@waku/enr 0.0.28-c41b319.0 → 0.0.28-c43cec2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/bundle/index.js +340 -582
  2. package/dist/.tsbuildinfo +1 -1
  3. package/package.json +1 -1
package/bundle/index.js CHANGED
@@ -655,7 +655,7 @@ new TextDecoder();
655
655
 
656
656
  /* eslint-disable */
657
657
  var encode_1 = encode$3;
658
- var MSB$1 = 0x80, MSBALL = -128, INT = Math.pow(2, 31);
658
+ var MSB$1 = 0x80, REST$1 = 0x7F, MSBALL = ~REST$1, INT = Math.pow(2, 31);
659
659
  /**
660
660
  * @param {number} num
661
661
  * @param {number[]} out
@@ -679,7 +679,7 @@ function encode$3(num, out, offset) {
679
679
  return out;
680
680
  }
681
681
  var decode$4 = read$1;
682
- var MSB$1$1 = 0x80, REST$1 = 0x7F;
682
+ var MSB$1$1 = 0x80, REST$1$1 = 0x7F;
683
683
  /**
684
684
  * @param {string | any[]} buf
685
685
  * @param {number} offset
@@ -694,8 +694,8 @@ function read$1(buf, offset) {
694
694
  }
695
695
  b = buf[counter++];
696
696
  res += shift < 28
697
- ? (b & REST$1) << shift
698
- : (b & REST$1) * Math.pow(2, shift);
697
+ ? (b & REST$1$1) << shift
698
+ : (b & REST$1$1) * Math.pow(2, shift);
699
699
  shift += 7;
700
700
  } while (b >= MSB$1$1);
701
701
  // @ts-ignore
@@ -1586,10 +1586,10 @@ class JacobianPoint {
1586
1586
  const cond1 = window % 2 !== 0;
1587
1587
  const cond2 = wbits < 0;
1588
1588
  if (wbits === 0) {
1589
- f = f.add(constTimeNegate$1(cond1, precomputes[offset1]));
1589
+ f = f.add(constTimeNegate(cond1, precomputes[offset1]));
1590
1590
  }
1591
1591
  else {
1592
- p = p.add(constTimeNegate$1(cond2, precomputes[offset2]));
1592
+ p = p.add(constTimeNegate(cond2, precomputes[offset2]));
1593
1593
  }
1594
1594
  }
1595
1595
  return { p, f };
@@ -1602,8 +1602,8 @@ class JacobianPoint {
1602
1602
  const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
1603
1603
  let { p: k1p, f: f1p } = this.wNAF(k1, affinePoint);
1604
1604
  let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
1605
- k1p = constTimeNegate$1(k1neg, k1p);
1606
- k2p = constTimeNegate$1(k2neg, k2p);
1605
+ k1p = constTimeNegate(k1neg, k1p);
1606
+ k2p = constTimeNegate(k2neg, k2p);
1607
1607
  k2p = new JacobianPoint(mod$1(k2p.x * endo.beta), k2p.y, k2p.z);
1608
1608
  point = k1p.add(k2p);
1609
1609
  fake = f1p.add(f2p);
@@ -1635,7 +1635,7 @@ class JacobianPoint {
1635
1635
  }
1636
1636
  JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n$7);
1637
1637
  JacobianPoint.ZERO = new JacobianPoint(_0n$5, _1n$7, _0n$5);
1638
- function constTimeNegate$1(condition, item) {
1638
+ function constTimeNegate(condition, item) {
1639
1639
  const neg = item.negate();
1640
1640
  return condition ? neg : item;
1641
1641
  }
@@ -3092,55 +3092,43 @@ function verifySignature(signature, message, publicKey) {
3092
3092
  }
3093
3093
  }
3094
3094
 
3095
- /**
3096
- * Internal assertion helpers.
3097
- * @module
3098
- */
3099
- /** Asserts something is positive integer. */
3100
- function anumber(n) {
3095
+ function number(n) {
3101
3096
  if (!Number.isSafeInteger(n) || n < 0)
3102
- throw new Error('positive integer expected, got ' + n);
3097
+ throw new Error(`positive integer expected, not ${n}`);
3103
3098
  }
3104
- /** Is number an Uint8Array? Copied from utils for perf. */
3099
+ // copied from utils
3105
3100
  function isBytes$2(a) {
3106
- return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
3101
+ return (a instanceof Uint8Array ||
3102
+ (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
3107
3103
  }
3108
- /** Asserts something is Uint8Array. */
3109
- function abytes$1(b, ...lengths) {
3104
+ function bytes(b, ...lengths) {
3110
3105
  if (!isBytes$2(b))
3111
3106
  throw new Error('Uint8Array expected');
3112
3107
  if (lengths.length > 0 && !lengths.includes(b.length))
3113
- throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
3108
+ throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
3114
3109
  }
3115
- /** Asserts something is hash */
3116
- function ahash(h) {
3110
+ function hash(h) {
3117
3111
  if (typeof h !== 'function' || typeof h.create !== 'function')
3118
3112
  throw new Error('Hash should be wrapped by utils.wrapConstructor');
3119
- anumber(h.outputLen);
3120
- anumber(h.blockLen);
3113
+ number(h.outputLen);
3114
+ number(h.blockLen);
3121
3115
  }
3122
- /** Asserts a hash instance has not been destroyed / finished */
3123
- function aexists(instance, checkFinished = true) {
3116
+ function exists(instance, checkFinished = true) {
3124
3117
  if (instance.destroyed)
3125
3118
  throw new Error('Hash instance has been destroyed');
3126
3119
  if (checkFinished && instance.finished)
3127
3120
  throw new Error('Hash#digest() has already been called');
3128
3121
  }
3129
- /** Asserts output is properly-sized byte array */
3130
- function aoutput(out, instance) {
3131
- abytes$1(out);
3122
+ function output(out, instance) {
3123
+ bytes(out);
3132
3124
  const min = instance.outputLen;
3133
3125
  if (out.length < min) {
3134
- throw new Error('digestInto() expects output buffer of length at least ' + min);
3126
+ throw new Error(`digestInto() expects output buffer of length at least ${min}`);
3135
3127
  }
3136
3128
  }
3137
3129
 
3138
3130
  const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
3139
3131
 
3140
- /**
3141
- * Utilities for hex, bytes, CSPRNG.
3142
- * @module
3143
- */
3144
3132
  /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
3145
3133
  // We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
3146
3134
  // node.js versions earlier than v19 don't declare it in global scope.
@@ -3149,20 +3137,16 @@ const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? glob
3149
3137
  // Makes the utils un-importable in browsers without a bundler.
3150
3138
  // Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
3151
3139
  // Cast array to view
3152
- function createView(arr) {
3153
- return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
3154
- }
3155
- /** The rotate right (circular right shift) operation for uint32 */
3156
- function rotr(word, shift) {
3157
- return (word << (32 - shift)) | (word >>> shift);
3158
- }
3140
+ const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
3141
+ // The rotate right (circular right shift) operation for uint32
3142
+ const rotr = (word, shift) => (word << (32 - shift)) | (word >>> shift);
3143
+ new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;
3159
3144
  /**
3160
- * Convert JS string to byte array.
3161
3145
  * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
3162
3146
  */
3163
3147
  function utf8ToBytes$1(str) {
3164
3148
  if (typeof str !== 'string')
3165
- throw new Error('utf8ToBytes expected string, got ' + typeof str);
3149
+ throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
3166
3150
  return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
3167
3151
  }
3168
3152
  /**
@@ -3173,7 +3157,7 @@ function utf8ToBytes$1(str) {
3173
3157
  function toBytes$1(data) {
3174
3158
  if (typeof data === 'string')
3175
3159
  data = utf8ToBytes$1(data);
3176
- abytes$1(data);
3160
+ bytes(data);
3177
3161
  return data;
3178
3162
  }
3179
3163
  /**
@@ -3183,7 +3167,7 @@ function concatBytes$1(...arrays) {
3183
3167
  let sum = 0;
3184
3168
  for (let i = 0; i < arrays.length; i++) {
3185
3169
  const a = arrays[i];
3186
- abytes$1(a);
3170
+ bytes(a);
3187
3171
  sum += a.length;
3188
3172
  }
3189
3173
  const res = new Uint8Array(sum);
@@ -3194,14 +3178,13 @@ function concatBytes$1(...arrays) {
3194
3178
  }
3195
3179
  return res;
3196
3180
  }
3197
- /** For runtime check if class implements interface */
3181
+ // For runtime check if class implements interface
3198
3182
  class Hash {
3199
3183
  // Safe version that clones internal state
3200
3184
  clone() {
3201
3185
  return this._cloneInto();
3202
3186
  }
3203
3187
  }
3204
- /** Wraps hash function, creating an interface on top of it */
3205
3188
  function wrapConstructor(hashCons) {
3206
3189
  const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
3207
3190
  const tmp = hashCons();
@@ -3210,7 +3193,9 @@ function wrapConstructor(hashCons) {
3210
3193
  hashC.create = () => hashCons();
3211
3194
  return hashC;
3212
3195
  }
3213
- /** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
3196
+ /**
3197
+ * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.
3198
+ */
3214
3199
  function randomBytes(bytesLength = 32) {
3215
3200
  if (crypto$1 && typeof crypto$1.getRandomValues === 'function') {
3216
3201
  return crypto$1.getRandomValues(new Uint8Array(bytesLength));
@@ -3223,10 +3208,8 @@ function randomBytes(bytesLength = 32) {
3223
3208
  }
3224
3209
 
3225
3210
  /**
3226
- * Internal Merkle-Damgard hash utils.
3227
- * @module
3211
+ * Polyfill for Safari 14
3228
3212
  */
3229
- /** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
3230
3213
  function setBigUint64(view, byteOffset, value, isLE) {
3231
3214
  if (typeof view.setBigUint64 === 'function')
3232
3215
  return view.setBigUint64(byteOffset, value, isLE);
@@ -3239,14 +3222,14 @@ function setBigUint64(view, byteOffset, value, isLE) {
3239
3222
  view.setUint32(byteOffset + h, wh, isLE);
3240
3223
  view.setUint32(byteOffset + l, wl, isLE);
3241
3224
  }
3242
- /** Choice: a ? b : c */
3243
- function Chi(a, b, c) {
3244
- return (a & b) ^ (~a & c);
3245
- }
3246
- /** Majority function, true if any two inputs is true. */
3247
- function Maj(a, b, c) {
3248
- return (a & b) ^ (a & c) ^ (b & c);
3249
- }
3225
+ /**
3226
+ * Choice: a ? b : c
3227
+ */
3228
+ const Chi = (a, b, c) => (a & b) ^ (~a & c);
3229
+ /**
3230
+ * Majority function, true if any two inputs is true
3231
+ */
3232
+ const Maj = (a, b, c) => (a & b) ^ (a & c) ^ (b & c);
3250
3233
  /**
3251
3234
  * Merkle-Damgard hash construction base class.
3252
3235
  * Could be used to create MD5, RIPEMD, SHA1, SHA2.
@@ -3266,7 +3249,7 @@ class HashMD extends Hash {
3266
3249
  this.view = createView(this.buffer);
3267
3250
  }
3268
3251
  update(data) {
3269
- aexists(this);
3252
+ exists(this);
3270
3253
  const { view, buffer, blockLen } = this;
3271
3254
  data = toBytes$1(data);
3272
3255
  const len = data.length;
@@ -3292,8 +3275,8 @@ class HashMD extends Hash {
3292
3275
  return this;
3293
3276
  }
3294
3277
  digestInto(out) {
3295
- aexists(this);
3296
- aoutput(out, this);
3278
+ exists(this);
3279
+ output(out, this);
3297
3280
  this.finished = true;
3298
3281
  // Padding
3299
3282
  // We can avoid allocation of buffer for padding completely if it
@@ -3350,16 +3333,10 @@ class HashMD extends Hash {
3350
3333
  }
3351
3334
  }
3352
3335
 
3353
- /**
3354
- * SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
3355
- *
3356
- * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
3357
- * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
3358
- *
3359
- * Check out [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
3360
- * @module
3361
- */
3362
- /** Round constants: first 32 bits of fractional parts of the cube roots of the first 64 primes 2..311). */
3336
+ // SHA2-256 need to try 2^128 hashes to execute birthday attack.
3337
+ // BTC network is doing 2^67 hashes/sec as per early 2023.
3338
+ // Round constants:
3339
+ // first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311)
3363
3340
  // prettier-ignore
3364
3341
  const SHA256_K = /* @__PURE__ */ new Uint32Array([
3365
3342
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
@@ -3371,15 +3348,14 @@ const SHA256_K = /* @__PURE__ */ new Uint32Array([
3371
3348
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
3372
3349
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
3373
3350
  ]);
3374
- /** Initial state: first 32 bits of fractional parts of the square roots of the first 8 primes 2..19. */
3351
+ // Initial state:
3352
+ // first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19
3375
3353
  // prettier-ignore
3376
3354
  const SHA256_IV = /* @__PURE__ */ new Uint32Array([
3377
3355
  0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
3378
3356
  ]);
3379
- /**
3380
- * Temporary buffer, not used to store anything between runs.
3381
- * Named this way because it matches specification.
3382
- */
3357
+ // Temporary buffer, not used to store anything between runs
3358
+ // Named this way because it matches specification.
3383
3359
  const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
3384
3360
  class SHA256 extends HashMD {
3385
3361
  constructor() {
@@ -3456,7 +3432,10 @@ class SHA256 extends HashMD {
3456
3432
  this.buffer.fill(0);
3457
3433
  }
3458
3434
  }
3459
- /** SHA2-256 hash function */
3435
+ /**
3436
+ * SHA2-256 hash function
3437
+ * @param message - data that would be hashed
3438
+ */
3460
3439
  const sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
3461
3440
 
3462
3441
  var Protocols;
@@ -3573,10 +3552,6 @@ var EConnectionStateEvents;
3573
3552
  EConnectionStateEvents["CONNECTION_STATUS"] = "waku:connection";
3574
3553
  })(EConnectionStateEvents || (EConnectionStateEvents = {}));
3575
3554
 
3576
- var HealthStatusChangeEvents;
3577
- (function (HealthStatusChangeEvents) {
3578
- HealthStatusChangeEvents["StatusChange"] = "health:change";
3579
- })(HealthStatusChangeEvents || (HealthStatusChangeEvents = {}));
3580
3555
  var HealthStatus;
3581
3556
  (function (HealthStatus) {
3582
3557
  HealthStatus["Unhealthy"] = "Unhealthy";
@@ -3955,62 +3930,24 @@ function setup(env) {
3955
3930
  createDebug.names = [];
3956
3931
  createDebug.skips = [];
3957
3932
 
3958
- const split = (typeof namespaces === 'string' ? namespaces : '')
3959
- .trim()
3960
- .replace(' ', ',')
3961
- .split(',')
3962
- .filter(Boolean);
3933
+ let i;
3934
+ const split = (typeof namespaces === 'string' ? namespaces : '').split(/[\s,]+/);
3935
+ const len = split.length;
3963
3936
 
3964
- for (const ns of split) {
3965
- if (ns[0] === '-') {
3966
- createDebug.skips.push(ns.slice(1));
3967
- } else {
3968
- createDebug.names.push(ns);
3937
+ for (i = 0; i < len; i++) {
3938
+ if (!split[i]) {
3939
+ // ignore empty strings
3940
+ continue;
3969
3941
  }
3970
- }
3971
- }
3972
3942
 
3973
- /**
3974
- * Checks if the given string matches a namespace template, honoring
3975
- * asterisks as wildcards.
3976
- *
3977
- * @param {String} search
3978
- * @param {String} template
3979
- * @return {Boolean}
3980
- */
3981
- function matchesTemplate(search, template) {
3982
- let searchIndex = 0;
3983
- let templateIndex = 0;
3984
- let starIndex = -1;
3985
- let matchIndex = 0;
3986
-
3987
- while (searchIndex < search.length) {
3988
- if (templateIndex < template.length && (template[templateIndex] === search[searchIndex] || template[templateIndex] === '*')) {
3989
- // Match character or proceed with wildcard
3990
- if (template[templateIndex] === '*') {
3991
- starIndex = templateIndex;
3992
- matchIndex = searchIndex;
3993
- templateIndex++; // Skip the '*'
3994
- } else {
3995
- searchIndex++;
3996
- templateIndex++;
3997
- }
3998
- } else if (starIndex !== -1) { // eslint-disable-line no-negated-condition
3999
- // Backtrack to the last '*' and try to match more characters
4000
- templateIndex = starIndex + 1;
4001
- matchIndex++;
4002
- searchIndex = matchIndex;
3943
+ namespaces = split[i].replace(/\*/g, '.*?');
3944
+
3945
+ if (namespaces[0] === '-') {
3946
+ createDebug.skips.push(new RegExp('^' + namespaces.slice(1) + '$'));
4003
3947
  } else {
4004
- return false; // No match
3948
+ createDebug.names.push(new RegExp('^' + namespaces + '$'));
4005
3949
  }
4006
3950
  }
4007
-
4008
- // Handle trailing '*' in template
4009
- while (templateIndex < template.length && template[templateIndex] === '*') {
4010
- templateIndex++;
4011
- }
4012
-
4013
- return templateIndex === template.length;
4014
3951
  }
4015
3952
 
4016
3953
  /**
@@ -4021,8 +3958,8 @@ function setup(env) {
4021
3958
  */
4022
3959
  function disable() {
4023
3960
  const namespaces = [
4024
- ...createDebug.names,
4025
- ...createDebug.skips.map(namespace => '-' + namespace)
3961
+ ...createDebug.names.map(toNamespace),
3962
+ ...createDebug.skips.map(toNamespace).map(namespace => '-' + namespace)
4026
3963
  ].join(',');
4027
3964
  createDebug.enable('');
4028
3965
  return namespaces;
@@ -4036,14 +3973,21 @@ function setup(env) {
4036
3973
  * @api public
4037
3974
  */
4038
3975
  function enabled(name) {
4039
- for (const skip of createDebug.skips) {
4040
- if (matchesTemplate(name, skip)) {
3976
+ if (name[name.length - 1] === '*') {
3977
+ return true;
3978
+ }
3979
+
3980
+ let i;
3981
+ let len;
3982
+
3983
+ for (i = 0, len = createDebug.skips.length; i < len; i++) {
3984
+ if (createDebug.skips[i].test(name)) {
4041
3985
  return false;
4042
3986
  }
4043
3987
  }
4044
3988
 
4045
- for (const ns of createDebug.names) {
4046
- if (matchesTemplate(name, ns)) {
3989
+ for (i = 0, len = createDebug.names.length; i < len; i++) {
3990
+ if (createDebug.names[i].test(name)) {
4047
3991
  return true;
4048
3992
  }
4049
3993
  }
@@ -4051,6 +3995,19 @@ function setup(env) {
4051
3995
  return false;
4052
3996
  }
4053
3997
 
3998
+ /**
3999
+ * Convert regexp to namespace
4000
+ *
4001
+ * @param {RegExp} regxep
4002
+ * @return {String} namespace
4003
+ * @api private
4004
+ */
4005
+ function toNamespace(regexp) {
4006
+ return regexp.toString()
4007
+ .substring(2, regexp.toString().length - 2)
4008
+ .replace(/\.\*\?$/, '*');
4009
+ }
4010
+
4054
4011
  /**
4055
4012
  * Coerce `val`.
4056
4013
  *
@@ -4212,7 +4169,6 @@ var common = setup;
4212
4169
 
4213
4170
  // Is webkit? http://stackoverflow.com/a/16459606/376773
4214
4171
  // document is undefined in react-native: https://github.com/facebook/react-native/pull/1632
4215
- // eslint-disable-next-line no-return-assign
4216
4172
  return (typeof document !== 'undefined' && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
4217
4173
  // Is firebug? http://stackoverflow.com/a/398120/376773
4218
4174
  (typeof window !== 'undefined' && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
@@ -4877,7 +4833,7 @@ function parseIPv6(input) {
4877
4833
  return parser.new(input).parseWith(() => parser.readIPv6Addr());
4878
4834
  }
4879
4835
  /** Parse `input` into IPv4 or IPv6 bytes. */
4880
- function parseIP(input, mapIPv4ToIPv6 = false) {
4836
+ function parseIP(input) {
4881
4837
  // strip zone index if it is present
4882
4838
  if (input.includes("%")) {
4883
4839
  input = input.split("%")[0];
@@ -4885,14 +4841,7 @@ function parseIP(input, mapIPv4ToIPv6 = false) {
4885
4841
  if (input.length > MAX_IPV6_LENGTH) {
4886
4842
  return undefined;
4887
4843
  }
4888
- const addr = parser.new(input).parseWith(() => parser.readIPAddr());
4889
- if (!addr) {
4890
- return undefined;
4891
- }
4892
- if (mapIPv4ToIPv6 && addr.length === 4) {
4893
- return Uint8Array.from([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, addr[0], addr[1], addr[2], addr[3]]);
4894
- }
4895
- return addr;
4844
+ return parser.new(input).parseWith(() => parser.readIPAddr());
4896
4845
  }
4897
4846
 
4898
4847
  /** Check if `input` is IPv4. */
@@ -5080,13 +5029,17 @@ function getProtocol(proto) {
5080
5029
  throw new Error(`invalid protocol id type: ${typeof proto}`);
5081
5030
  }
5082
5031
 
5032
+ /**
5033
+ * @packageDocumentation
5034
+ *
5035
+ * Provides methods for converting
5036
+ */
5083
5037
  getProtocol('ip4');
5084
5038
  getProtocol('ip6');
5085
5039
  getProtocol('ipcidr');
5086
5040
  /**
5087
5041
  * Convert [code,Uint8Array] to string
5088
5042
  */
5089
- // eslint-disable-next-line complexity
5090
5043
  function convertToString(proto, buf) {
5091
5044
  const protocol = getProtocol(proto);
5092
5045
  switch (protocol.code) {
@@ -5095,8 +5048,6 @@ function convertToString(proto, buf) {
5095
5048
  return bytes2ip(buf);
5096
5049
  case 42: // ipv6zone
5097
5050
  return bytes2str(buf);
5098
- case 43: // ipcidr
5099
- return toString$1(buf, 'base10');
5100
5051
  case 6: // tcp
5101
5052
  case 273: // udp
5102
5053
  case 33: // dccp
@@ -5124,7 +5075,6 @@ function convertToString(proto, buf) {
5124
5075
  return toString$1(buf, 'base16'); // no clue. convert to hex
5125
5076
  }
5126
5077
  }
5127
- // eslint-disable-next-line complexity
5128
5078
  function convertToBytes(proto, str) {
5129
5079
  const protocol = getProtocol(proto);
5130
5080
  switch (protocol.code) {
@@ -5134,8 +5084,6 @@ function convertToBytes(proto, str) {
5134
5084
  return ip2bytes(str);
5135
5085
  case 42: // ipv6zone
5136
5086
  return str2bytes(str);
5137
- case 43: // ipcidr
5138
- return fromString(str, 'base10');
5139
5087
  case 6: // tcp
5140
5088
  case 273: // udp
5141
5089
  case 33: // dccp
@@ -5430,6 +5378,19 @@ function ParseError(str) {
5430
5378
  return new Error('Error parsing address: ' + str);
5431
5379
  }
5432
5380
 
5381
+ /**
5382
+ * @packageDocumentation
5383
+ *
5384
+ * An implementation of a Multiaddr in JavaScript
5385
+ *
5386
+ * @example
5387
+ *
5388
+ * ```js
5389
+ * import { multiaddr } from '@multiformats/multiaddr'
5390
+ *
5391
+ * const ma = multiaddr('/ip4/127.0.0.1/tcp/1234')
5392
+ * ```
5393
+ */
5433
5394
  const inspect$1 = Symbol.for('nodejs.util.inspect.custom');
5434
5395
  const symbol = Symbol.for('@multiformats/js-multiaddr/multiaddr');
5435
5396
  const DNS_CODES = [
@@ -5541,20 +5502,10 @@ class Multiaddr {
5541
5502
  return this.#tuples.map(([code]) => getProtocol(code).name);
5542
5503
  }
5543
5504
  tuples() {
5544
- return this.#tuples.map(([code, value]) => {
5545
- if (value == null) {
5546
- return [code];
5547
- }
5548
- return [code, value];
5549
- });
5505
+ return this.#tuples;
5550
5506
  }
5551
5507
  stringTuples() {
5552
- return this.#stringTuples.map(([code, value]) => {
5553
- if (value == null) {
5554
- return [code];
5555
- }
5556
- return [code, value];
5557
- });
5508
+ return this.#stringTuples;
5558
5509
  }
5559
5510
  encapsulate(addr) {
5560
5511
  addr = new Multiaddr(addr);
@@ -5684,8 +5635,10 @@ class Multiaddr {
5684
5635
  *
5685
5636
  * ```TypeScript
5686
5637
  * import { multiaddr } from '@multiformats/multiaddr'
5638
+ * const addr = multiaddr("/ip4/127.0.0.1/udp/1234")
5639
+ * // Multiaddr(/ip4/127.0.0.1/udp/1234)
5687
5640
  *
5688
- * const addr = multiaddr('/ip4/127.0.0.1/udp/1234')
5641
+ * const addr = multiaddr("/ip4/127.0.0.1/udp/1234")
5689
5642
  * // Multiaddr(/ip4/127.0.0.1/udp/1234)
5690
5643
  *
5691
5644
  * addr.bytes
@@ -5724,9 +5677,9 @@ class Multiaddr {
5724
5677
  *
5725
5678
  * ```TypeScript
5726
5679
  * import { multiaddr, resolvers } from '@multiformats/multiaddr'
5727
- * import { dnsaddrResolver } from '@multiformats/multiaddr/resolvers'
5680
+ * import { dnsaddr } from '@multiformats/multiaddr/resolvers'
5728
5681
  *
5729
- * resolvers.set('dnsaddr', dnsaddrResolver)
5682
+ * resolvers.set('dnsaddr', dnsaddr)
5730
5683
  *
5731
5684
  * const ma = multiaddr('/dnsaddr/bootstrap.libp2p.io')
5732
5685
  *
@@ -5735,7 +5688,7 @@ class Multiaddr {
5735
5688
  * signal: AbortSignal.timeout(5000)
5736
5689
  * })
5737
5690
  *
5738
- * console.info(resolved)
5691
+ * console.info(await ma.resolve(resolved)
5739
5692
  * // [Multiaddr('/ip4/147.75...'), Multiaddr('/ip4/147.75...'), Multiaddr('/ip4/147.75...')...]
5740
5693
  * ```
5741
5694
  *
@@ -5749,9 +5702,7 @@ class Multiaddr {
5749
5702
  * import { dnsJsonOverHttps } from '@multiformats/dns/resolvers'
5750
5703
  *
5751
5704
  * const resolver = dns({
5752
- * resolvers: {
5753
- * '.': dnsJsonOverHttps('https://cloudflare-dns.com/dns-query')
5754
- * }
5705
+ * '.': dnsJsonOverHttps('https://cloudflare-dns.com/dns-query')
5755
5706
  * })
5756
5707
  *
5757
5708
  * const ma = multiaddr('/dnsaddr/bootstrap.libp2p.io')
@@ -5879,13 +5830,9 @@ class UnsupportedKeyTypeError extends Error {
5879
5830
  }
5880
5831
  }
5881
5832
 
5882
- /**
5883
- * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
5884
- * @todo re-check https://issues.chromium.org/issues/42212588
5885
- * @module
5886
- */
5887
5833
  const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
5888
5834
  const _32n = /* @__PURE__ */ BigInt(32);
5835
+ // We are not using BigUint64Array, because they are extremely slow as per 2022
5889
5836
  function fromBig(n, le = false) {
5890
5837
  if (le)
5891
5838
  return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
@@ -5942,13 +5889,6 @@ const u64 = {
5942
5889
  add, add3L, add3H, add4L, add4H, add5H, add5L,
5943
5890
  };
5944
5891
 
5945
- /**
5946
- * SHA2-512 a.k.a. sha512 and sha384. It is slower than sha256 in js because u64 operations are slow.
5947
- *
5948
- * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
5949
- * [the paper on truncated SHA512/256](https://eprint.iacr.org/2010/548.pdf).
5950
- * @module
5951
- */
5952
5892
  // Round contants (first 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409):
5953
5893
  // prettier-ignore
5954
5894
  const [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64.split([
@@ -6103,13 +6043,8 @@ class SHA512 extends HashMD {
6103
6043
  this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
6104
6044
  }
6105
6045
  }
6106
- /** SHA2-512 hash function. */
6107
6046
  const sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
6108
6047
 
6109
- /**
6110
- * Hex, bytes and number utilities.
6111
- * @module
6112
- */
6113
6048
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
6114
6049
  // 100 lines of code in the file are duplicated from noble-hashes (utils).
6115
6050
  // This is OK: `abstract` directory does not use noble-hashes.
@@ -6119,7 +6054,8 @@ const _0n$4 = /* @__PURE__ */ BigInt(0);
6119
6054
  const _1n$6 = /* @__PURE__ */ BigInt(1);
6120
6055
  const _2n$4 = /* @__PURE__ */ BigInt(2);
6121
6056
  function isBytes$1(a) {
6122
- return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
6057
+ return (a instanceof Uint8Array ||
6058
+ (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
6123
6059
  }
6124
6060
  function abytes(item) {
6125
6061
  if (!isBytes$1(item))
@@ -6127,7 +6063,7 @@ function abytes(item) {
6127
6063
  }
6128
6064
  function abool(title, value) {
6129
6065
  if (typeof value !== 'boolean')
6130
- throw new Error(title + ' boolean expected, got ' + value);
6066
+ throw new Error(`${title} must be valid boolean, got "${value}".`);
6131
6067
  }
6132
6068
  // Array where index 0xf0 (240) is mapped to string 'f0'
6133
6069
  const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
@@ -6145,22 +6081,23 @@ function bytesToHex(bytes) {
6145
6081
  }
6146
6082
  function numberToHexUnpadded(num) {
6147
6083
  const hex = num.toString(16);
6148
- return hex.length & 1 ? '0' + hex : hex;
6084
+ return hex.length & 1 ? `0${hex}` : hex;
6149
6085
  }
6150
6086
  function hexToNumber(hex) {
6151
6087
  if (typeof hex !== 'string')
6152
6088
  throw new Error('hex string expected, got ' + typeof hex);
6153
- return hex === '' ? _0n$4 : BigInt('0x' + hex); // Big Endian
6089
+ // Big Endian
6090
+ return BigInt(hex === '' ? '0' : `0x${hex}`);
6154
6091
  }
6155
6092
  // We use optimized technique to convert hex string to byte array
6156
- const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
6157
- function asciiToBase16(ch) {
6158
- if (ch >= asciis._0 && ch <= asciis._9)
6159
- return ch - asciis._0; // '2' => 50-48
6160
- if (ch >= asciis.A && ch <= asciis.F)
6161
- return ch - (asciis.A - 10); // 'B' => 66-(65-10)
6162
- if (ch >= asciis.a && ch <= asciis.f)
6163
- return ch - (asciis.a - 10); // 'b' => 98-(97-10)
6093
+ const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
6094
+ function asciiToBase16(char) {
6095
+ if (char >= asciis._0 && char <= asciis._9)
6096
+ return char - asciis._0;
6097
+ if (char >= asciis._A && char <= asciis._F)
6098
+ return char - (asciis._A - 10);
6099
+ if (char >= asciis._a && char <= asciis._f)
6100
+ return char - (asciis._a - 10);
6164
6101
  return;
6165
6102
  }
6166
6103
  /**
@@ -6172,7 +6109,7 @@ function hexToBytes(hex) {
6172
6109
  const hl = hex.length;
6173
6110
  const al = hl / 2;
6174
6111
  if (hl % 2)
6175
- throw new Error('hex string expected, got unpadded hex of length ' + hl);
6112
+ throw new Error('padded hex string expected, got unpadded hex of length ' + hl);
6176
6113
  const array = new Uint8Array(al);
6177
6114
  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
6178
6115
  const n1 = asciiToBase16(hex.charCodeAt(hi));
@@ -6181,7 +6118,7 @@ function hexToBytes(hex) {
6181
6118
  const char = hex[hi] + hex[hi + 1];
6182
6119
  throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
6183
6120
  }
6184
- array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
6121
+ array[ai] = n1 * 16 + n2;
6185
6122
  }
6186
6123
  return array;
6187
6124
  }
@@ -6219,7 +6156,7 @@ function ensureBytes(title, hex, expectedLength) {
6219
6156
  res = hexToBytes(hex);
6220
6157
  }
6221
6158
  catch (e) {
6222
- throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
6159
+ throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
6223
6160
  }
6224
6161
  }
6225
6162
  else if (isBytes$1(hex)) {
@@ -6228,11 +6165,11 @@ function ensureBytes(title, hex, expectedLength) {
6228
6165
  res = Uint8Array.from(hex);
6229
6166
  }
6230
6167
  else {
6231
- throw new Error(title + ' must be hex string or Uint8Array');
6168
+ throw new Error(`${title} must be hex string or Uint8Array`);
6232
6169
  }
6233
6170
  const len = res.length;
6234
6171
  if (typeof expectedLength === 'number' && len !== expectedLength)
6235
- throw new Error(title + ' of length ' + expectedLength + ' expected, got ' + len);
6172
+ throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
6236
6173
  return res;
6237
6174
  }
6238
6175
  /**
@@ -6267,7 +6204,7 @@ function equalBytes(a, b) {
6267
6204
  */
6268
6205
  function utf8ToBytes(str) {
6269
6206
  if (typeof str !== 'string')
6270
- throw new Error('string expected');
6207
+ throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
6271
6208
  return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
6272
6209
  }
6273
6210
  // Is positive bigint
@@ -6287,7 +6224,7 @@ function aInRange(title, n, min, max) {
6287
6224
  // - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)`
6288
6225
  // - our way is the cleanest: `inRange('x', x, 0n, P)
6289
6226
  if (!inRange(n, min, max))
6290
- throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);
6227
+ throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
6291
6228
  }
6292
6229
  // Bit operations
6293
6230
  /**
@@ -6397,12 +6334,12 @@ function validateObject(object, validators, optValidators = {}) {
6397
6334
  const checkField = (fieldName, type, isOptional) => {
6398
6335
  const checkVal = validatorFns[type];
6399
6336
  if (typeof checkVal !== 'function')
6400
- throw new Error('invalid validator function');
6337
+ throw new Error(`Invalid validator "${type}", expected function`);
6401
6338
  const val = object[fieldName];
6402
6339
  if (isOptional && val === undefined)
6403
6340
  return;
6404
6341
  if (!checkVal(val, object)) {
6405
- throw new Error('param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val);
6342
+ throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
6406
6343
  }
6407
6344
  };
6408
6345
  for (const [fieldName, type] of Object.entries(validators))
@@ -6471,17 +6408,14 @@ var ut = /*#__PURE__*/Object.freeze({
6471
6408
  validateObject: validateObject
6472
6409
  });
6473
6410
 
6474
- /**
6475
- * Utils for modular division and finite fields.
6476
- * A finite field over 11 is integer number operations `mod 11`.
6477
- * There is no division: it is replaced by modular multiplicative inverse.
6478
- * @module
6479
- */
6480
6411
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
6412
+ // Utilities for modular arithmetics and finite fields
6413
+ // prettier-ignore
6414
+ const _0n$3 = BigInt(0), _1n$5 = BigInt(1), _2n$3 = BigInt(2), _3n$1 = BigInt(3);
6481
6415
  // prettier-ignore
6482
- const _0n$3 = BigInt(0), _1n$5 = BigInt(1), _2n$3 = /* @__PURE__ */ BigInt(2), _3n$1 = /* @__PURE__ */ BigInt(3);
6416
+ const _4n = BigInt(4), _5n$1 = BigInt(5), _8n$2 = BigInt(8);
6483
6417
  // prettier-ignore
6484
- const _4n = /* @__PURE__ */ BigInt(4), _5n$1 = /* @__PURE__ */ BigInt(5), _8n$2 = /* @__PURE__ */ BigInt(8);
6418
+ BigInt(9); BigInt(16);
6485
6419
  // Calculates a modulo b
6486
6420
  function mod(a, b) {
6487
6421
  const result = a % b;
@@ -6490,15 +6424,13 @@ function mod(a, b) {
6490
6424
  /**
6491
6425
  * Efficiently raise num to power and do modular division.
6492
6426
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
6493
- * @todo use field version && remove
6494
6427
  * @example
6495
6428
  * pow(2n, 6n, 11n) // 64n % 11n == 9n
6496
6429
  */
6430
+ // TODO: use field version && remove
6497
6431
  function pow(num, power, modulo) {
6498
- if (power < _0n$3)
6499
- throw new Error('invalid exponent, negatives unsupported');
6500
- if (modulo <= _0n$3)
6501
- throw new Error('invalid modulus');
6432
+ if (modulo <= _0n$3 || power < _0n$3)
6433
+ throw new Error('Expected power/modulo > 0');
6502
6434
  if (modulo === _1n$5)
6503
6435
  return _0n$3;
6504
6436
  let res = _1n$5;
@@ -6510,7 +6442,7 @@ function pow(num, power, modulo) {
6510
6442
  }
6511
6443
  return res;
6512
6444
  }
6513
- /** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
6445
+ // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
6514
6446
  function pow2(x, power, modulo) {
6515
6447
  let res = x;
6516
6448
  while (power-- > _0n$3) {
@@ -6519,15 +6451,12 @@ function pow2(x, power, modulo) {
6519
6451
  }
6520
6452
  return res;
6521
6453
  }
6522
- /**
6523
- * Inverses number over modulo.
6524
- * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
6525
- */
6454
+ // Inverses number over modulo
6526
6455
  function invert(number, modulo) {
6527
- if (number === _0n$3)
6528
- throw new Error('invert: expected non-zero number');
6529
- if (modulo <= _0n$3)
6530
- throw new Error('invert: expected positive modulus, got ' + modulo);
6456
+ if (number === _0n$3 || modulo <= _0n$3) {
6457
+ throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
6458
+ }
6459
+ // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
6531
6460
  // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
6532
6461
  let a = mod(number, modulo);
6533
6462
  let b = modulo;
@@ -6567,11 +6496,8 @@ function tonelliShanks(P) {
6567
6496
  for (Q = P - _1n$5, S = 0; Q % _2n$3 === _0n$3; Q /= _2n$3, S++)
6568
6497
  ;
6569
6498
  // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
6570
- for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$5; Z++) {
6571
- // Crash instead of infinity loop, we cannot reasonable count until P.
6572
- if (Z > 1000)
6573
- throw new Error('Cannot find square root: likely non-prime P');
6574
- }
6499
+ for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$5; Z++)
6500
+ ;
6575
6501
  // Fast-path
6576
6502
  if (S === 1) {
6577
6503
  const p1div4 = (P + _1n$5) / _4n;
@@ -6613,18 +6539,9 @@ function tonelliShanks(P) {
6613
6539
  return x;
6614
6540
  };
6615
6541
  }
6616
- /**
6617
- * Square root for a finite field. It will try to check if optimizations are applicable and fall back to 4:
6618
- *
6619
- * 1. P ≡ 3 (mod 4)
6620
- * 2. P ≡ 5 (mod 8)
6621
- * 3. P ≡ 9 (mod 16)
6622
- * 4. Tonelli-Shanks algorithm
6623
- *
6624
- * Different algorithms can give different roots, it is up to user to decide which one they want.
6625
- * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
6626
- */
6627
6542
  function FpSqrt(P) {
6543
+ // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
6544
+ // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
6628
6545
  // P ≡ 3 (mod 4)
6629
6546
  // √n = n^((P+1)/4)
6630
6547
  if (P % _4n === _3n$1) {
@@ -6688,7 +6605,7 @@ function FpPow(f, num, power) {
6688
6605
  // Should have same speed as pow for bigints
6689
6606
  // TODO: benchmark!
6690
6607
  if (power < _0n$3)
6691
- throw new Error('invalid exponent, negatives unsupported');
6608
+ throw new Error('Expected power > 0');
6692
6609
  if (power === _0n$3)
6693
6610
  return f.ONE;
6694
6611
  if (power === _1n$5)
@@ -6735,15 +6652,15 @@ function nLength(n, nBitLength) {
6735
6652
  return { nBitLength: _nBitLength, nByteLength };
6736
6653
  }
6737
6654
  /**
6738
- * Initializes a finite field over prime.
6655
+ * Initializes a finite field over prime. **Non-primes are not supported.**
6656
+ * Do not init in loop: slow. Very fragile: always run a benchmark on a change.
6739
6657
  * Major performance optimizations:
6740
6658
  * * a) denormalized operations like mulN instead of mul
6741
6659
  * * b) same object shape: never add or remove keys
6742
6660
  * * c) Object.freeze
6743
- * Fragile: always run a benchmark on a change.
6744
- * Security note: operations don't check 'isValid' for all elements for performance reasons,
6661
+ * NOTE: operations don't check 'isValid' for all elements for performance reasons,
6745
6662
  * it is caller responsibility to check this.
6746
- * This is low-level code, please make sure you know what you're doing.
6663
+ * This is low-level code, please make sure you know what you doing.
6747
6664
  * @param ORDER prime positive bigint
6748
6665
  * @param bitLen how many bits the field consumes
6749
6666
  * @param isLE (def: false) if encoding / decoding should be in little-endian
@@ -6751,14 +6668,13 @@ function nLength(n, nBitLength) {
6751
6668
  */
6752
6669
  function Field(ORDER, bitLen, isLE = false, redef = {}) {
6753
6670
  if (ORDER <= _0n$3)
6754
- throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
6671
+ throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
6755
6672
  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
6756
6673
  if (BYTES > 2048)
6757
- throw new Error('invalid field: expected ORDER of <= 2048 bytes');
6758
- let sqrtP; // cached sqrtP
6674
+ throw new Error('Field lengths over 2048 bytes are not supported');
6675
+ const sqrtP = FpSqrt(ORDER);
6759
6676
  const f = Object.freeze({
6760
6677
  ORDER,
6761
- isLE,
6762
6678
  BITS,
6763
6679
  BYTES,
6764
6680
  MASK: bitMask(BITS),
@@ -6767,7 +6683,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
6767
6683
  create: (num) => mod(num, ORDER),
6768
6684
  isValid: (num) => {
6769
6685
  if (typeof num !== 'bigint')
6770
- throw new Error('invalid field element: expected bigint, got ' + typeof num);
6686
+ throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
6771
6687
  return _0n$3 <= num && num < ORDER; // 0 is valid element, but it's not invertible
6772
6688
  },
6773
6689
  is0: (num) => num === _0n$3,
@@ -6786,12 +6702,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
6786
6702
  subN: (lhs, rhs) => lhs - rhs,
6787
6703
  mulN: (lhs, rhs) => lhs * rhs,
6788
6704
  inv: (num) => invert(num, ORDER),
6789
- sqrt: redef.sqrt ||
6790
- ((n) => {
6791
- if (!sqrtP)
6792
- sqrtP = FpSqrt(ORDER);
6793
- return sqrtP(f, n);
6794
- }),
6705
+ sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
6795
6706
  invertBatch: (lst) => FpInvertBatch(f, lst),
6796
6707
  // TODO: do we really need constant cmov?
6797
6708
  // We don't have const-time bigints anyway, so probably will be not very useful
@@ -6799,7 +6710,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
6799
6710
  toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
6800
6711
  fromBytes: (bytes) => {
6801
6712
  if (bytes.length !== BYTES)
6802
- throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
6713
+ throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
6803
6714
  return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
6804
6715
  },
6805
6716
  });
@@ -6847,80 +6758,52 @@ function mapHashToField(key, fieldOrder, isLE = false) {
6847
6758
  const minLen = getMinHashLength(fieldOrder);
6848
6759
  // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
6849
6760
  if (len < 16 || len < minLen || len > 1024)
6850
- throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
6851
- const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
6761
+ throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
6762
+ const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
6852
6763
  // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
6853
6764
  const reduced = mod(num, fieldOrder - _1n$5) + _1n$5;
6854
6765
  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
6855
6766
  }
6856
6767
 
6857
- /**
6858
- * Methods for elliptic curve multiplication by scalars.
6859
- * Contains wNAF, pippenger
6860
- * @module
6861
- */
6862
6768
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
6769
+ // Abelian group utilities
6863
6770
  const _0n$2 = BigInt(0);
6864
6771
  const _1n$4 = BigInt(1);
6865
- function constTimeNegate(condition, item) {
6866
- const neg = item.negate();
6867
- return condition ? neg : item;
6868
- }
6869
- function validateW(W, bits) {
6870
- if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
6871
- throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
6872
- }
6873
- function calcWOpts(W, bits) {
6874
- validateW(W, bits);
6875
- const windows = Math.ceil(bits / W) + 1; // +1, because
6876
- const windowSize = 2 ** (W - 1); // -1 because we skip zero
6877
- return { windows, windowSize };
6878
- }
6879
- function validateMSMPoints(points, c) {
6880
- if (!Array.isArray(points))
6881
- throw new Error('array expected');
6882
- points.forEach((p, i) => {
6883
- if (!(p instanceof c))
6884
- throw new Error('invalid point at index ' + i);
6885
- });
6886
- }
6887
- function validateMSMScalars(scalars, field) {
6888
- if (!Array.isArray(scalars))
6889
- throw new Error('array of scalars expected');
6890
- scalars.forEach((s, i) => {
6891
- if (!field.isValid(s))
6892
- throw new Error('invalid scalar at index ' + i);
6893
- });
6894
- }
6895
6772
  // Since points in different groups cannot be equal (different object constructor),
6896
6773
  // we can have single place to store precomputes
6897
6774
  const pointPrecomputes = new WeakMap();
6898
6775
  const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
6899
- function getW(P) {
6900
- return pointWindowSizes.get(P) || 1;
6901
- }
6902
- /**
6903
- * Elliptic curve multiplication of Point by scalar. Fragile.
6904
- * Scalars should always be less than curve order: this should be checked inside of a curve itself.
6905
- * Creates precomputation tables for fast multiplication:
6906
- * - private scalar is split by fixed size windows of W bits
6907
- * - every window point is collected from window's table & added to accumulator
6908
- * - since windows are different, same point inside tables won't be accessed more than once per calc
6909
- * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
6910
- * - +1 window is neccessary for wNAF
6911
- * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
6912
- *
6913
- * @todo Research returning 2d JS array of windows, instead of a single window.
6914
- * This would allow windows to be in different memory locations
6915
- */
6776
+ // Elliptic curve multiplication of Point by scalar. Fragile.
6777
+ // Scalars should always be less than curve order: this should be checked inside of a curve itself.
6778
+ // Creates precomputation tables for fast multiplication:
6779
+ // - private scalar is split by fixed size windows of W bits
6780
+ // - every window point is collected from window's table & added to accumulator
6781
+ // - since windows are different, same point inside tables won't be accessed more than once per calc
6782
+ // - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
6783
+ // - +1 window is neccessary for wNAF
6784
+ // - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
6785
+ // TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
6786
+ // windows to be in different memory locations
6916
6787
  function wNAF(c, bits) {
6788
+ const constTimeNegate = (condition, item) => {
6789
+ const neg = item.negate();
6790
+ return condition ? neg : item;
6791
+ };
6792
+ const validateW = (W) => {
6793
+ if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
6794
+ throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
6795
+ };
6796
+ const opts = (W) => {
6797
+ validateW(W);
6798
+ const windows = Math.ceil(bits / W) + 1; // +1, because
6799
+ const windowSize = 2 ** (W - 1); // -1 because we skip zero
6800
+ return { windows, windowSize };
6801
+ };
6917
6802
  return {
6918
6803
  constTimeNegate,
6919
- hasPrecomputes(elm) {
6920
- return getW(elm) !== 1;
6921
- },
6922
6804
  // non-const time multiplication ladder
6923
- unsafeLadder(elm, n, p = c.ZERO) {
6805
+ unsafeLadder(elm, n) {
6806
+ let p = c.ZERO;
6924
6807
  let d = elm;
6925
6808
  while (n > _0n$2) {
6926
6809
  if (n & _1n$4)
@@ -6938,12 +6821,10 @@ function wNAF(c, bits) {
6938
6821
  * - 𝑊 is the window size
6939
6822
  * - 𝑛 is the bitlength of the curve order.
6940
6823
  * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
6941
- * @param elm Point instance
6942
- * @param W window size
6943
6824
  * @returns precomputed point tables flattened to a single array
6944
6825
  */
6945
6826
  precomputeWindow(elm, W) {
6946
- const { windows, windowSize } = calcWOpts(W, bits);
6827
+ const { windows, windowSize } = opts(W);
6947
6828
  const points = [];
6948
6829
  let p = elm;
6949
6830
  let base = p;
@@ -6969,7 +6850,7 @@ function wNAF(c, bits) {
6969
6850
  wNAF(W, precomputes, n) {
6970
6851
  // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
6971
6852
  // But need to carefully remove other checks before wNAF. ORDER == bits here
6972
- const { windows, windowSize } = calcWOpts(W, bits);
6853
+ const { windows, windowSize } = opts(W);
6973
6854
  let p = c.ZERO;
6974
6855
  let f = c.BASE;
6975
6856
  const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
@@ -7013,44 +6894,8 @@ function wNAF(c, bits) {
7013
6894
  // which makes it less const-time: around 1 bigint multiply.
7014
6895
  return { p, f };
7015
6896
  },
7016
- /**
7017
- * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
7018
- * @param W window size
7019
- * @param precomputes precomputed tables
7020
- * @param n scalar (we don't check here, but should be less than curve order)
7021
- * @param acc accumulator point to add result of multiplication
7022
- * @returns point
7023
- */
7024
- wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
7025
- const { windows, windowSize } = calcWOpts(W, bits);
7026
- const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
7027
- const maxNumber = 2 ** W;
7028
- const shiftBy = BigInt(W);
7029
- for (let window = 0; window < windows; window++) {
7030
- const offset = window * windowSize;
7031
- if (n === _0n$2)
7032
- break; // No need to go over empty scalar
7033
- // Extract W bits.
7034
- let wbits = Number(n & mask);
7035
- // Shift number by W bits.
7036
- n >>= shiftBy;
7037
- // If the bits are bigger than max size, we'll split those.
7038
- // +224 => 256 - 32
7039
- if (wbits > windowSize) {
7040
- wbits -= maxNumber;
7041
- n += _1n$4;
7042
- }
7043
- if (wbits === 0)
7044
- continue;
7045
- let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
7046
- if (wbits < 0)
7047
- curr = curr.negate();
7048
- // NOTE: by re-using acc, we can save a lot of additions in case of MSM
7049
- acc = acc.add(curr);
7050
- }
7051
- return acc;
7052
- },
7053
- getPrecomputes(W, P, transform) {
6897
+ wNAFCached(P, n, transform) {
6898
+ const W = pointWindowSizes.get(P) || 1;
7054
6899
  // Calculate precomputes on a first run, reuse them after
7055
6900
  let comp = pointPrecomputes.get(P);
7056
6901
  if (!comp) {
@@ -7058,66 +6903,62 @@ function wNAF(c, bits) {
7058
6903
  if (W !== 1)
7059
6904
  pointPrecomputes.set(P, transform(comp));
7060
6905
  }
7061
- return comp;
7062
- },
7063
- wNAFCached(P, n, transform) {
7064
- const W = getW(P);
7065
- return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
7066
- },
7067
- wNAFCachedUnsafe(P, n, transform, prev) {
7068
- const W = getW(P);
7069
- if (W === 1)
7070
- return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
7071
- return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
6906
+ return this.wNAF(W, comp, n);
7072
6907
  },
7073
6908
  // We calculate precomputes for elliptic curve point multiplication
7074
6909
  // using windowed method. This specifies window size and
7075
6910
  // stores precomputed values. Usually only base point would be precomputed.
7076
6911
  setWindowSize(P, W) {
7077
- validateW(W, bits);
6912
+ validateW(W);
7078
6913
  pointWindowSizes.set(P, W);
7079
6914
  pointPrecomputes.delete(P);
7080
6915
  },
7081
6916
  };
7082
6917
  }
7083
6918
  /**
7084
- * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
6919
+ * Pippenger algorithm for multi-scalar multiplication (MSM).
6920
+ * MSM is basically (Pa + Qb + Rc + ...).
7085
6921
  * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
7086
6922
  * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
7087
6923
  * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
7088
6924
  * @param c Curve Point constructor
7089
- * @param fieldN field over CURVE.N - important that it's not over CURVE.P
6925
+ * @param field field over CURVE.N - important that it's not over CURVE.P
7090
6926
  * @param points array of L curve points
7091
6927
  * @param scalars array of L scalars (aka private keys / bigints)
7092
6928
  */
7093
- function pippenger(c, fieldN, points, scalars) {
6929
+ function pippenger(c, field, points, scalars) {
7094
6930
  // If we split scalars by some window (let's say 8 bits), every chunk will only
7095
6931
  // take 256 buckets even if there are 4096 scalars, also re-uses double.
7096
6932
  // TODO:
7097
6933
  // - https://eprint.iacr.org/2024/750.pdf
7098
6934
  // - https://tches.iacr.org/index.php/TCHES/article/view/10287
7099
6935
  // 0 is accepted in scalars
7100
- validateMSMPoints(points, c);
7101
- validateMSMScalars(scalars, fieldN);
7102
- if (points.length !== scalars.length)
6936
+ if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)
7103
6937
  throw new Error('arrays of points and scalars must have equal length');
7104
- const zero = c.ZERO;
6938
+ scalars.forEach((s, i) => {
6939
+ if (!field.isValid(s))
6940
+ throw new Error(`wrong scalar at index ${i}`);
6941
+ });
6942
+ points.forEach((p, i) => {
6943
+ if (!(p instanceof c))
6944
+ throw new Error(`wrong point at index ${i}`);
6945
+ });
7105
6946
  const wbits = bitLen(BigInt(points.length));
7106
6947
  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
7107
6948
  const MASK = (1 << windowSize) - 1;
7108
- const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
7109
- const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
7110
- let sum = zero;
6949
+ const buckets = new Array(MASK + 1).fill(c.ZERO); // +1 for zero array
6950
+ const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;
6951
+ let sum = c.ZERO;
7111
6952
  for (let i = lastBits; i >= 0; i -= windowSize) {
7112
- buckets.fill(zero);
6953
+ buckets.fill(c.ZERO);
7113
6954
  for (let j = 0; j < scalars.length; j++) {
7114
6955
  const scalar = scalars[j];
7115
6956
  const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
7116
6957
  buckets[wbits] = buckets[wbits].add(points[j]);
7117
6958
  }
7118
- let resI = zero; // not using this will do small speed-up, but will lose ct
6959
+ let resI = c.ZERO; // not using this will do small speed-up, but will lose ct
7119
6960
  // Skip first bucket, because it is zero
7120
- for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
6961
+ for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {
7121
6962
  sumI = sumI.add(buckets[j]);
7122
6963
  resI = resI.add(sumI);
7123
6964
  }
@@ -7147,12 +6988,8 @@ function validateBasic(curve) {
7147
6988
  });
7148
6989
  }
7149
6990
 
7150
- /**
7151
- * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
7152
- * For design rationale of types / exports, see weierstrass module documentation.
7153
- * @module
7154
- */
7155
6991
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
6992
+ // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
7156
6993
  // Be friendly to bad ECMAScript parsers by not using bigint literals
7157
6994
  // prettier-ignore
7158
6995
  const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n$1 = BigInt(8);
@@ -7184,10 +7021,6 @@ function validateOpts$1(curve) {
7184
7021
  function twistedEdwards(curveDef) {
7185
7022
  const CURVE = validateOpts$1(curveDef);
7186
7023
  const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
7187
- // Important:
7188
- // There are some places where Fp.BYTES is used instead of nByteLength.
7189
- // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
7190
- // TODO: test and find curves which behave otherwise.
7191
7024
  const MASK = _2n$2 << (BigInt(nByteLength * 8) - _1n$3);
7192
7025
  const modP = Fp.create; // Function overrides
7193
7026
  const Fn = Field(CURVE.n, CURVE.nBitLength);
@@ -7401,15 +7234,16 @@ function twistedEdwards(curveDef) {
7401
7234
  // It's faster, but should only be used when you don't care about
7402
7235
  // an exposed private key e.g. sig verification.
7403
7236
  // Does NOT allow scalars higher than CURVE.n.
7404
- // Accepts optional accumulator to merge with multiply (important for sparse scalars)
7405
- multiplyUnsafe(scalar, acc = Point.ZERO) {
7237
+ multiplyUnsafe(scalar) {
7406
7238
  const n = scalar;
7407
7239
  aInRange('scalar', n, _0n$1, CURVE_ORDER); // 0 <= scalar < L
7408
7240
  if (n === _0n$1)
7409
7241
  return I;
7410
- if (this.is0() || n === _1n$3)
7242
+ if (this.equals(I) || n === _1n$3)
7411
7243
  return this;
7412
- return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
7244
+ if (this.equals(G))
7245
+ return this.wNAF(n).p;
7246
+ return wnaf.unsafeLadder(this, n);
7413
7247
  }
7414
7248
  // Checks if point is of small order.
7415
7249
  // If you add something to small order point, you will have "dirty"
@@ -7443,9 +7277,8 @@ function twistedEdwards(curveDef) {
7443
7277
  abool('zip215', zip215);
7444
7278
  const normed = hex.slice(); // copy again, we'll manipulate it
7445
7279
  const lastByte = hex[len - 1]; // select last byte
7446
- normed[len - 1] = lastByte & -129; // clear last bit
7280
+ normed[len - 1] = lastByte & ~0x80; // clear last bit
7447
7281
  const y = bytesToNumberLE(normed);
7448
- // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
7449
7282
  // RFC8032 prohibits >= p, but ZIP215 doesn't
7450
7283
  // zip215=true: 0 <= y < MASK (2^256 for ed25519)
7451
7284
  // zip215=false: 0 <= y < P (2^255-19 for ed25519)
@@ -7494,7 +7327,7 @@ function twistedEdwards(curveDef) {
7494
7327
  }
7495
7328
  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
7496
7329
  function getExtendedPublicKey(key) {
7497
- const len = Fp.BYTES;
7330
+ const len = nByteLength;
7498
7331
  key = ensureBytes('private key', key, len);
7499
7332
  // Hash private key with curve's hash function to produce uniformingly random input
7500
7333
  // Check byte lengths: ensure(64, h(ensure(32, key)))
@@ -7527,29 +7360,23 @@ function twistedEdwards(curveDef) {
7527
7360
  const s = modN(r + k * scalar); // S = (r + k * s) mod L
7528
7361
  aInRange('signature.s', s, _0n$1, CURVE_ORDER); // 0 <= s < l
7529
7362
  const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
7530
- return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
7363
+ return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
7531
7364
  }
7532
7365
  const verifyOpts = VERIFY_DEFAULT;
7533
- /**
7534
- * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
7535
- * An extended group equation is checked.
7536
- */
7537
7366
  function verify(sig, msg, publicKey, options = verifyOpts) {
7538
7367
  const { context, zip215 } = options;
7539
7368
  const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
7540
7369
  sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
7541
7370
  msg = ensureBytes('message', msg);
7542
- publicKey = ensureBytes('publicKey', publicKey, len);
7543
7371
  if (zip215 !== undefined)
7544
7372
  abool('zip215', zip215);
7545
7373
  if (prehash)
7546
7374
  msg = prehash(msg); // for ed25519ph, etc
7547
7375
  const s = bytesToNumberLE(sig.slice(len, 2 * len));
7376
+ // zip215: true is good for consensus-critical apps and allows points < 2^256
7377
+ // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
7548
7378
  let A, R, SB;
7549
7379
  try {
7550
- // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
7551
- // zip215=true: 0 <= y < MASK (2^256 for ed25519)
7552
- // zip215=false: 0 <= y < P (2^255-19 for ed25519)
7553
7380
  A = Point.fromHex(publicKey, zip215);
7554
7381
  R = Point.fromHex(sig.slice(0, len), zip215);
7555
7382
  SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
@@ -7561,7 +7388,6 @@ function twistedEdwards(curveDef) {
7561
7388
  return false;
7562
7389
  const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
7563
7390
  const RkA = R.add(A.multiplyUnsafe(k));
7564
- // Extended group equation
7565
7391
  // [8][S]B = [8]R + [8][k]A'
7566
7392
  return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
7567
7393
  }
@@ -7592,14 +7418,13 @@ function twistedEdwards(curveDef) {
7592
7418
  };
7593
7419
  }
7594
7420
 
7421
+ /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
7595
7422
  /**
7596
7423
  * ed25519 Twisted Edwards curve with following addons:
7597
7424
  * - X25519 ECDH
7598
7425
  * - Ristretto cofactor elimination
7599
7426
  * - Elligator hash-to-group / point indistinguishability
7600
- * @module
7601
7427
  */
7602
- /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
7603
7428
  const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
7604
7429
  // √(-1) aka √(a) aka 2^((p-1)/4)
7605
7430
  const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
@@ -7658,7 +7483,7 @@ function uvRatio(u, v) {
7658
7483
  x = mod(-x, P);
7659
7484
  return { isValid: useRoot1 || useRoot2, value: x };
7660
7485
  }
7661
- const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
7486
+ const Fp$1 = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
7662
7487
  const ed25519Defaults = /* @__PURE__ */ (() => ({
7663
7488
  // Param: a
7664
7489
  a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
@@ -7666,7 +7491,7 @@ const ed25519Defaults = /* @__PURE__ */ (() => ({
7666
7491
  // Negative number is P - number, and division is invert(number, P)
7667
7492
  d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
7668
7493
  // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
7669
- Fp,
7494
+ Fp: Fp$1,
7670
7495
  // Subgroup order: how many points curve has
7671
7496
  // 2n**252n + 27742317777372353535851937790883648493n;
7672
7497
  n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
@@ -7685,14 +7510,6 @@ const ed25519Defaults = /* @__PURE__ */ (() => ({
7685
7510
  }))();
7686
7511
  /**
7687
7512
  * ed25519 curve with EdDSA signatures.
7688
- * @example
7689
- * import { ed25519 } from '@noble/curves/ed25519';
7690
- * const priv = ed25519.utils.randomPrivateKey();
7691
- * const pub = ed25519.getPublicKey(priv);
7692
- * const msg = new TextEncoder().encode('hello');
7693
- * const sig = ed25519.sign(msg, priv);
7694
- * ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
7695
- * ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
7696
7513
  */
7697
7514
  const ed25519 = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
7698
7515
 
@@ -9066,7 +8883,7 @@ var PrivateKey;
9066
8883
  /*!
9067
8884
  * MIT License
9068
8885
  *
9069
- * Copyright (c) 2017-2024 Peculiar Ventures, LLC
8886
+ * Copyright (c) 2017-2022 Peculiar Ventures, LLC
9070
8887
  *
9071
8888
  * Permission is hereby granted, free of charge, to any person obtaining a copy
9072
8889
  * of this software and associated documentation files (the "Software"), to deal
@@ -9178,7 +8995,7 @@ class BufferSourceConverter {
9178
8995
  }
9179
8996
 
9180
8997
  const STRING_TYPE = "string";
9181
- const HEX_REGEX = /^[0-9a-f\s]+$/i;
8998
+ const HEX_REGEX = /^[0-9a-f]+$/i;
9182
8999
  const BASE64_REGEX = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
9183
9000
  const BASE64URL_REGEX = /^[a-zA-Z0-9-_]+$/;
9184
9001
  class Utf8Converter {
@@ -9412,7 +9229,7 @@ class Convert {
9412
9229
  return base64;
9413
9230
  }
9414
9231
  static formatString(data) {
9415
- return (data === null || data === undefined ? undefined : data.replace(/[\n\r\t ]/g, "")) || "";
9232
+ return (data === null || data === void 0 ? void 0 : data.replace(/[\n\r\t ]/g, "")) || "";
9416
9233
  }
9417
9234
  }
9418
9235
  Convert.DEFAULT_UTF8_ENCODING = "utf8";
@@ -9668,7 +9485,7 @@ function HexBlock(BaseClass) {
9668
9485
  var _a;
9669
9486
  super(...args);
9670
9487
  const params = args[0] || {};
9671
- this.isHexOnly = (_a = params.isHexOnly) !== null && _a !== undefined ? _a : false;
9488
+ this.isHexOnly = (_a = params.isHexOnly) !== null && _a !== void 0 ? _a : false;
9672
9489
  this.valueHexView = params.valueHex ? BufferSourceConverter_1.toUint8Array(params.valueHex) : EMPTY_VIEW;
9673
9490
  }
9674
9491
  get valueHex() {
@@ -9758,11 +9575,11 @@ class LocalIdentificationBlock extends HexBlock(LocalBaseBlock) {
9758
9575
  var _a, _b, _c, _d;
9759
9576
  super();
9760
9577
  if (idBlock) {
9761
- this.isHexOnly = (_a = idBlock.isHexOnly) !== null && _a !== undefined ? _a : false;
9578
+ this.isHexOnly = (_a = idBlock.isHexOnly) !== null && _a !== void 0 ? _a : false;
9762
9579
  this.valueHexView = idBlock.valueHex ? BufferSourceConverter_1.toUint8Array(idBlock.valueHex) : EMPTY_VIEW;
9763
- this.tagClass = (_b = idBlock.tagClass) !== null && _b !== undefined ? _b : -1;
9764
- this.tagNumber = (_c = idBlock.tagNumber) !== null && _c !== undefined ? _c : -1;
9765
- this.isConstructed = (_d = idBlock.isConstructed) !== null && _d !== undefined ? _d : false;
9580
+ this.tagClass = (_b = idBlock.tagClass) !== null && _b !== void 0 ? _b : -1;
9581
+ this.tagNumber = (_c = idBlock.tagNumber) !== null && _c !== void 0 ? _c : -1;
9582
+ this.isConstructed = (_d = idBlock.isConstructed) !== null && _d !== void 0 ? _d : false;
9766
9583
  }
9767
9584
  else {
9768
9585
  this.tagClass = -1;
@@ -9929,9 +9746,9 @@ class LocalLengthBlock extends LocalBaseBlock {
9929
9746
  constructor({ lenBlock = {}, } = {}) {
9930
9747
  var _a, _b, _c;
9931
9748
  super();
9932
- this.isIndefiniteForm = (_a = lenBlock.isIndefiniteForm) !== null && _a !== undefined ? _a : false;
9933
- this.longFormUsed = (_b = lenBlock.longFormUsed) !== null && _b !== undefined ? _b : false;
9934
- this.length = (_c = lenBlock.length) !== null && _c !== undefined ? _c : 0;
9749
+ this.isIndefiniteForm = (_a = lenBlock.isIndefiniteForm) !== null && _a !== void 0 ? _a : false;
9750
+ this.longFormUsed = (_b = lenBlock.longFormUsed) !== null && _b !== void 0 ? _b : false;
9751
+ this.length = (_c = lenBlock.length) !== null && _c !== void 0 ? _c : 0;
9935
9752
  }
9936
9753
  fromBER(inputBuffer, inputOffset, inputLength) {
9937
9754
  const view = BufferSourceConverter_1.toUint8Array(inputBuffer);
@@ -10703,7 +10520,7 @@ var _a$r;
10703
10520
  class OctetString extends BaseBlock {
10704
10521
  constructor({ idBlock = {}, lenBlock = {}, ...parameters } = {}) {
10705
10522
  var _b, _c;
10706
- (_b = parameters.isConstructed) !== null && _b !== undefined ? _b : (parameters.isConstructed = !!((_c = parameters.value) === null || _c === undefined ? undefined : _c.length));
10523
+ (_b = parameters.isConstructed) !== null && _b !== void 0 ? _b : (parameters.isConstructed = !!((_c = parameters.value) === null || _c === void 0 ? void 0 : _c.length));
10707
10524
  super({
10708
10525
  idBlock: {
10709
10526
  isConstructed: parameters.isConstructed,
@@ -10864,7 +10681,7 @@ var _a$q;
10864
10681
  class BitString extends BaseBlock {
10865
10682
  constructor({ idBlock = {}, lenBlock = {}, ...parameters } = {}) {
10866
10683
  var _b, _c;
10867
- (_b = parameters.isConstructed) !== null && _b !== undefined ? _b : (parameters.isConstructed = !!((_c = parameters.value) === null || _c === undefined ? undefined : _c.length));
10684
+ (_b = parameters.isConstructed) !== null && _b !== void 0 ? _b : (parameters.isConstructed = !!((_c = parameters.value) === null || _c === void 0 ? void 0 : _c.length));
10868
10685
  super({
10869
10686
  idBlock: {
10870
10687
  isConstructed: parameters.isConstructed,
@@ -12066,7 +11883,7 @@ class GeneralizedTime extends UTCTime {
12066
11883
  constructor(parameters = {}) {
12067
11884
  var _b;
12068
11885
  super(parameters);
12069
- (_b = this.millisecond) !== null && _b !== undefined ? _b : (this.millisecond = 0);
11886
+ (_b = this.millisecond) !== null && _b !== void 0 ? _b : (this.millisecond = 0);
12070
11887
  this.idBlock.tagClass = 1;
12071
11888
  this.idBlock.tagNumber = 24;
12072
11889
  }
@@ -12417,8 +12234,8 @@ function pkixToJwk(bytes) {
12417
12234
  const values = result.valueBlock.value[1].valueBlock.value[0].valueBlock.value;
12418
12235
  return {
12419
12236
  kty: 'RSA',
12420
- n: asn1jsIntegerToBase64(values[0]),
12421
- e: asn1jsIntegerToBase64(values[1])
12237
+ n: toString$1(bnToBuf(values[0].toBigInt()), 'base64url'),
12238
+ e: toString$1(bnToBuf(values[1].toBigInt()), 'base64url')
12422
12239
  };
12423
12240
  }
12424
12241
  /**
@@ -12454,13 +12271,21 @@ function jwkToPkix(jwk) {
12454
12271
  const der = root.toBER();
12455
12272
  return new Uint8Array(der, 0, der.byteLength);
12456
12273
  }
12457
- function asn1jsIntegerToBase64(int) {
12458
- let buf = int.valueBlock.valueHexView;
12459
- // chrome rejects values with leading 0s
12460
- while (buf[0] === 0) {
12461
- buf = buf.subarray(1);
12274
+ function bnToBuf(bn) {
12275
+ let hex = bn.toString(16);
12276
+ if (hex.length % 2 > 0) {
12277
+ hex = `0${hex}`;
12462
12278
  }
12463
- return toString$1(buf, 'base64url');
12279
+ const len = hex.length / 2;
12280
+ const u8 = new Uint8Array(len);
12281
+ let i = 0;
12282
+ let j = 0;
12283
+ while (i < len) {
12284
+ u8[i] = parseInt(hex.slice(j, j + 2), 16);
12285
+ i += 1;
12286
+ j += 2;
12287
+ }
12288
+ return u8;
12464
12289
  }
12465
12290
  function bufToBn(u8) {
12466
12291
  const hex = [];
@@ -12489,18 +12314,15 @@ function pkixToRSAPublicKey(bytes) {
12489
12314
  return new RSAPublicKey(jwk, digest);
12490
12315
  }
12491
12316
 
12492
- /**
12493
- * HMAC: RFC2104 message authentication code.
12494
- * @module
12495
- */
12317
+ // HMAC (RFC 2104)
12496
12318
  class HMAC extends Hash {
12497
- constructor(hash, _key) {
12319
+ constructor(hash$1, _key) {
12498
12320
  super();
12499
12321
  this.finished = false;
12500
12322
  this.destroyed = false;
12501
- ahash(hash);
12323
+ hash(hash$1);
12502
12324
  const key = toBytes$1(_key);
12503
- this.iHash = hash.create();
12325
+ this.iHash = hash$1.create();
12504
12326
  if (typeof this.iHash.update !== 'function')
12505
12327
  throw new Error('Expected instance of class which extends utils.Hash');
12506
12328
  this.blockLen = this.iHash.blockLen;
@@ -12508,12 +12330,12 @@ class HMAC extends Hash {
12508
12330
  const blockLen = this.blockLen;
12509
12331
  const pad = new Uint8Array(blockLen);
12510
12332
  // blockLen can be bigger than outputLen
12511
- pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
12333
+ pad.set(key.length > blockLen ? hash$1.create().update(key).digest() : key);
12512
12334
  for (let i = 0; i < pad.length; i++)
12513
12335
  pad[i] ^= 0x36;
12514
12336
  this.iHash.update(pad);
12515
12337
  // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
12516
- this.oHash = hash.create();
12338
+ this.oHash = hash$1.create();
12517
12339
  // Undo internal XOR && apply outer XOR
12518
12340
  for (let i = 0; i < pad.length; i++)
12519
12341
  pad[i] ^= 0x36 ^ 0x5c;
@@ -12521,13 +12343,13 @@ class HMAC extends Hash {
12521
12343
  pad.fill(0);
12522
12344
  }
12523
12345
  update(buf) {
12524
- aexists(this);
12346
+ exists(this);
12525
12347
  this.iHash.update(buf);
12526
12348
  return this;
12527
12349
  }
12528
12350
  digestInto(out) {
12529
- aexists(this);
12530
- abytes$1(out, this.outputLen);
12351
+ exists(this);
12352
+ bytes(out, this.outputLen);
12531
12353
  this.finished = true;
12532
12354
  this.iHash.digestInto(out);
12533
12355
  this.oHash.update(out);
@@ -12571,33 +12393,8 @@ class HMAC extends Hash {
12571
12393
  const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
12572
12394
  hmac.create = (hash, key) => new HMAC(hash, key);
12573
12395
 
12574
- /**
12575
- * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
12576
- *
12577
- * ### Design rationale for types
12578
- *
12579
- * * Interaction between classes from different curves should fail:
12580
- * `k256.Point.BASE.add(p256.Point.BASE)`
12581
- * * For this purpose we want to use `instanceof` operator, which is fast and works during runtime
12582
- * * Different calls of `curve()` would return different classes -
12583
- * `curve(params) !== curve(params)`: if somebody decided to monkey-patch their curve,
12584
- * it won't affect others
12585
- *
12586
- * TypeScript can't infer types for classes created inside a function. Classes is one instance
12587
- * of nominative types in TypeScript and interfaces only check for shape, so it's hard to create
12588
- * unique type for every function call.
12589
- *
12590
- * We can use generic types via some param, like curve opts, but that would:
12591
- * 1. Enable interaction between `curve(params)` and `curve(params)` (curves of same params)
12592
- * which is hard to debug.
12593
- * 2. Params can be generic and we can't enforce them to be constant value:
12594
- * if somebody creates curve from non-constant params,
12595
- * it would be allowed to interact with other curves with non-constant params
12596
- *
12597
- * @todo https://www.typescriptlang.org/docs/handbook/release-notes/typescript-2-7.html#unique-symbol
12598
- * @module
12599
- */
12600
12396
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
12397
+ // Short Weierstrass curve. The formula is: y² = x³ + ax + b
12601
12398
  function validateSigVerOpts(opts) {
12602
12399
  if (opts.lowS !== undefined)
12603
12400
  abool('lowS', opts.lowS);
@@ -12621,22 +12418,17 @@ function validatePointOpts(curve) {
12621
12418
  const { endo, Fp, a } = opts;
12622
12419
  if (endo) {
12623
12420
  if (!Fp.eql(a, Fp.ZERO)) {
12624
- throw new Error('invalid endomorphism, can only be defined for Koblitz curves that have a=0');
12421
+ throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
12625
12422
  }
12626
12423
  if (typeof endo !== 'object' ||
12627
12424
  typeof endo.beta !== 'bigint' ||
12628
12425
  typeof endo.splitScalar !== 'function') {
12629
- throw new Error('invalid endomorphism, expected beta: bigint and splitScalar: function');
12426
+ throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
12630
12427
  }
12631
12428
  }
12632
12429
  return Object.freeze({ ...opts });
12633
12430
  }
12634
12431
  const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
12635
- class DERErr extends Error {
12636
- constructor(m = '') {
12637
- super(m);
12638
- }
12639
- }
12640
12432
  /**
12641
12433
  * ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
12642
12434
  *
@@ -12646,7 +12438,11 @@ class DERErr extends Error {
12646
12438
  */
12647
12439
  const DER = {
12648
12440
  // asn.1 DER encoding utils
12649
- Err: DERErr,
12441
+ Err: class DERErr extends Error {
12442
+ constructor(m = '') {
12443
+ super(m);
12444
+ }
12445
+ },
12650
12446
  // Basic building block is TLV (Tag-Length-Value)
12651
12447
  _tlv: {
12652
12448
  encode: (tag, data) => {
@@ -12661,8 +12457,7 @@ const DER = {
12661
12457
  throw new E('tlv.encode: long form length too big');
12662
12458
  // length of length with long form flag
12663
12459
  const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
12664
- const t = numberToHexUnpadded(tag);
12665
- return t + lenLen + len + data;
12460
+ return `${numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
12666
12461
  },
12667
12462
  // v - value, l - left bytes (unparsed)
12668
12463
  decode(tag, data) {
@@ -12715,15 +12510,15 @@ const DER = {
12715
12510
  if (Number.parseInt(hex[0], 16) & 0b1000)
12716
12511
  hex = '00' + hex;
12717
12512
  if (hex.length & 1)
12718
- throw new E('unexpected DER parsing assertion: unpadded hex');
12513
+ throw new E('unexpected assertion');
12719
12514
  return hex;
12720
12515
  },
12721
12516
  decode(data) {
12722
12517
  const { Err: E } = DER;
12723
12518
  if (data[0] & 128)
12724
- throw new E('invalid signature integer: negative');
12519
+ throw new E('Invalid signature integer: negative');
12725
12520
  if (data[0] === 0x00 && !(data[1] & 128))
12726
- throw new E('invalid signature integer: unnecessary leading zero');
12521
+ throw new E('Invalid signature integer: unnecessary leading zero');
12727
12522
  return b2n(data);
12728
12523
  },
12729
12524
  },
@@ -12734,18 +12529,16 @@ const DER = {
12734
12529
  abytes(data);
12735
12530
  const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
12736
12531
  if (seqLeftBytes.length)
12737
- throw new E('invalid signature: left bytes after parsing');
12532
+ throw new E('Invalid signature: left bytes after parsing');
12738
12533
  const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
12739
12534
  const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);
12740
12535
  if (sLeftBytes.length)
12741
- throw new E('invalid signature: left bytes after parsing');
12536
+ throw new E('Invalid signature: left bytes after parsing');
12742
12537
  return { r: int.decode(rBytes), s: int.decode(sBytes) };
12743
12538
  },
12744
12539
  hexFromSig(sig) {
12745
12540
  const { _tlv: tlv, _int: int } = DER;
12746
- const rs = tlv.encode(0x02, int.encode(sig.r));
12747
- const ss = tlv.encode(0x02, int.encode(sig.s));
12748
- const seq = rs + ss;
12541
+ const seq = `${tlv.encode(0x02, int.encode(sig.r))}${tlv.encode(0x02, int.encode(sig.s))}`;
12749
12542
  return tlv.encode(0x30, seq);
12750
12543
  },
12751
12544
  };
@@ -12799,7 +12592,7 @@ function weierstrassPoints(opts) {
12799
12592
  key = bytesToHex(key);
12800
12593
  // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
12801
12594
  if (typeof key !== 'string' || !lengths.includes(key.length))
12802
- throw new Error('invalid private key');
12595
+ throw new Error('Invalid key');
12803
12596
  key = key.padStart(nByteLength * 2, '0');
12804
12597
  }
12805
12598
  let num;
@@ -12810,7 +12603,7 @@ function weierstrassPoints(opts) {
12810
12603
  : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
12811
12604
  }
12812
12605
  catch (error) {
12813
- throw new Error('invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key);
12606
+ throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
12814
12607
  }
12815
12608
  if (wrapPrivateKey)
12816
12609
  num = mod(num, N); // disabled by default, enabled for BLS
@@ -12850,7 +12643,7 @@ function weierstrassPoints(opts) {
12850
12643
  if (p.is0()) {
12851
12644
  // (0, 1, 0) aka ZERO is invalid in most contexts.
12852
12645
  // In BLS, ZERO can be serialized, so we allow it.
12853
- // (0, 0, 0) is invalid representation of ZERO.
12646
+ // (0, 0, 0) is wrong representation of ZERO and is always invalid.
12854
12647
  if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
12855
12648
  return;
12856
12649
  throw new Error('bad point: ZERO');
@@ -13074,17 +12867,16 @@ function weierstrassPoints(opts) {
13074
12867
  * an exposed private key e.g. sig verification, which works over *public* keys.
13075
12868
  */
13076
12869
  multiplyUnsafe(sc) {
13077
- const { endo, n: N } = CURVE;
13078
- aInRange('scalar', sc, _0n, N);
12870
+ aInRange('scalar', sc, _0n, CURVE.n);
13079
12871
  const I = Point.ZERO;
13080
12872
  if (sc === _0n)
13081
12873
  return I;
13082
- if (this.is0() || sc === _1n$1)
12874
+ if (sc === _1n$1)
13083
12875
  return this;
13084
- // Case a: no endomorphism. Case b: has precomputes.
13085
- if (!endo || wnaf.hasPrecomputes(this))
13086
- return wnaf.wNAFCachedUnsafe(this, sc, Point.normalizeZ);
13087
- // Case c: endomorphism
12876
+ const { endo } = CURVE;
12877
+ if (!endo)
12878
+ return wnaf.unsafeLadder(this, sc);
12879
+ // Apply endomorphism
13088
12880
  let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
13089
12881
  let k1p = I;
13090
12882
  let k2p = I;
@@ -13270,9 +13062,7 @@ function weierstrass(curveDef) {
13270
13062
  return { x, y };
13271
13063
  }
13272
13064
  else {
13273
- const cl = compressedLen;
13274
- const ul = uncompressedLen;
13275
- throw new Error('invalid Point, expected length of ' + cl + ', or uncompressed ' + ul + ', got ' + len);
13065
+ throw new Error(`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`);
13276
13066
  }
13277
13067
  },
13278
13068
  });
@@ -13437,9 +13227,6 @@ function weierstrass(curveDef) {
13437
13227
  // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
13438
13228
  const bits2int = CURVE.bits2int ||
13439
13229
  function (bytes) {
13440
- // Our custom check "just in case"
13441
- if (bytes.length > 8192)
13442
- throw new Error('input is too large');
13443
13230
  // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
13444
13231
  // for some cases, since bytes.length * 8 is not actual bitLength.
13445
13232
  const num = bytesToNumberBE(bytes); // check for == u8 done here
@@ -13456,15 +13243,15 @@ function weierstrass(curveDef) {
13456
13243
  * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
13457
13244
  */
13458
13245
  function int2octets(num) {
13459
- aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
13246
+ aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n, ORDER_MASK);
13460
13247
  // works with order, can have different size than numToField!
13461
13248
  return numberToBytesBE(num, CURVE.nByteLength);
13462
13249
  }
13463
13250
  // Steps A, D of RFC6979 3.2
13464
13251
  // Creates RFC6979 seed; converts msg/privKey to numbers.
13465
13252
  // Used only in sign, not in verify.
13466
- // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
13467
- // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
13253
+ // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order, this will be wrong at least for P521.
13254
+ // Also it can be bigger for P224 + SHA256
13468
13255
  function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
13469
13256
  if (['recovered', 'canonical'].some((k) => k in opts))
13470
13257
  throw new Error('sign() legacy options not supported');
@@ -13558,48 +13345,39 @@ function weierstrass(curveDef) {
13558
13345
  const sg = signature;
13559
13346
  msgHash = ensureBytes('msgHash', msgHash);
13560
13347
  publicKey = ensureBytes('publicKey', publicKey);
13561
- const { lowS, prehash, format } = opts;
13562
- // Verify opts, deduce signature format
13563
- validateSigVerOpts(opts);
13564
13348
  if ('strict' in opts)
13565
13349
  throw new Error('options.strict was renamed to lowS');
13566
- if (format !== undefined && format !== 'compact' && format !== 'der')
13567
- throw new Error('format must be compact or der');
13568
- const isHex = typeof sg === 'string' || isBytes$1(sg);
13569
- const isObj = !isHex &&
13570
- !format &&
13571
- typeof sg === 'object' &&
13572
- sg !== null &&
13573
- typeof sg.r === 'bigint' &&
13574
- typeof sg.s === 'bigint';
13575
- if (!isHex && !isObj)
13576
- throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
13350
+ validateSigVerOpts(opts);
13351
+ const { lowS, prehash } = opts;
13577
13352
  let _sig = undefined;
13578
13353
  let P;
13579
13354
  try {
13580
- if (isObj)
13581
- _sig = new Signature(sg.r, sg.s);
13582
- if (isHex) {
13355
+ if (typeof sg === 'string' || isBytes$1(sg)) {
13583
13356
  // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
13584
13357
  // Since DER can also be 2*nByteLength bytes, we check for it first.
13585
13358
  try {
13586
- if (format !== 'compact')
13587
- _sig = Signature.fromDER(sg);
13359
+ _sig = Signature.fromDER(sg);
13588
13360
  }
13589
13361
  catch (derError) {
13590
13362
  if (!(derError instanceof DER.Err))
13591
13363
  throw derError;
13592
- }
13593
- if (!_sig && format !== 'der')
13594
13364
  _sig = Signature.fromCompact(sg);
13365
+ }
13366
+ }
13367
+ else if (typeof sg === 'object' && typeof sg.r === 'bigint' && typeof sg.s === 'bigint') {
13368
+ const { r, s } = sg;
13369
+ _sig = new Signature(r, s);
13370
+ }
13371
+ else {
13372
+ throw new Error('PARSE');
13595
13373
  }
13596
13374
  P = Point.fromHex(publicKey);
13597
13375
  }
13598
13376
  catch (error) {
13377
+ if (error.message === 'PARSE')
13378
+ throw new Error(`signature must be Signature instance, Uint8Array or hex string`);
13599
13379
  return false;
13600
13380
  }
13601
- if (!_sig)
13602
- return false;
13603
13381
  if (lowS && _sig.hasHighS())
13604
13382
  return false;
13605
13383
  if (prehash)
@@ -13627,12 +13405,8 @@ function weierstrass(curveDef) {
13627
13405
  };
13628
13406
  }
13629
13407
 
13630
- /**
13631
- * Utilities for short weierstrass curves, combined with noble-hashes.
13632
- * @module
13633
- */
13634
13408
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
13635
- /** connects noble-curves to noble-hashes */
13409
+ // connects noble-curves to noble-hashes
13636
13410
  function getHash(hash) {
13637
13411
  return {
13638
13412
  hash,
@@ -13642,21 +13416,9 @@ function getHash(hash) {
13642
13416
  }
13643
13417
  function createCurve(curveDef, defHash) {
13644
13418
  const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
13645
- return { ...create(defHash), create };
13419
+ return Object.freeze({ ...create(defHash), create });
13646
13420
  }
13647
13421
 
13648
- /**
13649
- * NIST secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
13650
- *
13651
- * Seems to be rigid (not backdoored)
13652
- * [as per discussion](https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975).
13653
- *
13654
- * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
13655
- * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
13656
- * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
13657
- * [See explanation](https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066).
13658
- * @module
13659
- */
13660
13422
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
13661
13423
  const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
13662
13424
  const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
@@ -13687,35 +13449,31 @@ function sqrtMod(y) {
13687
13449
  const t1 = (pow2(b223, _23n, P) * b22) % P;
13688
13450
  const t2 = (pow2(t1, _6n, P) * b2) % P;
13689
13451
  const root = pow2(t2, _2n, P);
13690
- if (!Fpk1.eql(Fpk1.sqr(root), y))
13452
+ if (!Fp.eql(Fp.sqr(root), y))
13691
13453
  throw new Error('Cannot find square root');
13692
13454
  return root;
13693
13455
  }
13694
- const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
13456
+ const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
13695
13457
  /**
13696
13458
  * secp256k1 short weierstrass curve and ECDSA signatures over it.
13697
- *
13698
- * @example
13699
- * import { secp256k1 } from '@noble/curves/secp256k1';
13700
- *
13701
- * const priv = secp256k1.utils.randomPrivateKey();
13702
- * const pub = secp256k1.getPublicKey(priv);
13703
- * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
13704
- * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
13705
- * const isValid = secp256k1.verify(sig, msg, pub) === true;
13706
13459
  */
13707
13460
  const secp256k1 = createCurve({
13708
13461
  a: BigInt(0), // equation params: a, b
13709
- b: BigInt(7),
13710
- Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
13462
+ b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
13463
+ Fp, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
13711
13464
  n: secp256k1N, // Curve order, total count of valid points in the field
13712
13465
  // Base point (x, y) aka generator point
13713
13466
  Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
13714
13467
  Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
13715
13468
  h: BigInt(1), // Cofactor
13716
13469
  lowS: true, // Allow only low-S signatures by default in sign() and verify()
13470
+ /**
13471
+ * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
13472
+ * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
13473
+ * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
13474
+ * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
13475
+ */
13717
13476
  endo: {
13718
- // Endomorphism, see above
13719
13477
  beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
13720
13478
  splitScalar: (k) => {
13721
13479
  const n = secp256k1N;