@noble/curves 1.9.7 → 2.0.0-beta.2

package/src/nist.ts

@@ -5,18 +5,21 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
 import { createHasher, type H2CHasher } from './abstract/hash-to-curve.ts';
 import { Field } from './abstract/modular.ts';
+import { createORPF, type OPRF } from './abstract/oprf.ts';
 import {
+  ecdsa,
   mapToCurveSimpleSWU,
+  weierstrass,
+  type ECDSA,
   type WeierstrassOpts,
   type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
 
 // p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
 // a = Fp256.create(BigInt('-3'));
-const p256_CURVE: WeierstrassOpts<bigint> = {
+const p256_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
   h: BigInt(1),
@@ -24,10 +27,10 @@ const p256_CURVE: WeierstrassOpts<bigint> = {
   b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
   Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
   Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-};
+}))();
 
 // p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-const p384_CURVE: WeierstrassOpts<bigint> = {
+const p384_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt(
     '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
   ),
@@ -47,10 +50,10 @@ const p384_CURVE: WeierstrassOpts<bigint> = {
   Gy: BigInt(
     '0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'
   ),
-};
+}))();
 
 // p = 2n**521n - 1n
-const p521_CURVE: WeierstrassOpts<bigint> = {
+const p521_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt(
     '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
   ),
@@ -70,34 +73,45 @@ const p521_CURVE: WeierstrassOpts<bigint> = {
   Gy: BigInt(
     '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
   ),
-};
+}))();
 
-const Fp256 = Field(p256_CURVE.p);
-const Fp384 = Field(p384_CURVE.p);
-const Fp521 = Field(p521_CURVE.p);
 type SwuOpts = {
   A: bigint;
   B: bigint;
   Z: bigint;
 };
+
 function createSWU(Point: WeierstrassPointCons<bigint>, opts: SwuOpts) {
   const map = mapToCurveSimpleSWU(Point.Fp, opts);
   return (scalars: bigint[]) => map(scalars[0]);
 }
 
-/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
-export const p256: CurveFnWithCreate = createCurve(
-  { ...p256_CURVE, Fp: Fp256, lowS: false },
-  sha256
-);
+// NIST P256
+const p256_Point = /* @__PURE__ */ weierstrass(p256_CURVE);
+/**
+ * NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods.
+ * Hashes inputs with sha256 by default.
+ *
+ * @example
+ * ```js
+ * import { p256 } from '@noble/curves/nist.js';
+ * const { secretKey, publicKey } = p256.keygen();
+ * // const publicKey = p256.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
+ * const sig = p256.sign(msg, secretKey);
+ * const isValid = p256.verify(sig, msg, publicKey);
+ * // const sigKeccak = p256.sign(keccak256(msg), secretKey, { prehash: false });
+ * ```
+ */
+export const p256: ECDSA = /* @__PURE__ */ ecdsa(p256_Point, sha256);
 /** Hashing / encoding to p256 points / field. RFC 9380 methods. */
-export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p256_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p256.Point,
-    createSWU(p256.Point, {
+    p256_Point,
+    createSWU(p256_Point, {
       A: p256_CURVE.a,
       B: p256_CURVE.b,
-      Z: p256.Point.Fp.create(BigInt('-10')),
+      Z: p256_Point.Fp.create(BigInt('-10')),
     }),
     {
       DST: 'P256_XMD:SHA-256_SSWU_RO_',
@@ -110,28 +124,28 @@ export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
     }
   );
 })();
+/** p256 OPRF, defined in RFC 9497. */
+export const p256_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P256-SHA256',
+    Point: p256_Point,
+    hash: sha256,
+    hashToGroup: p256_hasher.hashToCurve,
+    hashToScalar: p256_hasher.hashToScalar,
+  }))();
 
-// export const p256_oprf: OPRF = createORPF({
-//   name: 'P256-SHA256',
-//   Point: p256.Point,
-//   hash: sha256,
-//   hashToGroup: p256_hasher.hashToCurve,
-//   hashToScalar: p256_hasher.hashToScalar,
-// });
-
-/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
-export const p384: CurveFnWithCreate = createCurve(
-  { ...p384_CURVE, Fp: Fp384, lowS: false },
-  sha384
-);
+// NIST P384
+const p384_Point = /* @__PURE__ */ weierstrass(p384_CURVE);
+/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. Hashes inputs with sha384 by default. */
+export const p384: ECDSA = /* @__PURE__ */ ecdsa(p384_Point, sha384);
 /** Hashing / encoding to p384 points / field. RFC 9380 methods. */
-export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p384_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p384.Point,
-    createSWU(p384.Point, {
+    p384_Point,
+    createSWU(p384_Point, {
       A: p384_CURVE.a,
       B: p384_CURVE.b,
-      Z: p384.Point.Fp.create(BigInt('-12')),
+      Z: p384_Point.Fp.create(BigInt('-12')),
     }),
     {
       DST: 'P384_XMD:SHA-384_SSWU_RO_',
@@ -144,37 +158,29 @@ export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
     }
   );
 })();
+/** p384 OPRF, defined in RFC 9497. */
+export const p384_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P384-SHA384',
+    Point: p384_Point,
+    hash: sha384,
+    hashToGroup: p384_hasher.hashToCurve,
+    hashToScalar: p384_hasher.hashToScalar,
+  }))();
 
-// export const p384_oprf: OPRF = createORPF({
-//   name: 'P384-SHA384',
-//   Point: p384.Point,
-//   hash: sha384,
-//   hashToGroup: p384_hasher.hashToCurve,
-//   hashToScalar: p384_hasher.hashToScalar,
-// });
-
-// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
-/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
-export const p521: CurveFnWithCreate = createCurve(
-  { ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] },
-  sha512
-);
-
-/** @deprecated use `p256` for consistency with `p256_hasher` */
-export const secp256r1: typeof p256 = p256;
-/** @deprecated use `p384` for consistency with `p384_hasher` */
-export const secp384r1: typeof p384 = p384;
-/** @deprecated use `p521` for consistency with `p521_hasher` */
-export const secp521r1: typeof p521 = p521;
-
+// NIST P521
+const Fn521 = /* @__PURE__ */ (() => Field(p521_CURVE.n, { allowedLengths: [65, 66] }))();
+const p521_Point = /* @__PURE__ */ weierstrass(p521_CURVE, { Fn: Fn521 });
+/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. Hashes inputs with sha512 by default. */
+export const p521: ECDSA = /* @__PURE__ */ ecdsa(p521_Point, sha512);
 /** Hashing / encoding to p521 points / field. RFC 9380 methods. */
-export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p521_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p521.Point,
-    createSWU(p521.Point, {
+    p521_Point,
+    createSWU(p521_Point, {
       A: p521_CURVE.a,
       B: p521_CURVE.b,
-      Z: p521.Point.Fp.create(BigInt('-4')),
+      Z: p521_Point.Fp.create(BigInt('-4')),
     }),
     {
       DST: 'P521_XMD:SHA-512_SSWU_RO_',
@@ -187,11 +193,12 @@ export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
     }
   );
 })();
-
-// export const p521_oprf: OPRF = createORPF({
-//   name: 'P521-SHA512',
-//   Point: p521.Point,
-//   hash: sha512,
-//   hashToGroup: p521_hasher.hashToCurve,
-//   hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
-// });
+/** p521 OPRF, defined in RFC 9497. */
+export const p521_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P521-SHA512',
+    Point: p521_Point,
+    hash: sha512,
+    hashToGroup: p521_hasher.hashToCurve,
+    hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
+  }))();

package/src/secp256k1.ts

@@ -8,35 +8,23 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha2.js';
 import { randomBytes } from '@noble/hashes/utils.js';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import type { CurveLengths } from './abstract/curve.ts';
+import { createKeygen, type CurveLengths } from './abstract/curve.ts';
+import { createHasher, type H2CHasher, isogenyMap } from './abstract/hash-to-curve.ts';
+import { Field, mapHashToField, pow2 } from './abstract/modular.ts';
 import {
-  createHasher,
-  type H2CHasher,
-  type H2CMethod,
-  isogenyMap,
-} from './abstract/hash-to-curve.ts';
-import { Field, mapHashToField, mod, pow2 } from './abstract/modular.ts';
-import {
-  _normFnElement,
+  type ECDSA,
+  ecdsa,
   type EndomorphismOpts,
   mapToCurveSimpleSWU,
   type WeierstrassPoint as PointType,
+  weierstrass,
   type WeierstrassOpts,
   type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
-import type { Hex, PrivKey } from './utils.ts';
-import {
-  bytesToNumberBE,
-  concatBytes,
-  ensureBytes,
-  inRange,
-  numberToBytesBE,
-  utf8ToBytes,
-} from './utils.ts';
+import { abytes, asciiToBytes, bytesToNumberBE, concatBytes } from './utils.ts';
 
 // Seems like generator was produced from some seed:
-// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
+// `Pointk1.BASE.multiply(Pointk1.Fn.inv(2n, N)).toAffine().x`
 // // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
 const secp256k1_CURVE: WeierstrassOpts<bigint> = {
   p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
@@ -57,7 +45,6 @@ const secp256k1_ENDO: EndomorphismOpts = {
 };
 
 const _0n = /* @__PURE__ */ BigInt(0);
-const _1n = /* @__PURE__ */ BigInt(1);
 const _2n = /* @__PURE__ */ BigInt(2);
 
 /**
@@ -89,25 +76,29 @@ function sqrtMod(y: bigint): bigint {
 }
 
 const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
+const Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
+  Fp: Fpk1,
+  endo: secp256k1_ENDO,
+});
 
 /**
- * secp256k1 curve, ECDSA and ECDH methods.
+ * secp256k1 curve: ECDSA and ECDH methods.
  *
- * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
+ * Uses sha256 to hash messages. To use a different hash,
+ * pass `{ prehash: false }` to sign / verify.
  *
  * @example
  * ```js
- * import { secp256k1 } from '@noble/curves/secp256k1';
+ * import { secp256k1 } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = secp256k1.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = secp256k1.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = secp256k1.sign(msg, secretKey);
- * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
+ * const isValid = secp256k1.verify(sig, msg, publicKey);
+ * // const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
  * ```
  */
-export const secp256k1: CurveFnWithCreate = createCurve(
-  { ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO },
-  sha256
-);
+export const secp256k1: ECDSA = /* @__PURE__ */ ecdsa(Pointk1, sha256);
 
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
@@ -116,7 +107,7 @@ const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
 function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
   let tagP = TAGGED_HASH_PREFIXES[tag];
   if (tagP === undefined) {
-    const tagH = sha256(utf8ToBytes(tag));
+    const tagH = sha256(asciiToBytes(tag));
     tagP = concatBytes(tagH, tagH);
     TAGGED_HASH_PREFIXES[tag] = tagP;
   }
@@ -125,13 +116,12 @@ function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
 
 // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
 const pointToBytes = (point: PointType<bigint>) => point.toBytes(true).slice(1);
-const Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
 const hasEven = (y: bigint) => y % _2n === _0n;
 
 // Calculate point, scalar and bytes
-function schnorrGetExtPubKey(priv: PrivKey) {
+function schnorrGetExtPubKey(priv: Uint8Array) {
   const { Fn, BASE } = Pointk1;
-  const d_ = _normFnElement(Fn, priv);
+  const d_ = Fn.fromBytes(priv);
   const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
   const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
   return { scalar, bytes: pointToBytes(p) };
@@ -164,7 +154,7 @@ function challenge(...args: Uint8Array[]): bigint {
 /**
  * Schnorr public key is just `x` coordinate of Point as per BIP340.
  */
-function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
+function schnorrGetPublicKey(secretKey: Uint8Array): Uint8Array {
   return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
 
@@ -172,11 +162,15 @@ function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
  * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
  * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
  */
-function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomBytes(32)): Uint8Array {
+function schnorrSign(
+  message: Uint8Array,
+  secretKey: Uint8Array,
+  auxRand: Uint8Array = randomBytes(32)
+): Uint8Array {
   const { Fn } = Pointk1;
-  const m = ensureBytes('message', message);
+  const m = abytes(message, undefined, 'message');
   const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
-  const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+  const a = abytes(auxRand, 32, 'auxRand'); // Auxiliary random data a: a 32-byte array
   const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
   const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
   // Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G
@@ -194,19 +188,19 @@ function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomByte
  * Verifies Schnorr signature.
  * Will swallow errors & return false except for initial type validation of arguments.
  */
-function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
-  const { Fn, BASE } = Pointk1;
-  const sig = ensureBytes('signature', signature, 64);
-  const m = ensureBytes('message', message);
-  const pub = ensureBytes('publicKey', publicKey, 32);
+function schnorrVerify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): boolean {
+  const { Fp, Fn, BASE } = Pointk1;
+  const sig = abytes(signature, 64, 'signature');
+  const m = abytes(message, undefined, 'message');
+  const pub = abytes(publicKey, 32, 'publicKey');
   try {
     const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
     const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
-    if (!inRange(r, _1n, secp256k1_CURVE.p)) return false;
+    if (!Fp.isValidNot0(r)) return false;
     const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
-    if (!inRange(s, _1n, secp256k1_CURVE.n)) return false;
-    // int(challenge(bytes(r)||bytes(P)||m))%n
-    const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
+    if (!Fn.isValidNot0(s)) return false;
+
+    const e = challenge(Fn.toBytes(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
     // R = s⋅G - e⋅P, where -eP == (n-e)P
     const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
     const { x, y } = R.toAffine();
@@ -229,15 +223,6 @@ export type SecpSchnorr = {
     pointToBytes: (point: PointType<bigint>) => Uint8Array;
     lift_x: typeof lift_x;
     taggedHash: typeof taggedHash;
-
-    /** @deprecated use `randomSecretKey` */
-    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
-    /** @deprecated use `utils` */
-    numberToBytesBE: typeof numberToBytesBE;
-    /** @deprecated use `utils` */
-    bytesToNumberBE: typeof bytesToNumberBE;
-    /** @deprecated use `modular` */
-    mod: typeof mod;
   };
   lengths: CurveLengths;
 };
@@ -246,7 +231,7 @@ export type SecpSchnorr = {
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
  * ```js
- * import { schnorr } from '@noble/curves/secp256k1';
+ * import { schnorr } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = schnorr.keygen();
  * // const publicKey = schnorr.getPublicKey(secretKey);
  * const msg = new TextEncoder().encode('hello');
@@ -260,29 +245,17 @@ export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
   const randomSecretKey = (seed = randomBytes(seedLength)): Uint8Array => {
     return mapHashToField(seed, secp256k1_CURVE.n);
   };
-  // TODO: remove
-  secp256k1.utils.randomSecretKey;
-  function keygen(seed?: Uint8Array) {
-    const secretKey = randomSecretKey(seed);
-    return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
-  }
   return {
-    keygen,
+    keygen: createKeygen(randomSecretKey, schnorrGetPublicKey),
     getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,
     Point: Pointk1,
     utils: {
-      randomSecretKey: randomSecretKey,
-      randomPrivateKey: randomSecretKey,
+      randomSecretKey,
       taggedHash,
-
-      // TODO: remove
       lift_x,
       pointToBytes,
-      numberToBytesBE,
-      bytesToNumberBE,
-      mod,
     },
     lengths: {
       secretKey: size,
@@ -335,9 +308,9 @@ const mapSWU = /* @__PURE__ */ (() =>
   }))();
 
 /** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
-export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
+export const secp256k1_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() =>
   createHasher(
-    secp256k1.Point,
+    Pointk1,
     (scalars: bigint[]) => {
       const { x, y } = mapSWU(Fpk1.create(scalars[0]));
       return isoMap(x, y);
@@ -352,11 +325,3 @@ export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
       hash: sha256,
     }
   ))();
-
-/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  secp256k1_hasher.hashToCurve)();
-
-/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  secp256k1_hasher.encodeToCurve)();