@noble/curves 1.8.0 → 1.8.2

package/secp256k1.js

@@ -14,13 +14,13 @@ exports.encodeToCurve = exports.hashToCurve = exports.schnorr = exports.secp256k
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const sha256_1 = require("@noble/hashes/sha256");
+const sha2_1 = require("@noble/hashes/sha2");
 const utils_1 = require("@noble/hashes/utils");
-const _shortw_utils_js_1 = require("./_shortw_utils.js");
-const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js");
-const modular_js_1 = require("./abstract/modular.js");
-const utils_js_1 = require("./abstract/utils.js");
-const weierstrass_js_1 = require("./abstract/weierstrass.js");
+const _shortw_utils_ts_1 = require("./_shortw_utils.js");
+const hash_to_curve_ts_1 = require("./abstract/hash-to-curve.js");
+const modular_ts_1 = require("./abstract/modular.js");
+const utils_ts_1 = require("./abstract/utils.js");
+const weierstrass_ts_1 = require("./abstract/weierstrass.js");
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
 const _1n = BigInt(1);
@@ -38,41 +38,43 @@ function sqrtMod(y) {
     const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
     const b2 = (y * y * y) % P; // x^3, 11
     const b3 = (b2 * b2 * y) % P; // x^7
-    const b6 = ((0, modular_js_1.pow2)(b3, _3n, P) * b3) % P;
-    const b9 = ((0, modular_js_1.pow2)(b6, _3n, P) * b3) % P;
-    const b11 = ((0, modular_js_1.pow2)(b9, _2n, P) * b2) % P;
-    const b22 = ((0, modular_js_1.pow2)(b11, _11n, P) * b11) % P;
-    const b44 = ((0, modular_js_1.pow2)(b22, _22n, P) * b22) % P;
-    const b88 = ((0, modular_js_1.pow2)(b44, _44n, P) * b44) % P;
-    const b176 = ((0, modular_js_1.pow2)(b88, _88n, P) * b88) % P;
-    const b220 = ((0, modular_js_1.pow2)(b176, _44n, P) * b44) % P;
-    const b223 = ((0, modular_js_1.pow2)(b220, _3n, P) * b3) % P;
-    const t1 = ((0, modular_js_1.pow2)(b223, _23n, P) * b22) % P;
-    const t2 = ((0, modular_js_1.pow2)(t1, _6n, P) * b2) % P;
-    const root = (0, modular_js_1.pow2)(t2, _2n, P);
+    const b6 = ((0, modular_ts_1.pow2)(b3, _3n, P) * b3) % P;
+    const b9 = ((0, modular_ts_1.pow2)(b6, _3n, P) * b3) % P;
+    const b11 = ((0, modular_ts_1.pow2)(b9, _2n, P) * b2) % P;
+    const b22 = ((0, modular_ts_1.pow2)(b11, _11n, P) * b11) % P;
+    const b44 = ((0, modular_ts_1.pow2)(b22, _22n, P) * b22) % P;
+    const b88 = ((0, modular_ts_1.pow2)(b44, _44n, P) * b44) % P;
+    const b176 = ((0, modular_ts_1.pow2)(b88, _88n, P) * b88) % P;
+    const b220 = ((0, modular_ts_1.pow2)(b176, _44n, P) * b44) % P;
+    const b223 = ((0, modular_ts_1.pow2)(b220, _3n, P) * b3) % P;
+    const t1 = ((0, modular_ts_1.pow2)(b223, _23n, P) * b22) % P;
+    const t2 = ((0, modular_ts_1.pow2)(t1, _6n, P) * b2) % P;
+    const root = (0, modular_ts_1.pow2)(t2, _2n, P);
     if (!Fpk1.eql(Fpk1.sqr(root), y))
         throw new Error('Cannot find square root');
     return root;
 }
-const Fpk1 = (0, modular_js_1.Field)(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = (0, modular_ts_1.Field)(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 /**
- * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ * secp256k1 curve, ECDSA and ECDH methods.
+ *
+ * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
  *
  * @example
+ * ```js
  * import { secp256k1 } from '@noble/curves/secp256k1';
- *
  * const priv = secp256k1.utils.randomPrivateKey();
  * const pub = secp256k1.getPublicKey(priv);
  * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
  * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
  * const isValid = secp256k1.verify(sig, msg, pub) === true;
+ * ```
  */
-exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
-    a: BigInt(0), // equation params: a, b
+exports.secp256k1 = (0, _shortw_utils_ts_1.createCurve)({
+    a: BigInt(0),
     b: BigInt(7),
-    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    n: secp256k1N, // Curve order, total count of valid points in the field
-    // Base point (x, y) aka generator point
+    Fp: Fpk1,
+    n: secp256k1N,
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
     h: BigInt(1), // Cofactor
@@ -89,8 +91,8 @@ exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
             const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
             const c1 = divNearest(b2 * k, n);
             const c2 = divNearest(-b1 * k, n);
-            let k1 = (0, modular_js_1.mod)(k - c1 * a1 - c2 * a2, n);
-            let k2 = (0, modular_js_1.mod)(-c1 * b1 - c2 * b2, n);
+            let k1 = (0, modular_ts_1.mod)(k - c1 * a1 - c2 * a2, n);
+            let k2 = (0, modular_ts_1.mod)(-c1 * b1 - c2 * b2, n);
             const k1neg = k1 > POW_2_128;
             const k2neg = k2 > POW_2_128;
             if (k1neg)
@@ -103,7 +105,7 @@ exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
             return { k1neg, k1, k2neg, k2 };
         },
     },
-}, sha256_1.sha256);
+}, sha2_1.sha256);
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
@@ -112,17 +114,17 @@ const TAGGED_HASH_PREFIXES = {};
 function taggedHash(tag, ...messages) {
     let tagP = TAGGED_HASH_PREFIXES[tag];
     if (tagP === undefined) {
-        const tagH = (0, sha256_1.sha256)(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
-        tagP = (0, utils_js_1.concatBytes)(tagH, tagH);
+        const tagH = (0, sha2_1.sha256)(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
+        tagP = (0, utils_ts_1.concatBytes)(tagH, tagH);
         TAGGED_HASH_PREFIXES[tag] = tagP;
     }
-    return (0, sha256_1.sha256)((0, utils_js_1.concatBytes)(tagP, ...messages));
+    return (0, sha2_1.sha256)((0, utils_ts_1.concatBytes)(tagP, ...messages));
 }
 // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
 const pointToBytes = (point) => point.toRawBytes(true).slice(1);
-const numTo32b = (n) => (0, utils_js_1.numberToBytesBE)(n, 32);
-const modP = (x) => (0, modular_js_1.mod)(x, secp256k1P);
-const modN = (x) => (0, modular_js_1.mod)(x, secp256k1N);
+const numTo32b = (n) => (0, utils_ts_1.numberToBytesBE)(n, 32);
+const modP = (x) => (0, modular_ts_1.mod)(x, secp256k1P);
+const modN = (x) => (0, modular_ts_1.mod)(x, secp256k1N);
 const Point = exports.secp256k1.ProjectivePoint;
 const GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
 // Calculate point, scalar and bytes
@@ -137,7 +139,7 @@ function schnorrGetExtPubKey(priv) {
  * @returns valid point checked for being on-curve
  */
 function lift_x(x) {
-    (0, utils_js_1.aInRange)('x', x, _1n, secp256k1P); // Fail if x ≥ p.
+    (0, utils_ts_1.aInRange)('x', x, _1n, secp256k1P); // Fail if x ≥ p.
     const xx = modP(x * x);
     const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
     let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
@@ -147,7 +149,7 @@ function lift_x(x) {
     p.assertValidity();
     return p;
 }
-const num = utils_js_1.bytesToNumberBE;
+const num = utils_ts_1.bytesToNumberBE;
 /**
  * Create tagged hash, convert it to bigint, reduce modulo-n.
  */
@@ -165,9 +167,9 @@ function schnorrGetPublicKey(privateKey) {
  * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
  */
 function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) {
-    const m = (0, utils_js_1.ensureBytes)('message', message);
+    const m = (0, utils_ts_1.ensureBytes)('message', message);
     const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder
-    const a = (0, utils_js_1.ensureBytes)('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+    const a = (0, utils_ts_1.ensureBytes)('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
     const t = numTo32b(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
     const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
     const k_ = modN(num(rand)); // Let k' = int(rand) mod n
@@ -188,16 +190,16 @@ function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)
  * Will swallow errors & return false except for initial type validation of arguments.
  */
 function schnorrVerify(signature, message, publicKey) {
-    const sig = (0, utils_js_1.ensureBytes)('signature', signature, 64);
-    const m = (0, utils_js_1.ensureBytes)('message', message);
-    const pub = (0, utils_js_1.ensureBytes)('publicKey', publicKey, 32);
+    const sig = (0, utils_ts_1.ensureBytes)('signature', signature, 64);
+    const m = (0, utils_ts_1.ensureBytes)('message', message);
+    const pub = (0, utils_ts_1.ensureBytes)('publicKey', publicKey, 32);
     try {
         const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
         const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
-        if (!(0, utils_js_1.inRange)(r, _1n, secp256k1P))
+        if (!(0, utils_ts_1.inRange)(r, _1n, secp256k1P))
             return false;
         const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
-        if (!(0, utils_js_1.inRange)(s, _1n, secp256k1N))
+        if (!(0, utils_ts_1.inRange)(s, _1n, secp256k1N))
             return false;
         const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
         const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
@@ -213,12 +215,14 @@ function schnorrVerify(signature, message, publicKey) {
  * Schnorr signatures over secp256k1.
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
+ * ```js
  * import { schnorr } from '@noble/curves/secp256k1';
  * const priv = schnorr.utils.randomPrivateKey();
  * const pub = schnorr.getPublicKey(priv);
  * const msg = new TextEncoder().encode('hello');
  * const sig = schnorr.sign(msg, priv);
  * const isValid = schnorr.verify(sig, msg, pub);
+ * ```
  */
 exports.schnorr = (() => ({
     getPublicKey: schnorrGetPublicKey,
@@ -228,13 +232,13 @@ exports.schnorr = (() => ({
         randomPrivateKey: exports.secp256k1.utils.randomPrivateKey,
         lift_x,
         pointToBytes,
-        numberToBytesBE: utils_js_1.numberToBytesBE,
-        bytesToNumberBE: utils_js_1.bytesToNumberBE,
+        numberToBytesBE: utils_ts_1.numberToBytesBE,
+        bytesToNumberBE: utils_ts_1.bytesToNumberBE,
         taggedHash,
-        mod: modular_js_1.mod,
+        mod: modular_ts_1.mod,
     },
 }))();
-const isoMap = /* @__PURE__ */ (() => (0, hash_to_curve_js_1.isogenyMap)(Fpk1, [
+const isoMap = /* @__PURE__ */ (() => (0, hash_to_curve_ts_1.isogenyMap)(Fpk1, [
     // xNum
     [
         '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
@@ -263,12 +267,12 @@ const isoMap = /* @__PURE__ */ (() => (0, hash_to_curve_js_1.isogenyMap)(Fpk1, [
         '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
     ],
 ].map((i) => i.map((j) => BigInt(j)))))();
-const mapSWU = /* @__PURE__ */ (() => (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fpk1, {
+const mapSWU = /* @__PURE__ */ (() => (0, weierstrass_ts_1.mapToCurveSimpleSWU)(Fpk1, {
     A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
     B: BigInt('1771'),
     Z: Fpk1.create(BigInt('-11')),
 }))();
-const htf = /* @__PURE__ */ (() => (0, hash_to_curve_js_1.createHasher)(exports.secp256k1.ProjectivePoint, (scalars) => {
+const htf = /* @__PURE__ */ (() => (0, hash_to_curve_ts_1.createHasher)(exports.secp256k1.ProjectivePoint, (scalars) => {
     const { x, y } = mapSWU(Fpk1.create(scalars[0]));
     return isoMap(x, y);
 }, {
@@ -278,10 +282,10 @@ const htf = /* @__PURE__ */ (() => (0, hash_to_curve_js_1.createHasher)(exports.
     m: 1,
     k: 128,
     expand: 'xmd',
-    hash: sha256_1.sha256,
+    hash: sha2_1.sha256,
 }))();
-/** secp256k1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256k1 hash-to-curve from RFC 9380. */
 exports.hashToCurve = (() => htf.hashToCurve)();
-/** secp256k1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256k1 encode-to-curve from RFC 9380. */
 exports.encodeToCurve = (() => htf.encodeToCurve)();
 //# sourceMappingURL=secp256k1.js.map

package/secp256k1.js.map

@@ -1 +1 @@
-{"version":3,"file":"secp256k1.js","sourceRoot":"","sources":["src/secp256k1.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;GAWG;AACH,sEAAsE;AACtE,iDAA8C;AAC9C,+CAAkD;AAClD,yDAAoE;AACpE,kEAAkF;AAClF,sDAAyD;AAEzD,kDAO6B;AAC7B,8DAA4F;AAE5F,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;AAE/D;;;GAGG;AACH,SAAS,OAAO,CAAC,CAAS;IACxB,MAAM,CAAC,GAAG,UAAU,CAAC;IACrB,kBAAkB;IAClB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7E,kBAAkB;IAClB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU;IACtC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM;IACpC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,IAAI,GAAG,IAAA,kBAAK,EAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAExE;;;;;;;;;;;GAWG;AACU,QAAA,SAAS,GAAsB,IAAA,8BAAW,EACrD;IACE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,wBAAwB;IACtC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,IAAI,EAAE,sFAAsF;IAChG,CAAC,EAAE,UAAU,EAAE,wDAAwD;IACvE,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,WAAW;IACzB,IAAI,EAAE,IAAI,EAAE,gEAAgE;IAC5E,IAAI,EAAE;QACJ,0BAA0B;QAC1B,IAAI,EAAE,MAAM,CAAC,oEAAoE,CAAC;QAClF,WAAW,EAAE,CAAC,CAAS,EAAE,EAAE;YACzB,MAAM,CAAC,GAAG,UAAU,CAAC;YACrB,MAAM,EAAE,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YACxD,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YAC/D,MAAM,EAAE,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC;YACzD,MAAM,EAAE,GAAG,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC,CAAC,0BAA0B;YAE3F,MAAM,EAAE,GAAG,UAAU,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAClC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACvC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,EAAE,GAAG,SAAS,IAAI,EAAE,GAAG,SAAS,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,CAAC,CAAC;YAC9D,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAClC,CAAC;KACF;CACF,EACD,eAAM,CACP,CAAC;AAEF,+FAA+F;AAC/F,iEAAiE;AACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,wFAAwF;AACxF,MAAM,oBAAoB,GAAkC,EAAE,CAAC;AAC/D,SAAS,UAAU,CAAC,GAAW,EAAE,GAAG,QAAsB;IACxD,IAAI,IAAI,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,GAAG,IAAA,sBAAW,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/B,oBAAoB,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;IACnC,CAAC;IACD,OAAO,IAAA,eAAM,EAAC,IAAA,sBAAW,EAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,oFAAoF;AACpF,MAAM,YAAY,GAAG,CAAC,KAAwB,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnF,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,0BAAe,EAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACvD,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,KAAK,GAAG,iBAAS,CAAC,eAAe,CAAC;AACxC,MAAM,OAAO,GAAG,CAAC,CAAoB,EAAE,CAAS,EAAE,CAAS,EAAE,EAAE,CAC7D,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAE3C,oCAAoC;AACpC,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,EAAE,GAAG,iBAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,yCAAyC;IAChG,IAAI,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,4CAA4C;IAC9E,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;AACpD,CAAC;AACD;;;GAGG;AACH,SAAS,MAAM,CAAC,CAAS;IACvB,IAAA,mBAAQ,EAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,iBAAiB;IACpD,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wBAAwB;IAC5D,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,2BAA2B;IAC/C,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG;QAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,mDAAmD;IACtF,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,mDAAmD;IACnF,CAAC,CAAC,cAAc,EAAE,CAAC;IACnB,OAAO,CAAC,CAAC;AACX,CAAC;AACD,MAAM,GAAG,GAAG,0BAAe,CAAC;AAC5B;;GAEG;AACH,SAAS,SAAS,CAAC,GAAG,IAAkB;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,mBAAmB,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,UAAe;IAC1C,OAAO,mBAAmB,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,oDAAoD;AACpG,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,OAAY,EACZ,UAAmB,EACnB,UAAe,IAAA,mBAAW,EAAC,EAAE,CAAC;IAE9B,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC,gCAAgC;IAClG,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,2CAA2C;IAC1F,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,yDAAyD;IACpH,MAAM,IAAI,GAAG,UAAU,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,4CAA4C;IAChG,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,2BAA2B;IACvD,IAAI,EAAE,KAAK,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC,kBAAkB;IAC7E,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,gBAAgB;IAC1E,MAAM,CAAC,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gEAAgE;IAChG,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,+CAA+C;IAC/E,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACf,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,iEAAiE;IACjE,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACpF,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,SAAc,EAAE,OAAY,EAAE,SAAc;IACjE,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,0CAA0C;QACtE,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,yCAAyC;QAC7E,IAAI,CAAC,IAAA,kBAAO,EAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAC/E,IAAI,CAAC,IAAA,kBAAO,EAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAChG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;QACnD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,gBAAgB;QAC/E,OAAO,IAAI,CAAC,CAAC,yDAAyD;IACxE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAgBD;;;;;;;;;;GAUG;AACU,QAAA,OAAO,GAAgC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC1D,YAAY,EAAE,mBAAmB;IACjC,IAAI,EAAE,WAAW;IACjB,MAAM,EAAE,aAAa;IACrB,KAAK,EAAE;QACL,gBAAgB,EAAE,iBAAS,CAAC,KAAK,CAAC,gBAAgB;QAClD,MAAM;QACN,YAAY;QACZ,eAAe,EAAf,0BAAe;QACf,eAAe,EAAf,0BAAe;QACf,UAAU;QACV,GAAG,EAAH,gBAAG;KACJ;CACF,CAAC,CAAC,EAAE,CAAC;AAEN,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CACnC,IAAA,6BAAU,EACR,IAAI,EACJ;IACE,OAAO;IACP;QACE,oEAAoE;QACpE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;CACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAA6C,CAClF,CAAC,EAAE,CAAC;AACP,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CACnC,IAAA,oCAAmB,EAAC,IAAI,EAAE;IACxB,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC;IACjB,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;CAC9B,CAAC,CAAC,EAAE,CAAC;AACR,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAChC,IAAA,+BAAY,EACV,iBAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE;IACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtB,CAAC,EACD;IACE,GAAG,EAAE,gCAAgC;IACrC,SAAS,EAAE,gCAAgC;IAC3C,CAAC,EAAE,IAAI,CAAC,KAAK;IACb,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,eAAM;CACb,CACF,CAAC,EAAE,CAAC;AAEP,uFAAuF;AAC1E,QAAA,WAAW,GAAsC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;AAExF,yFAAyF;AAC5E,QAAA,aAAa,GAAsC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC"}
+{"version":3,"file":"secp256k1.js","sourceRoot":"","sources":["src/secp256k1.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;GAWG;AACH,sEAAsE;AACtE,6CAA4C;AAC5C,+CAAkD;AAClD,yDAAyE;AACzE,kEAAuF;AACvF,sDAAyD;AAEzD,kDAO6B;AAC7B,8DAAiG;AAEjG,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;AAE/D;;;GAGG;AACH,SAAS,OAAO,CAAC,CAAS;IACxB,MAAM,CAAC,GAAG,UAAU,CAAC;IACrB,kBAAkB;IAClB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7E,kBAAkB;IAClB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU;IACtC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM;IACpC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,IAAI,GAAG,IAAA,kBAAK,EAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAExE;;;;;;;;;;;;;;GAcG;AACU,QAAA,SAAS,GAAsB,IAAA,8BAAW,EACrD;IACE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,IAAI;IACR,CAAC,EAAE,UAAU;IACb,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,WAAW;IACzB,IAAI,EAAE,IAAI,EAAE,gEAAgE;IAC5E,IAAI,EAAE;QACJ,0BAA0B;QAC1B,IAAI,EAAE,MAAM,CAAC,oEAAoE,CAAC;QAClF,WAAW,EAAE,CAAC,CAAS,EAAE,EAAE;YACzB,MAAM,CAAC,GAAG,UAAU,CAAC;YACrB,MAAM,EAAE,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YACxD,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YAC/D,MAAM,EAAE,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC;YACzD,MAAM,EAAE,GAAG,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC,CAAC,0BAA0B;YAE3F,MAAM,EAAE,GAAG,UAAU,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAClC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACvC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,EAAE,GAAG,SAAS,IAAI,EAAE,GAAG,SAAS,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,CAAC,CAAC;YAC9D,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAClC,CAAC;KACF;CACF,EACD,aAAM,CACP,CAAC;AAEF,+FAA+F;AAC/F,iEAAiE;AACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,wFAAwF;AACxF,MAAM,oBAAoB,GAAkC,EAAE,CAAC;AAC/D,SAAS,UAAU,CAAC,GAAW,EAAE,GAAG,QAAsB;IACxD,IAAI,IAAI,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,IAAA,aAAM,EAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,GAAG,IAAA,sBAAW,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/B,oBAAoB,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;IACnC,CAAC;IACD,OAAO,IAAA,aAAM,EAAC,IAAA,sBAAW,EAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,oFAAoF;AACpF,MAAM,YAAY,GAAG,CAAC,KAAwB,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnF,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,0BAAe,EAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACvD,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,KAAK,GAAG,iBAAS,CAAC,eAAe,CAAC;AACxC,MAAM,OAAO,GAAG,CAAC,CAAoB,EAAE,CAAS,EAAE,CAAS,EAAE,EAAE,CAC7D,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAE3C,oCAAoC;AACpC,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,EAAE,GAAG,iBAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,yCAAyC;IAChG,IAAI,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,4CAA4C;IAC9E,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;AACpD,CAAC;AACD;;;GAGG;AACH,SAAS,MAAM,CAAC,CAAS;IACvB,IAAA,mBAAQ,EAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,iBAAiB;IACpD,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wBAAwB;IAC5D,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,2BAA2B;IAC/C,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG;QAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,mDAAmD;IACtF,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,mDAAmD;IACnF,CAAC,CAAC,cAAc,EAAE,CAAC;IACnB,OAAO,CAAC,CAAC;AACX,CAAC;AACD,MAAM,GAAG,GAAG,0BAAe,CAAC;AAC5B;;GAEG;AACH,SAAS,SAAS,CAAC,GAAG,IAAkB;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,mBAAmB,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,UAAe;IAC1C,OAAO,mBAAmB,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,oDAAoD;AACpG,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,OAAY,EACZ,UAAmB,EACnB,UAAe,IAAA,mBAAW,EAAC,EAAE,CAAC;IAE9B,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC,gCAAgC;IAClG,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,2CAA2C;IAC1F,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,yDAAyD;IACpH,MAAM,IAAI,GAAG,UAAU,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,4CAA4C;IAChG,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,2BAA2B;IACvD,IAAI,EAAE,KAAK,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC,kBAAkB;IAC7E,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,gBAAgB;IAC1E,MAAM,CAAC,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gEAAgE;IAChG,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,+CAA+C;IAC/E,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACf,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,iEAAiE;IACjE,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACpF,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,SAAc,EAAE,OAAY,EAAE,SAAc;IACjE,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,0CAA0C;QACtE,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,yCAAyC;QAC7E,IAAI,CAAC,IAAA,kBAAO,EAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAC/E,IAAI,CAAC,IAAA,kBAAO,EAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAChG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;QACnD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,gBAAgB;QAC/E,OAAO,IAAI,CAAC,CAAC,yDAAyD;IACxE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAgBD;;;;;;;;;;;;GAYG;AACU,QAAA,OAAO,GAAgC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC1D,YAAY,EAAE,mBAAmB;IACjC,IAAI,EAAE,WAAW;IACjB,MAAM,EAAE,aAAa;IACrB,KAAK,EAAE;QACL,gBAAgB,EAAE,iBAAS,CAAC,KAAK,CAAC,gBAAgB;QAClD,MAAM;QACN,YAAY;QACZ,eAAe,EAAf,0BAAe;QACf,eAAe,EAAf,0BAAe;QACf,UAAU;QACV,GAAG,EAAH,gBAAG;KACJ;CACF,CAAC,CAAC,EAAE,CAAC;AAEN,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CACnC,IAAA,6BAAU,EACR,IAAI,EACJ;IACE,OAAO;IACP;QACE,oEAAoE;QACpE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;CACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAA6C,CAClF,CAAC,EAAE,CAAC;AACP,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CACnC,IAAA,oCAAmB,EAAC,IAAI,EAAE;IACxB,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC;IACjB,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;CAC9B,CAAC,CAAC,EAAE,CAAC;AACR,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAChC,IAAA,+BAAY,EACV,iBAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE;IACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtB,CAAC,EACD;IACE,GAAG,EAAE,gCAAgC;IACrC,SAAS,EAAE,gCAAgC;IAC3C,CAAC,EAAE,IAAI,CAAC,KAAK;IACb,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,aAAM;CACb,CACF,CAAC,EAAE,CAAC;AAEP,6CAA6C;AAChC,QAAA,WAAW,GAAsC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;AAExF,+CAA+C;AAClC,QAAA,aAAa,GAAsC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC"}

package/src/_shortw_utils.ts

@@ -5,8 +5,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { CHash } from './abstract/utils.js';
-import { CurveType, CurveFn, weierstrass } from './abstract/weierstrass.js';
+import type { CHash } from './abstract/utils.ts';
+import { type CurveFn, type CurveType, weierstrass } from './abstract/weierstrass.ts';
 
 /** connects noble-curves to noble-hashes */
 export function getHash(hash: CHash): {

package/src/abstract/bls.ts

@@ -16,21 +16,23 @@
  * @module
  **/
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: import { AffinePoint } from './curve.js';
-import { IField, getMinHashLength, mapHashToField } from './modular.js';
-import { Hex, PrivKey, CHash, ensureBytes, memoized } from './utils.js';
-// prettier-ignore
+// TODO: import { AffinePoint } from './curve.ts';
 import {
-  MapToCurve, Opts as HTFOpts, H2CPointConstructor, htfBasicOpts,
-  createHasher
-} from './hash-to-curve.js';
+  type H2CPointConstructor,
+  type htfBasicOpts,
+  type Opts as HTFOpts,
+  type MapToCurve,
+  createHasher,
+} from './hash-to-curve.ts';
+import { type IField, getMinHashLength, mapHashToField } from './modular.ts';
+import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6 } from './tower.ts';
+import { type CHash, type Hex, type PrivKey, ensureBytes, memoized } from './utils.ts';
 import {
-  CurvePointsType,
-  ProjPointType as ProjPointType,
-  CurvePointsRes,
+  type CurvePointsRes,
+  type CurvePointsType,
+  type ProjPointType,
   weierstrassPoints,
-} from './weierstrass.js';
-import type { Fp2, Fp6, Fp12, Fp2Bls, Fp12Bls } from './tower.js';
+} from './weierstrass.ts';
 
 type Fp = bigint; // Can be different field?
 

package/src/abstract/curve.ts

@@ -4,8 +4,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { IField, validateField, nLength } from './modular.js';
-import { validateObject, bitLen } from './utils.js';
+import { type IField, nLength, validateField } from './modular.ts';
+import { bitLen, bitMask, validateObject } from './utils.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -40,11 +40,48 @@ function validateW(W: number, bits: number) {
     throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
 }
 
-function calcWOpts(W: number, bits: number) {
-  validateW(W, bits);
-  const windows = Math.ceil(bits / W) + 1; // +1, because
-  const windowSize = 2 ** (W - 1); // -1 because we skip zero
-  return { windows, windowSize };
+/** Internal wNAF opts for specific W and scalarBits */
+export type WOpts = {
+  windows: number;
+  windowSize: number;
+  mask: bigint;
+  maxNumber: number;
+  shiftBy: bigint;
+};
+
+function calcWOpts(W: number, scalarBits: number): WOpts {
+  validateW(W, scalarBits);
+  const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
+  const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
+  const maxNumber = 2 ** W; // W=8 256
+  const mask = bitMask(W); // W=8 255 == mask 0b11111111
+  const shiftBy = BigInt(W); // W=8 8
+  return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+
+function calcOffsets(n: bigint, window: number, wOpts: WOpts) {
+  const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+  let wbits = Number(n & mask); // extract W bits.
+  let nextN = n >> shiftBy; // shift number by W bits.
+
+  // What actually happens here:
+  // const highestBit = Number(mask ^ (mask >> 1n));
+  // let wbits2 = wbits - 1; // skip zero
+  // if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
+
+  // split if bits > max: +224 => 256-32
+  if (wbits > windowSize) {
+    // we skip zero, which means instead of `>= size-1`, we do `> size`
+    wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
+    nextN += _1n; // +256 (carry)
+  }
+  const offsetStart = window * windowSize;
+  const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
+  const isZero = wbits === 0; // is current window slice a 0?
+  const isNeg = wbits < 0; // is current window slice negative?
+  const isNegF = window % 2 !== 0; // fake random statement for noise
+  const offsetF = offsetStart; // fake offset for noise
+  return { nextN, offset, isZero, isNeg, isNegF, offsetF };
 }
 
 function validateMSMPoints(points: any[], c: any) {
@@ -61,9 +98,10 @@ function validateMSMScalars(scalars: any[], field: any) {
 }
 
 // Since points in different groups cannot be equal (different object constructor),
-// we can have single place to store precomputes
+// we can have single place to store precomputes.
+// Allows to make points frozen / immutable.
 const pointPrecomputes = new WeakMap<any, any[]>();
-const pointWindowSizes = new WeakMap<any, number>(); // This allows use make points immutable (nothing changes inside)
+const pointWindowSizes = new WeakMap<any, number>();
 
 function getW(P: any): number {
   return pointWindowSizes.get(P) || 1;
@@ -135,7 +173,7 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
       for (let window = 0; window < windows; window++) {
         base = p;
         points.push(base);
-        // =1, because we skip zero
+        // i=1, bc we skip 0
         for (let i = 1; i < windowSize; i++) {
           base = base.add(p);
           points.push(base);
@@ -153,54 +191,34 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
      * @returns real and fake (for const-time) points
      */
     wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T } {
-      // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
-      // But need to carefully remove other checks before wNAF. ORDER == bits here
-      const { windows, windowSize } = calcWOpts(W, bits);
-
+      // Smaller version:
+      // https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+      // TODO: check the scalar is less than group order?
+      // wNAF behavior is undefined otherwise. But have to carefully remove
+      // other checks before wNAF. ORDER == bits here.
+      // Accumulators
       let p = c.ZERO;
       let f = c.BASE;
-
-      const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-      const maxNumber = 2 ** W;
-      const shiftBy = BigInt(W);
-
-      for (let window = 0; window < windows; window++) {
-        const offset = window * windowSize;
-        // Extract W bits.
-        let wbits = Number(n & mask);
-
-        // Shift number by W bits.
-        n >>= shiftBy;
-
-        // If the bits are bigger than max size, we'll split those.
-        // +224 => 256 - 32
-        if (wbits > windowSize) {
-          wbits -= maxNumber;
-          n += _1n;
-        }
-
-        // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-        // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-        // there is negate now: it is possible that negated element from low value
-        // would be the same as high element, which will create carry into next window.
-        // It's not obvious how this can fail, but still worth investigating later.
-
-        // Check if we're onto Zero point.
-        // Add random point inside current window to f.
-        const offset1 = offset;
-        const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero
-        const cond1 = window % 2 !== 0;
-        const cond2 = wbits < 0;
-        if (wbits === 0) {
-          // The most important part for const-time getPublicKey
-          f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+      // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+      // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+      // there is negate now: it is possible that negated element from low value
+      // would be the same as high element, which will create carry into next window.
+      // It's not obvious how this can fail, but still worth investigating later.
+      const wo = calcWOpts(W, bits);
+      for (let window = 0; window < wo.windows; window++) {
+        // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
+        const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+        n = nextN;
+        if (isZero) {
+          // bits are 0: add garbage to fake point
+          // Important part for const-time getPublicKey: add random "noise" point to f.
+          f = f.add(constTimeNegate(isNegF, precomputes[offsetF]));
         } else {
-          p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+          // bits are 1: add to result point
+          p = p.add(constTimeNegate(isNeg, precomputes[offset]));
         }
       }
-      // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
-      // Even if the variable is still unused, there are some checks which will
-      // throw an exception, so compiler needs to prove they won't happen, which is hard.
+      // Return both real and fake points: JIT won't eliminate f.
       // At this point there is a way to F be infinity-point even if p is not,
       // which makes it less const-time: around 1 bigint multiply.
       return { p, f };
@@ -215,28 +233,19 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
      * @returns point
      */
     wNAFUnsafe(W: number, precomputes: T[], n: bigint, acc: T = c.ZERO): T {
-      const { windows, windowSize } = calcWOpts(W, bits);
-      const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-      const maxNumber = 2 ** W;
-      const shiftBy = BigInt(W);
-      for (let window = 0; window < windows; window++) {
-        const offset = window * windowSize;
-        if (n === _0n) break; // No need to go over empty scalar
-        // Extract W bits.
-        let wbits = Number(n & mask);
-        // Shift number by W bits.
-        n >>= shiftBy;
-        // If the bits are bigger than max size, we'll split those.
-        // +224 => 256 - 32
-        if (wbits > windowSize) {
-          wbits -= maxNumber;
-          n += _1n;
+      const wo = calcWOpts(W, bits);
+      for (let window = 0; window < wo.windows; window++) {
+        if (n === _0n) break; // Early-exit, skip 0 value
+        const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+        n = nextN;
+        if (isZero) {
+          // Window bits are 0: skip processing.
+          // Move to next window.
+          continue;
+        } else {
+          const item = precomputes[offset];
+          acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
         }
-        if (wbits === 0) continue;
-        let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
-        if (wbits < 0) curr = curr.negate();
-        // NOTE: by re-using acc, we can save a lot of additions in case of MSM
-        acc = acc.add(curr);
       }
       return acc;
     },
@@ -276,7 +285,7 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
 
 /**
  * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
+ * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
  * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
  * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
  * @param c Curve Point constructor
@@ -303,15 +312,15 @@ export function pippenger<T extends Group<T>>(
   const zero = c.ZERO;
   const wbits = bitLen(BigInt(points.length));
   const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
-  const MASK = (1 << windowSize) - 1;
-  const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
+  const MASK = bitMask(windowSize);
+  const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
   const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
   let sum = zero;
   for (let i = lastBits; i >= 0; i -= windowSize) {
     buckets.fill(zero);
     for (let j = 0; j < scalars.length; j++) {
       const scalar = scalars[j];
-      const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
+      const wbits = Number((scalar >> BigInt(i)) & MASK);
       buckets[wbits] = buckets[wbits].add(points[j]);
     }
     let resI = zero; // not using this will do small speed-up, but will lose ct
@@ -378,7 +387,7 @@ export function precomputeMSMUnsafe<T extends Group<T>>(
   const zero = c.ZERO;
   const tableSize = 2 ** windowSize - 1; // table size (without zero)
   const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
-  const MASK = BigInt((1 << windowSize) - 1);
+  const MASK = bitMask(windowSize);
   const tables = points.map((p: T) => {
     const res = [];
     for (let i = 0, acc = p; i < tableSize; i++) {