shogun-core 5.2.0 → 5.2.1

package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js","mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACmO;AACrJ;AACzC;AACrC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,uCAAuC;AAC9C,sBAAsB,6DAAkB;AACxC,YAAY,SAAS;AACrB;AACA,YAAY,cAAc;AAC1B,IAAI,0DAAe,cAAc,IAAI,qBAAqB;AAC1D;AACA;AACA;AACA;AACA;AACA,sCAAsC;AACtC;AACA;AACA;AACA;AACA,yBAAyB;AACzB;AACA;AACA,yBAAyB;AACzB;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,mDAAQ;AAChB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,yBAAyB,mDAAQ;AACjC,gBAAgB,UAAU;AAC1B;AACA;AACA,wCAAwC;AACxC;AACA;AACA;AACA;AACA,qBAAqB;AACrB;AACA;AACA,iBAAiB;AACjB,KAAK;AACL,4BAA4B,mDAAQ;AACpC,gBAAgB,OAAO;AACvB;AACA,gDAAgD;AAChD;AACA;AACA,gBAAgB,aAAa;AAC7B,gCAAgC;AAChC,gCAAgC;AAChC,gCAAgC;AAChC,kCAAkC;AAClC,kCAAkC;AAClC,gDAAgD;AAChD,0DAA0D;AAC1D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B,oBAAoB,oDAAS,CAAC,mDAAM;AACpC,YAAY,kDAAK;AACjB,2BAA2B,oDAAS,SAAS;AAC7C,6CAA6C;AAC7C,gDAAgD;AAChD,sBAAsB,0DAAe;AACrC;AACA;AACA;AACA;AACA;AACA,YAAY,mDAAQ;AACpB;AACA;AACA,oCAAoC;AACpC,sCAAsC;AACtC,wCAAwC;AACxC,kBAAkB,oBAAoB,iBAAiB;AACvD;AACA;AACA,8CAA8C;AAC9C,2DAA2D;AAC3D;AACA;AACA;AACA;AACA,8BAA8B;AAC9B,sCAAsC,MAAM;AAC5C;AACA;AACA,mCAAmC,sDAAW;AAC9C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oCAAoC;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,sBAAsB;AAC1C,oBAAoB,sBAAsB;AAC1C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,IAAI;AACxB,oBAAoB,sBAAsB;AAC1C,qCAAqC;AACrC,qCAAqC;AACrC,iDAAiD;AACjD,mCAAmC;AACnC;AACA,uDAAuD;AACvD,6BAA6B;AAC7B,6BAA6B;AAC7B,6BAA6B;AAC7B,oCAAoC;AACpC,oCAAoC;AACpC,oCAAoC;AACpC,oCAAoC;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B,oBAAoB,6BAA6B;AACjD,oBAAoB,6BAA6B;AACjD,qCAAqC;AACrC,qCAAqC;AACrC,yCAAyC;AACzC,qCAAqC;AACrC,2DAA2D;AAC3D,6BAA6B;AAC7B,6BAA6B;AAC7B,uCAAuC;AACvC,oCAAoC;AACpC,oCAAoC;AACpC,oCAAoC;AACpC,oCAAoC;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO,mCAAmC,qDAAU;AACxE,mBAAmB,qDAAU;AAC7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oDAAoD,qDAAU;AAC9D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,mBAAmB,qDAAU;AAC7B;AACA;AACA,6BAA6B,mCAAmC;AAChE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,mBAAmB,qDAAU;AAC7B;AACA;AACA,mBAAmB,oDAAS;AAC5B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gDAAgD;AAChD;AACA;AACA;AACA;AACA,qBAAqB,2CAAI;AACzB,8BAA8B;AAC9B;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA,QAAQ,yDAAc;AACtB;AACA;AACA,QAAQ,yDAAc;AACtB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,qDAAU;AACzB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,2CAA2C;AAClD;AACA;AACA,IAAI,0DAAe,cAAc;AACjC;AACA;AACA;AACA;AACA;AACA,KAAK;AACL,YAAY,UAAU;AACtB,YAAY,eAAe;AAC3B,iDAAiD,kDAAc;AAC/D;AACA;AACA;AACA,YAAY,kDAAK;AACjB;AACA;AACA;AACA,SAAS,GAAG;AACZ;AACA;AACA,yBAAyB,0DAAe,SAAS;AACjD;AACA;AACA;AACA;AACA,cAAc,sDAAW;AACzB;AACA;AACA,uBAAuB,sDAAW;AAClC,8DAA8D;AAC9D,mDAAmD;AACnD,sCAAsC;AACtC,iBAAiB;AACjB;AACA;AACA;AACA,gBAAgB,uBAAuB;AACvC,6CAA6C;AAC7C;AACA,iBAAiB;AACjB;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,sDAAW;AAC/B,yCAAyC,sDAAW;AACpD;AACA;AACA,8CAA8C;AAC9C,cAAc,sDAAW;AACzB;AACA,gCAAgC;AAChC,gBAAgB,6BAA6B;AAC7C,oEAAoE;AACpE,8CAA8C;AAC9C,2EAA2E;AAC3E,6CAA6C;AAC7C;AACA,uDAAuD;AACvD,mBAAmB,sDAAW;AAC9B,eAAe,mDAAM;AACrB;AACA;AACA,yBAAyB;AACzB;AACA;AACA;AACA;AACA;AACA,gBAAgB,kBAAkB;AAClC;AACA,cAAc,sDAAW;AACzB,cAAc,sDAAW;AACzB,oBAAoB,sDAAW;AAC/B;AACA,YAAY,kDAAK;AACjB;AACA,gCAAgC;AAChC;AACA;AACA,kBAAkB,0DAAe;AACjC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,yCAAyC;AACzC;AACA;AACA;AACA;AACA;AACA,0BAA0B;AAC1B;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B;AAC5B;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,mDAAM;AACrB;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA,eAAe,kDAAO;AACtB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,IAAI;AACxB;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA,YAAY,mDAAM;AAClB;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,kDAAK;AACpB,wBAAwB;AACxB;AACA;AACA;AACA;AACA;AACA;AACA;AACA,aAAa;AACb;AACA;AACA;AACA,mCAAmC;AACnC;AACA;AACA;AACA;AACA,KAAK;AACL;AACA;AACA;AACO;AACP,YAAY,oCAAoC;AAChD;AACA;AACA;AACA;AACA,mC;;;;;;;;;;;;;;;;;AClnBA;AACA;AACA;AACA;AACA;AACA;AACA;AAC6H;AAC1F;AACnC;AACA;AACA;AACA;AACA,IAAI,0DAAe;AACnB;AACA;AACA,KAAK;AACL,2BAA2B,UAAU;AACrC;AACO;AACP;AACA,YAAY,4DAA4D;AACxE;AACA;AACA;AACA,iCAAiC,kDAAW;AAC5C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,kDAAkD;AAClD,wBAAwB,gDAAG;AAC3B;AACA;AACA,eAAe,0DAAe;AAC9B;AACA;AACA,mBAAmB,sDAAW;AAC9B;AACA;AACA;AACA,2BAA2B;AAC3B;AACA;AACA;AACA;AACA,oBAAoB,0DAAe;AACnC;AACA;AACA,eAAe,0DAAe,mBAAmB,sDAAW;AAC5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,iCAAiC;AACjC,iCAAiC;AACjC,iBAAiB;AACjB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,mDAAQ;AAChB,QAAQ,mDAAQ;AAChB;AACA;AACA;AACA;AACA;AACA;AACA;AACA,iDAAiD,UAAU;AAC3D;AACA;AACA,eAAe,WAAW;AAC1B,eAAe,qBAAqB;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,WAAW,WAAW;AACtB,WAAW,qBAAqB;AAChC,oCAAoC;AACpC,+BAA+B;AAC/B;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,iDAAM;AACd;AACA;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,sC","sources":["webpack://ShogunCore/./node_modules/@noble/curves/esm/abstract/edwards.js","webpack://ShogunCore/./node_modules/@noble/curves/esm/abstract/montgomery.js"],"sourcesContent":["/**\n * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².\n * For design rationale of types / exports, see weierstrass module documentation.\n * Untwisted Edwards curves exist, but they aren't used in real-world protocols.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { _validateObject, _abool2 as abool, _abytes2 as abytes, aInRange, bytesToHex, bytesToNumberLE, concatBytes, copyBytes, ensureBytes, isBytes, memoized, notImplemented, randomBytes as randomBytesWeb, } from \"../utils.js\";\nimport { _createCurveFields, normalizeZ, pippenger, wNAF, } from \"./curve.js\";\nimport { Field } from \"./modular.js\";\n// Be friendly to bad ECMAScript parsers by not using bigint literals\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);\nfunction isEdValidXY(Fp, CURVE, x, y) {\n    const x2 = Fp.sqr(x);\n    const y2 = Fp.sqr(y);\n    const left = Fp.add(Fp.mul(CURVE.a, x2), y2);\n    const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));\n    return Fp.eql(left, right);\n}\nexport function edwards(params, extraOpts = {}) {\n    const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);\n    const { Fp, Fn } = validated;\n    let CURVE = validated.CURVE;\n    const { h: cofactor } = CURVE;\n    _validateObject(extraOpts, {}, { uvRatio: 'function' });\n    // Important:\n    // There are some places where Fp.BYTES is used instead of nByteLength.\n    // So far, everything has been tested with curves of Fp.BYTES == nByteLength.\n    // TODO: test and find curves which behave otherwise.\n    const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);\n    const modP = (n) => Fp.create(n); // Function overrides\n    // sqrt(u/v)\n    const uvRatio = extraOpts.uvRatio ||\n        ((u, v) => {\n            try {\n                return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };\n            }\n            catch (e) {\n                return { isValid: false, value: _0n };\n            }\n        });\n    // Validate whether the passed curve params are valid.\n    // equation ax² + y² = 1 + dx²y² should work for generator point.\n    if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))\n        throw new Error('bad curve params: generator point');\n    /**\n     * Asserts coordinate is valid: 0 <= n < MASK.\n     * Coordinates >= Fp.ORDER are allowed for zip215.\n     */\n    function acoord(title, n, banZero = false) {\n        const min = banZero ? _1n : _0n;\n        aInRange('coordinate ' + title, n, min, MASK);\n        return n;\n    }\n    function aextpoint(other) {\n        if (!(other instanceof Point))\n            throw new Error('ExtendedPoint expected');\n    }\n    // Converts Extended point to default (x, y) coordinates.\n    // Can accept precomputed Z^-1 - for example, from invertBatch.\n    const toAffineMemo = memoized((p, iz) => {\n        const { X, Y, Z } = p;\n        const is0 = p.is0();\n        if (iz == null)\n            iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily\n        const x = modP(X * iz);\n        const y = modP(Y * iz);\n        const zz = Fp.mul(Z, iz);\n        if (is0)\n            return { x: _0n, y: _1n };\n        if (zz !== _1n)\n            throw new Error('invZ was invalid');\n        return { x, y };\n    });\n    const assertValidMemo = memoized((p) => {\n        const { a, d } = CURVE;\n        if (p.is0())\n            throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?\n        // Equation in affine coordinates: ax² + y² = 1 + dx²y²\n        // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²\n        const { X, Y, Z, T } = p;\n        const X2 = modP(X * X); // X²\n        const Y2 = modP(Y * Y); // Y²\n        const Z2 = modP(Z * Z); // Z²\n        const Z4 = modP(Z2 * Z2); // Z⁴\n        const aX2 = modP(X2 * a); // aX²\n        const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²\n        const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²\n        if (left !== right)\n            throw new Error('bad point: equation left != right (1)');\n        // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T\n        const XY = modP(X * Y);\n        const ZT = modP(Z * T);\n        if (XY !== ZT)\n            throw new Error('bad point: equation left != right (2)');\n        return true;\n    });\n    // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).\n    // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates\n    class Point {\n        constructor(X, Y, Z, T) {\n            this.X = acoord('x', X);\n            this.Y = acoord('y', Y);\n            this.Z = acoord('z', Z, true);\n            this.T = acoord('t', T);\n            Object.freeze(this);\n        }\n        static CURVE() {\n            return CURVE;\n        }\n        static fromAffine(p) {\n            if (p instanceof Point)\n                throw new Error('extended point not allowed');\n            const { x, y } = p || {};\n            acoord('x', x);\n            acoord('y', y);\n            return new Point(x, y, _1n, modP(x * y));\n        }\n        // Uses algo from RFC8032 5.1.3.\n        static fromBytes(bytes, zip215 = false) {\n            const len = Fp.BYTES;\n            const { a, d } = CURVE;\n            bytes = copyBytes(abytes(bytes, len, 'point'));\n            abool(zip215, 'zip215');\n            const normed = copyBytes(bytes); // copy again, we'll manipulate it\n            const lastByte = bytes[len - 1]; // select last byte\n            normed[len - 1] = lastByte & ~0x80; // clear last bit\n            const y = bytesToNumberLE(normed);\n            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.\n            // RFC8032 prohibits >= p, but ZIP215 doesn't\n            // zip215=true:  0 <= y < MASK (2^256 for ed25519)\n            // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n            const max = zip215 ? MASK : Fp.ORDER;\n            aInRange('point.y', y, _0n, max);\n            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:\n            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)\n            const y2 = modP(y * y); // denominator is always non-0 mod p.\n            const u = modP(y2 - _1n); // u = y² - 1\n            const v = modP(d * y2 - a); // v = d y² + 1.\n            let { isValid, value: x } = uvRatio(u, v); // √(u/v)\n            if (!isValid)\n                throw new Error('bad point: invalid y coordinate');\n            const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper\n            const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit\n            if (!zip215 && x === _0n && isLastByteOdd)\n                // if x=0 and x_0 = 1, fail\n                throw new Error('bad point: x=0 and x_0=1');\n            if (isLastByteOdd !== isXOdd)\n                x = modP(-x); // if x_0 != x mod 2, set x = p-x\n            return Point.fromAffine({ x, y });\n        }\n        static fromHex(bytes, zip215 = false) {\n            return Point.fromBytes(ensureBytes('point', bytes), zip215);\n        }\n        get x() {\n            return this.toAffine().x;\n        }\n        get y() {\n            return this.toAffine().y;\n        }\n        precompute(windowSize = 8, isLazy = true) {\n            wnaf.createCache(this, windowSize);\n            if (!isLazy)\n                this.multiply(_2n); // random number\n            return this;\n        }\n        // Useful in fromAffine() - not for fromBytes(), which always created valid points.\n        assertValidity() {\n            assertValidMemo(this);\n        }\n        // Compare one point to another.\n        equals(other) {\n            aextpoint(other);\n            const { X: X1, Y: Y1, Z: Z1 } = this;\n            const { X: X2, Y: Y2, Z: Z2 } = other;\n            const X1Z2 = modP(X1 * Z2);\n            const X2Z1 = modP(X2 * Z1);\n            const Y1Z2 = modP(Y1 * Z2);\n            const Y2Z1 = modP(Y2 * Z1);\n            return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;\n        }\n        is0() {\n            return this.equals(Point.ZERO);\n        }\n        negate() {\n            // Flips point sign to a negative one (-x, y in affine coords)\n            return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));\n        }\n        // Fast algo for doubling Extended Point.\n        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd\n        // Cost: 4M + 4S + 1*a + 6add + 1*2.\n        double() {\n            const { a } = CURVE;\n            const { X: X1, Y: Y1, Z: Z1 } = this;\n            const A = modP(X1 * X1); // A = X12\n            const B = modP(Y1 * Y1); // B = Y12\n            const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12\n            const D = modP(a * A); // D = a*A\n            const x1y1 = X1 + Y1;\n            const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B\n            const G = D + B; // G = D+B\n            const F = G - C; // F = G-C\n            const H = D - B; // H = D-B\n            const X3 = modP(E * F); // X3 = E*F\n            const Y3 = modP(G * H); // Y3 = G*H\n            const T3 = modP(E * H); // T3 = E*H\n            const Z3 = modP(F * G); // Z3 = F*G\n            return new Point(X3, Y3, Z3, T3);\n        }\n        // Fast algo for adding 2 Extended Points.\n        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd\n        // Cost: 9M + 1*a + 1*d + 7add.\n        add(other) {\n            aextpoint(other);\n            const { a, d } = CURVE;\n            const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;\n            const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;\n            const A = modP(X1 * X2); // A = X1*X2\n            const B = modP(Y1 * Y2); // B = Y1*Y2\n            const C = modP(T1 * d * T2); // C = T1*d*T2\n            const D = modP(Z1 * Z2); // D = Z1*Z2\n            const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B\n            const F = D - C; // F = D-C\n            const G = D + C; // G = D+C\n            const H = modP(B - a * A); // H = B-a*A\n            const X3 = modP(E * F); // X3 = E*F\n            const Y3 = modP(G * H); // Y3 = G*H\n            const T3 = modP(E * H); // T3 = E*H\n            const Z3 = modP(F * G); // Z3 = F*G\n            return new Point(X3, Y3, Z3, T3);\n        }\n        subtract(other) {\n            return this.add(other.negate());\n        }\n        // Constant-time multiplication.\n        multiply(scalar) {\n            // 1 <= scalar < L\n            if (!Fn.isValidNot0(scalar))\n                throw new Error('invalid scalar: expected 1 <= sc < curve.n');\n            const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));\n            return normalizeZ(Point, [p, f])[0];\n        }\n        // Non-constant-time multiplication. Uses double-and-add algorithm.\n        // It's faster, but should only be used when you don't care about\n        // an exposed private key e.g. sig verification.\n        // Does NOT allow scalars higher than CURVE.n.\n        // Accepts optional accumulator to merge with multiply (important for sparse scalars)\n        multiplyUnsafe(scalar, acc = Point.ZERO) {\n            // 0 <= scalar < L\n            if (!Fn.isValid(scalar))\n                throw new Error('invalid scalar: expected 0 <= sc < curve.n');\n            if (scalar === _0n)\n                return Point.ZERO;\n            if (this.is0() || scalar === _1n)\n                return this;\n            return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);\n        }\n        // Checks if point is of small order.\n        // If you add something to small order point, you will have \"dirty\"\n        // point with torsion component.\n        // Multiplies point by cofactor and checks if the result is 0.\n        isSmallOrder() {\n            return this.multiplyUnsafe(cofactor).is0();\n        }\n        // Multiplies point by curve order and checks if the result is 0.\n        // Returns `false` is the point is dirty.\n        isTorsionFree() {\n            return wnaf.unsafe(this, CURVE.n).is0();\n        }\n        // Converts Extended point to default (x, y) coordinates.\n        // Can accept precomputed Z^-1 - for example, from invertBatch.\n        toAffine(invertedZ) {\n            return toAffineMemo(this, invertedZ);\n        }\n        clearCofactor() {\n            if (cofactor === _1n)\n                return this;\n            return this.multiplyUnsafe(cofactor);\n        }\n        toBytes() {\n            const { x, y } = this.toAffine();\n            // Fp.toBytes() allows non-canonical encoding of y (>= p).\n            const bytes = Fp.toBytes(y);\n            // Each y has 2 valid points: (x, y), (x,-y).\n            // When compressing, it's enough to store y and use the last byte to encode sign of x\n            bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;\n            return bytes;\n        }\n        toHex() {\n            return bytesToHex(this.toBytes());\n        }\n        toString() {\n            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;\n        }\n        // TODO: remove\n        get ex() {\n            return this.X;\n        }\n        get ey() {\n            return this.Y;\n        }\n        get ez() {\n            return this.Z;\n        }\n        get et() {\n            return this.T;\n        }\n        static normalizeZ(points) {\n            return normalizeZ(Point, points);\n        }\n        static msm(points, scalars) {\n            return pippenger(Point, Fn, points, scalars);\n        }\n        _setWindowSize(windowSize) {\n            this.precompute(windowSize);\n        }\n        toRawBytes() {\n            return this.toBytes();\n        }\n    }\n    // base / generator point\n    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));\n    // zero / infinity / identity point\n    Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0\n    // math field\n    Point.Fp = Fp;\n    // scalar field\n    Point.Fn = Fn;\n    const wnaf = new wNAF(Point, Fn.BITS);\n    Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.\n    return Point;\n}\n/**\n * Base class for prime-order points like Ristretto255 and Decaf448.\n * These points eliminate cofactor issues by representing equivalence classes\n * of Edwards curve points.\n */\nexport class PrimeEdwardsPoint {\n    constructor(ep) {\n        this.ep = ep;\n    }\n    // Static methods that must be implemented by subclasses\n    static fromBytes(_bytes) {\n        notImplemented();\n    }\n    static fromHex(_hex) {\n        notImplemented();\n    }\n    get x() {\n        return this.toAffine().x;\n    }\n    get y() {\n        return this.toAffine().y;\n    }\n    // Common implementations\n    clearCofactor() {\n        // no-op for prime-order groups\n        return this;\n    }\n    assertValidity() {\n        this.ep.assertValidity();\n    }\n    toAffine(invertedZ) {\n        return this.ep.toAffine(invertedZ);\n    }\n    toHex() {\n        return bytesToHex(this.toBytes());\n    }\n    toString() {\n        return this.toHex();\n    }\n    isTorsionFree() {\n        return true;\n    }\n    isSmallOrder() {\n        return false;\n    }\n    add(other) {\n        this.assertSame(other);\n        return this.init(this.ep.add(other.ep));\n    }\n    subtract(other) {\n        this.assertSame(other);\n        return this.init(this.ep.subtract(other.ep));\n    }\n    multiply(scalar) {\n        return this.init(this.ep.multiply(scalar));\n    }\n    multiplyUnsafe(scalar) {\n        return this.init(this.ep.multiplyUnsafe(scalar));\n    }\n    double() {\n        return this.init(this.ep.double());\n    }\n    negate() {\n        return this.init(this.ep.negate());\n    }\n    precompute(windowSize, isLazy) {\n        return this.init(this.ep.precompute(windowSize, isLazy));\n    }\n    /** @deprecated use `toBytes` */\n    toRawBytes() {\n        return this.toBytes();\n    }\n}\n/**\n * Initializes EdDSA signatures over given Edwards curve.\n */\nexport function eddsa(Point, cHash, eddsaOpts = {}) {\n    if (typeof cHash !== 'function')\n        throw new Error('\"hash\" function param is required');\n    _validateObject(eddsaOpts, {}, {\n        adjustScalarBytes: 'function',\n        randomBytes: 'function',\n        domain: 'function',\n        prehash: 'function',\n        mapToCurve: 'function',\n    });\n    const { prehash } = eddsaOpts;\n    const { BASE, Fp, Fn } = Point;\n    const randomBytes = eddsaOpts.randomBytes || randomBytesWeb;\n    const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);\n    const domain = eddsaOpts.domain ||\n        ((data, ctx, phflag) => {\n            abool(phflag, 'phflag');\n            if (ctx.length || phflag)\n                throw new Error('Contexts/pre-hash are not supported');\n            return data;\n        }); // NOOP\n    // Little-endian SHA512 with modulo n\n    function modN_LE(hash) {\n        return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit\n    }\n    // Get the hashed private scalar per RFC8032 5.1.5\n    function getPrivateScalar(key) {\n        const len = lengths.secretKey;\n        key = ensureBytes('private key', key, len);\n        // Hash private key with curve's hash function to produce uniformingly random input\n        // Check byte lengths: ensure(64, h(ensure(32, key)))\n        const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);\n        const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE\n        const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)\n        const scalar = modN_LE(head); // The actual private scalar\n        return { head, prefix, scalar };\n    }\n    /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */\n    function getExtendedPublicKey(secretKey) {\n        const { head, prefix, scalar } = getPrivateScalar(secretKey);\n        const point = BASE.multiply(scalar); // Point on Edwards curve aka public key\n        const pointBytes = point.toBytes();\n        return { head, prefix, scalar, point, pointBytes };\n    }\n    /** Calculates EdDSA pub key. RFC8032 5.1.5. */\n    function getPublicKey(secretKey) {\n        return getExtendedPublicKey(secretKey).pointBytes;\n    }\n    // int('LE', SHA512(dom2(F, C) || msgs)) mod N\n    function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {\n        const msg = concatBytes(...msgs);\n        return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));\n    }\n    /** Signs message with privateKey. RFC8032 5.1.6 */\n    function sign(msg, secretKey, options = {}) {\n        msg = ensureBytes('message', msg);\n        if (prehash)\n            msg = prehash(msg); // for ed25519ph etc.\n        const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);\n        const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)\n        const R = BASE.multiply(r).toBytes(); // R = rG\n        const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)\n        const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L\n        if (!Fn.isValid(s))\n            throw new Error('sign failed: invalid s'); // 0 <= s < L\n        const rs = concatBytes(R, Fn.toBytes(s));\n        return abytes(rs, lengths.signature, 'result');\n    }\n    // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:\n    const verifyOpts = { zip215: true };\n    /**\n     * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.\n     * An extended group equation is checked.\n     */\n    function verify(sig, msg, publicKey, options = verifyOpts) {\n        const { context, zip215 } = options;\n        const len = lengths.signature;\n        sig = ensureBytes('signature', sig, len);\n        msg = ensureBytes('message', msg);\n        publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);\n        if (zip215 !== undefined)\n            abool(zip215, 'zip215');\n        if (prehash)\n            msg = prehash(msg); // for ed25519ph, etc\n        const mid = len / 2;\n        const r = sig.subarray(0, mid);\n        const s = bytesToNumberLE(sig.subarray(mid, len));\n        let A, R, SB;\n        try {\n            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.\n            // zip215=true:  0 <= y < MASK (2^256 for ed25519)\n            // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n            A = Point.fromBytes(publicKey, zip215);\n            R = Point.fromBytes(r, zip215);\n            SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside\n        }\n        catch (error) {\n            return false;\n        }\n        if (!zip215 && A.isSmallOrder())\n            return false; // zip215 allows public keys of small order\n        const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);\n        const RkA = R.add(A.multiplyUnsafe(k));\n        // Extended group equation\n        // [8][S]B = [8]R + [8][k]A'\n        return RkA.subtract(SB).clearCofactor().is0();\n    }\n    const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448\n    const lengths = {\n        secretKey: _size,\n        publicKey: _size,\n        signature: 2 * _size,\n        seed: _size,\n    };\n    function randomSecretKey(seed = randomBytes(lengths.seed)) {\n        return abytes(seed, lengths.seed, 'seed');\n    }\n    function keygen(seed) {\n        const secretKey = utils.randomSecretKey(seed);\n        return { secretKey, publicKey: getPublicKey(secretKey) };\n    }\n    function isValidSecretKey(key) {\n        return isBytes(key) && key.length === Fn.BYTES;\n    }\n    function isValidPublicKey(key, zip215) {\n        try {\n            return !!Point.fromBytes(key, zip215);\n        }\n        catch (error) {\n            return false;\n        }\n    }\n    const utils = {\n        getExtendedPublicKey,\n        randomSecretKey,\n        isValidSecretKey,\n        isValidPublicKey,\n        /**\n         * Converts ed public key to x public key. Uses formula:\n         * - ed25519:\n         *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`\n         *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`\n         * - ed448:\n         *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`\n         *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`\n         */\n        toMontgomery(publicKey) {\n            const { y } = Point.fromBytes(publicKey);\n            const size = lengths.publicKey;\n            const is25519 = size === 32;\n            if (!is25519 && size !== 57)\n                throw new Error('only defined for 25519 and 448');\n            const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);\n            return Fp.toBytes(u);\n        },\n        toMontgomerySecret(secretKey) {\n            const size = lengths.secretKey;\n            abytes(secretKey, size);\n            const hashed = cHash(secretKey.subarray(0, size));\n            return adjustScalarBytes(hashed).subarray(0, size);\n        },\n        /** @deprecated */\n        randomPrivateKey: randomSecretKey,\n        /** @deprecated */\n        precompute(windowSize = 8, point = Point.BASE) {\n            return point.precompute(windowSize, false);\n        },\n    };\n    return Object.freeze({\n        keygen,\n        getPublicKey,\n        sign,\n        verify,\n        utils,\n        Point,\n        lengths,\n    });\n}\nfunction _eddsa_legacy_opts_to_new(c) {\n    const CURVE = {\n        a: c.a,\n        d: c.d,\n        p: c.Fp.ORDER,\n        n: c.n,\n        h: c.h,\n        Gx: c.Gx,\n        Gy: c.Gy,\n    };\n    const Fp = c.Fp;\n    const Fn = Field(CURVE.n, c.nBitLength, true);\n    const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };\n    const eddsaOpts = {\n        randomBytes: c.randomBytes,\n        adjustScalarBytes: c.adjustScalarBytes,\n        domain: c.domain,\n        prehash: c.prehash,\n        mapToCurve: c.mapToCurve,\n    };\n    return { CURVE, curveOpts, hash: c.hash, eddsaOpts };\n}\nfunction _eddsa_new_output_to_legacy(c, eddsa) {\n    const Point = eddsa.Point;\n    const legacy = Object.assign({}, eddsa, {\n        ExtendedPoint: Point,\n        CURVE: c,\n        nBitLength: Point.Fn.BITS,\n        nByteLength: Point.Fn.BYTES,\n    });\n    return legacy;\n}\n// TODO: remove. Use eddsa\nexport function twistedEdwards(c) {\n    const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);\n    const Point = edwards(CURVE, curveOpts);\n    const EDDSA = eddsa(Point, hash, eddsaOpts);\n    return _eddsa_new_output_to_legacy(c, EDDSA);\n}\n//# sourceMappingURL=edwards.js.map","/**\n * Montgomery curve methods. It's not really whole montgomery curve,\n * just bunch of very specific methods for X25519 / X448 from\n * [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { _validateObject, abytes, aInRange, bytesToNumberLE, ensureBytes, numberToBytesLE, randomBytes, } from \"../utils.js\";\nimport { mod } from \"./modular.js\";\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\nconst _2n = BigInt(2);\nfunction validateOpts(curve) {\n    _validateObject(curve, {\n        adjustScalarBytes: 'function',\n        powPminus2: 'function',\n    });\n    return Object.freeze({ ...curve });\n}\nexport function montgomery(curveDef) {\n    const CURVE = validateOpts(curveDef);\n    const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;\n    const is25519 = type === 'x25519';\n    if (!is25519 && type !== 'x448')\n        throw new Error('invalid type');\n    const randomBytes_ = rand || randomBytes;\n    const montgomeryBits = is25519 ? 255 : 448;\n    const fieldLen = is25519 ? 32 : 56;\n    const Gu = is25519 ? BigInt(9) : BigInt(5);\n    // RFC 7748 #5:\n    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and\n    // (156326 - 2) / 4 = 39081 for curve448/X448\n    // const a = is25519 ? 156326n : 486662n;\n    const a24 = is25519 ? BigInt(121665) : BigInt(39081);\n    // RFC: x25519 \"the resulting integer is of the form 2^254 plus\n    // eight times a value between 0 and 2^251 - 1 (inclusive)\"\n    // x448: \"2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)\"\n    const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);\n    const maxAdded = is25519\n        ? BigInt(8) * _2n ** BigInt(251) - _1n\n        : BigInt(4) * _2n ** BigInt(445) - _1n;\n    const maxScalar = minScalar + maxAdded + _1n; // (inclusive)\n    const modP = (n) => mod(n, P);\n    const GuBytes = encodeU(Gu);\n    function encodeU(u) {\n        return numberToBytesLE(modP(u), fieldLen);\n    }\n    function decodeU(u) {\n        const _u = ensureBytes('u coordinate', u, fieldLen);\n        // RFC: When receiving such an array, implementations of X25519\n        // (but not X448) MUST mask the most significant bit in the final byte.\n        if (is25519)\n            _u[31] &= 127; // 0b0111_1111\n        // RFC: Implementations MUST accept non-canonical values and process them as\n        // if they had been reduced modulo the field prime.  The non-canonical\n        // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224\n        // - 1 through 2^448 - 1 for X448.\n        return modP(bytesToNumberLE(_u));\n    }\n    function decodeScalar(scalar) {\n        return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));\n    }\n    function scalarMult(scalar, u) {\n        const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));\n        // Some public keys are useless, of low-order. Curve author doesn't think\n        // it needs to be validated, but we do it nonetheless.\n        // https://cr.yp.to/ecdh.html#validate\n        if (pu === _0n)\n            throw new Error('invalid private or public key received');\n        return encodeU(pu);\n    }\n    // Computes public key from private. By doing scalar multiplication of base point.\n    function scalarMultBase(scalar) {\n        return scalarMult(scalar, GuBytes);\n    }\n    // cswap from RFC7748 \"example code\"\n    function cswap(swap, x_2, x_3) {\n        // dummy = mask(swap) AND (x_2 XOR x_3)\n        // Where mask(swap) is the all-1 or all-0 word of the same length as x_2\n        // and x_3, computed, e.g., as mask(swap) = 0 - swap.\n        const dummy = modP(swap * (x_2 - x_3));\n        x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy\n        x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy\n        return { x_2, x_3 };\n    }\n    /**\n     * Montgomery x-only multiplication ladder.\n     * @param pointU u coordinate (x) on Montgomery Curve 25519\n     * @param scalar by which the point would be multiplied\n     * @returns new Point on Montgomery curve\n     */\n    function montgomeryLadder(u, scalar) {\n        aInRange('u', u, _0n, P);\n        aInRange('scalar', scalar, minScalar, maxScalar);\n        const k = scalar;\n        const x_1 = u;\n        let x_2 = _1n;\n        let z_2 = _0n;\n        let x_3 = u;\n        let z_3 = _1n;\n        let swap = _0n;\n        for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {\n            const k_t = (k >> t) & _1n;\n            swap ^= k_t;\n            ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n            ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n            swap = k_t;\n            const A = x_2 + z_2;\n            const AA = modP(A * A);\n            const B = x_2 - z_2;\n            const BB = modP(B * B);\n            const E = AA - BB;\n            const C = x_3 + z_3;\n            const D = x_3 - z_3;\n            const DA = modP(D * A);\n            const CB = modP(C * B);\n            const dacb = DA + CB;\n            const da_cb = DA - CB;\n            x_3 = modP(dacb * dacb);\n            z_3 = modP(x_1 * modP(da_cb * da_cb));\n            x_2 = modP(AA * BB);\n            z_2 = modP(E * (AA + modP(a24 * E)));\n        }\n        ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n        ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n        const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent\n        return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))\n    }\n    const lengths = {\n        secretKey: fieldLen,\n        publicKey: fieldLen,\n        seed: fieldLen,\n    };\n    const randomSecretKey = (seed = randomBytes_(fieldLen)) => {\n        abytes(seed, lengths.seed);\n        return seed;\n    };\n    function keygen(seed) {\n        const secretKey = randomSecretKey(seed);\n        return { secretKey, publicKey: scalarMultBase(secretKey) };\n    }\n    const utils = {\n        randomSecretKey,\n        randomPrivateKey: randomSecretKey,\n    };\n    return {\n        keygen,\n        getSharedSecret: (secretKey, publicKey) => scalarMult(secretKey, publicKey),\n        getPublicKey: (secretKey) => scalarMultBase(secretKey),\n        scalarMult,\n        scalarMultBase,\n        utils,\n        GuBytes: GuBytes.slice(),\n        lengths,\n    };\n}\n//# sourceMappingURL=montgomery.js.map"],"names":[],"sourceRoot":""}

package/dist/browser/defaultVendors-node_modules_noble_curves_esm_ed25519_js.shogun-core.js

@@ -0,0 +1,508 @@
+"use strict";
+(this["webpackChunkShogunCore"] = this["webpackChunkShogunCore"] || []).push([["defaultVendors-node_modules_noble_curves_esm_ed25519_js"],{
+
+/***/ "./node_modules/@noble/curves/esm/ed25519.js":
+/*!***************************************************!*\
+  !*** ./node_modules/@noble/curves/esm/ed25519.js ***!
+  \***************************************************/
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   ED25519_TORSION_SUBGROUP: () => (/* binding */ ED25519_TORSION_SUBGROUP),
+/* harmony export */   RistrettoPoint: () => (/* binding */ RistrettoPoint),
+/* harmony export */   ed25519: () => (/* binding */ ed25519),
+/* harmony export */   ed25519_hasher: () => (/* binding */ ed25519_hasher),
+/* harmony export */   ed25519ctx: () => (/* binding */ ed25519ctx),
+/* harmony export */   ed25519ph: () => (/* binding */ ed25519ph),
+/* harmony export */   edwardsToMontgomery: () => (/* binding */ edwardsToMontgomery),
+/* harmony export */   edwardsToMontgomeryPriv: () => (/* binding */ edwardsToMontgomeryPriv),
+/* harmony export */   edwardsToMontgomeryPub: () => (/* binding */ edwardsToMontgomeryPub),
+/* harmony export */   encodeToCurve: () => (/* binding */ encodeToCurve),
+/* harmony export */   hashToCurve: () => (/* binding */ hashToCurve),
+/* harmony export */   hashToRistretto255: () => (/* binding */ hashToRistretto255),
+/* harmony export */   hash_to_ristretto255: () => (/* binding */ hash_to_ristretto255),
+/* harmony export */   ristretto255: () => (/* binding */ ristretto255),
+/* harmony export */   ristretto255_hasher: () => (/* binding */ ristretto255_hasher),
+/* harmony export */   x25519: () => (/* binding */ x25519)
+/* harmony export */ });
+/* harmony import */ var _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! @noble/hashes/sha2.js */ "./node_modules/@noble/hashes/esm/sha2.js");
+/* harmony import */ var _noble_hashes_utils_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! @noble/hashes/utils.js */ "./node_modules/@noble/hashes/esm/utils.js");
+/* harmony import */ var _abstract_curve_js__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ./abstract/curve.js */ "./node_modules/@noble/curves/esm/abstract/curve.js");
+/* harmony import */ var _abstract_edwards_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(/*! ./abstract/edwards.js */ "./node_modules/@noble/curves/esm/abstract/edwards.js");
+/* harmony import */ var _abstract_hash_to_curve_js__WEBPACK_IMPORTED_MODULE_4__ = __webpack_require__(/*! ./abstract/hash-to-curve.js */ "./node_modules/@noble/curves/esm/abstract/hash-to-curve.js");
+/* harmony import */ var _abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__ = __webpack_require__(/*! ./abstract/modular.js */ "./node_modules/@noble/curves/esm/abstract/modular.js");
+/* harmony import */ var _abstract_montgomery_js__WEBPACK_IMPORTED_MODULE_6__ = __webpack_require__(/*! ./abstract/montgomery.js */ "./node_modules/@noble/curves/esm/abstract/montgomery.js");
+/* harmony import */ var _utils_js__WEBPACK_IMPORTED_MODULE_7__ = __webpack_require__(/*! ./utils.js */ "./node_modules/@noble/curves/esm/utils.js");
+/**
+ * ed25519 Twisted Edwards curve with following addons:
+ * - X25519 ECDH
+ * - Ristretto cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+
+
+
+
+
+
+
+
+// prettier-ignore
+const _0n = /* @__PURE__ */ BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+// prettier-ignore
+const _5n = BigInt(5), _8n = BigInt(8);
+// P = 2n**255n-19n
+const ed25519_CURVE_p = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed');
+// N = 2n**252n + 27742317777372353535851937790883648493n
+// a = Fp.create(BigInt(-1))
+// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
+const ed25519_CURVE = /* @__PURE__ */ (() => ({
+    p: ed25519_CURVE_p,
+    n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
+    h: _8n,
+    a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
+    d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
+    Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
+    Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
+}))();
+function ed25519_pow_2_252_3(x) {
+    // prettier-ignore
+    const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+    const P = ed25519_CURVE_p;
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P; // x^3, 11
+    const b4 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b2, _2n, P) * b2) % P; // x^15, 1111
+    const b5 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b4, _1n, P) * x) % P; // x^31
+    const b10 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b5, _5n, P) * b5) % P;
+    const b20 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b10, _10n, P) * b10) % P;
+    const b40 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b20, _20n, P) * b20) % P;
+    const b80 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b40, _40n, P) * b40) % P;
+    const b160 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b80, _80n, P) * b80) % P;
+    const b240 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b160, _80n, P) * b80) % P;
+    const b250 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b240, _10n, P) * b10) % P;
+    const pow_p_5_8 = ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(b250, _2n, P) * x) % P;
+    // ^ To pow to (p+3)/8, multiply it by x.
+    return { pow_p_5_8, b2 };
+}
+function adjustScalarBytes(bytes) {
+    // Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
+    // set the three least significant bits of the first byte
+    bytes[0] &= 248; // 0b1111_1000
+    // and the most significant bit of the last to zero,
+    bytes[31] &= 127; // 0b0111_1111
+    // set the second most significant bit of the last byte to 1
+    bytes[31] |= 64; // 0b0100_0000
+    return bytes;
+}
+// √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
+const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// sqrt(u/v)
+function uvRatio(u, v) {
+    const P = ed25519_CURVE_p;
+    const v3 = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(v * v * v, P); // v³
+    const v7 = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(v3 * v3 * v, P); // v⁷
+    // (p+3)/8 and (p-5)/8
+    const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+    let x = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
+    const vx2 = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(v * x * x, P); // vx²
+    const root1 = x; // First root candidate
+    const root2 = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(x * ED25519_SQRT_M1, P); // Second root candidate
+    const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
+    const useRoot2 = vx2 === (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
+    const noRoot = vx2 === (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2; // We return root2 anyway, for const-time
+    if ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(x, P))
+        x = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)(-x, P);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+const Fp = /* @__PURE__ */ (() => (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.Field)(ed25519_CURVE.p, { isLE: true }))();
+const Fn = /* @__PURE__ */ (() => (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.Field)(ed25519_CURVE.n, { isLE: true }))();
+const ed25519Defaults = /* @__PURE__ */ (() => ({
+    ...ed25519_CURVE,
+    Fp,
+    hash: _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__.sha512,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+}))();
+/**
+ * ed25519 curve with EdDSA signatures.
+ * @example
+ * import { ed25519 } from '@noble/curves/ed25519';
+ * const { secretKey, publicKey } = ed25519.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = ed25519.sign(msg, priv);
+ * ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
+ * ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
+ */
+const ed25519 = /* @__PURE__ */ (() => (0,_abstract_edwards_js__WEBPACK_IMPORTED_MODULE_3__.twistedEdwards)(ed25519Defaults))();
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return (0,_noble_hashes_utils_js__WEBPACK_IMPORTED_MODULE_1__.concatBytes)((0,_noble_hashes_utils_js__WEBPACK_IMPORTED_MODULE_1__.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+/** Context of ed25519. Uses context for domain separation. */
+const ed25519ctx = /* @__PURE__ */ (() => (0,_abstract_edwards_js__WEBPACK_IMPORTED_MODULE_3__.twistedEdwards)({
+    ...ed25519Defaults,
+    domain: ed25519_domain,
+}))();
+/** Prehashed version of ed25519. Accepts already-hashed messages in sign() and verify(). */
+const ed25519ph = /* @__PURE__ */ (() => (0,_abstract_edwards_js__WEBPACK_IMPORTED_MODULE_3__.twistedEdwards)(Object.assign({}, ed25519Defaults, {
+    domain: ed25519_domain,
+    prehash: _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__.sha512,
+})))();
+/**
+ * ECDH using curve25519 aka x25519.
+ * @example
+ * import { x25519 } from '@noble/curves/ed25519';
+ * const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
+ * const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
+ * x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
+ * x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
+ * x25519.getPublicKey(x25519.utils.randomSecretKey());
+ */
+const x25519 = /* @__PURE__ */ (() => {
+    const P = Fp.ORDER;
+    return (0,_abstract_montgomery_js__WEBPACK_IMPORTED_MODULE_6__.montgomery)({
+        P,
+        type: 'x25519',
+        powPminus2: (x) => {
+            // x^(p-2) aka x^(2^255-21)
+            const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+            return (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.mod)((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.pow2)(pow_p_5_8, _3n, P) * b2, P);
+        },
+        adjustScalarBytes,
+    });
+})();
+// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
+// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
+// SageMath returns different root first and everything falls apart
+const ELL2_C1 = /* @__PURE__ */ (() => (ed25519_CURVE_p + _3n) / _8n)(); // 1. c1 = (q + 3) / 8       # Integer arithmetic
+const ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n, ELL2_C1))(); // 2. c2 = 2^c1
+const ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))(); // 3. c3 = sqrt(-1)
+// prettier-ignore
+function map_to_curve_elligator2_curve25519(u) {
+    const ELL2_C4 = (ed25519_CURVE_p - _5n) / _8n; // 4. c4 = (q - 5) / 8       # Integer arithmetic
+    const ELL2_J = BigInt(486662);
+    let tv1 = Fp.sqr(u); //  1.  tv1 = u^2
+    tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
+    let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
+    let x1n = Fp.neg(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.sqr(xd); //  5.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
+    let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.sqr(tv3); //  12. tv2 = tv3^2           # gxd^4
+    tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
+    tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
+    tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
+    let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
+    y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
+    let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
+    tv2 = Fp.sqr(y11); //  19. tv2 = y11^2
+    tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
+    let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
+    let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
+    let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
+    y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
+    let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
+    let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
+    tv2 = Fp.sqr(y21); //  28. tv2 = y21^2
+    tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
+    tv2 = Fp.sqr(y1); //  32. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
+    let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
+    let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; //  39. return (xn, xd, y, 1)
+}
+const ELL2_C1_EDWARDS = /* @__PURE__ */ (() => (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.FpSqrtEven)(Fp, Fp.neg(BigInt(486664))))(); // sgn0(c1) MUST equal 0
+function map_to_curve_elligator2_edwards25519(u) {
+    const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) =
+    // map_to_curve_elligator2_curve25519(u)
+    let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
+    xn = Fp.mul(xn, ELL2_C1_EDWARDS); //  3.  xn = xn * c1
+    let xd = Fp.mul(xMd, yMn); //  4.  xd = xMd * yMn    # xn / xd = c1 * xM / yM
+    let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
+    let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
+    let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
+    let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
+    xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
+    yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
+    yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
+    const [xd_inv, yd_inv] = (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.FpInvertBatch)(Fp, [xd, yd], true); // batch division
+    return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; //  13. return (xn, xd, yn, yd)
+}
+/** Hashing to ed25519 points / field. RFC 9380 methods. */
+const ed25519_hasher = /* @__PURE__ */ (() => (0,_abstract_hash_to_curve_js__WEBPACK_IMPORTED_MODULE_4__.createHasher)(ed25519.Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
+    DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+    encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
+    p: ed25519_CURVE_p,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__.sha512,
+}))();
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const SQRT_M1 = ED25519_SQRT_M1;
+// √(ad - 1)
+const SQRT_AD_MINUS_ONE = /* @__PURE__ */ BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+// 1 / √(a-d)
+const INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+// 1-d²
+const ONE_MINUS_D_SQ = /* @__PURE__ */ BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+// (d-1)²
+const D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+// Calculates 1/√(number)
+const invertSqrt = (number) => uvRatio(_1n, number);
+const MAX_255B = /* @__PURE__ */ BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const bytes255ToNumberLE = (bytes) => ed25519.Point.Fp.create((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.bytesToNumberLE)(bytes) & MAX_255B);
+/**
+ * Computes Elligator map for Ristretto255.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
+ * the [website](https://ristretto.group/formulas/elligator.html).
+ */
+function calcElligatorRistrettoMap(r0) {
+    const { d } = ed25519_CURVE;
+    const P = ed25519_CURVE_p;
+    const mod = (n) => Fp.create(n);
+    const r = mod(SQRT_M1 * r0 * r0); // 1
+    const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
+    let c = BigInt(-1); // 3
+    const D = mod((c - d * r) * mod(r + d)); // 4
+    let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
+    let s_ = mod(s * r0); // 6
+    if (!(0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(s_, P))
+        s_ = mod(-s_);
+    if (!Ns_D_is_sq)
+        s = s_; // 7
+    if (!Ns_D_is_sq)
+        c = r; // 8
+    const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
+    const s2 = s * s;
+    const W0 = mod((s + s) * D); // 10
+    const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
+    const W2 = mod(_1n - s2); // 12
+    const W3 = mod(_1n + s2); // 13
+    return new ed25519.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+}
+function ristretto255_map(bytes) {
+    (0,_noble_hashes_utils_js__WEBPACK_IMPORTED_MODULE_1__.abytes)(bytes, 64);
+    const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
+    const R1 = calcElligatorRistrettoMap(r1);
+    const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
+    const R2 = calcElligatorRistrettoMap(r2);
+    return new _RistrettoPoint(R1.add(R2));
+}
+/**
+ * Wrapper over Edwards Point for ristretto255.
+ *
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
+ */
+class _RistrettoPoint extends _abstract_edwards_js__WEBPACK_IMPORTED_MODULE_3__.PrimeEdwardsPoint {
+    constructor(ep) {
+        super(ep);
+    }
+    static fromAffine(ap) {
+        return new _RistrettoPoint(ed25519.Point.fromAffine(ap));
+    }
+    assertSame(other) {
+        if (!(other instanceof _RistrettoPoint))
+            throw new Error('RistrettoPoint expected');
+    }
+    init(ep) {
+        return new _RistrettoPoint(ep);
+    }
+    /** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+    static hashToCurve(hex) {
+        return ristretto255_map((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.ensureBytes)('ristrettoHash', hex, 64));
+    }
+    static fromBytes(bytes) {
+        (0,_noble_hashes_utils_js__WEBPACK_IMPORTED_MODULE_1__.abytes)(bytes, 32);
+        const { a, d } = ed25519_CURVE;
+        const P = ed25519_CURVE_p;
+        const mod = (n) => Fp.create(n);
+        const s = bytes255ToNumberLE(bytes);
+        // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+        // 3. Check that s is non-negative, or else abort
+        if (!(0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.equalBytes)(Fp.toBytes(s), bytes) || (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(s, P))
+            throw new Error('invalid ristretto255 encoding 1');
+        const s2 = mod(s * s);
+        const u1 = mod(_1n + a * s2); // 4 (a is -1)
+        const u2 = mod(_1n - a * s2); // 5
+        const u1_2 = mod(u1 * u1);
+        const u2_2 = mod(u2 * u2);
+        const v = mod(a * d * u1_2 - u2_2); // 6
+        const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
+        const Dx = mod(I * u2); // 8
+        const Dy = mod(I * Dx * v); // 9
+        let x = mod((s + s) * Dx); // 10
+        if ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(x, P))
+            x = mod(-x); // 10
+        const y = mod(u1 * Dy); // 11
+        const t = mod(x * y); // 12
+        if (!isValid || (0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(t, P) || y === _0n)
+            throw new Error('invalid ristretto255 encoding 2');
+        return new _RistrettoPoint(new ed25519.Point(x, y, _1n, t));
+    }
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex) {
+        return _RistrettoPoint.fromBytes((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.ensureBytes)('ristrettoHex', hex, 32));
+    }
+    static msm(points, scalars) {
+        return (0,_abstract_curve_js__WEBPACK_IMPORTED_MODULE_2__.pippenger)(_RistrettoPoint, ed25519.Point.Fn, points, scalars);
+    }
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
+     */
+    toBytes() {
+        let { X, Y, Z, T } = this.ep;
+        const P = ed25519_CURVE_p;
+        const mod = (n) => Fp.create(n);
+        const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
+        const u2 = mod(X * Y); // 2
+        // Square root always exists
+        const u2sq = mod(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
+        const D1 = mod(invsqrt * u1); // 4
+        const D2 = mod(invsqrt * u2); // 5
+        const zInv = mod(D1 * D2 * T); // 6
+        let D; // 7
+        if ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(T * zInv, P)) {
+            let _x = mod(Y * SQRT_M1);
+            let _y = mod(X * SQRT_M1);
+            X = _x;
+            Y = _y;
+            D = mod(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2; // 8
+        }
+        if ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(X * zInv, P))
+            Y = mod(-Y); // 9
+        let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
+        if ((0,_abstract_modular_js__WEBPACK_IMPORTED_MODULE_5__.isNegativeLE)(s, P))
+            s = mod(-s);
+        return Fp.toBytes(s); // 11
+    }
+    /**
+     * Compares two Ristretto points.
+     * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
+     */
+    equals(other) {
+        this.assertSame(other);
+        const { X: X1, Y: Y1 } = this.ep;
+        const { X: X2, Y: Y2 } = other.ep;
+        const mod = (n) => Fp.create(n);
+        // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
+        const one = mod(X1 * Y2) === mod(Y1 * X2);
+        const two = mod(Y1 * Y2) === mod(X1 * X2);
+        return one || two;
+    }
+    is0() {
+        return this.equals(_RistrettoPoint.ZERO);
+    }
+}
+// Do NOT change syntax: the following gymnastics is done,
+// because typescript strips comments, which makes bundlers disable tree-shaking.
+// prettier-ignore
+_RistrettoPoint.BASE = 
+/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.BASE))();
+// prettier-ignore
+_RistrettoPoint.ZERO = 
+/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.ZERO))();
+// prettier-ignore
+_RistrettoPoint.Fp = 
+/* @__PURE__ */ (() => Fp)();
+// prettier-ignore
+_RistrettoPoint.Fn = 
+/* @__PURE__ */ (() => Fn)();
+const ristretto255 = { Point: _RistrettoPoint };
+/** Hashing to ristretto255 points / field. RFC 9380 methods. */
+const ristretto255_hasher = {
+    hashToCurve(msg, options) {
+        const DST = options?.DST || 'ristretto255_XMD:SHA-512_R255MAP_RO_';
+        const xmd = (0,_abstract_hash_to_curve_js__WEBPACK_IMPORTED_MODULE_4__.expand_message_xmd)(msg, DST, 64, _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__.sha512);
+        return ristretto255_map(xmd);
+    },
+    hashToScalar(msg, options = { DST: _abstract_hash_to_curve_js__WEBPACK_IMPORTED_MODULE_4__._DST_scalar }) {
+        const xmd = (0,_abstract_hash_to_curve_js__WEBPACK_IMPORTED_MODULE_4__.expand_message_xmd)(msg, options.DST, 64, _noble_hashes_sha2_js__WEBPACK_IMPORTED_MODULE_0__.sha512);
+        return Fn.create((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.bytesToNumberLE)(xmd));
+    },
+};
+// export const ristretto255_oprf: OPRF = createORPF({
+//   name: 'ristretto255-SHA512',
+//   Point: RistrettoPoint,
+//   hash: sha512,
+//   hashToGroup: ristretto255_hasher.hashToCurve,
+//   hashToScalar: ristretto255_hasher.hashToScalar,
+// });
+/**
+ * Weird / bogus points, useful for debugging.
+ * All 8 ed25519 points of 8-torsion subgroup can be generated from the point
+ * T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
+ * ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
+ */
+const ED25519_TORSION_SUBGROUP = [
+    '0100000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+    '0000000000000000000000000000000000000000000000000000000000000080',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+    '0000000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];
+/** @deprecated use `ed25519.utils.toMontgomery` */
+function edwardsToMontgomeryPub(edwardsPub) {
+    return ed25519.utils.toMontgomery((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.ensureBytes)('pub', edwardsPub));
+}
+/** @deprecated use `ed25519.utils.toMontgomery` */
+const edwardsToMontgomery = edwardsToMontgomeryPub;
+/** @deprecated use `ed25519.utils.toMontgomerySecret` */
+function edwardsToMontgomeryPriv(edwardsPriv) {
+    return ed25519.utils.toMontgomerySecret((0,_utils_js__WEBPACK_IMPORTED_MODULE_7__.ensureBytes)('pub', edwardsPriv));
+}
+/** @deprecated use `ristretto255.Point` */
+const RistrettoPoint = _RistrettoPoint;
+/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
+const hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
+const encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
+/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+const hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+const hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+//# sourceMappingURL=ed25519.js.map
+
+/***/ })
+
+}]);
+//# sourceMappingURL=defaultVendors-node_modules_noble_curves_esm_ed25519_js.shogun-core.js.map