@waku/enr 0.0.30-006cd41.0 → 0.0.30-10590da.0

package/bundle/index.js

@@ -843,7 +843,7 @@ class Hasher {
 function sha(name) {
     return async (data) => new Uint8Array(await crypto.subtle.digest(name, data));
 }
-const sha256$1 = from({
+const sha256$2 = from({
     name: 'sha2-256',
     code: 0x12,
     encode: sha('SHA-256')
@@ -1330,7 +1330,7 @@ const bytesToUtf8 = (b) => toString$1(b, "utf8");
 /**
  * Encode utf-8 string to byte array.
  */
-const utf8ToBytes$2 = (s) => fromString(s, "utf8");
+const utf8ToBytes$1 = (s) => fromString(s, "utf8");
 /**
  * Concatenate using Uint8Arrays as `Buffer` has a different behavior with `DataView`
  */
@@ -1355,7 +1355,7 @@ var nodeCrypto = /*#__PURE__*/Object.freeze({
 /*! noble-secp256k1 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
 const _0n$5 = BigInt(0);
 const _1n$7 = BigInt(1);
-const _2n$5 = BigInt(2);
+const _2n$4 = BigInt(2);
 const _3n$2 = BigInt(3);
 const _8n$3 = BigInt(8);
 const CURVE = Object.freeze({
@@ -1368,7 +1368,7 @@ const CURVE = Object.freeze({
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
     beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
 });
-const divNearest$1 = (a, b) => (a + b / _2n$5) / b;
+const divNearest$1 = (a, b) => (a + b / _2n$4) / b;
 const endo = {
     beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
     splitScalar(k) {
@@ -1457,12 +1457,12 @@ class JacobianPoint {
         const B = mod$1(Y1 * Y1);
         const C = mod$1(B * B);
         const x1b = X1 + B;
-        const D = mod$1(_2n$5 * (mod$1(x1b * x1b) - A - C));
+        const D = mod$1(_2n$4 * (mod$1(x1b * x1b) - A - C));
         const E = mod$1(_3n$2 * A);
         const F = mod$1(E * E);
-        const X3 = mod$1(F - _2n$5 * D);
+        const X3 = mod$1(F - _2n$4 * D);
         const Y3 = mod$1(E * (D - X3) - _8n$3 * C);
-        const Z3 = mod$1(_2n$5 * Y1 * Z1);
+        const Z3 = mod$1(_2n$4 * Y1 * Z1);
         return new JacobianPoint(X3, Y3, Z3);
     }
     add(other) {
@@ -1492,7 +1492,7 @@ class JacobianPoint {
         const HH = mod$1(H * H);
         const HHH = mod$1(H * HH);
         const V = mod$1(U1 * HH);
-        const X3 = mod$1(r * r - HHH - _2n$5 * V);
+        const X3 = mod$1(r * r - HHH - _2n$4 * V);
         const Y3 = mod$1(r * (V - X3) - S1 * HHH);
         const Z3 = mod$1(Z1 * Z2 * H);
         return new JacobianPoint(X3, Y3, Z3);
@@ -1653,7 +1653,7 @@ class Point {
         pointPrecomputes$1.delete(this);
     }
     hasEvenY() {
-        return this.y % _2n$5 === _0n$5;
+        return this.y % _2n$4 === _0n$5;
     }
     static fromCompressedHex(bytes) {
         const isShort = bytes.length === 32;
@@ -1812,7 +1812,7 @@ class Signature {
         this.assertValidity();
     }
     static fromCompact(hex) {
-        const arr = hex instanceof Uint8Array;
+        const arr = isBytes$3(hex);
         const name = 'Signature.fromCompact';
         if (typeof hex !== 'string' && !arr)
             throw new TypeError(`${name}: Expected string or Uint8Array`);
@@ -1822,7 +1822,7 @@ class Signature {
         return new Signature(hexToNumber$1(str.slice(0, 64)), hexToNumber$1(str.slice(64, 128)));
     }
     static fromDER(hex) {
-        const arr = hex instanceof Uint8Array;
+        const arr = isBytes$3(hex);
         if (typeof hex !== 'string' && !arr)
             throw new TypeError(`Signature.fromDER: Expected string or Uint8Array`);
         const { r, s } = parseDERSignature(arr ? hex : hexToBytes$1(hex));
@@ -1871,9 +1871,15 @@ class Signature {
         return numTo32bStr(this.r) + numTo32bStr(this.s);
     }
 }
+function isBytes$3(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+function abytes$2(item) {
+    if (!isBytes$3(item))
+        throw new Error('Uint8Array expected');
+}
 function concatBytes$2(...arrays) {
-    if (!arrays.every((b) => b instanceof Uint8Array))
-        throw new Error('Uint8Array list expected');
+    arrays.every(abytes$2);
     if (arrays.length === 1)
         return arrays[0];
     const length = arrays.reduce((a, arr) => a + arr.length, 0);
@@ -1885,16 +1891,44 @@ function concatBytes$2(...arrays) {
     }
     return result;
 }
-const hexes$1 = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
-function bytesToHex$1(uint8a) {
-    if (!(uint8a instanceof Uint8Array))
-        throw new Error('Expected Uint8Array');
+const hexes$1 = Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
+function bytesToHex$1(bytes) {
+    abytes$2(bytes);
     let hex = '';
-    for (let i = 0; i < uint8a.length; i++) {
-        hex += hexes$1[uint8a[i]];
+    for (let i = 0; i < bytes.length; i++) {
+        hex += hexes$1[bytes[i]];
     }
     return hex;
 }
+const asciis$1 = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16$1(ch) {
+    if (ch >= asciis$1._0 && ch <= asciis$1._9)
+        return ch - asciis$1._0;
+    if (ch >= asciis$1.A && ch <= asciis$1.F)
+        return ch - (asciis$1.A - 10);
+    if (ch >= asciis$1.a && ch <= asciis$1.f)
+        return ch - (asciis$1.a - 10);
+    return;
+}
+function hexToBytes$1(hex) {
+    if (typeof hex !== 'string')
+        throw new Error('hex string expected, got ' + typeof hex);
+    const hl = hex.length;
+    const al = hl / 2;
+    if (hl % 2)
+        throw new Error('hex string expected, got unpadded hex of length ' + hl);
+    const array = new Uint8Array(al);
+    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+        const n1 = asciiToBase16$1(hex.charCodeAt(hi));
+        const n2 = asciiToBase16$1(hex.charCodeAt(hi + 1));
+        if (n1 === undefined || n2 === undefined) {
+            const char = hex[hi] + hex[hi + 1];
+            throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+        }
+        array[ai] = n1 * 16 + n2;
+    }
+    return array;
+}
 const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
 function numTo32bStr(num) {
     if (typeof num !== 'bigint')
@@ -1919,28 +1953,11 @@ function hexToNumber$1(hex) {
     }
     return BigInt(`0x${hex}`);
 }
-function hexToBytes$1(hex) {
-    if (typeof hex !== 'string') {
-        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
-    }
-    if (hex.length % 2)
-        throw new Error('hexToBytes: received invalid unpadded hex' + hex.length);
-    const array = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < array.length; i++) {
-        const j = i * 2;
-        const hexByte = hex.slice(j, j + 2);
-        const byte = Number.parseInt(hexByte, 16);
-        if (Number.isNaN(byte) || byte < 0)
-            throw new Error('Invalid byte sequence');
-        array[i] = byte;
-    }
-    return array;
-}
 function bytesToNumber(bytes) {
     return hexToNumber$1(bytesToHex$1(bytes));
 }
 function ensureBytes$1(hex) {
-    return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes$1(hex);
+    return isBytes$3(hex) ? Uint8Array.from(hex) : hexToBytes$1(hex);
 }
 function normalizeScalar(num) {
     if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
@@ -1974,7 +1991,7 @@ function sqrtMod$1(x) {
     const b3 = (b2 * b2 * x) % P;
     const b6 = (pow2$1(b3, _3n$2) * b3) % P;
     const b9 = (pow2$1(b6, _3n$2) * b3) % P;
-    const b11 = (pow2$1(b9, _2n$5) * b2) % P;
+    const b11 = (pow2$1(b9, _2n$4) * b2) % P;
     const b22 = (pow2$1(b11, _11n) * b11) % P;
     const b44 = (pow2$1(b22, _22n) * b22) % P;
     const b88 = (pow2$1(b44, _44n) * b44) % P;
@@ -1983,7 +2000,7 @@ function sqrtMod$1(x) {
     const b223 = (pow2$1(b220, _3n$2) * b3) % P;
     const t1 = (pow2$1(b223, _23n) * b22) % P;
     const t2 = (pow2$1(t1, _6n) * b2) % P;
-    const rt = pow2$1(t2, _2n$5);
+    const rt = pow2$1(t2, _2n$4);
     const xc = (rt * rt) % P;
     if (xc !== x)
         throw new Error('Cannot find square root');
@@ -2148,7 +2165,7 @@ function normalizePrivateKey(key) {
             throw new Error('Expected 32 bytes of private key');
         num = hexToNumber$1(key);
     }
-    else if (key instanceof Uint8Array) {
+    else if (isBytes$3(key)) {
         if (key.length !== groupLen)
             throw new Error('Expected 32 bytes of private key');
         num = bytesToNumber(key);
@@ -3095,19 +3112,28 @@ function verifySignature(signature, message, publicKey) {
     }
 }
 
+const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
+
 /**
- * Internal assertion helpers.
+ * Utilities for hex, bytes, CSPRNG.
  * @module
  */
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
+// node.js versions earlier than v19 don't declare it in global scope.
+// For node.js, package.json#exports field mapping rewrites import
+// from `crypto` to `cryptoNode`, which imports native module.
+// Makes the utils un-importable in browsers without a bundler.
+// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes$2(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
 /** Asserts something is positive integer. */
 function anumber(n) {
     if (!Number.isSafeInteger(n) || n < 0)
         throw new Error('positive integer expected, got ' + n);
 }
-/** Is number an Uint8Array? Copied from utils for perf. */
-function isBytes$2(a) {
-    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
-}
 /** Asserts something is Uint8Array. */
 function abytes$1(b, ...lengths) {
     if (!isBytes$2(b))
@@ -3118,7 +3144,7 @@ function abytes$1(b, ...lengths) {
 /** Asserts something is hash */
 function ahash(h) {
     if (typeof h !== 'function' || typeof h.create !== 'function')
-        throw new Error('Hash should be wrapped by utils.wrapConstructor');
+        throw new Error('Hash should be wrapped by utils.createHasher');
     anumber(h.outputLen);
     anumber(h.blockLen);
 }
@@ -3137,21 +3163,13 @@ function aoutput(out, instance) {
         throw new Error('digestInto() expects output buffer of length at least ' + min);
     }
 }
-
-const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
-
-/**
- * Utilities for hex, bytes, CSPRNG.
- * @module
- */
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
-// node.js versions earlier than v19 don't declare it in global scope.
-// For node.js, package.json#exports field mapping rewrites import
-// from `crypto` to `cryptoNode`, which imports native module.
-// Makes the utils un-importable in browsers without a bundler.
-// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
-// Cast array to view
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Create DataView of an array for easy byte-level manipulation. */
 function createView(arr) {
     return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
@@ -3160,12 +3178,12 @@ function rotr(word, shift) {
     return (word << (32 - shift)) | (word >>> shift);
 }
 /**
- * Convert JS string to byte array.
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ * Converts string to bytes using UTF8 encoding.
+ * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
  */
-function utf8ToBytes$1(str) {
+function utf8ToBytes(str) {
     if (typeof str !== 'string')
-        throw new Error('utf8ToBytes expected string, got ' + typeof str);
+        throw new Error('string expected');
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
 /**
@@ -3175,13 +3193,11 @@ function utf8ToBytes$1(str) {
  */
 function toBytes$1(data) {
     if (typeof data === 'string')
-        data = utf8ToBytes$1(data);
+        data = utf8ToBytes(data);
     abytes$1(data);
     return data;
 }
-/**
- * Copies several Uint8Arrays into one.
- */
+/** Copies several Uint8Arrays into one. */
 function concatBytes$1(...arrays) {
     let sum = 0;
     for (let i = 0; i < arrays.length; i++) {
@@ -3199,13 +3215,9 @@ function concatBytes$1(...arrays) {
 }
 /** For runtime check if class implements interface */
 class Hash {
-    // Safe version that clones internal state
-    clone() {
-        return this._cloneInto();
-    }
 }
 /** Wraps hash function, creating an interface on top of it */
-function wrapConstructor(hashCons) {
+function createHasher(hashCons) {
     const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
     const tmp = hashCons();
     hashC.outputLen = tmp.outputLen;
@@ -3220,7 +3232,7 @@ function randomBytes(bytesLength = 32) {
     }
     // Legacy Node.js compatibility
     if (crypto$1 && typeof crypto$1.randomBytes === 'function') {
-        return crypto$1.randomBytes(bytesLength);
+        return Uint8Array.from(crypto$1.randomBytes(bytesLength));
     }
     throw new Error('crypto.getRandomValues must be defined');
 }
@@ -3257,21 +3269,22 @@ function Maj(a, b, c) {
 class HashMD extends Hash {
     constructor(blockLen, outputLen, padOffset, isLE) {
         super();
-        this.blockLen = blockLen;
-        this.outputLen = outputLen;
-        this.padOffset = padOffset;
-        this.isLE = isLE;
         this.finished = false;
         this.length = 0;
         this.pos = 0;
         this.destroyed = false;
+        this.blockLen = blockLen;
+        this.outputLen = outputLen;
+        this.padOffset = padOffset;
+        this.isLE = isLE;
         this.buffer = new Uint8Array(blockLen);
         this.view = createView(this.buffer);
     }
     update(data) {
         aexists(this);
-        const { view, buffer, blockLen } = this;
         data = toBytes$1(data);
+        abytes$1(data);
+        const { view, buffer, blockLen } = this;
         const len = data.length;
         for (let pos = 0; pos < len;) {
             const take = Math.min(blockLen - this.pos, len - pos);
@@ -3305,7 +3318,7 @@ class HashMD extends Hash {
         let { pos } = this;
         // append the bit '1' to the message
         buffer[pos++] = 0b10000000;
-        this.buffer.subarray(pos).fill(0);
+        clean(this.buffer.subarray(pos));
         // we have less than padOffset left in buffer, so we cannot put length in
         // current block, need process it and pad again
         if (this.padOffset > blockLen - pos) {
@@ -3343,28 +3356,90 @@ class HashMD extends Hash {
         to || (to = new this.constructor());
         to.set(...this.get());
         const { blockLen, buffer, length, finished, destroyed, pos } = this;
+        to.destroyed = destroyed;
+        to.finished = finished;
         to.length = length;
         to.pos = pos;
-        to.finished = finished;
-        to.destroyed = destroyed;
         if (length % blockLen)
             to.buffer.set(buffer);
         return to;
     }
+    clone() {
+        return this._cloneInto();
+    }
 }
+/**
+ * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
+ * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
+ */
+/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
+]);
+/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */
+const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
+    0x6a09e667, 0xf3bcc908, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1,
+    0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179,
+]);
 
 /**
- * SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
- *
- * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
- * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
- *
- * Check out [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
+ * @todo re-check https://issues.chromium.org/issues/42212588
  * @module
  */
-/** Round constants: first 32 bits of fractional parts of the cube roots of the first 64 primes 2..311). */
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+    if (le)
+        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
+    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+    const len = lst.length;
+    let Ah = new Uint32Array(len);
+    let Al = new Uint32Array(len);
+    for (let i = 0; i < len; i++) {
+        const { h, l } = fromBig(lst[i], le);
+        [Ah[i], Al[i]] = [h, l];
+    }
+    return [Ah, Al];
+}
+// for Shift in [0, 32)
+const shrSH = (h, _l, s) => h >>> s;
+const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in [1, 32)
+const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
+const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
+const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
+const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
+// JS uses 32-bit signed integers for bitwise operations which means we cannot
+// simple take carry out of low bit sum by shift, we need to use division.
+function add(Ah, Al, Bh, Bl) {
+    const l = (Al >>> 0) + (Bl >>> 0);
+    return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
+}
+// Addition with more than 2 elements
+const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
+const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
+const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
+
+/**
+ * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
+ * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
+ * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
+ * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * @module
+ */
+/**
+ * Round constants:
+ * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+ */
 // prettier-ignore
-const SHA256_K = /* @__PURE__ */ new Uint32Array([
+const SHA256_K = /* @__PURE__ */ Uint32Array.from([
     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
@@ -3374,19 +3449,11 @@ const SHA256_K = /* @__PURE__ */ new Uint32Array([
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
 ]);
-/** Initial state: first 32 bits of fractional parts of the square roots of the first 8 primes 2..19. */
-// prettier-ignore
-const SHA256_IV = /* @__PURE__ */ new Uint32Array([
-    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
-]);
-/**
- * Temporary buffer, not used to store anything between runs.
- * Named this way because it matches specification.
- */
+/** Reusable temporary buffer. "W" comes straight from spec. */
 const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
 class SHA256 extends HashMD {
-    constructor() {
-        super(64, 32, 8, false);
+    constructor(outputLen = 32) {
+        super(64, outputLen, 8, false);
         // We cannot use array here since array allows indexing by variable
         // which means optimizer/compiler cannot use registers.
         this.A = SHA256_IV[0] | 0;
@@ -3452,15 +3519,192 @@ class SHA256 extends HashMD {
         this.set(A, B, C, D, E, F, G, H);
     }
     roundClean() {
-        SHA256_W.fill(0);
+        clean(SHA256_W);
     }
     destroy() {
         this.set(0, 0, 0, 0, 0, 0, 0, 0);
-        this.buffer.fill(0);
+        clean(this.buffer);
+    }
+}
+// SHA2-512 is slower than sha256 in js because u64 operations are slow.
+// Round contants
+// First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409
+// prettier-ignore
+const K512 = /* @__PURE__ */ (() => split([
+    '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
+    '0x3956c25bf348b538', '0x59f111f1b605d019', '0x923f82a4af194f9b', '0xab1c5ed5da6d8118',
+    '0xd807aa98a3030242', '0x12835b0145706fbe', '0x243185be4ee4b28c', '0x550c7dc3d5ffb4e2',
+    '0x72be5d74f27b896f', '0x80deb1fe3b1696b1', '0x9bdc06a725c71235', '0xc19bf174cf692694',
+    '0xe49b69c19ef14ad2', '0xefbe4786384f25e3', '0x0fc19dc68b8cd5b5', '0x240ca1cc77ac9c65',
+    '0x2de92c6f592b0275', '0x4a7484aa6ea6e483', '0x5cb0a9dcbd41fbd4', '0x76f988da831153b5',
+    '0x983e5152ee66dfab', '0xa831c66d2db43210', '0xb00327c898fb213f', '0xbf597fc7beef0ee4',
+    '0xc6e00bf33da88fc2', '0xd5a79147930aa725', '0x06ca6351e003826f', '0x142929670a0e6e70',
+    '0x27b70a8546d22ffc', '0x2e1b21385c26c926', '0x4d2c6dfc5ac42aed', '0x53380d139d95b3df',
+    '0x650a73548baf63de', '0x766a0abb3c77b2a8', '0x81c2c92e47edaee6', '0x92722c851482353b',
+    '0xa2bfe8a14cf10364', '0xa81a664bbc423001', '0xc24b8b70d0f89791', '0xc76c51a30654be30',
+    '0xd192e819d6ef5218', '0xd69906245565a910', '0xf40e35855771202a', '0x106aa07032bbd1b8',
+    '0x19a4c116b8d2d0c8', '0x1e376c085141ab53', '0x2748774cdf8eeb99', '0x34b0bcb5e19b48a8',
+    '0x391c0cb3c5c95a63', '0x4ed8aa4ae3418acb', '0x5b9cca4f7763e373', '0x682e6ff3d6b2b8a3',
+    '0x748f82ee5defb2fc', '0x78a5636f43172f60', '0x84c87814a1f0ab72', '0x8cc702081a6439ec',
+    '0x90befffa23631e28', '0xa4506cebde82bde9', '0xbef9a3f7b2c67915', '0xc67178f2e372532b',
+    '0xca273eceea26619c', '0xd186b8c721c0c207', '0xeada7dd6cde0eb1e', '0xf57d4f7fee6ed178',
+    '0x06f067aa72176fba', '0x0a637dc5a2c898a6', '0x113f9804bef90dae', '0x1b710b35131c471b',
+    '0x28db77f523047d84', '0x32caab7b40c72493', '0x3c9ebe0a15c9bebc', '0x431d67c49c100d4c',
+    '0x4cc5d4becb3e42b6', '0x597f299cfc657e2a', '0x5fcb6fab3ad6faec', '0x6c44198c4a475817'
+].map(n => BigInt(n))))();
+const SHA512_Kh = /* @__PURE__ */ (() => K512[0])();
+const SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
+// Reusable temporary buffers
+const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
+class SHA512 extends HashMD {
+    constructor(outputLen = 64) {
+        super(128, outputLen, 16, false);
+        // We cannot use array here since array allows indexing by variable
+        // which means optimizer/compiler cannot use registers.
+        // h -- high 32 bits, l -- low 32 bits
+        this.Ah = SHA512_IV[0] | 0;
+        this.Al = SHA512_IV[1] | 0;
+        this.Bh = SHA512_IV[2] | 0;
+        this.Bl = SHA512_IV[3] | 0;
+        this.Ch = SHA512_IV[4] | 0;
+        this.Cl = SHA512_IV[5] | 0;
+        this.Dh = SHA512_IV[6] | 0;
+        this.Dl = SHA512_IV[7] | 0;
+        this.Eh = SHA512_IV[8] | 0;
+        this.El = SHA512_IV[9] | 0;
+        this.Fh = SHA512_IV[10] | 0;
+        this.Fl = SHA512_IV[11] | 0;
+        this.Gh = SHA512_IV[12] | 0;
+        this.Gl = SHA512_IV[13] | 0;
+        this.Hh = SHA512_IV[14] | 0;
+        this.Hl = SHA512_IV[15] | 0;
+    }
+    // prettier-ignore
+    get() {
+        const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
+    }
+    // prettier-ignore
+    set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
+        this.Ah = Ah | 0;
+        this.Al = Al | 0;
+        this.Bh = Bh | 0;
+        this.Bl = Bl | 0;
+        this.Ch = Ch | 0;
+        this.Cl = Cl | 0;
+        this.Dh = Dh | 0;
+        this.Dl = Dl | 0;
+        this.Eh = Eh | 0;
+        this.El = El | 0;
+        this.Fh = Fh | 0;
+        this.Fl = Fl | 0;
+        this.Gh = Gh | 0;
+        this.Gl = Gl | 0;
+        this.Hh = Hh | 0;
+        this.Hl = Hl | 0;
+    }
+    process(view, offset) {
+        // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array
+        for (let i = 0; i < 16; i++, offset += 4) {
+            SHA512_W_H[i] = view.getUint32(offset);
+            SHA512_W_L[i] = view.getUint32((offset += 4));
+        }
+        for (let i = 16; i < 80; i++) {
+            // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)
+            const W15h = SHA512_W_H[i - 15] | 0;
+            const W15l = SHA512_W_L[i - 15] | 0;
+            const s0h = rotrSH(W15h, W15l, 1) ^ rotrSH(W15h, W15l, 8) ^ shrSH(W15h, W15l, 7);
+            const s0l = rotrSL(W15h, W15l, 1) ^ rotrSL(W15h, W15l, 8) ^ shrSL(W15h, W15l, 7);
+            // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)
+            const W2h = SHA512_W_H[i - 2] | 0;
+            const W2l = SHA512_W_L[i - 2] | 0;
+            const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
+            const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
+            // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
+            const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
+            const SUMh = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
+            SHA512_W_H[i] = SUMh | 0;
+            SHA512_W_L[i] = SUMl | 0;
+        }
+        let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        // Compression function main loop, 80 rounds
+        for (let i = 0; i < 80; i++) {
+            // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)
+            const sigma1h = rotrSH(Eh, El, 14) ^ rotrSH(Eh, El, 18) ^ rotrBH(Eh, El, 41);
+            const sigma1l = rotrSL(Eh, El, 14) ^ rotrSL(Eh, El, 18) ^ rotrBL(Eh, El, 41);
+            //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
+            const CHIh = (Eh & Fh) ^ (~Eh & Gh);
+            const CHIl = (El & Fl) ^ (~El & Gl);
+            // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]
+            // prettier-ignore
+            const T1ll = add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
+            const T1h = add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
+            const T1l = T1ll | 0;
+            // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)
+            const sigma0h = rotrSH(Ah, Al, 28) ^ rotrBH(Ah, Al, 34) ^ rotrBH(Ah, Al, 39);
+            const sigma0l = rotrSL(Ah, Al, 28) ^ rotrBL(Ah, Al, 34) ^ rotrBL(Ah, Al, 39);
+            const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
+            const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
+            Hh = Gh | 0;
+            Hl = Gl | 0;
+            Gh = Fh | 0;
+            Gl = Fl | 0;
+            Fh = Eh | 0;
+            Fl = El | 0;
+            ({ h: Eh, l: El } = add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
+            Dh = Ch | 0;
+            Dl = Cl | 0;
+            Ch = Bh | 0;
+            Cl = Bl | 0;
+            Bh = Ah | 0;
+            Bl = Al | 0;
+            const All = add3L(T1l, sigma0l, MAJl);
+            Ah = add3H(All, T1h, sigma0h, MAJh);
+            Al = All | 0;
+        }
+        // Add the compressed chunk to the current hash value
+        ({ h: Ah, l: Al } = add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
+        ({ h: Bh, l: Bl } = add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
+        ({ h: Ch, l: Cl } = add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
+        ({ h: Dh, l: Dl } = add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
+        ({ h: Eh, l: El } = add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
+        ({ h: Fh, l: Fl } = add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
+        ({ h: Gh, l: Gl } = add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
+        ({ h: Hh, l: Hl } = add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
+        this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+    }
+    roundClean() {
+        clean(SHA512_W_H, SHA512_W_L);
+    }
+    destroy() {
+        clean(this.buffer);
+        this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
     }
 }
-/** SHA2-256 hash function */
-const sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
+/**
+ * SHA2-256 hash function from RFC 4634.
+ *
+ * It is the fastest JS hash, even faster than Blake3.
+ * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
+ * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ */
+const sha256$1 = /* @__PURE__ */ createHasher(() => new SHA256());
+/** SHA2-512 hash function from RFC 4634. */
+const sha512 = /* @__PURE__ */ createHasher(() => new SHA512());
+
+/**
+ * SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
+ *
+ * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
+ * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+ *
+ * Check out [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * @module
+ * @deprecated
+ */
+/** @deprecated Use import from `noble/hashes/sha2` module */
+const sha256 = sha256$1;
 
 var Protocols;
 (function (Protocols) {
@@ -6720,274 +6964,47 @@ function getOID(curve) {
     if (curve === 'P-256') {
         return OID_256;
     }
-    if (curve === 'P-384') {
-        return OID_384;
-    }
-    if (curve === 'P-521') {
-        return OID_521;
-    }
-    throw new InvalidParametersError(`Invalid curve ${curve}`);
-}
-
-class ECDSAPublicKey {
-    type = 'ECDSA';
-    jwk;
-    _raw;
-    constructor(jwk) {
-        this.jwk = jwk;
-    }
-    get raw() {
-        if (this._raw == null) {
-            this._raw = publicKeyToPKIMessage(this.jwk);
-        }
-        return this._raw;
-    }
-    toMultihash() {
-        return identity.digest(publicKeyToProtobuf(this));
-    }
-    toCID() {
-        return CID.createV1(114, this.toMultihash());
-    }
-    toString() {
-        return base58btc.encode(this.toMultihash().bytes).substring(1);
-    }
-    equals(key) {
-        if (key == null || !(key.raw instanceof Uint8Array)) {
-            return false;
-        }
-        return equals(this.raw, key.raw);
-    }
-    async verify(data, sig) {
-        return hashAndVerify$3(this.jwk, sig, data);
-    }
-}
-
-/**
- * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
- * @todo re-check https://issues.chromium.org/issues/42212588
- * @module
- */
-const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
-const _32n = /* @__PURE__ */ BigInt(32);
-function fromBig(n, le = false) {
-    if (le)
-        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
-    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
-}
-function split(lst, le = false) {
-    let Ah = new Uint32Array(lst.length);
-    let Al = new Uint32Array(lst.length);
-    for (let i = 0; i < lst.length; i++) {
-        const { h, l } = fromBig(lst[i], le);
-        [Ah[i], Al[i]] = [h, l];
-    }
-    return [Ah, Al];
-}
-const toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);
-// for Shift in [0, 32)
-const shrSH = (h, _l, s) => h >>> s;
-const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-// Right rotate for Shift in [1, 32)
-const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
-const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
-const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
-const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
-// Right rotate for shift===32 (just swaps l&h)
-const rotr32H = (_h, l) => l;
-const rotr32L = (h, _l) => h;
-// Left rotate for Shift in [1, 32)
-const rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
-const rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
-// Left rotate for Shift in (32, 64), NOTE: 32 is special case.
-const rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
-const rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
-// JS uses 32-bit signed integers for bitwise operations which means we cannot
-// simple take carry out of low bit sum by shift, we need to use division.
-function add(Ah, Al, Bh, Bl) {
-    const l = (Al >>> 0) + (Bl >>> 0);
-    return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
+    if (curve === 'P-384') {
+        return OID_384;
+    }
+    if (curve === 'P-521') {
+        return OID_521;
+    }
+    throw new InvalidParametersError(`Invalid curve ${curve}`);
 }
-// Addition with more than 2 elements
-const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
-const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
-const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
-const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
-const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
-const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
-// prettier-ignore
-const u64 = {
-    fromBig, split, toBig,
-    shrSH, shrSL,
-    rotrSH, rotrSL, rotrBH, rotrBL,
-    rotr32H, rotr32L,
-    rotlSH, rotlSL, rotlBH, rotlBL,
-    add, add3L, add3H, add4L, add4H, add5H, add5L,
-};
 
-/**
- * SHA2-512 a.k.a. sha512 and sha384. It is slower than sha256 in js because u64 operations are slow.
- *
- * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
- * [the paper on truncated SHA512/256](https://eprint.iacr.org/2010/548.pdf).
- * @module
- */
-// Round contants (first 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409):
-// prettier-ignore
-const [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64.split([
-    '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
-    '0x3956c25bf348b538', '0x59f111f1b605d019', '0x923f82a4af194f9b', '0xab1c5ed5da6d8118',
-    '0xd807aa98a3030242', '0x12835b0145706fbe', '0x243185be4ee4b28c', '0x550c7dc3d5ffb4e2',
-    '0x72be5d74f27b896f', '0x80deb1fe3b1696b1', '0x9bdc06a725c71235', '0xc19bf174cf692694',
-    '0xe49b69c19ef14ad2', '0xefbe4786384f25e3', '0x0fc19dc68b8cd5b5', '0x240ca1cc77ac9c65',
-    '0x2de92c6f592b0275', '0x4a7484aa6ea6e483', '0x5cb0a9dcbd41fbd4', '0x76f988da831153b5',
-    '0x983e5152ee66dfab', '0xa831c66d2db43210', '0xb00327c898fb213f', '0xbf597fc7beef0ee4',
-    '0xc6e00bf33da88fc2', '0xd5a79147930aa725', '0x06ca6351e003826f', '0x142929670a0e6e70',
-    '0x27b70a8546d22ffc', '0x2e1b21385c26c926', '0x4d2c6dfc5ac42aed', '0x53380d139d95b3df',
-    '0x650a73548baf63de', '0x766a0abb3c77b2a8', '0x81c2c92e47edaee6', '0x92722c851482353b',
-    '0xa2bfe8a14cf10364', '0xa81a664bbc423001', '0xc24b8b70d0f89791', '0xc76c51a30654be30',
-    '0xd192e819d6ef5218', '0xd69906245565a910', '0xf40e35855771202a', '0x106aa07032bbd1b8',
-    '0x19a4c116b8d2d0c8', '0x1e376c085141ab53', '0x2748774cdf8eeb99', '0x34b0bcb5e19b48a8',
-    '0x391c0cb3c5c95a63', '0x4ed8aa4ae3418acb', '0x5b9cca4f7763e373', '0x682e6ff3d6b2b8a3',
-    '0x748f82ee5defb2fc', '0x78a5636f43172f60', '0x84c87814a1f0ab72', '0x8cc702081a6439ec',
-    '0x90befffa23631e28', '0xa4506cebde82bde9', '0xbef9a3f7b2c67915', '0xc67178f2e372532b',
-    '0xca273eceea26619c', '0xd186b8c721c0c207', '0xeada7dd6cde0eb1e', '0xf57d4f7fee6ed178',
-    '0x06f067aa72176fba', '0x0a637dc5a2c898a6', '0x113f9804bef90dae', '0x1b710b35131c471b',
-    '0x28db77f523047d84', '0x32caab7b40c72493', '0x3c9ebe0a15c9bebc', '0x431d67c49c100d4c',
-    '0x4cc5d4becb3e42b6', '0x597f299cfc657e2a', '0x5fcb6fab3ad6faec', '0x6c44198c4a475817'
-].map(n => BigInt(n))))();
-// Temporary buffer, not used to store anything between runs
-const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
-const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-class SHA512 extends HashMD {
-    constructor() {
-        super(128, 64, 16, false);
-        // We cannot use array here since array allows indexing by variable which means optimizer/compiler cannot use registers.
-        // Also looks cleaner and easier to verify with spec.
-        // Initial state (first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
-        // h -- high 32 bits, l -- low 32 bits
-        this.Ah = 0x6a09e667 | 0;
-        this.Al = 0xf3bcc908 | 0;
-        this.Bh = 0xbb67ae85 | 0;
-        this.Bl = 0x84caa73b | 0;
-        this.Ch = 0x3c6ef372 | 0;
-        this.Cl = 0xfe94f82b | 0;
-        this.Dh = 0xa54ff53a | 0;
-        this.Dl = 0x5f1d36f1 | 0;
-        this.Eh = 0x510e527f | 0;
-        this.El = 0xade682d1 | 0;
-        this.Fh = 0x9b05688c | 0;
-        this.Fl = 0x2b3e6c1f | 0;
-        this.Gh = 0x1f83d9ab | 0;
-        this.Gl = 0xfb41bd6b | 0;
-        this.Hh = 0x5be0cd19 | 0;
-        this.Hl = 0x137e2179 | 0;
+class ECDSAPublicKey {
+    type = 'ECDSA';
+    jwk;
+    _raw;
+    constructor(jwk) {
+        this.jwk = jwk;
     }
-    // prettier-ignore
-    get() {
-        const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-        return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
+    get raw() {
+        if (this._raw == null) {
+            this._raw = publicKeyToPKIMessage(this.jwk);
+        }
+        return this._raw;
     }
-    // prettier-ignore
-    set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
-        this.Ah = Ah | 0;
-        this.Al = Al | 0;
-        this.Bh = Bh | 0;
-        this.Bl = Bl | 0;
-        this.Ch = Ch | 0;
-        this.Cl = Cl | 0;
-        this.Dh = Dh | 0;
-        this.Dl = Dl | 0;
-        this.Eh = Eh | 0;
-        this.El = El | 0;
-        this.Fh = Fh | 0;
-        this.Fl = Fl | 0;
-        this.Gh = Gh | 0;
-        this.Gl = Gl | 0;
-        this.Hh = Hh | 0;
-        this.Hl = Hl | 0;
+    toMultihash() {
+        return identity.digest(publicKeyToProtobuf(this));
     }
-    process(view, offset) {
-        // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array
-        for (let i = 0; i < 16; i++, offset += 4) {
-            SHA512_W_H[i] = view.getUint32(offset);
-            SHA512_W_L[i] = view.getUint32((offset += 4));
-        }
-        for (let i = 16; i < 80; i++) {
-            // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)
-            const W15h = SHA512_W_H[i - 15] | 0;
-            const W15l = SHA512_W_L[i - 15] | 0;
-            const s0h = u64.rotrSH(W15h, W15l, 1) ^ u64.rotrSH(W15h, W15l, 8) ^ u64.shrSH(W15h, W15l, 7);
-            const s0l = u64.rotrSL(W15h, W15l, 1) ^ u64.rotrSL(W15h, W15l, 8) ^ u64.shrSL(W15h, W15l, 7);
-            // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)
-            const W2h = SHA512_W_H[i - 2] | 0;
-            const W2l = SHA512_W_L[i - 2] | 0;
-            const s1h = u64.rotrSH(W2h, W2l, 19) ^ u64.rotrBH(W2h, W2l, 61) ^ u64.shrSH(W2h, W2l, 6);
-            const s1l = u64.rotrSL(W2h, W2l, 19) ^ u64.rotrBL(W2h, W2l, 61) ^ u64.shrSL(W2h, W2l, 6);
-            // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
-            const SUMl = u64.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
-            const SUMh = u64.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
-            SHA512_W_H[i] = SUMh | 0;
-            SHA512_W_L[i] = SUMl | 0;
-        }
-        let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-        // Compression function main loop, 80 rounds
-        for (let i = 0; i < 80; i++) {
-            // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)
-            const sigma1h = u64.rotrSH(Eh, El, 14) ^ u64.rotrSH(Eh, El, 18) ^ u64.rotrBH(Eh, El, 41);
-            const sigma1l = u64.rotrSL(Eh, El, 14) ^ u64.rotrSL(Eh, El, 18) ^ u64.rotrBL(Eh, El, 41);
-            //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
-            const CHIh = (Eh & Fh) ^ (~Eh & Gh);
-            const CHIl = (El & Fl) ^ (~El & Gl);
-            // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]
-            // prettier-ignore
-            const T1ll = u64.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
-            const T1h = u64.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
-            const T1l = T1ll | 0;
-            // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)
-            const sigma0h = u64.rotrSH(Ah, Al, 28) ^ u64.rotrBH(Ah, Al, 34) ^ u64.rotrBH(Ah, Al, 39);
-            const sigma0l = u64.rotrSL(Ah, Al, 28) ^ u64.rotrBL(Ah, Al, 34) ^ u64.rotrBL(Ah, Al, 39);
-            const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
-            const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
-            Hh = Gh | 0;
-            Hl = Gl | 0;
-            Gh = Fh | 0;
-            Gl = Fl | 0;
-            Fh = Eh | 0;
-            Fl = El | 0;
-            ({ h: Eh, l: El } = u64.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
-            Dh = Ch | 0;
-            Dl = Cl | 0;
-            Ch = Bh | 0;
-            Cl = Bl | 0;
-            Bh = Ah | 0;
-            Bl = Al | 0;
-            const All = u64.add3L(T1l, sigma0l, MAJl);
-            Ah = u64.add3H(All, T1h, sigma0h, MAJh);
-            Al = All | 0;
-        }
-        // Add the compressed chunk to the current hash value
-        ({ h: Ah, l: Al } = u64.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
-        ({ h: Bh, l: Bl } = u64.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
-        ({ h: Ch, l: Cl } = u64.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
-        ({ h: Dh, l: Dl } = u64.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
-        ({ h: Eh, l: El } = u64.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
-        ({ h: Fh, l: Fl } = u64.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
-        ({ h: Gh, l: Gl } = u64.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
-        ({ h: Hh, l: Hl } = u64.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
-        this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+    toCID() {
+        return CID.createV1(114, this.toMultihash());
     }
-    roundClean() {
-        SHA512_W_H.fill(0);
-        SHA512_W_L.fill(0);
+    toString() {
+        return base58btc.encode(this.toMultihash().bytes).substring(1);
     }
-    destroy() {
-        this.buffer.fill(0);
-        this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+    equals(key) {
+        if (key == null || !(key.raw instanceof Uint8Array)) {
+            return false;
+        }
+        return equals(this.raw, key.raw);
+    }
+    async verify(data, sig) {
+        return hashAndVerify$3(this.jwk, sig, data);
     }
 }
-/** SHA2-512 hash function. */
-const sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
 
 /**
  * Hex, bytes and number utilities.
@@ -7000,7 +7017,6 @@ const sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
 // won't be included into their bundle.
 const _0n$4 = /* @__PURE__ */ BigInt(0);
 const _1n$6 = /* @__PURE__ */ BigInt(1);
-const _2n$4 = /* @__PURE__ */ BigInt(2);
 function isBytes$1(a) {
     return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
 }
@@ -7012,13 +7028,31 @@ function abool(title, value) {
     if (typeof value !== 'boolean')
         throw new Error(title + ' boolean expected, got ' + value);
 }
+// Used in weierstrass, der
+function numberToHexUnpadded(num) {
+    const hex = num.toString(16);
+    return hex.length & 1 ? '0' + hex : hex;
+}
+function hexToNumber(hex) {
+    if (typeof hex !== 'string')
+        throw new Error('hex string expected, got ' + typeof hex);
+    return hex === '' ? _0n$4 : BigInt('0x' + hex); // Big Endian
+}
+// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex
+const hasHexBuiltin = 
+// @ts-ignore
+typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function';
 // Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
 /**
+ * Convert byte array to hex string. Uses built-in function, when available.
  * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
  */
 function bytesToHex(bytes) {
     abytes(bytes);
+    // @ts-ignore
+    if (hasHexBuiltin)
+        return bytes.toHex();
     // pre-caching improves the speed 6x
     let hex = '';
     for (let i = 0; i < bytes.length; i++) {
@@ -7026,15 +7060,6 @@ function bytesToHex(bytes) {
     }
     return hex;
 }
-function numberToHexUnpadded(num) {
-    const hex = num.toString(16);
-    return hex.length & 1 ? '0' + hex : hex;
-}
-function hexToNumber(hex) {
-    if (typeof hex !== 'string')
-        throw new Error('hex string expected, got ' + typeof hex);
-    return hex === '' ? _0n$4 : BigInt('0x' + hex); // Big Endian
-}
 // We use optimized technique to convert hex string to byte array
 const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
 function asciiToBase16(ch) {
@@ -7047,11 +7072,15 @@ function asciiToBase16(ch) {
     return;
 }
 /**
+ * Convert hex string to byte array. Uses built-in function, when available.
  * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
  */
 function hexToBytes(hex) {
     if (typeof hex !== 'string')
         throw new Error('hex string expected, got ' + typeof hex);
+    // @ts-ignore
+    if (hasHexBuiltin)
+        return Uint8Array.fromHex(hex);
     const hl = hex.length;
     const al = hl / 2;
     if (hl % 2)
@@ -7082,10 +7111,6 @@ function numberToBytesBE(n, len) {
 function numberToBytesLE(n, len) {
     return numberToBytesBE(n, len).reverse();
 }
-// Unpadded, rarely used
-function numberToVarBytesBE(n) {
-    return hexToBytes(numberToHexUnpadded(n));
-}
 /**
  * Takes hex string or Uint8Array, converts to Uint8Array.
  * Validates output length.
@@ -7136,23 +7161,6 @@ function concatBytes(...arrays) {
     }
     return res;
 }
-// Compares 2 u8a-s in kinda constant time
-function equalBytes(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
-}
-/**
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
- */
-function utf8ToBytes(str) {
-    if (typeof str !== 'string')
-        throw new Error('string expected');
-    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
-}
 // Is positive bigint
 const isPosBig = (n) => typeof n === 'bigint' && _0n$4 <= n;
 function inRange(n, min, max) {
@@ -7176,6 +7184,7 @@ function aInRange(title, n, min, max) {
 /**
  * Calculates amount of bits in a bigint.
  * Same as `n.toString(2).length`
+ * TODO: merge with nLength in modular
  */
 function bitLen(n) {
     let len;
@@ -7183,27 +7192,13 @@ function bitLen(n) {
         ;
     return len;
 }
-/**
- * Gets single bit at position.
- * NOTE: first bit position is 0 (same as arrays)
- * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
- */
-function bitGet(n, pos) {
-    return (n >> BigInt(pos)) & _1n$6;
-}
-/**
- * Sets single bit at position.
- */
-function bitSet(n, pos, value) {
-    return n | ((value ? _1n$6 : _0n$4) << BigInt(pos));
-}
 /**
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
  * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
  */
-const bitMask = (n) => (_2n$4 << BigInt(n - 1)) - _1n$6;
+const bitMask = (n) => (_1n$6 << BigInt(n)) - _1n$6;
 // DRBG
-const u8n = (data) => new Uint8Array(data); // creates Uint8Array
+const u8n = (len) => new Uint8Array(len); // creates Uint8Array
 const u8fr = (arr) => Uint8Array.from(arr); // another shortcut
 /**
  * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
@@ -7229,7 +7224,7 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
         i = 0;
     };
     const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-    const reseed = (seed = u8n()) => {
+    const reseed = (seed = u8n(0)) => {
         // HMAC-DRBG reseed() function. Steps D-G
         k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)
         v = h(); // v = hmac(k || v)
@@ -7294,20 +7289,6 @@ function validateObject(object, validators, optValidators = {}) {
         checkField(fieldName, type, true);
     return object;
 }
-// validate type tests
-// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
-// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
-// // Should fail type-check
-// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
-// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
-// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
-// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
-/**
- * throws not implemented error
- */
-const notImplemented = () => {
-    throw new Error('not implemented');
-};
 /**
  * Memoizes (caches) computation result.
  * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
@@ -7324,36 +7305,6 @@ function memoized(fn) {
     };
 }
 
-var ut = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    aInRange: aInRange,
-    abool: abool,
-    abytes: abytes,
-    bitGet: bitGet,
-    bitLen: bitLen,
-    bitMask: bitMask,
-    bitSet: bitSet,
-    bytesToHex: bytesToHex,
-    bytesToNumberBE: bytesToNumberBE,
-    bytesToNumberLE: bytesToNumberLE,
-    concatBytes: concatBytes,
-    createHmacDrbg: createHmacDrbg,
-    ensureBytes: ensureBytes,
-    equalBytes: equalBytes,
-    hexToBytes: hexToBytes,
-    hexToNumber: hexToNumber,
-    inRange: inRange,
-    isBytes: isBytes$1,
-    memoized: memoized,
-    notImplemented: notImplemented,
-    numberToBytesBE: numberToBytesBE,
-    numberToBytesLE: numberToBytesLE,
-    numberToHexUnpadded: numberToHexUnpadded,
-    numberToVarBytesBE: numberToVarBytesBE,
-    utf8ToBytes: utf8ToBytes,
-    validateObject: validateObject
-});
-
 /**
  * Utils for modular division and finite fields.
  * A finite field over 11 is integer number operations `mod 11`.
@@ -7370,29 +7321,6 @@ function mod(a, b) {
     const result = a % b;
     return result >= _0n$3 ? result : b + result;
 }
-/**
- * Efficiently raise num to power and do modular division.
- * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- * @todo use field version && remove
- * @example
- * pow(2n, 6n, 11n) // 64n % 11n == 9n
- */
-function pow(num, power, modulo) {
-    if (power < _0n$3)
-        throw new Error('invalid exponent, negatives unsupported');
-    if (modulo <= _0n$3)
-        throw new Error('invalid modulus');
-    if (modulo === _1n$5)
-        return _0n$3;
-    let res = _1n$5;
-    while (power > _0n$3) {
-        if (power & _1n$5)
-            res = (res * num) % modulo;
-        num = (num * num) % modulo;
-        power >>= _1n$5;
-    }
-    return res;
-}
 /** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
 function pow2(x, power, modulo) {
     let res = x;
@@ -7433,27 +7361,25 @@ function invert(number, modulo) {
  * Tonelli-Shanks square root search algorithm.
  * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
  * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
- * Will start an infinite loop if field order P is not prime.
  * @param P field order
  * @returns function that takes field Fp (created from P) and number n
  */
 function tonelliShanks(P) {
-    // Legendre constant: used to calculate Legendre symbol (a | p),
-    // which denotes the value of a^((p-1)/2) (mod p).
-    // (a | p) ≡ 1    if a is a square (mod p)
-    // (a | p) ≡ -1   if a is not a square (mod p)
-    // (a | p) ≡ 0    if a ≡ 0 (mod p)
-    const legendreC = (P - _1n$5) / _2n$3;
-    let Q, S, Z;
+    // Do expensive precomputation step
     // Step 1: By factoring out powers of 2 from p - 1,
-    // find q and s such that p - 1 = q*(2^s) with q odd
-    for (Q = P - _1n$5, S = 0; Q % _2n$3 === _0n$3; Q /= _2n$3, S++)
-        ;
+    // find q and s such that p-1 == q*(2^s) with q odd
+    let Q = P - _1n$5;
+    let S = 0;
+    while (Q % _2n$3 === _0n$3) {
+        Q /= _2n$3;
+        S++;
+    }
     // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-    for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$5; Z++) {
-        // Crash instead of infinity loop, we cannot reasonable count until P.
-        if (Z > 1000)
-            throw new Error('Cannot find square root: likely non-prime P');
+    let Z = _2n$3;
+    const _Fp = Field(P);
+    while (Z < P && FpIsSquare(_Fp, Z)) {
+        if (Z++ > 1000)
+            throw new Error('Cannot find square root: probably non-prime P');
     }
     // Fast-path
     if (S === 1) {
@@ -7469,16 +7395,18 @@ function tonelliShanks(P) {
     const Q1div2 = (Q + _1n$5) / _2n$3;
     return function tonelliSlow(Fp, n) {
         // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
+        if (!FpIsSquare(Fp, n))
             throw new Error('Cannot find square root');
         let r = S;
-        // TODO: will fail at Fp2/etc
+        // TODO: test on Fp2 and others
         let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
         let x = Fp.pow(n, Q1div2); // first guess at the square root
         let b = Fp.pow(n, Q); // first guess at the fudge factor
         while (!Fp.eql(b, Fp.ONE)) {
+            // (4. If t = 0, return r = 0)
+            // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm
             if (Fp.eql(b, Fp.ZERO))
-                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+                return Fp.ZERO;
             // Find m such b^(2^m)==1
             let m = 1;
             for (let t2 = Fp.sqr(b); m < r; m++) {
@@ -7486,7 +7414,8 @@ function tonelliShanks(P) {
                     break;
                 t2 = Fp.sqr(t2); // t2 *= t2
             }
-            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift,
+            // otherwise there will be overflow.
             const ge = Fp.pow(g, _1n$5 << BigInt(r - m - 1)); // ge = 2^(r-m-1)
             g = Fp.sqr(ge); // g = ge * ge
             x = Fp.mul(x, ge); // x *= ge
@@ -7515,8 +7444,8 @@ function FpSqrt(P) {
         // const ORDER =
         //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
         // const NUM = 72057594037927816n;
-        const p1div4 = (P + _1n$5) / _4n;
         return function sqrt3mod4(Fp, n) {
+            const p1div4 = (P + _1n$5) / _4n;
             const root = Fp.pow(n, p1div4);
             // Throw if root**2 != n
             if (!Fp.eql(Fp.sqr(root), n))
@@ -7526,9 +7455,9 @@ function FpSqrt(P) {
     }
     // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
     if (P % _8n$2 === _5n$1) {
-        const c1 = (P - _5n$1) / _8n$2;
         return function sqrt5mod8(Fp, n) {
             const n2 = Fp.mul(n, _2n$3);
+            const c1 = (P - _5n$1) / _8n$2;
             const v = Fp.pow(n2, c1);
             const nv = Fp.mul(n, v);
             const i = Fp.mul(Fp.mul(nv, _2n$3), v);
@@ -7567,52 +7496,78 @@ function validateField(field) {
  * Same as `pow` but for Fp: non-constant-time.
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
  */
-function FpPow(f, num, power) {
-    // Should have same speed as pow for bigints
-    // TODO: benchmark!
+function FpPow(Fp, num, power) {
     if (power < _0n$3)
         throw new Error('invalid exponent, negatives unsupported');
     if (power === _0n$3)
-        return f.ONE;
+        return Fp.ONE;
     if (power === _1n$5)
         return num;
-    let p = f.ONE;
+    // @ts-ignore
+    let p = Fp.ONE;
     let d = num;
     while (power > _0n$3) {
         if (power & _1n$5)
-            p = f.mul(p, d);
-        d = f.sqr(d);
+            p = Fp.mul(p, d);
+        d = Fp.sqr(d);
         power >>= _1n$5;
     }
     return p;
 }
 /**
  * Efficiently invert an array of Field elements.
- * `inv(0)` will return `undefined` here: make sure to throw an error.
+ * Exception-free. Will return `undefined` for 0 elements.
+ * @param passZero map 0 to 0 (instead of undefined)
  */
-function FpInvertBatch(f, nums) {
-    const tmp = new Array(nums.length);
+function FpInvertBatch(Fp, nums, passZero = false) {
+    const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
     // Walk from first to last, multiply them by each other MOD p
-    const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.is0(num))
+    const multipliedAcc = nums.reduce((acc, num, i) => {
+        if (Fp.is0(num))
             return acc;
-        tmp[i] = acc;
-        return f.mul(acc, num);
-    }, f.ONE);
+        inverted[i] = acc;
+        return Fp.mul(acc, num);
+    }, Fp.ONE);
     // Invert last element
-    const inverted = f.inv(lastMultiplied);
+    const invertedAcc = Fp.inv(multipliedAcc);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.is0(num))
+        if (Fp.is0(num))
             return acc;
-        tmp[i] = f.mul(acc, tmp[i]);
-        return f.mul(acc, num);
-    }, inverted);
-    return tmp;
+        inverted[i] = Fp.mul(acc, inverted[i]);
+        return Fp.mul(acc, num);
+    }, invertedAcc);
+    return inverted;
+}
+/**
+ * Legendre symbol.
+ * Legendre constant is used to calculate Legendre symbol (a | p)
+ * which denotes the value of a^((p-1)/2) (mod p)..
+ *
+ * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
+ * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
+ * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+ */
+function FpLegendre(Fp, n) {
+    const legc = (Fp.ORDER - _1n$5) / _2n$3;
+    const powered = Fp.pow(n, legc);
+    const yes = Fp.eql(powered, Fp.ONE);
+    const zero = Fp.eql(powered, Fp.ZERO);
+    const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+    if (!yes && !zero && !no)
+        throw new Error('Cannot find square root: probably non-prime P');
+    return yes ? 1 : zero ? 0 : -1;
+}
+// This function returns True whenever the value x is a square in the field F.
+function FpIsSquare(Fp, n) {
+    const l = FpLegendre(Fp, n);
+    return l === 0 || l === 1;
 }
 // CURVE.n lengths
 function nLength(n, nBitLength) {
     // Bit size, byte size of CURVE.n
+    if (nBitLength !== undefined)
+        anumber(nBitLength);
     const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
     const nByteLength = Math.ceil(_nBitLength / 8);
     return { nBitLength: _nBitLength, nByteLength };
@@ -7675,16 +7630,17 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
                     sqrtP = FpSqrt(ORDER);
                 return sqrtP(f, n);
             }),
-        invertBatch: (lst) => FpInvertBatch(f, lst),
-        // TODO: do we really need constant cmov?
-        // We don't have const-time bigints anyway, so probably will be not very useful
-        cmov: (a, b, c) => (c ? b : a),
         toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
                 throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
             return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
         },
+        // TODO: we don't need it here, move out to separate fn
+        invertBatch: (lst) => FpInvertBatch(f, lst),
+        // We can't move this out because Fp6, Fp12 implement it
+        // and it's unclear what to return in there.
+        cmov: (a, b, c) => (c ? b : a),
     });
     return Object.freeze(f);
 }
@@ -7753,11 +7709,36 @@ function validateW(W, bits) {
     if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
         throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
 }
-function calcWOpts(W, bits) {
-    validateW(W, bits);
-    const windows = Math.ceil(bits / W) + 1; // +1, because
-    const windowSize = 2 ** (W - 1); // -1 because we skip zero
-    return { windows, windowSize };
+function calcWOpts(W, scalarBits) {
+    validateW(W, scalarBits);
+    const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
+    const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
+    const maxNumber = 2 ** W; // W=8 256
+    const mask = bitMask(W); // W=8 255 == mask 0b11111111
+    const shiftBy = BigInt(W); // W=8 8
+    return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+    const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+    let wbits = Number(n & mask); // extract W bits.
+    let nextN = n >> shiftBy; // shift number by W bits.
+    // What actually happens here:
+    // const highestBit = Number(mask ^ (mask >> 1n));
+    // let wbits2 = wbits - 1; // skip zero
+    // if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
+    // split if bits > max: +224 => 256-32
+    if (wbits > windowSize) {
+        // we skip zero, which means instead of `>= size-1`, we do `> size`
+        wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
+        nextN += _1n$4; // +256 (carry)
+    }
+    const offsetStart = window * windowSize;
+    const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
+    const isZero = wbits === 0; // is current window slice a 0?
+    const isNeg = wbits < 0; // is current window slice negative?
+    const isNegF = window % 2 !== 0; // fake random statement for noise
+    const offsetF = offsetStart; // fake offset for noise
+    return { nextN, offset, isZero, isNeg, isNegF, offsetF };
 }
 function validateMSMPoints(points, c) {
     if (!Array.isArray(points))
@@ -7776,9 +7757,10 @@ function validateMSMScalars(scalars, field) {
     });
 }
 // Since points in different groups cannot be equal (different object constructor),
-// we can have single place to store precomputes
+// we can have single place to store precomputes.
+// Allows to make points frozen / immutable.
 const pointPrecomputes = new WeakMap();
-const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
+const pointWindowSizes = new WeakMap();
 function getW(P) {
     return pointWindowSizes.get(P) || 1;
 }
@@ -7833,7 +7815,7 @@ function wNAF(c, bits) {
             for (let window = 0; window < windows; window++) {
                 base = p;
                 points.push(base);
-                // =1, because we skip zero
+                // i=1, bc we skip 0
                 for (let i = 1; i < windowSize; i++) {
                     base = base.add(p);
                     points.push(base);
@@ -7850,48 +7832,35 @@ function wNAF(c, bits) {
          * @returns real and fake (for const-time) points
          */
         wNAF(W, precomputes, n) {
-            // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
-            // But need to carefully remove other checks before wNAF. ORDER == bits here
-            const { windows, windowSize } = calcWOpts(W, bits);
+            // Smaller version:
+            // https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+            // TODO: check the scalar is less than group order?
+            // wNAF behavior is undefined otherwise. But have to carefully remove
+            // other checks before wNAF. ORDER == bits here.
+            // Accumulators
             let p = c.ZERO;
             let f = c.BASE;
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-            const maxNumber = 2 ** W;
-            const shiftBy = BigInt(W);
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n$4;
-                }
-                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-                // there is negate now: it is possible that negated element from low value
-                // would be the same as high element, which will create carry into next window.
-                // It's not obvious how this can fail, but still worth investigating later.
-                // Check if we're onto Zero point.
-                // Add random point inside current window to f.
-                const offset1 = offset;
-                const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero
-                const cond1 = window % 2 !== 0;
-                const cond2 = wbits < 0;
-                if (wbits === 0) {
-                    // The most important part for const-time getPublicKey
-                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+            // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+            // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+            // there is negate now: it is possible that negated element from low value
+            // would be the same as high element, which will create carry into next window.
+            // It's not obvious how this can fail, but still worth investigating later.
+            const wo = calcWOpts(W, bits);
+            for (let window = 0; window < wo.windows; window++) {
+                // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
+                const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+                n = nextN;
+                if (isZero) {
+                    // bits are 0: add garbage to fake point
+                    // Important part for const-time getPublicKey: add random "noise" point to f.
+                    f = f.add(constTimeNegate(isNegF, precomputes[offsetF]));
                 }
                 else {
-                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+                    // bits are 1: add to result point
+                    p = p.add(constTimeNegate(isNeg, precomputes[offset]));
                 }
             }
-            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
-            // Even if the variable is still unused, there are some checks which will
-            // throw an exception, so compiler needs to prove they won't happen, which is hard.
+            // Return both real and fake points: JIT won't eliminate f.
             // At this point there is a way to F be infinity-point even if p is not,
             // which makes it less const-time: around 1 bigint multiply.
             return { p, f };
@@ -7905,31 +7874,21 @@ function wNAF(c, bits) {
          * @returns point
          */
         wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
-            const { windows, windowSize } = calcWOpts(W, bits);
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-            const maxNumber = 2 ** W;
-            const shiftBy = BigInt(W);
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
+            const wo = calcWOpts(W, bits);
+            for (let window = 0; window < wo.windows; window++) {
                 if (n === _0n$2)
-                    break; // No need to go over empty scalar
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n$4;
-                }
-                if (wbits === 0)
+                    break; // Early-exit, skip 0 value
+                const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+                n = nextN;
+                if (isZero) {
+                    // Window bits are 0: skip processing.
+                    // Move to next window.
                     continue;
-                let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
-                if (wbits < 0)
-                    curr = curr.negate();
-                // NOTE: by re-using acc, we can save a lot of additions in case of MSM
-                acc = acc.add(curr);
+                }
+                else {
+                    const item = precomputes[offset];
+                    acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
+                }
             }
             return acc;
         },
@@ -7965,7 +7924,7 @@ function wNAF(c, bits) {
 }
 /**
  * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
+ * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
  * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
  * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
  * @param c Curve Point constructor
@@ -7987,15 +7946,15 @@ function pippenger(c, fieldN, points, scalars) {
     const zero = c.ZERO;
     const wbits = bitLen(BigInt(points.length));
     const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
-    const MASK = (1 << windowSize) - 1;
-    const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
+    const MASK = bitMask(windowSize);
+    const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
     const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
     let sum = zero;
     for (let i = lastBits; i >= 0; i -= windowSize) {
         buckets.fill(zero);
         for (let j = 0; j < scalars.length; j++) {
             const scalar = scalars[j];
-            const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
+            const wbits = Number((scalar >> BigInt(i)) & MASK);
             buckets[wbits] = buckets[wbits].add(points[j]);
         }
         let resI = zero; // not using this will do small speed-up, but will lose ct
@@ -8036,6 +7995,7 @@ function validateBasic(curve) {
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// prettier-ignore
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n$1 = BigInt(8);
@@ -8094,10 +8054,11 @@ function twistedEdwards(curveDef) {
         }); // NOOP
     // 0 <= n < MASK
     // Coordinates larger than Fp.ORDER are allowed for zip215
-    function aCoordinate(title, n) {
-        aInRange('coordinate ' + title, n, _0n$1, MASK);
+    function aCoordinate(title, n, banZero = false) {
+        const min = banZero ? _1n$3 : _0n$1;
+        aInRange('coordinate ' + title, n, min, MASK);
     }
-    function assertPoint(other) {
+    function aextpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ExtendedPoint expected');
     }
@@ -8144,14 +8105,14 @@ function twistedEdwards(curveDef) {
     // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
     class Point {
         constructor(ex, ey, ez, et) {
+            aCoordinate('x', ex);
+            aCoordinate('y', ey);
+            aCoordinate('z', ez, true);
+            aCoordinate('t', et);
             this.ex = ex;
             this.ey = ey;
             this.ez = ez;
             this.et = et;
-            aCoordinate('x', ex);
-            aCoordinate('y', ey);
-            aCoordinate('z', ez);
-            aCoordinate('t', et);
             Object.freeze(this);
         }
         get x() {
@@ -8169,7 +8130,7 @@ function twistedEdwards(curveDef) {
             return new Point(x, y, _1n$3, modP(x * y));
         }
         static normalizeZ(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.ez));
+            const toInv = FpInvertBatch(Fp, points.map((p) => p.ez));
             return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
         }
         // Multiscalar Multiplication
@@ -8187,7 +8148,7 @@ function twistedEdwards(curveDef) {
         }
         // Compare one point to another.
         equals(other) {
-            assertPoint(other);
+            aextpoint(other);
             const { ex: X1, ey: Y1, ez: Z1 } = this;
             const { ex: X2, ey: Y2, ez: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
@@ -8228,31 +8189,10 @@ function twistedEdwards(curveDef) {
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
         // Cost: 9M + 1*a + 1*d + 7add.
         add(other) {
-            assertPoint(other);
+            aextpoint(other);
             const { a, d } = CURVE;
             const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
             const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
-            // Faster algo for adding 2 Extended Points when curve's a=-1.
-            // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
-            // Cost: 8M + 8add + 2*2.
-            // Note: It does not check whether the `other` point is valid.
-            if (a === BigInt(-1)) {
-                const A = modP((Y1 - X1) * (Y2 + X2));
-                const B = modP((Y1 + X1) * (Y2 - X2));
-                const F = modP(B - A);
-                if (F === _0n$1)
-                    return this.double(); // Same point. Tests say it doesn't affect timing
-                const C = modP(Z1 * _2n$2 * T2);
-                const D = modP(T1 * _2n$2 * Z2);
-                const E = D + C;
-                const G = B + A;
-                const H = D - C;
-                const X3 = modP(E * F);
-                const Y3 = modP(G * H);
-                const T3 = modP(E * H);
-                const Z3 = modP(F * G);
-                return new Point(X3, Y3, Z3, T3);
-            }
             const A = modP(X1 * X2); // A = X1*X2
             const B = modP(Y1 * Y2); // B = Y1*Y2
             const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -8352,7 +8292,8 @@ function twistedEdwards(curveDef) {
             return Point.fromAffine({ x, y });
         }
         static fromPrivateKey(privKey) {
-            return getExtendedPublicKey(privKey).point;
+            const { scalar } = getPrivateScalar(privKey);
+            return G.multiply(scalar); // reduced one call of `toRawBytes`
         }
         toRawBytes() {
             const { x, y } = this.toAffine();
@@ -8375,8 +8316,8 @@ function twistedEdwards(curveDef) {
     function modN_LE(hash) {
         return modN(bytesToNumberLE(hash));
     }
-    /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
-    function getExtendedPublicKey(key) {
+    // Get the hashed private scalar per RFC8032 5.1.5
+    function getPrivateScalar(key) {
         const len = Fp.BYTES;
         key = ensureBytes('private key', key, len);
         // Hash private key with curve's hash function to produce uniformingly random input
@@ -8385,6 +8326,11 @@ function twistedEdwards(curveDef) {
         const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
         const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
         const scalar = modN_LE(head); // The actual private scalar
+        return { head, prefix, scalar };
+    }
+    // Convenience method that creates public key from scalar. RFC8032 5.1.5
+    function getExtendedPublicKey(key) {
+        const { head, prefix, scalar } = getPrivateScalar(key);
         const point = G.multiply(scalar); // Point on Edwards curve aka public key
         const pointBytes = point.toRawBytes(); // Uint8Array representation
         return { head, prefix, scalar, point, pointBytes };
@@ -8394,7 +8340,7 @@ function twistedEdwards(curveDef) {
         return getExtendedPublicKey(privKey).pointBytes;
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
-    function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
+    function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
         const msg = concatBytes(...msgs);
         return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
     }
@@ -8451,7 +8397,7 @@ function twistedEdwards(curveDef) {
     G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
     const utils = {
         getExtendedPublicKey,
-        // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
+        /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
         randomPrivateKey: () => randomBytes(Fp.BYTES),
         /**
          * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
@@ -8483,8 +8429,10 @@ function twistedEdwards(curveDef) {
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// 2n**255n - 19n
 const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
 // √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
 const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
 // prettier-ignore
 BigInt(0); const _1n$2 = BigInt(1), _2n$1 = BigInt(2); BigInt(3);
@@ -8543,19 +8491,15 @@ function uvRatio(u, v) {
 }
 const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
 const ed25519Defaults = /* @__PURE__ */ (() => ({
-    // Param: a
-    a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
-    // d is equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
+    // Removing Fp.create() will still work, and is 10% faster on sign
+    a: Fp.create(BigInt(-1)),
+    // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
     d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
+    // Finite field 2n**255n - 19n
     Fp,
-    // Subgroup order: how many points curve has
-    // 2n**252n + 27742317777372353535851937790883648493n;
+    // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
     n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
     h: _8n,
-    // Base point (x, y) aka generator point
     Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
     Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
     hash: sha512,
@@ -10104,7 +10048,7 @@ class HMAC extends Hash {
         for (let i = 0; i < pad.length; i++)
             pad[i] ^= 0x36 ^ 0x5c;
         this.oHash.update(pad);
-        pad.fill(0);
+        clean(pad);
     }
     update(buf) {
         aexists(this);
@@ -10138,6 +10082,9 @@ class HMAC extends Hash {
         to.iHash = iHash._cloneInto(to.iHash);
         return to;
     }
+    clone() {
+        return this._cloneInto();
+    }
     destroy() {
         this.destroyed = true;
         this.oHash.destroy();
@@ -10160,6 +10107,19 @@ hmac.create = (hash, key) => new HMAC(hash, key);
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
  *
+ * ### Parameters
+ *
+ * To initialize a weierstrass curve, one needs to pass following params:
+ *
+ * * a: formula param
+ * * b: formula param
+ * * Fp: finite Field over which we'll do calculations. Can be complex (Fp2, Fp12)
+ * * n: Curve prime subgroup order, total count of valid points in the field
+ * * Gx: Base point (x, y) aka generator point x coordinate
+ * * Gy: ...y coordinate
+ * * h: cofactor, usually 1. h*n = curve group order (n is only subgroup order)
+ * * lowS: whether to enable (default) or disable "low-s" non-malleable signatures
+ *
  * ### Design rationale for types
  *
  * * Interaction between classes from different curves should fail:
@@ -10184,6 +10144,7 @@ hmac.create = (hash, key) => new HMAC(hash, key);
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// prettier-ignore
 function validateSigVerOpts(opts) {
     if (opts.lowS !== undefined)
         abool('lowS', opts.lowS);
@@ -10217,7 +10178,6 @@ function validatePointOpts(curve) {
     }
     return Object.freeze({ ...opts });
 }
-const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
 class DERErr extends Error {
     constructor(m = '') {
         super(m);
@@ -10310,14 +10270,13 @@ const DER = {
                 throw new E('invalid signature integer: negative');
             if (data[0] === 0x00 && !(data[1] & 128))
                 throw new E('invalid signature integer: unnecessary leading zero');
-            return b2n(data);
+            return bytesToNumberBE(data);
         },
     },
     toSig(hex) {
         // parse DER signature
         const { Err: E, _int: int, _tlv: tlv } = DER;
-        const data = typeof hex === 'string' ? h2b(hex) : hex;
-        abytes(data);
+        const data = ensureBytes('signature', hex);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
             throw new E('invalid signature: left bytes after parsing');
@@ -10357,7 +10316,7 @@ function weierstrassPoints(opts) {
             return { x, y };
         });
     /**
-     * y² = x³ + ax + b: Short weierstrass curve formula
+     * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
      * @returns y²
      */
     function weierstrassEquation(x) {
@@ -10403,7 +10362,7 @@ function weierstrassPoints(opts) {
         aInRange('private key', num, _1n$1, N); // num in range [1..N-1]
         return num;
     }
-    function assertPrjPoint(other) {
+    function aprjpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
@@ -10461,15 +10420,15 @@ function weierstrassPoints(opts) {
      */
     class Point {
         constructor(px, py, pz) {
-            this.px = px;
-            this.py = py;
-            this.pz = pz;
             if (px == null || !Fp.isValid(px))
                 throw new Error('x required');
-            if (py == null || !Fp.isValid(py))
+            if (py == null || !Fp.isValid(py) || Fp.is0(py))
                 throw new Error('y required');
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
+            this.px = px;
+            this.py = py;
+            this.pz = pz;
             Object.freeze(this);
         }
         // Does not validate if the point is on-curve.
@@ -10499,7 +10458,7 @@ function weierstrassPoints(opts) {
          * Optimization: converts a list of projective points to a list of identical points with Z=1.
          */
         static normalizeZ(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.pz));
+            const toInv = FpInvertBatch(Fp, points.map((p) => p.pz));
             return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
         }
         /**
@@ -10537,7 +10496,7 @@ function weierstrassPoints(opts) {
          * Compare one point to another.
          */
         equals(other) {
-            assertPrjPoint(other);
+            aprjpoint(other);
             const { px: X1, py: Y1, pz: Z1 } = this;
             const { px: X2, py: Y2, pz: Z2 } = other;
             const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
@@ -10597,7 +10556,7 @@ function weierstrassPoints(opts) {
         // https://eprint.iacr.org/2015/1060, algorithm 1
         // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
         add(other) {
-            assertPrjPoint(other);
+            aprjpoint(other);
             const { px: X1, py: Y1, pz: Z1 } = this;
             const { px: X2, py: Y2, pz: Z2 } = other;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
@@ -10768,10 +10727,9 @@ function weierstrassPoints(opts) {
         }
     }
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
     const _bits = CURVE.nBitLength;
     const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-    // Validate if generator point is on curve
     return {
         CURVE,
         ProjectivePoint: Point,
@@ -10862,7 +10820,7 @@ function weierstrass(curveDef) {
             }
         },
     });
-    const numToNByteStr = (num) => bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
+    const numToNByteHex = (num) => bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
     function isBiggerThanHalfOrder(number) {
         const HALF = CURVE_ORDER >> _1n$1;
         return number > HALF;
@@ -10877,10 +10835,13 @@ function weierstrass(curveDef) {
      */
     class Signature {
         constructor(r, s, recovery) {
+            aInRange('r', r, _1n$1, CURVE_ORDER); // r in [1..N]
+            aInRange('s', s, _1n$1, CURVE_ORDER); // s in [1..N]
             this.r = r;
             this.s = s;
-            this.recovery = recovery;
-            this.assertValidity();
+            if (recovery != null)
+                this.recovery = recovery;
+            Object.freeze(this);
         }
         // pair (bytes of r, bytes of s)
         static fromCompact(hex) {
@@ -10894,10 +10855,11 @@ function weierstrass(curveDef) {
             const { r, s } = DER.toSig(ensureBytes('DER', hex));
             return new Signature(r, s);
         }
-        assertValidity() {
-            aInRange('r', this.r, _1n$1, CURVE_ORDER); // r in [1..N]
-            aInRange('s', this.s, _1n$1, CURVE_ORDER); // s in [1..N]
-        }
+        /**
+         * @todo remove
+         * @deprecated
+         */
+        assertValidity() { }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
@@ -10910,7 +10872,7 @@ function weierstrass(curveDef) {
             if (radj >= Fp.ORDER)
                 throw new Error('recovery id 2 or 3 invalid');
             const prefix = (rec & 1) === 0 ? '02' : '03';
-            const R = Point.fromHex(prefix + numToNByteStr(radj));
+            const R = Point.fromHex(prefix + numToNByteHex(radj));
             const ir = invN(radj); // r^-1
             const u1 = modN(-h * ir); // -hr^-1
             const u2 = modN(s * ir); // sr^-1
@@ -10932,14 +10894,14 @@ function weierstrass(curveDef) {
             return hexToBytes(this.toDERHex());
         }
         toDERHex() {
-            return DER.hexFromSig({ r: this.r, s: this.s });
+            return DER.hexFromSig(this);
         }
         // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
             return hexToBytes(this.toCompactHex());
         }
         toCompactHex() {
-            return numToNByteStr(this.r) + numToNByteStr(this.s);
+            return numToNByteHex(this.r) + numToNByteHex(this.s);
         }
     }
     const utils = {
@@ -11279,26 +11241,28 @@ function sqrtMod(y) {
 }
 const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 /**
- * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ * secp256k1 curve, ECDSA and ECDH methods.
+ *
+ * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
  *
  * @example
+ * ```js
  * import { secp256k1 } from '@noble/curves/secp256k1';
- *
  * const priv = secp256k1.utils.randomPrivateKey();
  * const pub = secp256k1.getPublicKey(priv);
  * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
  * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
  * const isValid = secp256k1.verify(sig, msg, pub) === true;
+ * ```
  */
 const secp256k1 = createCurve({
-    a: BigInt(0), // equation params: a, b
+    a: BigInt(0),
     b: BigInt(7),
-    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    n: secp256k1N, // Curve order, total count of valid points in the field
-    // Base point (x, y) aka generator point
+    Fp: Fpk1,
+    n: secp256k1N,
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
-    h: BigInt(1), // Cofactor
+    h: BigInt(1),
     lowS: true, // Allow only low-S signatures by default in sign() and verify()
     endo: {
         // Endomorphism, see above
@@ -11326,7 +11290,7 @@ const secp256k1 = createCurve({
             return { k1neg, k1, k2neg, k2 };
         },
     },
-}, sha256);
+}, sha256$1);
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 BigInt(0);
@@ -11346,7 +11310,7 @@ const PUBLIC_KEY_BYTE_LENGTH = 33;
  * Hash message and verify signature with public key
  */
 function hashAndVerify(key, sig, msg) {
-    const p = sha256$1.digest(msg instanceof Uint8Array ? msg : msg.subarray());
+    const p = sha256$2.digest(msg instanceof Uint8Array ? msg : msg.subarray());
     if (isPromise(p)) {
         return p.then(({ digest }) => secp256k1.verify(sig, digest, key))
             .catch(err => {
@@ -11980,7 +11944,7 @@ class EnrCreator {
         }
         return ENR.create({
             ...kvs,
-            id: utf8ToBytes$2("v4"),
+            id: utf8ToBytes$1("v4"),
             secp256k1: publicKey
         });
     }