@zoralabs/protocol-deployments 0.3.5-COMMENTS.2 → 0.3.5-COMMENTS.4

package/dist/{secp256k1-5CEPNAX3.js → secp256k1-NJATWSDZ.js}

@@ -10,12 +10,12 @@ import {
   rotr,
   toBytes,
   wrapConstructor
-} from "./chunk-5JV63AHR.js";
+} from "./chunk-FJ2PMLO3.js";
 import {
   __export
 } from "./chunk-3EJPJMEH.js";
 
-// ../../node_modules/.pnpm/@noble+hashes@1.4.0/node_modules/@noble/hashes/esm/_md.js
+// ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/_md.js
 function setBigUint64(view, byteOffset, value, isLE) {
   if (typeof view.setBigUint64 === "function")
     return view.setBigUint64(byteOffset, value, isLE);
@@ -117,7 +117,7 @@ var HashMD = class extends Hash {
   }
 };
 
-// ../../node_modules/.pnpm/@noble+hashes@1.4.0/node_modules/@noble/hashes/esm/sha256.js
+// ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/sha256.js
 var SHA256_K = /* @__PURE__ */ new Uint32Array([
   1116352408,
   1899447441,
@@ -267,9 +267,76 @@ var SHA256 = class extends HashMD {
 };
 var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
 
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/abstract/utils.js
+// ../../node_modules/.pnpm/@noble+hashes@1.5.0/node_modules/@noble/hashes/esm/hmac.js
+var HMAC = class extends Hash {
+  constructor(hash2, _key) {
+    super();
+    this.finished = false;
+    this.destroyed = false;
+    hash(hash2);
+    const key = toBytes(_key);
+    this.iHash = hash2.create();
+    if (typeof this.iHash.update !== "function")
+      throw new Error("Expected instance of class which extends utils.Hash");
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54;
+    this.iHash.update(pad);
+    this.oHash = hash2.create();
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54 ^ 92;
+    this.oHash.update(pad);
+    pad.fill(0);
+  }
+  update(buf) {
+    exists(this);
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out) {
+    exists(this);
+    bytes(out, this.outputLen);
+    this.finished = true;
+    this.iHash.digestInto(out);
+    this.oHash.update(out);
+    this.oHash.digestInto(out);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to) {
+    to || (to = Object.create(Object.getPrototypeOf(this), {}));
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+};
+var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
+hmac.create = (hash2, key) => new HMAC(hash2, key);
+
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/utils.js
 var utils_exports = {};
 __export(utils_exports, {
+  aInRange: () => aInRange,
+  abool: () => abool,
   abytes: () => abytes,
   bitGet: () => bitGet,
   bitLen: () => bitLen,
@@ -284,7 +351,10 @@ __export(utils_exports, {
   equalBytes: () => equalBytes,
   hexToBytes: () => hexToBytes,
   hexToNumber: () => hexToNumber,
+  inRange: () => inRange,
   isBytes: () => isBytes,
+  memoized: () => memoized,
+  notImplemented: () => notImplemented,
   numberToBytesBE: () => numberToBytesBE,
   numberToBytesLE: () => numberToBytesLE,
   numberToHexUnpadded: () => numberToHexUnpadded,
@@ -292,9 +362,9 @@ __export(utils_exports, {
   utf8ToBytes: () => utf8ToBytes,
   validateObject: () => validateObject
 });
-var _0n = BigInt(0);
-var _1n = BigInt(1);
-var _2n = BigInt(2);
+var _0n = /* @__PURE__ */ BigInt(0);
+var _1n = /* @__PURE__ */ BigInt(1);
+var _2n = /* @__PURE__ */ BigInt(2);
 function isBytes(a) {
   return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array";
 }
@@ -302,6 +372,10 @@ function abytes(item) {
   if (!isBytes(item))
     throw new Error("Uint8Array expected");
 }
+function abool(title, value) {
+  if (typeof value !== "boolean")
+    throw new Error(`${title} must be valid boolean, got "${value}".`);
+}
 var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
 function bytesToHex(bytes2) {
   abytes(bytes2);
@@ -311,8 +385,8 @@ function bytesToHex(bytes2) {
   }
   return hex;
 }
-function numberToHexUnpadded(num) {
-  const hex = num.toString(16);
+function numberToHexUnpadded(num2) {
+  const hex = num2.toString(16);
   return hex.length & 1 ? `0${hex}` : hex;
 }
 function hexToNumber(hex) {
@@ -411,6 +485,14 @@ function utf8ToBytes(str) {
     throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
   return new Uint8Array(new TextEncoder().encode(str));
 }
+var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
+function inRange(n, min, max) {
+  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+function aInRange(title, n, min, max) {
+  if (!inRange(n, min, max))
+    throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
+}
 function bitLen(n) {
   let len;
   for (len = 0; n > _0n; n >>= _1n, len += 1)
@@ -503,8 +585,22 @@ function validateObject(object, validators, optValidators = {}) {
     checkField(fieldName, type, true);
   return object;
 }
+var notImplemented = () => {
+  throw new Error("not implemented");
+};
+function memoized(fn) {
+  const map = /* @__PURE__ */ new WeakMap();
+  return (arg, ...args) => {
+    const val = map.get(arg);
+    if (val !== void 0)
+      return val;
+    const computed = fn(arg, ...args);
+    map.set(arg, computed);
+    return computed;
+  };
+}
 
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/abstract/modular.js
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/modular.js
 var _0n2 = BigInt(0);
 var _1n2 = BigInt(1);
 var _2n2 = BigInt(2);
@@ -518,7 +614,7 @@ function mod(a, b) {
   const result = a % b;
   return result >= _0n2 ? result : b + result;
 }
-function pow(num, power, modulo) {
+function pow(num2, power, modulo) {
   if (modulo <= _0n2 || power < _0n2)
     throw new Error("Expected power/modulo > 0");
   if (modulo === _1n2)
@@ -526,8 +622,8 @@ function pow(num, power, modulo) {
   let res = _1n2;
   while (power > _0n2) {
     if (power & _1n2)
-      res = res * num % modulo;
-    num = num * num % modulo;
+      res = res * num2 % modulo;
+    num2 = num2 * num2 % modulo;
     power >>= _1n2;
   }
   return res;
@@ -592,9 +688,9 @@ function tonelliShanks(P) {
           break;
         t2 = Fp2.sqr(t2);
       }
-      const ge2 = Fp2.pow(g, _1n2 << BigInt(r - m - 1));
-      g = Fp2.sqr(ge2);
-      x = Fp2.mul(x, ge2);
+      const ge = Fp2.pow(g, _1n2 << BigInt(r - m - 1));
+      g = Fp2.sqr(ge);
+      x = Fp2.mul(x, ge);
       b = Fp2.mul(b, g);
       r = m;
     }
@@ -660,15 +756,15 @@ function validateField(field) {
   }, initial);
   return validateObject(field, opts);
 }
-function FpPow(f, num, power) {
+function FpPow(f, num2, power) {
   if (power < _0n2)
     throw new Error("Expected power > 0");
   if (power === _0n2)
     return f.ONE;
   if (power === _1n2)
-    return num;
+    return num2;
   let p = f.ONE;
-  let d = num;
+  let d = num2;
   while (power > _0n2) {
     if (power & _1n2)
       p = f.mul(p, d);
@@ -679,18 +775,18 @@ function FpPow(f, num, power) {
 }
 function FpInvertBatch(f, nums) {
   const tmp = new Array(nums.length);
-  const lastMultiplied = nums.reduce((acc, num, i) => {
-    if (f.is0(num))
+  const lastMultiplied = nums.reduce((acc, num2, i) => {
+    if (f.is0(num2))
       return acc;
     tmp[i] = acc;
-    return f.mul(acc, num);
+    return f.mul(acc, num2);
   }, f.ONE);
   const inverted = f.inv(lastMultiplied);
-  nums.reduceRight((acc, num, i) => {
-    if (f.is0(num))
+  nums.reduceRight((acc, num2, i) => {
+    if (f.is0(num2))
       return acc;
     tmp[i] = f.mul(acc, tmp[i]);
-    return f.mul(acc, num);
+    return f.mul(acc, num2);
   }, inverted);
   return tmp;
 }
@@ -713,34 +809,34 @@ function Field(ORDER, bitLen2, isLE = false, redef = {}) {
     MASK: bitMask(BITS),
     ZERO: _0n2,
     ONE: _1n2,
-    create: (num) => mod(num, ORDER),
-    isValid: (num) => {
-      if (typeof num !== "bigint")
-        throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
-      return _0n2 <= num && num < ORDER;
+    create: (num2) => mod(num2, ORDER),
+    isValid: (num2) => {
+      if (typeof num2 !== "bigint")
+        throw new Error(`Invalid field element: expected bigint, got ${typeof num2}`);
+      return _0n2 <= num2 && num2 < ORDER;
     },
-    is0: (num) => num === _0n2,
-    isOdd: (num) => (num & _1n2) === _1n2,
-    neg: (num) => mod(-num, ORDER),
+    is0: (num2) => num2 === _0n2,
+    isOdd: (num2) => (num2 & _1n2) === _1n2,
+    neg: (num2) => mod(-num2, ORDER),
     eql: (lhs, rhs) => lhs === rhs,
-    sqr: (num) => mod(num * num, ORDER),
+    sqr: (num2) => mod(num2 * num2, ORDER),
     add: (lhs, rhs) => mod(lhs + rhs, ORDER),
     sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
     mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-    pow: (num, power) => FpPow(f, num, power),
+    pow: (num2, power) => FpPow(f, num2, power),
     div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
     // Same as above, but doesn't normalize
-    sqrN: (num) => num * num,
+    sqrN: (num2) => num2 * num2,
     addN: (lhs, rhs) => lhs + rhs,
     subN: (lhs, rhs) => lhs - rhs,
     mulN: (lhs, rhs) => lhs * rhs,
-    inv: (num) => invert(num, ORDER),
+    inv: (num2) => invert(num2, ORDER),
     sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
     invertBatch: (lst) => FpInvertBatch(f, lst),
     // TODO: do we really need constant cmov?
     // We don't have const-time bigints anyway, so probably will be not very useful
     cmov: (a, b, c) => c ? b : a,
-    toBytes: (num) => isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
+    toBytes: (num2) => isLE ? numberToBytesLE(num2, BYTES) : numberToBytesBE(num2, BYTES),
     fromBytes: (bytes2) => {
       if (bytes2.length !== BYTES)
         throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes2.length}`);
@@ -765,20 +861,27 @@ function mapHashToField(key, fieldOrder, isLE = false) {
   const minLen = getMinHashLength(fieldOrder);
   if (len < 16 || len < minLen || len > 1024)
     throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
-  const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
-  const reduced = mod(num, fieldOrder - _1n2) + _1n2;
+  const num2 = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
+  const reduced = mod(num2, fieldOrder - _1n2) + _1n2;
   return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
 }
 
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/abstract/curve.js
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/curve.js
 var _0n3 = BigInt(0);
 var _1n3 = BigInt(1);
+var pointPrecomputes = /* @__PURE__ */ new WeakMap();
+var pointWindowSizes = /* @__PURE__ */ new WeakMap();
 function wNAF(c, bits) {
   const constTimeNegate = (condition, item) => {
     const neg = item.negate();
     return condition ? neg : item;
   };
+  const validateW = (W) => {
+    if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+      throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
+  };
   const opts = (W) => {
+    validateW(W);
     const windows = Math.ceil(bits / W) + 1;
     const windowSize = 2 ** (W - 1);
     return { windows, windowSize };
@@ -857,19 +960,62 @@ function wNAF(c, bits) {
       }
       return { p, f };
     },
-    wNAFCached(P, precomputesMap, n, transform) {
-      const W = P._WINDOW_SIZE || 1;
-      let comp = precomputesMap.get(P);
+    wNAFCached(P, n, transform) {
+      const W = pointWindowSizes.get(P) || 1;
+      let comp = pointPrecomputes.get(P);
       if (!comp) {
         comp = this.precomputeWindow(P, W);
-        if (W !== 1) {
-          precomputesMap.set(P, transform(comp));
-        }
+        if (W !== 1)
+          pointPrecomputes.set(P, transform(comp));
       }
       return this.wNAF(W, comp, n);
+    },
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    setWindowSize(P, W) {
+      validateW(W);
+      pointWindowSizes.set(P, W);
+      pointPrecomputes.delete(P);
     }
   };
 }
+function pippenger(c, field, points, scalars) {
+  if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)
+    throw new Error("arrays of points and scalars must have equal length");
+  scalars.forEach((s, i) => {
+    if (!field.isValid(s))
+      throw new Error(`wrong scalar at index ${i}`);
+  });
+  points.forEach((p, i) => {
+    if (!(p instanceof c))
+      throw new Error(`wrong point at index ${i}`);
+  });
+  const wbits = bitLen(BigInt(points.length));
+  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1;
+  const MASK = (1 << windowSize) - 1;
+  const buckets = new Array(MASK + 1).fill(c.ZERO);
+  const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;
+  let sum = c.ZERO;
+  for (let i = lastBits; i >= 0; i -= windowSize) {
+    buckets.fill(c.ZERO);
+    for (let j = 0; j < scalars.length; j++) {
+      const scalar = scalars[j];
+      const wbits2 = Number(scalar >> BigInt(i) & BigInt(MASK));
+      buckets[wbits2] = buckets[wbits2].add(points[j]);
+    }
+    let resI = c.ZERO;
+    for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {
+      sumI = sumI.add(buckets[j]);
+      resI = resI.add(sumI);
+    }
+    sum = sum.add(resI);
+    if (i !== 0)
+      for (let j = 0; j < windowSize; j++)
+        sum = sum.double();
+  }
+  return sum;
+}
 function validateBasic(curve) {
   validateField(curve.Fp);
   validateObject(curve, {
@@ -888,7 +1034,13 @@ function validateBasic(curve) {
   });
 }
 
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
+function validateSigVerOpts(opts) {
+  if (opts.lowS !== void 0)
+    abool("lowS", opts.lowS);
+  if (opts.prehash !== void 0)
+    abool("prehash", opts.prehash);
+}
 function validatePointOpts(curve) {
   const opts = validateBasic(curve);
   validateObject(opts, {
@@ -922,48 +1074,99 @@ var DER = {
       super(m);
     }
   },
-  _parseInt(data) {
-    const { Err: E } = DER;
-    if (data.length < 2 || data[0] !== 2)
-      throw new E("Invalid signature integer tag");
-    const len = data[1];
-    const res = data.subarray(2, len + 2);
-    if (!len || res.length !== len)
-      throw new E("Invalid signature integer: wrong length");
-    if (res[0] & 128)
-      throw new E("Invalid signature integer: negative");
-    if (res[0] === 0 && !(res[1] & 128))
-      throw new E("Invalid signature integer: unnecessary leading zero");
-    return { d: b2n(res), l: data.subarray(len + 2) };
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (tag, data) => {
+      const { Err: E } = DER;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length & 1)
+        throw new E("tlv.encode: unpadded data");
+      const dataLen = data.length / 2;
+      const len = numberToHexUnpadded(dataLen);
+      if (len.length / 2 & 128)
+        throw new E("tlv.encode: long form length too big");
+      const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
+      return `${numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(tag, data) {
+      const { Err: E } = DER;
+      let pos = 0;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length < 2 || data[pos++] !== tag)
+        throw new E("tlv.decode: wrong tlv");
+      const first = data[pos++];
+      const isLong = !!(first & 128);
+      let length = 0;
+      if (!isLong)
+        length = first;
+      else {
+        const lenLen = first & 127;
+        if (!lenLen)
+          throw new E("tlv.decode(long): indefinite length not supported");
+        if (lenLen > 4)
+          throw new E("tlv.decode(long): byte length is too big");
+        const lengthBytes = data.subarray(pos, pos + lenLen);
+        if (lengthBytes.length !== lenLen)
+          throw new E("tlv.decode: length bytes not complete");
+        if (lengthBytes[0] === 0)
+          throw new E("tlv.decode(long): zero leftmost byte");
+        for (const b of lengthBytes)
+          length = length << 8 | b;
+        pos += lenLen;
+        if (length < 128)
+          throw new E("tlv.decode(long): not minimal encoding");
+      }
+      const v = data.subarray(pos, pos + length);
+      if (v.length !== length)
+        throw new E("tlv.decode: wrong value length");
+      return { v, l: data.subarray(pos + length) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(num2) {
+      const { Err: E } = DER;
+      if (num2 < _0n4)
+        throw new E("integer: negative integers are not allowed");
+      let hex = numberToHexUnpadded(num2);
+      if (Number.parseInt(hex[0], 16) & 8)
+        hex = "00" + hex;
+      if (hex.length & 1)
+        throw new E("unexpected assertion");
+      return hex;
+    },
+    decode(data) {
+      const { Err: E } = DER;
+      if (data[0] & 128)
+        throw new E("Invalid signature integer: negative");
+      if (data[0] === 0 && !(data[1] & 128))
+        throw new E("Invalid signature integer: unnecessary leading zero");
+      return b2n(data);
+    }
   },
   toSig(hex) {
-    const { Err: E } = DER;
+    const { Err: E, _int: int, _tlv: tlv } = DER;
     const data = typeof hex === "string" ? h2b(hex) : hex;
     abytes(data);
-    let l = data.length;
-    if (l < 2 || data[0] != 48)
-      throw new E("Invalid signature tag");
-    if (data[1] !== l - 2)
-      throw new E("Invalid signature: incorrect length");
-    const { d: r, l: sBytes } = DER._parseInt(data.subarray(2));
-    const { d: s, l: rBytesLeft } = DER._parseInt(sBytes);
-    if (rBytesLeft.length)
+    const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
+    if (seqLeftBytes.length)
+      throw new E("Invalid signature: left bytes after parsing");
+    const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
+    const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
+    if (sLeftBytes.length)
       throw new E("Invalid signature: left bytes after parsing");
-    return { r, s };
+    return { r: int.decode(rBytes), s: int.decode(sBytes) };
   },
   hexFromSig(sig) {
-    const slice = (s2) => Number.parseInt(s2[0], 16) & 8 ? "00" + s2 : s2;
-    const h = (num) => {
-      const hex = num.toString(16);
-      return hex.length & 1 ? `0${hex}` : hex;
-    };
-    const s = slice(h(sig.s));
-    const r = slice(h(sig.r));
-    const shl = s.length / 2;
-    const rhl = r.length / 2;
-    const sl = h(shl);
-    const rl = h(rhl);
-    return `30${h(rhl + shl + 4)}02${rl}${r}02${sl}${s}`;
+    const { _tlv: tlv, _int: int } = DER;
+    const seq = `${tlv.encode(2, int.encode(sig.r))}${tlv.encode(2, int.encode(sig.s))}`;
+    return tlv.encode(48, seq);
   }
 };
 var _0n4 = BigInt(0);
@@ -974,6 +1177,7 @@ var _4n2 = BigInt(4);
 function weierstrassPoints(opts) {
   const CURVE = validatePointOpts(opts);
   const { Fp: Fp2 } = CURVE;
+  const Fn = Field(CURVE.n, CURVE.nBitLength);
   const toBytes2 = CURVE.toBytes || ((_c, point, _isCompressed) => {
     const a = point.toAffine();
     return concatBytes2(Uint8Array.from([4]), Fp2.toBytes(a.x), Fp2.toBytes(a.y));
@@ -992,15 +1196,11 @@ function weierstrassPoints(opts) {
   }
   if (!Fp2.eql(Fp2.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
     throw new Error("bad generator point: equation left != right");
-  function isWithinCurveOrder(num) {
-    return typeof num === "bigint" && _0n4 < num && num < CURVE.n;
-  }
-  function assertGE(num) {
-    if (!isWithinCurveOrder(num))
-      throw new Error("Expected valid bigint: 0 < bigint < curve.n");
+  function isWithinCurveOrder(num2) {
+    return inRange(num2, _1n4, CURVE.n);
   }
   function normPrivateKeyToScalar(key) {
-    const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
+    const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
     if (lengths && typeof key !== "bigint") {
       if (isBytes(key))
         key = bytesToHex(key);
@@ -1008,22 +1208,54 @@ function weierstrassPoints(opts) {
         throw new Error("Invalid key");
       key = key.padStart(nByteLength * 2, "0");
     }
-    let num;
+    let num2;
     try {
-      num = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
+      num2 = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
     } catch (error) {
       throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
     }
     if (wrapPrivateKey)
-      num = mod(num, n);
-    assertGE(num);
-    return num;
+      num2 = mod(num2, N);
+    aInRange("private key", num2, _1n4, N);
+    return num2;
   }
-  const pointPrecomputes = /* @__PURE__ */ new Map();
   function assertPrjPoint(other) {
     if (!(other instanceof Point2))
       throw new Error("ProjectivePoint expected");
   }
+  const toAffineMemo = memoized((p, iz) => {
+    const { px: x, py: y, pz: z } = p;
+    if (Fp2.eql(z, Fp2.ONE))
+      return { x, y };
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? Fp2.ONE : Fp2.inv(z);
+    const ax = Fp2.mul(x, iz);
+    const ay = Fp2.mul(y, iz);
+    const zz = Fp2.mul(z, iz);
+    if (is0)
+      return { x: Fp2.ZERO, y: Fp2.ZERO };
+    if (!Fp2.eql(zz, Fp2.ONE))
+      throw new Error("invZ was invalid");
+    return { x: ax, y: ay };
+  });
+  const assertValidMemo = memoized((p) => {
+    if (p.is0()) {
+      if (CURVE.allowInfinityPoint && !Fp2.is0(p.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x, y } = p.toAffine();
+    if (!Fp2.isValid(x) || !Fp2.isValid(y))
+      throw new Error("bad point: x or y not FE");
+    const left = Fp2.sqr(y);
+    const right = weierstrassEquation(x);
+    if (!Fp2.eql(left, right))
+      throw new Error("bad point: equation left != right");
+    if (!p.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return true;
+  });
   class Point2 {
     constructor(px, py, pz) {
       this.px = px;
@@ -1035,6 +1267,7 @@ function weierstrassPoints(opts) {
         throw new Error("y required");
       if (pz == null || !Fp2.isValid(pz))
         throw new Error("z required");
+      Object.freeze(this);
     }
     // Does not validate if the point is on-curve.
     // Use fromHex instead, or call assertValidity() later.
@@ -1078,27 +1311,17 @@ function weierstrassPoints(opts) {
     static fromPrivateKey(privateKey) {
       return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
     }
+    // Multiscalar Multiplication
+    static msm(points, scalars) {
+      return pippenger(Point2, Fn, points, scalars);
+    }
     // "Private method", don't use it directly
     _setWindowSize(windowSize) {
-      this._WINDOW_SIZE = windowSize;
-      pointPrecomputes.delete(this);
+      wnaf.setWindowSize(this, windowSize);
     }
     // A point on curve is valid if it conforms to equation.
     assertValidity() {
-      if (this.is0()) {
-        if (CURVE.allowInfinityPoint && !Fp2.is0(this.py))
-          return;
-        throw new Error("bad point: ZERO");
-      }
-      const { x, y } = this.toAffine();
-      if (!Fp2.isValid(x) || !Fp2.isValid(y))
-        throw new Error("bad point: x or y not FE");
-      const left = Fp2.sqr(y);
-      const right = weierstrassEquation(x);
-      if (!Fp2.eql(left, right))
-        throw new Error("bad point: equation left != right");
-      if (!this.isTorsionFree())
-        throw new Error("bad point: not in prime-order subgroup");
+      assertValidMemo(this);
     }
     hasEvenY() {
       const { y } = this.toAffine();
@@ -1225,27 +1448,24 @@ function weierstrassPoints(opts) {
       return this.equals(Point2.ZERO);
     }
     wNAF(n) {
-      return wnaf.wNAFCached(this, pointPrecomputes, n, (comp) => {
-        const toInv = Fp2.invertBatch(comp.map((p) => p.pz));
-        return comp.map((p, i) => p.toAffine(toInv[i])).map(Point2.fromAffine);
-      });
+      return wnaf.wNAFCached(this, n, Point2.normalizeZ);
     }
     /**
      * Non-constant-time multiplication. Uses double-and-add algorithm.
      * It's faster, but should only be used when you don't care about
      * an exposed private key e.g. sig verification, which works over *public* keys.
      */
-    multiplyUnsafe(n) {
+    multiplyUnsafe(sc) {
+      aInRange("scalar", sc, _0n4, CURVE.n);
       const I = Point2.ZERO;
-      if (n === _0n4)
+      if (sc === _0n4)
         return I;
-      assertGE(n);
-      if (n === _1n4)
+      if (sc === _1n4)
         return this;
       const { endo } = CURVE;
       if (!endo)
-        return wnaf.unsafeLadder(this, n);
-      let { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+        return wnaf.unsafeLadder(this, sc);
+      let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
       let k1p = I;
       let k2p = I;
       let d = this;
@@ -1275,12 +1495,11 @@ function weierstrassPoints(opts) {
      * @returns New point
      */
     multiply(scalar) {
-      assertGE(scalar);
-      let n = scalar;
+      const { endo, n: N } = CURVE;
+      aInRange("scalar", scalar, _1n4, N);
       let point, fake;
-      const { endo } = CURVE;
       if (endo) {
-        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
         let { p: k1p, f: f1p } = this.wNAF(k1);
         let { p: k2p, f: f2p } = this.wNAF(k2);
         k1p = wnaf.constTimeNegate(k1neg, k1p);
@@ -1289,7 +1508,7 @@ function weierstrassPoints(opts) {
         point = k1p.add(k2p);
         fake = f1p.add(f2p);
       } else {
-        const { p, f } = this.wNAF(n);
+        const { p, f } = this.wNAF(scalar);
         point = p;
         fake = f;
       }
@@ -1311,18 +1530,7 @@ function weierstrassPoints(opts) {
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     // (x, y, z) ∋ (x=x/z, y=y/z)
     toAffine(iz) {
-      const { px: x, py: y, pz: z } = this;
-      const is0 = this.is0();
-      if (iz == null)
-        iz = is0 ? Fp2.ONE : Fp2.inv(z);
-      const ax = Fp2.mul(x, iz);
-      const ay = Fp2.mul(y, iz);
-      const zz = Fp2.mul(z, iz);
-      if (is0)
-        return { x: Fp2.ZERO, y: Fp2.ZERO };
-      if (!Fp2.eql(zz, Fp2.ONE))
-        throw new Error("invZ was invalid");
-      return { x: ax, y: ay };
+      return toAffineMemo(this, iz);
     }
     isTorsionFree() {
       const { h: cofactor, isTorsionFree } = CURVE;
@@ -1341,10 +1549,12 @@ function weierstrassPoints(opts) {
       return this.multiplyUnsafe(CURVE.h);
     }
     toRawBytes(isCompressed = true) {
+      abool("isCompressed", isCompressed);
       this.assertValidity();
       return toBytes2(Point2, this, isCompressed);
     }
     toHex(isCompressed = true) {
+      abool("isCompressed", isCompressed);
       return bytesToHex(this.toRawBytes(isCompressed));
     }
   }
@@ -1378,9 +1588,6 @@ function weierstrass(curveDef) {
   const { Fp: Fp2, n: CURVE_ORDER } = CURVE;
   const compressedLen = Fp2.BYTES + 1;
   const uncompressedLen = 2 * Fp2.BYTES + 1;
-  function isValidFieldElement(num) {
-    return _0n4 < num && num < Fp2.ORDER;
-  }
   function modN2(a) {
     return mod(a, CURVE_ORDER);
   }
@@ -1393,6 +1600,7 @@ function weierstrass(curveDef) {
       const a = point.toAffine();
       const x = Fp2.toBytes(a.x);
       const cat = concatBytes2;
+      abool("isCompressed", isCompressed);
       if (isCompressed) {
         return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
       } else {
@@ -1405,7 +1613,7 @@ function weierstrass(curveDef) {
       const tail = bytes2.subarray(1);
       if (len === compressedLen && (head === 2 || head === 3)) {
         const x = bytesToNumberBE(tail);
-        if (!isValidFieldElement(x))
+        if (!inRange(x, _1n4, Fp2.ORDER))
           throw new Error("Point is not on curve");
         const y2 = weierstrassEquation(x);
         let y;
@@ -1429,7 +1637,7 @@ function weierstrass(curveDef) {
       }
     }
   });
-  const numToNByteStr = (num) => bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
+  const numToNByteStr = (num2) => bytesToHex(numberToBytesBE(num2, CURVE.nByteLength));
   function isBiggerThanHalfOrder(number) {
     const HALF = CURVE_ORDER >> _1n4;
     return number > HALF;
@@ -1458,10 +1666,8 @@ function weierstrass(curveDef) {
       return new Signature(r, s);
     }
     assertValidity() {
-      if (!isWithinCurveOrder(this.r))
-        throw new Error("r must be 0 < r < CURVE.n");
-      if (!isWithinCurveOrder(this.s))
-        throw new Error("s must be 0 < s < CURVE.n");
+      aInRange("r", this.r, _1n4, CURVE_ORDER);
+      aInRange("s", this.s, _1n4, CURVE_ORDER);
     }
     addRecoveryBit(recovery) {
       return new Signature(this.r, this.s, recovery);
@@ -1563,20 +1769,17 @@ function weierstrass(curveDef) {
     return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
   }
   const bits2int = CURVE.bits2int || function(bytes2) {
-    const num = bytesToNumberBE(bytes2);
+    const num2 = bytesToNumberBE(bytes2);
     const delta = bytes2.length * 8 - CURVE.nBitLength;
-    return delta > 0 ? num >> BigInt(delta) : num;
+    return delta > 0 ? num2 >> BigInt(delta) : num2;
   };
   const bits2int_modN = CURVE.bits2int_modN || function(bytes2) {
     return modN2(bits2int(bytes2));
   };
   const ORDER_MASK = bitMask(CURVE.nBitLength);
-  function int2octets(num) {
-    if (typeof num !== "bigint")
-      throw new Error("bigint expected");
-    if (!(_0n4 <= num && num < ORDER_MASK))
-      throw new Error(`bigint expected < 2^${CURVE.nBitLength}`);
-    return numberToBytesBE(num, CURVE.nByteLength);
+  function int2octets(num2) {
+    aInRange(`num < 2^${CURVE.nBitLength}`, num2, _0n4, ORDER_MASK);
+    return numberToBytesBE(num2, CURVE.nByteLength);
   }
   function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
     if (["recovered", "canonical"].some((k) => k in opts))
@@ -1586,6 +1789,7 @@ function weierstrass(curveDef) {
     if (lowS == null)
       lowS = true;
     msgHash = ensureBytes("msgHash", msgHash);
+    validateSigVerOpts(opts);
     if (prehash)
       msgHash = ensureBytes("prehashed msgHash", hash2(msgHash));
     const h1int = bits2int_modN(msgHash);
@@ -1634,6 +1838,7 @@ function weierstrass(curveDef) {
     publicKey = ensureBytes("publicKey", publicKey);
     if ("strict" in opts)
       throw new Error("options.strict was renamed to lowS");
+    validateSigVerOpts(opts);
     const { lowS, prehash } = opts;
     let _sig = void 0;
     let P;
@@ -1784,9 +1989,24 @@ function mapToCurveSimpleSWU(Fp2, opts) {
   };
 }
 
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/_shortw_utils.js
+function getHash(hash2) {
+  return {
+    hash: hash2,
+    hmac: (key, ...msgs) => hmac(hash2, key, concatBytes(...msgs)),
+    randomBytes
+  };
+}
+function createCurve(curveDef, defHash) {
+  const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
+  return Object.freeze({ ...create(defHash), create });
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/abstract/hash-to-curve.js
 var os2ip = bytesToNumberBE;
 function i2osp(value, length) {
+  anum(value);
+  anum(length);
   if (value < 0 || value >= 1 << 8 * length) {
     throw new Error(`bad I2OSP call: value=${value} length=${length}`);
   }
@@ -1816,8 +2036,8 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
     DST = H(concatBytes2(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
   const ell = Math.ceil(lenInBytes / b_in_bytes);
-  if (ell > 255)
-    throw new Error("Invalid xmd length");
+  if (lenInBytes > 65535 || ell > 255)
+    throw new Error("expand_message_xmd: invalid lenInBytes");
   const DST_prime = concatBytes2(DST, i2osp(DST.length, 1));
   const Z_pad = i2osp(0, r_in_bytes);
   const l_i_b_str = i2osp(lenInBytes, 2);
@@ -1910,89 +2130,22 @@ function createHasher(Point2, mapToCurve, def) {
       const P = Point2.fromAffine(mapToCurve(u[0])).clearCofactor();
       P.assertValidity();
       return P;
+    },
+    // Same as encodeToCurve, but without hash
+    mapToCurve(scalars) {
+      if (!Array.isArray(scalars))
+        throw new Error("mapToCurve: expected array of bigints");
+      for (const i of scalars)
+        if (typeof i !== "bigint")
+          throw new Error(`mapToCurve: expected array of bigints, got ${i} in array`);
+      const P = Point2.fromAffine(mapToCurve(scalars)).clearCofactor();
+      P.assertValidity();
+      return P;
     }
   };
 }
 
-// ../../node_modules/.pnpm/@noble+hashes@1.4.0/node_modules/@noble/hashes/esm/hmac.js
-var HMAC = class extends Hash {
-  constructor(hash2, _key) {
-    super();
-    this.finished = false;
-    this.destroyed = false;
-    hash(hash2);
-    const key = toBytes(_key);
-    this.iHash = hash2.create();
-    if (typeof this.iHash.update !== "function")
-      throw new Error("Expected instance of class which extends utils.Hash");
-    this.blockLen = this.iHash.blockLen;
-    this.outputLen = this.iHash.outputLen;
-    const blockLen = this.blockLen;
-    const pad = new Uint8Array(blockLen);
-    pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
-    for (let i = 0; i < pad.length; i++)
-      pad[i] ^= 54;
-    this.iHash.update(pad);
-    this.oHash = hash2.create();
-    for (let i = 0; i < pad.length; i++)
-      pad[i] ^= 54 ^ 92;
-    this.oHash.update(pad);
-    pad.fill(0);
-  }
-  update(buf) {
-    exists(this);
-    this.iHash.update(buf);
-    return this;
-  }
-  digestInto(out) {
-    exists(this);
-    bytes(out, this.outputLen);
-    this.finished = true;
-    this.iHash.digestInto(out);
-    this.oHash.update(out);
-    this.oHash.digestInto(out);
-    this.destroy();
-  }
-  digest() {
-    const out = new Uint8Array(this.oHash.outputLen);
-    this.digestInto(out);
-    return out;
-  }
-  _cloneInto(to) {
-    to || (to = Object.create(Object.getPrototypeOf(this), {}));
-    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
-    to = to;
-    to.finished = finished;
-    to.destroyed = destroyed;
-    to.blockLen = blockLen;
-    to.outputLen = outputLen;
-    to.oHash = oHash._cloneInto(to.oHash);
-    to.iHash = iHash._cloneInto(to.iHash);
-    return to;
-  }
-  destroy() {
-    this.destroyed = true;
-    this.oHash.destroy();
-    this.iHash.destroy();
-  }
-};
-var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
-hmac.create = (hash2, key) => new HMAC(hash2, key);
-
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/_shortw_utils.js
-function getHash(hash2) {
-  return {
-    hash: hash2,
-    hmac: (key, ...msgs) => hmac(hash2, key, concatBytes(...msgs)),
-    randomBytes
-  };
-}
-function createCurve(curveDef, defHash) {
-  const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
-  return Object.freeze({ ...create(defHash), create });
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.4.0/node_modules/@noble/curves/esm/secp256k1.js
+// ../../node_modules/.pnpm/@noble+curves@1.6.0/node_modules/@noble/curves/esm/secp256k1.js
 var secp256k1P = BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f");
 var secp256k1N = BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
 var _1n5 = BigInt(1);
@@ -2070,8 +2223,6 @@ var secp256k1 = createCurve({
   }
 }, sha256);
 var _0n5 = BigInt(0);
-var fe = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1P;
-var ge = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1N;
 var TAGGED_HASH_PREFIXES = {};
 function taggedHash(tag, ...messages) {
   let tagP = TAGGED_HASH_PREFIXES[tag];
@@ -2095,8 +2246,7 @@ function schnorrGetExtPubKey(priv) {
   return { scalar, bytes: pointToBytes(p) };
 }
 function lift_x(x) {
-  if (!fe(x))
-    throw new Error("bad x: need 0 < x < p");
+  aInRange("x", x, _1n5, secp256k1P);
   const xx = modP(x * x);
   const c = modP(xx * x + BigInt(7));
   let y = sqrtMod(c);
@@ -2106,8 +2256,9 @@ function lift_x(x) {
   p.assertValidity();
   return p;
 }
+var num = bytesToNumberBE;
 function challenge(...args) {
-  return modN(bytesToNumberBE(taggedHash("BIP0340/challenge", ...args)));
+  return modN(num(taggedHash("BIP0340/challenge", ...args)));
 }
 function schnorrGetPublicKey(privateKey) {
   return schnorrGetExtPubKey(privateKey).bytes;
@@ -2116,9 +2267,9 @@ function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
   const m = ensureBytes("message", message);
   const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
   const a = ensureBytes("auxRand", auxRand, 32);
-  const t = numTo32b(d ^ bytesToNumberBE(taggedHash("BIP0340/aux", a)));
+  const t = numTo32b(d ^ num(taggedHash("BIP0340/aux", a)));
   const rand = taggedHash("BIP0340/nonce", t, px, m);
-  const k_ = modN(bytesToNumberBE(rand));
+  const k_ = modN(num(rand));
   if (k_ === _0n5)
     throw new Error("sign failed: k is zero");
   const { bytes: rx, scalar: k } = schnorrGetExtPubKey(k_);
@@ -2135,12 +2286,12 @@ function schnorrVerify(signature, message, publicKey) {
   const m = ensureBytes("message", message);
   const pub = ensureBytes("publicKey", publicKey, 32);
   try {
-    const P = lift_x(bytesToNumberBE(pub));
-    const r = bytesToNumberBE(sig.subarray(0, 32));
-    if (!fe(r))
+    const P = lift_x(num(pub));
+    const r = num(sig.subarray(0, 32));
+    if (!inRange(r, _1n5, secp256k1P))
       return false;
-    const s = bytesToNumberBE(sig.subarray(32, 64));
-    if (!ge(s))
+    const s = num(sig.subarray(32, 64));
+    if (!inRange(s, _1n5, secp256k1N))
       return false;
     const e = challenge(numTo32b(r), pointToBytes(P), m);
     const R = GmulAdd(P, s, modN(-e));
@@ -2241,4 +2392,4 @@ export {
 @noble/curves/esm/secp256k1.js:
   (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 */
-//# sourceMappingURL=secp256k1-5CEPNAX3.js.map
+//# sourceMappingURL=secp256k1-NJATWSDZ.js.map