npm - @waku/enr - Versions diffs - 0.0.25-ce62600.0 → 0.0.25 - Mend

@waku/enr 0.0.25-ce62600.0 → 0.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/bundle/index.js CHANGED Viewed

@@ -1338,7 +1338,7 @@ const _0n$5 = BigInt(0);
 const _1n$7 = BigInt(1);
 const _2n$5 = BigInt(2);
 const _3n$2 = BigInt(3);
-const _8n$2 = BigInt(8);
+const _8n$3 = BigInt(8);
 const CURVE = Object.freeze({
     a: _0n$5,
     b: BigInt(7),
@@ -1442,7 +1442,7 @@ class JacobianPoint {
         const E = mod$1(_3n$2 * A);
         const F = mod$1(E * E);
         const X3 = mod$1(F - _2n$5 * D);
-        const Y3 = mod$1(E * (D - X3) - _8n$2 * C);
+        const Y3 = mod$1(E * (D - X3) - _8n$3 * C);
         const Z3 = mod$1(_2n$5 * Y1 * Z1);
         return new JacobianPoint(X3, Y3, Z3);
     }
@@ -1542,12 +1542,12 @@ class JacobianPoint {
         if (256 % W) {
             throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
         }
-        let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
+        let precomputes = affinePoint && pointPrecomputes$1.get(affinePoint);
         if (!precomputes) {
             precomputes = this.precomputeWindow(W);
             if (affinePoint && W !== 1) {
                 precomputes = JacobianPoint.normalizeZ(precomputes);
-                pointPrecomputes.set(affinePoint, precomputes);
+                pointPrecomputes$1.set(affinePoint, precomputes);
             }
         }
         let p = JacobianPoint.ZERO;
@@ -1603,7 +1603,7 @@ class JacobianPoint {
         const { x, y, z } = this;
         const is0 = this.equals(JacobianPoint.ZERO);
         if (invZ == null)
-            invZ = is0 ? _8n$2 : invert$1(z);
+            invZ = is0 ? _8n$3 : invert$1(z);
         const iz1 = invZ;
         const iz2 = mod$1(iz1 * iz1);
         const iz3 = mod$1(iz2 * iz1);
@@ -1623,7 +1623,7 @@ function constTimeNegate(condition, item) {
     const neg = item.negate();
     return condition ? neg : item;
 }
-const pointPrecomputes = new WeakMap();
+const pointPrecomputes$1 = new WeakMap();
 class Point {
     constructor(x, y) {
         this.x = x;
@@ -1631,7 +1631,7 @@ class Point {
     }
     _setWindowSize(windowSize) {
         this._WINDOW_SIZE = windowSize;
-        pointPrecomputes.delete(this);
+        pointPrecomputes$1.delete(this);
     }
     hasEvenY() {
         return this.y % _2n$5 === _0n$5;
@@ -3477,6 +3477,11 @@ var ProtocolError;
      * Ensure that the pubsub topic used for decoder creation is the same as the one used for protocol.
      */
     ProtocolError["TOPIC_DECODER_MISMATCH"] = "Topic decoder mismatch";
+    /**
+     * The topics passed in the decoders do not match each other, or don't exist at all.
+     * Ensure that all the pubsub topics used in the decoders are valid and match each other.
+     */
+    ProtocolError["INVALID_DECODER_TOPICS"] = "Invalid decoder topics";
     /**
      * Failure to find a peer with suitable protocols. This may due to a connection issue.
      * Mitigation can be: retrying after a given time period, display connectivity issue
@@ -3493,7 +3498,7 @@ var ProtocolError;
      * The remote peer did not behave as expected. Mitigation for `NO_PEER_AVAILABLE`
      * or `DECODE_FAILED` can be used.
      */
-    ProtocolError["REMOTE_PEER_FAULT"] = "Remote peer fault";
+    ProtocolError["NO_RESPONSE"] = "No response received";
     /**
      * The remote peer rejected the message. Information provided by the remote peer
      * is logged. Review message validity, or mitigation for `NO_PEER_AVAILABLE`
@@ -3505,14 +3510,28 @@ var ProtocolError;
      * Mitigation can be: retrying after a given time period
      */
     ProtocolError["REQUEST_TIMEOUT"] = "Request timeout";
+    /**
+     * Missing credentials info message.
+     * nwaku: https://github.com/waku-org/nwaku/blob/c3cb06ac6c03f0f382d3941ea53b330f6a8dd127/waku/waku_rln_relay/group_manager/group_manager_base.nim#L186
+     */
+    ProtocolError["RLN_IDENTITY_MISSING"] = "Identity credentials are not set";
+    /**
+     * Membership index missing info message.
+     * nwaku: https://github.com/waku-org/nwaku/blob/c3cb06ac6c03f0f382d3941ea53b330f6a8dd127/waku/waku_rln_relay/group_manager/group_manager_base.nim#L188
+     */
+    ProtocolError["RLN_MEMBERSHIP_INDEX"] = "Membership index is not set";
+    /**
+     * Message limit is missing.
+     * nwaku: https://github.com/waku-org/nwaku/blob/c3cb06ac6c03f0f382d3941ea53b330f6a8dd127/waku/waku_rln_relay/group_manager/group_manager_base.nim#L190
+     */
+    ProtocolError["RLN_LIMIT_MISSING"] = "User message limit is not set";
+    /**
+     * General proof generation error message.
+     * nwaku: https://github.com/waku-org/nwaku/blob/c3cb06ac6c03f0f382d3941ea53b330f6a8dd127/waku/waku_rln_relay/group_manager/group_manager_base.nim#L201C19-L201C42
+     */
+    ProtocolError["RLN_PROOF_GENERATION"] = "Proof generation failed";
 })(ProtocolError || (ProtocolError = {}));
-var PageDirection;
-(function (PageDirection) {
-    PageDirection["BACKWARD"] = "backward";
-    PageDirection["FORWARD"] = "forward";
-})(PageDirection || (PageDirection = {}));
 var Tags;
 (function (Tags) {
     Tags["BOOTSTRAP"] = "bootstrap";
@@ -3531,6 +3550,13 @@ var EConnectionStateEvents;
     EConnectionStateEvents["CONNECTION_STATUS"] = "waku:connection";
 })(EConnectionStateEvents || (EConnectionStateEvents = {}));
+var HealthStatus;
+(function (HealthStatus) {
+    HealthStatus["Unhealthy"] = "Unhealthy";
+    HealthStatus["MinimallyHealthy"] = "MinimallyHealthy";
+    HealthStatus["SufficientlyHealthy"] = "SufficientlyHealthy";
+})(HealthStatus || (HealthStatus = {}));
 const decodeRelayShard = (bytes) => {
     // explicitly converting to Uint8Array to avoid Buffer
     // https://github.com/libp2p/js-libp2p/issues/2146
@@ -4137,6 +4163,8 @@ var common = setup;
 			return false;
 		}
+		let m;
 		// Is webkit? http://stackoverflow.com/a/16459606/376773
 		// document is undefined in react-native: https://github.com/facebook/react-native/pull/1632
 		return (typeof document !== 'undefined' && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
@@ -4144,7 +4172,7 @@ var common = setup;
 			(typeof window !== 'undefined' && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
 			// Is firefox >= v31?
 			// https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
-			(typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/) && parseInt(RegExp.$1, 10) >= 31) ||
+			(typeof navigator !== 'undefined' && navigator.userAgent && (m = navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/)) && parseInt(m[1], 10) >= 31) ||
 			// Double check webkit in userAgent just in case we are in a worker
 			(typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/applewebkit\/(\d+)/));
 	}
@@ -4981,6 +5009,7 @@ const table = [
     [478, 0, 'wss'],
     [479, 0, 'p2p-websocket-star'],
     [480, 0, 'http'],
+    [481, V, 'http-path'],
     [777, V, 'memory']
 ];
 // populate tables
@@ -5066,6 +5095,8 @@ function convertToString(proto, buf) {
             return bytes2onion(buf);
         case 466: // certhash
             return bytes2mb(buf);
+        case 481: // http-path
+            return globalThis.encodeURIComponent(bytes2str(buf));
         default:
             return toString$1(buf, 'base16'); // no clue. convert to hex
     }
@@ -5100,6 +5131,8 @@ function convertToBytes(proto, str) {
             return onion32bytes(str);
         case 466: // certhash
             return mb2bytes(str);
+        case 481: // http-path
+            return str2bytes(globalThis.decodeURIComponent(str));
         default:
             return fromString(str, 'base16'); // no clue. convert from hex
     }
@@ -6004,9 +6037,9 @@ const sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
 // This is OK: `abstract` directory does not use noble-hashes.
 // User may opt-in into using different hashing library. This way, noble-hashes
 // won't be included into their bundle.
-const _0n$4 = BigInt(0);
-const _1n$6 = BigInt(1);
-const _2n$4 = BigInt(2);
+const _0n$4 = /* @__PURE__ */ BigInt(0);
+const _1n$6 = /* @__PURE__ */ BigInt(1);
+const _2n$4 = /* @__PURE__ */ BigInt(2);
 function isBytes$1(a) {
     return (a instanceof Uint8Array ||
         (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
@@ -6015,6 +6048,10 @@ function abytes(item) {
     if (!isBytes$1(item))
         throw new Error('Uint8Array expected');
 }
+function abool(title, value) {
+    if (typeof value !== 'boolean')
+        throw new Error(`${title} must be valid boolean, got "${value}".`);
+}
 // Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
 /**
@@ -6157,6 +6194,25 @@ function utf8ToBytes(str) {
         throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
+// Is positive bigint
+const isPosBig = (n) => typeof n === 'bigint' && _0n$4 <= n;
+function inRange(n, min, max) {
+    return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+/**
+ * Asserts min <= n < max. NOTE: It's < max and not <= max.
+ * @example
+ * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
+ */
+function aInRange(title, n, min, max) {
+    // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?
+    // consider P=256n, min=0n, max=P
+    // - a for min=0 would require -1:          `inRange('x', x, -1n, P)`
+    // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`
+    // - our way is the cleanest:               `inRange('x', x, 0n, P)
+    if (!inRange(n, min, max))
+        throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
+}
 // Bit operations
 /**
  * Calculates amount of bits in a bigint.
@@ -6287,9 +6343,32 @@ function validateObject(object, validators, optValidators = {}) {
 // const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
 // const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
 // const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
+/**
+ * throws not implemented error
+ */
+const notImplemented = () => {
+    throw new Error('not implemented');
+};
+/**
+ * Memoizes (caches) computation result.
+ * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
+ */
+function memoized(fn) {
+    const map = new WeakMap();
+    return (arg, ...args) => {
+        const val = map.get(arg);
+        if (val !== undefined)
+            return val;
+        const computed = fn(arg, ...args);
+        map.set(arg, computed);
+        return computed;
+    };
+}
 var ut = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    aInRange: aInRange,
+    abool: abool,
     abytes: abytes,
     bitGet: bitGet,
     bitLen: bitLen,
@@ -6304,7 +6383,10 @@ var ut = /*#__PURE__*/Object.freeze({
     equalBytes: equalBytes,
     hexToBytes: hexToBytes,
     hexToNumber: hexToNumber,
+    inRange: inRange,
     isBytes: isBytes$1,
+    memoized: memoized,
+    notImplemented: notImplemented,
     numberToBytesBE: numberToBytesBE,
     numberToBytesLE: numberToBytesLE,
     numberToHexUnpadded: numberToHexUnpadded,
@@ -6318,7 +6400,7 @@ var ut = /*#__PURE__*/Object.freeze({
 // prettier-ignore
 const _0n$3 = BigInt(0), _1n$5 = BigInt(1), _2n$3 = BigInt(2), _3n$1 = BigInt(3);
 // prettier-ignore
-const _4n = BigInt(4), _5n$1 = BigInt(5), _8n$1 = BigInt(8);
+const _4n = BigInt(4), _5n$1 = BigInt(5), _8n$2 = BigInt(8);
 // prettier-ignore
 BigInt(9); BigInt(16);
 // Calculates a modulo b
@@ -6464,8 +6546,8 @@ function FpSqrt(P) {
         };
     }
     // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
-    if (P % _8n$1 === _5n$1) {
-        const c1 = (P - _5n$1) / _8n$1;
+    if (P % _8n$2 === _5n$1) {
+        const c1 = (P - _5n$1) / _8n$2;
         return function sqrt5mod8(Fp, n) {
             const n2 = Fp.mul(n, _2n$3);
             const v = Fp.pow(n2, c1);
@@ -6563,6 +6645,9 @@ function nLength(n, nBitLength) {
  * * a) denormalized operations like mulN instead of mul
  * * b) same object shape: never add or remove keys
  * * c) Object.freeze
+ * NOTE: operations don't check 'isValid' for all elements for performance reasons,
+ * it is caller responsibility to check this.
+ * This is low-level code, please make sure you know what you doing.
  * @param ORDER prime positive bigint
  * @param bitLen how many bits the field consumes
  * @param isLE (def: false) if encoding / decoding should be in little-endian
@@ -6618,12 +6703,6 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
     });
     return Object.freeze(f);
 }
-function FpSqrtEven(Fp, elm) {
-    if (!Fp.isOdd)
-        throw new Error(`Field doesn't have isOdd`);
-    const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.neg(root) : root;
-}
 /**
  * Returns total number of bytes consumed by the field element.
  * For example, 32 bytes for usual 256-bit weierstrass curve.
@@ -6677,6 +6756,10 @@ function mapHashToField(key, fieldOrder, isLE = false) {
 // Abelian group utilities
 const _0n$2 = BigInt(0);
 const _1n$4 = BigInt(1);
+// Since points in different groups cannot be equal (different object constructor),
+// we can have single place to store precomputes
+const pointPrecomputes = new WeakMap();
+const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
 // Elliptic curve multiplication of Point by scalar. Fragile.
 // Scalars should always be less than curve order: this should be checked inside of a curve itself.
 // Creates precomputation tables for fast multiplication:
@@ -6693,7 +6776,12 @@ function wNAF(c, bits) {
         const neg = item.negate();
         return condition ? neg : item;
     };
+    const validateW = (W) => {
+        if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+            throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
+    };
     const opts = (W) => {
+        validateW(W);
         const windows = Math.ceil(bits / W) + 1; // +1, because
         const windowSize = 2 ** (W - 1); // -1 because we skip zero
         return { windows, windowSize };
@@ -6793,19 +6881,25 @@ function wNAF(c, bits) {
             // which makes it less const-time: around 1 bigint multiply.
             return { p, f };
         },
-        wNAFCached(P, precomputesMap, n, transform) {
-            // @ts-ignore
-            const W = P._WINDOW_SIZE || 1;
+        wNAFCached(P, n, transform) {
+            const W = pointWindowSizes.get(P) || 1;
             // Calculate precomputes on a first run, reuse them after
-            let comp = precomputesMap.get(P);
+            let comp = pointPrecomputes.get(P);
             if (!comp) {
                 comp = this.precomputeWindow(P, W);
-                if (W !== 1) {
-                    precomputesMap.set(P, transform(comp));
-                }
+                if (W !== 1)
+                    pointPrecomputes.set(P, transform(comp));
             }
             return this.wNAF(W, comp, n);
         },
+        // We calculate precomputes for elliptic curve point multiplication
+        // using windowed method. This specifies window size and
+        // stores precomputed values. Usually only base point would be precomputed.
+        setWindowSize(P, W) {
+            validateW(W);
+            pointWindowSizes.set(P, W);
+            pointPrecomputes.delete(P);
+        },
     };
 }
 function validateBasic(curve) {
@@ -6831,7 +6925,7 @@ function validateBasic(curve) {
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
-const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n = BigInt(8);
+const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n$1 = BigInt(8);
 // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
 const VERIFY_DEFAULT = { zip215: true };
 function validateOpts$1(curve) {
@@ -6850,7 +6944,13 @@ function validateOpts$1(curve) {
     // Set defaults
     return Object.freeze({ ...opts });
 }
-// It is not generic twisted curve for now, but ed25519/ed448 generic implementation
+/**
+ * Creates Twisted Edwards curve with EdDSA signatures.
+ * @example
+ * import { Field } from '@noble/curves/abstract/modular';
+ * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h
+ * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })
+ */
 function twistedEdwards(curveDef) {
     const CURVE = validateOpts$1(curveDef);
     const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
@@ -6869,28 +6969,59 @@ function twistedEdwards(curveDef) {
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
     const domain = CURVE.domain ||
         ((data, ctx, phflag) => {
+            abool('phflag', phflag);
             if (ctx.length || phflag)
                 throw new Error('Contexts/pre-hash are not supported');
             return data;
         }); // NOOP
-    const inBig = (n) => typeof n === 'bigint' && _0n$1 < n; // n in [1..]
-    const inRange = (n, max) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
-    const in0MaskRange = (n) => n === _0n$1 || inRange(n, MASK); // n in [0..MASK-1]
-    function assertInRange(n, max) {
-        // n in [1..max-1]
-        if (inRange(n, max))
-            return n;
-        throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
-    }
-    function assertGE0(n) {
-        // n in [0..CURVE_ORDER-1]
-        return n === _0n$1 ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
-    }
-    const pointPrecomputes = new Map();
-    function isPoint(other) {
+    // 0 <= n < MASK
+    // Coordinates larger than Fp.ORDER are allowed for zip215
+    function aCoordinate(title, n) {
+        aInRange('coordinate ' + title, n, _0n$1, MASK);
+    }
+    function assertPoint(other) {
         if (!(other instanceof Point))
             throw new Error('ExtendedPoint expected');
     }
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    const toAffineMemo = memoized((p, iz) => {
+        const { ex: x, ey: y, ez: z } = p;
+        const is0 = p.is0();
+        if (iz == null)
+            iz = is0 ? _8n$1 : Fp.inv(z); // 8 was chosen arbitrarily
+        const ax = modP(x * iz);
+        const ay = modP(y * iz);
+        const zz = modP(z * iz);
+        if (is0)
+            return { x: _0n$1, y: _1n$3 };
+        if (zz !== _1n$3)
+            throw new Error('invZ was invalid');
+        return { x: ax, y: ay };
+    });
+    const assertValidMemo = memoized((p) => {
+        const { a, d } = CURVE;
+        if (p.is0())
+            throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+        // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+        // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+        const { ex: X, ey: Y, ez: Z, et: T } = p;
+        const X2 = modP(X * X); // X²
+        const Y2 = modP(Y * Y); // Y²
+        const Z2 = modP(Z * Z); // Z²
+        const Z4 = modP(Z2 * Z2); // Z⁴
+        const aX2 = modP(X2 * a); // aX²
+        const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+        const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+        if (left !== right)
+            throw new Error('bad point: equation left != right (1)');
+        // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+        const XY = modP(X * Y);
+        const ZT = modP(Z * T);
+        if (XY !== ZT)
+            throw new Error('bad point: equation left != right (2)');
+        return true;
+    });
     // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
     // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
     class Point {
@@ -6899,14 +7030,11 @@ function twistedEdwards(curveDef) {
             this.ey = ey;
             this.ez = ez;
             this.et = et;
-            if (!in0MaskRange(ex))
-                throw new Error('x required');
-            if (!in0MaskRange(ey))
-                throw new Error('y required');
-            if (!in0MaskRange(ez))
-                throw new Error('z required');
-            if (!in0MaskRange(et))
-                throw new Error('t required');
+            aCoordinate('x', ex);
+            aCoordinate('y', ey);
+            aCoordinate('z', ez);
+            aCoordinate('t', et);
+            Object.freeze(this);
         }
         get x() {
             return this.toAffine().x;
@@ -6918,8 +7046,8 @@ function twistedEdwards(curveDef) {
             if (p instanceof Point)
                 throw new Error('extended point not allowed');
             const { x, y } = p || {};
-            if (!in0MaskRange(x) || !in0MaskRange(y))
-                throw new Error('invalid affine point');
+            aCoordinate('x', x);
+            aCoordinate('y', y);
             return new Point(x, y, _1n$3, modP(x * y));
         }
         static normalizeZ(points) {
@@ -6928,36 +7056,16 @@ function twistedEdwards(curveDef) {
         }
         // "Private method", don't use it directly
         _setWindowSize(windowSize) {
-            this._WINDOW_SIZE = windowSize;
-            pointPrecomputes.delete(this);
+            wnaf.setWindowSize(this, windowSize);
         }
         // Not required for fromHex(), which always creates valid points.
         // Could be useful for fromAffine().
         assertValidity() {
-            const { a, d } = CURVE;
-            if (this.is0())
-                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
-            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
-            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-            const { ex: X, ey: Y, ez: Z, et: T } = this;
-            const X2 = modP(X * X); // X²
-            const Y2 = modP(Y * Y); // Y²
-            const Z2 = modP(Z * Z); // Z²
-            const Z4 = modP(Z2 * Z2); // Z⁴
-            const aX2 = modP(X2 * a); // aX²
-            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
-            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
-            if (left !== right)
-                throw new Error('bad point: equation left != right (1)');
-            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
-            const XY = modP(X * Y);
-            const ZT = modP(Z * T);
-            if (XY !== ZT)
-                throw new Error('bad point: equation left != right (2)');
+            assertValidMemo(this);
         }
         // Compare one point to another.
         equals(other) {
-            isPoint(other);
+            assertPoint(other);
             const { ex: X1, ey: Y1, ez: Z1 } = this;
             const { ex: X2, ey: Y2, ez: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
@@ -6998,7 +7106,7 @@ function twistedEdwards(curveDef) {
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
         // Cost: 9M + 1*a + 1*d + 7add.
         add(other) {
-            isPoint(other);
+            assertPoint(other);
             const { a, d } = CURVE;
             const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
             const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
@@ -7041,11 +7149,13 @@ function twistedEdwards(curveDef) {
             return this.add(other.negate());
         }
         wNAF(n) {
-            return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
+            return wnaf.wNAFCached(this, n, Point.normalizeZ);
         }
         // Constant-time multiplication.
         multiply(scalar) {
-            const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
+            const n = scalar;
+            aInRange('scalar', n, _1n$3, CURVE_ORDER); // 1 <= scalar < L
+            const { p, f } = this.wNAF(n);
             return Point.normalizeZ([p, f])[0];
         }
         // Non-constant-time multiplication. Uses double-and-add algorithm.
@@ -7053,7 +7163,8 @@ function twistedEdwards(curveDef) {
         // an exposed private key e.g. sig verification.
         // Does NOT allow scalars higher than CURVE.n.
         multiplyUnsafe(scalar) {
-            let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
+            const n = scalar;
+            aInRange('scalar', n, _0n$1, CURVE_ORDER); // 0 <= scalar < L
             if (n === _0n$1)
                 return I;
             if (this.equals(I) || n === _1n$3)
@@ -7077,18 +7188,7 @@ function twistedEdwards(curveDef) {
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
         toAffine(iz) {
-            const { ex: x, ey: y, ez: z } = this;
-            const is0 = this.is0();
-            if (iz == null)
-                iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
-            const ax = modP(x * iz);
-            const ay = modP(y * iz);
-            const zz = modP(z * iz);
-            if (is0)
-                return { x: _0n$1, y: _1n$3 };
-            if (zz !== _1n$3)
-                throw new Error('invZ was invalid');
-            return { x: ax, y: ay };
+            return toAffineMemo(this, iz);
         }
         clearCofactor() {
             const { h: cofactor } = CURVE;
@@ -7102,18 +7202,16 @@ function twistedEdwards(curveDef) {
             const { d, a } = CURVE;
             const len = Fp.BYTES;
             hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
+            abool('zip215', zip215);
             const normed = hex.slice(); // copy again, we'll manipulate it
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
             const y = bytesToNumberLE(normed);
-            if (y === _0n$1) ;
-            else {
-                // RFC8032 prohibits >= p, but ZIP215 doesn't
-                if (zip215)
-                    assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
-                else
-                    assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
-            }
+            // RFC8032 prohibits >= p, but ZIP215 doesn't
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+            const max = zip215 ? MASK : Fp.ORDER;
+            aInRange('pointHex.y', y, _0n$1, max);
             // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
             // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
             const y2 = modP(y * y); // denominator is always non-0 mod p.
@@ -7188,7 +7286,7 @@ function twistedEdwards(curveDef) {
         const R = G.multiply(r).toRawBytes(); // R = rG
         const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
-        assertGE0(s); // 0 <= s < l
+        aInRange('signature.s', s, _0n$1, CURVE_ORDER); // 0 <= s < l
         const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
         return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
     }
@@ -7198,6 +7296,8 @@ function twistedEdwards(curveDef) {
         const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
         sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
         msg = ensureBytes('message', msg);
+        if (zip215 !== undefined)
+            abool('zip215', zip215);
         if (prehash)
             msg = prehash(msg); // for ed25519ph, etc
         const s = bytesToNumberLE(sig.slice(len, 2 * len));
@@ -7255,12 +7355,14 @@ function twistedEdwards(curveDef) {
  */
 const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
 // √(-1) aka √(a) aka 2^((p-1)/4)
-const ED25519_SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
 // prettier-ignore
-BigInt(0); const _1n$2 = BigInt(1), _2n$1 = BigInt(2), _5n = BigInt(5);
+BigInt(0); const _1n$2 = BigInt(1), _2n$1 = BigInt(2); BigInt(3);
 // prettier-ignore
-const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+const _5n = BigInt(5), _8n = BigInt(8);
 function ed25519_pow_2_252_3(x) {
+    // prettier-ignore
+    const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
     const P = ED25519_P;
     const x2 = (x * x) % P;
     const b2 = (x2 * x) % P; // x^3, 11
@@ -7309,8 +7411,8 @@ function uvRatio(u, v) {
         x = mod(-x, P);
     return { isValid: useRoot1 || useRoot2, value: x };
 }
-const Fp$1 = Field(ED25519_P, undefined, true);
-const ed25519Defaults = {
+const Fp$1 = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
+const ed25519Defaults = /* @__PURE__ */ (() => ({
     // Param: a
     a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
     // d is equal to -121665/121666 over finite field.
@@ -7322,7 +7424,7 @@ const ed25519Defaults = {
     // 2n**252n + 27742317777372353535851937790883648493n;
     n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
     // Cofactor
-    h: BigInt(8),
+    h: _8n,
     // Base point (x, y) aka generator point
     Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
     Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
@@ -7333,40 +7435,11 @@ const ed25519Defaults = {
     // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
     // Constant-time, u/√v
     uvRatio,
-};
-const ed25519 = /* @__PURE__ */ twistedEdwards(ed25519Defaults);
-function ed25519_domain(data, ctx, phflag) {
-    if (ctx.length > 255)
-        throw new Error('Context is too big');
-    return concatBytes$1(utf8ToBytes$1('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
-}
-/* @__PURE__ */ twistedEdwards({
-    ...ed25519Defaults,
-    domain: ed25519_domain,
-});
-/* @__PURE__ */ twistedEdwards({
-    ...ed25519Defaults,
-    domain: ed25519_domain,
-    prehash: sha512,
-});
-// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
-// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
-// SageMath returns different root first and everything falls apart
-const ELL2_C1 = (Fp$1.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
-Fp$1.pow(_2n$1, ELL2_C1); // 2. c2 = 2^c1
-Fp$1.sqrt(Fp$1.neg(Fp$1.ONE)); // 3. c3 = sqrt(-1)
-(Fp$1.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
-BigInt(486662);
-FpSqrtEven(Fp$1, Fp$1.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
-// √(ad - 1)
-BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
-// 1 / √(a-d)
-BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
-// 1-d²
-BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
-// (d-1)²
-BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
-BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+}))();
+/**
+ * ed25519 curve with EdDSA signatures.
+ */
+const ed25519 = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
 const PUBLIC_KEY_BYTE_LENGTH = 32;
 const PRIVATE_KEY_BYTE_LENGTH = 64; // private key is actually 32 bytes but for historical reasons we concat private and public keys
@@ -7423,7 +7496,7 @@ function concatKeys(privateKeyRaw, publicKey) {
 var webcrypto = {
     get(win = globalThis) {
         const nativeCrypto = win.crypto;
-        if (nativeCrypto == null || nativeCrypto.subtle == null) {
+        if (nativeCrypto?.subtle == null) {
             throw Object.assign(new Error('Missing Web Crypto API. ' +
                 'The most likely cause of this error is that this page is being accessed ' +
                 'from an insecure context (i.e. not HTTPS). For more information and ' +
@@ -7447,12 +7520,12 @@ var webcrypto = {
 const derivedEmptyPasswordKey = { alg: 'A128GCM', ext: true, k: 'scm9jmO_4BJAgdwWGVulLg', key_ops: ['encrypt', 'decrypt'], kty: 'oct' };
 // Based off of code from https://github.com/luke-park/SecureCompatibleEncryptionExamples
 function create(opts) {
-    const algorithm = opts?.algorithm ?? 'AES-GCM';
-    let keyLength = opts?.keyLength ?? 16;
-    const nonceLength = opts?.nonceLength ?? 12;
-    const digest = opts?.digest ?? 'SHA-256';
-    const saltLength = opts?.saltLength ?? 16;
-    const iterations = opts?.iterations ?? 32767;
+    const algorithm = 'AES-GCM';
+    let keyLength = 16;
+    const nonceLength = 12;
+    const digest = 'SHA-256';
+    const saltLength = 16;
+    const iterations = 32767;
     const crypto = webcrypto.get();
     keyLength *= 8; // Browser crypto uses bits instead of bytes
     /**
@@ -8236,7 +8309,7 @@ function decodeMessage(buf, codec, opts) {
  * A general purpose buffer pool
  */
 function pool(size) {
-    const SIZE = size ?? 8192;
+    const SIZE = 8192;
     const MAX = SIZE >>> 1;
     let slab;
     let offset = SIZE;
@@ -12824,6 +12897,12 @@ var RSA = /*#__PURE__*/Object.freeze({
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Short Weierstrass curve. The formula is: y² = x³ + ax + b
+function validateSigVerOpts(opts) {
+    if (opts.lowS !== undefined)
+        abool('lowS', opts.lowS);
+    if (opts.prehash !== undefined)
+        abool('prehash', opts.prehash);
+}
 function validatePointOpts(curve) {
     const opts = validateBasic(curve);
     validateObject(opts, {
@@ -12948,16 +13027,12 @@ function weierstrassPoints(opts) {
         throw new Error('bad generator point: equation left != right');
     // Valid group elements reside in range 1..n-1
     function isWithinCurveOrder(num) {
-        return typeof num === 'bigint' && _0n < num && num < CURVE.n;
-    }
-    function assertGE(num) {
-        if (!isWithinCurveOrder(num))
-            throw new Error('Expected valid bigint: 0 < bigint < curve.n');
+        return inRange(num, _1n$1, CURVE.n);
     }
     // Validates if priv key is valid and converts it to bigint.
     // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
     function normPrivateKeyToScalar(key) {
-        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
+        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
         if (lengths && typeof key !== 'bigint') {
             if (isBytes$1(key))
                 key = bytesToHex(key);
@@ -12977,15 +13052,61 @@ function weierstrassPoints(opts) {
             throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
         }
         if (wrapPrivateKey)
-            num = mod(num, n); // disabled by default, enabled for BLS
-        assertGE(num); // num in range [1..N-1]
+            num = mod(num, N); // disabled by default, enabled for BLS
+        aInRange('private key', num, _1n$1, N); // num in range [1..N-1]
         return num;
     }
-    const pointPrecomputes = new Map();
     function assertPrjPoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
+    // Memoized toAffine / validity check. They are heavy. Points are immutable.
+    // Converts Projective point to affine (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    // (x, y, z) ∋ (x=x/z, y=y/z)
+    const toAffineMemo = memoized((p, iz) => {
+        const { px: x, py: y, pz: z } = p;
+        // Fast-path for normalized points
+        if (Fp.eql(z, Fp.ONE))
+            return { x, y };
+        const is0 = p.is0();
+        // If invZ was 0, we return zero point. However we still want to execute
+        // all operations, so we replace invZ with a random number, 1.
+        if (iz == null)
+            iz = is0 ? Fp.ONE : Fp.inv(z);
+        const ax = Fp.mul(x, iz);
+        const ay = Fp.mul(y, iz);
+        const zz = Fp.mul(z, iz);
+        if (is0)
+            return { x: Fp.ZERO, y: Fp.ZERO };
+        if (!Fp.eql(zz, Fp.ONE))
+            throw new Error('invZ was invalid');
+        return { x: ax, y: ay };
+    });
+    // NOTE: on exception this will crash 'cached' and no value will be set.
+    // Otherwise true will be return
+    const assertValidMemo = memoized((p) => {
+        if (p.is0()) {
+            // (0, 1, 0) aka ZERO is invalid in most contexts.
+            // In BLS, ZERO can be serialized, so we allow it.
+            // (0, 0, 0) is wrong representation of ZERO and is always invalid.
+            if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
+                return;
+            throw new Error('bad point: ZERO');
+        }
+        // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
+        const { x, y } = p.toAffine();
+        // Check if x, y are valid field elements
+        if (!Fp.isValid(x) || !Fp.isValid(y))
+            throw new Error('bad point: x or y not FE');
+        const left = Fp.sqr(y); // y²
+        const right = weierstrassEquation(x); // x³ + ax + b
+        if (!Fp.eql(left, right))
+            throw new Error('bad point: equation left != right');
+        if (!p.isTorsionFree())
+            throw new Error('bad point: not in prime-order subgroup');
+        return true;
+    });
     /**
      * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
      * Default Point works in 2d / affine coordinates: (x, y)
@@ -13002,6 +13123,7 @@ function weierstrassPoints(opts) {
                 throw new Error('y required');
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
+            Object.freeze(this);
         }
         // Does not validate if the point is on-curve.
         // Use fromHex instead, or call assertValidity() later.
@@ -13048,30 +13170,11 @@ function weierstrassPoints(opts) {
         }
         // "Private method", don't use it directly
         _setWindowSize(windowSize) {
-            this._WINDOW_SIZE = windowSize;
-            pointPrecomputes.delete(this);
+            wnaf.setWindowSize(this, windowSize);
         }
         // A point on curve is valid if it conforms to equation.
         assertValidity() {
-            if (this.is0()) {
-                // (0, 1, 0) aka ZERO is invalid in most contexts.
-                // In BLS, ZERO can be serialized, so we allow it.
-                // (0, 0, 0) is wrong representation of ZERO and is always invalid.
-                if (CURVE.allowInfinityPoint && !Fp.is0(this.py))
-                    return;
-                throw new Error('bad point: ZERO');
-            }
-            // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
-            const { x, y } = this.toAffine();
-            // Check if x, y are valid field elements
-            if (!Fp.isValid(x) || !Fp.isValid(y))
-                throw new Error('bad point: x or y not FE');
-            const left = Fp.sqr(y); // y²
-            const right = weierstrassEquation(x); // x³ + ax + b
-            if (!Fp.eql(left, right))
-                throw new Error('bad point: equation left != right');
-            if (!this.isTorsionFree())
-                throw new Error('bad point: not in prime-order subgroup');
+            assertValidMemo(this);
         }
         hasEvenY() {
             const { y } = this.toAffine();
@@ -13198,28 +13301,25 @@ function weierstrassPoints(opts) {
             return this.equals(Point.ZERO);
         }
         wNAF(n) {
-            return wnaf.wNAFCached(this, pointPrecomputes, n, (comp) => {
-                const toInv = Fp.invertBatch(comp.map((p) => p.pz));
-                return comp.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
-            });
+            return wnaf.wNAFCached(this, n, Point.normalizeZ);
         }
         /**
          * Non-constant-time multiplication. Uses double-and-add algorithm.
          * It's faster, but should only be used when you don't care about
          * an exposed private key e.g. sig verification, which works over *public* keys.
          */
-        multiplyUnsafe(n) {
+        multiplyUnsafe(sc) {
+            aInRange('scalar', sc, _0n, CURVE.n);
             const I = Point.ZERO;
-            if (n === _0n)
+            if (sc === _0n)
                 return I;
-            assertGE(n); // Will throw on 0
-            if (n === _1n$1)
+            if (sc === _1n$1)
                 return this;
             const { endo } = CURVE;
             if (!endo)
-                return wnaf.unsafeLadder(this, n);
+                return wnaf.unsafeLadder(this, sc);
             // Apply endomorphism
-            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
             let k1p = I;
             let k2p = I;
             let d = this;
@@ -13249,12 +13349,11 @@ function weierstrassPoints(opts) {
          * @returns New point
          */
         multiply(scalar) {
-            assertGE(scalar);
-            let n = scalar;
+            const { endo, n: N } = CURVE;
+            aInRange('scalar', scalar, _1n$1, N);
             let point, fake; // Fake point is used to const-time mult
-            const { endo } = CURVE;
             if (endo) {
-                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
                 let { p: k1p, f: f1p } = this.wNAF(k1);
                 let { p: k2p, f: f2p } = this.wNAF(k2);
                 k1p = wnaf.constTimeNegate(k1neg, k1p);
@@ -13264,7 +13363,7 @@ function weierstrassPoints(opts) {
                 fake = f1p.add(f2p);
             }
             else {
-                const { p, f } = this.wNAF(n);
+                const { p, f } = this.wNAF(scalar);
                 point = p;
                 fake = f;
             }
@@ -13288,20 +13387,7 @@ function weierstrassPoints(opts) {
         // Can accept precomputed Z^-1 - for example, from invertBatch.
         // (x, y, z) ∋ (x=x/z, y=y/z)
         toAffine(iz) {
-            const { px: x, py: y, pz: z } = this;
-            const is0 = this.is0();
-            // If invZ was 0, we return zero point. However we still want to execute
-            // all operations, so we replace invZ with a random number, 1.
-            if (iz == null)
-                iz = is0 ? Fp.ONE : Fp.inv(z);
-            const ax = Fp.mul(x, iz);
-            const ay = Fp.mul(y, iz);
-            const zz = Fp.mul(z, iz);
-            if (is0)
-                return { x: Fp.ZERO, y: Fp.ZERO };
-            if (!Fp.eql(zz, Fp.ONE))
-                throw new Error('invZ was invalid');
-            return { x: ax, y: ay };
+            return toAffineMemo(this, iz);
         }
         isTorsionFree() {
             const { h: cofactor, isTorsionFree } = CURVE;
@@ -13320,10 +13406,12 @@ function weierstrassPoints(opts) {
             return this.multiplyUnsafe(CURVE.h);
         }
         toRawBytes(isCompressed = true) {
+            abool('isCompressed', isCompressed);
             this.assertValidity();
             return toBytes(Point, this, isCompressed);
         }
         toHex(isCompressed = true) {
+            abool('isCompressed', isCompressed);
             return bytesToHex(this.toRawBytes(isCompressed));
         }
     }
@@ -13353,14 +13441,18 @@ function validateOpts(curve) {
     });
     return Object.freeze({ lowS: true, ...opts });
 }
+/**
+ * Creates short weierstrass curve and ECDSA signature methods for it.
+ * @example
+ * import { Field } from '@noble/curves/abstract/modular';
+ * // Before that, define BigInt-s: a, b, p, n, Gx, Gy
+ * const curve = weierstrass({ a, b, Fp: Field(p), n, Gx, Gy, h: 1n })
+ */
 function weierstrass(curveDef) {
     const CURVE = validateOpts(curveDef);
     const { Fp, n: CURVE_ORDER } = CURVE;
     const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
     const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
-    function isValidFieldElement(num) {
-        return _0n < num && num < Fp.ORDER; // 0 is banned since it's not invertible FE
-    }
     function modN(a) {
         return mod(a, CURVE_ORDER);
     }
@@ -13373,6 +13465,7 @@ function weierstrass(curveDef) {
             const a = point.toAffine();
             const x = Fp.toBytes(a.x);
             const cat = concatBytes;
+            abool('isCompressed', isCompressed);
             if (isCompressed) {
                 return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
             }
@@ -13387,7 +13480,7 @@ function weierstrass(curveDef) {
             // this.assertValidity() is done inside of fromHex
             if (len === compressedLen && (head === 0x02 || head === 0x03)) {
                 const x = bytesToNumberBE(tail);
-                if (!isValidFieldElement(x))
+                if (!inRange(x, _1n$1, Fp.ORDER))
                     throw new Error('Point is not on curve');
                 const y2 = weierstrassEquation(x); // y² = x³ + ax + b
                 let y;
@@ -13448,11 +13541,8 @@ function weierstrass(curveDef) {
             return new Signature(r, s);
         }
         assertValidity() {
-            // can use assertGE here
-            if (!isWithinCurveOrder(this.r))
-                throw new Error('r must be 0 < r < CURVE.n');
-            if (!isWithinCurveOrder(this.s))
-                throw new Error('s must be 0 < s < CURVE.n');
+            aInRange('r', this.r, _1n$1, CURVE_ORDER); // r in [1..N]
+            aInRange('s', this.s, _1n$1, CURVE_ORDER); // s in [1..N]
         }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
@@ -13595,10 +13685,7 @@ function weierstrass(curveDef) {
      * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
      */
     function int2octets(num) {
-        if (typeof num !== 'bigint')
-            throw new Error('bigint expected');
-        if (!(_0n <= num && num < ORDER_MASK))
-            throw new Error(`bigint expected < 2^${CURVE.nBitLength}`);
+        aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n, ORDER_MASK);
         // works with order, can have different size than numToField!
         return numberToBytesBE(num, CURVE.nByteLength);
     }
@@ -13615,6 +13702,7 @@ function weierstrass(curveDef) {
         if (lowS == null)
             lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
         msgHash = ensureBytes('msgHash', msgHash);
+        validateSigVerOpts(opts);
         if (prehash)
             msgHash = ensureBytes('prehashed msgHash', hash(msgHash));
         // We can't later call bits2octets, since nested bits2int is broken for curves
@@ -13701,6 +13789,7 @@ function weierstrass(curveDef) {
         publicKey = ensureBytes('publicKey', publicKey);
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
+        validateSigVerOpts(opts);
         const { lowS, prehash } = opts;
         let _sig = undefined;
         let P;
@@ -13807,6 +13896,9 @@ function sqrtMod(y) {
     return root;
 }
 const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+/**
+ * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ */
 const secp256k1 = createCurve({
     a: BigInt(0), // equation params: a, b
     b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
@@ -14212,6 +14304,41 @@ class Secp256k1PeerIdImpl extends PeerIdImpl {
         this.publicKey = init.multihash.digest;
     }
 }
+// these values are from https://github.com/multiformats/multicodec/blob/master/table.csv
+const TRANSPORT_IPFS_GATEWAY_HTTP_CODE = 0x0920;
+class URLPeerIdImpl {
+    type = 'url';
+    multihash;
+    privateKey;
+    publicKey;
+    url;
+    constructor(url) {
+        this.url = url.toString();
+        this.multihash = identity.digest(fromString(this.url));
+    }
+    [inspect]() {
+        return `PeerId(${this.url})`;
+    }
+    [peerIdSymbol] = true;
+    toString() {
+        return this.toCID().toString();
+    }
+    toCID() {
+        return CID.createV1(TRANSPORT_IPFS_GATEWAY_HTTP_CODE, this.multihash);
+    }
+    toBytes() {
+        return this.toCID().bytes;
+    }
+    equals(other) {
+        if (other == null) {
+            return false;
+        }
+        if (other instanceof Uint8Array) {
+            other = toString$1(other);
+        }
+        return other.toString() === this.toString();
+    }
+}
 function peerIdFromString(str, decoder) {
     if (str.charAt(0) === '1' || str.charAt(0) === 'Q') {
         // identity hash ed25519/secp256k1 key or sha2-256 hash of
@@ -14250,9 +14377,13 @@ function peerIdFromBytes(buf) {
     throw new Error('Supplied PeerID CID is invalid');
 }
 function peerIdFromCID(cid) {
-    if (cid == null || cid.multihash == null || cid.version == null || (cid.version === 1 && cid.code !== LIBP2P_KEY_CODE)) {
+    if (cid?.multihash == null || cid.version == null || (cid.version === 1 && (cid.code !== LIBP2P_KEY_CODE) && cid.code !== TRANSPORT_IPFS_GATEWAY_HTTP_CODE)) {
         throw new Error('Supplied PeerID CID is invalid');
     }
+    if (cid.code === TRANSPORT_IPFS_GATEWAY_HTTP_CODE) {
+        const url = toString$1(cid.multihash.digest);
+        return new URLPeerIdImpl(new URL(url));
+    }
     const multihash = cid.multihash;
     if (multihash.code === sha256$1.code) {
         return new RSAPeerIdImpl({ multihash: cid.multihash });
@@ -14289,6 +14420,9 @@ function getPublicKeyFromPeerId(peerId) {
     if (peerId.type !== "secp256k1") {
         throw new Error("Unsupported peer id type");
     }
+    if (!peerId.publicKey) {
+        throw new Error("Public key not present on peer id");
+    }
     return unmarshalPublicKey(peerId.publicKey).marshal();
 }
 // Only used in tests
@@ -15137,9 +15271,6 @@ function isHexString(value, length) {
     if (typeof (value) !== "string" || !value.match(/^0x[0-9A-Fa-f]*$/)) {
         return false;
     }
-    if (length && value.length !== 2 + 2 * length) {
-        return false;
-    }
     return true;
 }
 const HexCharacters = "0123456789abcdef";