npm - @rialo/ts-cdk - Versions diffs - 0.4.2 → 0.8.0-alpha.0 - Mend

@rialo/ts-cdk 0.4.2 → 0.8.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,6 @@
 'use strict';
-var chacha20poly1305 = require('@hpke/chacha20poly1305');
-var core = require('@hpke/core');
+var chacha = require('@noble/ciphers/chacha');
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -12,8 +11,8 @@ var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
-var __commonJS = (cb, mod) => function __require() {
-  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+var __commonJS = (cb, mod2) => function __require() {
+  return mod2 || (0, cb[__getOwnPropNames(cb)[0]])((mod2 = { exports: {} }).exports, mod2), mod2.exports;
 };
 var __export = (target, all) => {
   for (var name in all)
@@ -27,13 +26,13 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+var __toESM = (mod2, isNodeMode, target) => (target = mod2 != null ? __create(__getProtoOf(mod2)) : {}, __copyProps(
   // If the importer is in node compatibility mode or this is not an ESM
   // file that has been converted to a CommonJS file using a Babel-
   // compatible transform (i.e. "__esModule" has not been set), then set
   // "default" to the CommonJS "module.exports" for node compatibility.
-  __defProp(target, "default", { value: mod, enumerable: true }) ,
-  mod
+  __defProp(target, "default", { value: mod2, enumerable: true }) ,
+  mod2
 ));
 // node_modules/@scure/base/index.js
@@ -5746,82 +5745,52 @@ var RialoError = class _RialoError extends Error {
 };
 // src/rex/errors.ts
-var HpkeErrorCode = /* @__PURE__ */ ((HpkeErrorCode2) => {
-  HpkeErrorCode2["INVALID_KEY_LENGTH"] = "INVALID_KEY_LENGTH";
-  HpkeErrorCode2["CIPHERTEXT_TOO_SHORT"] = "CIPHERTEXT_TOO_SHORT";
-  HpkeErrorCode2["ENCRYPTION_FAILED"] = "ENCRYPTION_FAILED";
-  HpkeErrorCode2["BORSH_DESERIALIZE_FAILED"] = "BORSH_DESERIALIZE_FAILED";
-  HpkeErrorCode2["INVALID_REX_VALUE"] = "INVALID_REX_VALUE";
-  return HpkeErrorCode2;
-})(HpkeErrorCode || {});
-var HpkeError = class _HpkeError extends Error {
+var EncryptionErrorCode = /* @__PURE__ */ ((EncryptionErrorCode2) => {
+  EncryptionErrorCode2["INVALID_INPUT"] = "INVALID_INPUT";
+  EncryptionErrorCode2["INVALID_THRESHOLD_KEY"] = "INVALID_THRESHOLD_KEY";
+  EncryptionErrorCode2["ENCRYPTION_FAILED"] = "ENCRYPTION_FAILED";
+  EncryptionErrorCode2["BORSH_DESERIALIZE_FAILED"] = "BORSH_DESERIALIZE_FAILED";
+  EncryptionErrorCode2["INVALID_REX_VALUE"] = "INVALID_REX_VALUE";
+  return EncryptionErrorCode2;
+})(EncryptionErrorCode || {});
+var EncryptionError = class _EncryptionError extends Error {
   code;
   cause;
   constructor(code, message, cause) {
     super(message);
-    this.name = "HpkeError";
+    this.name = "EncryptionError";
     this.code = code;
     this.cause = cause;
     if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, _HpkeError);
+      Error.captureStackTrace(this, _EncryptionError);
     }
   }
-  /**
-   * Create an error for invalid key length.
-   *
-   * @param expected - Expected key length in bytes
-   * @param actual - Actual key length in bytes
-   * @param keyType - Description of the key type (e.g., "REX public key")
-   */
-  static invalidKeyLength(expected, actual, keyType) {
-    return new _HpkeError(
-      "INVALID_KEY_LENGTH" /* INVALID_KEY_LENGTH */,
-      `Invalid ${keyType} length: expected ${expected} bytes, got ${actual}`
-    );
+  static invalidInput(message) {
+    return new _EncryptionError("INVALID_INPUT" /* INVALID_INPUT */, message);
   }
-  /**
-   * Create an error for ciphertext that is too short.
-   *
-   * @param minLength - Minimum required length
-   * @param actual - Actual length
-   */
-  static ciphertextTooShort(minLength, actual) {
-    return new _HpkeError(
-      "CIPHERTEXT_TOO_SHORT" /* CIPHERTEXT_TOO_SHORT */,
-      `Ciphertext too short: minimum ${minLength} bytes required, got ${actual}`
+  static invalidThresholdKey(cause) {
+    return new _EncryptionError(
+      "INVALID_THRESHOLD_KEY" /* INVALID_THRESHOLD_KEY */,
+      `Invalid threshold public key: ${cause.message}`,
+      cause
     );
   }
-  /**
-   * Create an error for encryption failure.
-   *
-   * @param cause - The underlying error
-   */
   static encryptionFailed(cause) {
-    return new _HpkeError(
+    return new _EncryptionError(
       "ENCRYPTION_FAILED" /* ENCRYPTION_FAILED */,
-      `HPKE encryption failed: ${cause.message}`,
+      `DKG encryption failed: ${cause.message}`,
       cause
     );
   }
-  /**
-   * Create an error for Borsh deserialization failure.
-   *
-   * @param cause - The underlying error
-   */
   static borshDeserializeFailed(cause) {
-    return new _HpkeError(
+    return new _EncryptionError(
       "BORSH_DESERIALIZE_FAILED" /* BORSH_DESERIALIZE_FAILED */,
       `Borsh deserialization failed: ${cause.message}`,
       cause
     );
   }
-  /**
-   * Create an error for invalid RexValue variant.
-   *
-   * @param variant - The invalid variant byte
-   */
   static invalidRexValue(variant) {
-    return new _HpkeError(
+    return new _EncryptionError(
       "INVALID_REX_VALUE" /* INVALID_REX_VALUE */,
       `Invalid RexValue variant: ${variant}`
     );
@@ -5829,15 +5798,12 @@ var HpkeError = class _HpkeError extends Error {
 };
 // src/rex/constants.ts
-var USER_SECRET_AAD = new TextEncoder().encode("rex-secret-v1");
-var SECRET_SHARING_HPKE_INFO = new TextEncoder().encode(
-  "rialo/tee/secret-sharing-hpke/v1"
-);
-var X25519_PUBLIC_KEY_LENGTH = 32;
+var DKG_PAYLOAD_VERSION = 2;
+var MAX_SECRET_LENGTH = 64 * 1024;
+var RISTRETTO_POINT_BYTES = 32;
 var ED25519_PUBLIC_KEY_LENGTH = 32;
-var HPKE_ENC_LENGTH = 32;
+var CHACHA20_POLY1305_NONCE_LENGTH = 12;
 var CHACHA20_POLY1305_TAG_LENGTH = 16;
-var HPKE_OVERHEAD_LENGTH = HPKE_ENC_LENGTH + CHACHA20_POLY1305_TAG_LENGTH;
 // src/rex/rex-value.ts
 var RexValueVariant = /* @__PURE__ */ ((RexValueVariant2) => {
@@ -5874,9 +5840,9 @@ var RexValue = class _RexValue {
     );
   }
   /**
-   * Create an encrypted RexValue from HPKE ciphertext.
+   * Create an encrypted RexValue from a DKG threshold-encrypted payload.
    *
-   * @param ciphertext - The HPKE-encrypted ciphertext (enc || ct || tag)
+   * @param ciphertext - The DKG-encrypted payload bytes (`[0x02] || borsh(DkgEncryptedPayload)`)
    * @returns A new RexValue with Encrypted variant
    */
   static encrypted(ciphertext) {
@@ -5944,22 +5910,22 @@ var RexValue = class _RexValue {
    *
    * @param data - The Borsh-serialized bytes
    * @returns A new RexValue
-   * @throws {HpkeError} If deserialization fails
+   * @throws {EncryptionError} If deserialization fails
    */
   static fromBorsh(data) {
     if (data.length < 5) {
-      throw HpkeError.borshDeserializeFailed(
+      throw EncryptionError.borshDeserializeFailed(
         new Error(`Buffer too short: expected at least 5 bytes, got ${data.length}`)
       );
     }
     const variant = data[0];
     if (variant !== 0 /* Plain */ && variant !== 1 /* Encrypted */) {
-      throw HpkeError.invalidRexValue(variant);
+      throw EncryptionError.invalidRexValue(variant);
     }
     const dataView = new DataView(data.buffer, data.byteOffset, data.byteLength);
     const length = dataView.getUint32(1, true);
     if (data.length < 5 + length) {
-      throw HpkeError.borshDeserializeFailed(
+      throw EncryptionError.borshDeserializeFailed(
         new Error(`Buffer too short: expected ${5 + length} bytes, got ${data.length}`)
       );
     }
@@ -5967,78 +5933,1408 @@ var RexValue = class _RexValue {
     return new _RexValue(variant, payload);
   }
 };
-var hpkeSuite = new core.CipherSuite({
-  kem: new core.DhkemX25519HkdfSha256(),
-  kdf: new core.HkdfSha256(),
-  aead: new chacha20poly1305.Chacha20Poly1305()
-});
-function buildAad(senderPubkey) {
-  const aad = new Uint8Array(USER_SECRET_AAD.length + senderPubkey.length);
-  aad.set(USER_SECRET_AAD, 0);
-  aad.set(senderPubkey, USER_SECRET_AAD.length);
+// node_modules/@noble/curves/node_modules/@noble/hashes/utils.js
+function isBytes5(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function anumber4(n, title = "") {
+  if (!Number.isSafeInteger(n) || n < 0) {
+    const prefix = title && `"${title}" `;
+    throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+  }
+}
+function abytes5(value, length, title = "") {
+  const bytes2 = isBytes5(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes2 || needsLen && len !== length) {
+    const prefix = title && `"${title}" `;
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes2 ? `length=${len}` : `type=${typeof value}`;
+    throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+  }
+  return value;
+}
+var hasHexBuiltin2 = /* @__PURE__ */ (() => (
+  // @ts-ignore
+  typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function"
+))();
+var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+function bytesToHex2(bytes2) {
+  abytes5(bytes2);
+  if (hasHexBuiltin2)
+    return bytes2.toHex();
+  let hex2 = "";
+  for (let i = 0; i < bytes2.length; i++) {
+    hex2 += hexes[bytes2[i]];
+  }
+  return hex2;
+}
+var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+  if (ch >= asciis._0 && ch <= asciis._9)
+    return ch - asciis._0;
+  if (ch >= asciis.A && ch <= asciis.F)
+    return ch - (asciis.A - 10);
+  if (ch >= asciis.a && ch <= asciis.f)
+    return ch - (asciis.a - 10);
+  return;
+}
+function hexToBytes2(hex2) {
+  if (typeof hex2 !== "string")
+    throw new Error("hex string expected, got " + typeof hex2);
+  if (hasHexBuiltin2)
+    return Uint8Array.fromHex(hex2);
+  const hl = hex2.length;
+  const al = hl / 2;
+  if (hl % 2)
+    throw new Error("hex string expected, got unpadded hex of length " + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex2.charCodeAt(hi));
+    const n2 = asciiToBase16(hex2.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0) {
+      const char = hex2[hi] + hex2[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+}
+// node_modules/@noble/curves/utils.js
+var _0n = /* @__PURE__ */ BigInt(0);
+var _1n = /* @__PURE__ */ BigInt(1);
+function abool(value, title = "") {
+  if (typeof value !== "boolean") {
+    const prefix = title && `"${title}" `;
+    throw new Error(prefix + "expected boolean, got type=" + typeof value);
+  }
+  return value;
+}
+function abignumber(n) {
+  if (typeof n === "bigint") {
+    if (!isPosBig(n))
+      throw new Error("positive bigint expected, got " + n);
+  } else
+    anumber4(n);
+  return n;
+}
+function hexToNumber(hex2) {
+  if (typeof hex2 !== "string")
+    throw new Error("hex string expected, got " + typeof hex2);
+  return hex2 === "" ? _0n : BigInt("0x" + hex2);
+}
+function bytesToNumberBE(bytes2) {
+  return hexToNumber(bytesToHex2(bytes2));
+}
+function bytesToNumberLE(bytes2) {
+  return hexToNumber(bytesToHex2(copyBytes(abytes5(bytes2)).reverse()));
+}
+function numberToBytesBE(n, len) {
+  anumber4(len);
+  n = abignumber(n);
+  const res = hexToBytes2(n.toString(16).padStart(len * 2, "0"));
+  if (res.length !== len)
+    throw new Error("number too large");
+  return res;
+}
+function numberToBytesLE(n, len) {
+  return numberToBytesBE(n, len).reverse();
+}
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function copyBytes(bytes2) {
+  return Uint8Array.from(bytes2);
+}
+var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
+function inRange(n, min, max) {
+  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+function aInRange(title, n, min, max) {
+  if (!inRange(n, min, max))
+    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+}
+var bitMask = (n) => (_1n << BigInt(n)) - _1n;
+function validateObject(object, fields = {}, optFields = {}) {
+  if (!object || typeof object !== "object")
+    throw new Error("expected valid options object");
+  function checkField(fieldName, expectedType, isOpt) {
+    const val = object[fieldName];
+    if (isOpt && val === void 0)
+      return;
+    const current = typeof val;
+    if (current !== expectedType || val === null)
+      throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+  }
+  const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
+  iter(fields, false);
+  iter(optFields, true);
+}
+var notImplemented = () => {
+  throw new Error("not implemented");
+};
+function memoized(fn) {
+  const map = /* @__PURE__ */ new WeakMap();
+  return (arg, ...args) => {
+    const val = map.get(arg);
+    if (val !== void 0)
+      return val;
+    const computed = fn(arg, ...args);
+    map.set(arg, computed);
+    return computed;
+  };
+}
+// node_modules/@noble/curves/abstract/modular.js
+var _0n2 = /* @__PURE__ */ BigInt(0);
+var _1n2 = /* @__PURE__ */ BigInt(1);
+var _2n = /* @__PURE__ */ BigInt(2);
+var _3n = /* @__PURE__ */ BigInt(3);
+var _4n = /* @__PURE__ */ BigInt(4);
+var _5n = /* @__PURE__ */ BigInt(5);
+var _7n = /* @__PURE__ */ BigInt(7);
+var _8n = /* @__PURE__ */ BigInt(8);
+var _9n = /* @__PURE__ */ BigInt(9);
+var _16n = /* @__PURE__ */ BigInt(16);
+function mod(a, b) {
+  const result = a % b;
+  return result >= _0n2 ? result : b + result;
+}
+function pow22(x, power, modulo) {
+  let res = x;
+  while (power-- > _0n2) {
+    res *= res;
+    res %= modulo;
+  }
+  return res;
+}
+function invert2(number, modulo) {
+  if (number === _0n2)
+    throw new Error("invert: expected non-zero number");
+  if (modulo <= _0n2)
+    throw new Error("invert: expected positive modulus, got " + modulo);
+  let a = mod(number, modulo);
+  let b = modulo;
+  let x = _0n2, u = _1n2;
+  while (a !== _0n2) {
+    const q = b / a;
+    const r = b % a;
+    const m = x - u * q;
+    b = a, a = r, x = u, u = m;
+  }
+  const gcd2 = b;
+  if (gcd2 !== _1n2)
+    throw new Error("invert: does not exist");
+  return mod(x, modulo);
+}
+function assertIsSquare(Fp2, root, n) {
+  if (!Fp2.eql(Fp2.sqr(root), n))
+    throw new Error("Cannot find square root");
+}
+function sqrt3mod4(Fp2, n) {
+  const p1div4 = (Fp2.ORDER + _1n2) / _4n;
+  const root = Fp2.pow(n, p1div4);
+  assertIsSquare(Fp2, root, n);
+  return root;
+}
+function sqrt5mod8(Fp2, n) {
+  const p5div8 = (Fp2.ORDER - _5n) / _8n;
+  const n2 = Fp2.mul(n, _2n);
+  const v = Fp2.pow(n2, p5div8);
+  const nv = Fp2.mul(n, v);
+  const i = Fp2.mul(Fp2.mul(nv, _2n), v);
+  const root = Fp2.mul(nv, Fp2.sub(i, Fp2.ONE));
+  assertIsSquare(Fp2, root, n);
+  return root;
+}
+function sqrt9mod16(P2) {
+  const Fp_ = Field(P2);
+  const tn = tonelliShanks(P2);
+  const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));
+  const c2 = tn(Fp_, c1);
+  const c3 = tn(Fp_, Fp_.neg(c1));
+  const c4 = (P2 + _7n) / _16n;
+  return (Fp2, n) => {
+    let tv1 = Fp2.pow(n, c4);
+    let tv2 = Fp2.mul(tv1, c1);
+    const tv3 = Fp2.mul(tv1, c2);
+    const tv4 = Fp2.mul(tv1, c3);
+    const e1 = Fp2.eql(Fp2.sqr(tv2), n);
+    const e2 = Fp2.eql(Fp2.sqr(tv3), n);
+    tv1 = Fp2.cmov(tv1, tv2, e1);
+    tv2 = Fp2.cmov(tv4, tv3, e2);
+    const e3 = Fp2.eql(Fp2.sqr(tv2), n);
+    const root = Fp2.cmov(tv1, tv2, e3);
+    assertIsSquare(Fp2, root, n);
+    return root;
+  };
+}
+function tonelliShanks(P2) {
+  if (P2 < _3n)
+    throw new Error("sqrt is not defined for small field");
+  let Q = P2 - _1n2;
+  let S = 0;
+  while (Q % _2n === _0n2) {
+    Q /= _2n;
+    S++;
+  }
+  let Z = _2n;
+  const _Fp = Field(P2);
+  while (FpLegendre(_Fp, Z) === 1) {
+    if (Z++ > 1e3)
+      throw new Error("Cannot find square root: probably non-prime P");
+  }
+  if (S === 1)
+    return sqrt3mod4;
+  let cc = _Fp.pow(Z, Q);
+  const Q1div2 = (Q + _1n2) / _2n;
+  return function tonelliSlow(Fp2, n) {
+    if (Fp2.is0(n))
+      return n;
+    if (FpLegendre(Fp2, n) !== 1)
+      throw new Error("Cannot find square root");
+    let M2 = S;
+    let c = Fp2.mul(Fp2.ONE, cc);
+    let t = Fp2.pow(n, Q);
+    let R = Fp2.pow(n, Q1div2);
+    while (!Fp2.eql(t, Fp2.ONE)) {
+      if (Fp2.is0(t))
+        return Fp2.ZERO;
+      let i = 1;
+      let t_tmp = Fp2.sqr(t);
+      while (!Fp2.eql(t_tmp, Fp2.ONE)) {
+        i++;
+        t_tmp = Fp2.sqr(t_tmp);
+        if (i === M2)
+          throw new Error("Cannot find square root");
+      }
+      const exponent = _1n2 << BigInt(M2 - i - 1);
+      const b = Fp2.pow(c, exponent);
+      M2 = i;
+      c = Fp2.sqr(b);
+      t = Fp2.mul(t, c);
+      R = Fp2.mul(R, b);
+    }
+    return R;
+  };
+}
+function FpSqrt(P2) {
+  if (P2 % _4n === _3n)
+    return sqrt3mod4;
+  if (P2 % _8n === _5n)
+    return sqrt5mod8;
+  if (P2 % _16n === _9n)
+    return sqrt9mod16(P2);
+  return tonelliShanks(P2);
+}
+var isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n2) === _1n2;
+var FIELD_FIELDS = [
+  "create",
+  "isValid",
+  "is0",
+  "neg",
+  "inv",
+  "sqrt",
+  "sqr",
+  "eql",
+  "add",
+  "sub",
+  "mul",
+  "pow",
+  "div",
+  "addN",
+  "subN",
+  "mulN",
+  "sqrN"
+];
+function validateField(field2) {
+  const initial = {
+    ORDER: "bigint",
+    BYTES: "number",
+    BITS: "number"
+  };
+  const opts = FIELD_FIELDS.reduce((map, val) => {
+    map[val] = "function";
+    return map;
+  }, initial);
+  validateObject(field2, opts);
+  return field2;
+}
+function FpPow(Fp2, num, power) {
+  if (power < _0n2)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (power === _0n2)
+    return Fp2.ONE;
+  if (power === _1n2)
+    return num;
+  let p = Fp2.ONE;
+  let d = num;
+  while (power > _0n2) {
+    if (power & _1n2)
+      p = Fp2.mul(p, d);
+    d = Fp2.sqr(d);
+    power >>= _1n2;
+  }
+  return p;
+}
+function FpInvertBatch(Fp2, nums, passZero = false) {
+  const inverted = new Array(nums.length).fill(passZero ? Fp2.ZERO : void 0);
+  const multipliedAcc = nums.reduce((acc, num, i) => {
+    if (Fp2.is0(num))
+      return acc;
+    inverted[i] = acc;
+    return Fp2.mul(acc, num);
+  }, Fp2.ONE);
+  const invertedAcc = Fp2.inv(multipliedAcc);
+  nums.reduceRight((acc, num, i) => {
+    if (Fp2.is0(num))
+      return acc;
+    inverted[i] = Fp2.mul(acc, inverted[i]);
+    return Fp2.mul(acc, num);
+  }, invertedAcc);
+  return inverted;
+}
+function FpLegendre(Fp2, n) {
+  const p1mod2 = (Fp2.ORDER - _1n2) / _2n;
+  const powered = Fp2.pow(n, p1mod2);
+  const yes = Fp2.eql(powered, Fp2.ONE);
+  const zero = Fp2.eql(powered, Fp2.ZERO);
+  const no = Fp2.eql(powered, Fp2.neg(Fp2.ONE));
+  if (!yes && !zero && !no)
+    throw new Error("invalid Legendre symbol result");
+  return yes ? 1 : zero ? 0 : -1;
+}
+function nLength(n, nBitLength) {
+  if (nBitLength !== void 0)
+    anumber4(nBitLength);
+  const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+var _Field = class {
+  ORDER;
+  BITS;
+  BYTES;
+  isLE;
+  ZERO = _0n2;
+  ONE = _1n2;
+  _lengths;
+  _sqrt;
+  // cached sqrt
+  _mod;
+  constructor(ORDER, opts = {}) {
+    if (ORDER <= _0n2)
+      throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+    let _nbitLength = void 0;
+    this.isLE = false;
+    if (opts != null && typeof opts === "object") {
+      if (typeof opts.BITS === "number")
+        _nbitLength = opts.BITS;
+      if (typeof opts.sqrt === "function")
+        this.sqrt = opts.sqrt;
+      if (typeof opts.isLE === "boolean")
+        this.isLE = opts.isLE;
+      if (opts.allowedLengths)
+        this._lengths = opts.allowedLengths?.slice();
+      if (typeof opts.modFromBytes === "boolean")
+        this._mod = opts.modFromBytes;
+    }
+    const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+    if (nByteLength > 2048)
+      throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+    this.ORDER = ORDER;
+    this.BITS = nBitLength;
+    this.BYTES = nByteLength;
+    this._sqrt = void 0;
+    Object.preventExtensions(this);
+  }
+  create(num) {
+    return mod(num, this.ORDER);
+  }
+  isValid(num) {
+    if (typeof num !== "bigint")
+      throw new Error("invalid field element: expected bigint, got " + typeof num);
+    return _0n2 <= num && num < this.ORDER;
+  }
+  is0(num) {
+    return num === _0n2;
+  }
+  // is valid and invertible
+  isValidNot0(num) {
+    return !this.is0(num) && this.isValid(num);
+  }
+  isOdd(num) {
+    return (num & _1n2) === _1n2;
+  }
+  neg(num) {
+    return mod(-num, this.ORDER);
+  }
+  eql(lhs, rhs) {
+    return lhs === rhs;
+  }
+  sqr(num) {
+    return mod(num * num, this.ORDER);
+  }
+  add(lhs, rhs) {
+    return mod(lhs + rhs, this.ORDER);
+  }
+  sub(lhs, rhs) {
+    return mod(lhs - rhs, this.ORDER);
+  }
+  mul(lhs, rhs) {
+    return mod(lhs * rhs, this.ORDER);
+  }
+  pow(num, power) {
+    return FpPow(this, num, power);
+  }
+  div(lhs, rhs) {
+    return mod(lhs * invert2(rhs, this.ORDER), this.ORDER);
+  }
+  // Same as above, but doesn't normalize
+  sqrN(num) {
+    return num * num;
+  }
+  addN(lhs, rhs) {
+    return lhs + rhs;
+  }
+  subN(lhs, rhs) {
+    return lhs - rhs;
+  }
+  mulN(lhs, rhs) {
+    return lhs * rhs;
+  }
+  inv(num) {
+    return invert2(num, this.ORDER);
+  }
+  sqrt(num) {
+    if (!this._sqrt)
+      this._sqrt = FpSqrt(this.ORDER);
+    return this._sqrt(this, num);
+  }
+  toBytes(num) {
+    return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+  }
+  fromBytes(bytes2, skipValidation = false) {
+    abytes5(bytes2);
+    const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
+    if (allowedLengths) {
+      if (!allowedLengths.includes(bytes2.length) || bytes2.length > BYTES) {
+        throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes2.length);
+      }
+      const padded = new Uint8Array(BYTES);
+      padded.set(bytes2, isLE ? 0 : padded.length - bytes2.length);
+      bytes2 = padded;
+    }
+    if (bytes2.length !== BYTES)
+      throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes2.length);
+    let scalar = isLE ? bytesToNumberLE(bytes2) : bytesToNumberBE(bytes2);
+    if (modFromBytes)
+      scalar = mod(scalar, ORDER);
+    if (!skipValidation) {
+      if (!this.isValid(scalar))
+        throw new Error("invalid field element: outside of range 0..ORDER");
+    }
+    return scalar;
+  }
+  // TODO: we don't need it here, move out to separate fn
+  invertBatch(lst) {
+    return FpInvertBatch(this, lst);
+  }
+  // We can't move this out because Fp6, Fp12 implement it
+  // and it's unclear what to return in there.
+  cmov(a, b, condition) {
+    return condition ? b : a;
+  }
+};
+function Field(ORDER, opts = {}) {
+  return new _Field(ORDER, opts);
+}
+// node_modules/@noble/curves/abstract/curve.js
+var _0n3 = /* @__PURE__ */ BigInt(0);
+var _1n3 = /* @__PURE__ */ BigInt(1);
+function negateCt(condition, item) {
+  const neg = item.negate();
+  return condition ? neg : item;
+}
+function normalizeZ(c, points) {
+  const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
+  return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
+}
+function validateW(W2, bits) {
+  if (!Number.isSafeInteger(W2) || W2 <= 0 || W2 > bits)
+    throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W2);
+}
+function calcWOpts(W2, scalarBits2) {
+  validateW(W2, scalarBits2);
+  const windows = Math.ceil(scalarBits2 / W2) + 1;
+  const windowSize = 2 ** (W2 - 1);
+  const maxNumber = 2 ** W2;
+  const mask = bitMask(W2);
+  const shiftBy = BigInt(W2);
+  return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+  const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+  let wbits = Number(n & mask);
+  let nextN = n >> shiftBy;
+  if (wbits > windowSize) {
+    wbits -= maxNumber;
+    nextN += _1n3;
+  }
+  const offsetStart = window * windowSize;
+  const offset = offsetStart + Math.abs(wbits) - 1;
+  const isZero = wbits === 0;
+  const isNeg = wbits < 0;
+  const isNegF = window % 2 !== 0;
+  const offsetF = offsetStart;
+  return { nextN, offset, isZero, isNeg, isNegF, offsetF };
+}
+var pointPrecomputes = /* @__PURE__ */ new WeakMap();
+var pointWindowSizes = /* @__PURE__ */ new WeakMap();
+function getW(P2) {
+  return pointWindowSizes.get(P2) || 1;
+}
+function assert0(n) {
+  if (n !== _0n3)
+    throw new Error("invalid wNAF");
+}
+var wNAF2 = class {
+  BASE;
+  ZERO;
+  Fn;
+  bits;
+  // Parametrized with a given Point class (not individual point)
+  constructor(Point2, bits) {
+    this.BASE = Point2.BASE;
+    this.ZERO = Point2.ZERO;
+    this.Fn = Point2.Fn;
+    this.bits = bits;
+  }
+  // non-const time multiplication ladder
+  _unsafeLadder(elm, n, p = this.ZERO) {
+    let d = elm;
+    while (n > _0n3) {
+      if (n & _1n3)
+        p = p.add(d);
+      d = d.double();
+      n >>= _1n3;
+    }
+    return p;
+  }
+  /**
+   * Creates a wNAF precomputation window. Used for caching.
+   * Default window size is set by `utils.precompute()` and is equal to 8.
+   * Number of precomputed points depends on the curve size:
+   * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+   * - 𝑊 is the window size
+   * - 𝑛 is the bitlength of the curve order.
+   * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+   * @param point Point instance
+   * @param W window size
+   * @returns precomputed point tables flattened to a single array
+   */
+  precomputeWindow(point, W2) {
+    const { windows, windowSize } = calcWOpts(W2, this.bits);
+    const points = [];
+    let p = point;
+    let base = p;
+    for (let window = 0; window < windows; window++) {
+      base = p;
+      points.push(base);
+      for (let i = 1; i < windowSize; i++) {
+        base = base.add(p);
+        points.push(base);
+      }
+      p = base.double();
+    }
+    return points;
+  }
+  /**
+   * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+   * More compact implementation:
+   * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+   * @returns real and fake (for const-time) points
+   */
+  wNAF(W2, precomputes, n) {
+    if (!this.Fn.isValid(n))
+      throw new Error("invalid scalar");
+    let p = this.ZERO;
+    let f = this.BASE;
+    const wo = calcWOpts(W2, this.bits);
+    for (let window = 0; window < wo.windows; window++) {
+      const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+      n = nextN;
+      if (isZero) {
+        f = f.add(negateCt(isNegF, precomputes[offsetF]));
+      } else {
+        p = p.add(negateCt(isNeg, precomputes[offset]));
+      }
+    }
+    assert0(n);
+    return { p, f };
+  }
+  /**
+   * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+   * @param acc accumulator point to add result of multiplication
+   * @returns point
+   */
+  wNAFUnsafe(W2, precomputes, n, acc = this.ZERO) {
+    const wo = calcWOpts(W2, this.bits);
+    for (let window = 0; window < wo.windows; window++) {
+      if (n === _0n3)
+        break;
+      const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+      n = nextN;
+      if (isZero) {
+        continue;
+      } else {
+        const item = precomputes[offset];
+        acc = acc.add(isNeg ? item.negate() : item);
+      }
+    }
+    assert0(n);
+    return acc;
+  }
+  getPrecomputes(W2, point, transform) {
+    let comp = pointPrecomputes.get(point);
+    if (!comp) {
+      comp = this.precomputeWindow(point, W2);
+      if (W2 !== 1) {
+        if (typeof transform === "function")
+          comp = transform(comp);
+        pointPrecomputes.set(point, comp);
+      }
+    }
+    return comp;
+  }
+  cached(point, scalar, transform) {
+    const W2 = getW(point);
+    return this.wNAF(W2, this.getPrecomputes(W2, point, transform), scalar);
+  }
+  unsafe(point, scalar, transform, prev) {
+    const W2 = getW(point);
+    if (W2 === 1)
+      return this._unsafeLadder(point, scalar, prev);
+    return this.wNAFUnsafe(W2, this.getPrecomputes(W2, point, transform), scalar, prev);
+  }
+  // We calculate precomputes for elliptic curve point multiplication
+  // using windowed method. This specifies window size and
+  // stores precomputed values. Usually only base point would be precomputed.
+  createCache(P2, W2) {
+    validateW(W2, this.bits);
+    pointWindowSizes.set(P2, W2);
+    pointPrecomputes.delete(P2);
+  }
+  hasCache(elm) {
+    return getW(elm) !== 1;
+  }
+};
+function createField(order, field2, isLE) {
+  if (field2) {
+    if (field2.ORDER !== order)
+      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
+    validateField(field2);
+    return field2;
+  } else {
+    return Field(order, { isLE });
+  }
+}
+function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+  if (FpFnLE === void 0)
+    FpFnLE = type === "edwards";
+  if (!CURVE || typeof CURVE !== "object")
+    throw new Error(`expected valid ${type} CURVE object`);
+  for (const p of ["p", "n", "h"]) {
+    const val = CURVE[p];
+    if (!(typeof val === "bigint" && val > _0n3))
+      throw new Error(`CURVE.${p} must be positive bigint`);
+  }
+  const Fp2 = createField(CURVE.p, curveOpts.Fp, FpFnLE);
+  const Fn2 = createField(CURVE.n, curveOpts.Fn, FpFnLE);
+  const _b = "d";
+  const params = ["Gx", "Gy", "a", _b];
+  for (const p of params) {
+    if (!Fp2.isValid(CURVE[p]))
+      throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+  }
+  CURVE = Object.freeze(Object.assign({}, CURVE));
+  return { CURVE, Fp: Fp2, Fn: Fn2 };
+}
+// node_modules/@noble/curves/abstract/edwards.js
+var _0n4 = BigInt(0);
+var _1n4 = BigInt(1);
+var _2n2 = BigInt(2);
+var _8n2 = BigInt(8);
+function isEdValidXY(Fp2, CURVE, x, y) {
+  const x2 = Fp2.sqr(x);
+  const y2 = Fp2.sqr(y);
+  const left = Fp2.add(Fp2.mul(CURVE.a, x2), y2);
+  const right = Fp2.add(Fp2.ONE, Fp2.mul(CURVE.d, Fp2.mul(x2, y2)));
+  return Fp2.eql(left, right);
+}
+function edwards(params, extraOpts = {}) {
+  const validated = createCurveFields("edwards", params, extraOpts, extraOpts.FpFnLE);
+  const { Fp: Fp2, Fn: Fn2 } = validated;
+  let CURVE = validated.CURVE;
+  const { h: cofactor } = CURVE;
+  validateObject(extraOpts, {}, { uvRatio: "function" });
+  const MASK = _2n2 << BigInt(Fn2.BYTES * 8) - _1n4;
+  const modP = (n) => Fp2.create(n);
+  const uvRatio3 = extraOpts.uvRatio || ((u, v) => {
+    try {
+      return { isValid: true, value: Fp2.sqrt(Fp2.div(u, v)) };
+    } catch (e) {
+      return { isValid: false, value: _0n4 };
+    }
+  });
+  if (!isEdValidXY(Fp2, CURVE, CURVE.Gx, CURVE.Gy))
+    throw new Error("bad curve params: generator point");
+  function acoord(title, n, banZero = false) {
+    const min = banZero ? _1n4 : _0n4;
+    aInRange("coordinate " + title, n, min, MASK);
+    return n;
+  }
+  function aedpoint(other) {
+    if (!(other instanceof Point2))
+      throw new Error("EdwardsPoint expected");
+  }
+  const toAffineMemo = memoized((p, iz) => {
+    const { X, Y, Z } = p;
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? _8n2 : Fp2.inv(Z);
+    const x = modP(X * iz);
+    const y = modP(Y * iz);
+    const zz = Fp2.mul(Z, iz);
+    if (is0)
+      return { x: _0n4, y: _1n4 };
+    if (zz !== _1n4)
+      throw new Error("invZ was invalid");
+    return { x, y };
+  });
+  const assertValidMemo = memoized((p) => {
+    const { a, d } = CURVE;
+    if (p.is0())
+      throw new Error("bad point: ZERO");
+    const { X, Y, Z, T } = p;
+    const X2 = modP(X * X);
+    const Y2 = modP(Y * Y);
+    const Z2 = modP(Z * Z);
+    const Z4 = modP(Z2 * Z2);
+    const aX2 = modP(X2 * a);
+    const left = modP(Z2 * modP(aX2 + Y2));
+    const right = modP(Z4 + modP(d * modP(X2 * Y2)));
+    if (left !== right)
+      throw new Error("bad point: equation left != right (1)");
+    const XY = modP(X * Y);
+    const ZT = modP(Z * T);
+    if (XY !== ZT)
+      throw new Error("bad point: equation left != right (2)");
+    return true;
+  });
+  class Point2 {
+    // base / generator point
+    static BASE = new Point2(CURVE.Gx, CURVE.Gy, _1n4, modP(CURVE.Gx * CURVE.Gy));
+    // zero / infinity / identity point
+    static ZERO = new Point2(_0n4, _1n4, _1n4, _0n4);
+    // 0, 1, 1, 0
+    // math field
+    static Fp = Fp2;
+    // scalar field
+    static Fn = Fn2;
+    X;
+    Y;
+    Z;
+    T;
+    constructor(X, Y, Z, T) {
+      this.X = acoord("x", X);
+      this.Y = acoord("y", Y);
+      this.Z = acoord("z", Z, true);
+      this.T = acoord("t", T);
+      Object.freeze(this);
+    }
+    static CURVE() {
+      return CURVE;
+    }
+    static fromAffine(p) {
+      if (p instanceof Point2)
+        throw new Error("extended point not allowed");
+      const { x, y } = p || {};
+      acoord("x", x);
+      acoord("y", y);
+      return new Point2(x, y, _1n4, modP(x * y));
+    }
+    // Uses algo from RFC8032 5.1.3.
+    static fromBytes(bytes2, zip215 = false) {
+      const len = Fp2.BYTES;
+      const { a, d } = CURVE;
+      bytes2 = copyBytes(abytes5(bytes2, len, "point"));
+      abool(zip215, "zip215");
+      const normed = copyBytes(bytes2);
+      const lastByte = bytes2[len - 1];
+      normed[len - 1] = lastByte & -129;
+      const y = bytesToNumberLE(normed);
+      const max = zip215 ? MASK : Fp2.ORDER;
+      aInRange("point.y", y, _0n4, max);
+      const y2 = modP(y * y);
+      const u = modP(y2 - _1n4);
+      const v = modP(d * y2 - a);
+      let { isValid, value: x } = uvRatio3(u, v);
+      if (!isValid)
+        throw new Error("bad point: invalid y coordinate");
+      const isXOdd = (x & _1n4) === _1n4;
+      const isLastByteOdd = (lastByte & 128) !== 0;
+      if (!zip215 && x === _0n4 && isLastByteOdd)
+        throw new Error("bad point: x=0 and x_0=1");
+      if (isLastByteOdd !== isXOdd)
+        x = modP(-x);
+      return Point2.fromAffine({ x, y });
+    }
+    static fromHex(hex2, zip215 = false) {
+      return Point2.fromBytes(hexToBytes2(hex2), zip215);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    precompute(windowSize = 8, isLazy = true) {
+      wnaf.createCache(this, windowSize);
+      if (!isLazy)
+        this.multiply(_2n2);
+      return this;
+    }
+    // Useful in fromAffine() - not for fromBytes(), which always created valid points.
+    assertValidity() {
+      assertValidMemo(this);
+    }
+    // Compare one point to another.
+    equals(other) {
+      aedpoint(other);
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
+      const X1Z2 = modP(X1 * Z2);
+      const X2Z1 = modP(X2 * Z1);
+      const Y1Z2 = modP(Y1 * Z2);
+      const Y2Z1 = modP(Y2 * Z1);
+      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+    is0() {
+      return this.equals(Point2.ZERO);
+    }
+    negate() {
+      return new Point2(modP(-this.X), this.Y, this.Z, modP(-this.T));
+    }
+    // Fast algo for doubling Extended Point.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
+    // Cost: 4M + 4S + 1*a + 6add + 1*2.
+    double() {
+      const { a } = CURVE;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const A = modP(X1 * X1);
+      const B = modP(Y1 * Y1);
+      const C2 = modP(_2n2 * modP(Z1 * Z1));
+      const D = modP(a * A);
+      const x1y1 = X1 + Y1;
+      const E = modP(modP(x1y1 * x1y1) - A - B);
+      const G2 = D + B;
+      const F = G2 - C2;
+      const H = D - B;
+      const X3 = modP(E * F);
+      const Y3 = modP(G2 * H);
+      const T3 = modP(E * H);
+      const Z3 = modP(F * G2);
+      return new Point2(X3, Y3, Z3, T3);
+    }
+    // Fast algo for adding 2 Extended Points.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
+    // Cost: 9M + 1*a + 1*d + 7add.
+    add(other) {
+      aedpoint(other);
+      const { a, d } = CURVE;
+      const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+      const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
+      const A = modP(X1 * X2);
+      const B = modP(Y1 * Y2);
+      const C2 = modP(T1 * d * T2);
+      const D = modP(Z1 * Z2);
+      const E = modP((X1 + Y1) * (X2 + Y2) - A - B);
+      const F = D - C2;
+      const G2 = D + C2;
+      const H = modP(B - a * A);
+      const X3 = modP(E * F);
+      const Y3 = modP(G2 * H);
+      const T3 = modP(E * H);
+      const Z3 = modP(F * G2);
+      return new Point2(X3, Y3, Z3, T3);
+    }
+    subtract(other) {
+      return this.add(other.negate());
+    }
+    // Constant-time multiplication.
+    multiply(scalar) {
+      if (!Fn2.isValidNot0(scalar))
+        throw new Error("invalid scalar: expected 1 <= sc < curve.n");
+      const { p, f } = wnaf.cached(this, scalar, (p2) => normalizeZ(Point2, p2));
+      return normalizeZ(Point2, [p, f])[0];
+    }
+    // Non-constant-time multiplication. Uses double-and-add algorithm.
+    // It's faster, but should only be used when you don't care about
+    // an exposed private key e.g. sig verification.
+    // Does NOT allow scalars higher than CURVE.n.
+    // Accepts optional accumulator to merge with multiply (important for sparse scalars)
+    multiplyUnsafe(scalar, acc = Point2.ZERO) {
+      if (!Fn2.isValid(scalar))
+        throw new Error("invalid scalar: expected 0 <= sc < curve.n");
+      if (scalar === _0n4)
+        return Point2.ZERO;
+      if (this.is0() || scalar === _1n4)
+        return this;
+      return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point2, p), acc);
+    }
+    // Checks if point is of small order.
+    // If you add something to small order point, you will have "dirty"
+    // point with torsion component.
+    // Multiplies point by cofactor and checks if the result is 0.
+    isSmallOrder() {
+      return this.multiplyUnsafe(cofactor).is0();
+    }
+    // Multiplies point by curve order and checks if the result is 0.
+    // Returns `false` is the point is dirty.
+    isTorsionFree() {
+      return wnaf.unsafe(this, CURVE.n).is0();
+    }
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    toAffine(invertedZ) {
+      return toAffineMemo(this, invertedZ);
+    }
+    clearCofactor() {
+      if (cofactor === _1n4)
+        return this;
+      return this.multiplyUnsafe(cofactor);
+    }
+    toBytes() {
+      const { x, y } = this.toAffine();
+      const bytes2 = Fp2.toBytes(y);
+      bytes2[bytes2.length - 1] |= x & _1n4 ? 128 : 0;
+      return bytes2;
+    }
+    toHex() {
+      return bytesToHex2(this.toBytes());
+    }
+    toString() {
+      return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+    }
+  }
+  const wnaf = new wNAF2(Point2, Fn2.BITS);
+  Point2.BASE.precompute(8);
+  return Point2;
+}
+var PrimeEdwardsPoint = class {
+  static BASE;
+  static ZERO;
+  static Fp;
+  static Fn;
+  ep;
+  constructor(ep) {
+    this.ep = ep;
+  }
+  // Static methods that must be implemented by subclasses
+  static fromBytes(_bytes) {
+    notImplemented();
+  }
+  static fromHex(_hex) {
+    notImplemented();
+  }
+  get x() {
+    return this.toAffine().x;
+  }
+  get y() {
+    return this.toAffine().y;
+  }
+  // Common implementations
+  clearCofactor() {
+    return this;
+  }
+  assertValidity() {
+    this.ep.assertValidity();
+  }
+  toAffine(invertedZ) {
+    return this.ep.toAffine(invertedZ);
+  }
+  toHex() {
+    return bytesToHex2(this.toBytes());
+  }
+  toString() {
+    return this.toHex();
+  }
+  isTorsionFree() {
+    return true;
+  }
+  isSmallOrder() {
+    return false;
+  }
+  add(other) {
+    this.assertSame(other);
+    return this.init(this.ep.add(other.ep));
+  }
+  subtract(other) {
+    this.assertSame(other);
+    return this.init(this.ep.subtract(other.ep));
+  }
+  multiply(scalar) {
+    return this.init(this.ep.multiply(scalar));
+  }
+  multiplyUnsafe(scalar) {
+    return this.init(this.ep.multiplyUnsafe(scalar));
+  }
+  double() {
+    return this.init(this.ep.double());
+  }
+  negate() {
+    return this.init(this.ep.negate());
+  }
+  precompute(windowSize, isLazy) {
+    return this.init(this.ep.precompute(windowSize, isLazy));
+  }
+};
+// node_modules/@noble/curves/ed25519.js
+var _0n5 = /* @__PURE__ */ BigInt(0);
+var _1n5 = BigInt(1);
+var _2n3 = BigInt(2);
+var _5n2 = BigInt(5);
+var _8n3 = BigInt(8);
+var ed25519_CURVE_p = BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
+var ed25519_CURVE2 = /* @__PURE__ */ (() => ({
+  p: ed25519_CURVE_p,
+  n: BigInt("0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"),
+  h: _8n3,
+  a: BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"),
+  d: BigInt("0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3"),
+  Gx: BigInt("0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a"),
+  Gy: BigInt("0x6666666666666666666666666666666666666666666666666666666666666658")
+}))();
+function ed25519_pow_2_252_3(x) {
+  const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+  const P2 = ed25519_CURVE_p;
+  const x2 = x * x % P2;
+  const b2 = x2 * x % P2;
+  const b4 = pow22(b2, _2n3, P2) * b2 % P2;
+  const b5 = pow22(b4, _1n5, P2) * x % P2;
+  const b10 = pow22(b5, _5n2, P2) * b5 % P2;
+  const b20 = pow22(b10, _10n, P2) * b10 % P2;
+  const b40 = pow22(b20, _20n, P2) * b20 % P2;
+  const b80 = pow22(b40, _40n, P2) * b40 % P2;
+  const b160 = pow22(b80, _80n, P2) * b80 % P2;
+  const b240 = pow22(b160, _80n, P2) * b80 % P2;
+  const b250 = pow22(b240, _10n, P2) * b10 % P2;
+  const pow_p_5_8 = pow22(b250, _2n3, P2) * x % P2;
+  return { pow_p_5_8, b2 };
+}
+var ED25519_SQRT_M1 = /* @__PURE__ */ BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752");
+function uvRatio2(u, v) {
+  const P2 = ed25519_CURVE_p;
+  const v3 = mod(v * v * v, P2);
+  const v7 = mod(v3 * v3 * v, P2);
+  const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+  let x = mod(u * v3 * pow, P2);
+  const vx2 = mod(v * x * x, P2);
+  const root1 = x;
+  const root2 = mod(x * ED25519_SQRT_M1, P2);
+  const useRoot1 = vx2 === u;
+  const useRoot2 = vx2 === mod(-u, P2);
+  const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P2);
+  if (useRoot1)
+    x = root1;
+  if (useRoot2 || noRoot)
+    x = root2;
+  if (isNegativeLE(x, P2))
+    x = mod(-x, P2);
+  return { isValid: useRoot1 || useRoot2, value: x };
+}
+var ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE2, { uvRatio: uvRatio2 });
+var Fp = /* @__PURE__ */ (() => ed25519_Point.Fp)();
+var Fn = /* @__PURE__ */ (() => ed25519_Point.Fn)();
+var SQRT_M1 = ED25519_SQRT_M1;
+var INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt("54469307008909316920995813868745141605393597292927456921205312896311721017578");
+var invertSqrt = (number) => uvRatio2(_1n5, number);
+var MAX_255B = /* @__PURE__ */ BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
+var bytes255ToNumberLE = (bytes2) => Fp.create(bytesToNumberLE(bytes2) & MAX_255B);
+var _RistrettoPoint = class __RistrettoPoint extends PrimeEdwardsPoint {
+  // Do NOT change syntax: the following gymnastics is done,
+  // because typescript strips comments, which makes bundlers disable tree-shaking.
+  // prettier-ignore
+  static BASE = /* @__PURE__ */ (() => new __RistrettoPoint(ed25519_Point.BASE))();
+  // prettier-ignore
+  static ZERO = /* @__PURE__ */ (() => new __RistrettoPoint(ed25519_Point.ZERO))();
+  // prettier-ignore
+  static Fp = /* @__PURE__ */ (() => Fp)();
+  // prettier-ignore
+  static Fn = /* @__PURE__ */ (() => Fn)();
+  constructor(ep) {
+    super(ep);
+  }
+  static fromAffine(ap) {
+    return new __RistrettoPoint(ed25519_Point.fromAffine(ap));
+  }
+  assertSame(other) {
+    if (!(other instanceof __RistrettoPoint))
+      throw new Error("RistrettoPoint expected");
+  }
+  init(ep) {
+    return new __RistrettoPoint(ep);
+  }
+  static fromBytes(bytes2) {
+    abytes5(bytes2, 32);
+    const { a, d } = ed25519_CURVE2;
+    const P2 = ed25519_CURVE_p;
+    const mod2 = (n) => Fp.create(n);
+    const s = bytes255ToNumberLE(bytes2);
+    if (!equalBytes(Fp.toBytes(s), bytes2) || isNegativeLE(s, P2))
+      throw new Error("invalid ristretto255 encoding 1");
+    const s2 = mod2(s * s);
+    const u1 = mod2(_1n5 + a * s2);
+    const u2 = mod2(_1n5 - a * s2);
+    const u1_2 = mod2(u1 * u1);
+    const u2_2 = mod2(u2 * u2);
+    const v = mod2(a * d * u1_2 - u2_2);
+    const { isValid, value: I2 } = invertSqrt(mod2(v * u2_2));
+    const Dx = mod2(I2 * u2);
+    const Dy = mod2(I2 * Dx * v);
+    let x = mod2((s + s) * Dx);
+    if (isNegativeLE(x, P2))
+      x = mod2(-x);
+    const y = mod2(u1 * Dy);
+    const t = mod2(x * y);
+    if (!isValid || isNegativeLE(t, P2) || y === _0n5)
+      throw new Error("invalid ristretto255 encoding 2");
+    return new __RistrettoPoint(new ed25519_Point(x, y, _1n5, t));
+  }
+  /**
+   * Converts ristretto-encoded string to ristretto point.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
+   * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+   */
+  static fromHex(hex2) {
+    return __RistrettoPoint.fromBytes(hexToBytes2(hex2));
+  }
+  /**
+   * Encodes ristretto point to Uint8Array.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
+   */
+  toBytes() {
+    let { X, Y, Z, T } = this.ep;
+    const P2 = ed25519_CURVE_p;
+    const mod2 = (n) => Fp.create(n);
+    const u1 = mod2(mod2(Z + Y) * mod2(Z - Y));
+    const u2 = mod2(X * Y);
+    const u2sq = mod2(u2 * u2);
+    const { value: invsqrt } = invertSqrt(mod2(u1 * u2sq));
+    const D1 = mod2(invsqrt * u1);
+    const D2 = mod2(invsqrt * u2);
+    const zInv = mod2(D1 * D2 * T);
+    let D;
+    if (isNegativeLE(T * zInv, P2)) {
+      let _x = mod2(Y * SQRT_M1);
+      let _y = mod2(X * SQRT_M1);
+      X = _x;
+      Y = _y;
+      D = mod2(D1 * INVSQRT_A_MINUS_D);
+    } else {
+      D = D2;
+    }
+    if (isNegativeLE(X * zInv, P2))
+      Y = mod2(-Y);
+    let s = mod2((Z - Y) * D);
+    if (isNegativeLE(s, P2))
+      s = mod2(-s);
+    return Fp.toBytes(s);
+  }
+  /**
+   * Compares two Ristretto points.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
+   */
+  equals(other) {
+    this.assertSame(other);
+    const { X: X1, Y: Y1 } = this.ep;
+    const { X: X2, Y: Y2 } = other.ep;
+    const mod2 = (n) => Fp.create(n);
+    const one = mod2(X1 * Y2) === mod2(Y1 * X2);
+    const two = mod2(Y1 * Y2) === mod2(X1 * X2);
+    return one || two;
+  }
+  is0() {
+    return this.equals(__RistrettoPoint.ZERO);
+  }
+};
+var ristretto255 = { Point: _RistrettoPoint };
+// node_modules/@noble/hashes/hkdf.js
+function extract(hash, ikm, salt) {
+  ahash(hash);
+  if (salt === void 0)
+    salt = new Uint8Array(hash.outputLen);
+  return hmac(hash, salt, ikm);
+}
+var HKDF_COUNTER = /* @__PURE__ */ Uint8Array.of(0);
+var EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
+function expand(hash, prk, info, length = 32) {
+  ahash(hash);
+  anumber(length, "length");
+  const olen = hash.outputLen;
+  if (length > 255 * olen)
+    throw new Error("Length must be <= 255*HashLen");
+  const blocks = Math.ceil(length / olen);
+  if (info === void 0)
+    info = EMPTY_BUFFER;
+  else
+    abytes2(info, void 0, "info");
+  const okm = new Uint8Array(blocks * olen);
+  const HMAC = hmac.create(hash, prk);
+  const HMACTmp = HMAC._cloneInto();
+  const T = new Uint8Array(HMAC.outputLen);
+  for (let counter = 0; counter < blocks; counter++) {
+    HKDF_COUNTER[0] = counter + 1;
+    HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T).update(info).update(HKDF_COUNTER).digestInto(T);
+    okm.set(T, olen * counter);
+    HMAC._cloneInto(HMACTmp);
+  }
+  HMAC.destroy();
+  HMACTmp.destroy();
+  clean(T, HKDF_COUNTER);
+  return okm.slice(0, length);
+}
+var hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
+// src/rex/dkg.ts
+var RISTRETTO255_ORDER = BigInt(
+  "0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"
+);
+var DKG_KDF_SALT = /* @__PURE__ */ new TextEncoder().encode(
+  "RIALO_DKG_THRESHOLD_V1"
+);
+var DKG_ACL_AAD_DOMAIN = /* @__PURE__ */ new TextEncoder().encode(
+  "RIALO_DKG_ACL_V1"
+  // exactly 16 bytes
+);
+var DKG_PAYLOAD_VERSION2 = 2;
+var MAX_SECRET_LENGTH2 = 64 * 1024;
+var RISTRETTO_POINT_BYTES2 = 32;
+var ED25519_PUBKEY_BYTES = 32;
+var CHACHA20_NONCE_BYTES = 12;
+function buildAad(creatorPubkey) {
+  const aad = new Uint8Array(DKG_ACL_AAD_DOMAIN.length + creatorPubkey.length);
+  aad.set(DKG_ACL_AAD_DOMAIN, 0);
+  aad.set(creatorPubkey, DKG_ACL_AAD_DOMAIN.length);
   return aad;
 }
-async function hpkeEncrypt(rexPubkey, data, senderPubkey) {
-  if (rexPubkey.length !== X25519_PUBLIC_KEY_LENGTH) {
-    throw HpkeError.invalidKeyLength(
-      X25519_PUBLIC_KEY_LENGTH,
-      rexPubkey.length,
-      "REX public key"
-    );
+function buildKdfInfo(epoch, headerU, aad) {
+  const info = new Uint8Array(8 + RISTRETTO_POINT_BYTES2 + aad.length);
+  new DataView(info.buffer).setBigUint64(0, epoch, true);
+  info.set(headerU, 8);
+  info.set(aad, 8 + RISTRETTO_POINT_BYTES2);
+  return info;
+}
+function encodeDkgPayload(epoch, ciphertextU, ciphertextBody, ciphertextNonce, ciphertextAad) {
+  const size = 8 + RISTRETTO_POINT_BYTES2 + 4 + ciphertextBody.length + CHACHA20_NONCE_BYTES + 4 + ciphertextAad.length;
+  const buf = new Uint8Array(size);
+  const view = new DataView(buf.buffer);
+  let off = 0;
+  view.setBigUint64(off, epoch, true);
+  off += 8;
+  buf.set(ciphertextU, off);
+  off += RISTRETTO_POINT_BYTES2;
+  view.setUint32(off, ciphertextBody.length, true);
+  off += 4;
+  buf.set(ciphertextBody, off);
+  off += ciphertextBody.length;
+  buf.set(ciphertextNonce, off);
+  off += CHACHA20_NONCE_BYTES;
+  view.setUint32(off, ciphertextAad.length, true);
+  off += 4;
+  buf.set(ciphertextAad, off);
+  return buf;
+}
+function encryptSecretBytesWithEpoch(plaintext, creatorPubkey, epoch, thresholdPubkeyHex) {
+  if (plaintext.length === 0) {
+    throw EncryptionError.invalidInput("Secret cannot be empty");
   }
-  if (senderPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
-    throw HpkeError.invalidKeyLength(
-      ED25519_PUBLIC_KEY_LENGTH,
-      senderPubkey.length,
-      "sender public key"
+  if (plaintext.length > MAX_SECRET_LENGTH2) {
+    throw EncryptionError.invalidInput(
+      `Secret exceeds maximum length of ${MAX_SECRET_LENGTH2} bytes (got ${plaintext.length} bytes)`
     );
   }
-  try {
-    const recipientKey = await hpkeSuite.kem.importKey(
-      "raw",
-      rexPubkey.buffer.slice(
-        rexPubkey.byteOffset,
-        rexPubkey.byteOffset + rexPubkey.byteLength
-      )
+  if (creatorPubkey.length !== ED25519_PUBKEY_BYTES) {
+    throw EncryptionError.invalidInput(
+      `Creator public key must be ${ED25519_PUBKEY_BYTES} bytes, got ${creatorPubkey.length}`
     );
-    const sender = await hpkeSuite.createSenderContext({
-      recipientPublicKey: recipientKey,
-      info: SECRET_SHARING_HPKE_INFO.buffer.slice(
-        SECRET_SHARING_HPKE_INFO.byteOffset,
-        SECRET_SHARING_HPKE_INFO.byteOffset + SECRET_SHARING_HPKE_INFO.byteLength
-      )
-    });
-    const aad = buildAad(senderPubkey);
-    const ciphertext = await sender.seal(
-      data.buffer.slice(
-        data.byteOffset,
-        data.byteOffset + data.byteLength
-      ),
-      aad.buffer.slice(
-        aad.byteOffset,
-        aad.byteOffset + aad.byteLength
-      )
+  }
+  if (epoch < 0n || epoch > 0xffffffffffffffffn) {
+    throw EncryptionError.invalidInput(
+      `Epoch must be a valid u64 (0 to 2^64-1), got ${epoch}`
     );
-    const enc = new Uint8Array(sender.enc);
-    const result = new Uint8Array(enc.length + ciphertext.byteLength);
-    result.set(enc, 0);
-    result.set(new Uint8Array(ciphertext), enc.length);
-    return result;
-  } catch (error) {
-    throw HpkeError.encryptionFailed(
-      error instanceof Error ? error : new Error(String(error))
+  }
+  let jointPubKey;
+  try {
+    jointPubKey = ristretto255.Point.fromHex(thresholdPubkeyHex);
+  } catch (e) {
+    throw EncryptionError.invalidThresholdKey(
+      e instanceof Error ? e : new Error(String(e))
     );
   }
+  const aad = buildAad(creatorPubkey);
+  const r = bytesToNumberLE(randomBytes(64)) % RISTRETTO255_ORDER;
+  const headerUBytes = ristretto255.Point.BASE.multiply(r).toBytes();
+  const combinedZBytes = jointPubKey.multiply(r).toBytes();
+  const sessionKey = hkdf(
+    sha256,
+    combinedZBytes,
+    DKG_KDF_SALT,
+    buildKdfInfo(epoch, headerUBytes, aad),
+    32
+  );
+  const nonce = randomBytes(CHACHA20_NONCE_BYTES);
+  const ciphertextBody = chacha.chacha20poly1305(sessionKey, nonce, aad).encrypt(
+    plaintext
+  );
+  const payload = encodeDkgPayload(epoch, headerUBytes, ciphertextBody, nonce, aad);
+  const result = new Uint8Array(1 + payload.length);
+  result[0] = DKG_PAYLOAD_VERSION2;
+  result.set(payload, 1);
+  return result;
 }
-async function encryptForRex(rexPubkey, data, senderPubkey) {
-  const ciphertext = await hpkeEncrypt(rexPubkey, data, senderPubkey);
-  return RexValue.encrypted(ciphertext);
+function encryptSecretBytes(plaintext, creatorPubkey, secretSharingPubkey) {
+  return encryptSecretBytesWithEpoch(
+    plaintext,
+    creatorPubkey,
+    secretSharingPubkey.epoch,
+    secretSharingPubkey.publicKey
+  );
 }
-function getCiphertextLength(plaintextLength) {
-  return HPKE_OVERHEAD_LENGTH + plaintextLength;
+function encryptSecret(secret, creatorPubkey, secretSharingPubkey) {
+  return encryptSecretBytes(
+    new TextEncoder().encode(secret),
+    creatorPubkey,
+    secretSharingPubkey
+  );
 }
-function isValidCiphertextLength(ciphertext) {
-  return ciphertext.length >= HPKE_OVERHEAD_LENGTH;
+function encryptForRex(plaintext, creatorPubkey, secretSharingPubkey) {
+  return RexValue.encrypted(
+    encryptSecretBytes(plaintext, creatorPubkey, secretSharingPubkey)
+  );
 }
 // src/rpc/errors.ts
@@ -6670,39 +7966,28 @@ var QueryRpcClient = class extends BaseRpcClient {
     }));
   }
   /**
-   * Retrieve the REX X25519 public key for secret sharing encryption.
-   *
-   * This key is used for HPKE encryption when sending encrypted data
-   * that should only be decryptable within the REX execution environment.
-   *
-   * @returns The REX X25519 public key as a 32-byte Uint8Array
-   *
-   * @example
-   * ```typescript
-   * import { encryptForREX } from "@rialo/ts-cdk";
-   *
-   * // Get the REX public key
-   * const rexPubkey = await client.getSecretSharingPubkey();
+   * Retrieve the active threshold public key metadata.
    *
-   * // Use it for HPKE encryption
-   * const encrypted = await encryptForRex(
-   *   rexPubkey,
-   *   new TextEncoder().encode("secret data"),
-   *   keypair.publicKey.toBytes()
-   * );
-   * ```
+   * Returns the active threshold public key (a compressed Ristretto point) and
+   * its DKG epoch. Pass the result directly to `encryptSecretBytes`,
+   * `encryptSecret`, or `encryptForRex` to produce a threshold-encrypted
+   * `DkgEncryptedPayload` the network can decrypt during REX execution.
    */
   async getSecretSharingPubkey() {
     const result = await this.call(
       "getSecretSharingPubkey",
       []
     );
-    const hexString = result.public_key;
-    const bytes2 = new Uint8Array(hexString.length / 2);
-    for (let i = 0; i < bytes2.length; i++) {
-      bytes2[i] = Number.parseInt(hexString.slice(i * 2, i * 2 + 2), 16);
-    }
-    return bytes2;
+    return {
+      publicKey: result.pubkey,
+      epoch: BigInt(result.epoch)
+    };
+  }
+  /**
+   * @deprecated Use `getSecretSharingPubkey()` instead.
+   */
+  async getSecretSharingPubkeyInfo() {
+    return await this.getSecretSharingPubkey();
   }
   /**
    * Get the config hash prefix for replay protection.
@@ -6961,7 +8246,7 @@ var QueryRpcClient = class extends BaseRpcClient {
       withdrawalKey: v.withdrawal_key,
       stake: BigInt(v.stake),
       address: v.address,
-      stateSyncAddress: v.state_sync_address
+      subdagSyncAddress: v.subdag_sync_address
     }));
   }
   /**
@@ -7597,12 +8882,10 @@ var RialoClient = class extends RpcClient {
     return await this.queryClient.getConnectedFullNodes();
   }
   /**
-   * Gets the TEE's secret sharing public key for HPKE encryption.
+   * Gets the active secret-sharing public key metadata.
    */
   async getSecretSharingPubkey() {
-    const rawBytes = await this.queryClient.getSecretSharingPubkey();
-    const hex2 = Array.from(rawBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return { publicKey: hex2 };
+    return await this.queryClient.getSecretSharingPubkey();
   }
   /**
    * Gets the config hash prefix for protecting against replay attacks.
@@ -10876,6 +12159,298 @@ var KeypairSigner = class {
   }
 };
+// src/generated/keyring.ts
+var Keyring = class {
+};
+// src/keyring/validation.ts
+var U32_MAX = 4294967295;
+function validateKeypairIndex(index) {
+  if (!Number.isInteger(index) || index < 0 || index > U32_MAX) {
+    throw new RialoError(
+      "INVALID_INPUT" /* INVALID_INPUT */,
+      `Invalid keypair index: ${index}. Must be a non-negative integer <= ${U32_MAX}.`
+    );
+  }
+}
+// src/keyring/keyring.ts
+var RialoKeyring = class extends Keyring {
+  keypairs;
+  derivationPaths;
+  activeIndex;
+  constructor(keypairs, derivationPaths) {
+    super();
+    this.keypairs = keypairs;
+    this.derivationPaths = derivationPaths;
+    this.activeIndex = 0;
+  }
+  /**
+   * Sets the active keypair index (facade operation, not in WIT contract).
+   *
+   * @param index - The keypair index to make active
+   * @throws {RialoError} If the index does not exist in this keyring
+   */
+  setActiveKeypair(index) {
+    validateKeypairIndex(index);
+    if (!this.keypairs.has(index)) {
+      throw new RialoError(
+        "WALLET" /* WALLET */,
+        `Keypair ${index} not found in keyring`
+      );
+    }
+    this.activeIndex = index;
+  }
+  activeKeypair() {
+    const kp = this.keypairs.get(this.activeIndex);
+    if (!kp) {
+      throw new RialoError("WALLET" /* WALLET */, "Active keypair does not exist");
+    }
+    return kp;
+  }
+  sign(message) {
+    return this.activeKeypair().sign(message).toBytes();
+  }
+  verify(message, sig) {
+    return this.activeKeypair().verify(message, Signature.fromBytes(sig));
+  }
+  pubkeyString() {
+    return this.activeKeypair().publicKey.toString();
+  }
+  pubkey() {
+    return this.activeKeypair().publicKey;
+  }
+  getKeypairInfo(index) {
+    validateKeypairIndex(index);
+    const kp = this.keypairs.get(index);
+    if (!kp) return void 0;
+    return {
+      index,
+      pubkey: kp.publicKey,
+      pubkeyString: kp.publicKey.toString(),
+      derivationPath: this.derivationPaths.get(index) ?? void 0
+    };
+  }
+  listKeypairs() {
+    return Array.from(this.keypairs.keys()).sort((a, b) => a - b);
+  }
+  getKeypairsInfo() {
+    return this.listKeypairs().map((index) => this.getKeypairInfo(index));
+  }
+  signWithKeypair(message, index) {
+    validateKeypairIndex(index);
+    const kp = this.keypairs.get(index);
+    if (!kp) {
+      throw new RialoError(
+        "WALLET" /* WALLET */,
+        `Keypair ${index} not found in keyring`
+      );
+    }
+    return kp.sign(message).toBytes();
+  }
+  /**
+   * Securely erases all secret key material from this keyring snapshot.
+   *
+   * Calls {@link Keypair.dispose} on every keypair, zeroing private key bytes.
+   * After disposal, signing and secret-key export will throw. Verification
+   * still works (uses only the public key). Does not affect provider-stored
+   * state or other snapshots.
+   */
+  dispose() {
+    for (const kp of this.keypairs.values()) {
+      kp.dispose();
+    }
+  }
+};
+// src/generated/keyring-provider.ts
+var KeyringProvider = class {
+};
+// src/keyring/keyring-provider.ts
+var InMemoryKeyringProvider = class extends KeyringProvider {
+  keyrings = /* @__PURE__ */ new Map();
+  getStored(name) {
+    const stored = this.keyrings.get(name);
+    if (!stored) {
+      throw new RialoError("WALLET" /* WALLET */, `Keyring not found: ${name}`);
+    }
+    return stored;
+  }
+  checkPassword(stored, password) {
+    if (stored.password !== password) {
+      throw new RialoError("PASSWORD" /* PASSWORD */, "Invalid password");
+    }
+  }
+  buildKeyring(stored) {
+    const keypairsCopy = /* @__PURE__ */ new Map();
+    for (const [idx, kp] of stored.keypairs) {
+      keypairsCopy.set(idx, Keypair.fromSecretKey(kp.secretKeyBytes()));
+    }
+    const pathsCopy = new Map(stored.derivationPaths);
+    return new RialoKeyring(keypairsCopy, pathsCopy);
+  }
+  toInfo(index, kp, derivationPath) {
+    return {
+      index,
+      pubkey: kp.publicKey,
+      pubkeyString: kp.publicKey.toString(),
+      derivationPath
+    };
+  }
+  nextIndex(stored) {
+    if (stored.keypairs.size === 0) return 0;
+    return Math.max(...stored.keypairs.keys()) + 1;
+  }
+  async create(name, password) {
+    if (this.keyrings.has(name)) {
+      throw new RialoError("WALLET" /* WALLET */, `Keyring already exists: ${name}`);
+    }
+    const kp = Keypair.generate();
+    const keypairs = /* @__PURE__ */ new Map([[0, kp]]);
+    const derivationPaths = /* @__PURE__ */ new Map([[0, void 0]]);
+    this.keyrings.set(name, { keypairs, derivationPaths, mnemonic: void 0, password });
+    return this.buildKeyring(this.getStored(name));
+  }
+  async createWithMnemonic(name, strengthBits, password) {
+    if (this.keyrings.has(name)) {
+      throw new RialoError("WALLET" /* WALLET */, `Keyring already exists: ${name}`);
+    }
+    if (strengthBits !== 128 && strengthBits !== 256) {
+      throw new RialoError(
+        "INVALID_INPUT" /* INVALID_INPUT */,
+        `Invalid mnemonic strength: ${strengthBits}. Must be 128 or 256.`
+      );
+    }
+    const mnemonic = Mnemonic.generate(strengthBits);
+    const kp = await mnemonic.toKeypair(0);
+    const path = `${BASE_DERIVATION_PATH}0'/0'`;
+    const keypairs = /* @__PURE__ */ new Map([[0, kp]]);
+    const derivationPaths = /* @__PURE__ */ new Map([[0, path]]);
+    this.keyrings.set(name, {
+      keypairs,
+      derivationPaths,
+      mnemonic: mnemonic.toString(),
+      password
+    });
+    return [this.buildKeyring(this.getStored(name)), mnemonic.toString()];
+  }
+  async recoverFromMnemonic(name, mnemonicPhrase, password) {
+    if (this.keyrings.has(name)) {
+      throw new RialoError("WALLET" /* WALLET */, `Keyring already exists: ${name}`);
+    }
+    if (!Mnemonic.isValid(mnemonicPhrase)) {
+      throw new RialoError("INVALID_INPUT" /* INVALID_INPUT */, "Invalid BIP39 mnemonic phrase");
+    }
+    const mnemonic = Mnemonic.fromPhrase(mnemonicPhrase);
+    const kp = await mnemonic.toKeypair(0);
+    const path = `${BASE_DERIVATION_PATH}0'/0'`;
+    const keypairs = /* @__PURE__ */ new Map([[0, kp]]);
+    const derivationPaths = /* @__PURE__ */ new Map([[0, path]]);
+    this.keyrings.set(name, {
+      keypairs,
+      derivationPaths,
+      mnemonic: mnemonicPhrase,
+      password
+    });
+    return this.buildKeyring(this.getStored(name));
+  }
+  async load(name, password) {
+    const stored = this.getStored(name);
+    this.checkPassword(stored, password);
+    return this.buildKeyring(stored);
+  }
+  async list() {
+    return Array.from(this.keyrings.keys()).sort();
+  }
+  async exists(name) {
+    return this.keyrings.has(name);
+  }
+  async getPublicKey(name) {
+    const stored = this.getStored(name);
+    const kp = stored.keypairs.get(0);
+    if (!kp) throw new RialoError("WALLET" /* WALLET */, `Keyring ${name} has no keypair at index 0`);
+    return kp.publicKey;
+  }
+  async listPublicKeys() {
+    const results = [];
+    for (const [name, stored] of this.keyrings) {
+      const kp = stored.keypairs.get(0);
+      if (kp) {
+        results.push([name, this.toInfo(0, kp, stored.derivationPaths.get(0))]);
+      }
+    }
+    results.sort((a, b) => a[0].localeCompare(b[0]));
+    return results;
+  }
+  async listKeypairs(keyringName) {
+    const stored = this.getStored(keyringName);
+    const indices = Array.from(stored.keypairs.keys()).sort((a, b) => a - b);
+    return indices.map((idx) => {
+      const kp = stored.keypairs.get(idx);
+      return this.toInfo(idx, kp, stored.derivationPaths.get(idx));
+    });
+  }
+  async deriveKeypair(keyringName, keypairIndex, password) {
+    validateKeypairIndex(keypairIndex);
+    const stored = this.getStored(keyringName);
+    this.checkPassword(stored, password);
+    if (stored.keypairs.has(keypairIndex)) {
+      throw new RialoError(
+        "WALLET" /* WALLET */,
+        `Keypair with index ${keypairIndex} already exists`
+      );
+    }
+    let kp;
+    let derivationPath;
+    if (stored.mnemonic) {
+      const mnemonic = Mnemonic.fromPhrase(stored.mnemonic);
+      kp = await mnemonic.toKeypair(keypairIndex);
+      derivationPath = `${BASE_DERIVATION_PATH}${keypairIndex}'/0'`;
+    } else {
+      kp = Keypair.generate();
+      derivationPath = void 0;
+    }
+    stored.keypairs.set(keypairIndex, kp);
+    stored.derivationPaths.set(keypairIndex, derivationPath);
+    return this.toInfo(keypairIndex, kp, derivationPath);
+  }
+  async importSecretKey(keyringName, secretKey, derivationPath, password) {
+    if (secretKey.length !== 32) {
+      throw new RialoError(
+        "INVALID_INPUT" /* INVALID_INPUT */,
+        `Invalid secret key length: expected 32 bytes, got ${secretKey.length}`
+      );
+    }
+    const stored = this.getStored(keyringName);
+    this.checkPassword(stored, password);
+    const kp = Keypair.fromSecretKey(secretKey);
+    const nextIdx = this.nextIndex(stored);
+    stored.keypairs.set(nextIdx, kp);
+    stored.derivationPaths.set(nextIdx, derivationPath);
+    return this.toInfo(nextIdx, kp, derivationPath);
+  }
+  async getKeypairsInfo(name) {
+    return this.listKeypairs(name);
+  }
+  async getKeypairInfo(name, keypairIndex) {
+    validateKeypairIndex(keypairIndex);
+    const stored = this.getStored(name);
+    const kp = stored.keypairs.get(keypairIndex);
+    if (!kp) {
+      throw new RialoError(
+        "WALLET" /* WALLET */,
+        `Keypair ${keypairIndex} not found in keyring ${name}`
+      );
+    }
+    return this.toInfo(keypairIndex, kp, stored.derivationPaths.get(keypairIndex));
+  }
+  async nextKeypairIndex(name) {
+    const stored = this.getStored(name);
+    return this.nextIndex(stored);
+  }
+};
 // src/program/constants.ts
 var RISCV_LOADER_PROGRAM_ID = "RiscVLoader11111111111111111111111111111111";
 var LOADER_V4_PROGRAM_ID = "LoaderV411111111111111111111111111111111111";
@@ -11241,12 +12816,20 @@ var ProgramDeployment = class {
 @noble/ed25519/index.js:
   (*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) *)
+@noble/hashes/utils.js:
 @noble/hashes/utils.js:
 @noble/hashes/utils.js:
   (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 @scure/bip39/index.js:
   (*! scure-bip39 - MIT License (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com) *)
+@noble/curves/utils.js:
+@noble/curves/abstract/modular.js:
+@noble/curves/abstract/curve.js:
+@noble/curves/abstract/edwards.js:
+@noble/curves/ed25519.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 */
 exports.AccountMetaTable = AccountMetaTable;
@@ -11255,6 +12838,7 @@ exports.BUFFER_BALANCE_FACTOR = BUFFER_BALANCE_FACTOR;
 exports.BaseRpcClient = BaseRpcClient;
 exports.BincodeReader = BincodeReader;
 exports.BincodeWriter = BincodeWriter;
+exports.CHACHA20_POLY1305_NONCE_LENGTH = CHACHA20_POLY1305_NONCE_LENGTH;
 exports.CHACHA20_POLY1305_TAG_LENGTH = CHACHA20_POLY1305_TAG_LENGTH;
 exports.CryptoError = CryptoError;
 exports.CryptoErrorCode = CryptoErrorCode;
@@ -11264,18 +12848,21 @@ exports.DEFAULT_MAX_RETRIES = DEFAULT_MAX_RETRIES2;
 exports.DEFAULT_NUM_ACCOUNTS = DEFAULT_NUM_ACCOUNTS;
 exports.DEFAULT_RETRY_BASE_DELAY_MS = DEFAULT_RETRY_BASE_DELAY_MS;
 exports.DEFAULT_RETRY_MAX_DELAY_MS = DEFAULT_RETRY_MAX_DELAY_MS;
+exports.DKG_PAYLOAD_VERSION = DKG_PAYLOAD_VERSION;
 exports.DeploymentError = DeploymentError;
 exports.DeploymentErrorCode = DeploymentErrorCode;
 exports.ED25519_PUBLIC_KEY_LENGTH = ED25519_PUBLIC_KEY_LENGTH;
-exports.HPKE_ENC_LENGTH = HPKE_ENC_LENGTH;
-exports.HPKE_OVERHEAD_LENGTH = HPKE_OVERHEAD_LENGTH;
-exports.HpkeError = HpkeError;
-exports.HpkeErrorCode = HpkeErrorCode;
+exports.EncryptionError = EncryptionError;
+exports.EncryptionErrorCode = EncryptionErrorCode;
 exports.HttpTransport = HttpTransport;
+exports.InMemoryKeyringProvider = InMemoryKeyringProvider;
 exports.KELVIN_PER_RLO = KELVIN_PER_RLO;
 exports.Keypair = Keypair;
 exports.KeypairSigner = KeypairSigner;
+exports.Keyring = Keyring;
+exports.KeyringProvider = KeyringProvider;
 exports.LOADER_V4_PROGRAM_ID = LOADER_V4_PROGRAM_ID;
+exports.MAX_SECRET_LENGTH = MAX_SECRET_LENGTH;
 exports.Message = Message;
 exports.Mnemonic = Mnemonic;
 exports.PROGRAM_DATA_OFFSET = PROGRAM_DATA_OFFSET;
@@ -11288,16 +12875,17 @@ exports.RIALO_LOCALNET_CHAIN = RIALO_LOCALNET_CHAIN;
 exports.RIALO_MAINNET_CHAIN = RIALO_MAINNET_CHAIN;
 exports.RIALO_TESTNET_CHAIN = RIALO_TESTNET_CHAIN;
 exports.RISCV_LOADER_PROGRAM_ID = RISCV_LOADER_PROGRAM_ID;
+exports.RISTRETTO_POINT_BYTES = RISTRETTO_POINT_BYTES;
 exports.RexValue = RexValue;
 exports.RexValueVariant = RexValueVariant;
 exports.RialoClient = RialoClient;
 exports.RialoError = RialoError;
 exports.RialoErrorType = RialoErrorType;
+exports.RialoKeyring = RialoKeyring;
 exports.RiscVLoaderInstruction = RiscVLoaderInstruction;
 exports.RpcError = RpcError;
 exports.RpcErrorCode = RpcErrorCode;
 exports.SECRET_KEY_LENGTH = SECRET_KEY_LENGTH;
-exports.SECRET_SHARING_HPKE_INFO = SECRET_SHARING_HPKE_INFO;
 exports.SIGNATURE_LENGTH = SIGNATURE_LENGTH;
 exports.SYSTEM_PROGRAM_ID = SYSTEM_PROGRAM_ID;
 exports.Schema = Schema;
@@ -11312,8 +12900,6 @@ exports.URL_DEVNET = URL_DEVNET;
 exports.URL_LOCALNET = URL_LOCALNET;
 exports.URL_MAINNET = URL_MAINNET;
 exports.URL_TESTNET = URL_TESTNET;
-exports.USER_SECRET_AAD = USER_SECRET_AAD;
-exports.X25519_PUBLIC_KEY_LENGTH = X25519_PUBLIC_KEY_LENGTH;
 exports.allocateInstruction = allocateInstruction;
 exports.assignInstruction = assignInstruction;
 exports.calculateBackoff = calculateBackoff;
@@ -11328,18 +12914,18 @@ exports.deserializeCompactU16 = deserializeCompactU162;
 exports.deserializeStrict = deserializeStrict;
 exports.encodeBorshData = encodeBorshData;
 exports.encryptForRex = encryptForRex;
+exports.encryptSecret = encryptSecret;
+exports.encryptSecretBytes = encryptSecretBytes;
+exports.encryptSecretBytesWithEpoch = encryptSecretBytesWithEpoch;
 exports.field = field;
 exports.fixedArray = fixedArray;
 exports.fromBase64 = fromBase64;
-exports.getCiphertextLength = getCiphertextLength;
 exports.getDefaultRialoClientConfig = getDefaultRialoClientConfig;
 exports.getDevnetUrl = getDevnetUrl;
 exports.getLocalnetUrl = getLocalnetUrl;
 exports.getMainnetUrl = getMainnetUrl;
 exports.getTestnetUrl = getTestnetUrl;
-exports.hpkeEncrypt = hpkeEncrypt;
 exports.isOnCurve = isOnCurve;
-exports.isValidCiphertextLength = isValidCiphertextLength;
 exports.option = option;
 exports.retractInstruction = retractInstruction;
 exports.seedToBytes = seedToBytes;