shogun-core 5.2.0 → 5.2.1

package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js

@@ -0,0 +1,825 @@
+"use strict";
+(this["webpackChunkShogunCore"] = this["webpackChunkShogunCore"] || []).push([["defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056"],{
+
+/***/ "./node_modules/@noble/curves/esm/abstract/edwards.js":
+/*!************************************************************!*\
+  !*** ./node_modules/@noble/curves/esm/abstract/edwards.js ***!
+  \************************************************************/
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   PrimeEdwardsPoint: () => (/* binding */ PrimeEdwardsPoint),
+/* harmony export */   eddsa: () => (/* binding */ eddsa),
+/* harmony export */   edwards: () => (/* binding */ edwards),
+/* harmony export */   twistedEdwards: () => (/* binding */ twistedEdwards)
+/* harmony export */ });
+/* harmony import */ var _utils_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ../utils.js */ "./node_modules/@noble/curves/esm/utils.js");
+/* harmony import */ var _utils_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ../utils.js */ "./node_modules/@noble/hashes/esm/utils.js");
+/* harmony import */ var _curve_js__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ./curve.js */ "./node_modules/@noble/curves/esm/abstract/curve.js");
+/* harmony import */ var _modular_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(/*! ./modular.js */ "./node_modules/@noble/curves/esm/abstract/modular.js");
+/**
+ * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
+ * For design rationale of types / exports, see weierstrass module documentation.
+ * Untwisted Edwards curves exist, but they aren't used in real-world protocols.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+
+
+
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
+function isEdValidXY(Fp, CURVE, x, y) {
+    const x2 = Fp.sqr(x);
+    const y2 = Fp.sqr(y);
+    const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
+    const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
+    return Fp.eql(left, right);
+}
+function edwards(params, extraOpts = {}) {
+    const validated = (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__._createCurveFields)('edwards', params, extraOpts, extraOpts.FpFnLE);
+    const { Fp, Fn } = validated;
+    let CURVE = validated.CURVE;
+    const { h: cofactor } = CURVE;
+    (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._validateObject)(extraOpts, {}, { uvRatio: 'function' });
+    // Important:
+    // There are some places where Fp.BYTES is used instead of nByteLength.
+    // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
+    // TODO: test and find curves which behave otherwise.
+    const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
+    const modP = (n) => Fp.create(n); // Function overrides
+    // sqrt(u/v)
+    const uvRatio = extraOpts.uvRatio ||
+        ((u, v) => {
+            try {
+                return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
+            }
+            catch (e) {
+                return { isValid: false, value: _0n };
+            }
+        });
+    // Validate whether the passed curve params are valid.
+    // equation ax² + y² = 1 + dx²y² should work for generator point.
+    if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
+        throw new Error('bad curve params: generator point');
+    /**
+     * Asserts coordinate is valid: 0 <= n < MASK.
+     * Coordinates >= Fp.ORDER are allowed for zip215.
+     */
+    function acoord(title, n, banZero = false) {
+        const min = banZero ? _1n : _0n;
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.aInRange)('coordinate ' + title, n, min, MASK);
+        return n;
+    }
+    function aextpoint(other) {
+        if (!(other instanceof Point))
+            throw new Error('ExtendedPoint expected');
+    }
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    const toAffineMemo = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.memoized)((p, iz) => {
+        const { X, Y, Z } = p;
+        const is0 = p.is0();
+        if (iz == null)
+            iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily
+        const x = modP(X * iz);
+        const y = modP(Y * iz);
+        const zz = Fp.mul(Z, iz);
+        if (is0)
+            return { x: _0n, y: _1n };
+        if (zz !== _1n)
+            throw new Error('invZ was invalid');
+        return { x, y };
+    });
+    const assertValidMemo = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.memoized)((p) => {
+        const { a, d } = CURVE;
+        if (p.is0())
+            throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+        // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+        // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+        const { X, Y, Z, T } = p;
+        const X2 = modP(X * X); // X²
+        const Y2 = modP(Y * Y); // Y²
+        const Z2 = modP(Z * Z); // Z²
+        const Z4 = modP(Z2 * Z2); // Z⁴
+        const aX2 = modP(X2 * a); // aX²
+        const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+        const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+        if (left !== right)
+            throw new Error('bad point: equation left != right (1)');
+        // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+        const XY = modP(X * Y);
+        const ZT = modP(Z * T);
+        if (XY !== ZT)
+            throw new Error('bad point: equation left != right (2)');
+        return true;
+    });
+    // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
+    // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
+    class Point {
+        constructor(X, Y, Z, T) {
+            this.X = acoord('x', X);
+            this.Y = acoord('y', Y);
+            this.Z = acoord('z', Z, true);
+            this.T = acoord('t', T);
+            Object.freeze(this);
+        }
+        static CURVE() {
+            return CURVE;
+        }
+        static fromAffine(p) {
+            if (p instanceof Point)
+                throw new Error('extended point not allowed');
+            const { x, y } = p || {};
+            acoord('x', x);
+            acoord('y', y);
+            return new Point(x, y, _1n, modP(x * y));
+        }
+        // Uses algo from RFC8032 5.1.3.
+        static fromBytes(bytes, zip215 = false) {
+            const len = Fp.BYTES;
+            const { a, d } = CURVE;
+            bytes = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.copyBytes)((0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abytes2)(bytes, len, 'point'));
+            (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abool2)(zip215, 'zip215');
+            const normed = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.copyBytes)(bytes); // copy again, we'll manipulate it
+            const lastByte = bytes[len - 1]; // select last byte
+            normed[len - 1] = lastByte & ~0x80; // clear last bit
+            const y = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.bytesToNumberLE)(normed);
+            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+            // RFC8032 prohibits >= p, but ZIP215 doesn't
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+            const max = zip215 ? MASK : Fp.ORDER;
+            (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.aInRange)('point.y', y, _0n, max);
+            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
+            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
+            const y2 = modP(y * y); // denominator is always non-0 mod p.
+            const u = modP(y2 - _1n); // u = y² - 1
+            const v = modP(d * y2 - a); // v = d y² + 1.
+            let { isValid, value: x } = uvRatio(u, v); // √(u/v)
+            if (!isValid)
+                throw new Error('bad point: invalid y coordinate');
+            const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
+            const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
+            if (!zip215 && x === _0n && isLastByteOdd)
+                // if x=0 and x_0 = 1, fail
+                throw new Error('bad point: x=0 and x_0=1');
+            if (isLastByteOdd !== isXOdd)
+                x = modP(-x); // if x_0 != x mod 2, set x = p-x
+            return Point.fromAffine({ x, y });
+        }
+        static fromHex(bytes, zip215 = false) {
+            return Point.fromBytes((0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('point', bytes), zip215);
+        }
+        get x() {
+            return this.toAffine().x;
+        }
+        get y() {
+            return this.toAffine().y;
+        }
+        precompute(windowSize = 8, isLazy = true) {
+            wnaf.createCache(this, windowSize);
+            if (!isLazy)
+                this.multiply(_2n); // random number
+            return this;
+        }
+        // Useful in fromAffine() - not for fromBytes(), which always created valid points.
+        assertValidity() {
+            assertValidMemo(this);
+        }
+        // Compare one point to another.
+        equals(other) {
+            aextpoint(other);
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
+            const X1Z2 = modP(X1 * Z2);
+            const X2Z1 = modP(X2 * Z1);
+            const Y1Z2 = modP(Y1 * Z2);
+            const Y2Z1 = modP(Y2 * Z1);
+            return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+        }
+        is0() {
+            return this.equals(Point.ZERO);
+        }
+        negate() {
+            // Flips point sign to a negative one (-x, y in affine coords)
+            return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
+        }
+        // Fast algo for doubling Extended Point.
+        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
+        // Cost: 4M + 4S + 1*a + 6add + 1*2.
+        double() {
+            const { a } = CURVE;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const A = modP(X1 * X1); // A = X12
+            const B = modP(Y1 * Y1); // B = Y12
+            const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
+            const D = modP(a * A); // D = a*A
+            const x1y1 = X1 + Y1;
+            const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
+            const G = D + B; // G = D+B
+            const F = G - C; // F = G-C
+            const H = D - B; // H = D-B
+            const X3 = modP(E * F); // X3 = E*F
+            const Y3 = modP(G * H); // Y3 = G*H
+            const T3 = modP(E * H); // T3 = E*H
+            const Z3 = modP(F * G); // Z3 = F*G
+            return new Point(X3, Y3, Z3, T3);
+        }
+        // Fast algo for adding 2 Extended Points.
+        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
+        // Cost: 9M + 1*a + 1*d + 7add.
+        add(other) {
+            aextpoint(other);
+            const { a, d } = CURVE;
+            const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+            const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
+            const A = modP(X1 * X2); // A = X1*X2
+            const B = modP(Y1 * Y2); // B = Y1*Y2
+            const C = modP(T1 * d * T2); // C = T1*d*T2
+            const D = modP(Z1 * Z2); // D = Z1*Z2
+            const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
+            const F = D - C; // F = D-C
+            const G = D + C; // G = D+C
+            const H = modP(B - a * A); // H = B-a*A
+            const X3 = modP(E * F); // X3 = E*F
+            const Y3 = modP(G * H); // Y3 = G*H
+            const T3 = modP(E * H); // T3 = E*H
+            const Z3 = modP(F * G); // Z3 = F*G
+            return new Point(X3, Y3, Z3, T3);
+        }
+        subtract(other) {
+            return this.add(other.negate());
+        }
+        // Constant-time multiplication.
+        multiply(scalar) {
+            // 1 <= scalar < L
+            if (!Fn.isValidNot0(scalar))
+                throw new Error('invalid scalar: expected 1 <= sc < curve.n');
+            const { p, f } = wnaf.cached(this, scalar, (p) => (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__.normalizeZ)(Point, p));
+            return (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__.normalizeZ)(Point, [p, f])[0];
+        }
+        // Non-constant-time multiplication. Uses double-and-add algorithm.
+        // It's faster, but should only be used when you don't care about
+        // an exposed private key e.g. sig verification.
+        // Does NOT allow scalars higher than CURVE.n.
+        // Accepts optional accumulator to merge with multiply (important for sparse scalars)
+        multiplyUnsafe(scalar, acc = Point.ZERO) {
+            // 0 <= scalar < L
+            if (!Fn.isValid(scalar))
+                throw new Error('invalid scalar: expected 0 <= sc < curve.n');
+            if (scalar === _0n)
+                return Point.ZERO;
+            if (this.is0() || scalar === _1n)
+                return this;
+            return wnaf.unsafe(this, scalar, (p) => (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__.normalizeZ)(Point, p), acc);
+        }
+        // Checks if point is of small order.
+        // If you add something to small order point, you will have "dirty"
+        // point with torsion component.
+        // Multiplies point by cofactor and checks if the result is 0.
+        isSmallOrder() {
+            return this.multiplyUnsafe(cofactor).is0();
+        }
+        // Multiplies point by curve order and checks if the result is 0.
+        // Returns `false` is the point is dirty.
+        isTorsionFree() {
+            return wnaf.unsafe(this, CURVE.n).is0();
+        }
+        // Converts Extended point to default (x, y) coordinates.
+        // Can accept precomputed Z^-1 - for example, from invertBatch.
+        toAffine(invertedZ) {
+            return toAffineMemo(this, invertedZ);
+        }
+        clearCofactor() {
+            if (cofactor === _1n)
+                return this;
+            return this.multiplyUnsafe(cofactor);
+        }
+        toBytes() {
+            const { x, y } = this.toAffine();
+            // Fp.toBytes() allows non-canonical encoding of y (>= p).
+            const bytes = Fp.toBytes(y);
+            // Each y has 2 valid points: (x, y), (x,-y).
+            // When compressing, it's enough to store y and use the last byte to encode sign of x
+            bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;
+            return bytes;
+        }
+        toHex() {
+            return (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.bytesToHex)(this.toBytes());
+        }
+        toString() {
+            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
+        }
+        // TODO: remove
+        get ex() {
+            return this.X;
+        }
+        get ey() {
+            return this.Y;
+        }
+        get ez() {
+            return this.Z;
+        }
+        get et() {
+            return this.T;
+        }
+        static normalizeZ(points) {
+            return (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__.normalizeZ)(Point, points);
+        }
+        static msm(points, scalars) {
+            return (0,_curve_js__WEBPACK_IMPORTED_MODULE_2__.pippenger)(Point, Fn, points, scalars);
+        }
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
+        toRawBytes() {
+            return this.toBytes();
+        }
+    }
+    // base / generator point
+    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
+    // zero / infinity / identity point
+    Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
+    // math field
+    Point.Fp = Fp;
+    // scalar field
+    Point.Fn = Fn;
+    const wnaf = new _curve_js__WEBPACK_IMPORTED_MODULE_2__.wNAF(Point, Fn.BITS);
+    Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+    return Point;
+}
+/**
+ * Base class for prime-order points like Ristretto255 and Decaf448.
+ * These points eliminate cofactor issues by representing equivalence classes
+ * of Edwards curve points.
+ */
+class PrimeEdwardsPoint {
+    constructor(ep) {
+        this.ep = ep;
+    }
+    // Static methods that must be implemented by subclasses
+    static fromBytes(_bytes) {
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.notImplemented)();
+    }
+    static fromHex(_hex) {
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.notImplemented)();
+    }
+    get x() {
+        return this.toAffine().x;
+    }
+    get y() {
+        return this.toAffine().y;
+    }
+    // Common implementations
+    clearCofactor() {
+        // no-op for prime-order groups
+        return this;
+    }
+    assertValidity() {
+        this.ep.assertValidity();
+    }
+    toAffine(invertedZ) {
+        return this.ep.toAffine(invertedZ);
+    }
+    toHex() {
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.bytesToHex)(this.toBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    isTorsionFree() {
+        return true;
+    }
+    isSmallOrder() {
+        return false;
+    }
+    add(other) {
+        this.assertSame(other);
+        return this.init(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        this.assertSame(other);
+        return this.init(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return this.init(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return this.init(this.ep.multiplyUnsafe(scalar));
+    }
+    double() {
+        return this.init(this.ep.double());
+    }
+    negate() {
+        return this.init(this.ep.negate());
+    }
+    precompute(windowSize, isLazy) {
+        return this.init(this.ep.precompute(windowSize, isLazy));
+    }
+    /** @deprecated use `toBytes` */
+    toRawBytes() {
+        return this.toBytes();
+    }
+}
+/**
+ * Initializes EdDSA signatures over given Edwards curve.
+ */
+function eddsa(Point, cHash, eddsaOpts = {}) {
+    if (typeof cHash !== 'function')
+        throw new Error('"hash" function param is required');
+    (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._validateObject)(eddsaOpts, {}, {
+        adjustScalarBytes: 'function',
+        randomBytes: 'function',
+        domain: 'function',
+        prehash: 'function',
+        mapToCurve: 'function',
+    });
+    const { prehash } = eddsaOpts;
+    const { BASE, Fp, Fn } = Point;
+    const randomBytes = eddsaOpts.randomBytes || _utils_js__WEBPACK_IMPORTED_MODULE_1__.randomBytes;
+    const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
+    const domain = eddsaOpts.domain ||
+        ((data, ctx, phflag) => {
+            (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abool2)(phflag, 'phflag');
+            if (ctx.length || phflag)
+                throw new Error('Contexts/pre-hash are not supported');
+            return data;
+        }); // NOOP
+    // Little-endian SHA512 with modulo n
+    function modN_LE(hash) {
+        return Fn.create((0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.bytesToNumberLE)(hash)); // Not Fn.fromBytes: it has length limit
+    }
+    // Get the hashed private scalar per RFC8032 5.1.5
+    function getPrivateScalar(key) {
+        const len = lengths.secretKey;
+        key = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('private key', key, len);
+        // Hash private key with curve's hash function to produce uniformingly random input
+        // Check byte lengths: ensure(64, h(ensure(32, key)))
+        const hashed = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('hashed private key', cHash(key), 2 * len);
+        const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
+        const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
+        const scalar = modN_LE(head); // The actual private scalar
+        return { head, prefix, scalar };
+    }
+    /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+    function getExtendedPublicKey(secretKey) {
+        const { head, prefix, scalar } = getPrivateScalar(secretKey);
+        const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
+        const pointBytes = point.toBytes();
+        return { head, prefix, scalar, point, pointBytes };
+    }
+    /** Calculates EdDSA pub key. RFC8032 5.1.5. */
+    function getPublicKey(secretKey) {
+        return getExtendedPublicKey(secretKey).pointBytes;
+    }
+    // int('LE', SHA512(dom2(F, C) || msgs)) mod N
+    function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
+        const msg = (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.concatBytes)(...msgs);
+        return modN_LE(cHash(domain(msg, (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('context', context), !!prehash)));
+    }
+    /** Signs message with privateKey. RFC8032 5.1.6 */
+    function sign(msg, secretKey, options = {}) {
+        msg = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('message', msg);
+        if (prehash)
+            msg = prehash(msg); // for ed25519ph etc.
+        const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
+        const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
+        const R = BASE.multiply(r).toBytes(); // R = rG
+        const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
+        const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
+        if (!Fn.isValid(s))
+            throw new Error('sign failed: invalid s'); // 0 <= s < L
+        const rs = (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.concatBytes)(R, Fn.toBytes(s));
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abytes2)(rs, lengths.signature, 'result');
+    }
+    // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+    const verifyOpts = { zip215: true };
+    /**
+     * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+     * An extended group equation is checked.
+     */
+    function verify(sig, msg, publicKey, options = verifyOpts) {
+        const { context, zip215 } = options;
+        const len = lengths.signature;
+        sig = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('signature', sig, len);
+        msg = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('message', msg);
+        publicKey = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('publicKey', publicKey, lengths.publicKey);
+        if (zip215 !== undefined)
+            (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abool2)(zip215, 'zip215');
+        if (prehash)
+            msg = prehash(msg); // for ed25519ph, etc
+        const mid = len / 2;
+        const r = sig.subarray(0, mid);
+        const s = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.bytesToNumberLE)(sig.subarray(mid, len));
+        let A, R, SB;
+        try {
+            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+            A = Point.fromBytes(publicKey, zip215);
+            R = Point.fromBytes(r, zip215);
+            SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
+        }
+        catch (error) {
+            return false;
+        }
+        if (!zip215 && A.isSmallOrder())
+            return false; // zip215 allows public keys of small order
+        const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
+        const RkA = R.add(A.multiplyUnsafe(k));
+        // Extended group equation
+        // [8][S]B = [8]R + [8][k]A'
+        return RkA.subtract(SB).clearCofactor().is0();
+    }
+    const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
+    const lengths = {
+        secretKey: _size,
+        publicKey: _size,
+        signature: 2 * _size,
+        seed: _size,
+    };
+    function randomSecretKey(seed = randomBytes(lengths.seed)) {
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abytes2)(seed, lengths.seed, 'seed');
+    }
+    function keygen(seed) {
+        const secretKey = utils.randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    }
+    function isValidSecretKey(key) {
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.isBytes)(key) && key.length === Fn.BYTES;
+    }
+    function isValidPublicKey(key, zip215) {
+        try {
+            return !!Point.fromBytes(key, zip215);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    const utils = {
+        getExtendedPublicKey,
+        randomSecretKey,
+        isValidSecretKey,
+        isValidPublicKey,
+        /**
+         * Converts ed public key to x public key. Uses formula:
+         * - ed25519:
+         *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+         *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+         * - ed448:
+         *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+         *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+         */
+        toMontgomery(publicKey) {
+            const { y } = Point.fromBytes(publicKey);
+            const size = lengths.publicKey;
+            const is25519 = size === 32;
+            if (!is25519 && size !== 57)
+                throw new Error('only defined for 25519 and 448');
+            const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
+            return Fp.toBytes(u);
+        },
+        toMontgomerySecret(secretKey) {
+            const size = lengths.secretKey;
+            (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._abytes2)(secretKey, size);
+            const hashed = cHash(secretKey.subarray(0, size));
+            return adjustScalarBytes(hashed).subarray(0, size);
+        },
+        /** @deprecated */
+        randomPrivateKey: randomSecretKey,
+        /** @deprecated */
+        precompute(windowSize = 8, point = Point.BASE) {
+            return point.precompute(windowSize, false);
+        },
+    };
+    return Object.freeze({
+        keygen,
+        getPublicKey,
+        sign,
+        verify,
+        utils,
+        Point,
+        lengths,
+    });
+}
+function _eddsa_legacy_opts_to_new(c) {
+    const CURVE = {
+        a: c.a,
+        d: c.d,
+        p: c.Fp.ORDER,
+        n: c.n,
+        h: c.h,
+        Gx: c.Gx,
+        Gy: c.Gy,
+    };
+    const Fp = c.Fp;
+    const Fn = (0,_modular_js__WEBPACK_IMPORTED_MODULE_3__.Field)(CURVE.n, c.nBitLength, true);
+    const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };
+    const eddsaOpts = {
+        randomBytes: c.randomBytes,
+        adjustScalarBytes: c.adjustScalarBytes,
+        domain: c.domain,
+        prehash: c.prehash,
+        mapToCurve: c.mapToCurve,
+    };
+    return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
+}
+function _eddsa_new_output_to_legacy(c, eddsa) {
+    const Point = eddsa.Point;
+    const legacy = Object.assign({}, eddsa, {
+        ExtendedPoint: Point,
+        CURVE: c,
+        nBitLength: Point.Fn.BITS,
+        nByteLength: Point.Fn.BYTES,
+    });
+    return legacy;
+}
+// TODO: remove. Use eddsa
+function twistedEdwards(c) {
+    const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
+    const Point = edwards(CURVE, curveOpts);
+    const EDDSA = eddsa(Point, hash, eddsaOpts);
+    return _eddsa_new_output_to_legacy(c, EDDSA);
+}
+//# sourceMappingURL=edwards.js.map
+
+/***/ }),
+
+/***/ "./node_modules/@noble/curves/esm/abstract/montgomery.js":
+/*!***************************************************************!*\
+  !*** ./node_modules/@noble/curves/esm/abstract/montgomery.js ***!
+  \***************************************************************/
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   montgomery: () => (/* binding */ montgomery)
+/* harmony export */ });
+/* harmony import */ var _utils_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ../utils.js */ "./node_modules/@noble/curves/esm/utils.js");
+/* harmony import */ var _utils_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ../utils.js */ "./node_modules/@noble/hashes/esm/utils.js");
+/* harmony import */ var _modular_js__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ./modular.js */ "./node_modules/@noble/curves/esm/abstract/modular.js");
+/**
+ * Montgomery curve methods. It's not really whole montgomery curve,
+ * just bunch of very specific methods for X25519 / X448 from
+ * [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+
+
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+function validateOpts(curve) {
+    (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__._validateObject)(curve, {
+        adjustScalarBytes: 'function',
+        powPminus2: 'function',
+    });
+    return Object.freeze({ ...curve });
+}
+function montgomery(curveDef) {
+    const CURVE = validateOpts(curveDef);
+    const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
+    const is25519 = type === 'x25519';
+    if (!is25519 && type !== 'x448')
+        throw new Error('invalid type');
+    const randomBytes_ = rand || _utils_js__WEBPACK_IMPORTED_MODULE_1__.randomBytes;
+    const montgomeryBits = is25519 ? 255 : 448;
+    const fieldLen = is25519 ? 32 : 56;
+    const Gu = is25519 ? BigInt(9) : BigInt(5);
+    // RFC 7748 #5:
+    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
+    // (156326 - 2) / 4 = 39081 for curve448/X448
+    // const a = is25519 ? 156326n : 486662n;
+    const a24 = is25519 ? BigInt(121665) : BigInt(39081);
+    // RFC: x25519 "the resulting integer is of the form 2^254 plus
+    // eight times a value between 0 and 2^251 - 1 (inclusive)"
+    // x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
+    const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
+    const maxAdded = is25519
+        ? BigInt(8) * _2n ** BigInt(251) - _1n
+        : BigInt(4) * _2n ** BigInt(445) - _1n;
+    const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
+    const modP = (n) => (0,_modular_js__WEBPACK_IMPORTED_MODULE_2__.mod)(n, P);
+    const GuBytes = encodeU(Gu);
+    function encodeU(u) {
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.numberToBytesLE)(modP(u), fieldLen);
+    }
+    function decodeU(u) {
+        const _u = (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('u coordinate', u, fieldLen);
+        // RFC: When receiving such an array, implementations of X25519
+        // (but not X448) MUST mask the most significant bit in the final byte.
+        if (is25519)
+            _u[31] &= 127; // 0b0111_1111
+        // RFC: Implementations MUST accept non-canonical values and process them as
+        // if they had been reduced modulo the field prime.  The non-canonical
+        // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
+        // - 1 through 2^448 - 1 for X448.
+        return modP((0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.bytesToNumberLE)(_u));
+    }
+    function decodeScalar(scalar) {
+        return (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.bytesToNumberLE)(adjustScalarBytes((0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.ensureBytes)('scalar', scalar, fieldLen)));
+    }
+    function scalarMult(scalar, u) {
+        const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
+        // Some public keys are useless, of low-order. Curve author doesn't think
+        // it needs to be validated, but we do it nonetheless.
+        // https://cr.yp.to/ecdh.html#validate
+        if (pu === _0n)
+            throw new Error('invalid private or public key received');
+        return encodeU(pu);
+    }
+    // Computes public key from private. By doing scalar multiplication of base point.
+    function scalarMultBase(scalar) {
+        return scalarMult(scalar, GuBytes);
+    }
+    // cswap from RFC7748 "example code"
+    function cswap(swap, x_2, x_3) {
+        // dummy = mask(swap) AND (x_2 XOR x_3)
+        // Where mask(swap) is the all-1 or all-0 word of the same length as x_2
+        // and x_3, computed, e.g., as mask(swap) = 0 - swap.
+        const dummy = modP(swap * (x_2 - x_3));
+        x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
+        x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
+        return { x_2, x_3 };
+    }
+    /**
+     * Montgomery x-only multiplication ladder.
+     * @param pointU u coordinate (x) on Montgomery Curve 25519
+     * @param scalar by which the point would be multiplied
+     * @returns new Point on Montgomery curve
+     */
+    function montgomeryLadder(u, scalar) {
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.aInRange)('u', u, _0n, P);
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_0__.aInRange)('scalar', scalar, minScalar, maxScalar);
+        const k = scalar;
+        const x_1 = u;
+        let x_2 = _1n;
+        let z_2 = _0n;
+        let x_3 = u;
+        let z_3 = _1n;
+        let swap = _0n;
+        for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
+            const k_t = (k >> t) & _1n;
+            swap ^= k_t;
+            ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+            ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+            swap = k_t;
+            const A = x_2 + z_2;
+            const AA = modP(A * A);
+            const B = x_2 - z_2;
+            const BB = modP(B * B);
+            const E = AA - BB;
+            const C = x_3 + z_3;
+            const D = x_3 - z_3;
+            const DA = modP(D * A);
+            const CB = modP(C * B);
+            const dacb = DA + CB;
+            const da_cb = DA - CB;
+            x_3 = modP(dacb * dacb);
+            z_3 = modP(x_1 * modP(da_cb * da_cb));
+            x_2 = modP(AA * BB);
+            z_2 = modP(E * (AA + modP(a24 * E)));
+        }
+        ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+        ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+        const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
+        return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
+    }
+    const lengths = {
+        secretKey: fieldLen,
+        publicKey: fieldLen,
+        seed: fieldLen,
+    };
+    const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
+        (0,_utils_js__WEBPACK_IMPORTED_MODULE_1__.abytes)(seed, lengths.seed);
+        return seed;
+    };
+    function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: scalarMultBase(secretKey) };
+    }
+    const utils = {
+        randomSecretKey,
+        randomPrivateKey: randomSecretKey,
+    };
+    return {
+        keygen,
+        getSharedSecret: (secretKey, publicKey) => scalarMult(secretKey, publicKey),
+        getPublicKey: (secretKey) => scalarMultBase(secretKey),
+        scalarMult,
+        scalarMultBase,
+        utils,
+        GuBytes: GuBytes.slice(),
+        lengths,
+    };
+}
+//# sourceMappingURL=montgomery.js.map
+
+/***/ })
+
+}]);
+//# sourceMappingURL=defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js.map