@protontech/openpgp 6.0.0 → 6.0.2-patch.0

package/dist/lightweight/noble_curves.mjs

@@ -1,17 +1,18 @@
-/*! OpenPGP.js v6.0.0 - 2024-11-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.2-patch.0 - 2024-11-27 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
-import { H as Hash, h as hash, t as toBytes, e as exists, b as bytes, c as concatBytes$1, r as randomBytes, s as sha256, a as sha384, d as sha512, w as wrapConstructor, u as utf8ToBytes$1, f as shake256 } from './sha3.mjs';
+import { s as sha256, a as sha384, b as sha512 } from './sha512.mjs';
+import { H as Hash, a as ahash, t as toBytes, b as aexists, c as abytes$1, d as concatBytes$1, r as randomBytes, w as wrapConstructor, u as utf8ToBytes$1, s as shake256 } from './sha3.mjs';
 
 // HMAC (RFC 2104)
 class HMAC extends Hash {
-    constructor(hash$1, _key) {
+    constructor(hash, _key) {
         super();
         this.finished = false;
         this.destroyed = false;
-        hash(hash$1);
+        ahash(hash);
         const key = toBytes(_key);
-        this.iHash = hash$1.create();
+        this.iHash = hash.create();
         if (typeof this.iHash.update !== 'function')
             throw new Error('Expected instance of class which extends utils.Hash');
         this.blockLen = this.iHash.blockLen;
@@ -19,12 +20,12 @@ class HMAC extends Hash {
         const blockLen = this.blockLen;
         const pad = new Uint8Array(blockLen);
         // blockLen can be bigger than outputLen
-        pad.set(key.length > blockLen ? hash$1.create().update(key).digest() : key);
+        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
         for (let i = 0; i < pad.length; i++)
             pad[i] ^= 0x36;
         this.iHash.update(pad);
         // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
-        this.oHash = hash$1.create();
+        this.oHash = hash.create();
         // Undo internal XOR && apply outer XOR
         for (let i = 0; i < pad.length; i++)
             pad[i] ^= 0x36 ^ 0x5c;
@@ -32,13 +33,13 @@ class HMAC extends Hash {
         pad.fill(0);
     }
     update(buf) {
-        exists(this);
+        aexists(this);
         this.iHash.update(buf);
         return this;
     }
     digestInto(out) {
-        exists(this);
-        bytes(out, this.outputLen);
+        aexists(this);
+        abytes$1(out, this.outputLen);
         this.finished = true;
         this.iHash.digestInto(out);
         this.oHash.update(out);
@@ -91,8 +92,7 @@ const _0n$5 = /* @__PURE__ */ BigInt(0);
 const _1n$7 = /* @__PURE__ */ BigInt(1);
 const _2n$4 = /* @__PURE__ */ BigInt(2);
 function isBytes(a) {
-    return (a instanceof Uint8Array ||
-        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
 }
 function abytes(item) {
     if (!isBytes(item))
@@ -100,7 +100,7 @@ function abytes(item) {
 }
 function abool(title, value) {
     if (typeof value !== 'boolean')
-        throw new Error(`${title} must be valid boolean, got "${value}".`);
+        throw new Error(title + ' boolean expected, got ' + value);
 }
 // Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
@@ -118,23 +118,22 @@ function bytesToHex(bytes) {
 }
 function numberToHexUnpadded(num) {
     const hex = num.toString(16);
-    return hex.length & 1 ? `0${hex}` : hex;
+    return hex.length & 1 ? '0' + hex : hex;
 }
 function hexToNumber(hex) {
     if (typeof hex !== 'string')
         throw new Error('hex string expected, got ' + typeof hex);
-    // Big Endian
-    return BigInt(hex === '' ? '0' : `0x${hex}`);
+    return hex === '' ? _0n$5 : BigInt('0x' + hex); // Big Endian
 }
 // We use optimized technique to convert hex string to byte array
-const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
-function asciiToBase16(char) {
-    if (char >= asciis._0 && char <= asciis._9)
-        return char - asciis._0;
-    if (char >= asciis._A && char <= asciis._F)
-        return char - (asciis._A - 10);
-    if (char >= asciis._a && char <= asciis._f)
-        return char - (asciis._a - 10);
+const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+    if (ch >= asciis._0 && ch <= asciis._9)
+        return ch - asciis._0; // '2' => 50-48
+    if (ch >= asciis.A && ch <= asciis.F)
+        return ch - (asciis.A - 10); // 'B' => 66-(65-10)
+    if (ch >= asciis.a && ch <= asciis.f)
+        return ch - (asciis.a - 10); // 'b' => 98-(97-10)
     return;
 }
 /**
@@ -146,7 +145,7 @@ function hexToBytes(hex) {
     const hl = hex.length;
     const al = hl / 2;
     if (hl % 2)
-        throw new Error('padded hex string expected, got unpadded hex of length ' + hl);
+        throw new Error('hex string expected, got unpadded hex of length ' + hl);
     const array = new Uint8Array(al);
     for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
         const n1 = asciiToBase16(hex.charCodeAt(hi));
@@ -155,7 +154,7 @@ function hexToBytes(hex) {
             const char = hex[hi] + hex[hi + 1];
             throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
         }
-        array[ai] = n1 * 16 + n2;
+        array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
     }
     return array;
 }
@@ -193,7 +192,7 @@ function ensureBytes(title, hex, expectedLength) {
             res = hexToBytes(hex);
         }
         catch (e) {
-            throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
+            throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
         }
     }
     else if (isBytes(hex)) {
@@ -202,11 +201,11 @@ function ensureBytes(title, hex, expectedLength) {
         res = Uint8Array.from(hex);
     }
     else {
-        throw new Error(`${title} must be hex string or Uint8Array`);
+        throw new Error(title + ' must be hex string or Uint8Array');
     }
     const len = res.length;
     if (typeof expectedLength === 'number' && len !== expectedLength)
-        throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
+        throw new Error(title + ' of length ' + expectedLength + ' expected, got ' + len);
     return res;
 }
 /**
@@ -241,7 +240,7 @@ function equalBytes(a, b) {
  */
 function utf8ToBytes(str) {
     if (typeof str !== 'string')
-        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+        throw new Error('string expected');
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
 // Is positive bigint
@@ -261,7 +260,7 @@ function aInRange(title, n, min, max) {
     // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`
     // - our way is the cleanest:               `inRange('x', x, 0n, P)
     if (!inRange(n, min, max))
-        throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
+        throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);
 }
 // Bit operations
 /**
@@ -371,12 +370,12 @@ function validateObject(object, validators, optValidators = {}) {
     const checkField = (fieldName, type, isOptional) => {
         const checkVal = validatorFns[type];
         if (typeof checkVal !== 'function')
-            throw new Error(`Invalid validator "${type}", expected function`);
+            throw new Error('invalid validator function');
         const val = object[fieldName];
         if (isOptional && val === undefined)
             return;
         if (!checkVal(val, object)) {
-            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
+            throw new Error('param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val);
         }
     };
     for (const [fieldName, type] of Object.entries(validators))
@@ -448,11 +447,9 @@ var ut = /*#__PURE__*/Object.freeze({
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Utilities for modular arithmetics and finite fields
 // prettier-ignore
-const _0n$4 = BigInt(0), _1n$6 = BigInt(1), _2n$3 = BigInt(2), _3n$2 = BigInt(3);
+const _0n$4 = BigInt(0), _1n$6 = BigInt(1), _2n$3 = /* @__PURE__ */ BigInt(2), _3n$2 = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
-const _4n = BigInt(4), _5n = BigInt(5), _8n$1 = BigInt(8);
-// prettier-ignore
-BigInt(9); BigInt(16);
+const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _8n$1 = /* @__PURE__ */ BigInt(8);
 // Calculates a modulo b
 function mod(a, b) {
     const result = a % b;
@@ -466,8 +463,10 @@ function mod(a, b) {
  */
 // TODO: use field version && remove
 function pow(num, power, modulo) {
-    if (modulo <= _0n$4 || power < _0n$4)
-        throw new Error('Expected power/modulo > 0');
+    if (power < _0n$4)
+        throw new Error('invalid exponent, negatives unsupported');
+    if (modulo <= _0n$4)
+        throw new Error('invalid modulus');
     if (modulo === _1n$6)
         return _0n$4;
     let res = _1n$6;
@@ -490,9 +489,10 @@ function pow2(x, power, modulo) {
 }
 // Inverses number over modulo
 function invert(number, modulo) {
-    if (number === _0n$4 || modulo <= _0n$4) {
-        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
-    }
+    if (number === _0n$4)
+        throw new Error('invert: expected non-zero number');
+    if (modulo <= _0n$4)
+        throw new Error('invert: expected positive modulus, got ' + modulo);
     // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
     // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
     let a = mod(number, modulo);
@@ -533,8 +533,11 @@ function tonelliShanks(P) {
     for (Q = P - _1n$6, S = 0; Q % _2n$3 === _0n$4; Q /= _2n$3, S++)
         ;
     // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-    for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$6; Z++)
-        ;
+    for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$6; Z++) {
+        // Crash instead of infinity loop, we cannot reasonable count until P.
+        if (Z > 1000)
+            throw new Error('Cannot find square root: likely non-prime P');
+    }
     // Fast-path
     if (S === 1) {
         const p1div4 = (P + _1n$6) / _4n;
@@ -640,7 +643,7 @@ function FpPow(f, num, power) {
     // Should have same speed as pow for bigints
     // TODO: benchmark!
     if (power < _0n$4)
-        throw new Error('Expected power > 0');
+        throw new Error('invalid exponent, negatives unsupported');
     if (power === _0n$4)
         return f.ONE;
     if (power === _1n$6)
@@ -703,11 +706,11 @@ function nLength(n, nBitLength) {
  */
 function Field(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n$4)
-        throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
+        throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
     const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
     if (BYTES > 2048)
-        throw new Error('Field lengths over 2048 bytes are not supported');
-    const sqrtP = FpSqrt(ORDER);
+        throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+    let sqrtP; // cached sqrtP
     const f = Object.freeze({
         ORDER,
         BITS,
@@ -718,7 +721,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
-                throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+                throw new Error('invalid field element: expected bigint, got ' + typeof num);
             return _0n$4 <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
         is0: (num) => num === _0n$4,
@@ -737,7 +740,12 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
         inv: (num) => invert(num, ORDER),
-        sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
+        sqrt: redef.sqrt ||
+            ((n) => {
+                if (!sqrtP)
+                    sqrtP = FpSqrt(ORDER);
+                return sqrtP(f, n);
+            }),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
@@ -745,7 +753,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
         toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
-                throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+                throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
             return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
         },
     });
@@ -793,7 +801,7 @@ function mapHashToField(key, fieldOrder, isLE = false) {
     const minLen = getMinHashLength(fieldOrder);
     // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
     if (len < 16 || len < minLen || len > 1024)
-        throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
+        throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
     const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
     // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
     const reduced = mod(num, fieldOrder - _1n$6) + _1n$6;
@@ -804,10 +812,43 @@ function mapHashToField(key, fieldOrder, isLE = false) {
 // Abelian group utilities
 const _0n$3 = BigInt(0);
 const _1n$5 = BigInt(1);
+function constTimeNegate(condition, item) {
+    const neg = item.negate();
+    return condition ? neg : item;
+}
+function validateW(W, bits) {
+    if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+        throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
+}
+function calcWOpts(W, bits) {
+    validateW(W, bits);
+    const windows = Math.ceil(bits / W) + 1; // +1, because
+    const windowSize = 2 ** (W - 1); // -1 because we skip zero
+    return { windows, windowSize };
+}
+function validateMSMPoints(points, c) {
+    if (!Array.isArray(points))
+        throw new Error('array expected');
+    points.forEach((p, i) => {
+        if (!(p instanceof c))
+            throw new Error('invalid point at index ' + i);
+    });
+}
+function validateMSMScalars(scalars, field) {
+    if (!Array.isArray(scalars))
+        throw new Error('array of scalars expected');
+    scalars.forEach((s, i) => {
+        if (!field.isValid(s))
+            throw new Error('invalid scalar at index ' + i);
+    });
+}
 // Since points in different groups cannot be equal (different object constructor),
 // we can have single place to store precomputes
 const pointPrecomputes = new WeakMap();
 const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
+function getW(P) {
+    return pointWindowSizes.get(P) || 1;
+}
 // Elliptic curve multiplication of Point by scalar. Fragile.
 // Scalars should always be less than curve order: this should be checked inside of a curve itself.
 // Creates precomputation tables for fast multiplication:
@@ -820,25 +861,13 @@ const pointWindowSizes = new WeakMap(); // This allows use make points immutable
 // TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
 // windows to be in different memory locations
 function wNAF(c, bits) {
-    const constTimeNegate = (condition, item) => {
-        const neg = item.negate();
-        return condition ? neg : item;
-    };
-    const validateW = (W) => {
-        if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
-            throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
-    };
-    const opts = (W) => {
-        validateW(W);
-        const windows = Math.ceil(bits / W) + 1; // +1, because
-        const windowSize = 2 ** (W - 1); // -1 because we skip zero
-        return { windows, windowSize };
-    };
     return {
         constTimeNegate,
+        hasPrecomputes(elm) {
+            return getW(elm) !== 1;
+        },
         // non-const time multiplication ladder
-        unsafeLadder(elm, n) {
-            let p = c.ZERO;
+        unsafeLadder(elm, n, p = c.ZERO) {
             let d = elm;
             while (n > _0n$3) {
                 if (n & _1n$5)
@@ -856,10 +885,12 @@ function wNAF(c, bits) {
          * - 𝑊 is the window size
          * - 𝑛 is the bitlength of the curve order.
          * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+         * @param elm Point instance
+         * @param W window size
          * @returns precomputed point tables flattened to a single array
          */
         precomputeWindow(elm, W) {
-            const { windows, windowSize } = opts(W);
+            const { windows, windowSize } = calcWOpts(W, bits);
             const points = [];
             let p = elm;
             let base = p;
@@ -885,7 +916,7 @@ function wNAF(c, bits) {
         wNAF(W, precomputes, n) {
             // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
             // But need to carefully remove other checks before wNAF. ORDER == bits here
-            const { windows, windowSize } = opts(W);
+            const { windows, windowSize } = calcWOpts(W, bits);
             let p = c.ZERO;
             let f = c.BASE;
             const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
@@ -929,8 +960,44 @@ function wNAF(c, bits) {
             // which makes it less const-time: around 1 bigint multiply.
             return { p, f };
         },
-        wNAFCached(P, n, transform) {
-            const W = pointWindowSizes.get(P) || 1;
+        /**
+         * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+         * @param W window size
+         * @param precomputes precomputed tables
+         * @param n scalar (we don't check here, but should be less than curve order)
+         * @param acc accumulator point to add result of multiplication
+         * @returns point
+         */
+        wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
+            const { windows, windowSize } = calcWOpts(W, bits);
+            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
+            const maxNumber = 2 ** W;
+            const shiftBy = BigInt(W);
+            for (let window = 0; window < windows; window++) {
+                const offset = window * windowSize;
+                if (n === _0n$3)
+                    break; // No need to go over empty scalar
+                // Extract W bits.
+                let wbits = Number(n & mask);
+                // Shift number by W bits.
+                n >>= shiftBy;
+                // If the bits are bigger than max size, we'll split those.
+                // +224 => 256 - 32
+                if (wbits > windowSize) {
+                    wbits -= maxNumber;
+                    n += _1n$5;
+                }
+                if (wbits === 0)
+                    continue;
+                let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
+                if (wbits < 0)
+                    curr = curr.negate();
+                // NOTE: by re-using acc, we can save a lot of additions in case of MSM
+                acc = acc.add(curr);
+            }
+            return acc;
+        },
+        getPrecomputes(W, P, transform) {
             // Calculate precomputes on a first run, reuse them after
             let comp = pointPrecomputes.get(P);
             if (!comp) {
@@ -938,62 +1005,66 @@ function wNAF(c, bits) {
                 if (W !== 1)
                     pointPrecomputes.set(P, transform(comp));
             }
-            return this.wNAF(W, comp, n);
+            return comp;
+        },
+        wNAFCached(P, n, transform) {
+            const W = getW(P);
+            return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
+        },
+        wNAFCachedUnsafe(P, n, transform, prev) {
+            const W = getW(P);
+            if (W === 1)
+                return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
+            return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
         },
         // We calculate precomputes for elliptic curve point multiplication
         // using windowed method. This specifies window size and
         // stores precomputed values. Usually only base point would be precomputed.
         setWindowSize(P, W) {
-            validateW(W);
+            validateW(W, bits);
             pointWindowSizes.set(P, W);
             pointPrecomputes.delete(P);
         },
     };
 }
 /**
- * Pippenger algorithm for multi-scalar multiplication (MSM).
- * MSM is basically (Pa + Qb + Rc + ...).
+ * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
  * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
  * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
  * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
  * @param c Curve Point constructor
- * @param field field over CURVE.N - important that it's not over CURVE.P
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
  * @param points array of L curve points
  * @param scalars array of L scalars (aka private keys / bigints)
  */
-function pippenger(c, field, points, scalars) {
+function pippenger(c, fieldN, points, scalars) {
     // If we split scalars by some window (let's say 8 bits), every chunk will only
     // take 256 buckets even if there are 4096 scalars, also re-uses double.
     // TODO:
     // - https://eprint.iacr.org/2024/750.pdf
     // - https://tches.iacr.org/index.php/TCHES/article/view/10287
     // 0 is accepted in scalars
-    if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)
+    validateMSMPoints(points, c);
+    validateMSMScalars(scalars, fieldN);
+    if (points.length !== scalars.length)
         throw new Error('arrays of points and scalars must have equal length');
-    scalars.forEach((s, i) => {
-        if (!field.isValid(s))
-            throw new Error(`wrong scalar at index ${i}`);
-    });
-    points.forEach((p, i) => {
-        if (!(p instanceof c))
-            throw new Error(`wrong point at index ${i}`);
-    });
+    const zero = c.ZERO;
     const wbits = bitLen(BigInt(points.length));
     const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
     const MASK = (1 << windowSize) - 1;
-    const buckets = new Array(MASK + 1).fill(c.ZERO); // +1 for zero array
-    const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;
-    let sum = c.ZERO;
+    const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
+    const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
+    let sum = zero;
     for (let i = lastBits; i >= 0; i -= windowSize) {
-        buckets.fill(c.ZERO);
+        buckets.fill(zero);
         for (let j = 0; j < scalars.length; j++) {
             const scalar = scalars[j];
             const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
             buckets[wbits] = buckets[wbits].add(points[j]);
         }
-        let resI = c.ZERO; // not using this will do small speed-up, but will lose ct
+        let resI = zero; // not using this will do small speed-up, but will lose ct
         // Skip first bucket, because it is zero
-        for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {
+        for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
             sumI = sumI.add(buckets[j]);
             resI = resI.add(sumI);
         }
@@ -1048,12 +1119,12 @@ function validatePointOpts(curve) {
     const { endo, Fp, a } = opts;
     if (endo) {
         if (!Fp.eql(a, Fp.ZERO)) {
-            throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
+            throw new Error('invalid endomorphism, can only be defined for Koblitz curves that have a=0');
         }
         if (typeof endo !== 'object' ||
             typeof endo.beta !== 'bigint' ||
             typeof endo.splitScalar !== 'function') {
-            throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
+            throw new Error('invalid endomorphism, expected beta: bigint and splitScalar: function');
         }
     }
     return Object.freeze({ ...opts });
@@ -1087,7 +1158,8 @@ const DER = {
                 throw new E('tlv.encode: long form length too big');
             // length of length with long form flag
             const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
-            return `${numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
+            const t = numberToHexUnpadded(tag);
+            return t + lenLen + len + data;
         },
         // v - value, l - left bytes (unparsed)
         decode(tag, data) {
@@ -1140,15 +1212,15 @@ const DER = {
             if (Number.parseInt(hex[0], 16) & 0b1000)
                 hex = '00' + hex;
             if (hex.length & 1)
-                throw new E('unexpected assertion');
+                throw new E('unexpected DER parsing assertion: unpadded hex');
             return hex;
         },
         decode(data) {
             const { Err: E } = DER;
             if (data[0] & 128)
-                throw new E('Invalid signature integer: negative');
+                throw new E('invalid signature integer: negative');
             if (data[0] === 0x00 && !(data[1] & 128))
-                throw new E('Invalid signature integer: unnecessary leading zero');
+                throw new E('invalid signature integer: unnecessary leading zero');
             return b2n(data);
         },
     },
@@ -1159,16 +1231,18 @@ const DER = {
         abytes(data);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
-            throw new E('Invalid signature: left bytes after parsing');
+            throw new E('invalid signature: left bytes after parsing');
         const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
         const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);
         if (sLeftBytes.length)
-            throw new E('Invalid signature: left bytes after parsing');
+            throw new E('invalid signature: left bytes after parsing');
         return { r: int.decode(rBytes), s: int.decode(sBytes) };
     },
     hexFromSig(sig) {
         const { _tlv: tlv, _int: int } = DER;
-        const seq = `${tlv.encode(0x02, int.encode(sig.r))}${tlv.encode(0x02, int.encode(sig.s))}`;
+        const rs = tlv.encode(0x02, int.encode(sig.r));
+        const ss = tlv.encode(0x02, int.encode(sig.s));
+        const seq = rs + ss;
         return tlv.encode(0x30, seq);
     },
 };
@@ -1222,7 +1296,7 @@ function weierstrassPoints(opts) {
                 key = bytesToHex(key);
             // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
             if (typeof key !== 'string' || !lengths.includes(key.length))
-                throw new Error('Invalid key');
+                throw new Error('invalid private key');
             key = key.padStart(nByteLength * 2, '0');
         }
         let num;
@@ -1233,7 +1307,7 @@ function weierstrassPoints(opts) {
                     : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
         }
         catch (error) {
-            throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
+            throw new Error('invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key);
         }
         if (wrapPrivateKey)
             num = mod(num, N); // disabled by default, enabled for BLS
@@ -1273,7 +1347,7 @@ function weierstrassPoints(opts) {
         if (p.is0()) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
-            // (0, 0, 0) is wrong representation of ZERO and is always invalid.
+            // (0, 0, 0) is invalid representation of ZERO.
             if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
                 return;
             throw new Error('bad point: ZERO');
@@ -1497,16 +1571,17 @@ function weierstrassPoints(opts) {
          * an exposed private key e.g. sig verification, which works over *public* keys.
          */
         multiplyUnsafe(sc) {
-            aInRange('scalar', sc, _0n$2, CURVE.n);
+            const { endo, n: N } = CURVE;
+            aInRange('scalar', sc, _0n$2, N);
             const I = Point.ZERO;
             if (sc === _0n$2)
                 return I;
-            if (sc === _1n$4)
+            if (this.is0() || sc === _1n$4)
                 return this;
-            const { endo } = CURVE;
-            if (!endo)
-                return wnaf.unsafeLadder(this, sc);
-            // Apply endomorphism
+            // Case a: no endomorphism. Case b: has precomputes.
+            if (!endo || wnaf.hasPrecomputes(this))
+                return wnaf.wNAFCachedUnsafe(this, sc, Point.normalizeZ);
+            // Case c: endomorphism
             let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
             let k1p = I;
             let k2p = I;
@@ -1692,7 +1767,9 @@ function weierstrass(curveDef) {
                 return { x, y };
             }
             else {
-                throw new Error(`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`);
+                const cl = compressedLen;
+                const ul = uncompressedLen;
+                throw new Error('invalid Point, expected length of ' + cl + ', or uncompressed ' + ul + ', got ' + len);
             }
         },
     });
@@ -1857,6 +1934,9 @@ function weierstrass(curveDef) {
     // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
     const bits2int = CURVE.bits2int ||
         function (bytes) {
+            // Our custom check "just in case"
+            if (bytes.length > 8192)
+                throw new Error('input is too large');
             // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
             // for some cases, since bytes.length * 8 is not actual bitLength.
             const num = bytesToNumberBE(bytes); // check for == u8 done here
@@ -1873,15 +1953,15 @@ function weierstrass(curveDef) {
      * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
      */
     function int2octets(num) {
-        aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n$2, ORDER_MASK);
+        aInRange('num < 2^' + CURVE.nBitLength, num, _0n$2, ORDER_MASK);
         // works with order, can have different size than numToField!
         return numberToBytesBE(num, CURVE.nByteLength);
     }
     // Steps A, D of RFC6979 3.2
     // Creates RFC6979 seed; converts msg/privKey to numbers.
     // Used only in sign, not in verify.
-    // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order, this will be wrong at least for P521.
-    // Also it can be bigger for P224 + SHA256
+    // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
+    // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
     function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
         if (['recovered', 'canonical'].some((k) => k in opts))
             throw new Error('sign() legacy options not supported');
@@ -1975,39 +2055,48 @@ function weierstrass(curveDef) {
         const sg = signature;
         msgHash = ensureBytes('msgHash', msgHash);
         publicKey = ensureBytes('publicKey', publicKey);
+        const { lowS, prehash, format } = opts;
+        // Verify opts, deduce signature format
+        validateSigVerOpts(opts);
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
-        validateSigVerOpts(opts);
-        const { lowS, prehash } = opts;
+        if (format !== undefined && format !== 'compact' && format !== 'der')
+            throw new Error('format must be compact or der');
+        const isHex = typeof sg === 'string' || isBytes(sg);
+        const isObj = !isHex &&
+            !format &&
+            typeof sg === 'object' &&
+            sg !== null &&
+            typeof sg.r === 'bigint' &&
+            typeof sg.s === 'bigint';
+        if (!isHex && !isObj)
+            throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
         let _sig = undefined;
         let P;
         try {
-            if (typeof sg === 'string' || isBytes(sg)) {
+            if (isObj)
+                _sig = new Signature(sg.r, sg.s);
+            if (isHex) {
                 // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
                 // Since DER can also be 2*nByteLength bytes, we check for it first.
                 try {
-                    _sig = Signature.fromDER(sg);
+                    if (format !== 'compact')
+                        _sig = Signature.fromDER(sg);
                 }
                 catch (derError) {
                     if (!(derError instanceof DER.Err))
                         throw derError;
-                    _sig = Signature.fromCompact(sg);
                 }
-            }
-            else if (typeof sg === 'object' && typeof sg.r === 'bigint' && typeof sg.s === 'bigint') {
-                const { r, s } = sg;
-                _sig = new Signature(r, s);
-            }
-            else {
-                throw new Error('PARSE');
+                if (!_sig && format !== 'der')
+                    _sig = Signature.fromCompact(sg);
             }
             P = Point.fromHex(publicKey);
         }
         catch (error) {
-            if (error.message === 'PARSE')
-                throw new Error(`signature must be Signature instance, Uint8Array or hex string`);
             return false;
         }
+        if (!_sig)
+            return false;
         if (lowS && _sig.hasHighS())
             return false;
         if (prehash)
@@ -2052,14 +2141,14 @@ function createCurve(curveDef, defHash) {
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // NIST secp256r1 aka p256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
-const Fp$7 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A$4 = Fp$7.create(BigInt('-3'));
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const CURVE_A$4 = Fp256.create(BigInt('-3'));
 const CURVE_B$4 = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 // prettier-ignore
 const p256 = createCurve({
     a: CURVE_A$4, // Equation params: a, b
     b: CURVE_B$4,
-    Fp: Fp$7, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+    Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
     // Curve order, total count of valid points in the field
     n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
     // Base (generator) point (x, y)
@@ -2075,15 +2164,15 @@ const p256 = createCurve({
 // Field over which we'll do calculations.
 // prettier-ignore
 const P$1 = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp$6 = Field(P$1);
-const CURVE_A$3 = Fp$6.create(BigInt('-3'));
+const Fp384 = Field(P$1);
+const CURVE_A$3 = Fp384.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B$3 = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 // prettier-ignore
 const p384 = createCurve({
     a: CURVE_A$3, // Equation params: a, b
     b: CURVE_B$3,
-    Fp: Fp$6, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+    Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
     // Curve order, total count of valid points in the field.
     n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
     // Base (generator) point (x, y)
@@ -2100,11 +2189,11 @@ const p384 = createCurve({
 // Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp$5 = Field(P);
+const Fp521 = Field(P);
 const CURVE = {
-    a: Fp$5.create(BigInt('-3')),
+    a: Fp521.create(BigInt('-3')),
     b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
-    Fp: Fp$5,
+    Fp: Fp521,
     n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
     Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
@@ -2114,7 +2203,7 @@ const CURVE = {
 const p521 = createCurve({
     a: CURVE.a, // Equation params: a, b
     b: CURVE.b,
-    Fp: Fp$5, // Field: 2n**521n - 1n
+    Fp: Fp521, // Field: 2n**521n - 1n
     // Curve order, total count of valid points in the field
     n: CURVE.n,
     Gx: CURVE.Gx, // Base point (x, y) aka generator point
@@ -2157,6 +2246,10 @@ function validateOpts$1(curve) {
 function twistedEdwards(curveDef) {
     const CURVE = validateOpts$1(curveDef);
     const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
+    // Important:
+    // There are some places where Fp.BYTES is used instead of nByteLength.
+    // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
+    // TODO: test and find curves which behave otherwise.
     const MASK = _2n$2 << (BigInt(nByteLength * 8) - _1n$3);
     const modP = Fp.create; // Function overrides
     const Fn = Field(CURVE.n, CURVE.nBitLength);
@@ -2370,16 +2463,15 @@ function twistedEdwards(curveDef) {
         // It's faster, but should only be used when you don't care about
         // an exposed private key e.g. sig verification.
         // Does NOT allow scalars higher than CURVE.n.
-        multiplyUnsafe(scalar) {
+        // Accepts optional accumulator to merge with multiply (important for sparse scalars)
+        multiplyUnsafe(scalar, acc = Point.ZERO) {
             const n = scalar;
             aInRange('scalar', n, _0n$1, CURVE_ORDER); // 0 <= scalar < L
             if (n === _0n$1)
                 return I;
-            if (this.equals(I) || n === _1n$3)
+            if (this.is0() || n === _1n$3)
                 return this;
-            if (this.equals(G))
-                return this.wNAF(n).p;
-            return wnaf.unsafeLadder(this, n);
+            return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
         }
         // Checks if point is of small order.
         // If you add something to small order point, you will have "dirty"
@@ -2415,6 +2507,7 @@ function twistedEdwards(curveDef) {
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
             const y = bytesToNumberLE(normed);
+            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
             // RFC8032 prohibits >= p, but ZIP215 doesn't
             // zip215=true:  0 <= y < MASK (2^256 for ed25519)
             // zip215=false: 0 <= y < P (2^255-19 for ed25519)
@@ -2463,7 +2556,7 @@ function twistedEdwards(curveDef) {
     }
     /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
     function getExtendedPublicKey(key) {
-        const len = nByteLength;
+        const len = Fp.BYTES;
         key = ensureBytes('private key', key, len);
         // Hash private key with curve's hash function to produce uniformingly random input
         // Check byte lengths: ensure(64, h(ensure(32, key)))
@@ -2496,23 +2589,29 @@ function twistedEdwards(curveDef) {
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
         aInRange('signature.s', s, _0n$1, CURVE_ORDER); // 0 <= s < l
         const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
-        return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
+        return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
     }
     const verifyOpts = VERIFY_DEFAULT;
+    /**
+     * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+     * An extended group equation is checked.
+     */
     function verify(sig, msg, publicKey, options = verifyOpts) {
         const { context, zip215 } = options;
         const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
         sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
         msg = ensureBytes('message', msg);
+        publicKey = ensureBytes('publicKey', publicKey, len);
         if (zip215 !== undefined)
             abool('zip215', zip215);
         if (prehash)
             msg = prehash(msg); // for ed25519ph, etc
         const s = bytesToNumberLE(sig.slice(len, 2 * len));
-        // zip215: true is good for consensus-critical apps and allows points < 2^256
-        // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
         let A, R, SB;
         try {
+            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
             A = Point.fromHex(publicKey, zip215);
             R = Point.fromHex(sig.slice(0, len), zip215);
             SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
@@ -2524,6 +2623,7 @@ function twistedEdwards(curveDef) {
             return false;
         const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));
+        // Extended group equation
         // [8][S]B = [8]R + [8][k]A'
         return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
     }
@@ -2673,8 +2773,10 @@ function montgomery(curveDef) {
     function decodeScalar(n) {
         const bytes = ensureBytes('scalar', n);
         const len = bytes.length;
-        if (len !== montgomeryBytes && len !== fieldLen)
-            throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`);
+        if (len !== montgomeryBytes && len !== fieldLen) {
+            let valid = '' + montgomeryBytes + ' or ' + fieldLen;
+            throw new Error('invalid scalar, expected ' + valid + ' bytes, got ' + len);
+        }
         return bytesToNumberLE(adjustScalarBytes(bytes));
     }
     function scalarMult(scalar, u) {
@@ -2684,7 +2786,7 @@ function montgomery(curveDef) {
         // The result was not contributory
         // https://cr.yp.to/ecdh.html#validate
         if (pu === _0n)
-            throw new Error('Invalid private or public key received');
+            throw new Error('invalid private or public key received');
         return encodeUCoordinate(pu);
     }
     // Computes public key from private. By doing scalar multiplication of base point.
@@ -2767,14 +2869,14 @@ function uvRatio(u, v) {
     // square root exists, and the decoding fails.
     return { isValid: mod(x2 * v, P) === u, value: x };
 }
-const Fp$4 = Field(ed448P, 456, true);
+const Fp$3 = Field(ed448P, 456, true);
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
     // -39081. Negative number is P - number
     d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
     // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
-    Fp: Fp$4,
+    Fp: Fp$3,
     // Subgroup order: how many points curve has;
     // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
     n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
@@ -2792,7 +2894,7 @@ const ED448_DEF = {
     // dom4
     domain: (data, ctx, phflag) => {
         if (ctx.length > 255)
-            throw new Error(`Context is too big: ${ctx.length}`);
+            throw new Error('context must be smaller than 255, got: ' + ctx.length);
         return concatBytes$1(utf8ToBytes$1('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
     },
     uvRatio,
@@ -2818,7 +2920,7 @@ const x448 = /* @__PURE__ */ (() => montgomery({
 }))();
 // TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
 // Hash To Curve Elligator2 Map
-(Fp$4.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+(Fp$3.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 BigInt(156326);
 // 1-d
 BigInt('39082');
@@ -2860,18 +2962,18 @@ function sqrtMod(y) {
     const t1 = (pow2(b223, _23n, P) * b22) % P;
     const t2 = (pow2(t1, _6n, P) * b2) % P;
     const root = pow2(t2, _2n, P);
-    if (!Fp$3.eql(Fp$3.sqr(root), y))
+    if (!Fpk1.eql(Fpk1.sqr(root), y))
         throw new Error('Cannot find square root');
     return root;
 }
-const Fp$3 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 /**
  * secp256k1 short weierstrass curve and ECDSA signatures over it.
  */
 const secp256k1 = createCurve({
     a: BigInt(0), // equation params: a, b
     b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
-    Fp: Fp$3, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
     n: secp256k1N, // Curve order, total count of valid points in the field
     // Base point (x, y) aka generator point
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),