowSize; i++) {
735
- base = base.add(p);
736
- points.push(base);
737
- }
738
- p = base.double();
739
958
  }
740
- return points;
741
- },
742
- /**
743
- * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
744
- * @param W window size
745
- * @param precomputes precomputed tables
746
- * @param n scalar (we don't check here, but should be less than curve order)
747
- * @returns real and fake (for const-time) points
748
- */
749
- wNAF(W, precomputes, n) {
750
- let p = c.ZERO;
751
- let f = c.BASE;
752
- const wo = calcWOpts(W, bits);
753
- for (let window = 0; window < wo.windows; window++) {
754
- const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
755
- n = nextN;
756
- if (isZero) {
757
- f = f.add(constTimeNegate(isNegF, precomputes[offsetF]));
758
- } else {
759
- p = p.add(constTimeNegate(isNeg, precomputes[offset]));
760
- }
959
+ p = base.double();
960
+ }
961
+ return points;
962
+ }
963
+ /**
964
+ * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
965
+ * More compact implementation:
966
+ * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
967
+ * @returns real and fake (for const-time) points
968
+ */
969
+ wNAF(W, precomputes, n) {
970
+ if (!this.Fn.isValid(n))
971
+ throw new Error("invalid scalar");
972
+ let p = this.ZERO;
973
+ let f = this.BASE;
974
+ const wo = calcWOpts(W, this.bits);
975
+ for (let window = 0; window < wo.windows; window++) {
976
+ const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
977
+ n = nextN;
978
+ if (isZero) {
979
+ f = f.add(negateCt(isNegF, precomputes[offsetF]));
980
+ } else {
981
+ p = p.add(negateCt(isNeg, precomputes[offset]));
761
982
  }
762
- return { p, f };
763
- },
764
- /**
765
- * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
766
- * @param W window size
767
- * @param precomputes precomputed tables
768
- * @param n scalar (we don't check here, but should be less than curve order)
769
- * @param acc accumulator point to add result of multiplication
770
- * @returns point
771
- */
772
- wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
773
- const wo = calcWOpts(W, bits);
774
- for (let window = 0; window < wo.windows; window++) {
775
- if (n === _0n2)
776
- break;
777
- const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
778
- n = nextN;
779
- if (isZero) {
780
- continue;
781
- } else {
782
- const item = precomputes[offset];
783
- acc = acc.add(isNeg ? item.negate() : item);
784
- }
983
+ }
984
+ assert0(n);
985
+ return { p, f };
986
+ }
987
+ /**
988
+ * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
989
+ * @param acc accumulator point to add result of multiplication
990
+ * @returns point
991
+ */
992
+ wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
993
+ const wo = calcWOpts(W, this.bits);
994
+ for (let window = 0; window < wo.windows; window++) {
995
+ if (n === _0n3)
996
+ break;
997
+ const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
998
+ n = nextN;
999
+ if (isZero) {
1000
+ continue;
1001
+ } else {
1002
+ const item = precomputes[offset];
1003
+ acc = acc.add(isNeg ? item.negate() : item);
785
1004
  }
786
- return acc;
787
- },
788
- getPrecomputes(W, P, transform) {
789
- let comp = pointPrecomputes.get(P);
790
- if (!comp) {
791
- comp = this.precomputeWindow(P, W);
792
- if (W !== 1)
793
- pointPrecomputes.set(P, transform(comp));
1005
+ }
1006
+ assert0(n);
1007
+ return acc;
1008
+ }
1009
+ getPrecomputes(W, point, transform) {
1010
+ let comp = pointPrecomputes.get(point);
1011
+ if (!comp) {
1012
+ comp = this.precomputeWindow(point, W);
1013
+ if (W !== 1) {
1014
+ if (typeof transform === "function")
1015
+ comp = transform(comp);
1016
+ pointPrecomputes.set(point, comp);
794
1017
  }
795
- return comp;
796
- },
797
- wNAFCached(P, n, transform) {
798
- const W = getW(P);
799
- return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
800
- },
801
- wNAFCachedUnsafe(P, n, transform, prev) {
802
- const W = getW(P);
803
- if (W === 1)
804
- return this.unsafeLadder(P, n, prev);
805
- return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
806
- },
807
- // We calculate precomputes for elliptic curve point multiplication
808
- // using windowed method. This specifies window size and
809
- // stores precomputed values. Usually only base point would be precomputed.
810
- setWindowSize(P, W) {
811
- validateW(W, bits);
812
- pointWindowSizes.set(P, W);
813
- pointPrecomputes.delete(P);
814
1018
  }
815
- };
1019
+ return comp;
1020
+ }
1021
+ cached(point, scalar, transform) {
1022
+ const W = getW(point);
1023
+ return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
1024
+ }
1025
+ unsafe(point, scalar, transform, prev) {
1026
+ const W = getW(point);
1027
+ if (W === 1)
1028
+ return this._unsafeLadder(point, scalar, prev);
1029
+ return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
1030
+ }
1031
+ // We calculate precomputes for elliptic curve point multiplication
1032
+ // using windowed method. This specifies window size and
1033
+ // stores precomputed values. Usually only base point would be precomputed.
1034
+ createCache(P, W) {
1035
+ validateW(W, this.bits);
1036
+ pointWindowSizes.set(P, W);
1037
+ pointPrecomputes.delete(P);
1038
+ }
1039
+ hasCache(elm) {
1040
+ return getW(elm) !== 1;
1041
+ }
1042
+ };
1043
+ function mulEndoUnsafe(Point, point, k1, k2) {
1044
+ let acc = point;
1045
+ let p1 = Point.ZERO;
1046
+ let p2 = Point.ZERO;
1047
+ while (k1 > _0n3 || k2 > _0n3) {
1048
+ if (k1 & _1n3)
1049
+ p1 = p1.add(acc);
1050
+ if (k2 & _1n3)
1051
+ p2 = p2.add(acc);
1052
+ acc = acc.double();
1053
+ k1 >>= _1n3;
1054
+ k2 >>= _1n3;
1055
+ }
1056
+ return { p1, p2 };
816
1057
  }
817
1058
  function pippenger(c, fieldN, points, scalars) {
818
1059
  validateMSMPoints(points, c);
@@ -853,55 +1094,73 @@ function pippenger(c, fieldN, points, scalars) {
853
1094
  }
854
1095
  return sum;
855
1096
  }
856
- function validateBasic(curve) {
857
- validateField(curve.Fp);
858
- validateObject(curve, {
859
- n: "bigint",
860
- h: "bigint",
861
- Gx: "field",
862
- Gy: "field"
863
- }, {
864
- nBitLength: "isSafeInteger",
865
- nByteLength: "isSafeInteger"
866
- });
867
- return Object.freeze({
868
- ...nLength(curve.n, curve.nBitLength),
869
- ...curve,
870
- ...{ p: curve.Fp.ORDER }
871
- });
1097
+ function createField(order, field, isLE) {
1098
+ if (field) {
1099
+ if (field.ORDER !== order)
1100
+ throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
1101
+ validateField(field);
1102
+ return field;
1103
+ } else {
1104
+ return Field(order, { isLE });
1105
+ }
1106
+ }
1107
+ function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
1108
+ if (FpFnLE === void 0)
1109
+ FpFnLE = type === "edwards";
1110
+ if (!CURVE || typeof CURVE !== "object")
1111
+ throw new Error(`expected valid ${type} CURVE object`);
1112
+ for (const p of ["p", "n", "h"]) {
1113
+ const val = CURVE[p];
1114
+ if (!(typeof val === "bigint" && val > _0n3))
1115
+ throw new Error(`CURVE.${p} must be positive bigint`);
1116
+ }
1117
+ const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
1118
+ const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
1119
+ const _b = type === "weierstrass" ? "b" : "d";
1120
+ const params = ["Gx", "Gy", "a", _b];
1121
+ for (const p of params) {
1122
+ if (!Fp.isValid(CURVE[p]))
1123
+ throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
1124
+ }
1125
+ CURVE = Object.freeze(Object.assign({}, CURVE));
1126
+ return { CURVE, Fp, Fn };
872
1127
  }
873
1128
 
874
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/abstract/weierstrass.js
875
- function validateSigVerOpts(opts) {
876
- if (opts.lowS !== void 0)
877
- abool("lowS", opts.lowS);
878
- if (opts.prehash !== void 0)
879
- abool("prehash", opts.prehash);
880
- }
881
- function validatePointOpts(curve) {
882
- const opts = validateBasic(curve);
883
- validateObject(opts, {
884
- a: "field",
885
- b: "field"
886
- }, {
887
- allowInfinityPoint: "boolean",
888
- allowedPrivateKeyLengths: "array",
889
- clearCofactor: "function",
890
- fromBytes: "function",
891
- isTorsionFree: "function",
892
- toBytes: "function",
893
- wrapPrivateKey: "boolean"
894
- });
895
- const { endo, Fp, a } = opts;
896
- if (endo) {
897
- if (!Fp.eql(a, Fp.ZERO)) {
898
- throw new Error("invalid endo: CURVE.a must be 0");
899
- }
900
- if (typeof endo !== "object" || typeof endo.beta !== "bigint" || typeof endo.splitScalar !== "function") {
901
- throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
902
- }
1129
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/abstract/weierstrass.js
1130
+ var divNearest = (num2, den) => (num2 + (num2 >= 0 ? den : -den) / _2n2) / den;
1131
+ function _splitEndoScalar(k, basis, n) {
1132
+ const [[a1, b1], [a2, b2]] = basis;
1133
+ const c1 = divNearest(b2 * k, n);
1134
+ const c2 = divNearest(-b1 * k, n);
1135
+ let k1 = k - c1 * a1 - c2 * a2;
1136
+ let k2 = -c1 * b1 - c2 * b2;
1137
+ const k1neg = k1 < _0n4;
1138
+ const k2neg = k2 < _0n4;
1139
+ if (k1neg)
1140
+ k1 = -k1;
1141
+ if (k2neg)
1142
+ k2 = -k2;
1143
+ const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n4;
1144
+ if (k1 < _0n4 || k1 >= MAX_NUM || k2 < _0n4 || k2 >= MAX_NUM) {
1145
+ throw new Error("splitScalar (endomorphism): failed, k=" + k);
903
1146
  }
904
- return Object.freeze({ ...opts });
1147
+ return { k1neg, k1, k2neg, k2 };
1148
+ }
1149
+ function validateSigFormat(format) {
1150
+ if (!["compact", "recovered", "der"].includes(format))
1151
+ throw new Error('Signature format must be "compact", "recovered", or "der"');
1152
+ return format;
1153
+ }
1154
+ function validateSigOpts(opts, def) {
1155
+ const optsn = {};
1156
+ for (let optName of Object.keys(def)) {
1157
+ optsn[optName] = opts[optName] === void 0 ? def[optName] : opts[optName];
1158
+ }
1159
+ _abool2(optsn.lowS, "lowS");
1160
+ _abool2(optsn.prehash, "prehash");
1161
+ if (optsn.format !== void 0)
1162
+ validateSigFormat(optsn.format);
1163
+ return optsn;
905
1164
  }
906
1165
  var DERErr = class extends Error {
907
1166
  constructor(m = "") {
@@ -970,7 +1229,7 @@ var DER = {
970
1229
  _int: {
971
1230
  encode(num2) {
972
1231
  const { Err: E } = DER;
973
- if (num2 < _0n3)
1232
+ if (num2 < _0n4)
974
1233
  throw new E("integer: negative integers are not allowed");
975
1234
  let hex = numberToHexUnpadded(num2);
976
1235
  if (Number.parseInt(hex[0], 16) & 8)
@@ -1008,33 +1267,106 @@ var DER = {
1008
1267
  return tlv.encode(48, seq);
1009
1268
  }
1010
1269
  };
1011
- function numToSizedHex(num2, size) {
1012
- return bytesToHex(numberToBytesBE(num2, size));
1013
- }
1014
- var _0n3 = BigInt(0);
1015
- var _1n3 = BigInt(1);
1270
+ var _0n4 = BigInt(0);
1271
+ var _1n4 = BigInt(1);
1016
1272
  var _2n2 = BigInt(2);
1017
1273
  var _3n2 = BigInt(3);
1018
1274
  var _4n2 = BigInt(4);
1019
- function weierstrassPoints(opts) {
1020
- const CURVE = validatePointOpts(opts);
1021
- const { Fp } = CURVE;
1022
- const Fn = Field(CURVE.n, CURVE.nBitLength);
1023
- const toBytes2 = CURVE.toBytes || ((_c, point, _isCompressed) => {
1024
- const a = point.toAffine();
1025
- return concatBytes2(Uint8Array.from([4]), Fp.toBytes(a.x), Fp.toBytes(a.y));
1275
+ function _normFnElement(Fn, key) {
1276
+ const { BYTES: expected } = Fn;
1277
+ let num2;
1278
+ if (typeof key === "bigint") {
1279
+ num2 = key;
1280
+ } else {
1281
+ let bytes = ensureBytes("private key", key);
1282
+ try {
1283
+ num2 = Fn.fromBytes(bytes);
1284
+ } catch (error) {
1285
+ throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
1286
+ }
1287
+ }
1288
+ if (!Fn.isValidNot0(num2))
1289
+ throw new Error("invalid private key: out of range [1..N-1]");
1290
+ return num2;
1291
+ }
1292
+ function weierstrassN(params, extraOpts = {}) {
1293
+ const validated = _createCurveFields("weierstrass", params, extraOpts);
1294
+ const { Fp, Fn } = validated;
1295
+ let CURVE = validated.CURVE;
1296
+ const { h: cofactor, n: CURVE_ORDER } = CURVE;
1297
+ _validateObject(extraOpts, {}, {
1298
+ allowInfinityPoint: "boolean",
1299
+ clearCofactor: "function",
1300
+ isTorsionFree: "function",
1301
+ fromBytes: "function",
1302
+ toBytes: "function",
1303
+ endo: "object",
1304
+ wrapPrivateKey: "boolean"
1026
1305
  });
1027
- const fromBytes = CURVE.fromBytes || ((bytes) => {
1306
+ const { endo } = extraOpts;
1307
+ if (endo) {
1308
+ if (!Fp.is0(CURVE.a) || typeof endo.beta !== "bigint" || !Array.isArray(endo.basises)) {
1309
+ throw new Error('invalid endo: expected "beta": bigint and "basises": array');
1310
+ }
1311
+ }
1312
+ const lengths = getWLengths(Fp, Fn);
1313
+ function assertCompressionIsSupported() {
1314
+ if (!Fp.isOdd)
1315
+ throw new Error("compression is not supported: Field does not have .isOdd()");
1316
+ }
1317
+ function pointToBytes2(_c, point, isCompressed) {
1318
+ const { x, y } = point.toAffine();
1319
+ const bx = Fp.toBytes(x);
1320
+ _abool2(isCompressed, "isCompressed");
1321
+ if (isCompressed) {
1322
+ assertCompressionIsSupported();
1323
+ const hasEvenY = !Fp.isOdd(y);
1324
+ return concatBytes(pprefix(hasEvenY), bx);
1325
+ } else {
1326
+ return concatBytes(Uint8Array.of(4), bx, Fp.toBytes(y));
1327
+ }
1328
+ }
1329
+ function pointFromBytes(bytes) {
1330
+ _abytes2(bytes, void 0, "Point");
1331
+ const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths;
1332
+ const length = bytes.length;
1333
+ const head = bytes[0];
1028
1334
  const tail = bytes.subarray(1);
1029
- const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
1030
- const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
1031
- return { x, y };
1032
- });
1335
+ if (length === comp && (head === 2 || head === 3)) {
1336
+ const x = Fp.fromBytes(tail);
1337
+ if (!Fp.isValid(x))
1338
+ throw new Error("bad point: is not on curve, wrong x");
1339
+ const y2 = weierstrassEquation(x);
1340
+ let y;
1341
+ try {
1342
+ y = Fp.sqrt(y2);
1343
+ } catch (sqrtError) {
1344
+ const err = sqrtError instanceof Error ? ": " + sqrtError.message : "";
1345
+ throw new Error("bad point: is not on curve, sqrt error" + err);
1346
+ }
1347
+ assertCompressionIsSupported();
1348
+ const isYOdd = Fp.isOdd(y);
1349
+ const isHeadOdd = (head & 1) === 1;
1350
+ if (isHeadOdd !== isYOdd)
1351
+ y = Fp.neg(y);
1352
+ return { x, y };
1353
+ } else if (length === uncomp && head === 4) {
1354
+ const L = Fp.BYTES;
1355
+ const x = Fp.fromBytes(tail.subarray(0, L));
1356
+ const y = Fp.fromBytes(tail.subarray(L, L * 2));
1357
+ if (!isValidXY(x, y))
1358
+ throw new Error("bad point: is not on curve");
1359
+ return { x, y };
1360
+ } else {
1361
+ throw new Error(`bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`);
1362
+ }
1363
+ }
1364
+ const encodePoint = extraOpts.toBytes || pointToBytes2;
1365
+ const decodePoint = extraOpts.fromBytes || pointFromBytes;
1033
1366
  function weierstrassEquation(x) {
1034
- const { a, b } = CURVE;
1035
1367
  const x2 = Fp.sqr(x);
1036
1368
  const x3 = Fp.mul(x2, x);
1037
- return Fp.add(Fp.add(x3, Fp.mul(x, a)), b);
1369
+ return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b);
1038
1370
  }
1039
1371
  function isValidXY(x, y) {
1040
1372
  const left = Fp.sqr(y);
@@ -1047,89 +1379,86 @@ function weierstrassPoints(opts) {
1047
1379
  const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
1048
1380
  if (Fp.is0(Fp.add(_4a3, _27b2)))
1049
1381
  throw new Error("bad curve params: a or b");
1050
- function isWithinCurveOrder(num2) {
1051
- return inRange(num2, _1n3, CURVE.n);
1052
- }
1053
- function normPrivateKeyToScalar(key) {
1054
- const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
1055
- if (lengths && typeof key !== "bigint") {
1056
- if (isBytes(key))
1057
- key = bytesToHex(key);
1058
- if (typeof key !== "string" || !lengths.includes(key.length))
1059
- throw new Error("invalid private key");
1060
- key = key.padStart(nByteLength * 2, "0");
1061
- }
1062
- let num2;
1063
- try {
1064
- num2 = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
1065
- } catch (error) {
1066
- throw new Error("invalid private key, expected hex or " + nByteLength + " bytes, got " + typeof key);
1067
- }
1068
- if (wrapPrivateKey)
1069
- num2 = mod(num2, N);
1070
- aInRange("private key", num2, _1n3, N);
1071
- return num2;
1382
+ function acoord(title, n, banZero = false) {
1383
+ if (!Fp.isValid(n) || banZero && Fp.is0(n))
1384
+ throw new Error(`bad point coordinate ${title}`);
1385
+ return n;
1072
1386
  }
1073
1387
  function aprjpoint(other) {
1074
- if (!(other instanceof Point2))
1388
+ if (!(other instanceof Point))
1075
1389
  throw new Error("ProjectivePoint expected");
1076
1390
  }
1391
+ function splitEndoScalarN(k) {
1392
+ if (!endo || !endo.basises)
1393
+ throw new Error("no endo");
1394
+ return _splitEndoScalar(k, endo.basises, Fn.ORDER);
1395
+ }
1077
1396
  const toAffineMemo = memoized((p, iz) => {
1078
- const { px: x, py: y, pz: z } = p;
1079
- if (Fp.eql(z, Fp.ONE))
1080
- return { x, y };
1397
+ const { X, Y, Z } = p;
1398
+ if (Fp.eql(Z, Fp.ONE))
1399
+ return { x: X, y: Y };
1081
1400
  const is0 = p.is0();
1082
1401
  if (iz == null)
1083
- iz = is0 ? Fp.ONE : Fp.inv(z);
1084
- const ax = Fp.mul(x, iz);
1085
- const ay = Fp.mul(y, iz);
1086
- const zz = Fp.mul(z, iz);
1402
+ iz = is0 ? Fp.ONE : Fp.inv(Z);
1403
+ const x = Fp.mul(X, iz);
1404
+ const y = Fp.mul(Y, iz);
1405
+ const zz = Fp.mul(Z, iz);
1087
1406
  if (is0)
1088
1407
  return { x: Fp.ZERO, y: Fp.ZERO };
1089
1408
  if (!Fp.eql(zz, Fp.ONE))
1090
1409
  throw new Error("invZ was invalid");
1091
- return { x: ax, y: ay };
1410
+ return { x, y };
1092
1411
  });
1093
1412
  const assertValidMemo = memoized((p) => {
1094
1413
  if (p.is0()) {
1095
- if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
1414
+ if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y))
1096
1415
  return;
1097
1416
  throw new Error("bad point: ZERO");
1098
1417
  }
1099
1418
  const { x, y } = p.toAffine();
1100
1419
  if (!Fp.isValid(x) || !Fp.isValid(y))
1101
- throw new Error("bad point: x or y not FE");
1420
+ throw new Error("bad point: x or y not field elements");
1102
1421
  if (!isValidXY(x, y))
1103
1422
  throw new Error("bad point: equation left != right");
1104
1423
  if (!p.isTorsionFree())
1105
1424
  throw new Error("bad point: not in prime-order subgroup");
1106
1425
  return true;
1107
1426
  });
1108
- class Point2 {
1109
- constructor(px, py, pz) {
1110
- if (px == null || !Fp.isValid(px))
1111
- throw new Error("x required");
1112
- if (py == null || !Fp.isValid(py) || Fp.is0(py))
1113
- throw new Error("y required");
1114
- if (pz == null || !Fp.isValid(pz))
1115
- throw new Error("z required");
1116
- this.px = px;
1117
- this.py = py;
1118
- this.pz = pz;
1427
+ function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
1428
+ k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
1429
+ k1p = negateCt(k1neg, k1p);
1430
+ k2p = negateCt(k2neg, k2p);
1431
+ return k1p.add(k2p);
1432
+ }
1433
+ class Point {
1434
+ /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
1435
+ constructor(X, Y, Z) {
1436
+ this.X = acoord("x", X);
1437
+ this.Y = acoord("y", Y, true);
1438
+ this.Z = acoord("z", Z);
1119
1439
  Object.freeze(this);
1120
1440
  }
1121
- // Does not validate if the point is on-curve.
1122
- // Use fromHex instead, or call assertValidity() later.
1441
+ static CURVE() {
1442
+ return CURVE;
1443
+ }
1444
+ /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
1123
1445
  static fromAffine(p) {
1124
1446
  const { x, y } = p || {};
1125
1447
  if (!p || !Fp.isValid(x) || !Fp.isValid(y))
1126
1448
  throw new Error("invalid affine point");
1127
- if (p instanceof Point2)
1449
+ if (p instanceof Point)
1128
1450
  throw new Error("projective point not allowed");
1129
- const is0 = (i) => Fp.eql(i, Fp.ZERO);
1130
- if (is0(x) && is0(y))
1131
- return Point2.ZERO;
1132
- return new Point2(x, y, Fp.ONE);
1451
+ if (Fp.is0(x) && Fp.is0(y))
1452
+ return Point.ZERO;
1453
+ return new Point(x, y, Fp.ONE);
1454
+ }
1455
+ static fromBytes(bytes) {
1456
+ const P = Point.fromAffine(decodePoint(_abytes2(bytes, void 0, "point")));
1457
+ P.assertValidity();
1458
+ return P;
1459
+ }
1460
+ static fromHex(hex) {
1461
+ return Point.fromBytes(ensureBytes("pointHex", hex));
1133
1462
  }
1134
1463
  get x() {
1135
1464
  return this.toAffine().x;
@@ -1138,62 +1467,40 @@ function weierstrassPoints(opts) {
1138
1467
  return this.toAffine().y;
1139
1468
  }
1140
1469
  /**
1141
- * Takes a bunch of Projective Points but executes only one
1142
- * inversion on all of them. Inversion is very slow operation,
1143
- * so this improves performance massively.
1144
- * Optimization: converts a list of projective points to a list of identical points with Z=1.
1145
- */
1146
- static normalizeZ(points) {
1147
- const toInv = FpInvertBatch(Fp, points.map((p) => p.pz));
1148
- return points.map((p, i) => p.toAffine(toInv[i])).map(Point2.fromAffine);
1149
- }
1150
- /**
1151
- * Converts hash string or Uint8Array to Point.
1152
- * @param hex short/long ECDSA hex
1470
+ *
1471
+ * @param windowSize
1472
+ * @param isLazy true will defer table computation until the first multiplication
1473
+ * @returns
1153
1474
  */
1154
- static fromHex(hex) {
1155
- const P = Point2.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
1156
- P.assertValidity();
1157
- return P;
1158
- }
1159
- // Multiplies generator point by privateKey.
1160
- static fromPrivateKey(privateKey) {
1161
- return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
1162
- }
1163
- // Multiscalar Multiplication
1164
- static msm(points, scalars) {
1165
- return pippenger(Point2, Fn, points, scalars);
1166
- }
1167
- // "Private method", don't use it directly
1168
- _setWindowSize(windowSize) {
1169
- wnaf.setWindowSize(this, windowSize);
1475
+ precompute(windowSize = 8, isLazy = true) {
1476
+ wnaf.createCache(this, windowSize);
1477
+ if (!isLazy)
1478
+ this.multiply(_3n2);
1479
+ return this;
1170
1480
  }
1171
- // A point on curve is valid if it conforms to equation.
1481
+ // TODO: return `this`
1482
+ /** A point on curve is valid if it conforms to equation. */
1172
1483
  assertValidity() {
1173
1484
  assertValidMemo(this);
1174
1485
  }
1175
1486
  hasEvenY() {
1176
1487
  const { y } = this.toAffine();
1177
- if (Fp.isOdd)
1178
- return !Fp.isOdd(y);
1179
- throw new Error("Field doesn't support isOdd");
1488
+ if (!Fp.isOdd)
1489
+ throw new Error("Field doesn't support isOdd");
1490
+ return !Fp.isOdd(y);
1180
1491
  }
1181
- /**
1182
- * Compare one point to another.
1183
- */
1492
+ /** Compare one point to another. */
1184
1493
  equals(other) {
1185
1494
  aprjpoint(other);
1186
- const { px: X1, py: Y1, pz: Z1 } = this;
1187
- const { px: X2, py: Y2, pz: Z2 } = other;
1495
+ const { X: X1, Y: Y1, Z: Z1 } = this;
1496
+ const { X: X2, Y: Y2, Z: Z2 } = other;
1188
1497
  const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
1189
1498
  const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
1190
1499
  return U1 && U2;
1191
1500
  }
1192
- /**
1193
- * Flips point to one corresponding to (x, -y) in Affine coordinates.
1194
- */
1501
+ /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
1195
1502
  negate() {
1196
- return new Point2(this.px, Fp.neg(this.py), this.pz);
1503
+ return new Point(this.X, Fp.neg(this.Y), this.Z);
1197
1504
  }
1198
1505
  // Renes-Costello-Batina exception-free doubling formula.
1199
1506
  // There is 30% faster Jacobian formula, but it is not complete.
@@ -1202,7 +1509,7 @@ function weierstrassPoints(opts) {
1202
1509
  double() {
1203
1510
  const { a, b } = CURVE;
1204
1511
  const b3 = Fp.mul(b, _3n2);
1205
- const { px: X1, py: Y1, pz: Z1 } = this;
1512
+ const { X: X1, Y: Y1, Z: Z1 } = this;
1206
1513
  let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1207
1514
  let t0 = Fp.mul(X1, X1);
1208
1515
  let t1 = Fp.mul(Y1, Y1);
@@ -1235,7 +1542,7 @@ function weierstrassPoints(opts) {
1235
1542
  Z3 = Fp.mul(t2, t1);
1236
1543
  Z3 = Fp.add(Z3, Z3);
1237
1544
  Z3 = Fp.add(Z3, Z3);
1238
- return new Point2(X3, Y3, Z3);
1545
+ return new Point(X3, Y3, Z3);
1239
1546
  }
1240
1547
  // Renes-Costello-Batina exception-free addition formula.
1241
1548
  // There is 30% faster Jacobian formula, but it is not complete.
@@ -1243,8 +1550,8 @@ function weierstrassPoints(opts) {
1243
1550
  // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
1244
1551
  add(other) {
1245
1552
  aprjpoint(other);
1246
- const { px: X1, py: Y1, pz: Z1 } = this;
1247
- const { px: X2, py: Y2, pz: Z2 } = other;
1553
+ const { X: X1, Y: Y1, Z: Z1 } = this;
1554
+ const { X: X2, Y: Y2, Z: Z2 } = other;
1248
1555
  let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1249
1556
  const a = CURVE.a;
1250
1557
  const b3 = Fp.mul(CURVE.b, _3n2);
@@ -1288,51 +1595,13 @@ function weierstrassPoints(opts) {
1288
1595
  t0 = Fp.mul(t3, t1);
1289
1596
  Z3 = Fp.mul(t5, Z3);
1290
1597
  Z3 = Fp.add(Z3, t0);
1291
- return new Point2(X3, Y3, Z3);
1598
+ return new Point(X3, Y3, Z3);
1292
1599
  }
1293
1600
  subtract(other) {
1294
1601
  return this.add(other.negate());
1295
1602
  }
1296
1603
  is0() {
1297
- return this.equals(Point2.ZERO);
1298
- }
1299
- wNAF(n) {
1300
- return wnaf.wNAFCached(this, n, Point2.normalizeZ);
1301
- }
1302
- /**
1303
- * Non-constant-time multiplication. Uses double-and-add algorithm.
1304
- * It's faster, but should only be used when you don't care about
1305
- * an exposed private key e.g. sig verification, which works over *public* keys.
1306
- */
1307
- multiplyUnsafe(sc) {
1308
- const { endo: endo2, n: N } = CURVE;
1309
- aInRange("scalar", sc, _0n3, N);
1310
- const I = Point2.ZERO;
1311
- if (sc === _0n3)
1312
- return I;
1313
- if (this.is0() || sc === _1n3)
1314
- return this;
1315
- if (!endo2 || wnaf.hasPrecomputes(this))
1316
- return wnaf.wNAFCachedUnsafe(this, sc, Point2.normalizeZ);
1317
- let { k1neg, k1, k2neg, k2 } = endo2.splitScalar(sc);
1318
- let k1p = I;
1319
- let k2p = I;
1320
- let d = this;
1321
- while (k1 > _0n3 || k2 > _0n3) {
1322
- if (k1 & _1n3)
1323
- k1p = k1p.add(d);
1324
- if (k2 & _1n3)
1325
- k2p = k2p.add(d);
1326
- d = d.double();
1327
- k1 >>= _1n3;
1328
- k2 >>= _1n3;
1329
- }
1330
- if (k1neg)
1331
- k1p = k1p.negate();
1332
- if (k2neg)
1333
- k2p = k2p.negate();
1334
- k2p = new Point2(Fp.mul(k2p.px, endo2.beta), k2p.py, k2p.pz);
1335
- return k1p.add(k2p);
1604
+ return this.equals(Point.ZERO);
1336
1605
  }
1337
1606
  /**
1338
1607
  * Constant time multiplication.
@@ -1344,432 +1613,145 @@ function weierstrassPoints(opts) {
1344
1613
  * @returns New point
1345
1614
  */
1346
1615
  multiply(scalar) {
1347
- const { endo: endo2, n: N } = CURVE;
1348
- aInRange("scalar", scalar, _1n3, N);
1616
+ const { endo: endo2 } = extraOpts;
1617
+ if (!Fn.isValidNot0(scalar))
1618
+ throw new Error("invalid scalar: out of range");
1349
1619
  let point, fake;
1620
+ const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
1350
1621
  if (endo2) {
1351
- const { k1neg, k1, k2neg, k2 } = endo2.splitScalar(scalar);
1352
- let { p: k1p, f: f1p } = this.wNAF(k1);
1353
- let { p: k2p, f: f2p } = this.wNAF(k2);
1354
- k1p = wnaf.constTimeNegate(k1neg, k1p);
1355
- k2p = wnaf.constTimeNegate(k2neg, k2p);
1356
- k2p = new Point2(Fp.mul(k2p.px, endo2.beta), k2p.py, k2p.pz);
1357
- point = k1p.add(k2p);
1358
- fake = f1p.add(f2p);
1622
+ const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
1623
+ const { p: k1p, f: k1f } = mul(k1);
1624
+ const { p: k2p, f: k2f } = mul(k2);
1625
+ fake = k1f.add(k2f);
1626
+ point = finishEndo(endo2.beta, k1p, k2p, k1neg, k2neg);
1359
1627
  } else {
1360
- const { p, f } = this.wNAF(scalar);
1628
+ const { p, f } = mul(scalar);
1361
1629
  point = p;
1362
1630
  fake = f;
1363
1631
  }
1364
- return Point2.normalizeZ([point, fake])[0];
1632
+ return normalizeZ(Point, [point, fake])[0];
1365
1633
  }
1366
1634
  /**
1367
- * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
1368
- * Not using Strauss-Shamir trick: precomputation tables are faster.
1369
- * The trick could be useful if both P and Q are not G (not in our case).
1370
- * @returns non-zero affine point
1635
+ * Non-constant-time multiplication. Uses double-and-add algorithm.
1636
+ * It's faster, but should only be used when you don't care about
1637
+ * an exposed secret key e.g. sig verification, which works over *public* keys.
1371
1638
  */
1639
+ multiplyUnsafe(sc) {
1640
+ const { endo: endo2 } = extraOpts;
1641
+ const p = this;
1642
+ if (!Fn.isValid(sc))
1643
+ throw new Error("invalid scalar: out of range");
1644
+ if (sc === _0n4 || p.is0())
1645
+ return Point.ZERO;
1646
+ if (sc === _1n4)
1647
+ return p;
1648
+ if (wnaf.hasCache(this))
1649
+ return this.multiply(sc);
1650
+ if (endo2) {
1651
+ const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
1652
+ const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2);
1653
+ return finishEndo(endo2.beta, p1, p2, k1neg, k2neg);
1654
+ } else {
1655
+ return wnaf.unsafe(p, sc);
1656
+ }
1657
+ }
1372
1658
  multiplyAndAddUnsafe(Q, a, b) {
1373
- const G = Point2.BASE;
1374
- const mul = (P, a2) => a2 === _0n3 || a2 === _1n3 || !P.equals(G) ? P.multiplyUnsafe(a2) : P.multiply(a2);
1375
- const sum = mul(this, a).add(mul(Q, b));
1659
+ const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
1376
1660
  return sum.is0() ? void 0 : sum;
1377
1661
  }
1378
- // Converts Projective point to affine (x, y) coordinates.
1379
- // Can accept precomputed Z^-1 - for example, from invertBatch.
1380
- // (x, y, z) (x=x/z, y=y/z)
1381
- toAffine(iz) {
1382
- return toAffineMemo(this, iz);
1662
+ /**
1663
+ * Converts Projective point to affine (x, y) coordinates.
1664
+ * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
1665
+ */
1666
+ toAffine(invertedZ) {
1667
+ return toAffineMemo(this, invertedZ);
1383
1668
  }
1669
+ /**
1670
+ * Checks whether Point is free of torsion elements (is in prime subgroup).
1671
+ * Always torsion-free for cofactor=1 curves.
1672
+ */
1384
1673
  isTorsionFree() {
1385
- const { h: cofactor, isTorsionFree } = CURVE;
1386
- if (cofactor === _1n3)
1674
+ const { isTorsionFree } = extraOpts;
1675
+ if (cofactor === _1n4)
1387
1676
  return true;
1388
1677
  if (isTorsionFree)
1389
- return isTorsionFree(Point2, this);
1390
- throw new Error("isTorsionFree() has not been declared for the elliptic curve");
1678
+ return isTorsionFree(Point, this);
1679
+ return wnaf.unsafe(this, CURVE_ORDER).is0();
1391
1680
  }
1392
1681
  clearCofactor() {
1393
- const { h: cofactor, clearCofactor } = CURVE;
1394
- if (cofactor === _1n3)
1682
+ const { clearCofactor } = extraOpts;
1683
+ if (cofactor === _1n4)
1395
1684
  return this;
1396
1685
  if (clearCofactor)
1397
- return clearCofactor(Point2, this);
1398
- return this.multiplyUnsafe(CURVE.h);
1686
+ return clearCofactor(Point, this);
1687
+ return this.multiplyUnsafe(cofactor);
1399
1688
  }
1400
- toRawBytes(isCompressed = true) {
1401
- abool("isCompressed", isCompressed);
1689
+ isSmallOrder() {
1690
+ return this.multiplyUnsafe(cofactor).is0();
1691
+ }
1692
+ toBytes(isCompressed = true) {
1693
+ _abool2(isCompressed, "isCompressed");
1402
1694
  this.assertValidity();
1403
- return toBytes2(Point2, this, isCompressed);
1695
+ return encodePoint(Point, this, isCompressed);
1404
1696
  }
1405
1697
  toHex(isCompressed = true) {
1406
- abool("isCompressed", isCompressed);
1407
- return bytesToHex(this.toRawBytes(isCompressed));
1698
+ return bytesToHex(this.toBytes(isCompressed));
1408
1699
  }
1409
- }
1410
- Point2.BASE = new Point2(CURVE.Gx, CURVE.Gy, Fp.ONE);
1411
- Point2.ZERO = new Point2(Fp.ZERO, Fp.ONE, Fp.ZERO);
1412
- const { endo, nBitLength } = CURVE;
1413
- const wnaf = wNAF(Point2, endo ? Math.ceil(nBitLength / 2) : nBitLength);
1414
- return {
1415
- CURVE,
1416
- ProjectivePoint: Point2,
1417
- normPrivateKeyToScalar,
1418
- weierstrassEquation,
1419
- isWithinCurveOrder
1420
- };
1421
- }
1422
- function validateOpts(curve) {
1423
- const opts = validateBasic(curve);
1424
- validateObject(opts, {
1425
- hash: "hash",
1426
- hmac: "function",
1427
- randomBytes: "function"
1428
- }, {
1429
- bits2int: "function",
1430
- bits2int_modN: "function",
1431
- lowS: "boolean"
1432
- });
1433
- return Object.freeze({ lowS: true, ...opts });
1434
- }
1435
- function weierstrass(curveDef) {
1436
- const CURVE = validateOpts(curveDef);
1437
- const { Fp, n: CURVE_ORDER, nByteLength, nBitLength } = CURVE;
1438
- const compressedLen = Fp.BYTES + 1;
1439
- const uncompressedLen = 2 * Fp.BYTES + 1;
1440
- function modN2(a) {
1441
- return mod(a, CURVE_ORDER);
1442
- }
1443
- function invN(a) {
1444
- return invert(a, CURVE_ORDER);
1445
- }
1446
- const { ProjectivePoint: Point2, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
1447
- ...CURVE,
1448
- toBytes(_c, point, isCompressed) {
1449
- const a = point.toAffine();
1450
- const x = Fp.toBytes(a.x);
1451
- const cat = concatBytes2;
1452
- abool("isCompressed", isCompressed);
1453
- if (isCompressed) {
1454
- return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
1455
- } else {
1456
- return cat(Uint8Array.from([4]), x, Fp.toBytes(a.y));
1457
- }
1458
- },
1459
- fromBytes(bytes) {
1460
- const len = bytes.length;
1461
- const head = bytes[0];
1462
- const tail = bytes.subarray(1);
1463
- if (len === compressedLen && (head === 2 || head === 3)) {
1464
- const x = bytesToNumberBE(tail);
1465
- if (!inRange(x, _1n3, Fp.ORDER))
1466
- throw new Error("Point is not on curve");
1467
- const y2 = weierstrassEquation(x);
1468
- let y;
1469
- try {
1470
- y = Fp.sqrt(y2);
1471
- } catch (sqrtError) {
1472
- const suffix = sqrtError instanceof Error ? ": " + sqrtError.message : "";
1473
- throw new Error("Point is not on curve" + suffix);
1474
- }
1475
- const isYOdd = (y & _1n3) === _1n3;
1476
- const isHeadOdd = (head & 1) === 1;
1477
- if (isHeadOdd !== isYOdd)
1478
- y = Fp.neg(y);
1479
- return { x, y };
1480
- } else if (len === uncompressedLen && head === 4) {
1481
- const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
1482
- const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
1483
- return { x, y };
1484
- } else {
1485
- const cl = compressedLen;
1486
- const ul = uncompressedLen;
1487
- throw new Error("invalid Point, expected length of " + cl + ", or uncompressed " + ul + ", got " + len);
1488
- }
1700
+ toString() {
1701
+ return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
1489
1702
  }
1490
- });
1491
- function isBiggerThanHalfOrder(number) {
1492
- const HALF = CURVE_ORDER >> _1n3;
1493
- return number > HALF;
1494
- }
1495
- function normalizeS(s) {
1496
- return isBiggerThanHalfOrder(s) ? modN2(-s) : s;
1497
- }
1498
- const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
1499
- class Signature {
1500
- constructor(r, s, recovery) {
1501
- aInRange("r", r, _1n3, CURVE_ORDER);
1502
- aInRange("s", s, _1n3, CURVE_ORDER);
1503
- this.r = r;
1504
- this.s = s;
1505
- if (recovery != null)
1506
- this.recovery = recovery;
1507
- Object.freeze(this);
1508
- }
1509
- // pair (bytes of r, bytes of s)
1510
- static fromCompact(hex) {
1511
- const l = nByteLength;
1512
- hex = ensureBytes("compactSignature", hex, l * 2);
1513
- return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
1514
- }
1515
- // DER encoded ECDSA signature
1516
- // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
1517
- static fromDER(hex) {
1518
- const { r, s } = DER.toSig(ensureBytes("DER", hex));
1519
- return new Signature(r, s);
1703
+ // TODO: remove
1704
+ get px() {
1705
+ return this.X;
1520
1706
  }
1521
- /**
1522
- * @todo remove
1523
- * @deprecated
1524
- */
1525
- assertValidity() {
1707
+ get py() {
1708
+ return this.X;
1526
1709
  }
1527
- addRecoveryBit(recovery) {
1528
- return new Signature(this.r, this.s, recovery);
1710
+ get pz() {
1711
+ return this.Z;
1529
1712
  }
1530
- recoverPublicKey(msgHash) {
1531
- const { r, s, recovery: rec } = this;
1532
- const h = bits2int_modN(ensureBytes("msgHash", msgHash));
1533
- if (rec == null || ![0, 1, 2, 3].includes(rec))
1534
- throw new Error("recovery id invalid");
1535
- const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
1536
- if (radj >= Fp.ORDER)
1537
- throw new Error("recovery id 2 or 3 invalid");
1538
- const prefix = (rec & 1) === 0 ? "02" : "03";
1539
- const R = Point2.fromHex(prefix + numToSizedHex(radj, Fp.BYTES));
1540
- const ir = invN(radj);
1541
- const u1 = modN2(-h * ir);
1542
- const u2 = modN2(s * ir);
1543
- const Q = Point2.BASE.multiplyAndAddUnsafe(R, u1, u2);
1544
- if (!Q)
1545
- throw new Error("point at infinify");
1546
- Q.assertValidity();
1547
- return Q;
1548
- }
1549
- // Signatures should be low-s, to prevent malleability.
1550
- hasHighS() {
1551
- return isBiggerThanHalfOrder(this.s);
1552
- }
1553
- normalizeS() {
1554
- return this.hasHighS() ? new Signature(this.r, modN2(-this.s), this.recovery) : this;
1555
- }
1556
- // DER-encoded
1557
- toDERRawBytes() {
1558
- return hexToBytes(this.toDERHex());
1559
- }
1560
- toDERHex() {
1561
- return DER.hexFromSig(this);
1562
- }
1563
- // padded bytes of r, then padded bytes of s
1564
- toCompactRawBytes() {
1565
- return hexToBytes(this.toCompactHex());
1566
- }
1567
- toCompactHex() {
1568
- const l = nByteLength;
1569
- return numToSizedHex(this.r, l) + numToSizedHex(this.s, l);
1570
- }
1571
- }
1572
- const utils = {
1573
- isValidPrivateKey(privateKey) {
1574
- try {
1575
- normPrivateKeyToScalar(privateKey);
1576
- return true;
1577
- } catch (error) {
1578
- return false;
1579
- }
1580
- },
1581
- normPrivateKeyToScalar,
1582
- /**
1583
- * Produces cryptographically secure private key from random of size
1584
- * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
1585
- */
1586
- randomPrivateKey: () => {
1587
- const length = getMinHashLength(CURVE.n);
1588
- return mapHashToField(CURVE.randomBytes(length), CURVE.n);
1589
- },
1590
- /**
1591
- * Creates precompute table for an arbitrary EC point. Makes point "cached".
1592
- * Allows to massively speed-up `point.multiply(scalar)`.
1593
- * @returns cached point
1594
- * @example
1595
- * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
1596
- * fast.multiply(privKey); // much faster ECDH now
1597
- */
1598
- precompute(windowSize = 8, point = Point2.BASE) {
1599
- point._setWindowSize(windowSize);
1600
- point.multiply(BigInt(3));
1601
- return point;
1713
+ toRawBytes(isCompressed = true) {
1714
+ return this.toBytes(isCompressed);
1602
1715
  }
1603
- };
1604
- function getPublicKey(privateKey, isCompressed = true) {
1605
- return Point2.fromPrivateKey(privateKey).toRawBytes(isCompressed);
1606
- }
1607
- function isProbPub(item) {
1608
- if (typeof item === "bigint")
1609
- return false;
1610
- if (item instanceof Point2)
1611
- return true;
1612
- const arr = ensureBytes("key", item);
1613
- const len = arr.length;
1614
- const fpl = Fp.BYTES;
1615
- const compLen = fpl + 1;
1616
- const uncompLen = 2 * fpl + 1;
1617
- if (CURVE.allowedPrivateKeyLengths || nByteLength === compLen) {
1618
- return void 0;
1619
- } else {
1620
- return len === compLen || len === uncompLen;
1716
+ _setWindowSize(windowSize) {
1717
+ this.precompute(windowSize);
1621
1718
  }
1622
- }
1623
- function getSharedSecret(privateA, publicB, isCompressed = true) {
1624
- if (isProbPub(privateA) === true)
1625
- throw new Error("first arg must be private key");
1626
- if (isProbPub(publicB) === false)
1627
- throw new Error("second arg must be public key");
1628
- const b = Point2.fromHex(publicB);
1629
- return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
1630
- }
1631
- const bits2int = CURVE.bits2int || function(bytes) {
1632
- if (bytes.length > 8192)
1633
- throw new Error("input is too large");
1634
- const num2 = bytesToNumberBE(bytes);
1635
- const delta = bytes.length * 8 - nBitLength;
1636
- return delta > 0 ? num2 >> BigInt(delta) : num2;
1637
- };
1638
- const bits2int_modN = CURVE.bits2int_modN || function(bytes) {
1639
- return modN2(bits2int(bytes));
1640
- };
1641
- const ORDER_MASK = bitMask(nBitLength);
1642
- function int2octets(num2) {
1643
- aInRange("num < 2^" + nBitLength, num2, _0n3, ORDER_MASK);
1644
- return numberToBytesBE(num2, nByteLength);
1645
- }
1646
- function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
1647
- if (["recovered", "canonical"].some((k) => k in opts))
1648
- throw new Error("sign() legacy options not supported");
1649
- const { hash, randomBytes: randomBytes2 } = CURVE;
1650
- let { lowS, prehash, extraEntropy: ent } = opts;
1651
- if (lowS == null)
1652
- lowS = true;
1653
- msgHash = ensureBytes("msgHash", msgHash);
1654
- validateSigVerOpts(opts);
1655
- if (prehash)
1656
- msgHash = ensureBytes("prehashed msgHash", hash(msgHash));
1657
- const h1int = bits2int_modN(msgHash);
1658
- const d = normPrivateKeyToScalar(privateKey);
1659
- const seedArgs = [int2octets(d), int2octets(h1int)];
1660
- if (ent != null && ent !== false) {
1661
- const e = ent === true ? randomBytes2(Fp.BYTES) : ent;
1662
- seedArgs.push(ensureBytes("extraEntropy", e));
1719
+ static normalizeZ(points) {
1720
+ return normalizeZ(Point, points);
1663
1721
  }
1664
- const seed = concatBytes2(...seedArgs);
1665
- const m = h1int;
1666
- function k2sig(kBytes) {
1667
- const k = bits2int(kBytes);
1668
- if (!isWithinCurveOrder(k))
1669
- return;
1670
- const ik = invN(k);
1671
- const q = Point2.BASE.multiply(k).toAffine();
1672
- const r = modN2(q.x);
1673
- if (r === _0n3)
1674
- return;
1675
- const s = modN2(ik * modN2(m + r * d));
1676
- if (s === _0n3)
1677
- return;
1678
- let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n3);
1679
- let normS = s;
1680
- if (lowS && isBiggerThanHalfOrder(s)) {
1681
- normS = normalizeS(s);
1682
- recovery ^= 1;
1683
- }
1684
- return new Signature(r, normS, recovery);
1722
+ static msm(points, scalars) {
1723
+ return pippenger(Point, Fn, points, scalars);
1685
1724
  }
1686
- return { seed, k2sig };
1687
- }
1688
- const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };
1689
- const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };
1690
- function sign(msgHash, privKey, opts = defaultSigOpts) {
1691
- const { seed, k2sig } = prepSig(msgHash, privKey, opts);
1692
- const C = CURVE;
1693
- const drbg = createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
1694
- return drbg(seed, k2sig);
1695
- }
1696
- Point2.BASE._setWindowSize(8);
1697
- function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
1698
- const sg = signature;
1699
- msgHash = ensureBytes("msgHash", msgHash);
1700
- publicKey = ensureBytes("publicKey", publicKey);
1701
- const { lowS, prehash, format } = opts;
1702
- validateSigVerOpts(opts);
1703
- if ("strict" in opts)
1704
- throw new Error("options.strict was renamed to lowS");
1705
- if (format !== void 0 && format !== "compact" && format !== "der")
1706
- throw new Error("format must be compact or der");
1707
- const isHex = typeof sg === "string" || isBytes(sg);
1708
- const isObj = !isHex && !format && typeof sg === "object" && sg !== null && typeof sg.r === "bigint" && typeof sg.s === "bigint";
1709
- if (!isHex && !isObj)
1710
- throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
1711
- let _sig = void 0;
1712
- let P;
1713
- try {
1714
- if (isObj)
1715
- _sig = new Signature(sg.r, sg.s);
1716
- if (isHex) {
1717
- try {
1718
- if (format !== "compact")
1719
- _sig = Signature.fromDER(sg);
1720
- } catch (derError) {
1721
- if (!(derError instanceof DER.Err))
1722
- throw derError;
1723
- }
1724
- if (!_sig && format !== "der")
1725
- _sig = Signature.fromCompact(sg);
1726
- }
1727
- P = Point2.fromHex(publicKey);
1728
- } catch (error) {
1729
- return false;
1725
+ static fromPrivateKey(privateKey) {
1726
+ return Point.BASE.multiply(_normFnElement(Fn, privateKey));
1730
1727
  }
1731
- if (!_sig)
1732
- return false;
1733
- if (lowS && _sig.hasHighS())
1734
- return false;
1735
- if (prehash)
1736
- msgHash = CURVE.hash(msgHash);
1737
- const { r, s } = _sig;
1738
- const h = bits2int_modN(msgHash);
1739
- const is = invN(s);
1740
- const u1 = modN2(h * is);
1741
- const u2 = modN2(r * is);
1742
- const R = Point2.BASE.multiplyAndAddUnsafe(P, u1, u2)?.toAffine();
1743
- if (!R)
1744
- return false;
1745
- const v = modN2(R.x);
1746
- return v === r;
1747
1728
  }
1748
- return {
1749
- CURVE,
1750
- getPublicKey,
1751
- getSharedSecret,
1752
- sign,
1753
- verify,
1754
- ProjectivePoint: Point2,
1755
- Signature,
1756
- utils
1757
- };
1729
+ Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
1730
+ Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
1731
+ Point.Fp = Fp;
1732
+ Point.Fn = Fn;
1733
+ const bits = Fn.BITS;
1734
+ const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
1735
+ Point.BASE.precompute(8);
1736
+ return Point;
1737
+ }
1738
+ function pprefix(hasEvenY) {
1739
+ return Uint8Array.of(hasEvenY ? 2 : 3);
1758
1740
  }
1759
1741
  function SWUFpSqrtRatio(Fp, Z) {
1760
1742
  const q = Fp.ORDER;
1761
- let l = _0n3;
1762
- for (let o = q - _1n3; o % _2n2 === _0n3; o /= _2n2)
1763
- l += _1n3;
1743
+ let l = _0n4;
1744
+ for (let o = q - _1n4; o % _2n2 === _0n4; o /= _2n2)
1745
+ l += _1n4;
1764
1746
  const c1 = l;
1765
- const _2n_pow_c1_1 = _2n2 << c1 - _1n3 - _1n3;
1747
+ const _2n_pow_c1_1 = _2n2 << c1 - _1n4 - _1n4;
1766
1748
  const _2n_pow_c1 = _2n_pow_c1_1 * _2n2;
1767
- const c2 = (q - _1n3) / _2n_pow_c1;
1768
- const c3 = (c2 - _1n3) / _2n2;
1769
- const c4 = _2n_pow_c1 - _1n3;
1749
+ const c2 = (q - _1n4) / _2n_pow_c1;
1750
+ const c3 = (c2 - _1n4) / _2n2;
1751
+ const c4 = _2n_pow_c1 - _1n4;
1770
1752
  const c5 = _2n_pow_c1_1;
1771
1753
  const c6 = Fp.pow(Z, c2);
1772
- const c7 = Fp.pow(Z, (c2 + _1n3) / _2n2);
1754
+ const c7 = Fp.pow(Z, (c2 + _1n4) / _2n2);
1773
1755
  let sqrtRatio = (u, v) => {
1774
1756
  let tv1 = c6;
1775
1757
  let tv2 = Fp.pow(v, c4);
@@ -1787,9 +1769,9 @@ function SWUFpSqrtRatio(Fp, Z) {
1787
1769
  tv5 = Fp.mul(tv4, tv1);
1788
1770
  tv3 = Fp.cmov(tv2, tv3, isQR);
1789
1771
  tv4 = Fp.cmov(tv5, tv4, isQR);
1790
- for (let i = c1; i > _1n3; i--) {
1772
+ for (let i = c1; i > _1n4; i--) {
1791
1773
  let tv52 = i - _2n2;
1792
- tv52 = _2n2 << tv52 - _1n3;
1774
+ tv52 = _2n2 << tv52 - _1n4;
1793
1775
  let tvv5 = Fp.pow(tv4, tv52);
1794
1776
  const e1 = Fp.eql(tvv5, Fp.ONE);
1795
1777
  tv2 = Fp.mul(tv3, tv1);
@@ -1820,28 +1802,29 @@ function SWUFpSqrtRatio(Fp, Z) {
1820
1802
  }
1821
1803
  function mapToCurveSimpleSWU(Fp, opts) {
1822
1804
  validateField(Fp);
1823
- if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
1805
+ const { A, B, Z } = opts;
1806
+ if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
1824
1807
  throw new Error("mapToCurveSimpleSWU: invalid opts");
1825
- const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);
1808
+ const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
1826
1809
  if (!Fp.isOdd)
1827
- throw new Error("Fp.isOdd is not implemented!");
1810
+ throw new Error("Field does not have .isOdd()");
1828
1811
  return (u) => {
1829
1812
  let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
1830
1813
  tv1 = Fp.sqr(u);
1831
- tv1 = Fp.mul(tv1, opts.Z);
1814
+ tv1 = Fp.mul(tv1, Z);
1832
1815
  tv2 = Fp.sqr(tv1);
1833
1816
  tv2 = Fp.add(tv2, tv1);
1834
1817
  tv3 = Fp.add(tv2, Fp.ONE);
1835
- tv3 = Fp.mul(tv3, opts.B);
1836
- tv4 = Fp.cmov(opts.Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO));
1837
- tv4 = Fp.mul(tv4, opts.A);
1818
+ tv3 = Fp.mul(tv3, B);
1819
+ tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO));
1820
+ tv4 = Fp.mul(tv4, A);
1838
1821
  tv2 = Fp.sqr(tv3);
1839
1822
  tv6 = Fp.sqr(tv4);
1840
- tv5 = Fp.mul(tv6, opts.A);
1823
+ tv5 = Fp.mul(tv6, A);
1841
1824
  tv2 = Fp.add(tv2, tv5);
1842
1825
  tv2 = Fp.mul(tv2, tv3);
1843
1826
  tv6 = Fp.mul(tv6, tv4);
1844
- tv5 = Fp.mul(tv6, opts.B);
1827
+ tv5 = Fp.mul(tv6, B);
1845
1828
  tv2 = Fp.add(tv2, tv5);
1846
1829
  x = Fp.mul(tv1, tv3);
1847
1830
  const { isValid, value } = sqrtRatio(tv2, tv6);
@@ -1856,21 +1839,415 @@ function mapToCurveSimpleSWU(Fp, opts) {
1856
1839
  return { x, y };
1857
1840
  };
1858
1841
  }
1859
-
1860
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/_shortw_utils.js
1861
- function getHash(hash) {
1842
+ function getWLengths(Fp, Fn) {
1862
1843
  return {
1863
- hash,
1864
- hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
1865
- randomBytes
1844
+ secretKey: Fn.BYTES,
1845
+ publicKey: 1 + Fp.BYTES,
1846
+ publicKeyUncompressed: 1 + 2 * Fp.BYTES,
1847
+ publicKeyHasPrefix: true,
1848
+ signature: 2 * Fn.BYTES
1849
+ };
1850
+ }
1851
+ function ecdh(Point, ecdhOpts = {}) {
1852
+ const { Fn } = Point;
1853
+ const randomBytes_ = ecdhOpts.randomBytes || randomBytes;
1854
+ const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
1855
+ function isValidSecretKey(secretKey) {
1856
+ try {
1857
+ return !!_normFnElement(Fn, secretKey);
1858
+ } catch (error) {
1859
+ return false;
1860
+ }
1861
+ }
1862
+ function isValidPublicKey(publicKey, isCompressed) {
1863
+ const { publicKey: comp, publicKeyUncompressed } = lengths;
1864
+ try {
1865
+ const l = publicKey.length;
1866
+ if (isCompressed === true && l !== comp)
1867
+ return false;
1868
+ if (isCompressed === false && l !== publicKeyUncompressed)
1869
+ return false;
1870
+ return !!Point.fromBytes(publicKey);
1871
+ } catch (error) {
1872
+ return false;
1873
+ }
1874
+ }
1875
+ function randomSecretKey(seed = randomBytes_(lengths.seed)) {
1876
+ return mapHashToField(_abytes2(seed, lengths.seed, "seed"), Fn.ORDER);
1877
+ }
1878
+ function getPublicKey(secretKey, isCompressed = true) {
1879
+ return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
1880
+ }
1881
+ function keygen(seed) {
1882
+ const secretKey = randomSecretKey(seed);
1883
+ return { secretKey, publicKey: getPublicKey(secretKey) };
1884
+ }
1885
+ function isProbPub(item) {
1886
+ if (typeof item === "bigint")
1887
+ return false;
1888
+ if (item instanceof Point)
1889
+ return true;
1890
+ const { secretKey, publicKey, publicKeyUncompressed } = lengths;
1891
+ if (Fn.allowedLengths || secretKey === publicKey)
1892
+ return void 0;
1893
+ const l = ensureBytes("key", item).length;
1894
+ return l === publicKey || l === publicKeyUncompressed;
1895
+ }
1896
+ function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
1897
+ if (isProbPub(secretKeyA) === true)
1898
+ throw new Error("first arg must be private key");
1899
+ if (isProbPub(publicKeyB) === false)
1900
+ throw new Error("second arg must be public key");
1901
+ const s = _normFnElement(Fn, secretKeyA);
1902
+ const b = Point.fromHex(publicKeyB);
1903
+ return b.multiply(s).toBytes(isCompressed);
1904
+ }
1905
+ const utils = {
1906
+ isValidSecretKey,
1907
+ isValidPublicKey,
1908
+ randomSecretKey,
1909
+ // TODO: remove
1910
+ isValidPrivateKey: isValidSecretKey,
1911
+ randomPrivateKey: randomSecretKey,
1912
+ normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
1913
+ precompute(windowSize = 8, point = Point.BASE) {
1914
+ return point.precompute(windowSize, false);
1915
+ }
1916
+ };
1917
+ return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
1918
+ }
1919
+ function ecdsa(Point, hash, ecdsaOpts = {}) {
1920
+ ahash(hash);
1921
+ _validateObject(ecdsaOpts, {}, {
1922
+ hmac: "function",
1923
+ lowS: "boolean",
1924
+ randomBytes: "function",
1925
+ bits2int: "function",
1926
+ bits2int_modN: "function"
1927
+ });
1928
+ const randomBytes2 = ecdsaOpts.randomBytes || randomBytes;
1929
+ const hmac2 = ecdsaOpts.hmac || ((key, ...msgs) => hmac(hash, key, concatBytes(...msgs)));
1930
+ const { Fp, Fn } = Point;
1931
+ const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
1932
+ const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
1933
+ const defaultSigOpts = {
1934
+ prehash: false,
1935
+ lowS: typeof ecdsaOpts.lowS === "boolean" ? ecdsaOpts.lowS : false,
1936
+ format: void 0,
1937
+ //'compact' as ECDSASigFormat,
1938
+ extraEntropy: false
1939
+ };
1940
+ const defaultSigOpts_format = "compact";
1941
+ function isBiggerThanHalfOrder(number) {
1942
+ const HALF = CURVE_ORDER >> _1n4;
1943
+ return number > HALF;
1944
+ }
1945
+ function validateRS(title, num2) {
1946
+ if (!Fn.isValidNot0(num2))
1947
+ throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
1948
+ return num2;
1949
+ }
1950
+ function validateSigLength(bytes, format) {
1951
+ validateSigFormat(format);
1952
+ const size = lengths.signature;
1953
+ const sizer = format === "compact" ? size : format === "recovered" ? size + 1 : void 0;
1954
+ return _abytes2(bytes, sizer, `${format} signature`);
1955
+ }
1956
+ class Signature {
1957
+ constructor(r, s, recovery) {
1958
+ this.r = validateRS("r", r);
1959
+ this.s = validateRS("s", s);
1960
+ if (recovery != null)
1961
+ this.recovery = recovery;
1962
+ Object.freeze(this);
1963
+ }
1964
+ static fromBytes(bytes, format = defaultSigOpts_format) {
1965
+ validateSigLength(bytes, format);
1966
+ let recid;
1967
+ if (format === "der") {
1968
+ const { r: r2, s: s2 } = DER.toSig(_abytes2(bytes));
1969
+ return new Signature(r2, s2);
1970
+ }
1971
+ if (format === "recovered") {
1972
+ recid = bytes[0];
1973
+ format = "compact";
1974
+ bytes = bytes.subarray(1);
1975
+ }
1976
+ const L = Fn.BYTES;
1977
+ const r = bytes.subarray(0, L);
1978
+ const s = bytes.subarray(L, L * 2);
1979
+ return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
1980
+ }
1981
+ static fromHex(hex, format) {
1982
+ return this.fromBytes(hexToBytes(hex), format);
1983
+ }
1984
+ addRecoveryBit(recovery) {
1985
+ return new Signature(this.r, this.s, recovery);
1986
+ }
1987
+ recoverPublicKey(messageHash) {
1988
+ const FIELD_ORDER = Fp.ORDER;
1989
+ const { r, s, recovery: rec } = this;
1990
+ if (rec == null || ![0, 1, 2, 3].includes(rec))
1991
+ throw new Error("recovery id invalid");
1992
+ const hasCofactor = CURVE_ORDER * _2n2 < FIELD_ORDER;
1993
+ if (hasCofactor && rec > 1)
1994
+ throw new Error("recovery id is ambiguous for h>1 curve");
1995
+ const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
1996
+ if (!Fp.isValid(radj))
1997
+ throw new Error("recovery id 2 or 3 invalid");
1998
+ const x = Fp.toBytes(radj);
1999
+ const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
2000
+ const ir = Fn.inv(radj);
2001
+ const h = bits2int_modN(ensureBytes("msgHash", messageHash));
2002
+ const u1 = Fn.create(-h * ir);
2003
+ const u2 = Fn.create(s * ir);
2004
+ const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
2005
+ if (Q.is0())
2006
+ throw new Error("point at infinify");
2007
+ Q.assertValidity();
2008
+ return Q;
2009
+ }
2010
+ // Signatures should be low-s, to prevent malleability.
2011
+ hasHighS() {
2012
+ return isBiggerThanHalfOrder(this.s);
2013
+ }
2014
+ toBytes(format = defaultSigOpts_format) {
2015
+ validateSigFormat(format);
2016
+ if (format === "der")
2017
+ return hexToBytes(DER.hexFromSig(this));
2018
+ const r = Fn.toBytes(this.r);
2019
+ const s = Fn.toBytes(this.s);
2020
+ if (format === "recovered") {
2021
+ if (this.recovery == null)
2022
+ throw new Error("recovery bit must be present");
2023
+ return concatBytes(Uint8Array.of(this.recovery), r, s);
2024
+ }
2025
+ return concatBytes(r, s);
2026
+ }
2027
+ toHex(format) {
2028
+ return bytesToHex(this.toBytes(format));
2029
+ }
2030
+ // TODO: remove
2031
+ assertValidity() {
2032
+ }
2033
+ static fromCompact(hex) {
2034
+ return Signature.fromBytes(ensureBytes("sig", hex), "compact");
2035
+ }
2036
+ static fromDER(hex) {
2037
+ return Signature.fromBytes(ensureBytes("sig", hex), "der");
2038
+ }
2039
+ normalizeS() {
2040
+ return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
2041
+ }
2042
+ toDERRawBytes() {
2043
+ return this.toBytes("der");
2044
+ }
2045
+ toDERHex() {
2046
+ return bytesToHex(this.toBytes("der"));
2047
+ }
2048
+ toCompactRawBytes() {
2049
+ return this.toBytes("compact");
2050
+ }
2051
+ toCompactHex() {
2052
+ return bytesToHex(this.toBytes("compact"));
2053
+ }
2054
+ }
2055
+ const bits2int = ecdsaOpts.bits2int || function bits2int_def(bytes) {
2056
+ if (bytes.length > 8192)
2057
+ throw new Error("input is too large");
2058
+ const num2 = bytesToNumberBE(bytes);
2059
+ const delta = bytes.length * 8 - fnBits;
2060
+ return delta > 0 ? num2 >> BigInt(delta) : num2;
2061
+ };
2062
+ const bits2int_modN = ecdsaOpts.bits2int_modN || function bits2int_modN_def(bytes) {
2063
+ return Fn.create(bits2int(bytes));
1866
2064
  };
2065
+ const ORDER_MASK = bitMask(fnBits);
2066
+ function int2octets(num2) {
2067
+ aInRange("num < 2^" + fnBits, num2, _0n4, ORDER_MASK);
2068
+ return Fn.toBytes(num2);
2069
+ }
2070
+ function validateMsgAndHash(message, prehash) {
2071
+ _abytes2(message, void 0, "message");
2072
+ return prehash ? _abytes2(hash(message), void 0, "prehashed message") : message;
2073
+ }
2074
+ function prepSig(message, privateKey, opts) {
2075
+ if (["recovered", "canonical"].some((k) => k in opts))
2076
+ throw new Error("sign() legacy options not supported");
2077
+ const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
2078
+ message = validateMsgAndHash(message, prehash);
2079
+ const h1int = bits2int_modN(message);
2080
+ const d = _normFnElement(Fn, privateKey);
2081
+ const seedArgs = [int2octets(d), int2octets(h1int)];
2082
+ if (extraEntropy != null && extraEntropy !== false) {
2083
+ const e = extraEntropy === true ? randomBytes2(lengths.secretKey) : extraEntropy;
2084
+ seedArgs.push(ensureBytes("extraEntropy", e));
2085
+ }
2086
+ const seed = concatBytes(...seedArgs);
2087
+ const m = h1int;
2088
+ function k2sig(kBytes) {
2089
+ const k = bits2int(kBytes);
2090
+ if (!Fn.isValidNot0(k))
2091
+ return;
2092
+ const ik = Fn.inv(k);
2093
+ const q = Point.BASE.multiply(k).toAffine();
2094
+ const r = Fn.create(q.x);
2095
+ if (r === _0n4)
2096
+ return;
2097
+ const s = Fn.create(ik * Fn.create(m + r * d));
2098
+ if (s === _0n4)
2099
+ return;
2100
+ let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
2101
+ let normS = s;
2102
+ if (lowS && isBiggerThanHalfOrder(s)) {
2103
+ normS = Fn.neg(s);
2104
+ recovery ^= 1;
2105
+ }
2106
+ return new Signature(r, normS, recovery);
2107
+ }
2108
+ return { seed, k2sig };
2109
+ }
2110
+ function sign(message, secretKey, opts = {}) {
2111
+ message = ensureBytes("message", message);
2112
+ const { seed, k2sig } = prepSig(message, secretKey, opts);
2113
+ const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac2);
2114
+ const sig = drbg(seed, k2sig);
2115
+ return sig;
2116
+ }
2117
+ function tryParsingSig(sg) {
2118
+ let sig = void 0;
2119
+ const isHex = typeof sg === "string" || isBytes(sg);
2120
+ const isObj = !isHex && sg !== null && typeof sg === "object" && typeof sg.r === "bigint" && typeof sg.s === "bigint";
2121
+ if (!isHex && !isObj)
2122
+ throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
2123
+ if (isObj) {
2124
+ sig = new Signature(sg.r, sg.s);
2125
+ } else if (isHex) {
2126
+ try {
2127
+ sig = Signature.fromBytes(ensureBytes("sig", sg), "der");
2128
+ } catch (derError) {
2129
+ if (!(derError instanceof DER.Err))
2130
+ throw derError;
2131
+ }
2132
+ if (!sig) {
2133
+ try {
2134
+ sig = Signature.fromBytes(ensureBytes("sig", sg), "compact");
2135
+ } catch (error) {
2136
+ return false;
2137
+ }
2138
+ }
2139
+ }
2140
+ if (!sig)
2141
+ return false;
2142
+ return sig;
2143
+ }
2144
+ function verify(signature, message, publicKey, opts = {}) {
2145
+ const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
2146
+ publicKey = ensureBytes("publicKey", publicKey);
2147
+ message = validateMsgAndHash(ensureBytes("message", message), prehash);
2148
+ if ("strict" in opts)
2149
+ throw new Error("options.strict was renamed to lowS");
2150
+ const sig = format === void 0 ? tryParsingSig(signature) : Signature.fromBytes(ensureBytes("sig", signature), format);
2151
+ if (sig === false)
2152
+ return false;
2153
+ try {
2154
+ const P = Point.fromBytes(publicKey);
2155
+ if (lowS && sig.hasHighS())
2156
+ return false;
2157
+ const { r, s } = sig;
2158
+ const h = bits2int_modN(message);
2159
+ const is = Fn.inv(s);
2160
+ const u1 = Fn.create(h * is);
2161
+ const u2 = Fn.create(r * is);
2162
+ const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
2163
+ if (R.is0())
2164
+ return false;
2165
+ const v = Fn.create(R.x);
2166
+ return v === r;
2167
+ } catch (e) {
2168
+ return false;
2169
+ }
2170
+ }
2171
+ function recoverPublicKey(signature, message, opts = {}) {
2172
+ const { prehash } = validateSigOpts(opts, defaultSigOpts);
2173
+ message = validateMsgAndHash(message, prehash);
2174
+ return Signature.fromBytes(signature, "recovered").recoverPublicKey(message).toBytes();
2175
+ }
2176
+ return Object.freeze({
2177
+ keygen,
2178
+ getPublicKey,
2179
+ getSharedSecret,
2180
+ utils,
2181
+ lengths,
2182
+ Point,
2183
+ sign,
2184
+ verify,
2185
+ recoverPublicKey,
2186
+ Signature,
2187
+ hash
2188
+ });
1867
2189
  }
2190
+ function _weierstrass_legacy_opts_to_new(c) {
2191
+ const CURVE = {
2192
+ a: c.a,
2193
+ b: c.b,
2194
+ p: c.Fp.ORDER,
2195
+ n: c.n,
2196
+ h: c.h,
2197
+ Gx: c.Gx,
2198
+ Gy: c.Gy
2199
+ };
2200
+ const Fp = c.Fp;
2201
+ let allowedLengths = c.allowedPrivateKeyLengths ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2)))) : void 0;
2202
+ const Fn = Field(CURVE.n, {
2203
+ BITS: c.nBitLength,
2204
+ allowedLengths,
2205
+ modFromBytes: c.wrapPrivateKey
2206
+ });
2207
+ const curveOpts = {
2208
+ Fp,
2209
+ Fn,
2210
+ allowInfinityPoint: c.allowInfinityPoint,
2211
+ endo: c.endo,
2212
+ isTorsionFree: c.isTorsionFree,
2213
+ clearCofactor: c.clearCofactor,
2214
+ fromBytes: c.fromBytes,
2215
+ toBytes: c.toBytes
2216
+ };
2217
+ return { CURVE, curveOpts };
2218
+ }
2219
+ function _ecdsa_legacy_opts_to_new(c) {
2220
+ const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
2221
+ const ecdsaOpts = {
2222
+ hmac: c.hmac,
2223
+ randomBytes: c.randomBytes,
2224
+ lowS: c.lowS,
2225
+ bits2int: c.bits2int,
2226
+ bits2int_modN: c.bits2int_modN
2227
+ };
2228
+ return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
2229
+ }
2230
+ function _ecdsa_new_output_to_legacy(c, _ecdsa) {
2231
+ const Point = _ecdsa.Point;
2232
+ return Object.assign({}, _ecdsa, {
2233
+ ProjectivePoint: Point,
2234
+ CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS))
2235
+ });
2236
+ }
2237
+ function weierstrass(c) {
2238
+ const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
2239
+ const Point = weierstrassN(CURVE, curveOpts);
2240
+ const signs = ecdsa(Point, hash, ecdsaOpts);
2241
+ return _ecdsa_new_output_to_legacy(c, signs);
2242
+ }
2243
+
2244
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/_shortw_utils.js
1868
2245
  function createCurve(curveDef, defHash) {
1869
- const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
2246
+ const create = (hash) => weierstrass({ ...curveDef, hash });
1870
2247
  return { ...create(defHash), create };
1871
2248
  }
1872
2249
 
1873
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
2250
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
1874
2251
  var os2ip = bytesToNumberBE;
1875
2252
  function i2osp(value, length) {
1876
2253
  anum(value);
@@ -1895,33 +2272,38 @@ function anum(item) {
1895
2272
  if (!Number.isSafeInteger(item))
1896
2273
  throw new Error("number expected");
1897
2274
  }
2275
+ function normDST(DST) {
2276
+ if (!isBytes(DST) && typeof DST !== "string")
2277
+ throw new Error("DST must be Uint8Array or string");
2278
+ return typeof DST === "string" ? utf8ToBytes(DST) : DST;
2279
+ }
1898
2280
  function expand_message_xmd(msg, DST, lenInBytes, H) {
1899
- abytes2(msg);
1900
- abytes2(DST);
2281
+ abytes(msg);
1901
2282
  anum(lenInBytes);
2283
+ DST = normDST(DST);
1902
2284
  if (DST.length > 255)
1903
- DST = H(concatBytes2(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
2285
+ DST = H(concatBytes(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
1904
2286
  const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
1905
2287
  const ell = Math.ceil(lenInBytes / b_in_bytes);
1906
2288
  if (lenInBytes > 65535 || ell > 255)
1907
2289
  throw new Error("expand_message_xmd: invalid lenInBytes");
1908
- const DST_prime = concatBytes2(DST, i2osp(DST.length, 1));
2290
+ const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
1909
2291
  const Z_pad = i2osp(0, r_in_bytes);
1910
2292
  const l_i_b_str = i2osp(lenInBytes, 2);
1911
2293
  const b = new Array(ell);
1912
- const b_0 = H(concatBytes2(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
1913
- b[0] = H(concatBytes2(b_0, i2osp(1, 1), DST_prime));
2294
+ const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
2295
+ b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
1914
2296
  for (let i = 1; i <= ell; i++) {
1915
2297
  const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
1916
- b[i] = H(concatBytes2(...args));
2298
+ b[i] = H(concatBytes(...args));
1917
2299
  }
1918
- const pseudo_random_bytes = concatBytes2(...b);
2300
+ const pseudo_random_bytes = concatBytes(...b);
1919
2301
  return pseudo_random_bytes.slice(0, lenInBytes);
1920
2302
  }
1921
2303
  function expand_message_xof(msg, DST, lenInBytes, k, H) {
1922
- abytes2(msg);
1923
- abytes2(DST);
2304
+ abytes(msg);
1924
2305
  anum(lenInBytes);
2306
+ DST = normDST(DST);
1925
2307
  if (DST.length > 255) {
1926
2308
  const dkLen = Math.ceil(2 * k / 8);
1927
2309
  DST = H.create({ dkLen }).update(utf8ToBytes("H2C-OVERSIZE-DST-")).update(DST).digest();
@@ -1931,17 +2313,17 @@ function expand_message_xof(msg, DST, lenInBytes, k, H) {
1931
2313
  return H.create({ dkLen: lenInBytes }).update(msg).update(i2osp(lenInBytes, 2)).update(DST).update(i2osp(DST.length, 1)).digest();
1932
2314
  }
1933
2315
  function hash_to_field(msg, count, options) {
1934
- validateObject(options, {
1935
- DST: "stringOrUint8Array",
2316
+ _validateObject(options, {
1936
2317
  p: "bigint",
1937
- m: "isSafeInteger",
1938
- k: "isSafeInteger",
1939
- hash: "hash"
2318
+ m: "number",
2319
+ k: "number",
2320
+ hash: "function"
1940
2321
  });
1941
- const { p, k, m, hash, expand, DST: _DST } = options;
1942
- abytes2(msg);
2322
+ const { p, k, m, hash, expand, DST } = options;
2323
+ if (!isHash(options.hash))
2324
+ throw new Error("expected valid hash");
2325
+ abytes(msg);
1943
2326
  anum(count);
1944
- const DST = typeof _DST === "string" ? utf8ToBytes(_DST) : _DST;
1945
2327
  const log2p = p.toString(2).length;
1946
2328
  const L = Math.ceil((log2p + k) / 8);
1947
2329
  const len_in_bytes = count * m * L;
@@ -1977,36 +2359,37 @@ function isogenyMap(field, map) {
1977
2359
  return { x, y };
1978
2360
  };
1979
2361
  }
1980
- function createHasher2(Point2, mapToCurve, defaults) {
2362
+ var _DST_scalar = utf8ToBytes("HashToScalar-");
2363
+ function createHasher2(Point, mapToCurve, defaults) {
1981
2364
  if (typeof mapToCurve !== "function")
1982
2365
  throw new Error("mapToCurve() must be defined");
1983
2366
  function map(num2) {
1984
- return Point2.fromAffine(mapToCurve(num2));
2367
+ return Point.fromAffine(mapToCurve(num2));
1985
2368
  }
1986
2369
  function clear(initial) {
1987
2370
  const P = initial.clearCofactor();
1988
- if (P.equals(Point2.ZERO))
1989
- return Point2.ZERO;
2371
+ if (P.equals(Point.ZERO))
2372
+ return Point.ZERO;
1990
2373
  P.assertValidity();
1991
2374
  return P;
1992
2375
  }
1993
2376
  return {
1994
2377
  defaults,
1995
- // Encodes byte string to elliptic curve.
1996
- // hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
1997
2378
  hashToCurve(msg, options) {
1998
- const u = hash_to_field(msg, 2, { ...defaults, DST: defaults.DST, ...options });
2379
+ const opts = Object.assign({}, defaults, options);
2380
+ const u = hash_to_field(msg, 2, opts);
1999
2381
  const u0 = map(u[0]);
2000
2382
  const u1 = map(u[1]);
2001
2383
  return clear(u0.add(u1));
2002
2384
  },
2003
- // Encodes byte string to elliptic curve.
2004
- // encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
2005
2385
  encodeToCurve(msg, options) {
2006
- const u = hash_to_field(msg, 1, { ...defaults, DST: defaults.encodeDST, ...options });
2007
- return clear(map(u[0]));
2386
+ const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
2387
+ const opts = Object.assign({}, defaults, optsDst, options);
2388
+ const u = hash_to_field(msg, 1, opts);
2389
+ const u0 = map(u[0]);
2390
+ return clear(u0);
2008
2391
  },
2009
- // Same as encodeToCurve, but without hash
2392
+ /** See {@link H2CHasher} */
2010
2393
  mapToCurve(scalars) {
2011
2394
  if (!Array.isArray(scalars))
2012
2395
  throw new Error("expected array of bigints");
@@ -2014,19 +2397,39 @@ function createHasher2(Point2, mapToCurve, defaults) {
2014
2397
  if (typeof i !== "bigint")
2015
2398
  throw new Error("expected array of bigints");
2016
2399
  return clear(map(scalars));
2400
+ },
2401
+ // hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
2402
+ // RFC 9380, draft-irtf-cfrg-bbs-signatures-08
2403
+ hashToScalar(msg, options) {
2404
+ const N = Point.Fn.ORDER;
2405
+ const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);
2406
+ return hash_to_field(msg, 1, opts)[0][0];
2017
2407
  }
2018
2408
  };
2019
2409
  }
2020
2410
 
2021
- // ../../node_modules/.pnpm/@noble+curves@1.9.1/node_modules/@noble/curves/esm/secp256k1.js
2022
- var secp256k1P = BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f");
2023
- var secp256k1N = BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
2024
- var _0n4 = BigInt(0);
2025
- var _1n4 = BigInt(1);
2026
- var _2n3 = BigInt(2);
2027
- var divNearest = (a, b) => (a + b / _2n3) / b;
2411
+ // ../../node_modules/.pnpm/@noble+curves@1.9.6/node_modules/@noble/curves/esm/secp256k1.js
2412
+ var secp256k1_CURVE = {
2413
+ p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
2414
+ n: BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
2415
+ h: BigInt(1),
2416
+ a: BigInt(0),
2417
+ b: BigInt(7),
2418
+ Gx: BigInt("0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
2419
+ Gy: BigInt("0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
2420
+ };
2421
+ var secp256k1_ENDO = {
2422
+ beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
2423
+ basises: [
2424
+ [BigInt("0x3086d221a7d46bcde86c90e49284eb15"), -BigInt("0xe4437ed6010e88286f547fa90abfe4c3")],
2425
+ [BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8"), BigInt("0x3086d221a7d46bcde86c90e49284eb15")]
2426
+ ]
2427
+ };
2428
+ var _0n5 = /* @__PURE__ */ BigInt(0);
2429
+ var _1n5 = /* @__PURE__ */ BigInt(1);
2430
+ var _2n3 = /* @__PURE__ */ BigInt(2);
2028
2431
  function sqrtMod(y) {
2029
- const P = secp256k1P;
2432
+ const P = secp256k1_CURVE.p;
2030
2433
  const _3n3 = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
2031
2434
  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
2032
2435
  const b2 = y * y * y % P;
@@ -2047,137 +2450,124 @@ function sqrtMod(y) {
2047
2450
  throw new Error("Cannot find square root");
2048
2451
  return root;
2049
2452
  }
2050
- var Fpk1 = Field(secp256k1P, void 0, void 0, { sqrt: sqrtMod });
2051
- var secp256k1 = createCurve({
2052
- a: _0n4,
2053
- b: BigInt(7),
2054
- Fp: Fpk1,
2055
- n: secp256k1N,
2056
- Gx: BigInt("55066263022277343669578718895168534326250603453777594175500187360389116729240"),
2057
- Gy: BigInt("32670510020758816978083085130507043184471273380659243275938904335757337482424"),
2058
- h: BigInt(1),
2059
- lowS: true,
2060
- // Allow only low-S signatures by default in sign() and verify()
2061
- endo: {
2062
- // Endomorphism, see above
2063
- beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
2064
- splitScalar: (k) => {
2065
- const n = secp256k1N;
2066
- const a1 = BigInt("0x3086d221a7d46bcde86c90e49284eb15");
2067
- const b1 = -_1n4 * BigInt("0xe4437ed6010e88286f547fa90abfe4c3");
2068
- const a2 = BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8");
2069
- const b2 = a1;
2070
- const POW_2_128 = BigInt("0x100000000000000000000000000000000");
2071
- const c1 = divNearest(b2 * k, n);
2072
- const c2 = divNearest(-b1 * k, n);
2073
- let k1 = mod(k - c1 * a1 - c2 * a2, n);
2074
- let k2 = mod(-c1 * b1 - c2 * b2, n);
2075
- const k1neg = k1 > POW_2_128;
2076
- const k2neg = k2 > POW_2_128;
2077
- if (k1neg)
2078
- k1 = n - k1;
2079
- if (k2neg)
2080
- k2 = n - k2;
2081
- if (k1 > POW_2_128 || k2 > POW_2_128) {
2082
- throw new Error("splitScalar: Endomorphism failed, k=" + k);
2083
- }
2084
- return { k1neg, k1, k2neg, k2 };
2085
- }
2086
- }
2087
- }, sha256);
2453
+ var Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
2454
+ var secp256k1 = createCurve({ ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO }, sha256);
2088
2455
  var TAGGED_HASH_PREFIXES = {};
2089
2456
  function taggedHash(tag, ...messages) {
2090
2457
  let tagP = TAGGED_HASH_PREFIXES[tag];
2091
2458
  if (tagP === void 0) {
2092
- const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
2093
- tagP = concatBytes2(tagH, tagH);
2459
+ const tagH = sha256(utf8ToBytes(tag));
2460
+ tagP = concatBytes(tagH, tagH);
2094
2461
  TAGGED_HASH_PREFIXES[tag] = tagP;
2095
2462
  }
2096
- return sha256(concatBytes2(tagP, ...messages));
2463
+ return sha256(concatBytes(tagP, ...messages));
2097
2464
  }
2098
- var pointToBytes = (point) => point.toRawBytes(true).slice(1);
2099
- var numTo32b = (n) => numberToBytesBE(n, 32);
2100
- var modP = (x) => mod(x, secp256k1P);
2101
- var modN = (x) => mod(x, secp256k1N);
2102
- var Point = /* @__PURE__ */ (() => secp256k1.ProjectivePoint)();
2103
- var GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
2465
+ var pointToBytes = (point) => point.toBytes(true).slice(1);
2466
+ var Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
2467
+ var hasEven = (y) => y % _2n3 === _0n5;
2104
2468
  function schnorrGetExtPubKey(priv) {
2105
- let d_ = secp256k1.utils.normPrivateKeyToScalar(priv);
2106
- let p = Point.fromPrivateKey(d_);
2107
- const scalar = p.hasEvenY() ? d_ : modN(-d_);
2469
+ const { Fn, BASE } = Pointk1;
2470
+ const d_ = _normFnElement(Fn, priv);
2471
+ const p = BASE.multiply(d_);
2472
+ const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
2108
2473
  return { scalar, bytes: pointToBytes(p) };
2109
2474
  }
2110
2475
  function lift_x(x) {
2111
- aInRange("x", x, _1n4, secp256k1P);
2112
- const xx = modP(x * x);
2113
- const c = modP(xx * x + BigInt(7));
2114
- let y = sqrtMod(c);
2115
- if (y % _2n3 !== _0n4)
2116
- y = modP(-y);
2117
- const p = new Point(x, y, _1n4);
2476
+ const Fp = Fpk1;
2477
+ if (!Fp.isValidNot0(x))
2478
+ throw new Error("invalid x: Fail if x \u2265 p");
2479
+ const xx = Fp.create(x * x);
2480
+ const c = Fp.create(xx * x + BigInt(7));
2481
+ let y = Fp.sqrt(c);
2482
+ if (!hasEven(y))
2483
+ y = Fp.neg(y);
2484
+ const p = Pointk1.fromAffine({ x, y });
2118
2485
  p.assertValidity();
2119
2486
  return p;
2120
2487
  }
2121
2488
  var num = bytesToNumberBE;
2122
2489
  function challenge(...args) {
2123
- return modN(num(taggedHash("BIP0340/challenge", ...args)));
2490
+ return Pointk1.Fn.create(num(taggedHash("BIP0340/challenge", ...args)));
2124
2491
  }
2125
- function schnorrGetPublicKey(privateKey) {
2126
- return schnorrGetExtPubKey(privateKey).bytes;
2492
+ function schnorrGetPublicKey(secretKey) {
2493
+ return schnorrGetExtPubKey(secretKey).bytes;
2127
2494
  }
2128
- function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
2495
+ function schnorrSign(message, secretKey, auxRand = randomBytes(32)) {
2496
+ const { Fn } = Pointk1;
2129
2497
  const m = ensureBytes("message", message);
2130
- const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
2498
+ const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey);
2131
2499
  const a = ensureBytes("auxRand", auxRand, 32);
2132
- const t = numTo32b(d ^ num(taggedHash("BIP0340/aux", a)));
2500
+ const t = Fn.toBytes(d ^ num(taggedHash("BIP0340/aux", a)));
2133
2501
  const rand = taggedHash("BIP0340/nonce", t, px, m);
2134
- const k_ = modN(num(rand));
2135
- if (k_ === _0n4)
2136
- throw new Error("sign failed: k is zero");
2137
- const { bytes: rx, scalar: k } = schnorrGetExtPubKey(k_);
2502
+ const { bytes: rx, scalar: k } = schnorrGetExtPubKey(rand);
2138
2503
  const e = challenge(rx, px, m);
2139
2504
  const sig = new Uint8Array(64);
2140
2505
  sig.set(rx, 0);
2141
- sig.set(numTo32b(modN(k + e * d)), 32);
2506
+ sig.set(Fn.toBytes(Fn.create(k + e * d)), 32);
2142
2507
  if (!schnorrVerify(sig, m, px))
2143
2508
  throw new Error("sign: Invalid signature produced");
2144
2509
  return sig;
2145
2510
  }
2146
2511
  function schnorrVerify(signature, message, publicKey) {
2512
+ const { Fn, BASE } = Pointk1;
2147
2513
  const sig = ensureBytes("signature", signature, 64);
2148
2514
  const m = ensureBytes("message", message);
2149
2515
  const pub = ensureBytes("publicKey", publicKey, 32);
2150
2516
  try {
2151
2517
  const P = lift_x(num(pub));
2152
2518
  const r = num(sig.subarray(0, 32));
2153
- if (!inRange(r, _1n4, secp256k1P))
2519
+ if (!inRange(r, _1n5, secp256k1_CURVE.p))
2154
2520
  return false;
2155
2521
  const s = num(sig.subarray(32, 64));
2156
- if (!inRange(s, _1n4, secp256k1N))
2522
+ if (!inRange(s, _1n5, secp256k1_CURVE.n))
2157
2523
  return false;
2158
- const e = challenge(numTo32b(r), pointToBytes(P), m);
2159
- const R = GmulAdd(P, s, modN(-e));
2160
- if (!R || !R.hasEvenY() || R.toAffine().x !== r)
2524
+ const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
2525
+ const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
2526
+ const { x, y } = R.toAffine();
2527
+ if (R.is0() || !hasEven(y) || x !== r)
2161
2528
  return false;
2162
2529
  return true;
2163
2530
  } catch (error) {
2164
2531
  return false;
2165
2532
  }
2166
2533
  }
2167
- var schnorr = /* @__PURE__ */ (() => ({
2168
- getPublicKey: schnorrGetPublicKey,
2169
- sign: schnorrSign,
2170
- verify: schnorrVerify,
2171
- utils: {
2172
- randomPrivateKey: secp256k1.utils.randomPrivateKey,
2173
- lift_x,
2174
- pointToBytes,
2175
- numberToBytesBE,
2176
- bytesToNumberBE,
2177
- taggedHash,
2178
- mod
2534
+ var schnorr = /* @__PURE__ */ (() => {
2535
+ const size = 32;
2536
+ const seedLength = 48;
2537
+ const randomSecretKey = (seed = randomBytes(seedLength)) => {
2538
+ return mapHashToField(seed, secp256k1_CURVE.n);
2539
+ };
2540
+ secp256k1.utils.randomSecretKey;
2541
+ function keygen(seed) {
2542
+ const secretKey = randomSecretKey(seed);
2543
+ return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
2179
2544
  }
2180
- }))();
2545
+ return {
2546
+ keygen,
2547
+ getPublicKey: schnorrGetPublicKey,
2548
+ sign: schnorrSign,
2549
+ verify: schnorrVerify,
2550
+ Point: Pointk1,
2551
+ utils: {
2552
+ randomSecretKey,
2553
+ randomPrivateKey: randomSecretKey,
2554
+ taggedHash,
2555
+ // TODO: remove
2556
+ lift_x,
2557
+ pointToBytes,
2558
+ numberToBytesBE,
2559
+ bytesToNumberBE,
2560
+ mod
2561
+ },
2562
+ lengths: {
2563
+ secretKey: size,
2564
+ publicKey: size,
2565
+ publicKeyHasPrefix: false,
2566
+ signature: size * 2,
2567
+ seed: seedLength
2568
+ }
2569
+ };
2570
+ })();
2181
2571
  var isoMap = /* @__PURE__ */ (() => isogenyMap(Fpk1, [
2182
2572
  // xNum
2183
2573
  [
@@ -2214,7 +2604,7 @@ var mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fpk1, {
2214
2604
  B: BigInt("1771"),
2215
2605
  Z: Fpk1.create(BigInt("-11"))
2216
2606
  }))();
2217
- var secp256k1_hasher = /* @__PURE__ */ (() => createHasher2(secp256k1.ProjectivePoint, (scalars) => {
2607
+ var secp256k1_hasher = /* @__PURE__ */ (() => createHasher2(secp256k1.Point, (scalars) => {
2218
2608
  const { x, y } = mapSWU(Fpk1.create(scalars[0]));
2219
2609
  return isoMap(x, y);
2220
2610
  }, {
@@ -2237,6 +2627,9 @@ export {
2237
2627
  };
2238
2628
  /*! Bundled license information:
2239
2629
 
2630
+ @noble/curves/esm/utils.js:
2631
+ (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
2632
+
2240
2633
  @noble/curves/esm/abstract/modular.js:
2241
2634
  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
2242
2635
 
@@ -2252,4 +2645,4 @@ export {
2252
2645
  @noble/curves/esm/secp256k1.js:
2253
2646
  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
2254
2647
  */
2255
- //# sourceMappingURL=secp256k1-QCGY4Z6Q.js.map
2648
+ //# sourceMappingURL=secp256k1-ELJ5HZRX.js.map