@vbyte/btc-dev 2.0.0 → 2.1.0

package/dist/module.mjs

@@ -86,7 +86,10 @@ var Check;
             return true;
         }
         else if (Array.isArray(input) &&
-            input.every(e => typeof e === 'number')) {
+            input.every(e => typeof e === 'number' &&
+                Number.isInteger(e) &&
+                e >= 0 &&
+                e <= 255)) {
             return true;
         }
         else {
@@ -96,26 +99,57 @@ var Check;
     Check.is_bytes = is_bytes;
 })(Check || (Check = {}));
 
-var Assert$1;
+let ValidationError$1 = class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ValidationError';
+    }
+};
+class HexValidationError extends ValidationError$1 {
+    constructor(message) {
+        super(message);
+        this.name = 'HexValidationError';
+    }
+}
+class ByteRangeError extends ValidationError$1 {
+    constructor(message) {
+        super(message);
+        this.name = 'ByteRangeError';
+    }
+}
+class IntegerBoundsError extends ValidationError$1 {
+    constructor(message) {
+        super(message);
+        this.name = 'IntegerBoundsError';
+    }
+}
+class SizeError extends ValidationError$1 {
+    constructor(message) {
+        super(message);
+        this.name = 'SizeError';
+    }
+}
+
+var Assert$2;
 (function (Assert) {
     function within_size(data, size) {
         if (data.length > size) {
-            throw new TypeError(`Data is larger than array size: ${data.length} > ${size}`);
+            throw new SizeError(`Data is larger than array size: ${data.length} > ${size}`);
         }
     }
     Assert.within_size = within_size;
     function is_hex(hex) {
         if (hex.match(/[^a-fA-F0-9]/) !== null) {
-            throw new TypeError(`Invalid characters in hex string: ${hex}`);
+            throw new HexValidationError(`Invalid characters in hex string: ${hex}`);
         }
         if (hex.length % 2 !== 0) {
-            throw new Error(`Length of hex string is invalid: ${hex.length}`);
+            throw new HexValidationError(`Length of hex string is invalid: ${hex.length}`);
         }
     }
     Assert.is_hex = is_hex;
     function is_bytes(bytes) {
         if (!Check.is_bytes(bytes)) {
-            throw new Error(`Bytes contains invalid elements: ${String(bytes)}`);
+            throw new ByteRangeError(`Bytes contains invalid elements: ${String(bytes)}`);
         }
     }
     Assert.is_bytes = is_bytes;
@@ -124,17 +158,17 @@ var Assert$1;
             JSON.parse(str);
         }
         catch {
-            throw new TypeError('JSON string is invalid!');
+            throw new ValidationError$1('JSON string is invalid!');
         }
     }
     Assert.is_json = is_json;
     function is_safe_int(num) {
-        if (num > Number.MAX_SAFE_INTEGER) {
-            throw new TypeError('Number exceeds safe bounds!');
+        if (num > Number.MAX_SAFE_INTEGER || num < Number.MIN_SAFE_INTEGER) {
+            throw new IntegerBoundsError('Number exceeds safe bounds!');
         }
     }
     Assert.is_safe_int = is_safe_int;
-})(Assert$1 || (Assert$1 = {}));
+})(Assert$2 || (Assert$2 = {}));
 
 const _0n$7 = BigInt(0);
 const _255n = BigInt(255);
@@ -228,7 +262,7 @@ function bytes_to_num(bytes) {
     let num = 0;
     for (let i = bytes.length - 1; i >= 0; i--) {
         num = (num * 256) + bytes[i];
-        Assert$1.is_safe_int(num);
+        Assert$2.is_safe_int(num);
     }
     return num;
 }
@@ -259,7 +293,7 @@ function bytes_to_hex(bytes) {
     return chars;
 }
 function get_hex_size(hexstr, size) {
-    Assert$1.is_hex(hexstr);
+    Assert$2.is_hex(hexstr);
     const len = hexstr.length / 2;
     if (size === undefined)
         size = len;
@@ -277,7 +311,7 @@ function buffer(bytes, size, endian) {
         return create_bytes(bytes, size, endian);
     }
     else if (typeof bytes === 'string') {
-        Assert$1.is_hex(bytes);
+        Assert$2.is_hex(bytes);
         return hex_to_bytes(bytes, size, endian);
     }
     else if (typeof bytes === 'bigint') {
@@ -291,7 +325,7 @@ function buffer(bytes, size, endian) {
 function create_bytes(data, size, endian = 'le') {
     if (size === undefined)
         size = data.length;
-    Assert$1.within_size(data, size);
+    Assert$2.within_size(data, size);
     const buffer = new Uint8Array(size).fill(0);
     const offset = (endian === 'be') ? 0 : size - data.length;
     buffer.set(data, offset);
@@ -368,10 +402,14 @@ function bytes_to_str(bytes) {
     return dc.decode(bytes);
 }
 
+const MAX_RANDOM_LENGTH = 1024 * 1024;
 function get_random_bytes(length = 32) {
     if (!Number.isInteger(length) || length < 0) {
         throw new TypeError('Length must be a non-negative integer');
     }
+    if (length > MAX_RANDOM_LENGTH) {
+        throw new RangeError(`Length exceeds maximum allowed: ${length} > ${MAX_RANDOM_LENGTH}`);
+    }
     if (crypto &&
         typeof crypto.getRandomValues === 'function') {
         return crypto.getRandomValues(new Uint8Array(length));
@@ -404,11 +442,11 @@ class Buff extends Uint8Array {
         return new Buff(uint, size, endian);
     }; }
     static { this.hex = (data, size, endian) => {
-        Assert$1.is_hex(data);
+        Assert$2.is_hex(data);
         return new Buff(data, size, endian);
     }; }
     static { this.bytes = (bytes, size, endian) => {
-        Assert$1.is_bytes(bytes);
+        Assert$2.is_bytes(bytes);
         return new Buff(bytes, size, endian);
     }; }
     static { this.json = (data, replacer) => {
@@ -423,7 +461,15 @@ class Buff extends Uint8Array {
         return chunks.map(e => new Buff(e));
     }; }
     static { this.is_equal = (a, b) => {
-        return new Buff(a).hex === new Buff(b).hex;
+        const buf_a = new Buff(a);
+        const buf_b = new Buff(b);
+        if (buf_a.length !== buf_b.length)
+            return false;
+        for (let i = 0; i < buf_a.length; i++) {
+            if (buf_a[i] !== buf_b[i])
+                return false;
+        }
+        return true;
     }; }
     static { this.is_bytes = Check.is_bytes; }
     static { this.is_hex = Check.is_hex; }
@@ -492,7 +538,14 @@ class Buff extends Uint8Array {
         return Buff.join([this, new Buff(data)]);
     }
     equals(data) {
-        return new Buff(data).hex === this.hex;
+        const other = new Buff(data);
+        if (this.length !== other.length)
+            return false;
+        for (let i = 0; i < this.length; i++) {
+            if (this[i] !== other[i])
+                return false;
+        }
+        return true;
     }
     prepend(data) {
         return Buff.join([new Buff(data), this]);
@@ -541,6 +594,9 @@ class Buff extends Uint8Array {
         return hex.map(e => Buff.hex(e, size));
     }
     static create_varint(num, endian) {
+        if (num < 0) {
+            throw new Error(`Varint cannot be negative: ${num}`);
+        }
         if (num < 0xFD) {
             return Buff.num(num, 1);
         }
@@ -593,6 +649,27 @@ class Stream {
     }
 }
 
+class ValidationError extends Error {
+    constructor(message, field) {
+        super(message);
+        this.name = "ValidationError";
+        this.field = field;
+    }
+}
+class DecodingError extends Error {
+    constructor(message, position) {
+        super(message);
+        this.name = "DecodingError";
+        this.position = position;
+    }
+}
+class ConfigError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ConfigError";
+    }
+}
+
 function is_return_script(script) {
     const bytes = Buff.bytes(script);
     return bytes.at(0) === 0x6a;
@@ -647,14 +724,20 @@ function is_opreturn_script(script) {
     return LOCK_SCRIPT_REGEX.opreturn.test(hex);
 }
 
-function sort_obj(obj) {
-    if (obj instanceof Map || Array.isArray(obj) || typeof obj !== 'object') {
+function sort(obj) {
+    if (obj === null ||
+        obj === undefined ||
+        obj instanceof Map ||
+        obj instanceof Set ||
+        obj instanceof Date ||
+        Array.isArray(obj) ||
+        typeof obj !== 'object') {
         return obj;
     }
     else {
         return Object.keys(obj)
             .sort()
-            .filter(([_, value]) => value !== undefined)
+            .filter(key => obj[key] !== undefined)
             .reduce((sorted, key) => {
             sorted[key] = obj[key];
             return sorted;
@@ -681,10 +764,10 @@ var Test;
     Test.is_object = is_object;
     function is_deep_equal(a, b) {
         if (is_object(a))
-            a = sort_obj(a);
+            a = sort(a);
         if (is_object(b))
-            b = sort_obj(b);
-        return String(a) === String(b);
+            b = sort(b);
+        return JSON.stringify(a) === JSON.stringify(b);
     }
     Test.is_deep_equal = is_deep_equal;
     function has_items(array) {
@@ -696,33 +779,33 @@ var Test;
     }
     Test.is_string = is_string;
     function is_number(value) {
-        return Number.isInteger(value) && !Number.isNaN(value);
+        return typeof value === 'number' && Number.isFinite(value);
     }
     Test.is_number = is_number;
+    function is_integer(value) {
+        return Number.isInteger(value);
+    }
+    Test.is_integer = is_integer;
     function is_bigint(value) {
         return typeof value === 'bigint';
     }
     Test.is_bigint = is_bigint;
     function is_uchar(value) {
-        return is_number(value) && value >= 0 && value <= 0xFF;
+        return is_integer(value) && value >= 0 && value <= 0xFF;
     }
     Test.is_uchar = is_uchar;
     function is_ushort(value) {
-        return is_number(value) && value >= 0 && value <= 0xFFFF;
+        return is_integer(value) && value >= 0 && value <= 0xFFFF;
     }
     Test.is_ushort = is_ushort;
     function is_uint(value) {
-        return is_number(value) && value >= 0 && value <= 0xFFFFFFFF;
+        return is_integer(value) && value >= 0 && value <= 0xFFFFFFFF;
     }
     Test.is_uint = is_uint;
     function is_u8a(value) {
         return value instanceof Uint8Array;
     }
     Test.is_u8a = is_u8a;
-    function is_bytes(value) {
-        return Buff.is_bytes(value);
-    }
-    Test.is_bytes = is_bytes;
     function is_base58(value) {
         if (typeof value !== 'string')
             return false;
@@ -757,9 +840,33 @@ var Test;
         return (is_string(value) && is_hex(value) && value.length === 64);
     }
     Test.is_hash = is_hash;
+    function is_null(value) {
+        return value === null;
+    }
+    Test.is_null = is_null;
+    function is_undefined(value) {
+        return value === undefined;
+    }
+    Test.is_undefined = is_undefined;
+    function is_array(value) {
+        return Array.isArray(value);
+    }
+    Test.is_array = is_array;
+    function is_function(value) {
+        return typeof value === 'function';
+    }
+    Test.is_function = is_function;
+    function is_error(value) {
+        return value instanceof Error;
+    }
+    Test.is_error = is_error;
+    function is_promise(value) {
+        return value instanceof Promise || (is_object(value) && is_function(value.then) && is_function(value.catch));
+    }
+    Test.is_promise = is_promise;
 })(Test || (Test = {}));
 
-var Assert;
+var Assert$1;
 (function (Assert) {
     function ok(value, message) {
         if (value === false) {
@@ -809,6 +916,12 @@ var Assert;
         }
     }
     Assert.is_number = is_number;
+    function is_integer(value) {
+        if (!Test.is_integer(value)) {
+            throw new TypeError(`invalid integer: ${String(value)}`);
+        }
+    }
+    Assert.is_integer = is_integer;
     function is_bigint(value) {
         if (!Test.is_bigint(value)) {
             throw new TypeError(`invalid bigint: ${String(value)}`);
@@ -851,19 +964,6 @@ var Assert;
         }
     }
     Assert.is_hash = is_hash;
-    function is_bytes(value, msg) {
-        if (!Test.is_bytes(value)) {
-            throw new TypeError(msg ?? `invalid bytes: ${String(value)}`);
-        }
-    }
-    Assert.is_bytes = is_bytes;
-    function size(input, size, msg) {
-        const bytes = Buff.bytes(input);
-        if (bytes.length !== size) {
-            throw new Error(msg ?? `invalid input size: ${bytes.length} !== ${size}`);
-        }
-    }
-    Assert.size = size;
     function has_items(array, err_msg) {
         if (!Test.has_items(array)) {
             throw new Error(err_msg ?? 'array does not contain any items');
@@ -894,41 +994,41 @@ var Assert;
         }
     }
     Assert.is_bech32 = is_bech32;
-})(Assert || (Assert = {}));
-
-const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
+})(Assert$1 || (Assert$1 = {}));
 
 /**
  * Utilities for hex, bytes, CSPRNG.
  * @module
  */
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
-// node.js versions earlier than v19 don't declare it in global scope.
-// For node.js, package.json#exports field mapping rewrites import
-// from `crypto` to `cryptoNode`, which imports native module.
-// Makes the utils un-importable in browsers without a bundler.
-// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
 /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
 function isBytes$1(a) {
     return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
 }
 /** Asserts something is positive integer. */
-function anumber$1(n) {
-    if (!Number.isSafeInteger(n) || n < 0)
-        throw new Error('positive integer expected, got ' + n);
+function anumber$1(n, title = '') {
+    if (!Number.isSafeInteger(n) || n < 0) {
+        const prefix = title && `"${title}" `;
+        throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+    }
 }
 /** Asserts something is Uint8Array. */
-function abytes$1(b, ...lengths) {
-    if (!isBytes$1(b))
-        throw new Error('Uint8Array expected');
-    if (lengths.length > 0 && !lengths.includes(b.length))
-        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
+function abytes$1(value, length, title = '') {
+    const bytes = isBytes$1(value);
+    const len = value?.length;
+    const needsLen = length !== undefined;
+    if (!bytes || (needsLen && len !== length)) {
+        const prefix = title && `"${title}" `;
+        const ofLen = needsLen ? ` of length ${length}` : '';
+        const got = bytes ? `length=${len}` : `type=${typeof value}`;
+        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+    }
+    return value;
 }
 /** Asserts something is hash */
 function ahash(h) {
     if (typeof h !== 'function' || typeof h.create !== 'function')
-        throw new Error('Hash should be wrapped by utils.createHasher');
+        throw new Error('Hash must wrapped by utils.createHasher');
     anumber$1(h.outputLen);
     anumber$1(h.blockLen);
 }
@@ -941,10 +1041,10 @@ function aexists(instance, checkFinished = true) {
 }
 /** Asserts output is properly-sized byte array */
 function aoutput(out, instance) {
-    abytes$1(out);
+    abytes$1(out, undefined, 'digestInto() output');
     const min = instance.outputLen;
     if (out.length < min) {
-        throw new Error('digestInto() expects output buffer of length at least ' + min);
+        throw new Error('"digestInto() output" expected to be of length >=' + min);
     }
 }
 /** Zeroize a byte array. Warning: JS provides no guarantees. */
@@ -1024,26 +1124,6 @@ function hexToBytes(hex) {
     }
     return array;
 }
-/**
- * Converts string to bytes using UTF8 encoding.
- * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
- */
-function utf8ToBytes(str) {
-    if (typeof str !== 'string')
-        throw new Error('string expected');
-    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
-}
-/**
- * Normalizes (non-hex) string or Uint8Array to Uint8Array.
- * Warning: when Uint8Array is passed, it would NOT get copied.
- * Keep in mind for future mutable operations.
- */
-function toBytes(data) {
-    if (typeof data === 'string')
-        data = utf8ToBytes(data);
-    abytes$1(data);
-    return data;
-}
 /** Copies several Uint8Arrays into one. */
 function concatBytes(...arrays) {
     let sum = 0;
@@ -1060,47 +1140,121 @@ function concatBytes(...arrays) {
     }
     return res;
 }
-/** For runtime check if class implements interface */
-class Hash {
-}
-/** Wraps hash function, creating an interface on top of it */
-function createHasher(hashCons) {
-    const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
-    const tmp = hashCons();
+/** Creates function with outputLen, blockLen, create properties from a class constructor. */
+function createHasher(hashCons, info = {}) {
+    const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+    const tmp = hashCons(undefined);
     hashC.outputLen = tmp.outputLen;
     hashC.blockLen = tmp.blockLen;
-    hashC.create = () => hashCons();
-    return hashC;
+    hashC.create = (opts) => hashCons(opts);
+    Object.assign(hashC, info);
+    return Object.freeze(hashC);
 }
 /** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
 function randomBytes(bytesLength = 32) {
-    if (crypto$1 && typeof crypto$1.getRandomValues === 'function') {
-        return crypto$1.getRandomValues(new Uint8Array(bytesLength));
+    const cr = typeof globalThis === 'object' ? globalThis.crypto : null;
+    if (typeof cr?.getRandomValues !== 'function')
+        throw new Error('crypto.getRandomValues must be defined');
+    return cr.getRandomValues(new Uint8Array(bytesLength));
+}
+/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+const oidNist = (suffix) => ({
+    oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),
+});
+
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @module
+ */
+/** Internal class for HMAC. */
+class _HMAC {
+    oHash;
+    iHash;
+    blockLen;
+    outputLen;
+    finished = false;
+    destroyed = false;
+    constructor(hash, key) {
+        ahash(hash);
+        abytes$1(key, undefined, 'key');
+        this.iHash = hash.create();
+        if (typeof this.iHash.update !== 'function')
+            throw new Error('Expected instance of class which extends utils.Hash');
+        this.blockLen = this.iHash.blockLen;
+        this.outputLen = this.iHash.outputLen;
+        const blockLen = this.blockLen;
+        const pad = new Uint8Array(blockLen);
+        // blockLen can be bigger than outputLen
+        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36;
+        this.iHash.update(pad);
+        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+        this.oHash = hash.create();
+        // Undo internal XOR && apply outer XOR
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36 ^ 0x5c;
+        this.oHash.update(pad);
+        clean(pad);
     }
-    // Legacy Node.js compatibility
-    if (crypto$1 && typeof crypto$1.randomBytes === 'function') {
-        return Uint8Array.from(crypto$1.randomBytes(bytesLength));
+    update(buf) {
+        aexists(this);
+        this.iHash.update(buf);
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        abytes$1(out, this.outputLen, 'output');
+        this.finished = true;
+        this.iHash.digestInto(out);
+        this.oHash.update(out);
+        this.oHash.digestInto(out);
+        this.destroy();
+    }
+    digest() {
+        const out = new Uint8Array(this.oHash.outputLen);
+        this.digestInto(out);
+        return out;
+    }
+    _cloneInto(to) {
+        // Create new instance without calling constructor since key already in state and we don't know it.
+        to ||= Object.create(Object.getPrototypeOf(this), {});
+        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+        to = to;
+        to.finished = finished;
+        to.destroyed = destroyed;
+        to.blockLen = blockLen;
+        to.outputLen = outputLen;
+        to.oHash = oHash._cloneInto(to.oHash);
+        to.iHash = iHash._cloneInto(to.iHash);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    destroy() {
+        this.destroyed = true;
+        this.oHash.destroy();
+        this.iHash.destroy();
     }
-    throw new Error('crypto.getRandomValues must be defined');
 }
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @param hash - function that would be used e.g. sha256
+ * @param key - message key
+ * @param message - message data
+ * @example
+ * import { hmac } from '@noble/hashes/hmac';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * const mac1 = hmac(sha256, 'key', 'message');
+ */
+const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new _HMAC(hash, key);
 
 /**
  * Internal Merkle-Damgard hash utils.
  * @module
  */
-/** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
-function setBigUint64(view, byteOffset, value, isLE) {
-    if (typeof view.setBigUint64 === 'function')
-        return view.setBigUint64(byteOffset, value, isLE);
-    const _32n = BigInt(32);
-    const _u32_max = BigInt(0xffffffff);
-    const wh = Number((value >> _32n) & _u32_max);
-    const wl = Number(value & _u32_max);
-    const h = isLE ? 4 : 0;
-    const l = isLE ? 0 : 4;
-    view.setUint32(byteOffset + h, wh, isLE);
-    view.setUint32(byteOffset + l, wl, isLE);
-}
 /** Choice: a ? b : c */
 function Chi(a, b, c) {
     return (a & b) ^ (~a & c);
@@ -1113,13 +1267,19 @@ function Maj(a, b, c) {
  * Merkle-Damgard hash construction base class.
  * Could be used to create MD5, RIPEMD, SHA1, SHA2.
  */
-class HashMD extends Hash {
+class HashMD {
+    blockLen;
+    outputLen;
+    padOffset;
+    isLE;
+    // For partial updates less than block size
+    buffer;
+    view;
+    finished = false;
+    length = 0;
+    pos = 0;
+    destroyed = false;
     constructor(blockLen, outputLen, padOffset, isLE) {
-        super();
-        this.finished = false;
-        this.length = 0;
-        this.pos = 0;
-        this.destroyed = false;
         this.blockLen = blockLen;
         this.outputLen = outputLen;
         this.padOffset = padOffset;
@@ -1129,7 +1289,6 @@ class HashMD extends Hash {
     }
     update(data) {
         aexists(this);
-        data = toBytes(data);
         abytes$1(data);
         const { view, buffer, blockLen } = this;
         const len = data.length;
@@ -1178,13 +1337,13 @@ class HashMD extends Hash {
         // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
         // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
         // So we just write lowest 64 bits of that value.
-        setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
+        view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
         this.process(view, 0);
         const oview = createView(out);
         const len = this.outputLen;
-        // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
+        // NOTE: we do division by 4 later, which must be fused in single op with modulo by JIT
         if (len % 4)
-            throw new Error('_sha2: outputLen should be aligned to 32bit');
+            throw new Error('_sha2: outputLen must be aligned to 32bit');
         const outLen = len / 4;
         const state = this.get();
         if (outLen > state.length)
@@ -1200,7 +1359,7 @@ class HashMD extends Hash {
         return res;
     }
     _cloneInto(to) {
-        to || (to = new this.constructor());
+        to ||= new this.constructor();
         to.set(...this.get());
         const { blockLen, buffer, length, finished, destroyed, pos } = this;
         to.destroyed = destroyed;
@@ -1224,10 +1383,128 @@ const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
     0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
 ]);
 
+/**
+
+SHA1 (RFC 3174), MD5 (RFC 1321) and RIPEMD160 (RFC 2286) legacy, weak hash functions.
+Don't use them in a new protocol. What "weak" means:
+
+- Collisions can be made with 2^18 effort in MD5, 2^60 in SHA1, 2^80 in RIPEMD160.
+- No practical pre-image attacks (only theoretical, 2^123.4)
+- HMAC seems kinda ok: https://www.rfc-editor.org/rfc/rfc6151
+ * @module
+ */
+// RIPEMD-160
+const Rho160 = /* @__PURE__ */ Uint8Array.from([
+    7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8,
+]);
+const Id160 = /* @__PURE__ */ (() => Uint8Array.from(new Array(16).fill(0).map((_, i) => i)))();
+const Pi160 = /* @__PURE__ */ (() => Id160.map((i) => (9 * i + 5) % 16))();
+const idxLR = /* @__PURE__ */ (() => {
+    const L = [Id160];
+    const R = [Pi160];
+    const res = [L, R];
+    for (let i = 0; i < 4; i++)
+        for (let j of res)
+            j.push(j[i].map((k) => Rho160[k]));
+    return res;
+})();
+const idxL = /* @__PURE__ */ (() => idxLR[0])();
+const idxR = /* @__PURE__ */ (() => idxLR[1])();
+// const [idxL, idxR] = idxLR;
+const shifts160 = /* @__PURE__ */ [
+    [11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8],
+    [12, 13, 11, 15, 6, 9, 9, 7, 12, 15, 11, 13, 7, 8, 7, 7],
+    [13, 15, 14, 11, 7, 7, 6, 8, 13, 14, 13, 12, 5, 5, 6, 9],
+    [14, 11, 12, 14, 8, 6, 5, 5, 15, 12, 15, 14, 9, 9, 8, 6],
+    [15, 12, 13, 13, 9, 5, 8, 6, 14, 11, 12, 11, 8, 6, 5, 5],
+].map((i) => Uint8Array.from(i));
+const shiftsL160 = /* @__PURE__ */ idxL.map((idx, i) => idx.map((j) => shifts160[i][j]));
+const shiftsR160 = /* @__PURE__ */ idxR.map((idx, i) => idx.map((j) => shifts160[i][j]));
+const Kl160 = /* @__PURE__ */ Uint32Array.from([
+    0x00000000, 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xa953fd4e,
+]);
+const Kr160 = /* @__PURE__ */ Uint32Array.from([
+    0x50a28be6, 0x5c4dd124, 0x6d703ef3, 0x7a6d76e9, 0x00000000,
+]);
+// It's called f() in spec.
+function ripemd_f(group, x, y, z) {
+    if (group === 0)
+        return x ^ y ^ z;
+    if (group === 1)
+        return (x & y) | (~x & z);
+    if (group === 2)
+        return (x | ~y) ^ z;
+    if (group === 3)
+        return (x & z) | (y & ~z);
+    return x ^ (y | ~z);
+}
+// Reusable temporary buffer
+const BUF_160 = /* @__PURE__ */ new Uint32Array(16);
+class _RIPEMD160 extends HashMD {
+    h0 = 0x67452301 | 0;
+    h1 = 0xefcdab89 | 0;
+    h2 = 0x98badcfe | 0;
+    h3 = 0x10325476 | 0;
+    h4 = 0xc3d2e1f0 | 0;
+    constructor() {
+        super(64, 20, 8, true);
+    }
+    get() {
+        const { h0, h1, h2, h3, h4 } = this;
+        return [h0, h1, h2, h3, h4];
+    }
+    set(h0, h1, h2, h3, h4) {
+        this.h0 = h0 | 0;
+        this.h1 = h1 | 0;
+        this.h2 = h2 | 0;
+        this.h3 = h3 | 0;
+        this.h4 = h4 | 0;
+    }
+    process(view, offset) {
+        for (let i = 0; i < 16; i++, offset += 4)
+            BUF_160[i] = view.getUint32(offset, true);
+        // prettier-ignore
+        let al = this.h0 | 0, ar = al, bl = this.h1 | 0, br = bl, cl = this.h2 | 0, cr = cl, dl = this.h3 | 0, dr = dl, el = this.h4 | 0, er = el;
+        // Instead of iterating 0 to 80, we split it into 5 groups
+        // And use the groups in constants, functions, etc. Much simpler
+        for (let group = 0; group < 5; group++) {
+            const rGroup = 4 - group;
+            const hbl = Kl160[group], hbr = Kr160[group]; // prettier-ignore
+            const rl = idxL[group], rr = idxR[group]; // prettier-ignore
+            const sl = shiftsL160[group], sr = shiftsR160[group]; // prettier-ignore
+            for (let i = 0; i < 16; i++) {
+                const tl = (rotl(al + ripemd_f(group, bl, cl, dl) + BUF_160[rl[i]] + hbl, sl[i]) + el) | 0;
+                al = el, el = dl, dl = rotl(cl, 10) | 0, cl = bl, bl = tl; // prettier-ignore
+            }
+            // 2 loops are 10% faster
+            for (let i = 0; i < 16; i++) {
+                const tr = (rotl(ar + ripemd_f(rGroup, br, cr, dr) + BUF_160[rr[i]] + hbr, sr[i]) + er) | 0;
+                ar = er, er = dr, dr = rotl(cr, 10) | 0, cr = br, br = tr; // prettier-ignore
+            }
+        }
+        // Add the compressed chunk to the current hash value
+        this.set((this.h1 + cl + dr) | 0, (this.h2 + dl + er) | 0, (this.h3 + el + ar) | 0, (this.h4 + al + br) | 0, (this.h0 + bl + cr) | 0);
+    }
+    roundClean() {
+        clean(BUF_160);
+    }
+    destroy() {
+        this.destroyed = true;
+        clean(this.buffer);
+        this.set(0, 0, 0, 0, 0);
+    }
+}
+/**
+ * RIPEMD-160 - a legacy hash function from 1990s.
+ * * https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
+ * * https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf
+ */
+const ripemd160 = /* @__PURE__ */ createHasher(() => new _RIPEMD160());
+
 /**
  * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
  * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
- * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
+ * Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and
  * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
  * @module
  */
@@ -1248,19 +1525,10 @@ const SHA256_K = /* @__PURE__ */ Uint32Array.from([
 ]);
 /** Reusable temporary buffer. "W" comes straight from spec. */
 const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-class SHA256 extends HashMD {
-    constructor(outputLen = 32) {
+/** Internal 32-byte base SHA2 hash class. */
+class SHA2_32B extends HashMD {
+    constructor(outputLen) {
         super(64, outputLen, 8, false);
-        // We cannot use array here since array allows indexing by variable
-        // which means optimizer/compiler cannot use registers.
-        this.A = SHA256_IV[0] | 0;
-        this.B = SHA256_IV[1] | 0;
-        this.C = SHA256_IV[2] | 0;
-        this.D = SHA256_IV[3] | 0;
-        this.E = SHA256_IV[4] | 0;
-        this.F = SHA256_IV[5] | 0;
-        this.G = SHA256_IV[6] | 0;
-        this.H = SHA256_IV[7] | 0;
     }
     get() {
         const { A, B, C, D, E, F, G, H } = this;
@@ -1323,99 +1591,104 @@ class SHA256 extends HashMD {
         clean(this.buffer);
     }
 }
+/** Internal SHA2-256 hash class. */
+class _SHA256 extends SHA2_32B {
+    // We cannot use array here since array allows indexing by variable
+    // which means optimizer/compiler cannot use registers.
+    A = SHA256_IV[0] | 0;
+    B = SHA256_IV[1] | 0;
+    C = SHA256_IV[2] | 0;
+    D = SHA256_IV[3] | 0;
+    E = SHA256_IV[4] | 0;
+    F = SHA256_IV[5] | 0;
+    G = SHA256_IV[6] | 0;
+    H = SHA256_IV[7] | 0;
+    constructor() {
+        super(32);
+    }
+}
 /**
- * SHA2-256 hash function from RFC 4634.
+ * SHA2-256 hash function from RFC 4634. In JS it's the fastest: even faster than Blake3. Some info:
  *
- * It is the fastest JS hash, even faster than Blake3.
- * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
- * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ * - Trying 2^128 hashes would get 50% chance of collision, using birthday attack.
+ * - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ * - Each sha256 hash is executing 2^18 bit operations.
+ * - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.
  */
-const sha256$1 = /* @__PURE__ */ createHasher(() => new SHA256());
+const sha256$1 = /* @__PURE__ */ createHasher(() => new _SHA256(), 
+/* @__PURE__ */ oidNist(0x01));
 
-/**
- * HMAC: RFC2104 message authentication code.
- * @module
- */
-class HMAC extends Hash {
-    constructor(hash, _key) {
-        super();
-        this.finished = false;
-        this.destroyed = false;
-        ahash(hash);
-        const key = toBytes(_key);
-        this.iHash = hash.create();
-        if (typeof this.iHash.update !== 'function')
-            throw new Error('Expected instance of class which extends utils.Hash');
-        this.blockLen = this.iHash.blockLen;
-        this.outputLen = this.iHash.outputLen;
-        const blockLen = this.blockLen;
-        const pad = new Uint8Array(blockLen);
-        // blockLen can be bigger than outputLen
-        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36;
-        this.iHash.update(pad);
-        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
-        this.oHash = hash.create();
-        // Undo internal XOR && apply outer XOR
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36 ^ 0x5c;
-        this.oHash.update(pad);
-        clean(pad);
+function hash160(...input) {
+    const buffer = Buff.join(input);
+    const digest = ripemd160(sha256$1(buffer));
+    return new Buff(digest);
+}
+function sha256(...input) {
+    const buffer = Buff.join(input);
+    const digest = sha256$1(buffer);
+    return new Buff(digest);
+}
+function hash256(...input) {
+    const buffer = Buff.join(input);
+    const digest = sha256$1(sha256$1(buffer));
+    return new Buff(digest);
+}
+function hashtag(tag) {
+    const hash = sha256(Buff.str(tag));
+    return Buff.join([hash, hash]);
+}
+function hash340(tag, ...input) {
+    const htag = hashtag(tag);
+    const pimg = Buff.join([htag, ...input]);
+    return sha256(pimg);
+}
+
+var Assert;
+(function (Assert) {
+    function ok(value, message) {
+        if (!value) {
+            throw new Error(message ?? 'Assertion failed!');
+        }
     }
-    update(buf) {
-        aexists(this);
-        this.iHash.update(buf);
-        return this;
+    Assert.ok = ok;
+    function size(input, size, msg) {
+        const bytes = Buff.bytes(input);
+        if (bytes.length !== size) {
+            throw new Error(msg ?? `invalid input size: ${bytes.length} !== ${size}`);
+        }
     }
-    digestInto(out) {
-        aexists(this);
-        abytes$1(out, this.outputLen);
-        this.finished = true;
-        this.iHash.digestInto(out);
-        this.oHash.update(out);
-        this.oHash.digestInto(out);
-        this.destroy();
+    Assert.size = size;
+    function is_u8a(value) {
+        if (!(value instanceof Uint8Array)) {
+            throw new TypeError(`invalid Uint8Array: ${String(value)}`);
+        }
     }
-    digest() {
-        const out = new Uint8Array(this.oHash.outputLen);
-        this.digestInto(out);
-        return out;
+    Assert.is_u8a = is_u8a;
+    function is_base58(value) {
+        if (typeof value !== 'string' || !/^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]+$/.test(value)) {
+            throw new Error('invalid base58 string');
+        }
     }
-    _cloneInto(to) {
-        // Create new instance without calling constructor since key already in state and we don't know it.
-        to || (to = Object.create(Object.getPrototypeOf(this), {}));
-        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
-        to = to;
-        to.finished = finished;
-        to.destroyed = destroyed;
-        to.blockLen = blockLen;
-        to.outputLen = outputLen;
-        to.oHash = oHash._cloneInto(to.oHash);
-        to.iHash = iHash._cloneInto(to.iHash);
-        return to;
+    Assert.is_base58 = is_base58;
+    function is_base64(value) {
+        if (typeof value !== 'string' || value.length === 0 || !/^[a-zA-Z0-9+/]+={0,2}$/.test(value)) {
+            throw new Error('invalid base64 string');
+        }
     }
-    clone() {
-        return this._cloneInto();
+    Assert.is_base64 = is_base64;
+    function is_b64url(value) {
+        if (typeof value !== 'string' || value.length === 0 || !/^[a-zA-Z0-9\-_]+={0,2}$/.test(value)) {
+            throw new Error('invalid base64url string');
+        }
     }
-    destroy() {
-        this.destroyed = true;
-        this.oHash.destroy();
-        this.iHash.destroy();
+    Assert.is_b64url = is_b64url;
+    function is_bech32(value) {
+        if (typeof value !== 'string' || !/^[a-z]+1[023456789acdefghjklmnpqrstuvwxyz]+$/.test(value)) {
+            throw new Error('invalid bech32 string');
+        }
     }
-}
-/**
- * HMAC: RFC2104 message authentication code.
- * @param hash - function that would be used e.g. sha256
- * @param key - message key
- * @param message - message data
- * @example
- * import { hmac } from '@noble/hashes/hmac';
- * import { sha256 } from '@noble/hashes/sha2';
- * const mac1 = hmac(sha256, 'key', 'message');
- */
-const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new HMAC(hash, key);
+    Assert.is_bech32 = is_bech32;
+})(Assert || (Assert = {}));
 
 /**
  * Hex, bytes and number utilities.
@@ -1423,32 +1696,26 @@ hmac.create = (hash, key) => new HMAC(hash, key);
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _0n$6 = /* @__PURE__ */ BigInt(0);
-const _1n$5 = /* @__PURE__ */ BigInt(1);
-// tmp name until v2
-function _abool2(value, title = '') {
+const _1n$4 = /* @__PURE__ */ BigInt(1);
+function abool(value, title = '') {
     if (typeof value !== 'boolean') {
-        const prefix = title && `"${title}"`;
+        const prefix = title && `"${title}" `;
         throw new Error(prefix + 'expected boolean, got type=' + typeof value);
     }
     return value;
 }
-// tmp name until v2
-/** Asserts something is Uint8Array. */
-function _abytes2(value, length, title = '') {
-    const bytes = isBytes$1(value);
-    const len = value?.length;
-    const needsLen = length !== undefined;
-    if (!bytes || (needsLen && len !== length)) {
-        const prefix = title && `"${title}" `;
-        const ofLen = needsLen ? ` of length ${length}` : '';
-        const got = bytes ? `length=${len}` : `type=${typeof value}`;
-        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+// Used in weierstrass, der
+function abignumber(n) {
+    if (typeof n === 'bigint') {
+        if (!isPosBig(n))
+            throw new Error('positive bigint expected, got ' + n);
     }
-    return value;
+    else
+        anumber$1(n);
+    return n;
 }
-// Used in weierstrass, der
 function numberToHexUnpadded(num) {
-    const hex = num.toString(16);
+    const hex = abignumber(num).toString(16);
     return hex.length & 1 ? '0' + hex : hex;
 }
 function hexToNumber(hex) {
@@ -1461,56 +1728,40 @@ function bytesToNumberBE(bytes) {
     return hexToNumber(bytesToHex(bytes));
 }
 function bytesToNumberLE(bytes) {
-    abytes$1(bytes);
-    return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
-}
-function numberToBytesBE(n, len) {
-    return hexToBytes(n.toString(16).padStart(len * 2, '0'));
-}
-function numberToBytesLE(n, len) {
-    return numberToBytesBE(n, len).reverse();
-}
-/**
- * Takes hex string or Uint8Array, converts to Uint8Array.
- * Validates output length.
- * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'secret key'
- * @param hex hex string or Uint8Array
- * @param expectedLength optional, will compare to result array's length
- * @returns
- */
-function ensureBytes(title, hex, expectedLength) {
-    let res;
-    if (typeof hex === 'string') {
-        try {
-            res = hexToBytes(hex);
-        }
-        catch (e) {
-            throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
-        }
-    }
-    else if (isBytes$1(hex)) {
-        // Uint8Array.from() instead of hash.slice() because node.js Buffer
-        // is instance of Uint8Array, and its slice() creates **mutable** copy
-        res = Uint8Array.from(hex);
-    }
-    else {
-        throw new Error(title + ' must be hex string or Uint8Array');
-    }
-    const len = res.length;
-    if (typeof expectedLength === 'number' && len !== expectedLength)
-        throw new Error(title + ' of length ' + expectedLength + ' expected, got ' + len);
+    return hexToNumber(bytesToHex(copyBytes(abytes$1(bytes)).reverse()));
+}
+function numberToBytesBE(n, len) {
+    anumber$1(len);
+    n = abignumber(n);
+    const res = hexToBytes(n.toString(16).padStart(len * 2, '0'));
+    if (res.length !== len)
+        throw new Error('number too large');
     return res;
 }
+function numberToBytesLE(n, len) {
+    return numberToBytesBE(n, len).reverse();
+}
 /**
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
+ * and Buffer#slice creates mutable copy. Never use Buffers!
  */
-// export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_;
+function copyBytes(bytes) {
+    return Uint8Array.from(bytes);
+}
 /**
- * Converts bytes to string using UTF8 encoding.
- * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'
+ * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
+ * Should be safe to use for things expected to be ASCII.
+ * Returns exact same result as `TextEncoder` for ASCII or throws.
  */
-// export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_;
+function asciiToBytes(ascii) {
+    return Uint8Array.from(ascii, (c, i) => {
+        const charCode = c.charCodeAt(0);
+        if (c.length !== 1 || charCode > 127) {
+            throw new Error(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
+        }
+        return charCode;
+    });
+}
 // Is positive bigint
 const isPosBig = (n) => typeof n === 'bigint' && _0n$6 <= n;
 function inRange(n, min, max) {
@@ -1538,7 +1789,7 @@ function aInRange(title, n, min, max) {
  */
 function bitLen(n) {
     let len;
-    for (len = 0; n > _0n$6; n >>= _1n$5, len += 1)
+    for (len = 0; n > _0n$6; n >>= _1n$4, len += 1)
         ;
     return len;
 }
@@ -1546,7 +1797,7 @@ function bitLen(n) {
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
  * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
  */
-const bitMask = (n) => (_1n$5 << BigInt(n)) - _1n$5;
+const bitMask = (n) => (_1n$4 << BigInt(n)) - _1n$4;
 /**
  * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
  * @returns function that will call DRBG until 2nd arg returns something meaningful
@@ -1555,15 +1806,16 @@ const bitMask = (n) => (_1n$5 << BigInt(n)) - _1n$5;
  *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
  */
 function createHmacDrbg(hashLen, qByteLen, hmacFn) {
-    if (typeof hashLen !== 'number' || hashLen < 2)
-        throw new Error('hashLen must be a number');
-    if (typeof qByteLen !== 'number' || qByteLen < 2)
-        throw new Error('qByteLen must be a number');
+    anumber$1(hashLen, 'hashLen');
+    anumber$1(qByteLen, 'qByteLen');
     if (typeof hmacFn !== 'function')
         throw new Error('hmacFn must be a function');
-    // Step B, Step C: set hashLen to 8*ceil(hlen/8)
     const u8n = (len) => new Uint8Array(len); // creates Uint8Array
-    const u8of = (byte) => Uint8Array.of(byte); // another shortcut
+    const NULL = Uint8Array.of();
+    const byte0 = Uint8Array.of(0x00);
+    const byte1 = Uint8Array.of(0x01);
+    const _maxDrbgIters = 1000;
+    // Step B, Step C: set hashLen to 8*ceil(hlen/8)
     let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
     let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
     let i = 0; // Iterations counter, will throw when over 1000
@@ -1572,20 +1824,20 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
         k.fill(0);
         i = 0;
     };
-    const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-    const reseed = (seed = u8n(0)) => {
+    const h = (...msgs) => hmacFn(k, concatBytes(v, ...msgs)); // hmac(k)(v, ...values)
+    const reseed = (seed = NULL) => {
         // HMAC-DRBG reseed() function. Steps D-G
-        k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed)
+        k = h(byte0, seed); // k = hmac(k || v || 0x00 || seed)
         v = h(); // v = hmac(k || v)
         if (seed.length === 0)
             return;
-        k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed)
+        k = h(byte1, seed); // k = hmac(k || v || 0x01 || seed)
         v = h(); // v = hmac(k || v)
     };
     const gen = () => {
         // HMAC-DRBG generate() function
-        if (i++ >= 1000)
-            throw new Error('drbg: tried 1000 values');
+        if (i++ >= _maxDrbgIters)
+            throw new Error('drbg: tried max amount of iterations');
         let len = 0;
         const out = [];
         while (len < qByteLen) {
@@ -1607,7 +1859,7 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
     };
     return genUntil;
 }
-function _validateObject(object, fields, optFields = {}) {
+function validateObject(object, fields = {}, optFields = {}) {
     if (!object || typeof object !== 'object')
         throw new Error('expected valid options object');
     function checkField(fieldName, expectedType, isOpt) {
@@ -1618,8 +1870,9 @@ function _validateObject(object, fields, optFields = {}) {
         if (current !== expectedType || val === null)
             throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
     }
-    Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
-    Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
+    const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
+    iter(fields, false);
+    iter(optFields, true);
 }
 /**
  * Memoizes (caches) computation result.
@@ -1644,12 +1897,14 @@ function memoized(fn) {
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Numbers aren't used in x25519 / x448 builds
 // prettier-ignore
-const _0n$5 = BigInt(0), _1n$4 = BigInt(1), _2n$3 = /* @__PURE__ */ BigInt(2), _3n$1 = /* @__PURE__ */ BigInt(3);
+const _0n$5 = /* @__PURE__ */ BigInt(0), _1n$3 = /* @__PURE__ */ BigInt(1), _2n$3 = /* @__PURE__ */ BigInt(2);
 // prettier-ignore
-const _4n$1 = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
+const _3n$1 = /* @__PURE__ */ BigInt(3), _4n$1 = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
 // prettier-ignore
-const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
+const _7n = /* @__PURE__ */ BigInt(7), _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
+const _16n = /* @__PURE__ */ BigInt(16);
 // Calculates a modulo b
 function mod(a, b) {
     const result = a % b;
@@ -1677,7 +1932,7 @@ function invert(number, modulo) {
     let a = mod(number, modulo);
     let b = modulo;
     // prettier-ignore
-    let x = _0n$5, u = _1n$4;
+    let x = _0n$5, u = _1n$3;
     while (a !== _0n$5) {
         // JIT applies optimization if those two lines follow each other
         const q = b / a;
@@ -1687,7 +1942,7 @@ function invert(number, modulo) {
         b = a, a = r, x = u, u = m;
     }
     const gcd = b;
-    if (gcd !== _1n$4)
+    if (gcd !== _1n$3)
         throw new Error('invert: does not exist');
     return mod(x, modulo);
 }
@@ -1700,7 +1955,7 @@ function assertIsSquare(Fp, root, n) {
 // n = 72057594037927816n;
 // Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
 function sqrt3mod4(Fp, n) {
-    const p1div4 = (Fp.ORDER + _1n$4) / _4n$1;
+    const p1div4 = (Fp.ORDER + _1n$3) / _4n$1;
     const root = Fp.pow(n, p1div4);
     assertIsSquare(Fp, root, n);
     return root;
@@ -1752,7 +2007,7 @@ function tonelliShanks(P) {
     if (P < _3n$1)
         throw new Error('sqrt is not defined for small field');
     // Factor P - 1 = Q * 2^S, where Q is odd
-    let Q = P - _1n$4;
+    let Q = P - _1n$3;
     let S = 0;
     while (Q % _2n$3 === _0n$5) {
         Q /= _2n$3;
@@ -1773,7 +2028,7 @@ function tonelliShanks(P) {
     // Slow-path
     // TODO: test on Fp2 and others
     let cc = _Fp.pow(Z, Q); // c = z^Q
-    const Q1div2 = (Q + _1n$4) / _2n$3;
+    const Q1div2 = (Q + _1n$3) / _2n$3;
     return function tonelliSlow(Fp, n) {
         if (Fp.is0(n))
             return n;
@@ -1800,7 +2055,7 @@ function tonelliShanks(P) {
                     throw new Error('Cannot find square root');
             }
             // Calculate the exponent for b: 2^(M - i - 1)
-            const exponent = _1n$4 << BigInt(M - i - 1); // bigint is important
+            const exponent = _1n$3 << BigInt(M - i - 1); // bigint is important
             const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
             // Update variables
             M = i;
@@ -1844,7 +2099,6 @@ const FIELD_FIELDS = [
 function validateField(field) {
     const initial = {
         ORDER: 'bigint',
-        MASK: 'bigint',
         BYTES: 'number',
         BITS: 'number',
     };
@@ -1852,7 +2106,7 @@ function validateField(field) {
         map[val] = 'function';
         return map;
     }, initial);
-    _validateObject(field, opts);
+    validateObject(field, opts);
     // const max = 16384;
     // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
     // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
@@ -1868,15 +2122,15 @@ function FpPow(Fp, num, power) {
         throw new Error('invalid exponent, negatives unsupported');
     if (power === _0n$5)
         return Fp.ONE;
-    if (power === _1n$4)
+    if (power === _1n$3)
         return num;
     let p = Fp.ONE;
     let d = num;
     while (power > _0n$5) {
-        if (power & _1n$4)
+        if (power & _1n$3)
             p = Fp.mul(p, d);
         d = Fp.sqr(d);
-        power >>= _1n$4;
+        power >>= _1n$3;
     }
     return p;
 }
@@ -1917,7 +2171,7 @@ function FpInvertBatch(Fp, nums, passZero = false) {
 function FpLegendre(Fp, n) {
     // We can use 3rd argument as optional cache of this value
     // but seems unneeded for now. The operation is very fast.
-    const p1mod2 = (Fp.ORDER - _1n$4) / _2n$3;
+    const p1mod2 = (Fp.ORDER - _1n$3) / _2n$3;
     const powered = Fp.pow(n, p1mod2);
     const yes = Fp.eql(powered, Fp.ONE);
     const zero = Fp.eql(powered, Fp.ZERO);
@@ -1935,6 +2189,143 @@ function nLength(n, nBitLength) {
     const nByteLength = Math.ceil(_nBitLength / 8);
     return { nBitLength: _nBitLength, nByteLength };
 }
+class _Field {
+    ORDER;
+    BITS;
+    BYTES;
+    isLE;
+    ZERO = _0n$5;
+    ONE = _1n$3;
+    _lengths;
+    _sqrt; // cached sqrt
+    _mod;
+    constructor(ORDER, opts = {}) {
+        if (ORDER <= _0n$5)
+            throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
+        let _nbitLength = undefined;
+        this.isLE = false;
+        if (opts != null && typeof opts === 'object') {
+            if (typeof opts.BITS === 'number')
+                _nbitLength = opts.BITS;
+            if (typeof opts.sqrt === 'function')
+                this.sqrt = opts.sqrt;
+            if (typeof opts.isLE === 'boolean')
+                this.isLE = opts.isLE;
+            if (opts.allowedLengths)
+                this._lengths = opts.allowedLengths?.slice();
+            if (typeof opts.modFromBytes === 'boolean')
+                this._mod = opts.modFromBytes;
+        }
+        const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+        if (nByteLength > 2048)
+            throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+        this.ORDER = ORDER;
+        this.BITS = nBitLength;
+        this.BYTES = nByteLength;
+        this._sqrt = undefined;
+        Object.preventExtensions(this);
+    }
+    create(num) {
+        return mod(num, this.ORDER);
+    }
+    isValid(num) {
+        if (typeof num !== 'bigint')
+            throw new Error('invalid field element: expected bigint, got ' + typeof num);
+        return _0n$5 <= num && num < this.ORDER; // 0 is valid element, but it's not invertible
+    }
+    is0(num) {
+        return num === _0n$5;
+    }
+    // is valid and invertible
+    isValidNot0(num) {
+        return !this.is0(num) && this.isValid(num);
+    }
+    isOdd(num) {
+        return (num & _1n$3) === _1n$3;
+    }
+    neg(num) {
+        return mod(-num, this.ORDER);
+    }
+    eql(lhs, rhs) {
+        return lhs === rhs;
+    }
+    sqr(num) {
+        return mod(num * num, this.ORDER);
+    }
+    add(lhs, rhs) {
+        return mod(lhs + rhs, this.ORDER);
+    }
+    sub(lhs, rhs) {
+        return mod(lhs - rhs, this.ORDER);
+    }
+    mul(lhs, rhs) {
+        return mod(lhs * rhs, this.ORDER);
+    }
+    pow(num, power) {
+        return FpPow(this, num, power);
+    }
+    div(lhs, rhs) {
+        return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
+    }
+    // Same as above, but doesn't normalize
+    sqrN(num) {
+        return num * num;
+    }
+    addN(lhs, rhs) {
+        return lhs + rhs;
+    }
+    subN(lhs, rhs) {
+        return lhs - rhs;
+    }
+    mulN(lhs, rhs) {
+        return lhs * rhs;
+    }
+    inv(num) {
+        return invert(num, this.ORDER);
+    }
+    sqrt(num) {
+        // Caching _sqrt speeds up sqrt9mod16 by 5x and tonneli-shanks by 10%
+        if (!this._sqrt)
+            this._sqrt = FpSqrt(this.ORDER);
+        return this._sqrt(this, num);
+    }
+    toBytes(num) {
+        return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+    }
+    fromBytes(bytes, skipValidation = false) {
+        abytes$1(bytes);
+        const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
+        if (allowedLengths) {
+            if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+                throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
+            }
+            const padded = new Uint8Array(BYTES);
+            // isLE add 0 to right, !isLE to the left.
+            padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+            bytes = padded;
+        }
+        if (bytes.length !== BYTES)
+            throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
+        let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+        if (modFromBytes)
+            scalar = mod(scalar, ORDER);
+        if (!skipValidation)
+            if (!this.isValid(scalar))
+                throw new Error('invalid field element: outside of range 0..ORDER');
+        // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+        // protocol may allow non-reduced scalar that reduced later or changed some other way.
+        return scalar;
+    }
+    // TODO: we don't need it here, move out to separate fn
+    invertBatch(lst) {
+        return FpInvertBatch(this, lst);
+    }
+    // We can't move this out because Fp6, Fp12 implement it
+    // and it's unclear what to return in there.
+    cmov(a, b, condition) {
+        return condition ? b : a;
+    }
+}
 /**
  * Creates a finite field. Major performance optimizations:
  * * 1. Denormalized operations like mulN instead of mul.
@@ -1954,107 +2345,8 @@ function nLength(n, nBitLength) {
  * @param isLE (default: false) if encoding / decoding should be in little-endian
  * @param redef optional faster redefinitions of sqrt and other methods
  */
-function Field(ORDER, bitLenOrOpts, // TODO: use opts only in v2?
-isLE = false, opts = {}) {
-    if (ORDER <= _0n$5)
-        throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-    let _nbitLength = undefined;
-    let _sqrt = undefined;
-    let modFromBytes = false;
-    let allowedLengths = undefined;
-    if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
-        if (opts.sqrt || isLE)
-            throw new Error('cannot specify opts in two arguments');
-        const _opts = bitLenOrOpts;
-        if (_opts.BITS)
-            _nbitLength = _opts.BITS;
-        if (_opts.sqrt)
-            _sqrt = _opts.sqrt;
-        if (typeof _opts.isLE === 'boolean')
-            isLE = _opts.isLE;
-        if (typeof _opts.modFromBytes === 'boolean')
-            modFromBytes = _opts.modFromBytes;
-        allowedLengths = _opts.allowedLengths;
-    }
-    else {
-        if (typeof bitLenOrOpts === 'number')
-            _nbitLength = bitLenOrOpts;
-        if (opts.sqrt)
-            _sqrt = opts.sqrt;
-    }
-    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
-    if (BYTES > 2048)
-        throw new Error('invalid field: expected ORDER of <= 2048 bytes');
-    let sqrtP; // cached sqrtP
-    const f = Object.freeze({
-        ORDER,
-        isLE,
-        BITS,
-        BYTES,
-        MASK: bitMask(BITS),
-        ZERO: _0n$5,
-        ONE: _1n$4,
-        allowedLengths: allowedLengths,
-        create: (num) => mod(num, ORDER),
-        isValid: (num) => {
-            if (typeof num !== 'bigint')
-                throw new Error('invalid field element: expected bigint, got ' + typeof num);
-            return _0n$5 <= num && num < ORDER; // 0 is valid element, but it's not invertible
-        },
-        is0: (num) => num === _0n$5,
-        // is valid and invertible
-        isValidNot0: (num) => !f.is0(num) && f.isValid(num),
-        isOdd: (num) => (num & _1n$4) === _1n$4,
-        neg: (num) => mod(-num, ORDER),
-        eql: (lhs, rhs) => lhs === rhs,
-        sqr: (num) => mod(num * num, ORDER),
-        add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-        sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
-        mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-        pow: (num, power) => FpPow(f, num, power),
-        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
-        // Same as above, but doesn't normalize
-        sqrN: (num) => num * num,
-        addN: (lhs, rhs) => lhs + rhs,
-        subN: (lhs, rhs) => lhs - rhs,
-        mulN: (lhs, rhs) => lhs * rhs,
-        inv: (num) => invert(num, ORDER),
-        sqrt: _sqrt ||
-            ((n) => {
-                if (!sqrtP)
-                    sqrtP = FpSqrt(ORDER);
-                return sqrtP(f, n);
-            }),
-        toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-        fromBytes: (bytes, skipValidation = true) => {
-            if (allowedLengths) {
-                if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
-                    throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
-                }
-                const padded = new Uint8Array(BYTES);
-                // isLE add 0 to right, !isLE to the left.
-                padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
-                bytes = padded;
-            }
-            if (bytes.length !== BYTES)
-                throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-            let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
-            if (modFromBytes)
-                scalar = mod(scalar, ORDER);
-            if (!skipValidation)
-                if (!f.isValid(scalar))
-                    throw new Error('invalid field element: outside of range 0..ORDER');
-            // NOTE: we don't validate scalar here, please use isValid. This done such way because some
-            // protocol may allow non-reduced scalar that reduced later or changed some other way.
-            return scalar;
-        },
-        // TODO: we don't need it here, move out to separate fn
-        invertBatch: (lst) => FpInvertBatch(f, lst),
-        // We can't move this out because Fp6, Fp12 implement it
-        // and it's unclear what to return in there.
-        cmov: (a, b, c) => (c ? b : a),
-    });
-    return Object.freeze(f);
+function Field(ORDER, opts = {}) {
+    return new _Field(ORDER, opts);
 }
 /**
  * Returns total number of bytes consumed by the field element.
@@ -2088,11 +2380,12 @@ function getMinHashLength(fieldOrder) {
  * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
  * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
  * @param hash hash output from SHA3 or a similar function
- * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
+ * @param groupOrder size of subgroup - (e.g. secp256k1.Point.Fn.ORDER)
  * @param isLE interpret hash bytes as LE num
  * @returns valid private scalar
  */
 function mapHashToField(key, fieldOrder, isLE = false) {
+    abytes$1(key);
     const len = key.length;
     const fieldLen = getFieldBytesLength(fieldOrder);
     const minLen = getMinHashLength(fieldOrder);
@@ -2101,7 +2394,7 @@ function mapHashToField(key, fieldOrder, isLE = false) {
         throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
     const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
     // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
-    const reduced = mod(num, fieldOrder - _1n$4) + _1n$4;
+    const reduced = mod(num, fieldOrder - _1n$3) + _1n$3;
     return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
 }
 
@@ -2111,8 +2404,8 @@ function mapHashToField(key, fieldOrder, isLE = false) {
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const _0n$4 = BigInt(0);
-const _1n$3 = BigInt(1);
+const _0n$4 = /* @__PURE__ */ BigInt(0);
+const _1n$2 = /* @__PURE__ */ BigInt(1);
 function negateCt(condition, item) {
     const neg = item.negate();
     return condition ? neg : item;
@@ -2152,7 +2445,7 @@ function calcOffsets(n, window, wOpts) {
     if (wbits > windowSize) {
         // we skip zero, which means instead of `>= size-1`, we do `> size`
         wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
-        nextN += _1n$3; // +256 (carry)
+        nextN += _1n$2; // +256 (carry)
     }
     const offsetStart = window * windowSize;
     const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
@@ -2162,22 +2455,6 @@ function calcOffsets(n, window, wOpts) {
     const offsetF = offsetStart; // fake offset for noise
     return { nextN, offset, isZero, isNeg, isNegF, offsetF };
 }
-function validateMSMPoints(points, c) {
-    if (!Array.isArray(points))
-        throw new Error('array expected');
-    points.forEach((p, i) => {
-        if (!(p instanceof c))
-            throw new Error('invalid point at index ' + i);
-    });
-}
-function validateMSMScalars(scalars, field) {
-    if (!Array.isArray(scalars))
-        throw new Error('array of scalars expected');
-    scalars.forEach((s, i) => {
-        if (!field.isValid(s))
-            throw new Error('invalid scalar at index ' + i);
-    });
-}
 // Since points in different groups cannot be equal (different object constructor),
 // we can have single place to store precomputes.
 // Allows to make points frozen / immutable.
@@ -2211,6 +2488,10 @@ function assert0(n) {
  * This would allow windows to be in different memory locations
  */
 class wNAF {
+    BASE;
+    ZERO;
+    Fn;
+    bits;
     // Parametrized with a given Point class (not individual point)
     constructor(Point, bits) {
         this.BASE = Point.BASE;
@@ -2222,10 +2503,10 @@ class wNAF {
     _unsafeLadder(elm, n, p = this.ZERO) {
         let d = elm;
         while (n > _0n$4) {
-            if (n & _1n$3)
+            if (n & _1n$2)
                 p = p.add(d);
             d = d.double();
-            n >>= _1n$3;
+            n >>= _1n$2;
         }
         return p;
     }
@@ -2367,73 +2648,16 @@ function mulEndoUnsafe(Point, point, k1, k2) {
     let p1 = Point.ZERO;
     let p2 = Point.ZERO;
     while (k1 > _0n$4 || k2 > _0n$4) {
-        if (k1 & _1n$3)
+        if (k1 & _1n$2)
             p1 = p1.add(acc);
-        if (k2 & _1n$3)
+        if (k2 & _1n$2)
             p2 = p2.add(acc);
         acc = acc.double();
-        k1 >>= _1n$3;
-        k2 >>= _1n$3;
+        k1 >>= _1n$2;
+        k2 >>= _1n$2;
     }
     return { p1, p2 };
 }
-/**
- * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
- * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
- * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
- * @param c Curve Point constructor
- * @param fieldN field over CURVE.N - important that it's not over CURVE.P
- * @param points array of L curve points
- * @param scalars array of L scalars (aka secret keys / bigints)
- */
-function pippenger(c, fieldN, points, scalars) {
-    // If we split scalars by some window (let's say 8 bits), every chunk will only
-    // take 256 buckets even if there are 4096 scalars, also re-uses double.
-    // TODO:
-    // - https://eprint.iacr.org/2024/750.pdf
-    // - https://tches.iacr.org/index.php/TCHES/article/view/10287
-    // 0 is accepted in scalars
-    validateMSMPoints(points, c);
-    validateMSMScalars(scalars, fieldN);
-    const plength = points.length;
-    const slength = scalars.length;
-    if (plength !== slength)
-        throw new Error('arrays of points and scalars must have equal length');
-    // if (plength === 0) throw new Error('array must be of length >= 2');
-    const zero = c.ZERO;
-    const wbits = bitLen(BigInt(plength));
-    let windowSize = 1; // bits
-    if (wbits > 12)
-        windowSize = wbits - 3;
-    else if (wbits > 4)
-        windowSize = wbits - 2;
-    else if (wbits > 0)
-        windowSize = 2;
-    const MASK = bitMask(windowSize);
-    const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
-    const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
-    let sum = zero;
-    for (let i = lastBits; i >= 0; i -= windowSize) {
-        buckets.fill(zero);
-        for (let j = 0; j < slength; j++) {
-            const scalar = scalars[j];
-            const wbits = Number((scalar >> BigInt(i)) & MASK);
-            buckets[wbits] = buckets[wbits].add(points[j]);
-        }
-        let resI = zero; // not using this will do small speed-up, but will lose ct
-        // Skip first bucket, because it is zero
-        for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
-            sumI = sumI.add(buckets[j]);
-            resI = resI.add(sumI);
-        }
-        sum = sum.add(resI);
-        if (i !== 0)
-            for (let j = 0; j < windowSize; j++)
-                sum = sum.double();
-    }
-    return sum;
-}
 function createField(order, field, isLE) {
     if (field) {
         if (field.ORDER !== order)
@@ -2446,7 +2670,7 @@ function createField(order, field, isLE) {
     }
 }
 /** Validates CURVE opts and creates fields */
-function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
     if (FpFnLE === undefined)
         FpFnLE = type === 'edwards';
     if (!CURVE || typeof CURVE !== 'object')
@@ -2468,6 +2692,12 @@ function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
     CURVE = Object.freeze(Object.assign({}, CURVE));
     return { CURVE, Fp, Fn };
 }
+function createKeygen(randomSecretKey, getPublicKey) {
+    return function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    };
+}
 
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
@@ -2520,7 +2750,7 @@ function _splitEndoScalar(k, basis, n) {
         k2 = -k2;
     // Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
     // This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
-    const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n$2; // Half bits of N
+    const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n$1; // Half bits of N
     if (k1 < _0n$3 || k1 >= MAX_NUM || k2 < _0n$3 || k2 >= MAX_NUM) {
         throw new Error('splitScalar (endomorphism): failed, k=' + k);
     }
@@ -2537,8 +2767,8 @@ function validateSigOpts(opts, def) {
         // @ts-ignore
         optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
     }
-    _abool2(optsn.lowS, 'lowS');
-    _abool2(optsn.prehash, 'prehash');
+    abool(optsn.lowS, 'lowS');
+    abool(optsn.prehash, 'prehash');
     if (optsn.format !== undefined)
         validateSigFormat(optsn.format);
     return optsn;
@@ -2568,10 +2798,10 @@ const DER = {
                 throw new E('tlv.encode: unpadded data');
             const dataLen = data.length / 2;
             const len = numberToHexUnpadded(dataLen);
-            if ((len.length / 2) & 128)
+            if ((len.length / 2) & 0b1000_0000)
                 throw new E('tlv.encode: long form length too big');
             // length of length with long form flag
-            const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
+            const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
             const t = numberToHexUnpadded(tag);
             return t + lenLen + len + data;
         },
@@ -2584,13 +2814,13 @@ const DER = {
             if (data.length < 2 || data[pos++] !== tag)
                 throw new E('tlv.decode: wrong tlv');
             const first = data[pos++];
-            const isLong = !!(first & 128); // First bit of first length byte is flag for short/long form
+            const isLong = !!(first & 0b1000_0000); // First bit of first length byte is flag for short/long form
             let length = 0;
             if (!isLong)
                 length = first;
             else {
                 // Long form: [longFlag(1bit), lengthLength(7bit), length (BE)]
-                const lenLen = first & 127;
+                const lenLen = first & 0b0111_1111;
                 if (!lenLen)
                     throw new E('tlv.decode(long): indefinite length not supported');
                 if (lenLen > 4)
@@ -2631,17 +2861,17 @@ const DER = {
         },
         decode(data) {
             const { Err: E } = DER;
-            if (data[0] & 128)
+            if (data[0] & 0b1000_0000)
                 throw new E('invalid signature integer: negative');
-            if (data[0] === 0x00 && !(data[1] & 128))
+            if (data[0] === 0x00 && !(data[1] & 0b1000_0000))
                 throw new E('invalid signature integer: unnecessary leading zero');
             return bytesToNumberBE(data);
         },
     },
-    toSig(hex) {
+    toSig(bytes) {
         // parse DER signature
         const { Err: E, _int: int, _tlv: tlv } = DER;
-        const data = ensureBytes('signature', hex);
+        const data = abytes$1(bytes, undefined, 'signature');
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
             throw new E('invalid signature: left bytes after parsing');
@@ -2661,56 +2891,38 @@ const DER = {
 };
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
-const _0n$3 = BigInt(0), _1n$2 = BigInt(1), _2n$2 = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
-function _normFnElement(Fn, key) {
-    const { BYTES: expected } = Fn;
-    let num;
-    if (typeof key === 'bigint') {
-        num = key;
-    }
-    else {
-        let bytes = ensureBytes('private key', key);
-        try {
-            num = Fn.fromBytes(bytes);
-        }
-        catch (error) {
-            throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
-        }
-    }
-    if (!Fn.isValidNot0(num))
-        throw new Error('invalid private key: out of range [1..N-1]');
-    return num;
-}
+const _0n$3 = BigInt(0), _1n$1 = BigInt(1), _2n$2 = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 /**
  * Creates weierstrass Point constructor, based on specified curve options.
  *
+ * See {@link WeierstrassOpts}.
+ *
  * @example
 ```js
 const opts = {
-  p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
-  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  h: BigInt(1),
-  a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
-  b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
-  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+  p: 0xfffffffffffffffffffffffffffffffeffffac73n,
+  n: 0x100000000000000000001b8fa16dfab9aca16b6b3n,
+  h: 1n,
+  a: 0n,
+  b: 7n,
+  Gx: 0x3b4c382ce37aa192a4019e763036f4f5dd4d7ebbn,
+  Gy: 0x938cf935318fdced6bc28286531733c3f03c4feen,
 };
-const p256_Point = weierstrass(opts);
+const secp160k1_Point = weierstrass(opts);
 ```
  */
-function weierstrassN(params, extraOpts = {}) {
-    const validated = _createCurveFields('weierstrass', params, extraOpts);
+function weierstrass(params, extraOpts = {}) {
+    const validated = createCurveFields('weierstrass', params, extraOpts);
     const { Fp, Fn } = validated;
     let CURVE = validated.CURVE;
     const { h: cofactor, n: CURVE_ORDER } = CURVE;
-    _validateObject(extraOpts, {}, {
+    validateObject(extraOpts, {}, {
         allowInfinityPoint: 'boolean',
         clearCofactor: 'function',
         isTorsionFree: 'function',
         fromBytes: 'function',
         toBytes: 'function',
         endo: 'object',
-        wrapPrivateKey: 'boolean',
     });
     const { endo } = extraOpts;
     if (endo) {
@@ -2728,7 +2940,7 @@ function weierstrassN(params, extraOpts = {}) {
     function pointToBytes(_c, point, isCompressed) {
         const { x, y } = point.toAffine();
         const bx = Fp.toBytes(x);
-        _abool2(isCompressed, 'isCompressed');
+        abool(isCompressed, 'isCompressed');
         if (isCompressed) {
             assertCompressionIsSupported();
             const hasEvenY = !Fp.isOdd(y);
@@ -2739,7 +2951,7 @@ function weierstrassN(params, extraOpts = {}) {
         }
     }
     function pointFromBytes(bytes) {
-        _abytes2(bytes, undefined, 'Point');
+        abytes$1(bytes, undefined, 'Point');
         const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
         const length = bytes.length;
         const head = bytes[0];
@@ -2759,9 +2971,9 @@ function weierstrassN(params, extraOpts = {}) {
                 throw new Error('bad point: is not on curve, sqrt error' + err);
             }
             assertCompressionIsSupported();
-            const isYOdd = Fp.isOdd(y); // (y & _1n) === _1n;
-            const isHeadOdd = (head & 1) === 1; // ECDSA-specific
-            if (isHeadOdd !== isYOdd)
+            const evenY = Fp.isOdd(y);
+            const evenH = (head & 1) === 1; // ECDSA-specific
+            if (evenH !== evenY)
                 y = Fp.neg(y);
             return { x, y };
         }
@@ -2810,7 +3022,7 @@ function weierstrassN(params, extraOpts = {}) {
     }
     function aprjpoint(other) {
         if (!(other instanceof Point))
-            throw new Error('ProjectivePoint expected');
+            throw new Error('Weierstrass Point expected');
     }
     function splitEndoScalarN(k) {
         if (!endo || !endo.basises)
@@ -2873,6 +3085,17 @@ function weierstrassN(params, extraOpts = {}) {
      * We're doing calculations in projective, because its operations don't require costly inversion.
      */
     class Point {
+        // base / generator point
+        static BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
+        // zero / infinity / identity point
+        static ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
+        // math field
+        static Fp = Fp;
+        // scalar field
+        static Fn = Fn;
+        X;
+        Y;
+        Z;
         /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
         constructor(X, Y, Z) {
             this.X = acoord('x', X);
@@ -2896,12 +3119,12 @@ function weierstrassN(params, extraOpts = {}) {
             return new Point(x, y, Fp.ONE);
         }
         static fromBytes(bytes) {
-            const P = Point.fromAffine(decodePoint(_abytes2(bytes, undefined, 'point')));
+            const P = Point.fromAffine(decodePoint(abytes$1(bytes, undefined, 'point')));
             P.assertValidity();
             return P;
         }
         static fromHex(hex) {
-            return Point.fromBytes(ensureBytes('pointHex', hex));
+            return Point.fromBytes(hexToBytes(hex));
         }
         get x() {
             return this.toAffine().x;
@@ -3088,11 +3311,13 @@ function weierstrassN(params, extraOpts = {}) {
             if (!Fn.isValid(sc))
                 throw new Error('invalid scalar: out of range'); // 0 is valid
             if (sc === _0n$3 || p.is0())
-                return Point.ZERO;
-            if (sc === _1n$2)
-                return p; // fast-path
+                return Point.ZERO; // 0
+            if (sc === _1n$1)
+                return p; // 1
             if (wnaf.hasCache(this))
-                return this.multiply(sc);
+                return this.multiply(sc); // precomputes
+            // We don't have method for double scalar multiplication (aP + bQ):
+            // Even with using Strauss-Shamir trick, it's 35% slower than naïve mul+add.
             if (endo) {
                 const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
                 const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
@@ -3102,10 +3327,6 @@ function weierstrassN(params, extraOpts = {}) {
                 return wnaf.unsafe(p, sc);
             }
         }
-        multiplyAndAddUnsafe(Q, a, b) {
-            const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
-            return sum.is0() ? undefined : sum;
-        }
         /**
          * Converts Projective point to affine (x, y) coordinates.
          * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
@@ -3119,7 +3340,7 @@ function weierstrassN(params, extraOpts = {}) {
          */
         isTorsionFree() {
             const { isTorsionFree } = extraOpts;
-            if (cofactor === _1n$2)
+            if (cofactor === _1n$1)
                 return true;
             if (isTorsionFree)
                 return isTorsionFree(Point, this);
@@ -3127,7 +3348,7 @@ function weierstrassN(params, extraOpts = {}) {
         }
         clearCofactor() {
             const { clearCofactor } = extraOpts;
-            if (cofactor === _1n$2)
+            if (cofactor === _1n$1)
                 return this; // Fast-path
             if (clearCofactor)
                 return clearCofactor(Point, this);
@@ -3138,7 +3359,7 @@ function weierstrassN(params, extraOpts = {}) {
             return this.multiplyUnsafe(cofactor).is0();
         }
         toBytes(isCompressed = true) {
-            _abool2(isCompressed, 'isCompressed');
+            abool(isCompressed, 'isCompressed');
             this.assertValidity();
             return encodePoint(Point, this, isCompressed);
         }
@@ -3148,40 +3369,7 @@ function weierstrassN(params, extraOpts = {}) {
         toString() {
             return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
         }
-        // TODO: remove
-        get px() {
-            return this.X;
-        }
-        get py() {
-            return this.X;
-        }
-        get pz() {
-            return this.Z;
-        }
-        toRawBytes(isCompressed = true) {
-            return this.toBytes(isCompressed);
-        }
-        _setWindowSize(windowSize) {
-            this.precompute(windowSize);
-        }
-        static normalizeZ(points) {
-            return normalizeZ(Point, points);
-        }
-        static msm(points, scalars) {
-            return pippenger(Point, Fn, points, scalars);
-        }
-        static fromPrivateKey(privateKey) {
-            return Point.BASE.multiply(_normFnElement(Fn, privateKey));
-        }
     }
-    // base / generator point
-    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    // zero / infinity / identity point
-    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
-    // math field
-    Point.Fp = Fp;
-    // scalar field
-    Point.Fn = Fn;
     const bits = Fn.BITS;
     const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
     Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
@@ -3210,7 +3398,8 @@ function ecdh(Point, ecdhOpts = {}) {
     const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
     function isValidSecretKey(secretKey) {
         try {
-            return !!_normFnElement(Fn, secretKey);
+            const num = Fn.fromBytes(secretKey);
+            return Fn.isValidNot0(num);
         }
         catch (error) {
             return false;
@@ -3235,7 +3424,7 @@ function ecdh(Point, ecdhOpts = {}) {
      * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
      */
     function randomSecretKey(seed = randomBytes_(lengths.seed)) {
-        return mapHashToField(_abytes2(seed, lengths.seed, 'seed'), Fn.ORDER);
+        return mapHashToField(abytes$1(seed, lengths.seed, 'seed'), Fn.ORDER);
     }
     /**
      * Computes public key for a secret key. Checks for validity of the secret key.
@@ -3243,24 +3432,18 @@ function ecdh(Point, ecdhOpts = {}) {
      * @returns Public key, full when isCompressed=false; short when isCompressed=true
      */
     function getPublicKey(secretKey, isCompressed = true) {
-        return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
-    }
-    function keygen(seed) {
-        const secretKey = randomSecretKey(seed);
-        return { secretKey, publicKey: getPublicKey(secretKey) };
+        return Point.BASE.multiply(Fn.fromBytes(secretKey)).toBytes(isCompressed);
     }
     /**
      * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
      */
     function isProbPub(item) {
-        if (typeof item === 'bigint')
-            return false;
-        if (item instanceof Point)
-            return true;
         const { secretKey, publicKey, publicKeyUncompressed } = lengths;
-        if (Fn.allowedLengths || secretKey === publicKey)
+        if (!isBytes$1(item))
             return undefined;
-        const l = ensureBytes('key', item).length;
+        if (('_lengths' in Fn && Fn._lengths) || secretKey === publicKey)
+            return undefined;
+        const l = abytes$1(item, undefined, 'key').length;
         return l === publicKey || l === publicKeyUncompressed;
     }
     /**
@@ -3276,31 +3459,24 @@ function ecdh(Point, ecdhOpts = {}) {
             throw new Error('first arg must be private key');
         if (isProbPub(publicKeyB) === false)
             throw new Error('second arg must be public key');
-        const s = _normFnElement(Fn, secretKeyA);
-        const b = Point.fromHex(publicKeyB); // checks for being on-curve
+        const s = Fn.fromBytes(secretKeyA);
+        const b = Point.fromBytes(publicKeyB); // checks for being on-curve
         return b.multiply(s).toBytes(isCompressed);
     }
     const utils = {
         isValidSecretKey,
         isValidPublicKey,
         randomSecretKey,
-        // TODO: remove
-        isValidPrivateKey: isValidSecretKey,
-        randomPrivateKey: randomSecretKey,
-        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
-        precompute(windowSize = 8, point = Point.BASE) {
-            return point.precompute(windowSize, false);
-        },
     };
+    const keygen = createKeygen(randomSecretKey, getPublicKey);
     return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
 }
 /**
  * Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
- * We need `hash` for 2 features:
- * 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
- * 2. k generation in `sign`, using HMAC-drbg(hash)
  *
- * ECDSAOpts are only rarely needed.
+ * @param Point created using {@link weierstrass} function
+ * @param hash used for 1) message prehash-ing 2) k generation in `sign`, using hmac_drbg(hash)
+ * @param ecdsaOpts rarely needed, see {@link ECDSAOpts}
  *
  * @example
  * ```js
@@ -3312,28 +3488,28 @@ function ecdh(Point, ecdhOpts = {}) {
  */
 function ecdsa(Point, hash, ecdsaOpts = {}) {
     ahash(hash);
-    _validateObject(ecdsaOpts, {}, {
+    validateObject(ecdsaOpts, {}, {
         hmac: 'function',
         lowS: 'boolean',
         randomBytes: 'function',
         bits2int: 'function',
         bits2int_modN: 'function',
     });
+    ecdsaOpts = Object.assign({}, ecdsaOpts);
     const randomBytes$1 = ecdsaOpts.randomBytes || randomBytes;
-    const hmac$1 = ecdsaOpts.hmac ||
-        ((key, ...msgs) => hmac(hash, key, concatBytes(...msgs)));
+    const hmac$1 = ecdsaOpts.hmac || ((key, msg) => hmac(hash, key, msg));
     const { Fp, Fn } = Point;
     const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
     const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
     const defaultSigOpts = {
-        prehash: false,
-        lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : false,
-        format: undefined, //'compact' as ECDSASigFormat,
+        prehash: true,
+        lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : true,
+        format: 'compact',
         extraEntropy: false,
     };
-    const defaultSigOpts_format = 'compact';
+    const hasLargeCofactor = CURVE_ORDER * _2n$2 < Fp.ORDER; // Won't CURVE().h > 2n be more effective?
     function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE_ORDER >> _1n$2;
+        const HALF = CURVE_ORDER >> _1n$1;
         return number > HALF;
     }
     function validateRS(title, num) {
@@ -3341,28 +3517,47 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
         return num;
     }
+    function assertSmallCofactor() {
+        // ECDSA recovery is hard for cofactor > 1 curves.
+        // In sign, `r = q.x mod n`, and here we recover q.x from r.
+        // While recovering q.x >= n, we need to add r+n for cofactor=1 curves.
+        // However, for cofactor>1, r+n may not get q.x:
+        // r+n*i would need to be done instead where i is unknown.
+        // To easily get i, we either need to:
+        // a. increase amount of valid recid values (4, 5...); OR
+        // b. prohibit non-prime-order signatures (recid > 1).
+        if (hasLargeCofactor)
+            throw new Error('"recovered" sig type is not supported for cofactor >2 curves');
+    }
     function validateSigLength(bytes, format) {
         validateSigFormat(format);
         const size = lengths.signature;
         const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
-        return _abytes2(bytes, sizer, `${format} signature`);
+        return abytes$1(bytes, sizer);
     }
     /**
      * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
      */
     class Signature {
+        r;
+        s;
+        recovery;
         constructor(r, s, recovery) {
             this.r = validateRS('r', r); // r in [1..N-1];
             this.s = validateRS('s', s); // s in [1..N-1];
-            if (recovery != null)
+            if (recovery != null) {
+                assertSmallCofactor();
+                if (![0, 1, 2, 3].includes(recovery))
+                    throw new Error('invalid recovery id');
                 this.recovery = recovery;
+            }
             Object.freeze(this);
         }
-        static fromBytes(bytes, format = defaultSigOpts_format) {
+        static fromBytes(bytes, format = defaultSigOpts.format) {
             validateSigLength(bytes, format);
             let recid;
             if (format === 'der') {
-                const { r, s } = DER.toSig(_abytes2(bytes));
+                const { r, s } = DER.toSig(abytes$1(bytes));
                 return new Signature(r, s);
             }
             if (format === 'recovered') {
@@ -3370,7 +3565,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
                 format = 'compact';
                 bytes = bytes.subarray(1);
             }
-            const L = Fn.BYTES;
+            const L = lengths.signature / 2;
             const r = bytes.subarray(0, L);
             const s = bytes.subarray(L, L * 2);
             return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
@@ -3378,38 +3573,31 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         static fromHex(hex, format) {
             return this.fromBytes(hexToBytes(hex), format);
         }
+        assertRecovery() {
+            const { recovery } = this;
+            if (recovery == null)
+                throw new Error('invalid recovery id: must be present');
+            return recovery;
+        }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
         recoverPublicKey(messageHash) {
-            const FIELD_ORDER = Fp.ORDER;
-            const { r, s, recovery: rec } = this;
-            if (rec == null || ![0, 1, 2, 3].includes(rec))
-                throw new Error('recovery id invalid');
-            // ECDSA recovery is hard for cofactor > 1 curves.
-            // In sign, `r = q.x mod n`, and here we recover q.x from r.
-            // While recovering q.x >= n, we need to add r+n for cofactor=1 curves.
-            // However, for cofactor>1, r+n may not get q.x:
-            // r+n*i would need to be done instead where i is unknown.
-            // To easily get i, we either need to:
-            // a. increase amount of valid recid values (4, 5...); OR
-            // b. prohibit non-prime-order signatures (recid > 1).
-            const hasCofactor = CURVE_ORDER * _2n$2 < FIELD_ORDER;
-            if (hasCofactor && rec > 1)
-                throw new Error('recovery id is ambiguous for h>1 curve');
-            const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
+            const { r, s } = this;
+            const recovery = this.assertRecovery();
+            const radj = recovery === 2 || recovery === 3 ? r + CURVE_ORDER : r;
             if (!Fp.isValid(radj))
-                throw new Error('recovery id 2 or 3 invalid');
+                throw new Error('invalid recovery id: sig.r+curve.n != R.x');
             const x = Fp.toBytes(radj);
-            const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
+            const R = Point.fromBytes(concatBytes(pprefix((recovery & 1) === 0), x));
             const ir = Fn.inv(radj); // r^-1
-            const h = bits2int_modN(ensureBytes('msgHash', messageHash)); // Truncate hash
+            const h = bits2int_modN(abytes$1(messageHash, undefined, 'msgHash')); // Truncate hash
             const u1 = Fn.create(-h * ir); // -hr^-1
             const u2 = Fn.create(s * ir); // sr^-1
             // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
             const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
             if (Q.is0())
-                throw new Error('point at infinify');
+                throw new Error('invalid recovery: point at infinify');
             Q.assertValidity();
             return Q;
         }
@@ -3417,45 +3605,22 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         hasHighS() {
             return isBiggerThanHalfOrder(this.s);
         }
-        toBytes(format = defaultSigOpts_format) {
+        toBytes(format = defaultSigOpts.format) {
             validateSigFormat(format);
             if (format === 'der')
                 return hexToBytes(DER.hexFromSig(this));
-            const r = Fn.toBytes(this.r);
-            const s = Fn.toBytes(this.s);
+            const { r, s } = this;
+            const rb = Fn.toBytes(r);
+            const sb = Fn.toBytes(s);
             if (format === 'recovered') {
-                if (this.recovery == null)
-                    throw new Error('recovery bit must be present');
-                return concatBytes(Uint8Array.of(this.recovery), r, s);
+                assertSmallCofactor();
+                return concatBytes(Uint8Array.of(this.assertRecovery()), rb, sb);
             }
-            return concatBytes(r, s);
+            return concatBytes(rb, sb);
         }
         toHex(format) {
             return bytesToHex(this.toBytes(format));
         }
-        // TODO: remove
-        assertValidity() { }
-        static fromCompact(hex) {
-            return Signature.fromBytes(ensureBytes('sig', hex), 'compact');
-        }
-        static fromDER(hex) {
-            return Signature.fromBytes(ensureBytes('sig', hex), 'der');
-        }
-        normalizeS() {
-            return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
-        }
-        toDERRawBytes() {
-            return this.toBytes('der');
-        }
-        toDERHex() {
-            return bytesToHex(this.toBytes('der'));
-        }
-        toCompactRawBytes() {
-            return this.toBytes('compact');
-        }
-        toCompactHex() {
-            return bytesToHex(this.toBytes('compact'));
-        }
     }
     // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
     // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
@@ -3485,8 +3650,8 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         return Fn.toBytes(num);
     }
     function validateMsgAndHash(message, prehash) {
-        _abytes2(message, undefined, 'message');
-        return prehash ? _abytes2(hash(message), undefined, 'prehashed message') : message;
+        abytes$1(message, undefined, 'message');
+        return prehash ? abytes$1(hash(message), undefined, 'prehashed message') : message;
     }
     /**
      * Steps A, D of RFC6979 3.2.
@@ -3496,26 +3661,26 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
      * Warning: we cannot assume here that message has same amount of bytes as curve order,
      * this will be invalid at least for P521. Also it can be bigger for P224 + SHA256.
      */
-    function prepSig(message, privateKey, opts) {
-        if (['recovered', 'canonical'].some((k) => k in opts))
-            throw new Error('sign() legacy options not supported');
+    function prepSig(message, secretKey, opts) {
         const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
         message = validateMsgAndHash(message, prehash); // RFC6979 3.2 A: h1 = H(m)
         // We can't later call bits2octets, since nested bits2int is broken for curves
         // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
         const h1int = bits2int_modN(message);
-        const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
+        const d = Fn.fromBytes(secretKey); // validate secret key, convert to bigint
+        if (!Fn.isValidNot0(d))
+            throw new Error('invalid private key');
         const seedArgs = [int2octets(d), int2octets(h1int)];
         // extraEntropy. RFC6979 3.6: additional k' (optional).
         if (extraEntropy != null && extraEntropy !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
             // gen random bytes OR pass as-is
             const e = extraEntropy === true ? randomBytes$1(lengths.secretKey) : extraEntropy;
-            seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
+            seedArgs.push(abytes$1(e, undefined, 'extraEntropy')); // check for being bytes
         }
         const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
-        const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
+        const m = h1int; // no need to call bits2int second time here, it is inside truncateHash!
         // Converts signature params into point w r/s, checks result for validity.
         // To transform k => Signature:
         // q = k⋅G
@@ -3527,7 +3692,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         function k2sig(kBytes) {
             // RFC 6979 Section 3.2, step 3: k = bits2int(T)
             // Important: all mod() calls here must be done over N
-            const k = bits2int(kBytes); // mod n, not mod p
+            const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
             if (!Fn.isValidNot0(k))
                 return; // Valid scalars (including k) must be in 1..N-1
             const ik = Fn.inv(k); // k^-1 mod n
@@ -3535,16 +3700,16 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
             const r = Fn.create(q.x); // r = q.x mod n
             if (r === _0n$3)
                 return;
-            const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
+            const s = Fn.create(ik * Fn.create(m + r * d)); // s = k^-1(m + rd) mod n
             if (s === _0n$3)
                 return;
-            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n$2); // recovery bit (2 or 3, when q.x > n)
+            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n$1); // recovery bit (2 or 3 when q.x>n)
             let normS = s;
             if (lowS && isBiggerThanHalfOrder(s)) {
-                normS = Fn.neg(s); // if lowS was passed, ensure s is always
-                recovery ^= 1; // // in the bottom half of N
+                normS = Fn.neg(s); // if lowS was passed, ensure s is always in the bottom half of N
+                recovery ^= 1;
             }
-            return new Signature(r, normS, recovery); // use normS, not s
+            return new Signature(r, normS, hasLargeCofactor ? undefined : recovery);
         }
         return { seed, k2sig };
     }
@@ -3560,46 +3725,10 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
      * ```
      */
     function sign(message, secretKey, opts = {}) {
-        message = ensureBytes('message', message);
         const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
         const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac$1);
         const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
-        return sig;
-    }
-    function tryParsingSig(sg) {
-        // Try to deduce format
-        let sig = undefined;
-        const isHex = typeof sg === 'string' || isBytes$1(sg);
-        const isObj = !isHex &&
-            sg !== null &&
-            typeof sg === 'object' &&
-            typeof sg.r === 'bigint' &&
-            typeof sg.s === 'bigint';
-        if (!isHex && !isObj)
-            throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
-        if (isObj) {
-            sig = new Signature(sg.r, sg.s);
-        }
-        else if (isHex) {
-            try {
-                sig = Signature.fromBytes(ensureBytes('sig', sg), 'der');
-            }
-            catch (derError) {
-                if (!(derError instanceof DER.Err))
-                    throw derError;
-            }
-            if (!sig) {
-                try {
-                    sig = Signature.fromBytes(ensureBytes('sig', sg), 'compact');
-                }
-                catch (error) {
-                    return false;
-                }
-            }
-        }
-        if (!sig)
-            return false;
-        return sig;
+        return sig.toBytes(opts.format);
     }
     /**
      * Verifies a signature against message and public key.
@@ -3616,16 +3745,15 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
      */
     function verify(signature, message, publicKey, opts = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
-        publicKey = ensureBytes('publicKey', publicKey);
-        message = validateMsgAndHash(ensureBytes('message', message), prehash);
-        if ('strict' in opts)
-            throw new Error('options.strict was renamed to lowS');
-        const sig = format === undefined
-            ? tryParsingSig(signature)
-            : Signature.fromBytes(ensureBytes('sig', signature), format);
-        if (sig === false)
-            return false;
+        publicKey = abytes$1(publicKey, undefined, 'publicKey');
+        message = validateMsgAndHash(message, prehash);
+        if (!isBytes$1(signature)) {
+            const end = signature instanceof Signature ? ', use sig.toBytes()' : '';
+            throw new Error('verify expects Uint8Array signature' + end);
+        }
+        validateSigLength(signature, format); // execute this twice because we want loud error
         try {
+            const sig = Signature.fromBytes(signature, format);
             const P = Point.fromBytes(publicKey);
             if (lowS && sig.hasHighS())
                 return false;
@@ -3663,73 +3791,6 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
         hash,
     });
 }
-function _weierstrass_legacy_opts_to_new(c) {
-    const CURVE = {
-        a: c.a,
-        b: c.b,
-        p: c.Fp.ORDER,
-        n: c.n,
-        h: c.h,
-        Gx: c.Gx,
-        Gy: c.Gy,
-    };
-    const Fp = c.Fp;
-    let allowedLengths = c.allowedPrivateKeyLengths
-        ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
-        : undefined;
-    const Fn = Field(CURVE.n, {
-        BITS: c.nBitLength,
-        allowedLengths: allowedLengths,
-        modFromBytes: c.wrapPrivateKey,
-    });
-    const curveOpts = {
-        Fp,
-        Fn,
-        allowInfinityPoint: c.allowInfinityPoint,
-        endo: c.endo,
-        isTorsionFree: c.isTorsionFree,
-        clearCofactor: c.clearCofactor,
-        fromBytes: c.fromBytes,
-        toBytes: c.toBytes,
-    };
-    return { CURVE, curveOpts };
-}
-function _ecdsa_legacy_opts_to_new(c) {
-    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
-    const ecdsaOpts = {
-        hmac: c.hmac,
-        randomBytes: c.randomBytes,
-        lowS: c.lowS,
-        bits2int: c.bits2int,
-        bits2int_modN: c.bits2int_modN,
-    };
-    return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
-}
-function _ecdsa_new_output_to_legacy(c, _ecdsa) {
-    const Point = _ecdsa.Point;
-    return Object.assign({}, _ecdsa, {
-        ProjectivePoint: Point,
-        CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS)),
-    });
-}
-// _ecdsa_legacy
-function weierstrass(c) {
-    const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
-    const Point = weierstrassN(CURVE, curveOpts);
-    const signs = ecdsa(Point, hash, ecdsaOpts);
-    return _ecdsa_new_output_to_legacy(c, signs);
-}
-
-/**
- * Utilities for short weierstrass curves, combined with noble-hashes.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-/** @deprecated use new `weierstrass()` and `ecdsa()` methods */
-function createCurve(curveDef, defHash) {
-    const create = (hash) => weierstrass({ ...curveDef, hash: hash });
-    return { ...create(defHash), create };
-}
 
 /**
  * SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
@@ -3740,7 +3801,7 @@ function createCurve(curveDef, defHash) {
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Seems like generator was produced from some seed:
-// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
+// `Pointk1.BASE.multiply(Pointk1.Fn.inv(2n, N)).toAffine().x`
 // // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
 const secp256k1_CURVE = {
     p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
@@ -3759,7 +3820,6 @@ const secp256k1_ENDO = {
     ],
 };
 const _0n$2 = /* @__PURE__ */ BigInt(0);
-const _1n$1 = /* @__PURE__ */ BigInt(1);
 const _2n$1 = /* @__PURE__ */ BigInt(2);
 /**
  * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
@@ -3790,21 +3850,28 @@ function sqrtMod(y) {
     return root;
 }
 const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
+const Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
+    Fp: Fpk1,
+    endo: secp256k1_ENDO,
+});
 /**
- * secp256k1 curve, ECDSA and ECDH methods.
+ * secp256k1 curve: ECDSA and ECDH methods.
  *
- * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
+ * Uses sha256 to hash messages. To use a different hash,
+ * pass `{ prehash: false }` to sign / verify.
  *
  * @example
  * ```js
- * import { secp256k1 } from '@noble/curves/secp256k1';
+ * import { secp256k1 } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = secp256k1.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = secp256k1.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = secp256k1.sign(msg, secretKey);
- * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
+ * const isValid = secp256k1.verify(sig, msg, publicKey);
+ * // const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
  * ```
  */
-const secp256k1 = createCurve({ ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO }, sha256$1);
+const secp256k1 = /* @__PURE__ */ ecdsa(Pointk1, sha256$1);
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
@@ -3812,7 +3879,7 @@ const TAGGED_HASH_PREFIXES = {};
 function taggedHash(tag, ...messages) {
     let tagP = TAGGED_HASH_PREFIXES[tag];
     if (tagP === undefined) {
-        const tagH = sha256$1(utf8ToBytes(tag));
+        const tagH = sha256$1(asciiToBytes(tag));
         tagP = concatBytes(tagH, tagH);
         TAGGED_HASH_PREFIXES[tag] = tagP;
     }
@@ -3820,12 +3887,11 @@ function taggedHash(tag, ...messages) {
 }
 // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
 const pointToBytes = (point) => point.toBytes(true).slice(1);
-const Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
 const hasEven = (y) => y % _2n$1 === _0n$2;
 // Calculate point, scalar and bytes
 function schnorrGetExtPubKey(priv) {
     const { Fn, BASE } = Pointk1;
-    const d_ = _normFnElement(Fn, priv);
+    const d_ = Fn.fromBytes(priv);
     const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
     const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
     return { scalar, bytes: pointToBytes(p) };
@@ -3868,9 +3934,9 @@ function schnorrGetPublicKey(secretKey) {
  */
 function schnorrSign(message, secretKey, auxRand = randomBytes(32)) {
     const { Fn } = Pointk1;
-    const m = ensureBytes('message', message);
+    const m = abytes$1(message, undefined, 'message');
     const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
-    const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+    const a = abytes$1(auxRand, 32, 'auxRand'); // Auxiliary random data a: a 32-byte array
     const t = Fn.toBytes(d ^ num$1(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
     const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
     // Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G
@@ -3889,20 +3955,19 @@ function schnorrSign(message, secretKey, auxRand = randomBytes(32)) {
  * Will swallow errors & return false except for initial type validation of arguments.
  */
 function schnorrVerify(signature, message, publicKey) {
-    const { Fn, BASE } = Pointk1;
-    const sig = ensureBytes('signature', signature, 64);
-    const m = ensureBytes('message', message);
-    const pub = ensureBytes('publicKey', publicKey, 32);
+    const { Fp, Fn, BASE } = Pointk1;
+    const sig = abytes$1(signature, 64, 'signature');
+    const m = abytes$1(message, undefined, 'message');
+    const pub = abytes$1(publicKey, 32, 'publicKey');
     try {
         const P = lift_x(num$1(pub)); // P = lift_x(int(pk)); fail if that fails
         const r = num$1(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
-        if (!inRange(r, _1n$1, secp256k1_CURVE.p))
+        if (!Fp.isValidNot0(r))
             return false;
         const s = num$1(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
-        if (!inRange(s, _1n$1, secp256k1_CURVE.n))
+        if (!Fn.isValidNot0(s))
             return false;
-        // int(challenge(bytes(r)||bytes(P)||m))%n
-        const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
+        const e = challenge(Fn.toBytes(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
         // R = s⋅G - e⋅P, where -eP == (n-e)P
         const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
         const { x, y } = R.toAffine();
@@ -3920,7 +3985,7 @@ function schnorrVerify(signature, message, publicKey) {
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
  * ```js
- * import { schnorr } from '@noble/curves/secp256k1';
+ * import { schnorr } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = schnorr.keygen();
  * // const publicKey = schnorr.getPublicKey(secretKey);
  * const msg = new TextEncoder().encode('hello');
@@ -3934,26 +3999,17 @@ const schnorr = /* @__PURE__ */ (() => {
     const randomSecretKey = (seed = randomBytes(seedLength)) => {
         return mapHashToField(seed, secp256k1_CURVE.n);
     };
-    function keygen(seed) {
-        const secretKey = randomSecretKey(seed);
-        return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
-    }
     return {
-        keygen,
+        keygen: createKeygen(randomSecretKey, schnorrGetPublicKey),
         getPublicKey: schnorrGetPublicKey,
         sign: schnorrSign,
         verify: schnorrVerify,
         Point: Pointk1,
         utils: {
-            randomSecretKey: randomSecretKey,
-            randomPrivateKey: randomSecretKey,
+            randomSecretKey,
             taggedHash,
-            // TODO: remove
             lift_x,
             pointToBytes,
-            numberToBytesBE,
-            bytesToNumberBE,
-            mod,
         },
         lengths: {
             secretKey: size,
@@ -3967,8 +4023,8 @@ const schnorr = /* @__PURE__ */ (() => {
 
 const _0n$1 = BigInt(0);
 const _2n = BigInt(2);
-const _N = secp256k1.CURVE.n;
-Field(_N, 32, true);
+const _N = secp256k1.Point.Fn.ORDER;
+Field(_N, { isLE: true });
 const GP = secp256k1.Point.BASE;
 function tweak_pubkey(pubkey, tweak, format, even_y = false) {
     const twk_big = serialize_bytes(tweak).big;
@@ -3983,19 +4039,21 @@ function tweak_pubkey(pubkey, tweak, format, even_y = false) {
 }
 function sign_ecdsa(seckey, message) {
     const msg = serialize_bytes(message);
-    const sig = secp256k1.sign(msg, seckey).toDERRawBytes();
+    const sk = serialize_bytes(seckey);
+    const sig = secp256k1.sign(msg, sk, { format: 'der', prehash: false });
     return Buff.bytes(sig);
 }
 function sign_bip340(seckey, message) {
     const msg = serialize_bytes(message);
-    const sig = schnorr.sign(msg, seckey);
-    return serialize_bytes(sig);
+    const sk = serialize_bytes(seckey);
+    const sig = schnorr.sign(msg, sk);
+    return Buff.bytes(sig);
 }
 function verify_ecdsa(signature, message, pubkey) {
     const sig = serialize_bytes(signature);
     const msg = serialize_bytes(message);
     const pk = serialize_pubkey(pubkey, 'ecdsa');
-    return secp256k1.verify(sig, msg, pk);
+    return secp256k1.verify(sig, msg, pk, { format: 'der', prehash: false });
 }
 function verify_bip340(signature, message, pubkey) {
     const sig = serialize_bytes(signature);
@@ -4006,10 +4064,10 @@ function verify_bip340(signature, message, pubkey) {
 function lift_point(pubkey) {
     try {
         const pk = serialize_pubkey(pubkey, 'ecdsa');
-        return secp256k1.Point.fromHex(pk);
+        return secp256k1.Point.fromHex(pk.hex);
     }
-    catch (err) {
-        throw new Error('invalid pubkey: ' + pubkey);
+    catch {
+        throw new Error(`invalid pubkey: ${pubkey}`);
     }
 }
 function serialize_pubkey(pubkey, format) {
@@ -4026,161 +4084,21 @@ function serialize_pubkey(pubkey, format) {
             return pk;
         }
     }
-    catch (err) {
-        throw new Error('invalid pubkey: ' + String(pubkey));
+    catch {
+        throw new Error(`invalid pubkey: ${String(pubkey)}`);
     }
 }
 function serialize_bytes(bytes) {
-    try {
+    if (bytes instanceof Uint8Array) {
         return Buff.bytes(bytes);
     }
-    catch (err) {
-        throw new Error('invalid bytes: ' + String(bytes));
-    }
-}
-
-/**
-
-SHA1 (RFC 3174), MD5 (RFC 1321) and RIPEMD160 (RFC 2286) legacy, weak hash functions.
-Don't use them in a new protocol. What "weak" means:
-
-- Collisions can be made with 2^18 effort in MD5, 2^60 in SHA1, 2^80 in RIPEMD160.
-- No practical pre-image attacks (only theoretical, 2^123.4)
-- HMAC seems kinda ok: https://datatracker.ietf.org/doc/html/rfc6151
- * @module
- */
-// RIPEMD-160
-const Rho160 = /* @__PURE__ */ Uint8Array.from([
-    7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8,
-]);
-const Id160 = /* @__PURE__ */ (() => Uint8Array.from(new Array(16).fill(0).map((_, i) => i)))();
-const Pi160 = /* @__PURE__ */ (() => Id160.map((i) => (9 * i + 5) % 16))();
-const idxLR = /* @__PURE__ */ (() => {
-    const L = [Id160];
-    const R = [Pi160];
-    const res = [L, R];
-    for (let i = 0; i < 4; i++)
-        for (let j of res)
-            j.push(j[i].map((k) => Rho160[k]));
-    return res;
-})();
-const idxL = /* @__PURE__ */ (() => idxLR[0])();
-const idxR = /* @__PURE__ */ (() => idxLR[1])();
-// const [idxL, idxR] = idxLR;
-const shifts160 = /* @__PURE__ */ [
-    [11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8],
-    [12, 13, 11, 15, 6, 9, 9, 7, 12, 15, 11, 13, 7, 8, 7, 7],
-    [13, 15, 14, 11, 7, 7, 6, 8, 13, 14, 13, 12, 5, 5, 6, 9],
-    [14, 11, 12, 14, 8, 6, 5, 5, 15, 12, 15, 14, 9, 9, 8, 6],
-    [15, 12, 13, 13, 9, 5, 8, 6, 14, 11, 12, 11, 8, 6, 5, 5],
-].map((i) => Uint8Array.from(i));
-const shiftsL160 = /* @__PURE__ */ idxL.map((idx, i) => idx.map((j) => shifts160[i][j]));
-const shiftsR160 = /* @__PURE__ */ idxR.map((idx, i) => idx.map((j) => shifts160[i][j]));
-const Kl160 = /* @__PURE__ */ Uint32Array.from([
-    0x00000000, 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xa953fd4e,
-]);
-const Kr160 = /* @__PURE__ */ Uint32Array.from([
-    0x50a28be6, 0x5c4dd124, 0x6d703ef3, 0x7a6d76e9, 0x00000000,
-]);
-// It's called f() in spec.
-function ripemd_f(group, x, y, z) {
-    if (group === 0)
-        return x ^ y ^ z;
-    if (group === 1)
-        return (x & y) | (~x & z);
-    if (group === 2)
-        return (x | ~y) ^ z;
-    if (group === 3)
-        return (x & z) | (y & ~z);
-    return x ^ (y | ~z);
-}
-// Reusable temporary buffer
-const BUF_160 = /* @__PURE__ */ new Uint32Array(16);
-class RIPEMD160 extends HashMD {
-    constructor() {
-        super(64, 20, 8, true);
-        this.h0 = 0x67452301 | 0;
-        this.h1 = 0xefcdab89 | 0;
-        this.h2 = 0x98badcfe | 0;
-        this.h3 = 0x10325476 | 0;
-        this.h4 = 0xc3d2e1f0 | 0;
-    }
-    get() {
-        const { h0, h1, h2, h3, h4 } = this;
-        return [h0, h1, h2, h3, h4];
-    }
-    set(h0, h1, h2, h3, h4) {
-        this.h0 = h0 | 0;
-        this.h1 = h1 | 0;
-        this.h2 = h2 | 0;
-        this.h3 = h3 | 0;
-        this.h4 = h4 | 0;
-    }
-    process(view, offset) {
-        for (let i = 0; i < 16; i++, offset += 4)
-            BUF_160[i] = view.getUint32(offset, true);
-        // prettier-ignore
-        let al = this.h0 | 0, ar = al, bl = this.h1 | 0, br = bl, cl = this.h2 | 0, cr = cl, dl = this.h3 | 0, dr = dl, el = this.h4 | 0, er = el;
-        // Instead of iterating 0 to 80, we split it into 5 groups
-        // And use the groups in constants, functions, etc. Much simpler
-        for (let group = 0; group < 5; group++) {
-            const rGroup = 4 - group;
-            const hbl = Kl160[group], hbr = Kr160[group]; // prettier-ignore
-            const rl = idxL[group], rr = idxR[group]; // prettier-ignore
-            const sl = shiftsL160[group], sr = shiftsR160[group]; // prettier-ignore
-            for (let i = 0; i < 16; i++) {
-                const tl = (rotl(al + ripemd_f(group, bl, cl, dl) + BUF_160[rl[i]] + hbl, sl[i]) + el) | 0;
-                al = el, el = dl, dl = rotl(cl, 10) | 0, cl = bl, bl = tl; // prettier-ignore
-            }
-            // 2 loops are 10% faster
-            for (let i = 0; i < 16; i++) {
-                const tr = (rotl(ar + ripemd_f(rGroup, br, cr, dr) + BUF_160[rr[i]] + hbr, sr[i]) + er) | 0;
-                ar = er, er = dr, dr = rotl(cr, 10) | 0, cr = br, br = tr; // prettier-ignore
-            }
+    if (typeof bytes === 'string') {
+        if (bytes.length > 0 && bytes.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(bytes)) {
+            return Buff.hex(bytes);
         }
-        // Add the compressed chunk to the current hash value
-        this.set((this.h1 + cl + dr) | 0, (this.h2 + dl + er) | 0, (this.h3 + el + ar) | 0, (this.h4 + al + br) | 0, (this.h0 + bl + cr) | 0);
-    }
-    roundClean() {
-        clean(BUF_160);
-    }
-    destroy() {
-        this.destroyed = true;
-        clean(this.buffer);
-        this.set(0, 0, 0, 0, 0);
+        throw new Error(`invalid hex string: ${bytes}`);
     }
-}
-/**
- * RIPEMD-160 - a legacy hash function from 1990s.
- * * https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
- * * https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf
- */
-const ripemd160 = /* @__PURE__ */ createHasher(() => new RIPEMD160());
-
-function hash160(...input) {
-    const buffer = Buff.join(input);
-    const digest = ripemd160(sha256$1(buffer));
-    return new Buff(digest);
-}
-function sha256(...input) {
-    const buffer = Buff.join(input);
-    const digest = sha256$1(buffer);
-    return new Buff(digest);
-}
-function hash256(...input) {
-    const buffer = Buff.join(input);
-    const digest = sha256$1(sha256$1(buffer));
-    return new Buff(digest);
-}
-function hashtag(tag) {
-    const hash = sha256(Buff.str(tag));
-    return Buff.join([hash, hash]);
-}
-function hash340(tag, ...input) {
-    const htag = hashtag(tag);
-    const data = input.map(e => new Buff(e));
-    const pimg = Buff.join([htag, ...data]);
-    return sha256(pimg);
+    throw new Error(`invalid bytes: ${String(bytes)}`);
 }
 
 /*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */
@@ -4188,11 +4106,9 @@ function isBytes(a) {
     return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
 }
 /** Asserts something is Uint8Array. */
-function abytes(b, ...lengths) {
+function abytes(b) {
     if (!isBytes(b))
         throw new Error('Uint8Array expected');
-    if (lengths.length > 0 && !lengths.includes(b.length))
-        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
 }
 function isArrayOf(isString, arr) {
     if (!Array.isArray(arr))
@@ -4206,7 +4122,6 @@ function isArrayOf(isString, arr) {
         return arr.every((item) => Number.isSafeInteger(item));
     }
 }
-// no abytes: seems to have 10% slowdown. Why?!
 function afn(input) {
     if (typeof input !== 'function')
         throw new Error('function expected');
@@ -4757,14 +4672,14 @@ const VERSION = {
 function decode_address(address) {
     const format = get_address_format(address);
     if (format === null)
-        throw new Error(`unrecognized address format: ${address}`);
+        throw new ValidationError(`unrecognized address format: ${address}`, "address");
     if (format === "base58")
         return base58_decode(address);
     if (format === "bech32")
         return bech32_decode(address);
     if (format === "bech32m")
         return bech32m_decode(address);
-    throw new Error("unable to find a matching address configuration");
+    throw new ValidationError("unable to find a matching address configuration", "address");
 }
 function encode_address(config) {
     if (config.format === "base58")
@@ -4773,7 +4688,7 @@ function encode_address(config) {
         return bech32_encode(config);
     if (config.format === "bech32m")
         return bech32m_encode(config);
-    throw new Error(`unrecognized encoding format: ${config.format}`);
+    throw new ValidationError(`unrecognized encoding format: ${config.format}`, "format");
 }
 function get_address_format(address) {
     for (const [format, regex] of Object.entries(ENCODING_REGEX)) {
@@ -4783,8 +4698,8 @@ function get_address_format(address) {
     return null;
 }
 function base58_encode(config) {
-    Assert.ok(config.format === "base58", "encoding mismatch");
-    Assert.exists(config.version, "must specify a version");
+    Assert$1.ok(config.format === "base58", "encoding mismatch");
+    Assert$1.exists(config.version, "must specify a version");
     const bytes = Buff.join([config.version, config.data]);
     return B58chk.encode(bytes);
 }
@@ -4795,8 +4710,8 @@ function base58_decode(encoded) {
     return { data, format: "base58", version };
 }
 function bech32_encode(config) {
-    Assert.ok(config.format === "bech32", "encoding mismatch");
-    Assert.exists(config.prefix, "prefix is required");
+    Assert$1.ok(config.format === "bech32", "encoding mismatch");
+    Assert$1.exists(config.prefix, "prefix is required");
     const bytes = Buff.bytes(config.data);
     const words = Bech32.to_words(bytes);
     return Bech32.encode(config.prefix, [VERSION.bech32, ...words]);
@@ -4804,13 +4719,13 @@ function bech32_encode(config) {
 function bech32_decode(encoded) {
     const { prefix, words } = Bech32.decode(encoded);
     const [version, ...rest] = words;
-    Assert.ok(version === VERSION.bech32, "bech32 version mismatch");
+    Assert$1.ok(version === VERSION.bech32, "bech32 version mismatch");
     const data = Bech32.to_bytes(rest);
     return { data, format: "bech32", prefix, version };
 }
 function bech32m_encode(config) {
-    Assert.ok(config.format === "bech32m", "encoding mismatch");
-    Assert.exists(config.prefix, "prefix is required");
+    Assert$1.ok(config.format === "bech32m", "encoding mismatch");
+    Assert$1.exists(config.prefix, "prefix is required");
     const bytes = Buff.bytes(config.data);
     const words = Bech32m.to_words(bytes);
     return Bech32m.encode(config.prefix, [VERSION.bech32m, ...words]);
@@ -4818,7 +4733,7 @@ function bech32m_encode(config) {
 function bech32m_decode(encoded) {
     const { prefix, words } = Bech32m.decode(encoded);
     const [version, ...rest] = words;
-    Assert.ok(version === VERSION.bech32m, "bech32m version mismatch");
+    Assert$1.ok(version === VERSION.bech32m, "bech32m version mismatch");
     const data = Bech32m.to_bytes(rest);
     return { data, format: "bech32m", prefix, version };
 }
@@ -4918,7 +4833,8 @@ function get_address_info(address) {
         const script = get_address_script(data, type);
         return { data, script, type, prefix, network, size, format, version };
     }
-    throw new Error("address configuration is invalid");
+    throw new ConfigError(`unrecognized address configuration: format=${dec.format}, size=${dec.data.length}, version=${dec.version}. ` +
+        `Supported formats: base58 (p2pkh, p2sh), bech32 (p2wpkh, p2wsh), bech32m (p2tr)`);
 }
 
 const ADDRESS_TYPE$4 = LOCK_SCRIPT_TYPE.P2PKH;
@@ -4937,7 +4853,7 @@ function create_p2pkh_address(pubkey, network = "main") {
 }
 function create_p2pkh_script(pubkey) {
     const bytes = Buff.bytes(pubkey);
-    Assert.size(bytes, 33, "invalid pubkey size");
+    Assert$1.ok(bytes.length === 33, "invalid pubkey size");
     const hash = hash160(bytes);
     return encode_p2pkh_script(hash);
 }
@@ -4947,8 +4863,8 @@ function encode_p2pkh_script(pk_hash) {
 function encode_p2pkh_address(script, network = "main") {
     const pk_hash = decode_p2pkh_script(script);
     const config = get_address_config(network, ADDRESS_TYPE$4);
-    Assert.exists(config, `unrecognized address config: ${ADDRESS_TYPE$4} on ${network}`);
-    Assert.size(pk_hash, config.size, `invalid payload size: ${pk_hash.length} !== ${config.size}`);
+    Assert$1.exists(config, `unrecognized address config: ${ADDRESS_TYPE$4} on ${network}`);
+    Assert$1.ok(pk_hash.length === config.size, `invalid payload size: ${pk_hash.length} !== ${config.size}`);
     return encode_address({
         data: pk_hash,
         format: "base58",
@@ -4957,12 +4873,12 @@ function encode_p2pkh_address(script, network = "main") {
 }
 function decode_p2pkh_address(address) {
     const parsed = get_address_info(address);
-    Assert.ok(parsed.type === "p2pkh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$4}`);
+    Assert$1.ok(parsed.type === "p2pkh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$4}`);
     return parsed;
 }
 function decode_p2pkh_script(script) {
     const bytes = Buff.bytes(script);
-    Assert.ok(is_p2pkh_script(script), `invalid p2pkh script`);
+    Assert$1.ok(is_p2pkh_script(script), `invalid p2pkh script`);
     return bytes.slice(3, 23);
 }
 
@@ -4993,8 +4909,8 @@ function encode_p2sh_script(script_hash) {
 function encode_p2sh_address(script_pk, network = "main") {
     const script_hash = decode_p2sh_script(script_pk);
     const config = get_address_config(network, ADDRESS_TYPE$3);
-    Assert.exists(config, `unrecognized address config: ${ADDRESS_TYPE$3} on ${network}`);
-    Assert.size(script_hash, config.size, `invalid payload size: ${script_hash.length} !== ${config.size}`);
+    Assert$1.exists(config, `unrecognized address config: ${ADDRESS_TYPE$3} on ${network}`);
+    Assert$1.ok(script_hash.length === config.size, `invalid payload size: ${script_hash.length} !== ${config.size}`);
     return encode_address({
         data: script_hash,
         format: "base58",
@@ -5003,11 +4919,11 @@ function encode_p2sh_address(script_pk, network = "main") {
 }
 function decode_p2sh_address(address) {
     const parsed = get_address_info(address);
-    Assert.ok(parsed.type === "p2sh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$3}`);
+    Assert$1.ok(parsed.type === "p2sh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$3}`);
     return parsed;
 }
 function decode_p2sh_script(script) {
-    Assert.ok(is_p2sh_script(script), `invalid p2sh script`);
+    Assert$1.ok(is_p2sh_script(script), `invalid p2sh script`);
     const bytes = Buff.bytes(script);
     return bytes.slice(2, 22);
 }
@@ -5028,7 +4944,7 @@ function create_p2tr_address(pubkey, network = "main") {
 }
 function create_p2tr_script(pubkey) {
     const bytes = Buff.bytes(pubkey);
-    Assert.size(bytes, 32, "invalid pubkey size");
+    Assert$1.ok(bytes.length === 32, "invalid pubkey size");
     return encode_p2tr_script(bytes);
 }
 function encode_p2tr_script(pubkey) {
@@ -5037,8 +4953,8 @@ function encode_p2tr_script(pubkey) {
 function encode_p2tr_address(script_pk, network = "main") {
     const pubkey = decode_p2tr_script(script_pk);
     const config = get_address_config(network, ADDRESS_TYPE$2);
-    Assert.exists(config, `unrecognized address config: ${ADDRESS_TYPE$2} on ${network}`);
-    Assert.size(pubkey, config.size, `invalid payload size: ${pubkey.length} !== ${config.size}`);
+    Assert$1.exists(config, `unrecognized address config: ${ADDRESS_TYPE$2} on ${network}`);
+    Assert$1.ok(pubkey.length === config.size, `invalid payload size: ${pubkey.length} !== ${config.size}`);
     return encode_address({
         data: pubkey,
         format: "bech32m",
@@ -5047,11 +4963,11 @@ function encode_p2tr_address(script_pk, network = "main") {
 }
 function decode_p2tr_address(address) {
     const parsed = get_address_info(address);
-    Assert.ok(parsed.type === "p2tr", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$2}`);
+    Assert$1.ok(parsed.type === "p2tr", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$2}`);
     return parsed;
 }
 function decode_p2tr_script(script) {
-    Assert.ok(is_p2tr_script(script), `invalid p2tr script`);
+    Assert$1.ok(is_p2tr_script(script), `invalid p2tr script`);
     const bytes = Buff.bytes(script);
     return bytes.slice(2, 34);
 }
@@ -5072,7 +4988,7 @@ function create_p2wpkh_address(pubkey, network = "main") {
 }
 function create_p2wpkh_script(pubkey) {
     const bytes = Buff.bytes(pubkey);
-    Assert.size(bytes, 33, "invalid pubkey size");
+    Assert$1.ok(bytes.length === 33, "invalid pubkey size");
     const hash = hash160(bytes);
     return encode_p2wpkh_script(hash);
 }
@@ -5082,8 +4998,8 @@ function encode_p2wpkh_script(pk_hash) {
 function encode_p2wpkh_address(script_pk, network = "main") {
     const pk_hash = decode_p2wpkh_script(script_pk);
     const config = get_address_config(network, ADDRESS_TYPE$1);
-    Assert.exists(config, `unrecognized address config: ${ADDRESS_TYPE$1} on ${network}`);
-    Assert.size(pk_hash, config.size, `invalid payload size: ${pk_hash.length} !== ${config.size}`);
+    Assert$1.exists(config, `unrecognized address config: ${ADDRESS_TYPE$1} on ${network}`);
+    Assert$1.ok(pk_hash.length === config.size, `invalid payload size: ${pk_hash.length} !== ${config.size}`);
     return encode_address({
         data: pk_hash,
         format: "bech32",
@@ -5092,11 +5008,11 @@ function encode_p2wpkh_address(script_pk, network = "main") {
 }
 function decode_p2wpkh_address(address) {
     const parsed = get_address_info(address);
-    Assert.ok(parsed.type === "p2wpkh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$1}`);
+    Assert$1.ok(parsed.type === "p2wpkh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE$1}`);
     return parsed;
 }
 function decode_p2wpkh_script(script) {
-    Assert.ok(is_p2wpkh_script(script), `invalid p2wpkh script`);
+    Assert$1.ok(is_p2wpkh_script(script), `invalid p2wpkh script`);
     const bytes = Buff.bytes(script);
     return bytes.slice(2, 22);
 }
@@ -5126,8 +5042,8 @@ function encode_p2wsh_script(script_hash) {
 function encode_p2wsh_address(script_pk, network = "main") {
     const script_hash = decode_p2wsh_script(script_pk);
     const config = get_address_config(network, ADDRESS_TYPE);
-    Assert.exists(config, `unrecognized address config: ${ADDRESS_TYPE} on ${network}`);
-    Assert.size(script_hash, config.size, `invalid payload size: ${script_hash.length} !== ${config.size}`);
+    Assert$1.exists(config, `unrecognized address config: ${ADDRESS_TYPE} on ${network}`);
+    Assert$1.ok(script_hash.length === config.size, `invalid payload size: ${script_hash.length} !== ${config.size}`);
     return encode_address({
         data: script_hash,
         format: "bech32",
@@ -5136,11 +5052,11 @@ function encode_p2wsh_address(script_pk, network = "main") {
 }
 function decode_p2wsh_address(address) {
     const parsed = get_address_info(address);
-    Assert.ok(parsed.type === "p2wsh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE}`);
+    Assert$1.ok(parsed.type === "p2wsh", `address type mismatch: ${parsed.type} !== ${ADDRESS_TYPE}`);
     return parsed;
 }
 function decode_p2wsh_script(script) {
-    Assert.ok(is_p2wsh_script(script), `invalid p2wsh script`);
+    Assert$1.ok(is_p2wsh_script(script), `invalid p2wsh script`);
     const bytes = Buff.bytes(script);
     return bytes.slice(2, 34);
 }
@@ -5149,7 +5065,7 @@ function get_address(script, network = "main") {
     const bytes = Buff.bytes(script);
     const type = get_lock_script_type(bytes);
     if (type === null)
-        throw new Error("Unknown or unsupported locking script type");
+        throw new ConfigError("Unknown or unsupported locking script type");
     switch (type) {
         case LOCK_SCRIPT_TYPE.P2PKH:
             return P2PKH.encode_address(script, network);
@@ -5162,7 +5078,7 @@ function get_address(script, network = "main") {
         case LOCK_SCRIPT_TYPE.P2TR:
             return P2TR.encode_address(script, network);
         default:
-            throw new Error(`unknown script type: ${type}`);
+            throw new ConfigError(`unknown script type: ${type}`);
     }
 }
 function parse_address(address) {
@@ -5189,14 +5105,14 @@ var LocktimeField;
 function encode_locktime(locktime) {
     switch (locktime.type) {
         case "timelock":
-            Assert.ok(locktime.stamp >= LOCKTIME_THRESHOLD, "Invalid timestamp");
+            Assert$1.ok(locktime.stamp >= LOCKTIME_THRESHOLD, "Invalid timestamp");
             return locktime.stamp;
         case "heightlock":
-            Assert.ok(locktime.height > 0, "height must be greater than 0");
-            Assert.ok(locktime.height < LOCKTIME_THRESHOLD, "invalid block height");
+            Assert$1.ok(locktime.height > 0, "height must be greater than 0");
+            Assert$1.ok(locktime.height < LOCKTIME_THRESHOLD, "invalid block height");
             return locktime.height;
         default:
-            throw new Error("Invalid locktime type");
+            throw new ConfigError(`Invalid locktime type: expected 'timelock' or 'heightlock'`);
     }
 }
 function decode_locktime(locktime) {
@@ -5251,7 +5167,7 @@ function verify_inscription_id(inscription_id) {
 }
 function assert_inscription_id(inscription_id) {
     if (!verify_inscription_id(inscription_id)) {
-        throw new Error(`invalid inscription id: ${inscription_id}`);
+        throw new ValidationError(`invalid inscription id: "${inscription_id}". Expected format: <64-char-txid>i<index> (e.g., "abc123...i0")`);
     }
 }
 function encode_rune_id(block_height, block_index) {
@@ -5270,7 +5186,7 @@ function verify_rune_id(rune_id) {
 }
 function assert_rune_id(rune_id) {
     if (!verify_rune_id(rune_id)) {
-        throw new Error(`invalid rune id: ${rune_id}`);
+        throw new ValidationError(`invalid rune id: "${rune_id}". Expected format: <block_height>:<block_index> (e.g., "840000:1")`);
     }
 }
 function encode_outpoint(txid, vout) {
@@ -5286,7 +5202,7 @@ function verify_outpoint(outpoint) {
 }
 function assert_outpoint(outpoint) {
     if (!verify_outpoint(outpoint)) {
-        throw new Error(`invalid outpoint: ${outpoint}`);
+        throw new ValidationError(`invalid outpoint: "${outpoint}". Expected format: <64-char-txid>:<vout> (e.g., "abc123...:0")`);
     }
 }
 
@@ -5410,14 +5326,14 @@ function get_op_code(num) {
         if (v === num)
             return k;
     }
-    throw new Error(`OPCODE not found:${String(num)}`);
+    throw new ValidationError(`opcode not found for value: ${num} (0x${num.toString(16)}). Valid range is 0x00-0xba`);
 }
 function get_asm_code(string) {
     for (const [k, v] of Object.entries(OPCODE_MAP)) {
         if (k === string)
             return Number(v);
     }
-    throw new Error(`OPCODE not found:${string}`);
+    throw new ValidationError(`opcode not found: "${string}". Valid opcodes start with "OP_" (e.g., OP_DUP, OP_CHECKSIG)`);
 }
 function get_op_type(word) {
     switch (true) {
@@ -5434,7 +5350,7 @@ function get_op_type(word) {
         case word <= 254:
             return "opcode";
         default:
-            throw new Error(`Invalid word range: ${word}`);
+            throw new ValidationError(`invalid word value: ${word}. Expected 0-254`);
     }
 }
 function is_valid_op(word) {
@@ -5480,7 +5396,7 @@ function decode_script(script) {
                     stack.push(stream.read(word).hex);
                 }
                 catch {
-                    throw new Error(`Malformed script: varint push at position ${count - 1} requires ${word} bytes but stream exhausted`);
+                    throw new DecodingError(`Malformed script: varint push at position ${count - 1} requires ${word} bytes but stream exhausted`, count - 1);
                 }
                 count += word;
                 break;
@@ -5489,13 +5405,13 @@ function decode_script(script) {
                     word_size = stream.read(1).reverse().num;
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA1 at position ${count - 1} missing size byte`);
+                    throw new DecodingError(`Malformed script: PUSHDATA1 at position ${count - 1} missing size byte`, count - 1);
                 }
                 try {
                     stack.push(stream.read(word_size).hex);
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA1 at position ${count - 1} requires ${word_size} bytes but stream exhausted`);
+                    throw new DecodingError(`Malformed script: PUSHDATA1 at position ${count - 1} requires ${word_size} bytes but stream exhausted`, count - 1);
                 }
                 count += word_size + 1;
                 break;
@@ -5504,13 +5420,13 @@ function decode_script(script) {
                     word_size = stream.read(2).reverse().num;
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA2 at position ${count - 1} missing size bytes`);
+                    throw new DecodingError(`Malformed script: PUSHDATA2 at position ${count - 1} missing size bytes`, count - 1);
                 }
                 try {
                     stack.push(stream.read(word_size).hex);
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA2 at position ${count - 1} requires ${word_size} bytes but stream exhausted`);
+                    throw new DecodingError(`Malformed script: PUSHDATA2 at position ${count - 1} requires ${word_size} bytes but stream exhausted`, count - 1);
                 }
                 count += word_size + 2;
                 break;
@@ -5519,24 +5435,24 @@ function decode_script(script) {
                     word_size = stream.read(4).reverse().num;
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA4 at position ${count - 1} missing size bytes`);
+                    throw new DecodingError(`Malformed script: PUSHDATA4 at position ${count - 1} missing size bytes`, count - 1);
                 }
                 try {
                     stack.push(stream.read(word_size).hex);
                 }
                 catch {
-                    throw new Error(`Malformed script: PUSHDATA4 at position ${count - 1} requires ${word_size} bytes but stream exhausted`);
+                    throw new DecodingError(`Malformed script: PUSHDATA4 at position ${count - 1} requires ${word_size} bytes but stream exhausted`, count - 1);
                 }
                 count += word_size + 4;
                 break;
             case "opcode":
                 if (!is_valid_op(word)) {
-                    throw new Error(`Invalid OPCODE: ${word}`);
+                    throw new DecodingError(`Invalid OPCODE: ${word}`, count - 1);
                 }
                 stack.push(get_op_code(word));
                 break;
             default:
-                throw new Error(`Word type undefined: ${word}`);
+                throw new DecodingError(`Word type undefined: ${word}`, count - 1);
         }
     }
     return stack;
@@ -5561,7 +5477,7 @@ function encode_script(words, varint = false) {
     }
     const buffer = Buff.join(bytes);
     if (buffer.length > MAX_SCRIPT_SIZE) {
-        throw new Error(`script size ${buffer.length} exceeds consensus limit of ${MAX_SCRIPT_SIZE} bytes`);
+        throw new ValidationError(`script size ${buffer.length} exceeds consensus limit of ${MAX_SCRIPT_SIZE} bytes`);
     }
     return varint
         ? buffer.prepend(Buff.create_varint(buffer.length, "le"))
@@ -5588,7 +5504,7 @@ function encode_script_word(word) {
         buff = new Buff(word);
     }
     else {
-        throw new Error(`invalid word type:${typeof word}`);
+        throw new ValidationError(`invalid script word type: ${typeof word}. Expected string, number, or Uint8Array`);
     }
     if (buff.length === 1 && buff[0] <= 16) {
         if (buff[0] !== 0)
@@ -5629,7 +5545,7 @@ function get_size_varint(size) {
         case size >= 0x100 && size <= MAX_WORD_SIZE:
             return Buff.join([OP_PUSHDATA2, Buff.num(size, 2, "le")]);
         default:
-            throw new Error(`Invalid word size:${size.toString()}`);
+            throw new ValidationError(`invalid script word size: ${size}. Maximum allowed is ${MAX_WORD_SIZE} bytes`);
     }
 }
 
@@ -5687,16 +5603,17 @@ function create_envelope(data) {
 function parse_envelopes(script) {
     const words = decode_script(script);
     const start_idx = words.indexOf("OP_0");
-    Assert.ok(start_idx !== -1, "inscription envelope not found");
+    Assert$1.ok(start_idx !== -1, "inscription envelope not found");
     const envelopes = [];
     for (let idx = start_idx; idx < words.length; idx++) {
-        Assert.ok(words[idx + 1] === "OP_IF", "OP_IF missing from envelope");
-        Assert.ok(words[idx + 2] === "6f7264", "magic bytes missing from envelope");
-        const stop_idx = words.indexOf("OP_ENDIF");
-        Assert.ok(stop_idx !== -1, "inscription envelope missing END_IF statement");
+        Assert$1.ok(idx + 2 < words.length, "incomplete envelope: missing OP_IF or magic bytes");
+        Assert$1.ok(words[idx + 1] === "OP_IF", "OP_IF missing from envelope");
+        Assert$1.ok(words[idx + 2] === "6f7264", "magic bytes missing from envelope");
+        const stop_idx = words.indexOf("OP_ENDIF", idx);
+        Assert$1.ok(stop_idx !== -1, "inscription envelope missing OP_ENDIF statement");
         const env = words.slice(idx + 3, stop_idx);
         envelopes.push(env);
-        idx += stop_idx;
+        idx = stop_idx;
     }
     return envelopes;
 }
@@ -5742,8 +5659,21 @@ function parse_record(envelope) {
 function decode_bytes(bytes) {
     return Buff.bytes(bytes).hex;
 }
+function normalize_script_word(word) {
+    if (typeof word === "string" && word.startsWith("OP_")) {
+        if (word === "OP_0")
+            return Buff.num(0).hex;
+        const match = word.match(/^OP_(\d+)$/);
+        if (match) {
+            const num = parseInt(match[1], 10);
+            if (num >= 1 && num <= 16)
+                return Buff.num(num).hex;
+        }
+    }
+    return word;
+}
 function encode_id(identifier) {
-    Assert.ok(identifier.includes("i"), "identifier must include an index");
+    Assert$1.ok(identifier.includes("i"), "identifier must include an index");
     const parts = identifier.split("i");
     const bytes = Buff.hex(parts[0]);
     const idx = Number(parts[1]);
@@ -5752,6 +5682,9 @@ function encode_id(identifier) {
 }
 function decode_id(identifier) {
     const bytes = Buff.bytes(identifier);
+    if (bytes.length === 32) {
+        return `${bytes.reverse().hex}i0`;
+    }
     const idx = bytes.at(-1) ?? 0;
     const txid = bytes.slice(0, -1).reverse().hex;
     return `${txid}i${String(idx)}`;
@@ -5760,7 +5693,7 @@ function encode_pointer(pointer) {
     return Buff.num(pointer).reverse().hex;
 }
 function decode_pointer(bytes) {
-    return Buff.bytes(bytes).reverse().num;
+    return Buff.bytes(normalize_script_word(bytes)).reverse().num;
 }
 function encode_label(label) {
     return Buff.str(label).hex;
@@ -5795,12 +5728,16 @@ function encode_rune_label(label) {
         if (char >= "A" && char <= "Z") {
             big = big * _26n + BigInt(char.charCodeAt(0) - ("A".charCodeAt(0) - 1));
         }
+        else {
+            throw new ValidationError(`invalid character in rune label: '${char}' (only A-Z allowed)`, "label");
+        }
     }
     big = big - _1n;
     return Buff.big(big).reverse().hex;
 }
 function decode_rune_label(label) {
-    let big = Buff.bytes(label).reverse().big;
+    const normalized = normalize_script_word(label);
+    let big = Buff.bytes(normalized).reverse().big;
     big = big + _1n;
     let result = "";
     while (big > _0n) {
@@ -5837,7 +5774,7 @@ function encode_sequence(data) {
         const stamp = parse_stamp(data.stamp);
         return (TIMELOCK_TYPE | (stamp & TIMELOCK_VALUE_MASK)) >>> 0;
     }
-    throw new Error(`invalid timelock mode: ${data.mode}`);
+    throw new ValidationError(`invalid timelock mode: "${data.mode}". Valid modes are "height" or "stamp"`);
 }
 function decode_sequence(sequence) {
     const seq = parse_sequence(sequence);
@@ -5847,13 +5784,13 @@ function decode_sequence(sequence) {
     if (seq & TIMELOCK_TYPE) {
         const stamp = value * TIMELOCK_GRANULARITY;
         if (stamp > 0xffffffff) {
-            throw new Error("Decoded timestamp exceeds 32-bit limit");
+            throw new ValidationError(`decoded timestamp ${stamp} exceeds 32-bit limit (max: ${0xffffffff})`);
         }
         return { mode: "stamp", stamp };
     }
     else {
         if (value > TIMELOCK_VALUE_MAX) {
-            throw new Error("Decoded height exceeds maximum");
+            throw new ValidationError(`decoded height ${value} exceeds maximum (${TIMELOCK_VALUE_MAX})`);
         }
         return { mode: "height", height: value };
     }
@@ -5861,17 +5798,17 @@ function decode_sequence(sequence) {
 function parse_sequence(sequence) {
     const seq = typeof sequence === "string" ? parseInt(sequence, 16) : sequence;
     if (!Number.isInteger(seq) || seq < 0 || seq > 0xffffffff) {
-        throw new Error(`invalid sequence value: ${seq}`);
+        throw new ValidationError(`invalid sequence value: ${seq}. Must be an integer between 0 and 0xffffffff`);
     }
     return seq;
 }
 function parse_stamp(stamp) {
     if (stamp === undefined || !Number.isInteger(stamp)) {
-        throw new Error(`timestamp must be a number`);
+        throw new ValidationError(`timestamp must be an integer, got: ${stamp}`);
     }
     const ts = Math.floor(stamp / TIMELOCK_GRANULARITY);
     if (!Number.isInteger(ts) || ts < 0 || ts > TIMELOCK_VALUE_MAX) {
-        throw new Error(`timelock value must be an integer between 0 and ${TIMELOCK_VALUE_MAX} (in 512-second increments)`);
+        throw new ValidationError(`timelock value must be an integer between 0 and ${TIMELOCK_VALUE_MAX} (in 512-second increments)`);
     }
     return ts;
 }
@@ -5880,7 +5817,7 @@ function parse_height(height) {
         !Number.isInteger(height) ||
         height < 0 ||
         height > TIMELOCK_VALUE_MAX) {
-        throw new Error(`Heightlock value must be an integer between 0 and ${TIMELOCK_VALUE_MAX}`);
+        throw new ValidationError(`heightlock value must be an integer between 0 and ${TIMELOCK_VALUE_MAX}, got: ${height}`);
     }
     return height;
 }
@@ -5941,10 +5878,10 @@ var index$6 = /*#__PURE__*/Object.freeze({
 const MAX_TX_SIZE = 4_000_000;
 const MAX_TX_ELEMENTS = 100_000;
 function decode_tx(txdata, use_segwit = true) {
-    Assert.is_bytes(txdata, "txdata must be hex or bytes");
+    Assert$1.ok(typeof txdata === "string" || txdata instanceof Uint8Array, "txdata must be hex or bytes");
     const txSize = typeof txdata === "string" ? txdata.length / 2 : txdata.length;
     if (txSize > MAX_TX_SIZE) {
-        throw new Error(`Transaction size ${txSize} exceeds maximum ${MAX_TX_SIZE} bytes`);
+        throw new DecodingError(`Transaction size ${txSize} exceeds maximum ${MAX_TX_SIZE} bytes`);
     }
     const stream = new Stream(txdata);
     const version = read_version(stream);
@@ -5971,7 +5908,7 @@ function check_witness_flag(stream) {
             return true;
         }
         else {
-            throw new Error(`Invalid witness flag: ${flag}`);
+            throw new DecodingError(`Invalid witness flag: ${flag}`, 1);
         }
     }
     return false;
@@ -5980,7 +5917,7 @@ function read_inputs(stream) {
     const inputs = [];
     const vinCount = stream.read_varint();
     if (vinCount > MAX_TX_ELEMENTS) {
-        throw new Error(`Input count ${vinCount} exceeds maximum ${MAX_TX_ELEMENTS}`);
+        throw new DecodingError(`Input count ${vinCount} exceeds maximum ${MAX_TX_ELEMENTS}`);
     }
     for (let i = 0; i < vinCount; i++) {
         const txinput = read_vin(stream);
@@ -6021,14 +5958,15 @@ function read_outputs(stream) {
     const outputs = [];
     const vcount = stream.read_varint();
     if (vcount > MAX_TX_ELEMENTS) {
-        throw new Error(`Output count ${vcount} exceeds maximum ${MAX_TX_ELEMENTS}`);
+        throw new DecodingError(`Output count ${vcount} exceeds maximum ${MAX_TX_ELEMENTS}`);
     }
     for (let i = 0; i < vcount; i++) {
         try {
             outputs.push(read_vout(stream));
         }
-        catch (_error) {
-            throw new Error(`failed to decode output at index ${i}`);
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new DecodingError(`Failed to decode output at index ${i}: ${message}`);
         }
     }
     return outputs;
@@ -6036,19 +5974,19 @@ function read_outputs(stream) {
 function read_vout(stream) {
     const value = stream.read(8).reverse().big;
     const script_pk = read_payload(stream);
-    Assert.exists(script_pk, "failed to decode script_pk");
+    Assert$1.exists(script_pk, "failed to decode script_pk");
     return { value, script_pk };
 }
 function read_witness(stream) {
     const stack = [];
     const count = stream.read_varint();
     if (count > MAX_TX_ELEMENTS) {
-        throw new Error(`Witness element count ${count} exceeds maximum ${MAX_TX_ELEMENTS}`);
+        throw new DecodingError(`Witness element count ${count} exceeds maximum ${MAX_TX_ELEMENTS}`);
     }
     for (let i = 0; i < count; i++) {
         const element = read_payload(stream);
         if (element === null) {
-            throw new Error(`failed to decode witness element at index ${i}`);
+            throw new DecodingError(`Failed to decode witness element at index ${i}`);
         }
         stack.push(element);
     }
@@ -6057,7 +5995,7 @@ function read_witness(stream) {
 function read_payload(stream) {
     const size = stream.read_varint("le");
     if (size > MAX_VARINT_SIZE) {
-        throw new Error(`Payload size ${size} exceeds maximum ${MAX_VARINT_SIZE}`);
+        throw new DecodingError(`Payload size ${size} exceeds maximum ${MAX_VARINT_SIZE}`);
     }
     return size > 0 ? stream.read(size).hex : null;
 }
@@ -7240,7 +7178,7 @@ class Doc {
 const version = {
     major: 4,
     minor: 3,
-    patch: 5,
+    patch: 6,
 };
 
 const $ZodType = /*@__PURE__*/ $constructor("$ZodType", (inst, def) => {
@@ -8298,11 +8236,9 @@ const $ZodRecord = /*@__PURE__*/ $constructor("$ZodRecord", (inst, def) => {
                 if (keyResult instanceof Promise) {
                     throw new Error("Async schemas not supported in object keys currently");
                 }
-                // Numeric string fallback: if key failed with "expected number", retry with Number(key)
-                const checkNumericKey = typeof key === "string" &&
-                    number$1.test(key) &&
-                    keyResult.issues.length &&
-                    keyResult.issues.some((iss) => iss.code === "invalid_type" && iss.expected === "number");
+                // Numeric string fallback: if key is a numeric string and failed, retry with Number(key)
+                // This handles z.number(), z.literal([1, 2, 3]), and unions containing numeric literals
+                const checkNumericKey = typeof key === "string" && number$1.test(key) && keyResult.issues.length;
                 if (checkNumericKey) {
                     const retryResult = def.keyType._zod.run({ value: Number(key), issues: [] }, ctx);
                     if (retryResult instanceof Promise) {
@@ -9503,7 +9439,7 @@ function finalize(ctx, schema) {
                 }
             }
             // When ref was extracted to $defs, remove properties that match the definition
-            if (refSchema.$ref) {
+            if (refSchema.$ref && refSeen.def) {
                 for (const key in schema) {
                     if (key === "$ref" || key === "allOf")
                         continue;
@@ -10905,32 +10841,59 @@ var index$5 = /*#__PURE__*/Object.freeze({
     tx: tx
 });
 
+function format_zod_error(error) {
+    const issues = error.issues.map((issue) => {
+        const path = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
+        return `${path}${issue.message}`;
+    });
+    return issues.join("; ");
+}
 function assert_tx_template(txdata) {
-    tx_template.parse(txdata);
+    const result = tx_template.safeParse(txdata);
+    if (!result.success) {
+        throw new ValidationError(`invalid transaction template: ${format_zod_error(result.error)}`);
+    }
 }
 function assert_has_prevouts(vin) {
-    if (vin.some((txin) => txin.prevout === null)) {
-        throw new Error("transaction missing prevouts");
+    const missingIdx = vin.findIndex((txin) => txin.prevout === null || txin.prevout === undefined);
+    if (missingIdx !== -1) {
+        throw new ValidationError(`transaction input at index ${missingIdx} is missing prevout data. ` +
+            `Prevout (previous output) is required for signing`);
     }
 }
 function assert_tx_data(txdata) {
-    tx_data.parse(txdata);
+    const result = tx_data.safeParse(txdata);
+    if (!result.success) {
+        throw new ValidationError(`invalid transaction data: ${format_zod_error(result.error)}`);
+    }
 }
 function assert_tx_spend_data(txdata) {
     assert_tx_data(txdata);
     assert_has_prevouts(txdata.vin);
 }
 function assert_tx_input(tx_input$1) {
-    tx_input.parse(tx_input$1);
+    const result = tx_input.safeParse(tx_input$1);
+    if (!result.success) {
+        throw new ValidationError(`invalid transaction input: ${format_zod_error(result.error)}`);
+    }
 }
 function assert_tx_output(tx_output$1) {
-    tx_output.parse(tx_output$1);
+    const result = tx_output.safeParse(tx_output$1);
+    if (!result.success) {
+        throw new ValidationError(`invalid transaction output: ${format_zod_error(result.error)}`);
+    }
 }
 function assert_vin_template(vin) {
-    vin_template.parse(vin);
+    const result = vin_template.safeParse(vin);
+    if (!result.success) {
+        throw new ValidationError(`invalid input template: ${format_zod_error(result.error)}`);
+    }
 }
 function assert_vout_template(vout) {
-    vout_template.parse(vout);
+    const result = vout_template.safeParse(vout);
+    if (!result.success) {
+        throw new ValidationError(`invalid output template: ${format_zod_error(result.error)}`);
+    }
 }
 
 function encode_tx(txdata, use_segwit = true) {
@@ -11013,7 +10976,7 @@ function encode_tx_locktime(locktime) {
 }
 function encode_script_data(script) {
     if (script !== null) {
-        Assert.is_hex(script);
+        Assert$1.is_hex(script);
         return Buff.hex(script).prefix_varint("le");
     }
     else {
@@ -11031,10 +10994,10 @@ function parse_tx(txdata, prevouts) {
         tx = create_tx(txdata);
     }
     if (prevouts) {
-        Assert.has_items(prevouts, "prevouts must be a non-empty array");
+        Assert$1.has_items(prevouts, "prevouts must be a non-empty array");
         for (const [idx, vin] of tx.vin.entries()) {
             const prevout = prevouts.at(idx);
-            Assert.exists(prevout, `prevout not found for input index: ${idx}`);
+            Assert$1.exists(prevout, `prevout not found for input index: ${idx}`);
             vin.prevout = create_tx_output(prevout);
         }
     }
@@ -11050,14 +11013,14 @@ function serialize_tx(txdata) {
         if (e.prevout !== null) {
             vin.push({
                 script_pk: e.prevout.script_pk,
-                value: Number(e.prevout.value),
+                value: String(e.prevout.value),
             });
         }
     }
     for (const e of tx.vout) {
         vout.push({
             script_pk: e.script_pk,
-            value: Number(e.value),
+            value: String(e.value),
         });
     }
     return { version, locktime, vin, vout };
@@ -11077,7 +11040,7 @@ function get_txid(txdata) {
         buffer = encode_tx(txdata, false);
     }
     else if (typeof txdata === "string") {
-        Assert.is_hex(txdata);
+        Assert$1.is_hex(txdata);
         buffer = transcode_tx(txdata, false);
     }
     else {
@@ -11103,7 +11066,7 @@ function get_tx_value(txdata) {
 function get_prevouts(txdata) {
     assert_tx_template(txdata);
     const prevouts = txdata.vin.map((e) => e.prevout);
-    Assert.ok(prevouts.every((e) => e !== null), "prevouts missing from tx");
+    Assert$1.ok(prevouts.every((e) => e !== null), "prevouts missing from tx");
     return prevouts;
 }
 function normalize_sequence(sequence) {
@@ -11131,7 +11094,7 @@ function normalize_prevout(prevout) {
 
 function create_coinbase_input(config) {
     assert_vin_template(config);
-    Assert.exists(config.coinbase, "coinbase is required");
+    Assert$1.exists(config.coinbase, "coinbase is required");
     const txid = COINBASE.TXID;
     const vout = COINBASE.VOUT;
     const coinbase = config.coinbase;
@@ -11149,8 +11112,8 @@ function create_coinbase_input(config) {
 }
 function create_virtual_input(config) {
     assert_vin_template(config);
-    Assert.is_empty(config.coinbase, "coinbase is not allowed");
-    Assert.is_empty(config.prevout, "prevout is not allowed");
+    Assert$1.is_empty(config.coinbase, "coinbase is not allowed");
+    Assert$1.is_empty(config.prevout, "prevout is not allowed");
     const { txid, vout, script_sig = null, witness = [] } = config;
     const sequence = normalize_sequence(config.sequence);
     return {
@@ -11165,7 +11128,7 @@ function create_virtual_input(config) {
 }
 function create_spend_input(config) {
     assert_vin_template(config);
-    Assert.exists(config.prevout, "prevout is required");
+    Assert$1.exists(config.prevout, "prevout is required");
     const { txid, vout, script_sig = null, witness = [] } = config;
     const prevout = normalize_prevout(config.prevout);
     const sequence = normalize_sequence(config.sequence);
@@ -11197,16 +11160,14 @@ function create_tx(config) {
 const WIT_FLAG_BYTES = 2;
 function get_vsize(bytes) {
     const weight = Buff.bytes(bytes).length;
-    const remain = weight % 4 > 0 ? 1 : 0;
-    return Math.ceil(weight / 4) + remain;
+    return Math.ceil(weight / 4);
 }
 function get_txsize(txdata) {
     const json = parse_tx(txdata);
     const base = encode_tx(json, false).length;
     const total = encode_tx(json, true).length;
     const weight = base * 3 + total;
-    const remain = weight % 4 > 0 ? 1 : 0;
-    const vsize = Math.ceil(weight / 4) + remain;
+    const vsize = Math.ceil(weight / 4);
     return { base, total, vsize, weight };
 }
 function get_vin_size(vin) {
@@ -11284,18 +11245,18 @@ var index$4 = /*#__PURE__*/Object.freeze({
 });
 
 function get_prevout(vin) {
-    Assert.exists(vin.prevout, `Prevout data missing for input: ${String(vin.txid)}`);
+    Assert$1.exists(vin.prevout, `Prevout data missing for input: ${String(vin.txid)}`);
     return vin.prevout;
 }
 function parse_txinput(txdata, config) {
     let { txindex, txinput } = config ?? {};
     if (txindex !== undefined) {
         if (txindex >= txdata.vin.length) {
-            throw new Error(`Input index out of bounds: ${String(txindex)}`);
+            throw new ValidationError(`input index ${txindex} out of bounds. Transaction has ${txdata.vin.length} inputs (indices 0-${txdata.vin.length - 1})`);
         }
         txinput = txdata.vin.at(txindex);
     }
-    Assert.ok(txinput !== undefined);
+    Assert$1.ok(txinput !== undefined);
     return txinput;
 }
 function get_annex_data(witness) {
@@ -11317,14 +11278,16 @@ function hash_segwit_tx(txdata, options = {}) {
     const is_anypay = (sigflag & 0x80) === 0x80;
     const flag = sigflag % 0x80;
     if (!SIGHASH_SEGWIT.includes(flag)) {
-        throw new Error(`Invalid hash type: ${String(sigflag)}`);
+        throw new ValidationError(`invalid sighash type: 0x${sigflag.toString(16)}. ` +
+            `Valid values: SIGHASH_ALL (0x01), SIGHASH_NONE (0x02), SIGHASH_SINGLE (0x03), ` +
+            `or combined with ANYONECANPAY (0x81, 0x82, 0x83)`);
     }
     const { version, vin, vout, locktime } = tx;
     const txinput = parse_txinput(tx, options);
     const { txid, vout: prevIdx, prevout, sequence } = txinput;
     const { value } = prevout ?? {};
     if (value === undefined) {
-        throw new Error("Prevout value is empty!");
+        throw new ValidationError("Prevout value is required for segwit sighash calculation", "prevout.value");
     }
     let { pubkey, script } = options;
     if (script === undefined && pubkey !== undefined) {
@@ -11332,10 +11295,10 @@ function hash_segwit_tx(txdata, options = {}) {
         script = `76a914${String(pkhash)}88ac`;
     }
     if (script === undefined) {
-        throw new Error("No pubkey / script has been set!");
+        throw new ValidationError("Either pubkey or script must be provided for segwit sighash", "pubkey/script");
     }
     if (decode_script(script).includes("OP_CODESEPARATOR")) {
-        throw new Error("This library does not currently support the use of OP_CODESEPARATOR in segwit scripts.");
+        throw new ValidationError("OP_CODESEPARATOR is not supported in segwit scripts", "script");
     }
     const sighash = [
         encode_tx_version(version),
@@ -11383,8 +11346,8 @@ function bip143_hash_outputs(vout, sigflag, idx) {
         return hash256(Buff.join(stack));
     }
     if (sigflag === 0x03) {
-        Assert.ok(idx !== undefined, "txindex required for SIGHASH_SINGLE");
-        Assert.ok(idx >= 0, "txindex must be non-negative");
+        Assert$1.ok(idx !== undefined, "txindex required for SIGHASH_SINGLE");
+        Assert$1.ok(idx >= 0, "txindex must be non-negative");
         if (idx < vout.length) {
             const { value, script_pk } = vout[idx];
             stack.push(encode_vout_value(value));
@@ -11414,7 +11377,7 @@ function encode_leaf_version(version = 0xc0) {
     return version & 0xfe;
 }
 function encode_taptweak(pubkey, data = new Uint8Array()) {
-    Assert.size(pubkey, 32);
+    Assert$1.ok(Buff.bytes(pubkey).length === 32, "pubkey must be 32 bytes");
     return hash340("TapTweak", pubkey, data);
 }
 
@@ -11429,10 +11392,12 @@ function get_taproot_tx_preimage(template, config = {}) {
     const txinput = parse_txinput(tx, config);
     const { txid, vout, sequence, witness = [] } = txinput;
     if (!SIGHASH_TAPROOT.includes(sigflag)) {
-        throw new Error(`Invalid hash type: ${String(sigflag)}`);
+        throw new ValidationError(`invalid taproot sighash type: 0x${sigflag.toString(16)}. ` +
+            `Valid values: SIGHASH_DEFAULT (0x00), SIGHASH_ALL (0x01), SIGHASH_NONE (0x02), SIGHASH_SINGLE (0x03), ` +
+            `or combined with ANYONECANPAY (0x81, 0x82, 0x83)`);
     }
     if (extflag < 0 || extflag > 127) {
-        throw new Error(`Extention flag out of range: ${String(extflag)}`);
+        throw new ValidationError(`extension flag out of range: ${extflag}. Valid range is 0-127`);
     }
     let { extension } = config;
     if (script !== undefined) {
@@ -11462,15 +11427,15 @@ function get_taproot_tx_preimage(template, config = {}) {
         preimage.push(encode_txin_txid(txid), encode_txin_vout(vout), encode_vout_value(value), encode_script_data(script_pk), encode_txin_sequence(sequence));
     }
     else {
-        Assert.ok(typeof txindex === "number");
+        Assert$1.ok(typeof txindex === "number");
         preimage.push(Buff.num(txindex, 4).reverse());
     }
     if (annex !== undefined) {
         preimage.push(annex);
     }
     if ((sigflag & 0x03) === 0x03) {
-        Assert.ok(typeof txindex === "number", "txindex required for SIGHASH_SINGLE");
-        Assert.ok(txindex >= 0 && txindex < output.length, `txindex ${txindex} out of bounds for ${output.length} outputs`);
+        Assert$1.ok(typeof txindex === "number", "txindex required for SIGHASH_SINGLE");
+        Assert$1.ok(txindex >= 0 && txindex < output.length, `txindex ${txindex} out of bounds for ${output.length} outputs`);
         preimage.push(bip341_hash_output(output[txindex]));
     }
     if (extension !== undefined) {
@@ -11529,31 +11494,31 @@ var index$3 = /*#__PURE__*/Object.freeze({
 const SECKEY_REGEX = /^[0-9a-fA-F]{64}$/;
 function validate_seckey(seckey) {
     if (typeof seckey !== "string") {
-        throw new Error("Secret key must be a string");
+        throw new ValidationError("Secret key must be a string", "seckey");
     }
     if (!SECKEY_REGEX.test(seckey)) {
-        throw new Error("Invalid secret key format: expected 32-byte hex string (64 characters)");
+        throw new ValidationError("Invalid secret key format: expected 32-byte hex string (64 characters)", "seckey");
     }
 }
 function validate_sighash_options(options, validFlags) {
     const { sigflag, txindex } = options;
     if (sigflag !== undefined) {
         if (typeof sigflag !== "number" || !Number.isInteger(sigflag)) {
-            throw new Error("sigflag must be an integer");
+            throw new ConfigError("sigflag must be an integer");
         }
         const normalizedFlag = sigflag & 0x7f;
         const isAnypay = (sigflag & 0x80) === 0x80;
         const baseFlag = isAnypay ? normalizedFlag | 0x80 : normalizedFlag;
         if (!validFlags.includes(baseFlag) &&
             !validFlags.includes(normalizedFlag)) {
-            throw new Error(`Invalid sigflag: ${sigflag}`);
+            throw new ConfigError(`Invalid sigflag: ${sigflag}`);
         }
     }
     if (txindex !== undefined) {
         if (typeof txindex !== "number" ||
             !Number.isInteger(txindex) ||
             txindex < 0) {
-            throw new Error("txindex must be a non-negative integer");
+            throw new ValidationError("txindex must be a non-negative integer", "txindex");
         }
     }
 }
@@ -11668,8 +11633,8 @@ function parse_witness_version(type) {
 
 function parse_taproot_witness(witness) {
     const { cblock, params, script } = parse_witness(witness);
-    Assert.exists(cblock, "cblock is null");
-    Assert.exists(script, "script is null");
+    Assert$1.exists(cblock, "cblock is null");
+    Assert$1.exists(script, "script is null");
     const cblk = parse_cblock(cblock);
     const target = encode_tapscript(script, cblk.version);
     let branch = target.hex;
@@ -11678,8 +11643,8 @@ function parse_taproot_witness(witness) {
     }
     const tweak = encode_taptweak(cblk.int_key, branch);
     const tapkey = tweak_pubkey(cblk.int_key, tweak, "bip340");
-    params.map((e) => Buff.bytes(e).hex);
-    return { cblock: cblk, params, script, tapkey: tapkey.hex, tweak: tweak.hex };
+    const hexParams = params.map((e) => Buff.bytes(e).hex);
+    return { cblock: cblk, params: hexParams, script, tapkey: tapkey.hex, tweak: tweak.hex };
 }
 function parse_cblock(cblock) {
     const buffer = new Stream(cblock);
@@ -11691,21 +11656,21 @@ function parse_cblock(cblock) {
         path.push(buffer.read(32).hex);
     }
     if (buffer.size !== 0) {
-        throw new Error(`Non-empty buffer on control block: ${String(buffer)}`);
+        throw new DecodingError(`control block has ${buffer.size} extra bytes. Expected: 33 + (32 * path_length) bytes`);
     }
     return { int_key, path, parity, version };
 }
 function parse_cblock_parity(cbits) {
-    return cbits % 2 === 0 ? [cbits - 0, 0x02] : [cbits - 1, 0x03];
+    return cbits % 2 === 0 ? [cbits, 0x02] : [cbits - 1, 0x03];
 }
 function parse_pubkey_parity(pubkey) {
-    Assert.size(pubkey, 33, "invalid pubkey size");
+    Assert$1.ok(Buff.bytes(pubkey).length === 33, "invalid pubkey size");
     const [parity] = Buff.bytes(pubkey);
     if (parity === 0x02)
         return 0;
     if (parity === 0x03)
         return 1;
-    throw new Error(`Invalid parity bit: ${String(parity)}`);
+    throw new ValidationError(`invalid pubkey parity prefix: 0x${parity.toString(16)}. Expected 0x02 (even) or 0x03 (odd)`);
 }
 
 const MAX_TAPROOT_DEPTH = 128;
@@ -11714,12 +11679,12 @@ function get_merkle_root(leaves) {
 }
 function merkleize(taptree, target, path = [], depth = 0) {
     if (depth > MAX_TAPROOT_DEPTH) {
-        throw new Error(`Taproot tree depth ${depth} exceeds maximum ${MAX_TAPROOT_DEPTH}`);
+        throw new ValidationError(`Taproot tree depth ${depth} exceeds maximum ${MAX_TAPROOT_DEPTH}`, "depth");
     }
     const leaves = [];
     const tree = [];
     if (taptree.length < 1) {
-        throw new Error("Tree is empty!");
+        throw new ValidationError("Taproot tree cannot be empty", "taptree");
     }
     for (let i = 0; i < taptree.length; i++) {
         const bytes = taptree[i];
@@ -11796,7 +11761,7 @@ function create_taproot(config$1) {
     };
 }
 function verify_taproot(tapkey, target, cblock) {
-    Assert.size(tapkey, 32);
+    Assert$1.ok(Buff.bytes(tapkey).length === 32, "tapkey must be 32 bytes");
     const { parity, path, int_key } = parse_cblock(cblock);
     const ext_key = Buff.join([parity, tapkey]);
     let branch = Buff.bytes(target).hex;
@@ -11824,7 +11789,7 @@ function verify_tx(txdata, options = {}) {
         if (!result.valid) {
             allValid = false;
             if (throws) {
-                throw new Error(`Input ${i} verification failed: ${result.error}`);
+                throw new ValidationError(`Input ${i} verification failed: ${result.error}`, `vin[${i}]`);
             }
         }
     }
@@ -11849,12 +11814,11 @@ function verify_input(tx, vin, index, options) {
         if (prevout === null || prevout === undefined) {
             return { index, valid: false, type, error: "Missing prevout data" };
         }
-        const scriptType = get_lock_script_type(prevout.script_pk);
         if (version === 0) {
             return verify_segwit_input(tx, vin, index, witnessData);
         }
         else if (version === 1) {
-            return verify_taproot_input(tx, vin, index, witnessData, scriptType, options);
+            return verify_taproot_input(tx, vin, index, witnessData, options);
         }
         return {
             index,
@@ -11936,7 +11900,7 @@ function verify_segwit_input(tx, vin, index, witnessData, options) {
         error: isValid ? undefined : "Invalid ECDSA signature",
     };
 }
-function verify_taproot_input(tx, vin, index, witnessData, _scriptType, options) {
+function verify_taproot_input(tx, vin, index, witnessData, options) {
     const { type, params, script, cblock } = witnessData;
     if (vin.prevout == null) {
         return {
@@ -12024,12 +11988,12 @@ function parse_schnorr_signature(sigHex) {
     else if (sigBytes.length === 65) {
         const sigflag = sigBytes.at(-1) ?? 0x00;
         if (sigflag === 0x00) {
-            throw new Error("0x00 is not a valid appended sigflag");
+            throw new ValidationError("0x00 is not a valid appended sigflag (use 64-byte signature for SIGHASH_DEFAULT)", "sigflag");
         }
         const signature = sigBytes.slice(0, 64).hex;
         return { signature, sigflag };
     }
-    throw new Error(`Invalid Schnorr signature length: ${sigBytes.length}`);
+    throw new ValidationError(`Invalid Schnorr signature length: ${sigBytes.length} (expected 64 or 65 bytes)`, "signature");
 }
 
 var index$2 = /*#__PURE__*/Object.freeze({
@@ -12064,8 +12028,8 @@ function get_witness_size(witness) {
     return { total: size, vsize };
 }
 function assert_witness(witness) {
-    Assert.ok(Array.isArray(witness), "witness must be an array");
-    Assert.ok(witness.every((e) => Buff.is_bytes(e)), "witness must be an array of strings or bytes");
+    Assert$1.ok(Array.isArray(witness), "witness must be an array");
+    Assert$1.ok(witness.every((e) => Buff.is_bytes(e)), "witness must be an array of strings or bytes");
 }
 
 var index = /*#__PURE__*/Object.freeze({
@@ -12075,5 +12039,5 @@ var index = /*#__PURE__*/Object.freeze({
     parse_witness: parse_witness
 });
 
-export { index$8 as ADDRESS, _const as CONST, index$7 as META, index$5 as SCHEMA, index$6 as SCRIPT, index$3 as SIGHASH, index$2 as SIGNER, index$1 as TAPROOT, index$4 as TX, index as WITNESS };
+export { index$8 as ADDRESS, _const as CONST, ConfigError, DecodingError, index$7 as META, index$5 as SCHEMA, index$6 as SCRIPT, index$3 as SIGHASH, index$2 as SIGNER, index$1 as TAPROOT, index$4 as TX, ValidationError, index as WITNESS };
 //# sourceMappingURL=module.mjs.map