@umbra-privacy/sdk 5.0.0-rc.0 → 5.0.0-rc.1

Files changed (353)
  1. package/dist/{addresses-BbmoaEss.d.cts → addresses-CIRc4bLk.d.cts} +1 -1
  2. package/dist/{addresses-DmXWa1Bi.d.ts → addresses-xHY8prWl.d.ts} +1 -1
  3. package/dist/{aggregation-DyiVod2L.d.ts → aggregation-C-u1ZlSW.d.ts} +2 -2
  4. package/dist/{aggregation-D0j1gF5g.d.cts → aggregation-D2lmFpwR.d.cts} +2 -2
  5. package/dist/application/client/index.cjs +13 -13
  6. package/dist/application/client/index.d.cts +10 -10
  7. package/dist/application/client/index.d.ts +10 -10
  8. package/dist/application/client/index.js +8 -8
  9. package/dist/{chunk-JJXV4VZC.js → chunk-2IJ3WWKS.js} +5 -5
  10. package/dist/{chunk-JJXV4VZC.js.map → chunk-2IJ3WWKS.js.map} +1 -1
  11. package/dist/{chunk-2PV6XMDU.js → chunk-4FGHYI47.js} +3 -3
  12. package/dist/{chunk-2PV6XMDU.js.map → chunk-4FGHYI47.js.map} +1 -1
  13. package/dist/{chunk-FBE55AHC.cjs → chunk-4OPKHKQ4.cjs} +6 -6
  14. package/dist/{chunk-FBE55AHC.cjs.map → chunk-4OPKHKQ4.cjs.map} +1 -1
  15. package/dist/{chunk-VWWK72JX.cjs → chunk-4VBAGHP5.cjs} +19 -19
  16. package/dist/{chunk-VWWK72JX.cjs.map → chunk-4VBAGHP5.cjs.map} +1 -1
  17. package/dist/{chunk-LGQVU24T.js → chunk-5BTPOVAR.js} +4 -4
  18. package/dist/{chunk-LGQVU24T.js.map → chunk-5BTPOVAR.js.map} +1 -1
  19. package/dist/{chunk-VGPYZT4M.js → chunk-5FVQDUJC.js} +5 -5
  20. package/dist/{chunk-VGPYZT4M.js.map → chunk-5FVQDUJC.js.map} +1 -1
  21. package/dist/{chunk-XSDT5KGS.cjs → chunk-5ZFZ5252.cjs} +5 -5
  22. package/dist/{chunk-XSDT5KGS.cjs.map → chunk-5ZFZ5252.cjs.map} +1 -1
  23. package/dist/{chunk-NSASSW5A.js → chunk-6KAYA2GH.js} +3 -3
  24. package/dist/{chunk-NSASSW5A.js.map → chunk-6KAYA2GH.js.map} +1 -1
  25. package/dist/{chunk-ZZKNMKT3.js → chunk-6OHWNQA5.js} +3 -3
  26. package/dist/{chunk-ZZKNMKT3.js.map → chunk-6OHWNQA5.js.map} +1 -1
  27. package/dist/{chunk-4SVKUPKL.js → chunk-6T2GVW37.js} +6 -6
  28. package/dist/{chunk-4SVKUPKL.js.map → chunk-6T2GVW37.js.map} +1 -1
  29. package/dist/{chunk-MQ5FKZEL.js → chunk-7YTHMLGR.js} +3 -3
  30. package/dist/{chunk-MQ5FKZEL.js.map → chunk-7YTHMLGR.js.map} +1 -1
  31. package/dist/{chunk-DGO2AYIN.js → chunk-BU2SZVDY.js} +9 -9
  32. package/dist/{chunk-DGO2AYIN.js.map → chunk-BU2SZVDY.js.map} +1 -1
  33. package/dist/{chunk-64WMNELN.cjs → chunk-BX4C2I5E.cjs} +5 -5
  34. package/dist/{chunk-64WMNELN.cjs.map → chunk-BX4C2I5E.cjs.map} +1 -1
  35. package/dist/{chunk-EF7FD3JZ.cjs → chunk-C4PZMH3U.cjs} +20 -20
  36. package/dist/{chunk-EF7FD3JZ.cjs.map → chunk-C4PZMH3U.cjs.map} +1 -1
  37. package/dist/{chunk-GO2E3PLZ.cjs → chunk-CFCB5AGF.cjs} +7 -7
  38. package/dist/{chunk-GO2E3PLZ.cjs.map → chunk-CFCB5AGF.cjs.map} +1 -1
  39. package/dist/{chunk-JQMPZPL6.cjs → chunk-DEDQCLTZ.cjs} +28 -28
  40. package/dist/{chunk-JQMPZPL6.cjs.map → chunk-DEDQCLTZ.cjs.map} +1 -1
  41. package/dist/{chunk-UWHFOVYP.js → chunk-DPIWQKFS.js} +4 -4
  42. package/dist/{chunk-UWHFOVYP.js.map → chunk-DPIWQKFS.js.map} +1 -1
  43. package/dist/{chunk-RLXZUD4I.cjs → chunk-E3ENZP6F.cjs} +595 -595
  44. package/dist/{chunk-RLXZUD4I.cjs.map → chunk-E3ENZP6F.cjs.map} +1 -1
  45. package/dist/{chunk-QWGCDUCP.cjs → chunk-E7CCB7PY.cjs} +20 -20
  46. package/dist/{chunk-QWGCDUCP.cjs.map → chunk-E7CCB7PY.cjs.map} +1 -1
  47. package/dist/{chunk-SJHTH2CJ.js → chunk-EH7CUMR4.js} +4 -4
  48. package/dist/{chunk-SJHTH2CJ.js.map → chunk-EH7CUMR4.js.map} +1 -1
  49. package/dist/{chunk-RCZEOQA7.cjs → chunk-F7VBZGJV.cjs} +20 -20
  50. package/dist/{chunk-RCZEOQA7.cjs.map → chunk-F7VBZGJV.cjs.map} +1 -1
  51. package/dist/{chunk-TXSWPBGS.cjs → chunk-FRGBGKLU.cjs} +9 -9
  52. package/dist/{chunk-TXSWPBGS.cjs.map → chunk-FRGBGKLU.cjs.map} +1 -1
  53. package/dist/{chunk-GHXWAWQJ.js → chunk-G46RNHHQ.js} +4 -4
  54. package/dist/{chunk-GHXWAWQJ.js.map → chunk-G46RNHHQ.js.map} +1 -1
  55. package/dist/{chunk-ZQS2RUQQ.js → chunk-GKAMOUOM.js} +3 -3
  56. package/dist/{chunk-ZQS2RUQQ.js.map → chunk-GKAMOUOM.js.map} +1 -1
  57. package/dist/{chunk-X7APEEEE.js → chunk-GRJQVIEB.js} +3 -3
  58. package/dist/{chunk-X7APEEEE.js.map → chunk-GRJQVIEB.js.map} +1 -1
  59. package/dist/{chunk-IH6BI5O7.js → chunk-GWF3PX43.js} +5 -5
  60. package/dist/{chunk-IH6BI5O7.js.map → chunk-GWF3PX43.js.map} +1 -1
  61. package/dist/{chunk-BR57DYZH.cjs → chunk-H2LV4QU5.cjs} +40 -40
  62. package/dist/{chunk-BR57DYZH.cjs.map → chunk-H2LV4QU5.cjs.map} +1 -1
  63. package/dist/{chunk-DPLAUIJ4.js → chunk-HHPCNDAB.js} +6 -6
  64. package/dist/{chunk-DPLAUIJ4.js.map → chunk-HHPCNDAB.js.map} +1 -1
  65. package/dist/{chunk-O4UZ6FMO.js → chunk-HKA265U3.js} +7 -7
  66. package/dist/{chunk-O4UZ6FMO.js.map → chunk-HKA265U3.js.map} +1 -1
  67. package/dist/{chunk-BYMSGPB5.cjs → chunk-IIQRQ2UH.cjs} +16 -16
  68. package/dist/{chunk-BYMSGPB5.cjs.map → chunk-IIQRQ2UH.cjs.map} +1 -1
  69. package/dist/{chunk-QRP6EPA6.cjs → chunk-IOJSSJKM.cjs} +5 -5
  70. package/dist/{chunk-QRP6EPA6.cjs.map → chunk-IOJSSJKM.cjs.map} +1 -1
  71. package/dist/{chunk-ULC4FRH7.js → chunk-IPOD4C3X.js} +3 -3
  72. package/dist/{chunk-ULC4FRH7.js.map → chunk-IPOD4C3X.js.map} +1 -1
  73. package/dist/{chunk-34LUP6SK.cjs → chunk-IZAISYX3.cjs} +8 -8
  74. package/dist/{chunk-34LUP6SK.cjs.map → chunk-IZAISYX3.cjs.map} +1 -1
  75. package/dist/{chunk-XAYUPZJG.cjs → chunk-J4KZCIZW.cjs} +125 -125
  76. package/dist/{chunk-XAYUPZJG.cjs.map → chunk-J4KZCIZW.cjs.map} +1 -1
  77. package/dist/{chunk-RCW4WOLH.js → chunk-JDZ7YBGH.js} +4 -4
  78. package/dist/{chunk-RCW4WOLH.js.map → chunk-JDZ7YBGH.js.map} +1 -1
  79. package/dist/{chunk-NE6OEOR4.cjs → chunk-K2AKXPXA.cjs} +2 -12
  80. package/dist/chunk-K2AKXPXA.cjs.map +1 -0
  81. package/dist/{chunk-45NIZXEH.js → chunk-KYCTLUUO.js} +3 -3
  82. package/dist/{chunk-45NIZXEH.js.map → chunk-KYCTLUUO.js.map} +1 -1
  83. package/dist/{chunk-LNZV33FI.cjs → chunk-KZZELFCE.cjs} +15 -15
  84. package/dist/{chunk-LNZV33FI.cjs.map → chunk-KZZELFCE.cjs.map} +1 -1
  85. package/dist/{chunk-34BHNVIK.cjs → chunk-LHT5GCKB.cjs} +9 -9
  86. package/dist/{chunk-34BHNVIK.cjs.map → chunk-LHT5GCKB.cjs.map} +1 -1
  87. package/dist/{chunk-ZIH2ASX3.js → chunk-NL3NCTCO.js} +16 -16
  88. package/dist/{chunk-ZIH2ASX3.js.map → chunk-NL3NCTCO.js.map} +1 -1
  89. package/dist/{chunk-JBCGZBUH.js → chunk-NVJMSVCH.js} +3 -3
  90. package/dist/{chunk-JBCGZBUH.js.map → chunk-NVJMSVCH.js.map} +1 -1
  91. package/dist/{chunk-JFWHQXME.cjs → chunk-O6GP3JSZ.cjs} +35 -35
  92. package/dist/{chunk-JFWHQXME.cjs.map → chunk-O6GP3JSZ.cjs.map} +1 -1
  93. package/dist/{chunk-TCH7MDNY.cjs → chunk-OMKTXXQQ.cjs} +16 -16
  94. package/dist/{chunk-TCH7MDNY.cjs.map → chunk-OMKTXXQQ.cjs.map} +1 -1
  95. package/dist/{chunk-U2SQ2YBH.cjs → chunk-PDVIQK24.cjs} +9 -9
  96. package/dist/{chunk-U2SQ2YBH.cjs.map → chunk-PDVIQK24.cjs.map} +1 -1
  97. package/dist/{chunk-YFXQPECD.cjs → chunk-PPDNOTME.cjs} +5 -5
  98. package/dist/{chunk-YFXQPECD.cjs.map → chunk-PPDNOTME.cjs.map} +1 -1
  99. package/dist/{chunk-XWFU4US7.js → chunk-QCNAUZIW.js} +3 -3
  100. package/dist/{chunk-XWFU4US7.js.map → chunk-QCNAUZIW.js.map} +1 -1
  101. package/dist/{chunk-QY5KSORC.js → chunk-QLH6JL2Z.js} +5 -5
  102. package/dist/{chunk-QY5KSORC.js.map → chunk-QLH6JL2Z.js.map} +1 -1
  103. package/dist/{chunk-WLNVVB6J.js → chunk-REWNJ3HO.js} +3 -3
  104. package/dist/{chunk-WLNVVB6J.js.map → chunk-REWNJ3HO.js.map} +1 -1
  105. package/dist/{chunk-YAPFJ6TA.js → chunk-S3NOXIAZ.js} +8 -8
  106. package/dist/{chunk-YAPFJ6TA.js.map → chunk-S3NOXIAZ.js.map} +1 -1
  107. package/dist/{chunk-55LQYM7D.js → chunk-SC34XOU4.js} +3 -3
  108. package/dist/{chunk-55LQYM7D.js.map → chunk-SC34XOU4.js.map} +1 -1
  109. package/dist/{chunk-PJCSSDMQ.cjs → chunk-SKXCPGSQ.cjs} +85 -85
  110. package/dist/{chunk-PJCSSDMQ.cjs.map → chunk-SKXCPGSQ.cjs.map} +1 -1
  111. package/dist/{chunk-HG36GFK3.js → chunk-TGHCKK36.js} +3 -12
  112. package/dist/chunk-TGHCKK36.js.map +1 -0
  113. package/dist/{chunk-3HMBF543.js → chunk-TLCYQHNK.js} +5 -5
  114. package/dist/{chunk-3HMBF543.js.map → chunk-TLCYQHNK.js.map} +1 -1
  115. package/dist/{chunk-BBEVX6QC.js → chunk-TNDJTSKI.js} +6 -6
  116. package/dist/{chunk-BBEVX6QC.js.map → chunk-TNDJTSKI.js.map} +1 -1
  117. package/dist/{chunk-LHXAVQEO.cjs → chunk-TZ73IDTV.cjs} +4 -4
  118. package/dist/{chunk-LHXAVQEO.cjs.map → chunk-TZ73IDTV.cjs.map} +1 -1
  119. package/dist/{chunk-ZVQ42ZYK.js → chunk-UE4M5CBU.js} +3 -3
  120. package/dist/{chunk-ZVQ42ZYK.js.map → chunk-UE4M5CBU.js.map} +1 -1
  121. package/dist/{chunk-FILA3D2Z.cjs → chunk-WCTMC2J7.cjs} +8 -8
  122. package/dist/{chunk-FILA3D2Z.cjs.map → chunk-WCTMC2J7.cjs.map} +1 -1
  123. package/dist/{chunk-N44EDM3H.cjs → chunk-WUZEMDJP.cjs} +17 -17
  124. package/dist/{chunk-N44EDM3H.cjs.map → chunk-WUZEMDJP.cjs.map} +1 -1
  125. package/dist/{chunk-3Q2HEN7B.js → chunk-WWUZQSAT.js} +4 -4
  126. package/dist/{chunk-3Q2HEN7B.js.map → chunk-WWUZQSAT.js.map} +1 -1
  127. package/dist/{chunk-B63O4SHX.cjs → chunk-X3SNQGZC.cjs} +8 -8
  128. package/dist/{chunk-B63O4SHX.cjs.map → chunk-X3SNQGZC.cjs.map} +1 -1
  129. package/dist/{chunk-6E4JEZSE.cjs → chunk-XOCTEEKI.cjs} +16 -16
  130. package/dist/{chunk-6E4JEZSE.cjs.map → chunk-XOCTEEKI.cjs.map} +1 -1
  131. package/dist/{chunk-LNCEHYWQ.js → chunk-XTHZNSDM.js} +3 -3
  132. package/dist/{chunk-LNCEHYWQ.js.map → chunk-XTHZNSDM.js.map} +1 -1
  133. package/dist/{chunk-RR4DQCGD.cjs → chunk-XVU3RFPG.cjs} +17 -17
  134. package/dist/{chunk-RR4DQCGD.cjs.map → chunk-XVU3RFPG.cjs.map} +1 -1
  135. package/dist/{chunk-BMTIGH3Q.cjs → chunk-ZE2HKERO.cjs} +3 -3
  136. package/dist/{chunk-BMTIGH3Q.cjs.map → chunk-ZE2HKERO.cjs.map} +1 -1
  137. package/dist/{chunk-34IEX6LO.js → chunk-ZFMFMHPM.js} +3 -3
  138. package/dist/{chunk-34IEX6LO.js.map → chunk-ZFMFMHPM.js.map} +1 -1
  139. package/dist/{chunk-RQ3FZ3W6.cjs → chunk-ZT3UMAP3.cjs} +4 -4
  140. package/dist/{chunk-RQ3FZ3W6.cjs.map → chunk-ZT3UMAP3.cjs.map} +1 -1
  141. package/dist/{chunk-4P6R4NKQ.cjs → chunk-ZU7RKDLM.cjs} +22 -22
  142. package/dist/{chunk-4P6R4NKQ.cjs.map → chunk-ZU7RKDLM.cjs.map} +1 -1
  143. package/dist/{chunk-UDNBK7IT.cjs → chunk-ZWLF65R7.cjs} +51 -51
  144. package/dist/{chunk-UDNBK7IT.cjs.map → chunk-ZWLF65R7.cjs.map} +1 -1
  145. package/dist/{cipher-Dn--bOv1.d.cts → cipher-D4ZOcEqe.d.cts} +6 -6
  146. package/dist/{cipher-DBcYP1R0.d.ts → cipher-DhRY5IUJ.d.ts} +6 -6
  147. package/dist/{client-C37tXOAz.d.ts → client-BcKDaAlL.d.ts} +3 -3
  148. package/dist/{client-DLy0G7iy.d.cts → client-CAjjq0aG.d.cts} +3 -3
  149. package/dist/core/errors/index.cjs +5 -5
  150. package/dist/core/errors/index.js +1 -1
  151. package/dist/core/types/index.cjs +304 -304
  152. package/dist/core/types/index.d.cts +9 -9
  153. package/dist/core/types/index.d.ts +9 -9
  154. package/dist/core/types/index.js +2 -2
  155. package/dist/{encrypt-decrypt-Pb6Jtjqi.d.cts → encrypt-decrypt-DH145NDo.d.cts} +1 -1
  156. package/dist/{encrypt-decrypt-67DJHlLB.d.ts → encrypt-decrypt-DadSUYF5.d.ts} +1 -1
  157. package/dist/{encryption-BV-y0tbS.d.cts → encryption-Bc7IIyw5.d.cts} +1 -1
  158. package/dist/{encryption-BP3YEOSA.d.ts → encryption-CGZiZsgo.d.ts} +1 -1
  159. package/dist/{ephemeral-Yy5jjNVp.d.cts → ephemeral-Bpo4iveT.d.cts} +8 -8
  160. package/dist/{ephemeral-D008mavM.d.ts → ephemeral-CPM1hSby.d.ts} +8 -8
  161. package/dist/{fees-BbR8Ph0F.d.ts → fees--AYv-pMP.d.ts} +1 -1
  162. package/dist/{fees-DNNufRuv.d.cts → fees-BlzUIS4s.d.cts} +1 -1
  163. package/dist/{field-arithmetic-CWwECCut.d.ts → field-arithmetic-D9okzIIv.d.ts} +2 -2
  164. package/dist/{field-arithmetic-CNgHokR7.d.cts → field-arithmetic-_OtnHNge.d.cts} +2 -2
  165. package/dist/{field-elements-C0SJbeLY.d.cts → field-elements-CkmlImDp.d.cts} +1 -1
  166. package/dist/{field-elements-CM9QBbb9.d.ts → field-elements-DIsQRdcP.d.ts} +1 -1
  167. package/dist/{index-CXJCFogu.d.ts → index-B8YzcyGp.d.ts} +4 -4
  168. package/dist/{index-hOwVJHzy.d.ts → index-Br42RN1N.d.ts} +1 -1
  169. package/dist/{index-BUeSZ27A.d.cts → index-CdIFKNgv.d.cts} +1 -1
  170. package/dist/{index-Cy2WLwkB.d.cts → index-D95R3XQL.d.cts} +4 -4
  171. package/dist/{index-Ddg_LLI9.d.ts → index-Djv4DGYD.d.ts} +2 -2
  172. package/dist/{index-DEsnu5-j.d.cts → index-YrJEWSzj.d.cts} +2 -2
  173. package/dist/index.cjs +206 -210
  174. package/dist/index.d.cts +27 -27
  175. package/dist/index.d.ts +27 -27
  176. package/dist/index.js +18 -18
  177. package/dist/infrastructure/arcium/index.cjs +28 -28
  178. package/dist/infrastructure/arcium/index.d.cts +3 -3
  179. package/dist/infrastructure/arcium/index.d.ts +3 -3
  180. package/dist/infrastructure/arcium/index.js +6 -6
  181. package/dist/infrastructure/indexer/index.cjs +19 -19
  182. package/dist/infrastructure/indexer/index.d.cts +3 -3
  183. package/dist/infrastructure/indexer/index.d.ts +3 -3
  184. package/dist/infrastructure/indexer/index.js +5 -5
  185. package/dist/infrastructure/indexer/nullifier/index.d.cts +2 -2
  186. package/dist/infrastructure/indexer/nullifier/index.d.ts +2 -2
  187. package/dist/infrastructure/indexer/utxo/index.cjs +5 -5
  188. package/dist/infrastructure/indexer/utxo/index.d.cts +2 -2
  189. package/dist/infrastructure/indexer/utxo/index.d.ts +2 -2
  190. package/dist/infrastructure/indexer/utxo/index.js +4 -4
  191. package/dist/infrastructure/relayer/index.d.cts +21 -21
  192. package/dist/infrastructure/relayer/index.d.ts +21 -21
  193. package/dist/infrastructure/solana/index.cjs +29 -29
  194. package/dist/infrastructure/solana/index.d.cts +9 -9
  195. package/dist/infrastructure/solana/index.d.ts +9 -9
  196. package/dist/infrastructure/solana/index.js +7 -7
  197. package/dist/infrastructure/solana/pda/index.cjs +76 -76
  198. package/dist/infrastructure/solana/pda/index.d.cts +3 -3
  199. package/dist/infrastructure/solana/pda/index.d.ts +3 -3
  200. package/dist/infrastructure/solana/pda/index.js +8 -8
  201. package/dist/infrastructure/zk-prover/cdn/index.d.cts +3 -3
  202. package/dist/infrastructure/zk-prover/cdn/index.d.ts +3 -3
  203. package/dist/infrastructure/zk-prover/index.cjs +13 -17
  204. package/dist/infrastructure/zk-prover/index.d.cts +25 -51
  205. package/dist/infrastructure/zk-prover/index.d.ts +25 -51
  206. package/dist/infrastructure/zk-prover/index.js +1 -1
  207. package/dist/{integers-Cn9qqGPN.d.cts → integers-CpcaRRvR.d.cts} +1 -1
  208. package/dist/{integers-BjcD64xA.d.ts → integers-N8ltXqxB.d.ts} +1 -1
  209. package/dist/{interfaces-DAVL0CiG.d.cts → interfaces-B4qqUc1V.d.cts} +1 -1
  210. package/dist/{interfaces-BWsJd8ml.d.ts → interfaces-BGGt7AUM.d.ts} +1 -1
  211. package/dist/{interfaces-BxxSkFOI.d.cts → interfaces-BGIgqucE.d.cts} +2 -2
  212. package/dist/{interfaces-7TRe1bW3.d.ts → interfaces-BOSXRgRA.d.ts} +1 -1
  213. package/dist/{interfaces-Ctmno8r3.d.ts → interfaces-BSeBh94Y.d.ts} +1 -1
  214. package/dist/{interfaces-BcZR4Thh.d.ts → interfaces-BVGK3Eqr.d.ts} +9 -9
  215. package/dist/{interfaces-C1TJUtsw.d.cts → interfaces-Bd6NNPdC.d.cts} +8 -8
  216. package/dist/{interfaces-D8juZRt-.d.ts → interfaces-BoZPvzV3.d.ts} +8 -8
  217. package/dist/{interfaces-EpTB2MuA.d.cts → interfaces-C2d-CuuK.d.cts} +5 -5
  218. package/dist/{interfaces-Da3J66Lw.d.cts → interfaces-CF1Gdqcs.d.cts} +2 -2
  219. package/dist/{interfaces-Dk08IknK.d.cts → interfaces-CQFl6mB5.d.cts} +1 -1
  220. package/dist/{interfaces-UjcaQaOj.d.ts → interfaces-CZqgIKf4.d.ts} +2 -2
  221. package/dist/{interfaces-Dlcq75C1.d.ts → interfaces-CzEzF9zz.d.ts} +1 -1
  222. package/dist/{interfaces-MCJPyOY3.d.ts → interfaces-DIkps_rM.d.ts} +2 -2
  223. package/dist/{interfaces-qvZ--S4_.d.cts → interfaces-DL7zHwUj.d.cts} +1 -1
  224. package/dist/{interfaces-D5_RCBJ0.d.cts → interfaces-DUD_0wIh.d.cts} +9 -9
  225. package/dist/{interfaces-BY_L-plg.d.ts → interfaces-DWmY4MBn.d.ts} +5 -5
  226. package/dist/{interfaces-C2ro0V1W.d.ts → interfaces-Dd-LXF_N.d.ts} +13 -13
  227. package/dist/{interfaces-TCo7_1gP.d.cts → interfaces-DvDFLwBi.d.cts} +20 -20
  228. package/dist/{interfaces-BY2S86bT.d.ts → interfaces-Dvj04vgX.d.ts} +20 -20
  229. package/dist/{interfaces-BexnqzyD.d.ts → interfaces-LcKcK7yY.d.ts} +8 -8
  230. package/dist/{interfaces-BbSbafks.d.ts → interfaces-U66KACUY.d.ts} +1 -1
  231. package/dist/{interfaces-BfJAxFXl.d.cts → interfaces-UbDFfIZM.d.cts} +8 -8
  232. package/dist/{interfaces-FO1f2puK.d.cts → interfaces-ZI-O5j0R.d.cts} +13 -13
  233. package/dist/{interfaces-B5pq5XbK.d.cts → interfaces-j1CrF9Te.d.cts} +1 -1
  234. package/dist/{interfaces-C-uxPvmc.d.cts → interfaces-l4Pg83Ol.d.cts} +1 -1
  235. package/dist/master-seed-schemes/index.d.cts +9 -9
  236. package/dist/master-seed-schemes/index.d.ts +9 -9
  237. package/dist/operations/account/index.cjs +40 -40
  238. package/dist/operations/account/index.d.cts +25 -25
  239. package/dist/operations/account/index.d.ts +25 -25
  240. package/dist/operations/account/index.js +28 -28
  241. package/dist/operations/burn/index.cjs +906 -906
  242. package/dist/operations/burn/index.d.cts +24 -24
  243. package/dist/operations/burn/index.d.ts +24 -24
  244. package/dist/operations/burn/index.js +26 -26
  245. package/dist/operations/compliance/index.cjs +41 -41
  246. package/dist/operations/compliance/index.d.cts +19 -19
  247. package/dist/operations/compliance/index.d.ts +19 -19
  248. package/dist/operations/compliance/index.js +21 -21
  249. package/dist/operations/conversion/index.cjs +29 -29
  250. package/dist/operations/conversion/index.d.cts +17 -17
  251. package/dist/operations/conversion/index.d.ts +17 -17
  252. package/dist/operations/conversion/index.js +20 -20
  253. package/dist/operations/deposit/index.cjs +691 -2782
  254. package/dist/operations/deposit/index.cjs.map +1 -1
  255. package/dist/operations/deposit/index.d.cts +32 -425
  256. package/dist/operations/deposit/index.d.ts +32 -425
  257. package/dist/operations/deposit/index.js +35 -2118
  258. package/dist/operations/deposit/index.js.map +1 -1
  259. package/dist/operations/query/index.cjs +27 -27
  260. package/dist/operations/query/index.d.cts +17 -17
  261. package/dist/operations/query/index.d.ts +17 -17
  262. package/dist/operations/query/index.js +18 -18
  263. package/dist/operations/registration/index.cjs +33 -33
  264. package/dist/operations/registration/index.d.cts +27 -27
  265. package/dist/operations/registration/index.d.ts +27 -27
  266. package/dist/operations/registration/index.js +25 -25
  267. package/dist/operations/transfer/index.cjs +55 -55
  268. package/dist/operations/transfer/index.d.cts +13 -13
  269. package/dist/operations/transfer/index.d.ts +13 -13
  270. package/dist/operations/transfer/index.js +23 -23
  271. package/dist/operations/withdrawal/index.cjs +33 -33
  272. package/dist/operations/withdrawal/index.d.cts +12 -12
  273. package/dist/operations/withdrawal/index.d.ts +12 -12
  274. package/dist/operations/withdrawal/index.js +25 -25
  275. package/dist/persistence/adapters/index.cjs +14 -14
  276. package/dist/persistence/adapters/index.d.cts +8 -8
  277. package/dist/persistence/adapters/index.d.ts +8 -8
  278. package/dist/persistence/adapters/index.js +14 -14
  279. package/dist/persistence/store/index.cjs +19 -19
  280. package/dist/persistence/store/index.d.cts +12 -12
  281. package/dist/persistence/store/index.d.ts +12 -12
  282. package/dist/persistence/store/index.js +14 -14
  283. package/dist/{persistence-CsaBDtco.d.cts → persistence-C9lfE2wa.d.cts} +2 -2
  284. package/dist/{persistence-CJUm_Ur8.d.ts → persistence-DH0MWTTB.d.ts} +2 -2
  285. package/dist/{poseidon-DzieIcha.d.ts → poseidon-DVZJKnT9.d.ts} +2 -2
  286. package/dist/{poseidon-DeZRAgs0.d.cts → poseidon-G8ows5t7.d.cts} +2 -2
  287. package/dist/primitives/crypto/aes/index.cjs +11 -11
  288. package/dist/primitives/crypto/aes/index.d.cts +2 -2
  289. package/dist/primitives/crypto/aes/index.d.ts +2 -2
  290. package/dist/primitives/crypto/aes/index.js +3 -3
  291. package/dist/primitives/crypto/challenges/index.cjs +12 -12
  292. package/dist/primitives/crypto/challenges/index.d.cts +3 -3
  293. package/dist/primitives/crypto/challenges/index.d.ts +3 -3
  294. package/dist/primitives/crypto/challenges/index.js +6 -6
  295. package/dist/primitives/crypto/commitment/index.cjs +6 -6
  296. package/dist/primitives/crypto/commitment/index.d.cts +5 -5
  297. package/dist/primitives/crypto/commitment/index.d.ts +5 -5
  298. package/dist/primitives/crypto/commitment/index.js +5 -5
  299. package/dist/primitives/crypto/index.cjs +200 -200
  300. package/dist/primitives/crypto/index.d.cts +22 -22
  301. package/dist/primitives/crypto/index.d.ts +22 -22
  302. package/dist/primitives/crypto/index.js +17 -17
  303. package/dist/primitives/crypto/key-derivation/index.cjs +93 -93
  304. package/dist/primitives/crypto/key-derivation/index.d.cts +14 -14
  305. package/dist/primitives/crypto/key-derivation/index.d.ts +14 -14
  306. package/dist/primitives/crypto/key-derivation/index.js +11 -11
  307. package/dist/primitives/crypto/poseidon/index.cjs +23 -23
  308. package/dist/primitives/crypto/poseidon/index.d.cts +7 -7
  309. package/dist/primitives/crypto/poseidon/index.d.ts +7 -7
  310. package/dist/primitives/crypto/poseidon/index.js +4 -4
  311. package/dist/primitives/crypto/rescue/index.cjs +77 -77
  312. package/dist/primitives/crypto/rescue/index.d.cts +10 -10
  313. package/dist/primitives/crypto/rescue/index.d.ts +10 -10
  314. package/dist/primitives/crypto/rescue/index.js +10 -10
  315. package/dist/primitives/math/index.cjs +64 -64
  316. package/dist/primitives/math/index.d.cts +5 -5
  317. package/dist/primitives/math/index.d.ts +5 -5
  318. package/dist/primitives/math/index.js +8 -8
  319. package/dist/{proofs-CSxiFFWM.d.cts → proofs-CW1AOH5n.d.cts} +1 -1
  320. package/dist/{proofs-Bb6GJLbE.d.ts → proofs-Cm_rxfho.d.ts} +1 -1
  321. package/dist/protocol/constants/index.cjs +64 -64
  322. package/dist/protocol/constants/index.js +4 -4
  323. package/dist/protocol/shared/index.cjs +25 -25
  324. package/dist/protocol/shared/index.d.cts +13 -13
  325. package/dist/protocol/shared/index.d.ts +13 -13
  326. package/dist/protocol/shared/index.js +13 -13
  327. package/dist/{protocol-types-CMAMp0XI.d.cts → protocol-types-7TSP8QEe.d.cts} +2 -2
  328. package/dist/{protocol-types-Cs4-U-59.d.ts → protocol-types-bwhnp4or.d.ts} +2 -2
  329. package/dist/{rescue-CI9m68DN.d.cts → rescue-3TTiUElO.d.cts} +2 -2
  330. package/dist/{rescue-DBeWZk6v.d.ts → rescue-B6LN7LbM.d.ts} +2 -2
  331. package/dist/{submit-sVDSW3rv.d.cts → submit-C4IB5BUE.d.cts} +13 -13
  332. package/dist/{submit-BWMVVY8d.d.ts → submit-Dvkubcv-.d.ts} +13 -13
  333. package/dist/utilities/converters/index.cjs +310 -310
  334. package/dist/utilities/converters/index.d.cts +6 -6
  335. package/dist/utilities/converters/index.d.ts +6 -6
  336. package/dist/utilities/converters/index.js +5 -5
  337. package/dist/utilities/hooks/index.d.cts +2 -2
  338. package/dist/utilities/hooks/index.d.ts +2 -2
  339. package/dist/utilities/pipeline/index.d.cts +10 -10
  340. package/dist/utilities/pipeline/index.d.ts +10 -10
  341. package/dist/utilities/temporal/index.cjs +9 -9
  342. package/dist/utilities/temporal/index.js +3 -3
  343. package/dist/utilities/validation/index.cjs +45 -45
  344. package/dist/utilities/validation/index.d.cts +24 -24
  345. package/dist/utilities/validation/index.d.ts +24 -24
  346. package/dist/utilities/validation/index.js +29 -29
  347. package/dist/{viewing-keys-DxYo1pf7.d.cts → viewing-keys-DGA1Gfej.d.cts} +1 -1
  348. package/dist/{viewing-keys-7Frjro_0.d.ts → viewing-keys-MNI7bt1s.d.ts} +1 -1
  349. package/dist/{zk-C5uAB1ey.d.ts → zk-BBmjvBtC.d.ts} +3 -3
  350. package/dist/{zk-J36uqueQ.d.cts → zk-CXWSDMxF.d.cts} +3 -3
  351. package/package.json +2 -2
  352. package/dist/chunk-HG36GFK3.js.map +0 -1
  353. package/dist/chunk-NE6OEOR4.cjs.map +0 -1
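--- a/package/dist/addresses-BbmoaEss.d.cts
+++ b/package/dist/addresses-CIRc4bLk.d.cts
@@ -1,5 +1,5 @@
  import { Address } from '@solana/kit';
- import { d as U128 } from './integers-Cn9qqGPN.cjs';
+ import { d as U128 } from './integers-CpcaRRvR.cjs';
 
  /**
  * Address Utilities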
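--- a/package/dist/addresses-DmXWa1Bi.d.ts
+++ b/package/dist/addresses-xHY8prWl.d.ts
@@ -1,5 +1,5 @@
  import { Address } from '@solana/kit';
- import { d as U128 } from './integers-BjcD64xA.js';
+ import { d as U128 } from './integers-N8ltXqxB.js';
 
  /**
  * Address Utilities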
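--- a/package/dist/aggregation-DyiVod2L.d.ts
+++ b/package/dist/aggregation-C-u1ZlSW.d.ts
@@ -1,5 +1,5 @@
- import { B as Bn254FieldElement } from './field-elements-CM9QBbb9.js';
- import { g as PoseidonHashFunction, c as H2GeneratorFns, K as KeystreamCommitmentFunction } from './interfaces-MCJPyOY3.js';
+ import { B as Bn254FieldElement } from './field-elements-DIsQRdcP.js';
+ import { g as PoseidonHashFunction, c as H2GeneratorFns, K as KeystreamCommitmentFunction } from './interfaces-DIkps_rM.js';
 
  /**
  * Poseidon Aggregation, H2 Hash, and Keystream Commitment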
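--- a/package/dist/aggregation-D0j1gF5g.d.cts
+++ b/package/dist/aggregation-D2lmFpwR.d.cts
@@ -1,5 +1,5 @@
- import { B as Bn254FieldElement } from './field-elements-C0SJbeLY.cjs';
- import { g as PoseidonHashFunction, c as H2GeneratorFns, K as KeystreamCommitmentFunction } from './interfaces-BxxSkFOI.cjs';
+ import { B as Bn254FieldElement } from './field-elements-CkmlImDp.cjs';
+ import { g as PoseidonHashFunction, c as H2GeneratorFns, K as KeystreamCommitmentFunction } from './interfaces-BGIgqucE.cjs';
 
  /**
  * Poseidon Aggregation, H2 Hash, and Keystream Commitment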
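--- a/package/dist/application/client/index.cjs
+++ b/package/dist/application/client/index.cjs
@@ -1,21 +1,21 @@
  'use strict';
 
- var chunkU2SQ2YBH_cjs = require('../../chunk-U2SQ2YBH.cjs');
+ var chunkPDVIQK24_cjs = require('../../chunk-PDVIQK24.cjs');
  require('../../chunk-J5ITKJGL.cjs');
- require('../../chunk-LHXAVQEO.cjs');
+ require('../../chunk-TZ73IDTV.cjs');
  require('../../chunk-ZQPYEYNH.cjs');
  require('../../chunk-R527UTLQ.cjs');
- require('../../chunk-YFXQPECD.cjs');
+ require('../../chunk-PPDNOTME.cjs');
  require('../../chunk-XJHL5XHJ.cjs');
- require('../../chunk-RLXZUD4I.cjs');
- require('../../chunk-GO2E3PLZ.cjs');
+ require('../../chunk-E3ENZP6F.cjs');
+ require('../../chunk-CFCB5AGF.cjs');
  require('../../chunk-F6T6U7AM.cjs');
  require('../../chunk-Q6UFPB7O.cjs');
- require('../../chunk-JFWHQXME.cjs');
+ require('../../chunk-O6GP3JSZ.cjs');
+ require('../../chunk-ZE2HKERO.cjs');
+ require('../../chunk-CCOYTYMU.cjs');
  require('../../chunk-ZGJ643WD.cjs');
- require('../../chunk-BMTIGH3Q.cjs');
  require('../../chunk-YYTN2ZYT.cjs');
- require('../../chunk-CCOYTYMU.cjs');
  require('../../chunk-CETP6SCU.cjs');
  require('../../chunk-7CTQO52M.cjs');
  require('../../chunk-PK6SKIKE.cjs');
@@ -24,23 +24,23 @@ require('../../chunk-PK6SKIKE.cjs');
 
  Object.defineProperty(exports, "getDefaultKeyLoader", {
  enumerable: true,
- get: function () { return chunkU2SQ2YBH_cjs.getDefaultKeyLoader; }
+ get: function () { return chunkPDVIQK24_cjs.getDefaultKeyLoader; }
  });
  Object.defineProperty(exports, "getDefaultKeyStorer", {
  enumerable: true,
- get: function () { return chunkU2SQ2YBH_cjs.getDefaultKeyStorer; }
+ get: function () { return chunkPDVIQK24_cjs.getDefaultKeyStorer; }
  });
  Object.defineProperty(exports, "getDefaultMasterSeedGenerator", {
  enumerable: true,
- get: function () { return chunkU2SQ2YBH_cjs.getDefaultMasterSeedGenerator; }
+ get: function () { return chunkPDVIQK24_cjs.getDefaultMasterSeedGenerator; }
  });
  Object.defineProperty(exports, "getDefaultMasterSeedStorage", {
  enumerable: true,
- get: function () { return chunkU2SQ2YBH_cjs.getDefaultMasterSeedStorage; }
+ get: function () { return chunkPDVIQK24_cjs.getDefaultMasterSeedStorage; }
  });
  Object.defineProperty(exports, "getUmbraClient", {
  enumerable: true,
- get: function () { return chunkU2SQ2YBH_cjs.getUmbraClient; }
+ get: function () { return chunkPDVIQK24_cjs.getUmbraClient; }
  });
  //# sourceMappingURL=index.cjs.map
  //# sourceMappingURL=index.cjs.map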
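--- a/package/dist/application/client/index.d.cts
+++ b/package/dist/application/client/index.d.cts
@@ -1,8 +1,8 @@
- export { G as GetUmbraClientArgs, a as GetUmbraClientDeps, g as getUmbraClient } from '../../client-DLy0G7iy.cjs';
- import { a as IUmbraSigner } from '../../interfaces-BfJAxFXl.cjs';
- export { G as GetMasterSeedFunction, I as IUmbraClient, K as KeyStorageRegistry, S as SignableTransaction, b as SignedMessage } from '../../interfaces-BfJAxFXl.cjs';
- import { L as LoadResult, S as StoreResult, M as MasterSeedGeneratorFunction, a as MasterSeedLoaderFunction, b as MasterSeedStorerFunction } from '../../persistence-CsaBDtco.cjs';
- import '../../integers-Cn9qqGPN.cjs';
+ export { G as GetUmbraClientArgs, a as GetUmbraClientDeps, g as getUmbraClient } from '../../client-CAjjq0aG.cjs';
+ import { a as IUmbraSigner } from '../../interfaces-UbDFfIZM.cjs';
+ export { G as GetMasterSeedFunction, I as IUmbraClient, K as KeyStorageRegistry, S as SignableTransaction, c as SignedMessage } from '../../interfaces-UbDFfIZM.cjs';
+ import { L as LoadResult, S as StoreResult, a as MasterSeedGeneratorFunction, b as MasterSeedLoaderFunction, c as MasterSeedStorerFunction } from '../../persistence-C9lfE2wa.cjs';
+ import '../../integers-CpcaRRvR.cjs';
  import '../../branded-BFPJ_OxW.cjs';
  import '../../networks-CG20juz3.cjs';
  import '@solana/kit';
@@ -11,13 +11,13 @@ import '../../bytes-C8phL6cg.cjs';
  import '../../interfaces-BFZ8V7QY.cjs';
  import '@umbra-privacy/arcium-codama';
  import '../../signatures-Btf780JJ.cjs';
- import '../../field-elements-C0SJbeLY.cjs';
- import '../../viewing-keys-DxYo1pf7.cjs';
- import '../../poseidon-DeZRAgs0.cjs';
+ import '../../field-elements-CkmlImDp.cjs';
+ import '../../viewing-keys-DGA1Gfej.cjs';
+ import '../../poseidon-G8ows5t7.cjs';
  import '../../components-BRNTNnbl.cjs';
- import '../../interfaces-B5pq5XbK.cjs';
+ import '../../interfaces-j1CrF9Te.cjs';
  import '../../aes-B_N3ELV-.cjs';
- import '../../interfaces-qvZ--S4_.cjs';
+ import '../../interfaces-DL7zHwUj.cjs';
 
  /**
  * Default Storage Implementations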
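--- a/package/dist/application/client/index.d.ts
+++ b/package/dist/application/client/index.d.ts
@@ -1,8 +1,8 @@
- export { G as GetUmbraClientArgs, a as GetUmbraClientDeps, g as getUmbraClient } from '../../client-C37tXOAz.js';
- import { a as IUmbraSigner } from '../../interfaces-BexnqzyD.js';
- export { G as GetMasterSeedFunction, I as IUmbraClient, K as KeyStorageRegistry, S as SignableTransaction, b as SignedMessage } from '../../interfaces-BexnqzyD.js';
- import { L as LoadResult, S as StoreResult, M as MasterSeedGeneratorFunction, a as MasterSeedLoaderFunction, b as MasterSeedStorerFunction } from '../../persistence-CJUm_Ur8.js';
- import '../../integers-BjcD64xA.js';
+ export { G as GetUmbraClientArgs, a as GetUmbraClientDeps, g as getUmbraClient } from '../../client-BcKDaAlL.js';
+ import { a as IUmbraSigner } from '../../interfaces-LcKcK7yY.js';
+ export { G as GetMasterSeedFunction, I as IUmbraClient, K as KeyStorageRegistry, S as SignableTransaction, c as SignedMessage } from '../../interfaces-LcKcK7yY.js';
+ import { L as LoadResult, S as StoreResult, a as MasterSeedGeneratorFunction, b as MasterSeedLoaderFunction, c as MasterSeedStorerFunction } from '../../persistence-DH0MWTTB.js';
+ import '../../integers-N8ltXqxB.js';
  import '../../branded-BFPJ_OxW.js';
  import '../../networks-Ltg1_JUz.js';
  import '@solana/kit';
@@ -11,13 +11,13 @@ import '../../bytes-Cu6wpUCj.js';
  import '../../interfaces-DyW4gyZB.js';
  import '@umbra-privacy/arcium-codama';
  import '../../signatures-CTkMeCQJ.js';
- import '../../field-elements-CM9QBbb9.js';
- import '../../viewing-keys-7Frjro_0.js';
- import '../../poseidon-DzieIcha.js';
+ import '../../field-elements-DIsQRdcP.js';
+ import '../../viewing-keys-MNI7bt1s.js';
+ import '../../poseidon-DVZJKnT9.js';
  import '../../components-7UJwt_bl.js';
- import '../../interfaces-7TRe1bW3.js';
+ import '../../interfaces-BOSXRgRA.js';
  import '../../aes-DGepa5LL.js';
- import '../../interfaces-BbSbafks.js';
+ import '../../interfaces-U66KACUY.js';
 
  /**
  * Default Storage Implementations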
@@ -1,19 +1,19 @@
1
- export { getDefaultKeyLoader, getDefaultKeyStorer, getDefaultMasterSeedGenerator, getDefaultMasterSeedStorage, getUmbraClient } from '../../chunk-UWHFOVYP.js';
1
+ export { getDefaultKeyLoader, getDefaultKeyStorer, getDefaultMasterSeedGenerator, getDefaultMasterSeedStorage, getUmbraClient } from '../../chunk-DPIWQKFS.js';
2
2
  import '../../chunk-TVJJFQQT.js';
3
- import '../../chunk-XWFU4US7.js';
3
+ import '../../chunk-QCNAUZIW.js';
4
4
  import '../../chunk-3PTA5FV4.js';
5
5
  import '../../chunk-Z7C2EB64.js';
6
- import '../../chunk-45NIZXEH.js';
6
+ import '../../chunk-KYCTLUUO.js';
7
7
  import '../../chunk-P4DFIN6K.js';
8
- import '../../chunk-QY5KSORC.js';
9
- import '../../chunk-JBCGZBUH.js';
8
+ import '../../chunk-QLH6JL2Z.js';
9
+ import '../../chunk-NVJMSVCH.js';
10
10
  import '../../chunk-5FF6FHVL.js';
11
11
  import '../../chunk-IOLL35HZ.js';
12
- import '../../chunk-ULC4FRH7.js';
12
+ import '../../chunk-IPOD4C3X.js';
13
+ import '../../chunk-GKAMOUOM.js';
14
+ import '../../chunk-MD5CJFKS.js';
13
15
  import '../../chunk-VPGEMFSQ.js';
14
- import '../../chunk-ZQS2RUQQ.js';
15
16
  import '../../chunk-4FQJA46G.js';
16
- import '../../chunk-MD5CJFKS.js';
17
17
  import '../../chunk-WLXW3M22.js';
18
18
  import '../../chunk-KWXFMYDC.js';
19
19
  import '../../chunk-7QVYU63E.js';
@@ -1,6 +1,6 @@
1
- import { createU256BeBytes } from './chunk-JBCGZBUH.js';
2
- import { decodeU256BeBytesToU256 } from './chunk-ULC4FRH7.js';
3
- import { CURVE25519_FIELD_PRIME } from './chunk-ZQS2RUQQ.js';
1
+ import { createU256BeBytes } from './chunk-NVJMSVCH.js';
2
+ import { decodeU256BeBytesToU256 } from './chunk-IPOD4C3X.js';
3
+ import { CURVE25519_FIELD_PRIME } from './chunk-GKAMOUOM.js';
4
4
  import { U256_BYTE_LENGTH } from './chunk-4FQJA46G.js';
5
5
  import { __name } from './chunk-7QVYU63E.js';
6
6
 
@@ -201,5 +201,5 @@ __name(getCurve25519FieldElementSampler, "getCurve25519FieldElementSampler");
201
201
  var curve25519FieldElementSampler = getCurve25519FieldElementSampler();
202
202
 
203
203
  export { R_MOD_P_CURVE25519, curve25519BytesToBigintBigEndian, curve25519FieldElementSampler, curve25519ModuloAdd, curve25519ModuloInv, curve25519ModuloMul, curve25519ModuloPow, curve25519ModuloSub, getCurve25519FieldElementSampler, getCurve25519ModularAddFunction, getCurve25519ModularInvFunction, getCurve25519ModularMulFunction, getCurve25519ModularPowFunction, getCurve25519ModularSubFunction, modularExpLimbs, multiplyModularLimbs, reduce256Curve25519 };
204
- //# sourceMappingURL=chunk-JJXV4VZC.js.map
205
- //# sourceMappingURL=chunk-JJXV4VZC.js.map
204
+ //# sourceMappingURL=chunk-2IJ3WWKS.js.map
205
+ //# sourceMappingURL=chunk-2IJ3WWKS.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/primitives/math/curve25519/field-arithmetic.ts"],"names":[],"mappings":";;;;;;;AA4HO,IAAM,GAAA,GAAM,GAAA;AAqBZ,IAAM,MAAA,GAAS,mBAAA;AA2Bf,IAAM,OAAA,GAAsC;AAAA,EACjD,mBAAA;AAAA;AAAA,EACA,mBAAA;AAAA;AAAA,EACA,mBAAA;AAAA;AAAA,EACA;AAAA;AACF,CAAA;AAiCO,SAAS,kBAAA,CAAmB,GAAA,EAAa,CAAA,EAAW,CAAA,EAAmB;AAC5E,EAAA,MAAM,OAAO,CAAC,GAAA;AACd,EAAA,OAAQ,CAAA,GAAI,IAAA,GAAS,CAAA,GAAI,CAAC,IAAA;AAC5B;AAHgB,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AA4BT,SAAS,cAAc,KAAA,EAA2C;AACvE,EAAA,OAAO;AAAA,IACL,KAAA,GAAQ,MAAA;AAAA,IACP,SAAS,GAAA,GAAO,MAAA;AAAA,IAChB,KAAA,IAAU,MAAM,EAAA,GAAO,MAAA;AAAA,IACvB,KAAA,IAAU,MAAM,EAAA,GAAO;AAAA,GAC1B;AACF;AAPgB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AA6BT,SAAS,cAAc,KAAA,EAA2C;AACvE,EAAA,OAAO,KAAA,CAAM,CAAC,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,IAAK,GAAA,CAAA,IAAQ,KAAA,CAAM,CAAC,KAAM,GAAA,GAAM,EAAA,CAAA,IAAQ,KAAA,CAAM,CAAC,KAAM,GAAA,GAAM,EAAA,CAAA;AACvF;AAFgB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAwCT,SAAS,eAAA,CACd,GACA,CAAA,EAC4B;AAE5B,EAAA,MAAM,CAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACnC,EAAA,IAAI,KAAA,GAAQ,EAAA;AAEZ,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,CAAA,CAAE,KAAK,CAAA,GAAI,KAAA;AAClC,IAAA,CAAA,CAAE,KAAK,IAAI,GAAA,GAAM,MAAA;AACjB,IAAA,KAAA,GAAQ,GAAA,IAAO,GAAA;AAAA,EACjB;AACA,EAAA,MAAM,MAAA,GAAS,KAAA;AAGf,EAAA,MAAM,CAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACnC,EAAA,IAAI,MAAA,GAAS,EAAA;AAEb,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,OAAA,CAAQ,KAAK,CAAA,GAAI,MAAA;AACxC,IAAA,CAAA,CAAE,KAAK,IAAI,GAAA,GAAM,MAAA;AACjB,IAAA,MAAA,GAAS,EAAE,GAAA,IAAO,GAAA,CAAA;AAAA,EACpB;AAGA,EAAA,MAAM,IAAA,GAAO,SAAU,EAAA,GAAK,MAAA;AAE5B,EAAA,OAAO;AAAA,IACL,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EA
AM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC;AAAA,GACrC;AACF;AAlCgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAkET,SAAS,oBAAA,CACd,GACA,CAAA,EAC4B;AAE5B,EAAA,MAAM,GAAA,GAAgB,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACrC,EAAA,IAAI,MAAA,GAAS,EAAA;AAEb,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,CAAA,CAAE,KAAK,CAAA,GAAI,MAAA;AAClC,IAAA,GAAA,CAAI,KAAK,IAAI,GAAA,GAAM,MAAA;AACnB,IAAA,MAAA,GAAS,EAAE,GAAA,IAAO,GAAA,CAAA;AAAA,EACpB;AAGA,EAAA,MAAM,OAAO,CAAC,MAAA;AACd,EAAA,IAAI,KAAA,GAAQ,EAAA;AAEZ,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,KAAK,CAAA,GAAI,IAAA;AAElC,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,KAAK,CAAA,GAAI,QAAA,GAAW,KAAA;AACpC,IAAA,GAAA,CAAI,KAAK,IAAI,GAAA,GAAM,MAAA;AACnB,IAAA,KAAA,GAAQ,GAAA,IAAO,GAAA;AAAA,EACjB;AAEA,EAAA,OAAO,CAAC,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAC,CAAA;AACxC;AA3BgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAqET,SAAS,oBAAA,CACd,GACA,CAAA,EAC4B;AAG5B,EAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAC5B,EAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAC5B,EAAA,MAAM,OAAA,GAAW,OAAO,IAAA,GAAQ,sBAAA;AAChC,EAAA,OAAO,cAAc,OAAO,CAAA;AAC9B;AAVgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAgDT,SAAS,eAAA,CAAgB,MAAkC,GAAA,EAAyC;AACzG,EAAA,IAAI,MAAA,GAAqC,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACxD,EAAA,IAAI,OAAA,GAAU,IAAA;AAEd,EAAA,OAAO,MAAM,EAAA,EAAI;AACf,IAAA,IAAA,CAAK,GAAA,GAAM,QAAQ,EAAA,EAAI;AACrB,MAAA,MAAA,GAAS,oBAAA,CAAqB,QAAQ,OAAO,CAAA;AAAA,IAC/C;AACA,IAAA,OAAA,GAAU,oBAAA,CAAqB,SAAS,OAAO,CAAA;AAC/C,IAAA,GAAA,KAAQ,EAAA;AAAA,EACV;AAEA,EAAA,OAAO,MAAA;AACT;AAbgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAyDT,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,MAAA,EAAQ,MAAM,CAAA;AAClD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AA6CzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,
GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,oBAAA,CAAqB,MAAA,EAAQ,MAAM,CAAA;AACvD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AA8CzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,oBAAA,CAAqB,MAAA,EAAQ,MAAM,CAAA;AACvD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AAkEzD,IAAM,mBAAA,2BAAoD,CAAA,KAAsB;AACrF,EAAA,IAAI,MAAM,EAAA,EAAI;AACZ,IAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAM,sBAAA,GAAyB,EAAA;AACrC,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,MAAA,EAAQ,GAAG,CAAA;AAC/C,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EATgE,qBAAA;AAqDzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAC9D,IAAA,EACA,GAAA,KACW;AACX,EAAA,IAAI,QAAQ,EAAA,EAAI;AACd,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,SAAA,GAAY,cAAc,IAAI,CAAA;AACpC,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,SAAA,EAAW,GAAG,CAAA;AAClD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EAXgE,qBAAA;AA6CzD,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AA0BT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAiCT,IAAM,kBAAA,GAAqB;AAyB3B,SAAS,oBAAoB,KAAA,EAAuB;AACzD,EAAA,MAAM,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA,GAAI,cAAc,KAAK,CAAA;AAC5C,EAAA,MAAM,CAAC,EAAA,EAAI,EAAA,EAAI,EAAA,EAAI,EAAE,CAAA,GAAI,OAAA;AAIzB,EAAA,MAAM,OAAO,EAAA,GAAK,EAAA;AAClB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MA
AA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAIjC,EAAA,MAAM,WAAA,GAAc,OAAA;AAEpB,EAAA,OAAO,aAAA,CAAc;AAAA,IACnB,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE;AAAA,GACvC,CAAA;AACH;AAnCgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;AAyDT,SAAS,gCAAA,CAAiC,OAAmB,MAAA,EAAwB;AAC1F,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,MAAA,EAAQ,SAAS,gBAAgB,CAAA;AAC3D,EAAA,MAAM,WAAA,GAAc,kBAAkB,KAAK,CAAA;AAC3C,EAAA,OAAO,wBAAwB,WAAW,CAAA;AAC5C;AAJgB,MAAA,CAAA,gCAAA,EAAA,kCAAA,CAAA;AAyET,SAAS,iCACd,IAAA,EACgD;AAEhD,EAAA,MAAM,EAAE,QAAQ,SAAA,GAAY,mBAAA,EAAqB,QAAQ,SAAA,GAAY,mBAAA,EAAoB,GACvF,IAAA,IAAQ,EAAC;AAEX,EAAA,OAAO,CAAC,KAAA,KAA+C;AAIrD,IAAA,MAAM,IAAA,GAAO,gCAAA,CAAiC,KAAA,EAAO,CAAC,CAAA;AACtD,IAAA,MAAM,GAAA,GAAM,gCAAA,CAAiC,KAAA,EAAO,EAAE,CAAA;AAItD,IAAA,MAAM,UAAA,GAAa,oBAAoB,GAAG,CAAA;AAC1C,IAAA,MAAM,WAAA,GAAc,oBAAoB,IAAI,CAAA;AAI5C,IAAA,MAAM,UAAA,GAAa,SAAA,CAAU,WAAA,EAAa,kBAAkB,CAAA;AAC5D,IAAA,MAAM,MAAA,GAAS,SAAA,CAAU,UAAA,EAAY,UAAU,CAAA;AAE/C,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;AA1BgB,MAAA,CAAA,gCAAA,EAAA,kCAAA,CAAA;AA2ET,IAAM,gCACX,gCAAA","file":"chunk-JJXV4VZC.js","sourcesContent":["/**\n * Curve25519 Base Field Arithmetic — Concrete Implementation\n *\n * This module provides the constant-operation-count implementations of all\n * modular arithmetic operations over the Curve25519 prime field GF(p), where:\n * ```\n * p = 2^255 - 19\n * = 57896044618658097711785492504343953926634992332820282019728792003956564819949\n * ```\n *\n * ## Role in the SDK\n *\n * This module is the lowest-level arithmetic layer in the SDK's cryptographic\n * stack. 
Its exported functions are consumed by:\n *\n * - **`crypto/rescue-cipher/`** — the Rescue-XLIX block cipher used inside\n * Arcium MPC computations for symmetric encryption of Umbra confidential\n * token account balances.\n * - **`math/curve25519/interfaces`** — the function-type contracts that the\n * exported symbols satisfy.\n * - Dependency-injection consumers that call\n * `getCurve25519FieldElementSampler` with custom arithmetic.\n *\n * X25519 key-exchange itself (used for Umbra encrypted token account key\n * registration) does not call this module directly — its scalar multiplication\n * is handled by `@noble/curves` — but the field prime is the same.\n *\n * ## Algorithm Overview\n *\n * ### Addition / Subtraction\n *\n * Both operations are implemented at the 4-limb level using carry/borrow\n * propagation, followed by a **constant-time conditional correction**:\n *\n * - **Addition**: compute `t = a + b`; if `t ≥ p` then return `t - p`, else `t`.\n * The conditional is resolved by a bitwise mask derived from the carry and\n * borrow, never an `if` statement.\n * - **Subtraction**: compute `d = a - b`; if a borrow occurred (a < b), add `p`\n * back. The borrow bit is propagated as a mask applied to `P_LIMBS`.\n *\n * ### Multiplication\n *\n * Uses JavaScript's native `BigInt` multiplication (`a * b`) followed by\n * a single `% p` reduction. While this is not a limb-level schoolbook\n * implementation, `BigInt` intermediate values of ≤ 510 bits keep the\n * per-call work uniform. Montgomery form is not used because the constant\n * conversion overhead is not amortised over the small number of multiplications\n * per Rescue-XLIX round.\n *\n * ### Inversion\n *\n * Uses Fermat's Little Theorem: `a^(-1) ≡ a^(p-2) (mod p)`. 
This delegates to\n * the square-and-multiply exponentiation function with a fixed exponent of\n * p - 2 ≈ 2^255, costing ≈ 255 squarings and ~128 multiplications.\n *\n * ### Exponentiation\n *\n * Binary (square-and-multiply) exponentiation via `modularExpLimbs`. The loop\n * visits each bit of the exponent from LSB to MSB; the branch on the current\n * bit (`exp & 1n`) operates on the **exponent**, not secret field data, so it\n * does not constitute a secret-dependent branch.\n *\n * ## Security Considerations\n *\n * True hardware-level constant time cannot be guaranteed in JavaScript because\n * the V8/SpiderMonkey JIT, branch predictors, and GC can all introduce\n * data-dependent timing variation. These implementations are\n * **constant-operation-count**: they always execute the same sequence of BigInt\n * operations regardless of the input values. This is the accepted standard for\n * JavaScript cryptographic libraries (e.g., `@noble/curves`).\n *\n * Secret-dependent branching is avoided by:\n * - Using `constantTimeSelect` (bitwise mask) for all conditional value choices.\n * - Processing all 4 limbs in every loop iteration regardless of value.\n * - Applying `P_LIMBS` correction via masking rather than a conditional add.\n *\n * ## Limb Representation\n *\n * All internal computation decomposes field elements into four 64-bit limbs\n * stored in little-endian order `[limb0, limb1, limb2, limb3]`:\n * ```\n * value = limb0 + limb1×2^64 + limb2×2^128 + limb3×2^192\n * ```\n * - `limb0` — bits 0-63 (least significant)\n * - `limb1` — bits 64-127\n * - `limb2` — bits 128-191\n * - `limb3` — bits 192-255 (most significant; high bit always 0 for valid elements)\n *\n * The 4-limb split keeps individual BigInt values at a uniform 64-bit size,\n * making per-limb arithmetic cost independent of the field element's magnitude.\n *\n * @module implementation/mathematics/curve25519-field-arithmetic\n * @packageDocumentation\n */\n\nimport type {\n 
Curve25519FieldElementLimb,\n Curve25519ModuloAddFunction as Curve25519ModuleAddFunction,\n Curve25519ModuloInvFunction as Curve25519ModuleInvFunction,\n Curve25519ModuloMulFunction as Curve25519ModuleMulFunction,\n Curve25519ModuloPowFunction as Curve25519ModulePowFunction,\n Curve25519ModuloSubFunction as Curve25519ModuleSubFunction,\n U512BasedCurve25519FieldElementSamplerFunction as U512BasedCurve25519FieldElementSamplerFunction,\n U512BasedCurve25519FieldElementSamplerDeps,\n} from \"./interfaces\";\nimport { CURVE25519_FIELD_PRIME, type Curve25519FieldElement, type U512BeBytes, U256_BYTE_LENGTH } from \"@sdk/core/types\";\nimport { createU256BeBytes } from \"@sdk/utilities/converters/branded\";\nimport { decodeU256BeBytesToU256 } from \"@sdk/utilities/converters/mathematics\";\n\n// =============================================================================\n// Constants\n// =============================================================================\n\n/**\n * The number of bits per limb used in the 4-limb field element representation.\n *\n * @remarks\n * All field elements are decomposed into 4 limbs of exactly 64 bits each.\n * Using 64 as the limb width keeps each limb within the range of a single\n * 64-bit unsigned integer, making carry/borrow arithmetic straightforward\n * with BigInt shift operations.\n *\n * @public\n */\nexport const N64 = 64n;\n\n/**\n * Bitmask for extracting the lower 64 bits from a BigInt.\n *\n * @remarks\n * Equal to 2^64 - 1 = 0xFFFFFFFFFFFFFFFF. 
Applied with the bitwise AND\n * operator (`& MASK64`) after any addition or shift to isolate the low 64\n * bits of a result and discard any carry that has propagated into bit 64 or\n * above.\n *\n * @example\n * ```typescript\n * // Extract low 64 bits after an addition that may overflow\n * const sum = a + b + carry;\n * const low64 = sum & MASK64; // keep bits 0-63\n * const nextCarry = sum >> N64; // propagate bit 64 upwards\n * ```\n *\n * @public\n */\nexport const MASK64 = 0xff_ff_ff_ff_ff_ff_ff_ffn;\n\n/**\n * The Curve25519 field prime p = 2^255 - 19 decomposed into 4 × 64-bit limbs,\n * stored in little-endian order.\n *\n * @remarks\n * Binary representation of p = 2^255 - 19:\n * - Bits 0-63: `0xFFFFFFFFFFFFFFED` (= 2^64 - 19)\n * - Bits 64-127: `0xFFFFFFFFFFFFFFFF` (all ones)\n * - Bits 128-191:`0xFFFFFFFFFFFFFFFF` (all ones)\n * - Bits 192-255:`0x7FFFFFFFFFFFFFFF` (2^63 - 1; high bit is 0)\n *\n * The high bit of limb 3 being 0 reflects the fact that p < 2^255.\n *\n * This constant is used in:\n * - `addModularLimbs` — trial subtraction to enforce the canonical range.\n * - `subtractModularLimbs` — conditional addition to wrap negative differences.\n * - `reduce256Curve25519` — single-step reduction of 256-bit values.\n *\n * @privateRemarks\n * Limb 0 value derivation:\n * p = 2^255 - 19. 
The low 64 bits of p are:\n * 2^64 × floor(p / 2^64) + r => r = p mod 2^64 = (2^64 - 19) = 0xFFFFFFFFFFFFFFED\n *\n * @public\n */\nexport const P_LIMBS: Curve25519FieldElementLimb = [\n 0xff_ff_ff_ff_ff_ff_ff_edn, // limb 0 (bits 0-63): 2^64 - 19\n 0xff_ff_ff_ff_ff_ff_ff_ffn, // limb 1 (bits 64-127): all 1s\n 0xff_ff_ff_ff_ff_ff_ff_ffn, // limb 2 (bits 128-191): all 1s\n 0x7f_ff_ff_ff_ff_ff_ff_ffn, // limb 3 (bits 192-255): 2^63 - 1\n];\n\n// =============================================================================\n// Internal Helper Functions\n// =============================================================================\n\n/**\n * Constant-time conditional select between two `bigint` values.\n *\n * @remarks\n * Returns `x` when `bit === 1n` and `y` when `bit === 0n`, without branching\n * on the value of `bit`. The selection is performed using bitwise arithmetic:\n * ```\n * mask = -bit // 0n if bit=0, -1n (all ones) if bit=1\n * result = (x & mask) | (y & ~mask)\n * ```\n * This is the BigInt equivalent of the C idiom `(mask & x) | (~mask & y)`.\n *\n * `bit` MUST be exactly `0n` or `1n`. Passing any other value produces\n * undefined results.\n *\n * @param bit - Selection bit. Must be `0n` or `1n`.\n * @param x - Value returned when `bit === 1n`.\n * @param y - Value returned when `bit === 0n`.\n * @returns `x` if `bit === 1n`; `y` if `bit === 0n`.\n *\n * @privateRemarks\n * JavaScript BigInt negation of a 1-bit value: `-1n` in BigInt is the\n * two's-complement all-ones pattern (arbitrary precision), which acts as a\n * perfect mask. 
`-0n === 0n`, so the 0 case also works correctly.\n *\n * @public\n */\nexport function constantTimeSelect(bit: bigint, x: bigint, y: bigint): bigint {\n const mask = -bit;\n return (x & mask) | (y & ~mask);\n}\n\n/**\n * Decomposes a non-negative `bigint` into the 4-limb little-endian representation\n * used throughout this module.\n *\n * @remarks\n * Extracts four 64-bit windows by successive right-shifts combined with\n * `MASK64`:\n * ```\n * limb0 = value & 0xFFFFFFFFFFFFFFFF (bits 0-63)\n * limb1 = (value >> 64) & 0xFFFFFFFFFFFFFFFF (bits 64-127)\n * limb2 = (value >> 128) & 0xFFFFFFFFFFFFFFFF (bits 128-191)\n * limb3 = (value >> 192) & 0xFFFFFFFFFFFFFFFF (bits 192-255)\n * ```\n *\n * The input must satisfy 0 ≤ value < 2^256. Values in the range [p, 2^256)\n * are representable in limb form but are not canonical field elements;\n * callers are responsible for reducing them if needed.\n *\n * @param value - A non-negative `bigint` in range [0, 2^256 - 1].\n * @returns A 4-element tuple `[limb0, limb1, limb2, limb3]` in little-endian order.\n *\n * @public\n */\nexport function bigintToLimbs(value: bigint): Curve25519FieldElementLimb {\n return [\n value & MASK64,\n (value >> N64) & MASK64,\n (value >> (N64 * 2n)) & MASK64,\n (value >> (N64 * 3n)) & MASK64,\n ];\n}\n\n/**\n * Reconstructs a `bigint` from the 4-limb little-endian representation.\n *\n * @remarks\n * Computes:\n * ```\n * value = limbs[0]\n * + limbs[1] × 2^64\n * + limbs[2] × 2^128\n * + limbs[3] × 2^192\n * ```\n *\n * This is the inverse of {@link bigintToLimbs}. 
The reconstructed value lies in\n * [0, 2^256 - 1] (or [0, p-1] if the limbs represent a canonical field element).\n *\n * @param limbs - A 4-element tuple in little-endian order, each limb in [0, 2^64 - 1].\n * @returns The reconstructed `bigint` value.\n *\n * @public\n */\nexport function limbsToBigint(limbs: Curve25519FieldElementLimb): bigint {\n return limbs[0] + (limbs[1] << N64) + (limbs[2] << (N64 * 2n)) + (limbs[3] << (N64 * 3n));\n}\n\n/**\n * Constant-time modular addition of two field elements, both in 4-limb form.\n *\n * @remarks\n * ## Algorithm\n *\n * **Step 1 — Raw addition with carry propagation:**\n * ```\n * t[i] = a[i] + b[i] + carry_in\n * t_carry = final carry out of limb 3\n * ```\n * The carry is propagated upward through all 4 limbs. After all limbs are\n * processed, `tCarry` is `1n` iff the sum `a + b` exceeded 2^256 - 1.\n *\n * **Step 2 — Trial subtraction:**\n * ```\n * d = t - p (with borrow propagation across 4 limbs)\n * ```\n * After this step, `borrow` is `1n` iff `t < p` (i.e., no reduction needed).\n *\n * **Step 3 — Constant-time selection:**\n * ```\n * useD = tCarry | (1 - borrow)\n * result[i] = constantTimeSelect(useD, d[i], t[i])\n * ```\n * If `tCarry` is 1 (overflow) or if the trial subtraction did not borrow\n * (meaning t ≥ p), use the reduced value `d`. Otherwise use `t`.\n *\n * No `if` statement branches on input-derived data.\n *\n * @param a - Minuend in 4-limb form. Each limb in [0, 2^64 - 1]; value in [0, p-1].\n * @param b - Subtrahend in 4-limb form. Each limb in [0, 2^64 - 1]; value in [0, p-1].\n * @returns The canonical sum `(a + b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function addModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // 1. 
Raw Addition: t = a + b\n const t: bigint[] = [0n, 0n, 0n, 0n];\n let carry = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sum = a[index] + b[index] + carry;\n t[index] = sum & MASK64;\n carry = sum >> N64;\n }\n const tCarry = carry;\n\n // 2. Trial Subtraction: d = t - p\n const d: bigint[] = [0n, 0n, 0n, 0n];\n let borrow = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sub = t[index] - P_LIMBS[index] - borrow;\n d[index] = sub & MASK64;\n borrow = -(sub >> N64);\n }\n\n // 3. Selection: use d if overflow or no borrow\n const useD = tCarry | (1n - borrow);\n\n return [\n constantTimeSelect(useD, d[0], t[0]),\n constantTimeSelect(useD, d[1], t[1]),\n constantTimeSelect(useD, d[2], t[2]),\n constantTimeSelect(useD, d[3], t[3]),\n ];\n}\n\n/**\n * Constant-time modular subtraction of two field elements, both in 4-limb form.\n *\n * @remarks\n * ## Algorithm\n *\n * **Step 1 — Raw subtraction with borrow propagation:**\n * ```\n * out[i] = a[i] - b[i] - borrow_in\n * ```\n * After all 4 limbs, `borrow` is `1n` iff a < b (the difference is negative\n * in ordinary arithmetic and must wrap around modulo p).\n *\n * **Step 2 — Conditional add-back of p:**\n * ```\n * mask = -borrow // all-ones mask if a < b, zero mask otherwise\n * for each limb i:\n * addValue = P_LIMBS[i] & mask // add p iff borrow occurred\n * out[i] = out[i] + addValue + carry\n * ```\n * The mask is derived from the borrow bit without a branch. When borrow = 0\n * the mask is 0 and no correction is applied. When borrow = 1 the mask is\n * all-ones and p is added back.\n *\n * @param a - Minuend in 4-limb form. Value in [0, p-1].\n * @param b - Subtrahend in 4-limb form. Value in [0, p-1].\n * @returns The canonical difference `(a - b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function subtractModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // 1. 
Calculate diff = a - b\n const out: bigint[] = [0n, 0n, 0n, 0n];\n let borrow = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sub = a[index] - b[index] - borrow;\n out[index] = sub & MASK64;\n borrow = -(sub >> N64);\n }\n\n // 2. If we borrowed, add P back using masking\n const mask = -borrow;\n let carry = 0n;\n\n for (let index = 0; index < 4; index++) {\n const addValue = P_LIMBS[index] & mask;\n\n const sum = out[index] + addValue + carry;\n out[index] = sum & MASK64;\n carry = sum >> N64;\n }\n\n return [out[0], out[1], out[2], out[3]];\n}\n\n/**\n * Modular multiplication of two field elements in 4-limb form, returning the\n * product reduced modulo p.\n *\n * @remarks\n * ## Algorithm\n *\n * Converts both limb arrays back to full-precision `BigInt` values, performs\n * native `BigInt` multiplication to obtain a ≤ 510-bit intermediate product,\n * and reduces by `% CURVE25519_FIELD_PRIME`.\n *\n * ```\n * product = limbsToBigint(a) * limbsToBigint(b) (up to 510 bits)\n * reduced = product % p\n * return bigintToLimbs(reduced)\n * ```\n *\n * ## Why Not Schoolbook Limb Multiplication?\n *\n * A true 4×4 schoolbook multiplication would produce an 8-limb (512-bit)\n * intermediate and require a multi-step reduction using the structure of p.\n * JavaScript's `BigInt` already implements this internally, and the V8 engine\n * performs the reduction in native code. This approach is simpler and has\n * predictable worst-case cost.\n *\n * ## Why Not Montgomery Form?\n *\n * Montgomery multiplication eliminates the per-call division at the cost of\n * converting inputs into and out of Montgomery domain. That conversion\n * overhead is only amortized when the same operands participate in many\n * multiplications (e.g., long scalar multiplication chains). For the Rescue\n * cipher's relatively short permutation rounds, the conversion cost is not\n * justified.\n *\n * @param a - First factor in 4-limb form. 
Value in [0, p-1].\n * @param b - Second factor in 4-limb form. Value in [0, p-1].\n * @returns The canonical product `(a × b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function multiplyModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // For Curve25519, we use direct multiplication and reduction\n // This is simpler than Montgomery for this specific prime\n const aBig = limbsToBigint(a);\n const bBig = limbsToBigint(b);\n const product = (aBig * bBig) % CURVE25519_FIELD_PRIME;\n return bigintToLimbs(product);\n}\n\n/**\n * Modular exponentiation of a field element by an arbitrary non-negative\n * exponent, using binary square-and-multiply.\n *\n * @remarks\n * ## Algorithm — Binary Exponentiation\n *\n * Starting from `result = 1` (the multiplicative identity in limb form):\n * ```\n * current = base\n * while exp > 0:\n * if (exp & 1) == 1:\n * result = result × current (mod p)\n * current = current × current (mod p)\n * exp >>= 1\n * return result\n * ```\n *\n * The branch `if (exp & 1) == 1` tests a bit of the **exponent**, not a\n * secret field value. When the exponent is a fixed protocol constant (e.g.,\n * p - 2 for inversion) this does not leak secret data; when the exponent is\n * secret (e.g., a private scalar), a constant-time double-and-add should be\n * used instead.\n *\n * ## Cost\n *\n * For an n-bit exponent: at most n squarings and at most n multiplications\n * (≈ n/2 on average). For the full range [0, p-1] this is ≈ 255 squarings\n * and ≈ 128 multiplications.\n *\n * @param base - Base field element in 4-limb form. 
Value in [0, p-1].\n * @param exp - Non-negative exponent as a plain `bigint`.\n * @returns `base^exp mod p` in 4-limb form.\n *\n * @public\n */\nexport function modularExpLimbs(base: Curve25519FieldElementLimb, exp: bigint): Curve25519FieldElementLimb {\n let result: Curve25519FieldElementLimb = [1n, 0n, 0n, 0n];\n let current = base;\n\n while (exp > 0n) {\n if ((exp & 1n) === 1n) {\n result = multiplyModularLimbs(result, current);\n }\n current = multiplyModularLimbs(current, current);\n exp >>= 1n;\n }\n\n return result;\n}\n\n// =============================================================================\n// Exported Functions\n// =============================================================================\n\n/**\n * Constant-operation-count modular addition for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field sum:\n * ```\n * result ≡ a + b (mod p), p = 2^255 - 19\n * ```\n *\n * Implementation delegates to {@link addModularLimbs} which performs the\n * addition and conditional reduction entirely with bitwise masking — no\n * data-dependent branches on `a` or `b`.\n *\n * This function satisfies {@link Curve25519ModuloAddFunction}.\n *\n * @param a - First field element. Must be in canonical range [0, p-1].\n * @param b - Second field element. 
Must be in canonical range [0, p-1].\n * @returns `(a + b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloAdd } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Basic addition\n * const sum = curve25519ModuloAdd(10n, 20n);\n * console.log(sum); // 30n\n *\n * // Wrap-around: p-1 + 1 = 0\n * const wrap = curve25519ModuloAdd(CURVE25519_FIELD_PRIME - 1n, 1n);\n * console.log(wrap); // 0n\n * ```\n *\n * @see {@link curve25519ModuloSub} — complementary subtraction\n * @see {@link getCurve25519ModularAddFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloAdd: Curve25519ModuleAddFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = addModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Constant-operation-count modular subtraction for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field difference:\n * ```\n * result ≡ a - b (mod p), p = 2^255 - 19\n * ```\n *\n * When a < b the result wraps around: `a - b + p`, which is still in [0, p-1].\n * Implementation delegates to {@link subtractModularLimbs}, which adds p back via\n * a borrow-derived bitmask rather than a conditional branch.\n *\n * This function satisfies {@link Curve25519ModuloSubFunction}.\n *\n * @param a - Minuend. Must be in canonical range [0, p-1].\n * @param b - Subtrahend. 
Must be in canonical range [0, p-1].\n * @returns `(a - b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloSub } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Normal subtraction\n * const diff = curve25519ModuloSub(30n, 10n);\n * console.log(diff); // 20n\n *\n * // Wrap-around: 0 - 1 = p - 1\n * const wrap = curve25519ModuloSub(0n, 1n);\n * console.log(wrap === CURVE25519_FIELD_PRIME - 1n); // true\n * ```\n *\n * @see {@link curve25519ModuloAdd} — complementary addition\n * @see {@link getCurve25519ModularSubFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloSub: Curve25519ModuleSubFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = subtractModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular multiplication for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field product:\n * ```\n * result ≡ a × b (mod p), p = 2^255 - 19\n * ```\n *\n * Implementation converts both operands to full-precision `BigInt`, multiplies\n * natively (producing a ≤ 510-bit intermediate), then reduces with `% p`.\n * See {@link multiplyModularLimbs} for rationale on why Montgomery form is not used.\n *\n * This function satisfies {@link Curve25519ModuloMulFunction}.\n *\n * @param a - First factor. Must be in canonical range [0, p-1].\n * @param b - Second factor. 
Must be in canonical range [0, p-1].\n * @returns `(a × b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloMul } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Basic multiplication\n * const product = curve25519ModuloMul(7n, 8n);\n * console.log(product); // 56n\n *\n * // Large value reduces modulo p\n * const large = curve25519ModuloMul(CURVE25519_FIELD_PRIME - 1n, 2n);\n * // (p-1) × 2 = 2p - 2 ≡ p - 2 (mod p)\n * console.log(large === CURVE25519_FIELD_PRIME - 2n); // true\n * ```\n *\n * @see {@link curve25519ModuloInv} — uses this function for inversion via Fermat's theorem\n * @see {@link getCurve25519ModularMulFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloMul: Curve25519ModuleMulFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = multiplyModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular multiplicative inverse for the Curve25519 base field.\n *\n * @remarks\n * Computes the unique inverse such that:\n * ```\n * a × result ≡ 1 (mod p), p = 2^255 - 19\n * ```\n *\n * ## Algorithm — Fermat's Little Theorem\n *\n * Because p is prime, Fermat's Little Theorem guarantees:\n * ```\n * a^(p-1) ≡ 1 (mod p) for all a ≠ 0\n * ```\n * Therefore:\n * ```\n * a^(-1) ≡ a^(p-2) (mod p)\n * ```\n *\n * The exponent p - 2 is a fixed protocol constant, so the square-and-multiply\n * loop in {@link modularExpLimbs} does not branch on secret data.\n *\n * **Cost**: ≈ 255 squarings + ≈ 128 multiplications. 
For applications that call\n * inversion in a tight loop, a batch-inversion algorithm (Montgomery's trick)\n * can reduce the cost to 1 inversion + 3(n-1) multiplications for n elements.\n *\n * This function satisfies {@link Curve25519ModuloInvFunction}.\n *\n * @param a - The field element to invert. Must be in range [1, p-1].\n * Passing `0n` is a programming error — zero has no multiplicative inverse.\n * @returns The unique inverse `a^(-1) mod p` in range [1, p-1].\n * @throws {Error} If `a === 0n`. The error message is\n * `\"Cannot compute modular inverse of zero\"`.\n *\n * @example\n * ```typescript\n * import { curve25519ModuloInv, curve25519ModuloMul } from \"@umbra-privacy/sdk/math\";\n *\n * const a = 7n;\n * const invA = curve25519ModuloInv(a);\n *\n * // Verification: a × a^{-1} ≡ 1 (mod p)\n * const product = curve25519ModuloMul(a, invA);\n * console.log(product === 1n); // true\n *\n * // Throws for zero\n * try {\n * curve25519ModuloInv(0n);\n * } catch (e) {\n * console.log((e as Error).message); // \"Cannot compute modular inverse of zero\"\n * }\n * ```\n *\n * @see {@link curve25519ModuloPow} — the underlying exponentiation used internally\n * @see {@link getCurve25519ModularInvFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloInv: Curve25519ModuleInvFunction = (a: bigint): bigint => {\n if (a === 0n) {\n throw new Error(\"Cannot compute modular inverse of zero\");\n }\n\n const aLimbs = bigintToLimbs(a);\n const exp = CURVE25519_FIELD_PRIME - 2n;\n const resultLimbs = modularExpLimbs(aLimbs, exp);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular exponentiation for the Curve25519 base field.\n *\n * @remarks\n * Computes the field power:\n * ```\n * result ≡ base^exp (mod p), p = 2^255 - 19\n * ```\n *\n * Uses binary (square-and-multiply) exponentiation via {@link modularExpLimbs}.\n * The special case `exp === 0n` is handled explicitly: `base^0 = 1` for all\n * `base`, 
including `base = 0`.\n *\n * This function satisfies {@link Curve25519ModuloPowFunction}.\n *\n * @param base - The base. Must be in canonical range [0, p-1].\n * @param exp - A non-negative `bigint` exponent.\n * @returns `base^exp mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloPow } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Small exponent\n * const r1 = curve25519ModuloPow(2n, 10n);\n * console.log(r1); // 1024n\n *\n * // Zero exponent: always 1\n * const r2 = curve25519ModuloPow(12345n, 0n);\n * console.log(r2); // 1n\n *\n * // Fermat's Little Theorem: a^(p-1) ≡ 1 for a ≠ 0\n * const r3 = curve25519ModuloPow(42n, CURVE25519_FIELD_PRIME - 1n);\n * console.log(r3); // 1n\n * ```\n *\n * @see {@link curve25519ModuloInv} — uses this with exponent p-2\n * @see {@link getCurve25519ModularPowFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloPow: Curve25519ModulePowFunction = (\n base: bigint,\n exp: bigint,\n): bigint => {\n if (exp === 0n) {\n return 1n;\n }\n\n const baseLimbs = bigintToLimbs(base);\n const resultLimbs = modularExpLimbs(baseLimbs, exp);\n return limbsToBigint(resultLimbs);\n};\n\n// =============================================================================\n// Getter Functions\n// =============================================================================\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular addition function.\n *\n * @remarks\n * On the first call, stores `curve25519ModuloAdd` in the module-level cache\n * variable and returns it. Subsequent calls return the cached reference\n * without re-assignment. 
This pattern avoids redundant function object\n * allocation when the getter is called in a hot path.\n *\n * The returned function is identical to calling {@link curve25519ModuloAdd}\n * directly; the getter is provided for dependency-injection consumers that\n * accept a `Curve25519ModuloAddFunction` from a provider rather than\n * importing the concrete implementation.\n *\n * @returns The singleton `curve25519ModuloAdd` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularAddFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modAdd = getCurve25519ModularAddFunction();\n * const sum = modAdd(10n, 20n); // 30n\n * ```\n *\n * @see {@link curve25519ModuloAdd} — the underlying constant-time implementation\n *\n * @public\n */\nexport function getCurve25519ModularAddFunction(): Curve25519ModuleAddFunction {\n return curve25519ModuloAdd;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular subtraction function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloSub} directly.\n *\n * @returns The singleton `curve25519ModuloSub` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularSubFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modSub = getCurve25519ModularSubFunction();\n * const diff = modSub(30n, 10n); // 20n\n * ```\n *\n * @see {@link curve25519ModuloSub} — the underlying constant-time implementation\n *\n * @public\n */\nexport function getCurve25519ModularSubFunction(): Curve25519ModuleSubFunction {\n return curve25519ModuloSub;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular multiplication function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloMul} directly.\n *\n * @returns The singleton 
`curve25519ModuloMul` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularMulFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modMul = getCurve25519ModularMulFunction();\n * const product = modMul(7n, 8n); // 56n\n * ```\n *\n * @see {@link curve25519ModuloMul} — the underlying implementation\n *\n * @public\n */\nexport function getCurve25519ModularMulFunction(): Curve25519ModuleMulFunction {\n return curve25519ModuloMul;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular inverse function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloInv} directly.\n *\n * @returns The singleton `curve25519ModuloInv` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularInvFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modInv = getCurve25519ModularInvFunction();\n * const inverse = modInv(7n);\n * // modInv(7n) * 7n ≡ 1 (mod p)\n * ```\n *\n * @see {@link curve25519ModuloInv} — the underlying Fermat's theorem implementation\n *\n * @public\n */\nexport function getCurve25519ModularInvFunction(): Curve25519ModuleInvFunction {\n return curve25519ModuloInv;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular exponentiation function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloPow} directly.\n *\n * @returns The singleton `curve25519ModuloPow` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularPowFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modPow = getCurve25519ModularPowFunction();\n * const result = modPow(2n, 10n); // 1024n\n * ```\n *\n * @see {@link curve25519ModuloPow} — the underlying square-and-multiply implementation\n *\n * @public\n */\nexport function 
getCurve25519ModularPowFunction(): Curve25519ModulePowFunction {\n return curve25519ModuloPow;\n}\n\n// =============================================================================\n// U512-Based Field Element Sampler\n// =============================================================================\n\n/**\n * The Montgomery constant R = 2^256 mod p for the Curve25519 field.\n *\n * @remarks\n * Used in the U512-based sampler to combine the high and low 256-bit halves\n * of a 512-bit input into a single field element:\n * ```\n * result = (high × R + low) mod p\n * ```\n *\n * ## Derivation\n *\n * ```\n * 2^256 = 2 × 2^255\n * = 2 × (p + 19) (since p = 2^255 - 19)\n * = 2p + 38\n * ∴ 2^256 mod p = 38\n * ```\n *\n * The small value of R (just 38) means the multiplication `high × R` can be\n * computed cheaply: it is equivalent to `high × 38`, well within the range\n * of a single BigInt multiply-and-reduce.\n *\n * @public\n */\nexport const R_MOD_P_CURVE25519 = 38n;\n\n/**\n * Reduces a 256-bit value into the canonical Curve25519 field range [0, p)\n * using constant-time trial subtraction.\n *\n * @remarks\n * ## Algorithm\n *\n * Computes `d = value - p` using 4-limb borrow propagation. If the final\n * borrow is 1, then value < p and the original value should be returned;\n * otherwise d is in [0, p) and should be returned. Selection between `value`\n * and `d` is performed with {@link constantTimeSelect} — no branch on the borrow bit.\n *\n * This function handles exactly one conditional subtraction, which is correct\n * because the input is guaranteed to be in [0, 2^256). Any value in\n * [p, 2^256) satisfies p ≤ value < 2p (since p > 2^254), so a single\n * subtraction of p suffices.\n *\n * @param value - A non-negative `bigint` in [0, 2^256 - 1]. Values already\n * in [0, p) are returned unchanged. 
Values in [p, 2^256) are reduced by p.\n * @returns The equivalent element in the canonical range [0, p-1].\n *\n * @public\n */\nexport function reduce256Curve25519(value: bigint): bigint {\n const [l0, l1, l2, l3] = bigintToLimbs(value);\n const [p0, p1, p2, p3] = P_LIMBS;\n\n // Trial subtraction: d = value - p\n // Compute d0\n const sub0 = l0 - p0;\n const d0 = sub0 & MASK64;\n const borrow0 = -(sub0 >> N64) & 1n;\n\n // Compute d1\n const sub1 = l1 - p1 - borrow0;\n const d1 = sub1 & MASK64;\n const borrow1 = -(sub1 >> N64) & 1n;\n\n // Compute d2\n const sub2 = l2 - p2 - borrow1;\n const d2 = sub2 & MASK64;\n const borrow2 = -(sub2 >> N64) & 1n;\n\n // Compute d3\n const sub3 = l3 - p3 - borrow2;\n const d3 = sub3 & MASK64;\n const borrow3 = -(sub3 >> N64) & 1n;\n\n // If borrow3 is 0, value >= p, so use d (the subtracted value)\n // If borrow3 is 1, value < p, so use original value\n const useOriginal = borrow3;\n\n return limbsToBigint([\n constantTimeSelect(useOriginal, l0, d0),\n constantTimeSelect(useOriginal, l1, d1),\n constantTimeSelect(useOriginal, l2, d2),\n constantTimeSelect(useOriginal, l3, d3),\n ]);\n}\n\n/**\n * Decodes 32 bytes from a big-endian byte array starting at `offset` into a\n * `bigint`, using the SDK's typed `U256BeBytes` converter pipeline.\n *\n * @remarks\n * Steps:\n * 1. Slice `bytes[offset .. offset+32]` (32 bytes = 256 bits).\n * 2. Wrap the slice in a `U256BeBytes` branded type via `createU256BeBytes`.\n * 3. Decode the branded bytes to a `bigint` via `decodeU256BeBytesToU256`.\n *\n * The resulting `bigint` is in the range [0, 2^256 - 1]. 
It may be ≥ p;\n * callers are responsible for reducing it if needed (e.g., via\n * {@link reduce256Curve25519}).\n *\n * @param bytes - The source byte array (must be at least `offset + 32` bytes long).\n * @param offset - Byte index at which to start reading the 32-byte window.\n * @returns The big-endian decoded `bigint` for bytes `[offset, offset+32)`.\n *\n * @public\n */\nexport function curve25519BytesToBigintBigEndian(bytes: Uint8Array, offset: number): bigint {\n const slice = bytes.slice(offset, offset + U256_BYTE_LENGTH);\n const u256BeBytes = createU256BeBytes(slice);\n return decodeU256BeBytesToU256(u256BeBytes);\n}\n\n/**\n * Factory that creates a sampler converting 512-bit big-endian byte arrays to\n * uniformly distributed Curve25519 field elements.\n *\n * @remarks\n * ## Purpose\n *\n * Hash-to-field algorithms produce 512-bit outputs to avoid statistical bias\n * when mapping into the 255-bit field. This factory encapsulates the standard\n * two-half combination technique (see below), returning a closure that can be\n * used repeatedly.\n *\n * ## Algorithm\n *\n * Given a 64-byte big-endian input array:\n *\n * 1. **Split** into two 256-bit halves:\n * - `high = input[0..31]` (most significant)\n * - `low = input[32..63]` (least significant)\n *\n * 2. **Reduce** each half into [0, p) via constant-time trial subtraction\n * (`reduce256Curve25519`).\n *\n * 3. **Combine** using the precomputed constant R = 2^256 mod p = 38:\n * ```\n * result = (highReduced × R + lowReduced) mod p\n * ```\n *\n * ## Customization via `deps`\n *\n * The `modAdd` and `modMul` slots in `deps` allow replacing the default\n * constant-time implementations with alternatives. 
Common use cases:\n * - Inject test stubs to exercise the combination logic in isolation.\n * - Use a faster non-constant-time implementation for offline tooling.\n *\n * ## Uniformity\n *\n * The bias of the result is bounded by p / 2^512 < 2^-257, which is\n * negligible for all practical cryptographic purposes.\n *\n * @param deps - Optional overrides for modular arithmetic. If omitted, uses\n * the default constant-time SDK implementations.\n * @returns A closure `(input: U512BeBytes) => Curve25519FieldElement`.\n *\n * @example\n * ```typescript\n * import { getCurve25519FieldElementSampler } from \"@umbra-privacy/sdk/math\";\n *\n * // Default: uses SDK constant-time arithmetic\n * const sampler = getCurve25519FieldElementSampler();\n *\n * const input = crypto.getRandomValues(new Uint8Array(64)) as U512BeBytes;\n * const element = sampler(input);\n * // element is a valid Curve25519FieldElement in [0, p-1]\n *\n * // With custom multiplication for testing\n * const testSampler = getCurve25519FieldElementSampler({\n * modMul: (a, b) => (a * b) % ((1n << 255n) - 19n),\n * });\n * ```\n *\n * @see {@link curve25519FieldElementSampler} — pre-built default instance\n * @see {@link U512BasedCurve25519FieldElementSamplerDeps} — the dependency injection bag\n * @see {@link U512BasedCurve25519FieldElementSamplerFunction} — the returned function's type\n *\n * @public\n */\nexport function getCurve25519FieldElementSampler(\n deps?: U512BasedCurve25519FieldElementSamplerDeps,\n): U512BasedCurve25519FieldElementSamplerFunction {\n // Use provided functions or fall back to defaults\n const { modAdd: moduleAdd = curve25519ModuloAdd, modMul: moduleMul = curve25519ModuloMul } =\n deps ?? 
{};\n\n return (input: U512BeBytes): Curve25519FieldElement => {\n // Extract high and low 256-bit halves (big-endian)\n // bytes 0-31 = high (most significant)\n // bytes 32-63 = low (least significant)\n const high = curve25519BytesToBigintBigEndian(input, 0); // bytes 0-31\n const low = curve25519BytesToBigintBigEndian(input, 32); // bytes 32-63\n\n // Reduce both halves to [0, p)\n // This is necessary because 256-bit values can be >= p\n const lowReduced = reduce256Curve25519(low);\n const highReduced = reduce256Curve25519(high);\n\n // Compute: result = (high × R + low) mod p\n // where R = 2^256 mod p = 38 for Curve25519\n const highTimesR = moduleMul(highReduced, R_MOD_P_CURVE25519);\n const result = moduleAdd(highTimesR, lowReduced);\n\n return result as Curve25519FieldElement;\n };\n}\n\n/**\n * Pre-instantiated U512-to-field-element sampler using the default\n * constant-time Curve25519 field arithmetic.\n *\n * @remarks\n * This is a convenience export for callers that do not need to inject custom\n * arithmetic. It is equivalent to calling:\n * ```typescript\n * getCurve25519FieldElementSampler()\n * ```\n * but avoids the factory call overhead for the common case.\n *\n * ## Typical Usage Pattern\n *\n * Hash-to-field: pass the 512-bit output of a wide hash (SHA-512, BLAKE2b-512,\n * HKDF output, etc.) 
directly to this sampler to obtain a uniformly distributed\n * field element:\n * ```\n * fieldElement = sampler(sha512(domainSeparator || message))\n * ```\n *\n * This pattern is used internally in the Umbra SDK wherever a scalar must be\n * derived deterministically from a secret without bias.\n *\n * @param input - A 64-byte big-endian byte array (`U512BeBytes`).\n * @returns A `Curve25519FieldElement` in the canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519FieldElementSampler } from \"@umbra-privacy/sdk/math\";\n *\n * // All-zero input → deterministic result (== 0n)\n * const zeroInput = new Uint8Array(64) as U512BeBytes;\n * const element = curve25519FieldElementSampler(zeroInput);\n * console.log(element); // 0n\n *\n * // Random 64-byte input from a CSPRNG\n * const randomInput = crypto.getRandomValues(new Uint8Array(64)) as U512BeBytes;\n * const randomElement = curve25519FieldElementSampler(randomInput);\n * // randomElement is uniformly distributed in [0, p-1]\n * ```\n *\n * @see {@link getCurve25519FieldElementSampler} — factory for custom arithmetic\n * @see {@link U512BasedCurve25519FieldElementSamplerFunction} — the function type\n *\n * @public\n */\nexport const curve25519FieldElementSampler: U512BasedCurve25519FieldElementSamplerFunction =\n getCurve25519FieldElementSampler();\n"]}
1
+ {"version":3,"sources":["../src/primitives/math/curve25519/field-arithmetic.ts"],"names":[],"mappings":";;;;;;;AA4HO,IAAM,GAAA,GAAM,GAAA;AAqBZ,IAAM,MAAA,GAAS,mBAAA;AA2Bf,IAAM,OAAA,GAAsC;AAAA,EACjD,mBAAA;AAAA;AAAA,EACA,mBAAA;AAAA;AAAA,EACA,mBAAA;AAAA;AAAA,EACA;AAAA;AACF,CAAA;AAiCO,SAAS,kBAAA,CAAmB,GAAA,EAAa,CAAA,EAAW,CAAA,EAAmB;AAC5E,EAAA,MAAM,OAAO,CAAC,GAAA;AACd,EAAA,OAAQ,CAAA,GAAI,IAAA,GAAS,CAAA,GAAI,CAAC,IAAA;AAC5B;AAHgB,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AA4BT,SAAS,cAAc,KAAA,EAA2C;AACvE,EAAA,OAAO;AAAA,IACL,KAAA,GAAQ,MAAA;AAAA,IACP,SAAS,GAAA,GAAO,MAAA;AAAA,IAChB,KAAA,IAAU,MAAM,EAAA,GAAO,MAAA;AAAA,IACvB,KAAA,IAAU,MAAM,EAAA,GAAO;AAAA,GAC1B;AACF;AAPgB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AA6BT,SAAS,cAAc,KAAA,EAA2C;AACvE,EAAA,OAAO,KAAA,CAAM,CAAC,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,IAAK,GAAA,CAAA,IAAQ,KAAA,CAAM,CAAC,KAAM,GAAA,GAAM,EAAA,CAAA,IAAQ,KAAA,CAAM,CAAC,KAAM,GAAA,GAAM,EAAA,CAAA;AACvF;AAFgB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAwCT,SAAS,eAAA,CACd,GACA,CAAA,EAC4B;AAE5B,EAAA,MAAM,CAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACnC,EAAA,IAAI,KAAA,GAAQ,EAAA;AAEZ,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,CAAA,CAAE,KAAK,CAAA,GAAI,KAAA;AAClC,IAAA,CAAA,CAAE,KAAK,IAAI,GAAA,GAAM,MAAA;AACjB,IAAA,KAAA,GAAQ,GAAA,IAAO,GAAA;AAAA,EACjB;AACA,EAAA,MAAM,MAAA,GAAS,KAAA;AAGf,EAAA,MAAM,CAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACnC,EAAA,IAAI,MAAA,GAAS,EAAA;AAEb,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,OAAA,CAAQ,KAAK,CAAA,GAAI,MAAA;AACxC,IAAA,CAAA,CAAE,KAAK,IAAI,GAAA,GAAM,MAAA;AACjB,IAAA,MAAA,GAAS,EAAE,GAAA,IAAO,GAAA,CAAA;AAAA,EACpB;AAGA,EAAA,MAAM,IAAA,GAAO,SAAU,EAAA,GAAK,MAAA;AAE5B,EAAA,OAAO;AAAA,IACL,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EAAM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,IACnC,mBAAmB,IAAA,EA
AM,CAAA,CAAE,CAAC,CAAA,EAAG,CAAA,CAAE,CAAC,CAAC;AAAA,GACrC;AACF;AAlCgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAkET,SAAS,oBAAA,CACd,GACA,CAAA,EAC4B;AAE5B,EAAA,MAAM,GAAA,GAAgB,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACrC,EAAA,IAAI,MAAA,GAAS,EAAA;AAEb,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,MAAM,CAAA,CAAE,KAAK,CAAA,GAAI,CAAA,CAAE,KAAK,CAAA,GAAI,MAAA;AAClC,IAAA,GAAA,CAAI,KAAK,IAAI,GAAA,GAAM,MAAA;AACnB,IAAA,MAAA,GAAS,EAAE,GAAA,IAAO,GAAA,CAAA;AAAA,EACpB;AAGA,EAAA,MAAM,OAAO,CAAC,MAAA;AACd,EAAA,IAAI,KAAA,GAAQ,EAAA;AAEZ,EAAA,KAAA,IAAS,KAAA,GAAQ,CAAA,EAAG,KAAA,GAAQ,CAAA,EAAG,KAAA,EAAA,EAAS;AACtC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,KAAK,CAAA,GAAI,IAAA;AAElC,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,KAAK,CAAA,GAAI,QAAA,GAAW,KAAA;AACpC,IAAA,GAAA,CAAI,KAAK,IAAI,GAAA,GAAM,MAAA;AACnB,IAAA,KAAA,GAAQ,GAAA,IAAO,GAAA;AAAA,EACjB;AAEA,EAAA,OAAO,CAAC,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAA,EAAG,GAAA,CAAI,CAAC,CAAC,CAAA;AACxC;AA3BgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAqET,SAAS,oBAAA,CACd,GACA,CAAA,EAC4B;AAG5B,EAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAC5B,EAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAC5B,EAAA,MAAM,OAAA,GAAW,OAAO,IAAA,GAAQ,sBAAA;AAChC,EAAA,OAAO,cAAc,OAAO,CAAA;AAC9B;AAVgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAgDT,SAAS,eAAA,CAAgB,MAAkC,GAAA,EAAyC;AACzG,EAAA,IAAI,MAAA,GAAqC,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AACxD,EAAA,IAAI,OAAA,GAAU,IAAA;AAEd,EAAA,OAAO,MAAM,EAAA,EAAI;AACf,IAAA,IAAA,CAAK,GAAA,GAAM,QAAQ,EAAA,EAAI;AACrB,MAAA,MAAA,GAAS,oBAAA,CAAqB,QAAQ,OAAO,CAAA;AAAA,IAC/C;AACA,IAAA,OAAA,GAAU,oBAAA,CAAqB,SAAS,OAAO,CAAA;AAC/C,IAAA,GAAA,KAAQ,EAAA;AAAA,EACV;AAEA,EAAA,OAAO,MAAA;AACT;AAbgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAyDT,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,MAAA,EAAQ,MAAM,CAAA;AAClD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AA6CzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,
GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,oBAAA,CAAqB,MAAA,EAAQ,MAAM,CAAA;AACvD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AA8CzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAAC,CAAA,EAAW,CAAA,KAAsB;AAChG,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,oBAAA,CAAqB,MAAA,EAAQ,MAAM,CAAA;AACvD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EALgE,qBAAA;AAkEzD,IAAM,mBAAA,2BAAoD,CAAA,KAAsB;AACrF,EAAA,IAAI,MAAM,EAAA,EAAI;AACZ,IAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,MAAA,GAAS,cAAc,CAAC,CAAA;AAC9B,EAAA,MAAM,MAAM,sBAAA,GAAyB,EAAA;AACrC,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,MAAA,EAAQ,GAAG,CAAA;AAC/C,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EATgE,qBAAA;AAqDzD,IAAM,mBAAA,mBAAmD,MAAA,CAAA,CAC9D,IAAA,EACA,GAAA,KACW;AACX,EAAA,IAAI,QAAQ,EAAA,EAAI;AACd,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,SAAA,GAAY,cAAc,IAAI,CAAA;AACpC,EAAA,MAAM,WAAA,GAAc,eAAA,CAAgB,SAAA,EAAW,GAAG,CAAA;AAClD,EAAA,OAAO,cAAc,WAAW,CAAA;AAClC,CAAA,EAXgE,qBAAA;AA6CzD,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AA0BT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyBT,SAAS,+BAAA,GAA+D;AAC7E,EAAA,OAAO,mBAAA;AACT;AAFgB,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAiCT,IAAM,kBAAA,GAAqB;AAyB3B,SAAS,oBAAoB,KAAA,EAAuB;AACzD,EAAA,MAAM,CAAC,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA,GAAI,cAAc,KAAK,CAAA;AAC5C,EAAA,MAAM,CAAC,EAAA,EAAI,EAAA,EAAI,EAAA,EAAI,EAAE,CAAA,GAAI,OAAA;AAIzB,EAAA,MAAM,OAAO,EAAA,GAAK,EAAA;AAClB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MA
AA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAGjC,EAAA,MAAM,IAAA,GAAO,KAAK,EAAA,GAAK,OAAA;AACvB,EAAA,MAAM,KAAK,IAAA,GAAO,MAAA;AAClB,EAAA,MAAM,OAAA,GAAU,EAAE,IAAA,IAAQ,GAAA,CAAA,GAAO,EAAA;AAIjC,EAAA,MAAM,WAAA,GAAc,OAAA;AAEpB,EAAA,OAAO,aAAA,CAAc;AAAA,IACnB,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE,CAAA;AAAA,IACtC,kBAAA,CAAmB,WAAA,EAAa,EAAA,EAAI,EAAE;AAAA,GACvC,CAAA;AACH;AAnCgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;AAyDT,SAAS,gCAAA,CAAiC,OAAmB,MAAA,EAAwB;AAC1F,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,MAAA,EAAQ,SAAS,gBAAgB,CAAA;AAC3D,EAAA,MAAM,WAAA,GAAc,kBAAkB,KAAK,CAAA;AAC3C,EAAA,OAAO,wBAAwB,WAAW,CAAA;AAC5C;AAJgB,MAAA,CAAA,gCAAA,EAAA,kCAAA,CAAA;AAyET,SAAS,iCACd,IAAA,EACgD;AAEhD,EAAA,MAAM,EAAE,QAAQ,SAAA,GAAY,mBAAA,EAAqB,QAAQ,SAAA,GAAY,mBAAA,EAAoB,GACvF,IAAA,IAAQ,EAAC;AAEX,EAAA,OAAO,CAAC,KAAA,KAA+C;AAIrD,IAAA,MAAM,IAAA,GAAO,gCAAA,CAAiC,KAAA,EAAO,CAAC,CAAA;AACtD,IAAA,MAAM,GAAA,GAAM,gCAAA,CAAiC,KAAA,EAAO,EAAE,CAAA;AAItD,IAAA,MAAM,UAAA,GAAa,oBAAoB,GAAG,CAAA;AAC1C,IAAA,MAAM,WAAA,GAAc,oBAAoB,IAAI,CAAA;AAI5C,IAAA,MAAM,UAAA,GAAa,SAAA,CAAU,WAAA,EAAa,kBAAkB,CAAA;AAC5D,IAAA,MAAM,MAAA,GAAS,SAAA,CAAU,UAAA,EAAY,UAAU,CAAA;AAE/C,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;AA1BgB,MAAA,CAAA,gCAAA,EAAA,kCAAA,CAAA;AA2ET,IAAM,gCACX,gCAAA","file":"chunk-2IJ3WWKS.js","sourcesContent":["/**\n * Curve25519 Base Field Arithmetic — Concrete Implementation\n *\n * This module provides the constant-operation-count implementations of all\n * modular arithmetic operations over the Curve25519 prime field GF(p), where:\n * ```\n * p = 2^255 - 19\n * = 57896044618658097711785492504343953926634992332820282019728792003956564819949\n * ```\n *\n * ## Role in the SDK\n *\n * This module is the lowest-level arithmetic layer in the SDK's cryptographic\n * stack. 
Its exported functions are consumed by:\n *\n * - **`crypto/rescue-cipher/`** — the Rescue-XLIX block cipher used inside\n * Arcium MPC computations for symmetric encryption of Umbra confidential\n * token account balances.\n * - **`math/curve25519/interfaces`** — the function-type contracts that the\n * exported symbols satisfy.\n * - Dependency-injection consumers that call\n * `getCurve25519FieldElementSampler` with custom arithmetic.\n *\n * X25519 key-exchange itself (used for Umbra encrypted token account key\n * registration) does not call this module directly — its scalar multiplication\n * is handled by `@noble/curves` — but the field prime is the same.\n *\n * ## Algorithm Overview\n *\n * ### Addition / Subtraction\n *\n * Both operations are implemented at the 4-limb level using carry/borrow\n * propagation, followed by a **constant-time conditional correction**:\n *\n * - **Addition**: compute `t = a + b`; if `t ≥ p` then return `t - p`, else `t`.\n * The conditional is resolved by a bitwise mask derived from the carry and\n * borrow, never an `if` statement.\n * - **Subtraction**: compute `d = a - b`; if a borrow occurred (a < b), add `p`\n * back. The borrow bit is propagated as a mask applied to `P_LIMBS`.\n *\n * ### Multiplication\n *\n * Uses JavaScript's native `BigInt` multiplication (`a * b`) followed by\n * a single `% p` reduction. While this is not a limb-level schoolbook\n * implementation, `BigInt` intermediate values of ≤ 510 bits keep the\n * per-call work uniform. Montgomery form is not used because the constant\n * conversion overhead is not amortised over the small number of multiplications\n * per Rescue-XLIX round.\n *\n * ### Inversion\n *\n * Uses Fermat's Little Theorem: `a^(-1) ≡ a^(p-2) (mod p)`. 
This delegates to\n * the square-and-multiply exponentiation function with a fixed exponent of\n * p - 2 ≈ 2^255, costing ≈ 255 squarings and ~128 multiplications.\n *\n * ### Exponentiation\n *\n * Binary (square-and-multiply) exponentiation via `modularExpLimbs`. The loop\n * visits each bit of the exponent from LSB to MSB; the branch on the current\n * bit (`exp & 1n`) operates on the **exponent**, not secret field data, so it\n * does not constitute a secret-dependent branch.\n *\n * ## Security Considerations\n *\n * True hardware-level constant time cannot be guaranteed in JavaScript because\n * the V8/SpiderMonkey JIT, branch predictors, and GC can all introduce\n * data-dependent timing variation. These implementations are\n * **constant-operation-count**: they always execute the same sequence of BigInt\n * operations regardless of the input values. This is the accepted standard for\n * JavaScript cryptographic libraries (e.g., `@noble/curves`).\n *\n * Secret-dependent branching is avoided by:\n * - Using `constantTimeSelect` (bitwise mask) for all conditional value choices.\n * - Processing all 4 limbs in every loop iteration regardless of value.\n * - Applying `P_LIMBS` correction via masking rather than a conditional add.\n *\n * ## Limb Representation\n *\n * All internal computation decomposes field elements into four 64-bit limbs\n * stored in little-endian order `[limb0, limb1, limb2, limb3]`:\n * ```\n * value = limb0 + limb1×2^64 + limb2×2^128 + limb3×2^192\n * ```\n * - `limb0` — bits 0-63 (least significant)\n * - `limb1` — bits 64-127\n * - `limb2` — bits 128-191\n * - `limb3` — bits 192-255 (most significant; high bit always 0 for valid elements)\n *\n * The 4-limb split keeps individual BigInt values at a uniform 64-bit size,\n * making per-limb arithmetic cost independent of the field element's magnitude.\n *\n * @module implementation/mathematics/curve25519-field-arithmetic\n * @packageDocumentation\n */\n\nimport type {\n 
Curve25519FieldElementLimb,\n Curve25519ModuloAddFunction as Curve25519ModuleAddFunction,\n Curve25519ModuloInvFunction as Curve25519ModuleInvFunction,\n Curve25519ModuloMulFunction as Curve25519ModuleMulFunction,\n Curve25519ModuloPowFunction as Curve25519ModulePowFunction,\n Curve25519ModuloSubFunction as Curve25519ModuleSubFunction,\n U512BasedCurve25519FieldElementSamplerFunction as U512BasedCurve25519FieldElementSamplerFunction,\n U512BasedCurve25519FieldElementSamplerDeps,\n} from \"./interfaces\";\nimport { CURVE25519_FIELD_PRIME, type Curve25519FieldElement, type U512BeBytes, U256_BYTE_LENGTH } from \"@sdk/core/types\";\nimport { createU256BeBytes } from \"@sdk/utilities/converters/branded\";\nimport { decodeU256BeBytesToU256 } from \"@sdk/utilities/converters/mathematics\";\n\n// =============================================================================\n// Constants\n// =============================================================================\n\n/**\n * The number of bits per limb used in the 4-limb field element representation.\n *\n * @remarks\n * All field elements are decomposed into 4 limbs of exactly 64 bits each.\n * Using 64 as the limb width keeps each limb within the range of a single\n * 64-bit unsigned integer, making carry/borrow arithmetic straightforward\n * with BigInt shift operations.\n *\n * @public\n */\nexport const N64 = 64n;\n\n/**\n * Bitmask for extracting the lower 64 bits from a BigInt.\n *\n * @remarks\n * Equal to 2^64 - 1 = 0xFFFFFFFFFFFFFFFF. 
Applied with the bitwise AND\n * operator (`& MASK64`) after any addition or shift to isolate the low 64\n * bits of a result and discard any carry that has propagated into bit 64 or\n * above.\n *\n * @example\n * ```typescript\n * // Extract low 64 bits after an addition that may overflow\n * const sum = a + b + carry;\n * const low64 = sum & MASK64; // keep bits 0-63\n * const nextCarry = sum >> N64; // propagate bit 64 upwards\n * ```\n *\n * @public\n */\nexport const MASK64 = 0xff_ff_ff_ff_ff_ff_ff_ffn;\n\n/**\n * The Curve25519 field prime p = 2^255 - 19 decomposed into 4 × 64-bit limbs,\n * stored in little-endian order.\n *\n * @remarks\n * Binary representation of p = 2^255 - 19:\n * - Bits 0-63: `0xFFFFFFFFFFFFFFED` (= 2^64 - 19)\n * - Bits 64-127: `0xFFFFFFFFFFFFFFFF` (all ones)\n * - Bits 128-191:`0xFFFFFFFFFFFFFFFF` (all ones)\n * - Bits 192-255:`0x7FFFFFFFFFFFFFFF` (2^63 - 1; high bit is 0)\n *\n * The high bit of limb 3 being 0 reflects the fact that p < 2^255.\n *\n * This constant is used in:\n * - `addModularLimbs` — trial subtraction to enforce the canonical range.\n * - `subtractModularLimbs` — conditional addition to wrap negative differences.\n * - `reduce256Curve25519` — single-step reduction of 256-bit values.\n *\n * @privateRemarks\n * Limb 0 value derivation:\n * p = 2^255 - 19. 
The low 64 bits of p are:\n * 2^64 × floor(p / 2^64) + r => r = p mod 2^64 = (2^64 - 19) = 0xFFFFFFFFFFFFFFED\n *\n * @public\n */\nexport const P_LIMBS: Curve25519FieldElementLimb = [\n 0xff_ff_ff_ff_ff_ff_ff_edn, // limb 0 (bits 0-63): 2^64 - 19\n 0xff_ff_ff_ff_ff_ff_ff_ffn, // limb 1 (bits 64-127): all 1s\n 0xff_ff_ff_ff_ff_ff_ff_ffn, // limb 2 (bits 128-191): all 1s\n 0x7f_ff_ff_ff_ff_ff_ff_ffn, // limb 3 (bits 192-255): 2^63 - 1\n];\n\n// =============================================================================\n// Internal Helper Functions\n// =============================================================================\n\n/**\n * Constant-time conditional select between two `bigint` values.\n *\n * @remarks\n * Returns `x` when `bit === 1n` and `y` when `bit === 0n`, without branching\n * on the value of `bit`. The selection is performed using bitwise arithmetic:\n * ```\n * mask = -bit // 0n if bit=0, -1n (all ones) if bit=1\n * result = (x & mask) | (y & ~mask)\n * ```\n * This is the BigInt equivalent of the C idiom `(mask & x) | (~mask & y)`.\n *\n * `bit` MUST be exactly `0n` or `1n`. Passing any other value produces\n * undefined results.\n *\n * @param bit - Selection bit. Must be `0n` or `1n`.\n * @param x - Value returned when `bit === 1n`.\n * @param y - Value returned when `bit === 0n`.\n * @returns `x` if `bit === 1n`; `y` if `bit === 0n`.\n *\n * @privateRemarks\n * JavaScript BigInt negation of a 1-bit value: `-1n` in BigInt is the\n * two's-complement all-ones pattern (arbitrary precision), which acts as a\n * perfect mask. 
`-0n === 0n`, so the 0 case also works correctly.\n *\n * @public\n */\nexport function constantTimeSelect(bit: bigint, x: bigint, y: bigint): bigint {\n const mask = -bit;\n return (x & mask) | (y & ~mask);\n}\n\n/**\n * Decomposes a non-negative `bigint` into the 4-limb little-endian representation\n * used throughout this module.\n *\n * @remarks\n * Extracts four 64-bit windows by successive right-shifts combined with\n * `MASK64`:\n * ```\n * limb0 = value & 0xFFFFFFFFFFFFFFFF (bits 0-63)\n * limb1 = (value >> 64) & 0xFFFFFFFFFFFFFFFF (bits 64-127)\n * limb2 = (value >> 128) & 0xFFFFFFFFFFFFFFFF (bits 128-191)\n * limb3 = (value >> 192) & 0xFFFFFFFFFFFFFFFF (bits 192-255)\n * ```\n *\n * The input must satisfy 0 ≤ value < 2^256. Values in the range [p, 2^256)\n * are representable in limb form but are not canonical field elements;\n * callers are responsible for reducing them if needed.\n *\n * @param value - A non-negative `bigint` in range [0, 2^256 - 1].\n * @returns A 4-element tuple `[limb0, limb1, limb2, limb3]` in little-endian order.\n *\n * @public\n */\nexport function bigintToLimbs(value: bigint): Curve25519FieldElementLimb {\n return [\n value & MASK64,\n (value >> N64) & MASK64,\n (value >> (N64 * 2n)) & MASK64,\n (value >> (N64 * 3n)) & MASK64,\n ];\n}\n\n/**\n * Reconstructs a `bigint` from the 4-limb little-endian representation.\n *\n * @remarks\n * Computes:\n * ```\n * value = limbs[0]\n * + limbs[1] × 2^64\n * + limbs[2] × 2^128\n * + limbs[3] × 2^192\n * ```\n *\n * This is the inverse of {@link bigintToLimbs}. 
The reconstructed value lies in\n * [0, 2^256 - 1] (or [0, p-1] if the limbs represent a canonical field element).\n *\n * @param limbs - A 4-element tuple in little-endian order, each limb in [0, 2^64 - 1].\n * @returns The reconstructed `bigint` value.\n *\n * @public\n */\nexport function limbsToBigint(limbs: Curve25519FieldElementLimb): bigint {\n return limbs[0] + (limbs[1] << N64) + (limbs[2] << (N64 * 2n)) + (limbs[3] << (N64 * 3n));\n}\n\n/**\n * Constant-time modular addition of two field elements, both in 4-limb form.\n *\n * @remarks\n * ## Algorithm\n *\n * **Step 1 — Raw addition with carry propagation:**\n * ```\n * t[i] = a[i] + b[i] + carry_in\n * t_carry = final carry out of limb 3\n * ```\n * The carry is propagated upward through all 4 limbs. After all limbs are\n * processed, `tCarry` is `1n` iff the sum `a + b` exceeded 2^256 - 1.\n *\n * **Step 2 — Trial subtraction:**\n * ```\n * d = t - p (with borrow propagation across 4 limbs)\n * ```\n * After this step, `borrow` is `1n` iff `t < p` (i.e., no reduction needed).\n *\n * **Step 3 — Constant-time selection:**\n * ```\n * useD = tCarry | (1 - borrow)\n * result[i] = constantTimeSelect(useD, d[i], t[i])\n * ```\n * If `tCarry` is 1 (overflow) or if the trial subtraction did not borrow\n * (meaning t ≥ p), use the reduced value `d`. Otherwise use `t`.\n *\n * No `if` statement branches on input-derived data.\n *\n * @param a - Minuend in 4-limb form. Each limb in [0, 2^64 - 1]; value in [0, p-1].\n * @param b - Subtrahend in 4-limb form. Each limb in [0, 2^64 - 1]; value in [0, p-1].\n * @returns The canonical sum `(a + b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function addModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // 1. 
Raw Addition: t = a + b\n const t: bigint[] = [0n, 0n, 0n, 0n];\n let carry = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sum = a[index] + b[index] + carry;\n t[index] = sum & MASK64;\n carry = sum >> N64;\n }\n const tCarry = carry;\n\n // 2. Trial Subtraction: d = t - p\n const d: bigint[] = [0n, 0n, 0n, 0n];\n let borrow = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sub = t[index] - P_LIMBS[index] - borrow;\n d[index] = sub & MASK64;\n borrow = -(sub >> N64);\n }\n\n // 3. Selection: use d if overflow or no borrow\n const useD = tCarry | (1n - borrow);\n\n return [\n constantTimeSelect(useD, d[0], t[0]),\n constantTimeSelect(useD, d[1], t[1]),\n constantTimeSelect(useD, d[2], t[2]),\n constantTimeSelect(useD, d[3], t[3]),\n ];\n}\n\n/**\n * Constant-time modular subtraction of two field elements, both in 4-limb form.\n *\n * @remarks\n * ## Algorithm\n *\n * **Step 1 — Raw subtraction with borrow propagation:**\n * ```\n * out[i] = a[i] - b[i] - borrow_in\n * ```\n * After all 4 limbs, `borrow` is `1n` iff a < b (the difference is negative\n * in ordinary arithmetic and must wrap around modulo p).\n *\n * **Step 2 — Conditional add-back of p:**\n * ```\n * mask = -borrow // all-ones mask if a < b, zero mask otherwise\n * for each limb i:\n * addValue = P_LIMBS[i] & mask // add p iff borrow occurred\n * out[i] = out[i] + addValue + carry\n * ```\n * The mask is derived from the borrow bit without a branch. When borrow = 0\n * the mask is 0 and no correction is applied. When borrow = 1 the mask is\n * all-ones and p is added back.\n *\n * @param a - Minuend in 4-limb form. Value in [0, p-1].\n * @param b - Subtrahend in 4-limb form. Value in [0, p-1].\n * @returns The canonical difference `(a - b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function subtractModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // 1. 
Calculate diff = a - b\n const out: bigint[] = [0n, 0n, 0n, 0n];\n let borrow = 0n;\n\n for (let index = 0; index < 4; index++) {\n const sub = a[index] - b[index] - borrow;\n out[index] = sub & MASK64;\n borrow = -(sub >> N64);\n }\n\n // 2. If we borrowed, add P back using masking\n const mask = -borrow;\n let carry = 0n;\n\n for (let index = 0; index < 4; index++) {\n const addValue = P_LIMBS[index] & mask;\n\n const sum = out[index] + addValue + carry;\n out[index] = sum & MASK64;\n carry = sum >> N64;\n }\n\n return [out[0], out[1], out[2], out[3]];\n}\n\n/**\n * Modular multiplication of two field elements in 4-limb form, returning the\n * product reduced modulo p.\n *\n * @remarks\n * ## Algorithm\n *\n * Converts both limb arrays back to full-precision `BigInt` values, performs\n * native `BigInt` multiplication to obtain a ≤ 510-bit intermediate product,\n * and reduces by `% CURVE25519_FIELD_PRIME`.\n *\n * ```\n * product = limbsToBigint(a) * limbsToBigint(b) (up to 510 bits)\n * reduced = product % p\n * return bigintToLimbs(reduced)\n * ```\n *\n * ## Why Not Schoolbook Limb Multiplication?\n *\n * A true 4×4 schoolbook multiplication would produce an 8-limb (512-bit)\n * intermediate and require a multi-step reduction using the structure of p.\n * JavaScript's `BigInt` already implements this internally, and the V8 engine\n * performs the reduction in native code. This approach is simpler and has\n * predictable worst-case cost.\n *\n * ## Why Not Montgomery Form?\n *\n * Montgomery multiplication eliminates the per-call division at the cost of\n * converting inputs into and out of Montgomery domain. That conversion\n * overhead is only amortized when the same operands participate in many\n * multiplications (e.g., long scalar multiplication chains). For the Rescue\n * cipher's relatively short permutation rounds, the conversion cost is not\n * justified.\n *\n * @param a - First factor in 4-limb form. 
Value in [0, p-1].\n * @param b - Second factor in 4-limb form. Value in [0, p-1].\n * @returns The canonical product `(a × b) mod p` in 4-limb form.\n *\n * @public\n */\nexport function multiplyModularLimbs(\n a: Curve25519FieldElementLimb,\n b: Curve25519FieldElementLimb,\n): Curve25519FieldElementLimb {\n // For Curve25519, we use direct multiplication and reduction\n // This is simpler than Montgomery for this specific prime\n const aBig = limbsToBigint(a);\n const bBig = limbsToBigint(b);\n const product = (aBig * bBig) % CURVE25519_FIELD_PRIME;\n return bigintToLimbs(product);\n}\n\n/**\n * Modular exponentiation of a field element by an arbitrary non-negative\n * exponent, using binary square-and-multiply.\n *\n * @remarks\n * ## Algorithm — Binary Exponentiation\n *\n * Starting from `result = 1` (the multiplicative identity in limb form):\n * ```\n * current = base\n * while exp > 0:\n * if (exp & 1) == 1:\n * result = result × current (mod p)\n * current = current × current (mod p)\n * exp >>= 1\n * return result\n * ```\n *\n * The branch `if (exp & 1) == 1` tests a bit of the **exponent**, not a\n * secret field value. When the exponent is a fixed protocol constant (e.g.,\n * p - 2 for inversion) this does not leak secret data; when the exponent is\n * secret (e.g., a private scalar), a constant-time double-and-add should be\n * used instead.\n *\n * ## Cost\n *\n * For an n-bit exponent: at most n squarings and at most n multiplications\n * (≈ n/2 on average). For the full range [0, p-1] this is ≈ 255 squarings\n * and ≈ 128 multiplications.\n *\n * @param base - Base field element in 4-limb form. 
Value in [0, p-1].\n * @param exp - Non-negative exponent as a plain `bigint`.\n * @returns `base^exp mod p` in 4-limb form.\n *\n * @public\n */\nexport function modularExpLimbs(base: Curve25519FieldElementLimb, exp: bigint): Curve25519FieldElementLimb {\n let result: Curve25519FieldElementLimb = [1n, 0n, 0n, 0n];\n let current = base;\n\n while (exp > 0n) {\n if ((exp & 1n) === 1n) {\n result = multiplyModularLimbs(result, current);\n }\n current = multiplyModularLimbs(current, current);\n exp >>= 1n;\n }\n\n return result;\n}\n\n// =============================================================================\n// Exported Functions\n// =============================================================================\n\n/**\n * Constant-operation-count modular addition for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field sum:\n * ```\n * result ≡ a + b (mod p), p = 2^255 - 19\n * ```\n *\n * Implementation delegates to {@link addModularLimbs} which performs the\n * addition and conditional reduction entirely with bitwise masking — no\n * data-dependent branches on `a` or `b`.\n *\n * This function satisfies {@link Curve25519ModuloAddFunction}.\n *\n * @param a - First field element. Must be in canonical range [0, p-1].\n * @param b - Second field element. 
Must be in canonical range [0, p-1].\n * @returns `(a + b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloAdd } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Basic addition\n * const sum = curve25519ModuloAdd(10n, 20n);\n * console.log(sum); // 30n\n *\n * // Wrap-around: p-1 + 1 = 0\n * const wrap = curve25519ModuloAdd(CURVE25519_FIELD_PRIME - 1n, 1n);\n * console.log(wrap); // 0n\n * ```\n *\n * @see {@link curve25519ModuloSub} — complementary subtraction\n * @see {@link getCurve25519ModularAddFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloAdd: Curve25519ModuleAddFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = addModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Constant-operation-count modular subtraction for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field difference:\n * ```\n * result ≡ a - b (mod p), p = 2^255 - 19\n * ```\n *\n * When a < b the result wraps around: `a - b + p`, which is still in [0, p-1].\n * Implementation delegates to {@link subtractModularLimbs}, which adds p back via\n * a borrow-derived bitmask rather than a conditional branch.\n *\n * This function satisfies {@link Curve25519ModuloSubFunction}.\n *\n * @param a - Minuend. Must be in canonical range [0, p-1].\n * @param b - Subtrahend. 
Must be in canonical range [0, p-1].\n * @returns `(a - b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloSub } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Normal subtraction\n * const diff = curve25519ModuloSub(30n, 10n);\n * console.log(diff); // 20n\n *\n * // Wrap-around: 0 - 1 = p - 1\n * const wrap = curve25519ModuloSub(0n, 1n);\n * console.log(wrap === CURVE25519_FIELD_PRIME - 1n); // true\n * ```\n *\n * @see {@link curve25519ModuloAdd} — complementary addition\n * @see {@link getCurve25519ModularSubFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloSub: Curve25519ModuleSubFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = subtractModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular multiplication for the Curve25519 base field.\n *\n * @remarks\n * Computes the canonical field product:\n * ```\n * result ≡ a × b (mod p), p = 2^255 - 19\n * ```\n *\n * Implementation converts both operands to full-precision `BigInt`, multiplies\n * natively (producing a ≤ 510-bit intermediate), then reduces with `% p`.\n * See {@link multiplyModularLimbs} for rationale on why Montgomery form is not used.\n *\n * This function satisfies {@link Curve25519ModuloMulFunction}.\n *\n * @param a - First factor. Must be in canonical range [0, p-1].\n * @param b - Second factor. 
Must be in canonical range [0, p-1].\n * @returns `(a × b) mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloMul } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Basic multiplication\n * const product = curve25519ModuloMul(7n, 8n);\n * console.log(product); // 56n\n *\n * // Large value reduces modulo p\n * const large = curve25519ModuloMul(CURVE25519_FIELD_PRIME - 1n, 2n);\n * // (p-1) × 2 = 2p - 2 ≡ p - 2 (mod p)\n * console.log(large === CURVE25519_FIELD_PRIME - 2n); // true\n * ```\n *\n * @see {@link curve25519ModuloInv} — uses this function for inversion via Fermat's theorem\n * @see {@link getCurve25519ModularMulFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloMul: Curve25519ModuleMulFunction = (a: bigint, b: bigint): bigint => {\n const aLimbs = bigintToLimbs(a);\n const bLimbs = bigintToLimbs(b);\n const resultLimbs = multiplyModularLimbs(aLimbs, bLimbs);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular multiplicative inverse for the Curve25519 base field.\n *\n * @remarks\n * Computes the unique inverse such that:\n * ```\n * a × result ≡ 1 (mod p), p = 2^255 - 19\n * ```\n *\n * ## Algorithm — Fermat's Little Theorem\n *\n * Because p is prime, Fermat's Little Theorem guarantees:\n * ```\n * a^(p-1) ≡ 1 (mod p) for all a ≠ 0\n * ```\n * Therefore:\n * ```\n * a^(-1) ≡ a^(p-2) (mod p)\n * ```\n *\n * The exponent p - 2 is a fixed protocol constant, so the square-and-multiply\n * loop in {@link modularExpLimbs} does not branch on secret data.\n *\n * **Cost**: ≈ 255 squarings + ≈ 128 multiplications. 
For applications that call\n * inversion in a tight loop, a batch-inversion algorithm (Montgomery's trick)\n * can reduce the cost to 1 inversion + 3(n-1) multiplications for n elements.\n *\n * This function satisfies {@link Curve25519ModuloInvFunction}.\n *\n * @param a - The field element to invert. Must be in range [1, p-1].\n * Passing `0n` is a programming error — zero has no multiplicative inverse.\n * @returns The unique inverse `a^(-1) mod p` in range [1, p-1].\n * @throws {Error} If `a === 0n`. The error message is\n * `\"Cannot compute modular inverse of zero\"`.\n *\n * @example\n * ```typescript\n * import { curve25519ModuloInv, curve25519ModuloMul } from \"@umbra-privacy/sdk/math\";\n *\n * const a = 7n;\n * const invA = curve25519ModuloInv(a);\n *\n * // Verification: a × a^{-1} ≡ 1 (mod p)\n * const product = curve25519ModuloMul(a, invA);\n * console.log(product === 1n); // true\n *\n * // Throws for zero\n * try {\n * curve25519ModuloInv(0n);\n * } catch (e) {\n * console.log((e as Error).message); // \"Cannot compute modular inverse of zero\"\n * }\n * ```\n *\n * @see {@link curve25519ModuloPow} — the underlying exponentiation used internally\n * @see {@link getCurve25519ModularInvFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloInv: Curve25519ModuleInvFunction = (a: bigint): bigint => {\n if (a === 0n) {\n throw new Error(\"Cannot compute modular inverse of zero\");\n }\n\n const aLimbs = bigintToLimbs(a);\n const exp = CURVE25519_FIELD_PRIME - 2n;\n const resultLimbs = modularExpLimbs(aLimbs, exp);\n return limbsToBigint(resultLimbs);\n};\n\n/**\n * Modular exponentiation for the Curve25519 base field.\n *\n * @remarks\n * Computes the field power:\n * ```\n * result ≡ base^exp (mod p), p = 2^255 - 19\n * ```\n *\n * Uses binary (square-and-multiply) exponentiation via {@link modularExpLimbs}.\n * The special case `exp === 0n` is handled explicitly: `base^0 = 1` for all\n * `base`, 
including `base = 0`.\n *\n * This function satisfies {@link Curve25519ModuloPowFunction}.\n *\n * @param base - The base. Must be in canonical range [0, p-1].\n * @param exp - A non-negative `bigint` exponent.\n * @returns `base^exp mod p` in canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519ModuloPow } from \"@umbra-privacy/sdk/math\";\n * import { CURVE25519_FIELD_PRIME } from \"@umbra-privacy/sdk/types\";\n *\n * // Small exponent\n * const r1 = curve25519ModuloPow(2n, 10n);\n * console.log(r1); // 1024n\n *\n * // Zero exponent: always 1\n * const r2 = curve25519ModuloPow(12345n, 0n);\n * console.log(r2); // 1n\n *\n * // Fermat's Little Theorem: a^(p-1) ≡ 1 for a ≠ 0\n * const r3 = curve25519ModuloPow(42n, CURVE25519_FIELD_PRIME - 1n);\n * console.log(r3); // 1n\n * ```\n *\n * @see {@link curve25519ModuloInv} — uses this with exponent p-2\n * @see {@link getCurve25519ModularPowFunction} — returns a cached reference to this function\n *\n * @public\n */\nexport const curve25519ModuloPow: Curve25519ModulePowFunction = (\n base: bigint,\n exp: bigint,\n): bigint => {\n if (exp === 0n) {\n return 1n;\n }\n\n const baseLimbs = bigintToLimbs(base);\n const resultLimbs = modularExpLimbs(baseLimbs, exp);\n return limbsToBigint(resultLimbs);\n};\n\n// =============================================================================\n// Getter Functions\n// =============================================================================\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular addition function.\n *\n * @remarks\n * On the first call, stores `curve25519ModuloAdd` in the module-level cache\n * variable and returns it. Subsequent calls return the cached reference\n * without re-assignment. 
This pattern avoids redundant function object\n * allocation when the getter is called in a hot path.\n *\n * The returned function is identical to calling {@link curve25519ModuloAdd}\n * directly; the getter is provided for dependency-injection consumers that\n * accept a `Curve25519ModuloAddFunction` from a provider rather than\n * importing the concrete implementation.\n *\n * @returns The singleton `curve25519ModuloAdd` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularAddFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modAdd = getCurve25519ModularAddFunction();\n * const sum = modAdd(10n, 20n); // 30n\n * ```\n *\n * @see {@link curve25519ModuloAdd} — the underlying constant-time implementation\n *\n * @public\n */\nexport function getCurve25519ModularAddFunction(): Curve25519ModuleAddFunction {\n return curve25519ModuloAdd;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular subtraction function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloSub} directly.\n *\n * @returns The singleton `curve25519ModuloSub` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularSubFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modSub = getCurve25519ModularSubFunction();\n * const diff = modSub(30n, 10n); // 20n\n * ```\n *\n * @see {@link curve25519ModuloSub} — the underlying constant-time implementation\n *\n * @public\n */\nexport function getCurve25519ModularSubFunction(): Curve25519ModuleSubFunction {\n return curve25519ModuloSub;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular multiplication function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloMul} directly.\n *\n * @returns The singleton 
`curve25519ModuloMul` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularMulFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modMul = getCurve25519ModularMulFunction();\n * const product = modMul(7n, 8n); // 56n\n * ```\n *\n * @see {@link curve25519ModuloMul} — the underlying implementation\n *\n * @public\n */\nexport function getCurve25519ModularMulFunction(): Curve25519ModuleMulFunction {\n return curve25519ModuloMul;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular inverse function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloInv} directly.\n *\n * @returns The singleton `curve25519ModuloInv` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularInvFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modInv = getCurve25519ModularInvFunction();\n * const inverse = modInv(7n);\n * // modInv(7n) * 7n ≡ 1 (mod p)\n * ```\n *\n * @see {@link curve25519ModuloInv} — the underlying Fermat's theorem implementation\n *\n * @public\n */\nexport function getCurve25519ModularInvFunction(): Curve25519ModuleInvFunction {\n return curve25519ModuloInv;\n}\n\n/**\n * Returns a lazily cached reference to the Curve25519 modular exponentiation function.\n *\n * @remarks\n * Follows the same lazy-caching pattern as {@link getCurve25519ModularAddFunction}.\n * The returned function is identical to calling {@link curve25519ModuloPow} directly.\n *\n * @returns The singleton `curve25519ModuloPow` function.\n *\n * @example\n * ```typescript\n * import { getCurve25519ModularPowFunction } from \"@umbra-privacy/sdk/math\";\n *\n * const modPow = getCurve25519ModularPowFunction();\n * const result = modPow(2n, 10n); // 1024n\n * ```\n *\n * @see {@link curve25519ModuloPow} — the underlying square-and-multiply implementation\n *\n * @public\n */\nexport function 
getCurve25519ModularPowFunction(): Curve25519ModulePowFunction {\n return curve25519ModuloPow;\n}\n\n// =============================================================================\n// U512-Based Field Element Sampler\n// =============================================================================\n\n/**\n * The Montgomery constant R = 2^256 mod p for the Curve25519 field.\n *\n * @remarks\n * Used in the U512-based sampler to combine the high and low 256-bit halves\n * of a 512-bit input into a single field element:\n * ```\n * result = (high × R + low) mod p\n * ```\n *\n * ## Derivation\n *\n * ```\n * 2^256 = 2 × 2^255\n * = 2 × (p + 19) (since p = 2^255 - 19)\n * = 2p + 38\n * ∴ 2^256 mod p = 38\n * ```\n *\n * The small value of R (just 38) means the multiplication `high × R` can be\n * computed cheaply: it is equivalent to `high × 38`, well within the range\n * of a single BigInt multiply-and-reduce.\n *\n * @public\n */\nexport const R_MOD_P_CURVE25519 = 38n;\n\n/**\n * Reduces a 256-bit value into the canonical Curve25519 field range [0, p)\n * using constant-time trial subtraction.\n *\n * @remarks\n * ## Algorithm\n *\n * Computes `d = value - p` using 4-limb borrow propagation. If the final\n * borrow is 1, then value < p and the original value should be returned;\n * otherwise d is in [0, p) and should be returned. Selection between `value`\n * and `d` is performed with {@link constantTimeSelect} — no branch on the borrow bit.\n *\n * This function handles exactly one conditional subtraction, which is correct\n * because the input is guaranteed to be in [0, 2^256). Any value in\n * [p, 2^256) satisfies p ≤ value < 2p (since p > 2^254), so a single\n * subtraction of p suffices.\n *\n * @param value - A non-negative `bigint` in [0, 2^256 - 1]. Values already\n * in [0, p) are returned unchanged. 
Values in [p, 2^256) are reduced by p.\n * @returns The equivalent element in the canonical range [0, p-1].\n *\n * @public\n */\nexport function reduce256Curve25519(value: bigint): bigint {\n const [l0, l1, l2, l3] = bigintToLimbs(value);\n const [p0, p1, p2, p3] = P_LIMBS;\n\n // Trial subtraction: d = value - p\n // Compute d0\n const sub0 = l0 - p0;\n const d0 = sub0 & MASK64;\n const borrow0 = -(sub0 >> N64) & 1n;\n\n // Compute d1\n const sub1 = l1 - p1 - borrow0;\n const d1 = sub1 & MASK64;\n const borrow1 = -(sub1 >> N64) & 1n;\n\n // Compute d2\n const sub2 = l2 - p2 - borrow1;\n const d2 = sub2 & MASK64;\n const borrow2 = -(sub2 >> N64) & 1n;\n\n // Compute d3\n const sub3 = l3 - p3 - borrow2;\n const d3 = sub3 & MASK64;\n const borrow3 = -(sub3 >> N64) & 1n;\n\n // If borrow3 is 0, value >= p, so use d (the subtracted value)\n // If borrow3 is 1, value < p, so use original value\n const useOriginal = borrow3;\n\n return limbsToBigint([\n constantTimeSelect(useOriginal, l0, d0),\n constantTimeSelect(useOriginal, l1, d1),\n constantTimeSelect(useOriginal, l2, d2),\n constantTimeSelect(useOriginal, l3, d3),\n ]);\n}\n\n/**\n * Decodes 32 bytes from a big-endian byte array starting at `offset` into a\n * `bigint`, using the SDK's typed `U256BeBytes` converter pipeline.\n *\n * @remarks\n * Steps:\n * 1. Slice `bytes[offset .. offset+32]` (32 bytes = 256 bits).\n * 2. Wrap the slice in a `U256BeBytes` branded type via `createU256BeBytes`.\n * 3. Decode the branded bytes to a `bigint` via `decodeU256BeBytesToU256`.\n *\n * The resulting `bigint` is in the range [0, 2^256 - 1]. 
It may be ≥ p;\n * callers are responsible for reducing it if needed (e.g., via\n * {@link reduce256Curve25519}).\n *\n * @param bytes - The source byte array (must be at least `offset + 32` bytes long).\n * @param offset - Byte index at which to start reading the 32-byte window.\n * @returns The big-endian decoded `bigint` for bytes `[offset, offset+32)`.\n *\n * @public\n */\nexport function curve25519BytesToBigintBigEndian(bytes: Uint8Array, offset: number): bigint {\n const slice = bytes.slice(offset, offset + U256_BYTE_LENGTH);\n const u256BeBytes = createU256BeBytes(slice);\n return decodeU256BeBytesToU256(u256BeBytes);\n}\n\n/**\n * Factory that creates a sampler converting 512-bit big-endian byte arrays to\n * uniformly distributed Curve25519 field elements.\n *\n * @remarks\n * ## Purpose\n *\n * Hash-to-field algorithms produce 512-bit outputs to avoid statistical bias\n * when mapping into the 255-bit field. This factory encapsulates the standard\n * two-half combination technique (see below), returning a closure that can be\n * used repeatedly.\n *\n * ## Algorithm\n *\n * Given a 64-byte big-endian input array:\n *\n * 1. **Split** into two 256-bit halves:\n * - `high = input[0..31]` (most significant)\n * - `low = input[32..63]` (least significant)\n *\n * 2. **Reduce** each half into [0, p) via constant-time trial subtraction\n * (`reduce256Curve25519`).\n *\n * 3. **Combine** using the precomputed constant R = 2^256 mod p = 38:\n * ```\n * result = (highReduced × R + lowReduced) mod p\n * ```\n *\n * ## Customization via `deps`\n *\n * The `modAdd` and `modMul` slots in `deps` allow replacing the default\n * constant-time implementations with alternatives. 
Common use cases:\n * - Inject test stubs to exercise the combination logic in isolation.\n * - Use a faster non-constant-time implementation for offline tooling.\n *\n * ## Uniformity\n *\n * The bias of the result is bounded by p / 2^512 < 2^-257, which is\n * negligible for all practical cryptographic purposes.\n *\n * @param deps - Optional overrides for modular arithmetic. If omitted, uses\n * the default constant-time SDK implementations.\n * @returns A closure `(input: U512BeBytes) => Curve25519FieldElement`.\n *\n * @example\n * ```typescript\n * import { getCurve25519FieldElementSampler } from \"@umbra-privacy/sdk/math\";\n *\n * // Default: uses SDK constant-time arithmetic\n * const sampler = getCurve25519FieldElementSampler();\n *\n * const input = crypto.getRandomValues(new Uint8Array(64)) as U512BeBytes;\n * const element = sampler(input);\n * // element is a valid Curve25519FieldElement in [0, p-1]\n *\n * // With custom multiplication for testing\n * const testSampler = getCurve25519FieldElementSampler({\n * modMul: (a, b) => (a * b) % ((1n << 255n) - 19n),\n * });\n * ```\n *\n * @see {@link curve25519FieldElementSampler} — pre-built default instance\n * @see {@link U512BasedCurve25519FieldElementSamplerDeps} — the dependency injection bag\n * @see {@link U512BasedCurve25519FieldElementSamplerFunction} — the returned function's type\n *\n * @public\n */\nexport function getCurve25519FieldElementSampler(\n deps?: U512BasedCurve25519FieldElementSamplerDeps,\n): U512BasedCurve25519FieldElementSamplerFunction {\n // Use provided functions or fall back to defaults\n const { modAdd: moduleAdd = curve25519ModuloAdd, modMul: moduleMul = curve25519ModuloMul } =\n deps ?? 
{};\n\n return (input: U512BeBytes): Curve25519FieldElement => {\n // Extract high and low 256-bit halves (big-endian)\n // bytes 0-31 = high (most significant)\n // bytes 32-63 = low (least significant)\n const high = curve25519BytesToBigintBigEndian(input, 0); // bytes 0-31\n const low = curve25519BytesToBigintBigEndian(input, 32); // bytes 32-63\n\n // Reduce both halves to [0, p)\n // This is necessary because 256-bit values can be >= p\n const lowReduced = reduce256Curve25519(low);\n const highReduced = reduce256Curve25519(high);\n\n // Compute: result = (high × R + low) mod p\n // where R = 2^256 mod p = 38 for Curve25519\n const highTimesR = moduleMul(highReduced, R_MOD_P_CURVE25519);\n const result = moduleAdd(highTimesR, lowReduced);\n\n return result as Curve25519FieldElement;\n };\n}\n\n/**\n * Pre-instantiated U512-to-field-element sampler using the default\n * constant-time Curve25519 field arithmetic.\n *\n * @remarks\n * This is a convenience export for callers that do not need to inject custom\n * arithmetic. It is equivalent to calling:\n * ```typescript\n * getCurve25519FieldElementSampler()\n * ```\n * but avoids the factory call overhead for the common case.\n *\n * ## Typical Usage Pattern\n *\n * Hash-to-field: pass the 512-bit output of a wide hash (SHA-512, BLAKE2b-512,\n * HKDF output, etc.) 
directly to this sampler to obtain a uniformly distributed\n * field element:\n * ```\n * fieldElement = sampler(sha512(domainSeparator || message))\n * ```\n *\n * This pattern is used internally in the Umbra SDK wherever a scalar must be\n * derived deterministically from a secret without bias.\n *\n * @param input - A 64-byte big-endian byte array (`U512BeBytes`).\n * @returns A `Curve25519FieldElement` in the canonical range [0, p-1].\n *\n * @example\n * ```typescript\n * import { curve25519FieldElementSampler } from \"@umbra-privacy/sdk/math\";\n *\n * // All-zero input → deterministic result (== 0n)\n * const zeroInput = new Uint8Array(64) as U512BeBytes;\n * const element = curve25519FieldElementSampler(zeroInput);\n * console.log(element); // 0n\n *\n * // Random 64-byte input from a CSPRNG\n * const randomInput = crypto.getRandomValues(new Uint8Array(64)) as U512BeBytes;\n * const randomElement = curve25519FieldElementSampler(randomInput);\n * // randomElement is uniformly distributed in [0, p-1]\n * ```\n *\n * @see {@link getCurve25519FieldElementSampler} — factory for custom arithmetic\n * @see {@link U512BasedCurve25519FieldElementSamplerFunction} — the function type\n *\n * @public\n */\nexport const curve25519FieldElementSampler: U512BasedCurve25519FieldElementSamplerFunction =\n getCurve25519FieldElementSampler();\n"]}
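--- a/package/dist/chunk-2PV6XMDU.js
+++ b/package/dist/chunk-4FGHYI47.js
@@ -1,4 +1,4 @@
- import { computeStructSeed } from './chunk-55LQYM7D.js';
+ import { computeStructSeed } from './chunk-SC34XOU4.js';
  import { __name } from './chunk-7QVYU63E.js';
  import { getAddressEncoder, getProgramDerivedAddress } from '@solana/kit';
  
@@ -30,5 +30,5 @@ async function findETAPda(args) {
  __name(findETAPda, "findETAPda");
  
  export { findETAPda, findEncryptedUserAccountPda };
- //# sourceMappingURL=chunk-2PV6XMDU.js.map
- //# sourceMappingURL=chunk-2PV6XMDU.js.map
+ //# sourceMappingURL=chunk-4FGHYI47.js.map
+ //# sourceMappingURL=chunk-4FGHYI47.js.map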
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/infrastructure/solana/pda/user.ts"],"names":[],"mappings":";;;;AA8CA,IAAM,2BAAA,GAA8B,kBAAkB,sBAAsB,CAAA;AAW5E,IAAM,4BAAA,GAA+B,kBAAkB,uBAAuB,CAAA;AAuC9E,eAAsB,4BACpB,IAAA,EACkB;AAClB,EAAA,MAAM,EAAE,UAAA,EAAY,YAAA,EAAa,GAAI,IAAA;AACrC,EAAA,MAAM,iBAAiB,iBAAA,EAAkB;AAEzC,EAAA,MAAM,CAAC,GAAG,CAAA,GAAI,MAAM,wBAAA,CAAyB;AAAA,IAC3C,cAAA,EAAgB,YAAA;AAAA,IAChB,OAAO,CAAC,2BAAA,EAA6B,cAAA,CAAe,MAAA,CAAO,UAAU,CAAC;AAAA,GACvE,CAAA;AAED,EAAA,OAAO,GAAA;AACT;AAZsB,MAAA,CAAA,2BAAA,EAAA,6BAAA,CAAA;AAuDtB,eAAsB,WACpB,IAAA,EACkB;AAClB,EAAA,MAAM,EAAE,UAAA,EAAY,UAAA,EAAY,YAAA,EAAa,GAAI,IAAA;AACjD,EAAA,MAAM,iBAAiB,iBAAA,EAAkB;AAEzC,EAAA,MAAM,CAAC,GAAG,CAAA,GAAI,MAAM,wBAAA,CAAyB;AAAA,IAC3C,cAAA,EAAgB,YAAA;AAAA,IAChB,KAAA,EAAO;AAAA,MACL,4BAAA;AAAA,MACA,cAAA,CAAe,OAAO,UAAU,CAAA;AAAA,MAChC,cAAA,CAAe,OAAO,UAAU;AAAA;AAClC,GACD,CAAA;AAED,EAAA,OAAO,GAAA;AACT;AAhBsB,MAAA,CAAA,UAAA,EAAA,YAAA,CAAA","file":"chunk-2PV6XMDU.js","sourcesContent":["/**\n * User PDA Utilities\n *\n * This module provides functions to derive Program Derived Addresses (PDAs)\n * for user-related accounts in the Umbra protocol.\n *\n * @remarks\n * Umbra users have two distinct on-chain account types, both stored as\n * Arcium-encrypted accounts so their contents are opaque to on-chain\n * observers:\n *\n * - **`EncryptedUserAccount`** — stores the user's protocol-level state,\n * including their registered X25519 public key and account generation index.\n * Created once per user wallet via `RegisterUserV14`. Referenced by all\n * confidential and compliance instructions that need to look up the user's\n * encryption key.\n *\n * - **`ETA`** — stores the user's encrypted SPL token\n * balance for a specific mint. Created once per `(user, mint)` pair via\n * `InitialiseUserTokenAccount`. 
Modified by deposit, withdrawal, transfer,\n * and claim instructions.\n *\n * Both PDAs are keyed under the Umbra program address (not the Arcium program)\n * because the Umbra program owns and manages these accounts through its\n * instruction handlers and Arcium callbacks.\n *\n * @see {@link findEncryptedUserAccountPda}\n * @see {@link findETAPda}\n *\n * @packageDocumentation\n * @since 2.0.0\n * @module utils/pda/user\n */\n\nimport { type Address, getAddressEncoder, getProgramDerivedAddress } from \"@solana/kit\";\nimport { computeStructSeed } from \"./umbra\";\n\n/**\n * SHA-256 of the string `\"EncryptedUserAccount\"`, stored as a 32-byte `Uint8Array`.\n *\n * Matches `EncryptedUserAccount::SEED` as generated by the\n * `#[umbra_account]` macro in `state/arcium/arcium_encrypted_user_account.rs`.\n * Used as the first seed when deriving encrypted user account PDAs.\n *\n * @internal\n */\nconst ENCRYPTED_USER_ACCOUNT_SEED = computeStructSeed(\"EncryptedUserAccount\");\n\n/**\n * SHA-256 of the string `\"EncryptedTokenAccount\"`, stored as a 32-byte `Uint8Array`.\n *\n * Matches `ETA::SEED` as generated by the\n * `#[umbra_account]` macro in `state/arcium/arcium_encrypted_token_account.rs`.\n * Used as the first seed when deriving encrypted token account PDAs.\n *\n * @internal\n */\nconst ENCRYPTED_TOKEN_ACCOUNT_SEED = computeStructSeed(\"EncryptedTokenAccount\");\n\n/**\n * Arguments for deriving a user's encrypted user account PDA.\n *\n * @public\n */\nexport interface FindEncryptedUserAccountPdaArgs {\n readonly userPubkey: Address;\n readonly umbraProgram: Address;\n}\n\n/**\n * Derives the Program Derived Address for an encrypted user account.\n * Seeds: [EncryptedUserAccount::SEED, user_pubkey]\n *\n * The `EncryptedUserAccount` is the user's top-level protocol identity\n * within Umbra. 
It is a singleton per user wallet and stores the user's\n * registered X25519 public key and account generation index.\n *\n * @param args - The arguments for deriving the PDA.\n * @param args.userPubkey - The user's wallet public key (Solana Ed25519 address).\n * @param args.umbraProgram - The Umbra program address.\n * @returns A Promise resolving to the derived PDA `Address`.\n *\n * @example\n * ```typescript\n * import { findEncryptedUserAccountPda } from \"@umbra-privacy/sdk/pda\";\n *\n * const userAccountPda = await findEncryptedUserAccountPda({\n * userPubkey: userWalletAddress,\n * umbraProgram: networkConfig.programId,\n * });\n * ```\n *\n * @see {@link findETAPda} for per-mint encrypted balance accounts\n *\n * @public\n */\nexport async function findEncryptedUserAccountPda(\n args: FindEncryptedUserAccountPdaArgs,\n): Promise<Address> {\n const { userPubkey, umbraProgram } = args;\n const addressEncoder = getAddressEncoder();\n\n const [pda] = await getProgramDerivedAddress({\n programAddress: umbraProgram,\n seeds: [ENCRYPTED_USER_ACCOUNT_SEED, addressEncoder.encode(userPubkey)],\n });\n\n return pda;\n}\n\n/**\n * Arguments for deriving a user's encrypted token account PDA for one mint.\n *\n * @public\n */\nexport interface FindETAPdaArgs {\n readonly userPubkey: Address;\n readonly mintPubkey: Address;\n readonly umbraProgram: Address;\n}\n\n/**\n * Derives the Program Derived Address for an encrypted token account.\n * Seeds: [ETA::SEED, user_pubkey, mint_pubkey]\n *\n * The `ETA` holds the user's encrypted SPL token\n * balance for a specific mint. 
A separate account exists for each\n * `(user, mint)` pair.\n *\n * @param args - The arguments for deriving the PDA.\n * @param args.userPubkey - The user's wallet public key (Solana Ed25519 address).\n * @param args.mintPubkey - The SPL token mint address.\n * @param args.umbraProgram - The Umbra program address.\n * @returns A Promise resolving to the derived PDA `Address`.\n *\n * @example\n * ```typescript\n * import { findETAPda } from \"@umbra-privacy/sdk/pda\";\n *\n * const tokenAccountPda = await findETAPda({\n * userPubkey: userWalletAddress,\n * mintPubkey: usdcMint,\n * umbraProgram: networkConfig.programId,\n * });\n * ```\n *\n * @see {@link findEncryptedUserAccountPda} for the top-level user identity account\n * @see {@link findTokenPoolPda} for the per-mint pool configuration that governs this account's features\n *\n * @public\n */\nexport async function findETAPda(\n args: FindETAPdaArgs,\n): Promise<Address> {\n const { userPubkey, mintPubkey, umbraProgram } = args;\n const addressEncoder = getAddressEncoder();\n\n const [pda] = await getProgramDerivedAddress({\n programAddress: umbraProgram,\n seeds: [\n ENCRYPTED_TOKEN_ACCOUNT_SEED,\n addressEncoder.encode(userPubkey),\n addressEncoder.encode(mintPubkey),\n ],\n });\n\n return pda;\n}\n"]}
1
+ {"version":3,"sources":["../src/infrastructure/solana/pda/user.ts"],"names":[],"mappings":";;;;AA8CA,IAAM,2BAAA,GAA8B,kBAAkB,sBAAsB,CAAA;AAW5E,IAAM,4BAAA,GAA+B,kBAAkB,uBAAuB,CAAA;AAuC9E,eAAsB,4BACpB,IAAA,EACkB;AAClB,EAAA,MAAM,EAAE,UAAA,EAAY,YAAA,EAAa,GAAI,IAAA;AACrC,EAAA,MAAM,iBAAiB,iBAAA,EAAkB;AAEzC,EAAA,MAAM,CAAC,GAAG,CAAA,GAAI,MAAM,wBAAA,CAAyB;AAAA,IAC3C,cAAA,EAAgB,YAAA;AAAA,IAChB,OAAO,CAAC,2BAAA,EAA6B,cAAA,CAAe,MAAA,CAAO,UAAU,CAAC;AAAA,GACvE,CAAA;AAED,EAAA,OAAO,GAAA;AACT;AAZsB,MAAA,CAAA,2BAAA,EAAA,6BAAA,CAAA;AAuDtB,eAAsB,WACpB,IAAA,EACkB;AAClB,EAAA,MAAM,EAAE,UAAA,EAAY,UAAA,EAAY,YAAA,EAAa,GAAI,IAAA;AACjD,EAAA,MAAM,iBAAiB,iBAAA,EAAkB;AAEzC,EAAA,MAAM,CAAC,GAAG,CAAA,GAAI,MAAM,wBAAA,CAAyB;AAAA,IAC3C,cAAA,EAAgB,YAAA;AAAA,IAChB,KAAA,EAAO;AAAA,MACL,4BAAA;AAAA,MACA,cAAA,CAAe,OAAO,UAAU,CAAA;AAAA,MAChC,cAAA,CAAe,OAAO,UAAU;AAAA;AAClC,GACD,CAAA;AAED,EAAA,OAAO,GAAA;AACT;AAhBsB,MAAA,CAAA,UAAA,EAAA,YAAA,CAAA","file":"chunk-4FGHYI47.js","sourcesContent":["/**\n * User PDA Utilities\n *\n * This module provides functions to derive Program Derived Addresses (PDAs)\n * for user-related accounts in the Umbra protocol.\n *\n * @remarks\n * Umbra users have two distinct on-chain account types, both stored as\n * Arcium-encrypted accounts so their contents are opaque to on-chain\n * observers:\n *\n * - **`EncryptedUserAccount`** — stores the user's protocol-level state,\n * including their registered X25519 public key and account generation index.\n * Created once per user wallet via `RegisterUserV14`. Referenced by all\n * confidential and compliance instructions that need to look up the user's\n * encryption key.\n *\n * - **`ETA`** — stores the user's encrypted SPL token\n * balance for a specific mint. Created once per `(user, mint)` pair via\n * `InitialiseUserTokenAccount`. 
Modified by deposit, withdrawal, transfer,\n * and claim instructions.\n *\n * Both PDAs are keyed under the Umbra program address (not the Arcium program)\n * because the Umbra program owns and manages these accounts through its\n * instruction handlers and Arcium callbacks.\n *\n * @see {@link findEncryptedUserAccountPda}\n * @see {@link findETAPda}\n *\n * @packageDocumentation\n * @since 2.0.0\n * @module utils/pda/user\n */\n\nimport { type Address, getAddressEncoder, getProgramDerivedAddress } from \"@solana/kit\";\nimport { computeStructSeed } from \"./umbra\";\n\n/**\n * SHA-256 of the string `\"EncryptedUserAccount\"`, stored as a 32-byte `Uint8Array`.\n *\n * Matches `EncryptedUserAccount::SEED` as generated by the\n * `#[umbra_account]` macro in `state/arcium/arcium_encrypted_user_account.rs`.\n * Used as the first seed when deriving encrypted user account PDAs.\n *\n * @internal\n */\nconst ENCRYPTED_USER_ACCOUNT_SEED = computeStructSeed(\"EncryptedUserAccount\");\n\n/**\n * SHA-256 of the string `\"EncryptedTokenAccount\"`, stored as a 32-byte `Uint8Array`.\n *\n * Matches `ETA::SEED` as generated by the\n * `#[umbra_account]` macro in `state/arcium/arcium_encrypted_token_account.rs`.\n * Used as the first seed when deriving encrypted token account PDAs.\n *\n * @internal\n */\nconst ENCRYPTED_TOKEN_ACCOUNT_SEED = computeStructSeed(\"EncryptedTokenAccount\");\n\n/**\n * Arguments for deriving a user's encrypted user account PDA.\n *\n * @public\n */\nexport interface FindEncryptedUserAccountPdaArgs {\n readonly userPubkey: Address;\n readonly umbraProgram: Address;\n}\n\n/**\n * Derives the Program Derived Address for an encrypted user account.\n * Seeds: [EncryptedUserAccount::SEED, user_pubkey]\n *\n * The `EncryptedUserAccount` is the user's top-level protocol identity\n * within Umbra. 
It is a singleton per user wallet and stores the user's\n * registered X25519 public key and account generation index.\n *\n * @param args - The arguments for deriving the PDA.\n * @param args.userPubkey - The user's wallet public key (Solana Ed25519 address).\n * @param args.umbraProgram - The Umbra program address.\n * @returns A Promise resolving to the derived PDA `Address`.\n *\n * @example\n * ```typescript\n * import { findEncryptedUserAccountPda } from \"@umbra-privacy/sdk/pda\";\n *\n * const userAccountPda = await findEncryptedUserAccountPda({\n * userPubkey: userWalletAddress,\n * umbraProgram: networkConfig.programId,\n * });\n * ```\n *\n * @see {@link findETAPda} for per-mint encrypted balance accounts\n *\n * @public\n */\nexport async function findEncryptedUserAccountPda(\n args: FindEncryptedUserAccountPdaArgs,\n): Promise<Address> {\n const { userPubkey, umbraProgram } = args;\n const addressEncoder = getAddressEncoder();\n\n const [pda] = await getProgramDerivedAddress({\n programAddress: umbraProgram,\n seeds: [ENCRYPTED_USER_ACCOUNT_SEED, addressEncoder.encode(userPubkey)],\n });\n\n return pda;\n}\n\n/**\n * Arguments for deriving a user's encrypted token account PDA for one mint.\n *\n * @public\n */\nexport interface FindETAPdaArgs {\n readonly userPubkey: Address;\n readonly mintPubkey: Address;\n readonly umbraProgram: Address;\n}\n\n/**\n * Derives the Program Derived Address for an encrypted token account.\n * Seeds: [ETA::SEED, user_pubkey, mint_pubkey]\n *\n * The `ETA` holds the user's encrypted SPL token\n * balance for a specific mint. 
A separate account exists for each\n * `(user, mint)` pair.\n *\n * @param args - The arguments for deriving the PDA.\n * @param args.userPubkey - The user's wallet public key (Solana Ed25519 address).\n * @param args.mintPubkey - The SPL token mint address.\n * @param args.umbraProgram - The Umbra program address.\n * @returns A Promise resolving to the derived PDA `Address`.\n *\n * @example\n * ```typescript\n * import { findETAPda } from \"@umbra-privacy/sdk/pda\";\n *\n * const tokenAccountPda = await findETAPda({\n * userPubkey: userWalletAddress,\n * mintPubkey: usdcMint,\n * umbraProgram: networkConfig.programId,\n * });\n * ```\n *\n * @see {@link findEncryptedUserAccountPda} for the top-level user identity account\n * @see {@link findTokenPoolPda} for the per-mint pool configuration that governs this account's features\n *\n * @public\n */\nexport async function findETAPda(\n args: FindETAPdaArgs,\n): Promise<Address> {\n const { userPubkey, mintPubkey, umbraProgram } = args;\n const addressEncoder = getAddressEncoder();\n\n const [pda] = await getProgramDerivedAddress({\n programAddress: umbraProgram,\n seeds: [\n ENCRYPTED_TOKEN_ACCOUNT_SEED,\n addressEncoder.encode(userPubkey),\n addressEncoder.encode(mintPubkey),\n ],\n });\n\n return pda;\n}\n"]}
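--- a/package/dist/chunk-FBE55AHC.cjs
+++ b/package/dist/chunk-4OPKHKQ4.cjs
@@ -1,6 +1,6 @@
 'use strict';
 
-var chunkBMTIGH3Q_cjs = require('./chunk-BMTIGH3Q.cjs');
+var chunkZE2HKERO_cjs = require('./chunk-ZE2HKERO.cjs');
 var chunkPK6SKIKE_cjs = require('./chunk-PK6SKIKE.cjs');
 
 // src/primitives/math/bn254/field-arithmetic.ts
@@ -194,7 +194,7 @@ var bn254ModuloInv = /* @__PURE__ */ chunkPK6SKIKE_cjs.__name((a) => {
 }
 const aLimbs = bigintToLimbs(a);
 const aMont = toMontgomery(aLimbs);
-const exp = chunkBMTIGH3Q_cjs.BN254_FIELD_PRIME - 2n;
+const exp = chunkZE2HKERO_cjs.BN254_FIELD_PRIME - 2n;
 const resultMont = montgomeryModularExp(aMont, exp);
 const resultLimbs = fromMontgomery(resultMont);
 return limbsToBigint(resultLimbs);
@@ -220,14 +220,14 @@ function getBn254ModularInverter() {
 }
 chunkPK6SKIKE_cjs.__name(getBn254ModularInverter, "getBn254ModularInverter");
 function computeBn254LimbwiseSumInverse(limbs) {
-const sum = (limbs.low + limbs.middle + limbs.high) % chunkBMTIGH3Q_cjs.BN254_FIELD_PRIME;
+const sum = (limbs.low + limbs.middle + limbs.high) % chunkZE2HKERO_cjs.BN254_FIELD_PRIME;
 if (sum === 0n) {
 throw new Error(
 "Cannot compute modular inverse of zero sum. The sum of Base85 limbs must be non-zero."
 );
 }
 const inverse = bn254ModuloInv(sum);
-chunkBMTIGH3Q_cjs.assertBn254FieldElement(inverse);
+chunkZE2HKERO_cjs.assertBn254FieldElement(inverse);
 return inverse;
 }
 chunkPK6SKIKE_cjs.__name(computeBn254LimbwiseSumInverse, "computeBn254LimbwiseSumInverse");
@@ -259,5 +259,5 @@ exports.montgomeryMulLimbs = montgomeryMulLimbs;
 exports.negateModularLimbs = negateModularLimbs;
 exports.subtractModularLimbs = subtractModularLimbs;
 exports.toMontgomery = toMontgomery;
-//# sourceMappingURL=chunk-FBE55AHC.cjs.map
-//# sourceMappingURL=chunk-FBE55AHC.cjs.map
+//# sourceMappingURL=chunk-4OPKHKQ4.cjs.map
+//# sourceMappingURL=chunk-4OPKHKQ4.cjs.map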