@noble/curves 0.2.1 → 0.3.1

package/lib/definitions/p384.d.ts

@@ -0,0 +1,112 @@
+export declare const P384: Readonly<{
+    create: (hash: import("../weierstrass.js").CHash) => import("../weierstrass.js").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: import("../weierstrass.js").CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof import("../utils.js").randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: import("../utils.js").PrivKey) => import("../utils.js").PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: import("../utils.js").PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: import("../utils.js").PrivKey, publicB: import("../weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("../utils.js").Hex, privKey: import("../utils.js").PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("../utils.js").Hex) | undefined;
+    } | undefined) => import("../weierstrass.js").SignatureType;
+    verify: (signature: import("../utils.js").Hex | import("../weierstrass.js").SignatureType, msgHash: import("../utils.js").Hex, publicKey: import("../weierstrass.js").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass.js").PointConstructor;
+    JacobianPoint: import("../weierstrass.js").JacobianPointConstructor;
+    Signature: import("../weierstrass.js").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: import("../utils.js").PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass.js").PubKey) => import("../weierstrass.js").PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: import("../utils.js").PrivKey): boolean;
+        hashToPrivateKey: (hash: import("../utils.js").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;
+export declare const secp384r1: Readonly<{
+    create: (hash: import("../weierstrass.js").CHash) => import("../weierstrass.js").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: import("../weierstrass.js").CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof import("../utils.js").randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: import("../utils.js").PrivKey) => import("../utils.js").PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: import("../utils.js").PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: import("../utils.js").PrivKey, publicB: import("../weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("../utils.js").Hex, privKey: import("../utils.js").PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("../utils.js").Hex) | undefined;
+    } | undefined) => import("../weierstrass.js").SignatureType;
+    verify: (signature: import("../utils.js").Hex | import("../weierstrass.js").SignatureType, msgHash: import("../utils.js").Hex, publicKey: import("../weierstrass.js").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass.js").PointConstructor;
+    JacobianPoint: import("../weierstrass.js").JacobianPointConstructor;
+    Signature: import("../weierstrass.js").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: import("../utils.js").PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass.js").PubKey) => import("../weierstrass.js").PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: import("../utils.js").PrivKey): boolean;
+        hashToPrivateKey: (hash: import("../utils.js").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;

package/lib/definitions/p384.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secp384r1 = exports.P384 = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const sha512_1 = require("@noble/hashes/sha512");
+// NIST secp384r1 aka P384
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
+// prettier-ignore
+exports.P384 = (0, _shortw_utils_js_1.createCurve)({
+    // Params: a, b
+    a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
+    b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
+    // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+    P: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
+    // Curve order, total count of valid points in the field.
+    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+    h: BigInt(1),
+    lowS: false,
+}, sha512_1.sha384);
+exports.secp384r1 = exports.P384;

package/lib/definitions/p521.d.ts

@@ -0,0 +1,113 @@
+import { PrivKey } from '../utils';
+export declare const P521: Readonly<{
+    create: (hash: import("../weierstrass.js").CHash) => import("../weierstrass.js").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: import("../weierstrass.js").CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof import("../utils").randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: PrivKey) => PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: PrivKey, publicB: import("../weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("../utils").Hex, privKey: PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("../utils").Hex) | undefined;
+    } | undefined) => import("../weierstrass.js").SignatureType;
+    verify: (signature: import("../utils").Hex | import("../weierstrass.js").SignatureType, msgHash: import("../utils").Hex, publicKey: import("../weierstrass.js").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass.js").PointConstructor;
+    JacobianPoint: import("../weierstrass.js").JacobianPointConstructor;
+    Signature: import("../weierstrass.js").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass.js").PubKey) => import("../weierstrass.js").PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: PrivKey): boolean;
+        hashToPrivateKey: (hash: import("../utils").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;
+export declare const secp521r1: Readonly<{
+    create: (hash: import("../weierstrass.js").CHash) => import("../weierstrass.js").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: import("../weierstrass.js").CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof import("../utils").randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: PrivKey) => PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: PrivKey, publicB: import("../weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("../utils").Hex, privKey: PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("../utils").Hex) | undefined;
+    } | undefined) => import("../weierstrass.js").SignatureType;
+    verify: (signature: import("../utils").Hex | import("../weierstrass.js").SignatureType, msgHash: import("../utils").Hex, publicKey: import("../weierstrass.js").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass.js").PointConstructor;
+    JacobianPoint: import("../weierstrass.js").JacobianPointConstructor;
+    Signature: import("../weierstrass.js").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass.js").PubKey) => import("../weierstrass.js").PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: PrivKey): boolean;
+        hashToPrivateKey: (hash: import("../utils").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;

package/lib/definitions/p521.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secp521r1 = exports.P521 = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const sha512_1 = require("@noble/hashes/sha512");
+const utils_1 = require("../utils");
+// NIST secp521r1 aka P521
+// Note that it's 521, which differs from 512 of its hash function.
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
+// prettier-ignore
+exports.P521 = (0, _shortw_utils_js_1.createCurve)({
+    // Params: a, b
+    a: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
+    b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
+    // Field over which we'll do calculations; 2n**521n - 1n
+    P: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
+    // Curve order, total count of valid points in the field
+    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
+    Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
+    h: BigInt(1),
+    lowS: false,
+    normalizePrivateKey(key) {
+        if (typeof key === 'bigint')
+            return key;
+        if (key instanceof Uint8Array)
+            key = (0, utils_1.bytesToHex)(key);
+        if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
+            throw new Error('Invalid key');
+        }
+        return key.padStart(66 * 2, '0');
+    }
+}, sha512_1.sha512);
+exports.secp521r1 = exports.P521;

package/lib/definitions/pasta.d.ts

@@ -0,0 +1,2 @@
+export declare const pallas: import("../weierstrass").CurveFn;
+export declare const vesta: import("../weierstrass").CurveFn;

package/lib/definitions/pasta.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vesta = exports.pallas = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha256_1 = require("@noble/hashes/sha256");
+const weierstrass_1 = require("../weierstrass");
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const mod = require("../modular");
+const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
+const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
+// https://neuromancer.sk/std/other/Pallas
+exports.pallas = (0, weierstrass_1.weierstrass)({
+    a: BigInt(0),
+    b: BigInt(5),
+    P: p,
+    n: q,
+    Gx: mod.mod(BigInt(-1), p),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
+});
+// https://neuromancer.sk/std/other/Vesta
+exports.vesta = (0, weierstrass_1.weierstrass)({
+    a: BigInt(0),
+    b: BigInt(5),
+    P: q,
+    n: p,
+    Gx: mod.mod(BigInt(-1), q),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
+});

package/lib/definitions/secp256k1.d.ts

@@ -0,0 +1,87 @@
+import { PointType } from '../weierstrass';
+import { Hex, PrivKey, randomBytes } from '../utils';
+export declare const secp256k1: Readonly<{
+    create: (hash: import("../weierstrass").CHash) => import("../weierstrass").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: import("../weierstrass").CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: PrivKey) => PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: PrivKey, publicB: import("../weierstrass").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: Hex, privKey: PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | Hex) | undefined;
+    } | undefined) => import("../weierstrass").SignatureType;
+    verify: (signature: Hex | import("../weierstrass").SignatureType, msgHash: Hex, publicKey: import("../weierstrass").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass").PointConstructor;
+    JacobianPoint: import("../weierstrass").JacobianPointConstructor;
+    Signature: import("../weierstrass").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass").PubKey) => PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: PrivKey): boolean;
+        hashToPrivateKey: (hash: Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;
+export declare function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array;
+declare class SchnorrSignature {
+    readonly r: bigint;
+    readonly s: bigint;
+    constructor(r: bigint, s: bigint);
+    static fromHex(hex: Hex): SchnorrSignature;
+    assertValidity(): void;
+    toHex(): string;
+    toRawBytes(): Uint8Array;
+}
+/**
+ * Synchronously creates Schnorr signature. Improved security: verifies itself before
+ * producing an output.
+ * @param msg message (not message hash)
+ * @param privateKey private key
+ * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
+ */
+declare function schnorrSign(message: Hex, privateKey: PrivKey, auxRand?: Hex): Uint8Array;
+/**
+ * Verifies Schnorr signature synchronously.
+ */
+declare function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean;
+export declare const schnorr: {
+    Signature: typeof SchnorrSignature;
+    getPublicKey: (privateKey: PrivKey) => Uint8Array;
+    sign: typeof schnorrSign;
+    verify: typeof schnorrVerify;
+};
+export {};

package/lib/definitions/secp256k1.js

@@ -0,0 +1,245 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.schnorr = exports.taggedHash = exports.secp256k1 = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha256_1 = require("@noble/hashes/sha256");
+const modular_1 = require("../modular");
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const utils_1 = require("../utils");
+/**
+ * secp256k1 belongs to Koblitz curves: it has
+ * efficiently computable Frobenius endomorphism.
+ * Endomorphism improves efficiency:
+ * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
+ * Should always be used for Jacobian's double-and-add multiplication.
+ * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
+ * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+ */
+const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
+const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const divNearest = (a, b) => (a + b / _2n) / b;
+/**
+ * Allows to compute square root √y 2x faster.
+ * To calculate √y, we need to exponentiate it to a very big number:
+ * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
+ * We are unwrapping the loop and multiplying it bit-by-bit.
+ * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
+ */
+// prettier-ignore
+function sqrtMod(y) {
+    const P = secp256k1P;
+    const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11);
+    const _22n = BigInt(22);
+    const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+    const b2 = (y * y * y) % P; // x^3, 11
+    const b3 = (b2 * b2 * y) % P; // x^7
+    const b6 = ((0, modular_1.pow2)(b3, _3n, P) * b3) % P;
+    const b9 = ((0, modular_1.pow2)(b6, _3n, P) * b3) % P;
+    const b11 = ((0, modular_1.pow2)(b9, _2n, P) * b2) % P;
+    const b22 = ((0, modular_1.pow2)(b11, _11n, P) * b11) % P;
+    const b44 = ((0, modular_1.pow2)(b22, _22n, P) * b22) % P;
+    const b88 = ((0, modular_1.pow2)(b44, _44n, P) * b44) % P;
+    const b176 = ((0, modular_1.pow2)(b88, _88n, P) * b88) % P;
+    const b220 = ((0, modular_1.pow2)(b176, _44n, P) * b44) % P;
+    const b223 = ((0, modular_1.pow2)(b220, _3n, P) * b3) % P;
+    const t1 = ((0, modular_1.pow2)(b223, _23n, P) * b22) % P;
+    const t2 = ((0, modular_1.pow2)(t1, _6n, P) * b2) % P;
+    return (0, modular_1.pow2)(t2, _2n, P);
+}
+exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
+    // Params: a, b
+    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
+    a: BigInt(0),
+    b: BigInt(7),
+    // Field over which we'll do calculations;
+    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    P: secp256k1P,
+    // Curve order, total count of valid points in the field
+    n: secp256k1N,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
+    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
+    h: BigInt(1),
+    // Alllow only low-S signatures by default in sign() and verify()
+    lowS: true,
+    sqrtMod,
+    endo: {
+        // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+        beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+        splitScalar: (k) => {
+            const n = secp256k1N;
+            const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
+            const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
+            const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
+            const b2 = a1;
+            const POW_2_128 = BigInt('0x100000000000000000000000000000000');
+            const c1 = divNearest(b2 * k, n);
+            const c2 = divNearest(-b1 * k, n);
+            let k1 = (0, modular_1.mod)(k - c1 * a1 - c2 * a2, n);
+            let k2 = (0, modular_1.mod)(-c1 * b1 - c2 * b2, n);
+            const k1neg = k1 > POW_2_128;
+            const k2neg = k2 > POW_2_128;
+            if (k1neg)
+                k1 = n - k1;
+            if (k2neg)
+                k2 = n - k2;
+            if (k1 > POW_2_128 || k2 > POW_2_128) {
+                throw new Error('splitScalar: Endomorphism failed, k=' + k);
+            }
+            return { k1neg, k1, k2neg, k2 };
+        },
+    },
+}, sha256_1.sha256);
+// Schnorr
+const _0n = BigInt(0);
+const numTo32b = exports.secp256k1.utils._bigintToBytes;
+const numTo32bStr = exports.secp256k1.utils._bigintToString;
+const normalizePrivateKey = exports.secp256k1.utils._normalizePrivateKey;
+// TODO: export?
+function normalizePublicKey(publicKey) {
+    if (publicKey instanceof exports.secp256k1.Point) {
+        publicKey.assertValidity();
+        return publicKey;
+    }
+    else {
+        const bytes = (0, utils_1.ensureBytes)(publicKey);
+        // Schnorr is 32 bytes
+        if (bytes.length === 32) {
+            const x = (0, utils_1.bytesToNumberBE)(bytes);
+            if (!isValidFieldElement(x))
+                throw new Error('Point is not on curve');
+            const y2 = exports.secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
+            let y = sqrtMod(y2); // y = y² ^ (p+1)/4
+            const isYOdd = (y & _1n) === _1n;
+            // Schnorr
+            if (isYOdd)
+                y = (0, modular_1.mod)(-y, exports.secp256k1.CURVE.P);
+            const point = new exports.secp256k1.Point(x, y);
+            point.assertValidity();
+            return point;
+        }
+        // Do we need that in schnorr at all?
+        return exports.secp256k1.Point.fromHex(publicKey);
+    }
+}
+const isWithinCurveOrder = exports.secp256k1.utils._isWithinCurveOrder;
+const isValidFieldElement = exports.secp256k1.utils._isValidFieldElement;
+const TAGS = {
+    challenge: 'BIP0340/challenge',
+    aux: 'BIP0340/aux',
+    nonce: 'BIP0340/nonce',
+};
+/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
+const TAGGED_HASH_PREFIXES = {};
+function taggedHash(tag, ...messages) {
+    let tagP = TAGGED_HASH_PREFIXES[tag];
+    if (tagP === undefined) {
+        const tagH = (0, sha256_1.sha256)(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
+        tagP = (0, utils_1.concatBytes)(tagH, tagH);
+        TAGGED_HASH_PREFIXES[tag] = tagP;
+    }
+    return (0, sha256_1.sha256)((0, utils_1.concatBytes)(tagP, ...messages));
+}
+exports.taggedHash = taggedHash;
+const toRawX = (point) => point.toRawBytes(true).slice(1);
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+function schnorrChallengeFinalize(ch) {
+    return (0, modular_1.mod)((0, utils_1.bytesToNumberBE)(ch), exports.secp256k1.CURVE.n);
+}
+// Do we need this at all for Schnorr?
+class SchnorrSignature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = (0, utils_1.ensureBytes)(hex);
+        if (bytes.length !== 64)
+            throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
+        const r = (0, utils_1.bytesToNumberBE)(bytes.subarray(0, 32));
+        const s = (0, utils_1.bytesToNumberBE)(bytes.subarray(32, 64));
+        return new SchnorrSignature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
+            throw new Error('Invalid signature');
+    }
+    toHex() {
+        return numTo32bStr(this.r) + numTo32bStr(this.s);
+    }
+    toRawBytes() {
+        return (0, utils_1.hexToBytes)(this.toHex());
+    }
+}
+function schnorrGetScalar(priv) {
+    const point = exports.secp256k1.Point.fromPrivateKey(priv);
+    const scalar = point.hasEvenY() ? priv : exports.secp256k1.CURVE.n - priv;
+    return { point, scalar, x: toRawX(point) };
+}
+/**
+ * Synchronously creates Schnorr signature. Improved security: verifies itself before
+ * producing an output.
+ * @param msg message (not message hash)
+ * @param privateKey private key
+ * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
+ */
+function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) {
+    if (message == null)
+        throw new TypeError(`sign: Expected valid message, not "${message}"`);
+    const m = (0, utils_1.ensureBytes)(message);
+    // checks for isWithinCurveOrder
+    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
+    const rand = (0, utils_1.ensureBytes)(auxRand);
+    if (rand.length !== 32)
+        throw new TypeError('sign: Expected 32 bytes of aux randomness');
+    const tag = taggedHash;
+    const t0h = tag(TAGS.aux, rand);
+    const t = numTo32b(d ^ (0, utils_1.bytesToNumberBE)(t0h));
+    const k0h = tag(TAGS.nonce, t, px, m);
+    const k0 = (0, modular_1.mod)((0, utils_1.bytesToNumberBE)(k0h), exports.secp256k1.CURVE.n);
+    if (k0 === _0n)
+        throw new Error('sign: Creation of signature failed. k is zero');
+    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
+    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
+    const sig = new SchnorrSignature(R.x, (0, modular_1.mod)(k + e * d, exports.secp256k1.CURVE.n)).toRawBytes();
+    if (!schnorrVerify(sig, m, px))
+        throw new Error('sign: Invalid signature produced');
+    return sig;
+}
+/**
+ * Verifies Schnorr signature synchronously.
+ */
+function schnorrVerify(signature, message, publicKey) {
+    try {
+        const raw = signature instanceof SchnorrSignature;
+        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
+        if (raw)
+            sig.assertValidity(); // just in case
+        const { r, s } = sig;
+        const m = (0, utils_1.ensureBytes)(message);
+        const P = normalizePublicKey(publicKey);
+        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
+        // Finalize
+        // R = s⋅G - e⋅P
+        // -eP == (n-e)P
+        const R = exports.secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), (0, modular_1.mod)(-e, exports.secp256k1.CURVE.n));
+        if (!R || !R.hasEvenY() || R.x !== r)
+            return false;
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+}
+exports.schnorr = {
+    Signature: SchnorrSignature,
+    // Schnorr's pubkey is just `x` of Point (BIP340)
+    getPublicKey: (privateKey) => toRawX(exports.secp256k1.Point.fromPrivateKey(privateKey)),
+    sign: schnorrSign,
+    verify: schnorrVerify,
+};