@bcts/crypto 1.0.0-alpha.10

package/dist/index.iife.js

@@ -0,0 +1,652 @@
+var bctsCrypto = (function(exports, _noble_hashes_sha2_js, _noble_hashes_hmac_js, _noble_hashes_pbkdf2_js, _noble_hashes_hkdf_js, _noble_ciphers_chacha_js, _noble_curves_ed25519_js, _noble_curves_secp256k1_js, _bcts_rand, _noble_hashes_scrypt_js, _noble_hashes_argon2_js) {
+
+
+//#region src/error.ts
+/**
+	* AEAD-specific error for authentication failures
+	*/
+	var AeadError = class extends Error {
+		constructor(message = "AEAD authentication failed") {
+			super(message);
+			this.name = "AeadError";
+		}
+	};
+	/**
+	* Generic crypto error type
+	*/
+	var CryptoError = class CryptoError extends Error {
+		cause;
+		constructor(message, cause) {
+			super(message);
+			this.name = "CryptoError";
+			this.cause = cause;
+		}
+		/**
+		* Create a CryptoError for AEAD authentication failures.
+		*
+		* @param error - Optional underlying AeadError
+		* @returns A CryptoError wrapping the AEAD error
+		*/
+		static aead(error) {
+			return new CryptoError("AEAD error", error ?? new AeadError());
+		}
+		/**
+		* Create a CryptoError for invalid parameter values.
+		*
+		* @param message - Description of the invalid parameter
+		* @returns A CryptoError describing the invalid parameter
+		*/
+		static invalidParameter(message) {
+			return new CryptoError(`Invalid parameter: ${message}`);
+		}
+	};
+
+//#endregion
+//#region src/memzero.ts
+/**
+	* Securely zero out a typed array.
+	*
+	* **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference
+	* implementation which uses `std::ptr::write_volatile()` for guaranteed volatile
+	* writes, JavaScript engines and JIT compilers can still potentially optimize
+	* away these zeroing operations. The check at the end helps prevent optimization,
+	* but it is not foolproof.
+	*
+	* For truly sensitive cryptographic operations, consider using the Web Crypto API's
+	* `crypto.subtle` with non-extractable keys when possible, as it provides stronger
+	* guarantees than what can be achieved with pure JavaScript.
+	*
+	* This function attempts to prevent the compiler from optimizing away
+	* the zeroing operation by using a verification check after the zeroing loop.
+	*/
+	function memzero(data) {
+		const len = data.length;
+		for (let i = 0; i < len; i++) data[i] = 0;
+		if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
+	}
+	/**
+	* Securely zero out an array of Uint8Arrays.
+	*/
+	function memzeroVecVecU8(arrays) {
+		for (const arr of arrays) memzero(arr);
+	}
+
+//#endregion
+//#region src/hash.ts
+	const CRC32_SIZE = 4;
+	const SHA256_SIZE = 32;
+	const SHA512_SIZE = 64;
+	const CRC32_TABLE = new Uint32Array(256);
+	for (let i = 0; i < 256; i++) {
+		let crc = i;
+		for (let j = 0; j < 8; j++) crc = (crc & 1) !== 0 ? crc >>> 1 ^ 3988292384 : crc >>> 1;
+		CRC32_TABLE[i] = crc >>> 0;
+	}
+	/**
+	* Calculate CRC-32 checksum
+	*/
+	function crc32(data) {
+		let crc = 4294967295;
+		for (const byte of data) crc = CRC32_TABLE[(crc ^ byte) & 255] ^ crc >>> 8;
+		return (crc ^ 4294967295) >>> 0;
+	}
+	/**
+	* Calculate CRC-32 checksum and return as a 4-byte big-endian array
+	*/
+	function crc32Data(data) {
+		return crc32DataOpt(data, false);
+	}
+	/**
+	* Calculate CRC-32 checksum and return as a 4-byte array
+	* @param data - Input data
+	* @param littleEndian - If true, returns little-endian; otherwise big-endian
+	*/
+	function crc32DataOpt(data, littleEndian) {
+		const checksum = crc32(data);
+		const result = new Uint8Array(4);
+		new DataView(result.buffer).setUint32(0, checksum, littleEndian);
+		return result;
+	}
+	/**
+	* Calculate SHA-256 hash
+	*/
+	function sha256(data) {
+		return (0, _noble_hashes_sha2_js.sha256)(data);
+	}
+	/**
+	* Calculate double SHA-256 hash (SHA-256 of SHA-256)
+	* This is the standard Bitcoin hashing function
+	*/
+	function doubleSha256(message) {
+		return sha256(sha256(message));
+	}
+	/**
+	* Calculate SHA-512 hash
+	*/
+	function sha512(data) {
+		return (0, _noble_hashes_sha2_js.sha512)(data);
+	}
+	/**
+	* Calculate HMAC-SHA-256
+	*/
+	function hmacSha256(key, message) {
+		return (0, _noble_hashes_hmac_js.hmac)(_noble_hashes_sha2_js.sha256, key, message);
+	}
+	/**
+	* Calculate HMAC-SHA-512
+	*/
+	function hmacSha512(key, message) {
+		return (0, _noble_hashes_hmac_js.hmac)(_noble_hashes_sha2_js.sha512, key, message);
+	}
+	/**
+	* Derive a key using PBKDF2 with HMAC-SHA-256
+	*/
+	function pbkdf2HmacSha256(password, salt, iterations, keyLen) {
+		return (0, _noble_hashes_pbkdf2_js.pbkdf2)(_noble_hashes_sha2_js.sha256, password, salt, {
+			c: iterations,
+			dkLen: keyLen
+		});
+	}
+	/**
+	* Derive a key using PBKDF2 with HMAC-SHA-512
+	*/
+	function pbkdf2HmacSha512(password, salt, iterations, keyLen) {
+		return (0, _noble_hashes_pbkdf2_js.pbkdf2)(_noble_hashes_sha2_js.sha512, password, salt, {
+			c: iterations,
+			dkLen: keyLen
+		});
+	}
+	/**
+	* Derive a key using HKDF with HMAC-SHA-256
+	*/
+	function hkdfHmacSha256(keyMaterial, salt, keyLen) {
+		return (0, _noble_hashes_hkdf_js.hkdf)(_noble_hashes_sha2_js.sha256, keyMaterial, salt, void 0, keyLen);
+	}
+	/**
+	* Derive a key using HKDF with HMAC-SHA-512
+	*/
+	function hkdfHmacSha512(keyMaterial, salt, keyLen) {
+		return (0, _noble_hashes_hkdf_js.hkdf)(_noble_hashes_sha2_js.sha512, keyMaterial, salt, void 0, keyLen);
+	}
+
+//#endregion
+//#region src/symmetric-encryption.ts
+	const SYMMETRIC_KEY_SIZE = 32;
+	const SYMMETRIC_NONCE_SIZE = 12;
+	const SYMMETRIC_AUTH_SIZE = 16;
+	/**
+	* Encrypt data using ChaCha20-Poly1305 AEAD cipher.
+	*
+	* **Security Warning**: The nonce MUST be unique for every encryption operation
+	* with the same key. Reusing a nonce completely breaks the security of the
+	* encryption scheme and can reveal plaintext.
+	*
+	* @param plaintext - The data to encrypt
+	* @param key - 32-byte encryption key
+	* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+	* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+	* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+	*/
+	function aeadChaCha20Poly1305Encrypt(plaintext, key, nonce) {
+		return aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, new Uint8Array(0));
+	}
+	/**
+	* Encrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+	*
+	* **Security Warning**: The nonce MUST be unique for every encryption operation
+	* with the same key. Reusing a nonce completely breaks the security of the
+	* encryption scheme and can reveal plaintext.
+	*
+	* @param plaintext - The data to encrypt
+	* @param key - 32-byte encryption key
+	* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+	* @param aad - Additional authenticated data (not encrypted, but integrity-protected)
+	* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+	* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+	*/
+	function aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, aad) {
+		if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+		if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+		const sealed = (0, _noble_ciphers_chacha_js.chacha20poly1305)(key, nonce, aad).encrypt(plaintext);
+		return [sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE), sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE)];
+	}
+	/**
+	* Decrypt data using ChaCha20-Poly1305 AEAD cipher.
+	*
+	* @param ciphertext - The encrypted data
+	* @param key - 32-byte encryption key (must match key used for encryption)
+	* @param nonce - 12-byte nonce (must match nonce used for encryption)
+	* @param authTag - 16-byte authentication tag from encryption
+	* @returns Decrypted plaintext
+	* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+	* @throws {CryptoError} If authentication fails (tampered data or wrong key/nonce)
+	*/
+	function aeadChaCha20Poly1305Decrypt(ciphertext, key, nonce, authTag) {
+		return aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, new Uint8Array(0), authTag);
+	}
+	/**
+	* Decrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+	*
+	* @param ciphertext - The encrypted data
+	* @param key - 32-byte encryption key (must match key used for encryption)
+	* @param nonce - 12-byte nonce (must match nonce used for encryption)
+	* @param aad - Additional authenticated data (must exactly match AAD used for encryption)
+	* @param authTag - 16-byte authentication tag from encryption
+	* @returns Decrypted plaintext
+	* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+	* @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)
+	*/
+	function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag) {
+		if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+		if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+		if (authTag.length !== SYMMETRIC_AUTH_SIZE) throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);
+		const sealed = new Uint8Array(ciphertext.length + authTag.length);
+		sealed.set(ciphertext);
+		sealed.set(authTag, ciphertext.length);
+		try {
+			return (0, _noble_ciphers_chacha_js.chacha20poly1305)(key, nonce, aad).decrypt(sealed);
+		} catch (error) {
+			const aeadError = new AeadError(`Decryption failed: ${error instanceof Error ? error.message : "authentication error"}`);
+			throw CryptoError.aead(aeadError);
+		}
+	}
+
+//#endregion
+//#region src/public-key-encryption.ts
+	const GENERIC_PRIVATE_KEY_SIZE = 32;
+	const GENERIC_PUBLIC_KEY_SIZE = 32;
+	const X25519_PRIVATE_KEY_SIZE = 32;
+	const X25519_PUBLIC_KEY_SIZE = 32;
+	/**
+	* Derive an X25519 agreement private key from key material.
+	* Uses HKDF with "agreement" as domain separation salt.
+	*/
+	function deriveAgreementPrivateKey(keyMaterial) {
+		return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), X25519_PRIVATE_KEY_SIZE);
+	}
+	/**
+	* Derive a signing private key from key material.
+	* Uses HKDF with "signing" as domain separation salt.
+	*/
+	function deriveSigningPrivateKey(keyMaterial) {
+		return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), 32);
+	}
+	/**
+	* Generate a new random X25519 private key.
+	*/
+	function x25519NewPrivateKeyUsing(rng) {
+		return rng.randomData(X25519_PRIVATE_KEY_SIZE);
+	}
+	/**
+	* Derive an X25519 public key from a private key.
+	*/
+	function x25519PublicKeyFromPrivateKey(privateKey) {
+		if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+		return _noble_curves_ed25519_js.x25519.getPublicKey(privateKey);
+	}
+	/**
+	* Compute a shared secret using X25519 key agreement (ECDH).
+	*
+	* **Security Note**: The resulting shared secret should be used with a KDF
+	* (like HKDF) before using it as an encryption key. Never use the raw
+	* shared secret directly for encryption.
+	*
+	* @param x25519Private - 32-byte X25519 private key
+	* @param x25519Public - 32-byte X25519 public key from the other party
+	* @returns 32-byte shared secret
+	* @throws {Error} If private key is not 32 bytes or public key is not 32 bytes
+	*/
+	function x25519SharedKey(x25519Private, x25519Public) {
+		if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+		if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);
+		return _noble_curves_ed25519_js.x25519.getSharedSecret(x25519Private, x25519Public);
+	}
+
+//#endregion
+//#region src/ecdsa-keys.ts
+	const ECDSA_PRIVATE_KEY_SIZE = 32;
+	const ECDSA_PUBLIC_KEY_SIZE = 33;
+	const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;
+	const ECDSA_MESSAGE_HASH_SIZE = 32;
+	const ECDSA_SIGNATURE_SIZE = 64;
+	const SCHNORR_PUBLIC_KEY_SIZE = 32;
+	/**
+	* Generate a new random ECDSA private key using secp256k1.
+	*
+	* Note: Unlike some implementations, this directly returns the random bytes
+	* without validation. The secp256k1 library will handle any edge cases when
+	* the key is used.
+	*/
+	function ecdsaNewPrivateKeyUsing(rng) {
+		return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);
+	}
+	/**
+	* Derive a compressed ECDSA public key from a private key.
+	*/
+	function ecdsaPublicKeyFromPrivateKey(privateKey) {
+		if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+		return _noble_curves_secp256k1_js.secp256k1.getPublicKey(privateKey, true);
+	}
+	/**
+	* Decompress a compressed public key to uncompressed format.
+	*/
+	function ecdsaDecompressPublicKey(compressed) {
+		if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+		return _noble_curves_secp256k1_js.secp256k1.Point.fromBytes(compressed).toBytes(false);
+	}
+	/**
+	* Compress an uncompressed public key.
+	*/
+	function ecdsaCompressPublicKey(uncompressed) {
+		if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);
+		return _noble_curves_secp256k1_js.secp256k1.Point.fromBytes(uncompressed).toBytes(true);
+	}
+	/**
+	* Derive an ECDSA private key from key material using HKDF.
+	*
+	* Note: This directly returns the HKDF output without validation,
+	* matching the Rust reference implementation behavior.
+	*/
+	function ecdsaDerivePrivateKey(keyMaterial) {
+		return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), ECDSA_PRIVATE_KEY_SIZE);
+	}
+	/**
+	* Extract the x-only (Schnorr) public key from a private key.
+	* This is used for BIP-340 Schnorr signatures.
+	*/
+	function schnorrPublicKeyFromPrivateKey(privateKey) {
+		if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+		return _noble_curves_secp256k1_js.secp256k1.getPublicKey(privateKey, false).slice(1, 33);
+	}
+
+//#endregion
+//#region src/ecdsa-signing.ts
+/**
+	* Sign a message using ECDSA with secp256k1.
+	*
+	* The message is hashed with double SHA-256 before signing (Bitcoin standard).
+	*
+	* **Security Note**: The private key must be kept secret. ECDSA requires
+	* cryptographically secure random nonces internally; this is handled by
+	* the underlying library using RFC 6979 deterministic nonces.
+	*
+	* @param privateKey - 32-byte secp256k1 private key
+	* @param message - Message to sign (any length, will be double-SHA256 hashed)
+	* @returns 64-byte compact signature (r || s format)
+	* @throws {Error} If private key is not 32 bytes
+	*/
+	function ecdsaSign(privateKey, message) {
+		if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+		const messageHash = doubleSha256(message);
+		return _noble_curves_secp256k1_js.secp256k1.sign(messageHash, privateKey, { prehash: false });
+	}
+	/**
+	* Verify an ECDSA signature with secp256k1.
+	*
+	* The message is hashed with double SHA-256 before verification (Bitcoin standard).
+	*
+	* @param publicKey - 33-byte compressed secp256k1 public key
+	* @param signature - 64-byte compact signature (r || s format)
+	* @param message - Original message that was signed
+	* @returns `true` if signature is valid, `false` if signature verification fails
+	* @throws {Error} If public key is not 33 bytes or signature is not 64 bytes
+	*/
+	function ecdsaVerify(publicKey, signature, message) {
+		if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+		if (signature.length !== ECDSA_SIGNATURE_SIZE) throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);
+		try {
+			const messageHash = doubleSha256(message);
+			return _noble_curves_secp256k1_js.secp256k1.verify(signature, messageHash, publicKey, { prehash: false });
+		} catch {
+			return false;
+		}
+	}
+
+//#endregion
+//#region src/schnorr-signing.ts
+	const SCHNORR_SIGNATURE_SIZE = 64;
+	/**
+	* Sign a message using Schnorr signature (BIP-340).
+	* Uses secure random auxiliary randomness.
+	*
+	* @param ecdsaPrivateKey - 32-byte private key
+	* @param message - Message to sign (not pre-hashed, per BIP-340)
+	* @returns 64-byte Schnorr signature
+	*/
+	function schnorrSign(ecdsaPrivateKey, message) {
+		return schnorrSignUsing(ecdsaPrivateKey, message, new _bcts_rand.SecureRandomNumberGenerator());
+	}
+	/**
+	* Sign a message using Schnorr signature with a custom RNG.
+	*
+	* @param ecdsaPrivateKey - 32-byte private key
+	* @param message - Message to sign
+	* @param rng - Random number generator for auxiliary randomness
+	* @returns 64-byte Schnorr signature
+	*/
+	function schnorrSignUsing(ecdsaPrivateKey, message, rng) {
+		return schnorrSignWithAuxRand(ecdsaPrivateKey, message, rng.randomData(32));
+	}
+	/**
+	* Sign a message using Schnorr signature with specific auxiliary randomness.
+	* This is useful for deterministic signing in tests.
+	*
+	* @param ecdsaPrivateKey - 32-byte private key
+	* @param message - Message to sign
+	* @param auxRand - 32-byte auxiliary randomness (per BIP-340)
+	* @returns 64-byte Schnorr signature
+	*/
+	function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
+		if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+		if (auxRand.length !== 32) throw new Error("Auxiliary randomness must be 32 bytes");
+		return _noble_curves_secp256k1_js.schnorr.sign(message, ecdsaPrivateKey, auxRand);
+	}
+	/**
+	* Verify a Schnorr signature (BIP-340).
+	*
+	* @param schnorrPublicKey - 32-byte x-only public key
+	* @param signature - 64-byte Schnorr signature
+	* @param message - Original message
+	* @returns true if signature is valid
+	*/
+	function schnorrVerify(schnorrPublicKey, signature, message) {
+		if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);
+		if (signature.length !== SCHNORR_SIGNATURE_SIZE) throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);
+		try {
+			return _noble_curves_secp256k1_js.schnorr.verify(signature, message, schnorrPublicKey);
+		} catch {
+			return false;
+		}
+	}
+
+//#endregion
+//#region src/ed25519-signing.ts
+	const ED25519_PUBLIC_KEY_SIZE = 32;
+	const ED25519_PRIVATE_KEY_SIZE = 32;
+	const ED25519_SIGNATURE_SIZE = 64;
+	/**
+	* Generate a new random Ed25519 private key.
+	*/
+	function ed25519NewPrivateKeyUsing(rng) {
+		return rng.randomData(ED25519_PRIVATE_KEY_SIZE);
+	}
+	/**
+	* Derive an Ed25519 public key from a private key.
+	*/
+	function ed25519PublicKeyFromPrivateKey(privateKey) {
+		if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+		return _noble_curves_ed25519_js.ed25519.getPublicKey(privateKey);
+	}
+	/**
+	* Sign a message using Ed25519.
+	*
+	* **Security Note**: The private key must be kept secret. The same private key
+	* can safely sign multiple messages.
+	*
+	* @param privateKey - 32-byte Ed25519 private key
+	* @param message - Message to sign (any length)
+	* @returns 64-byte Ed25519 signature
+	* @throws {Error} If private key is not 32 bytes
+	*/
+	function ed25519Sign(privateKey, message) {
+		if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+		return _noble_curves_ed25519_js.ed25519.sign(message, privateKey);
+	}
+	/**
+	* Verify an Ed25519 signature.
+	*
+	* @param publicKey - 32-byte Ed25519 public key
+	* @param message - Original message that was signed
+	* @param signature - 64-byte Ed25519 signature
+	* @returns `true` if signature is valid, `false` if signature verification fails
+	* @throws {Error} If public key is not 32 bytes or signature is not 64 bytes
+	*/
+	function ed25519Verify(publicKey, message, signature) {
+		if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);
+		if (signature.length !== ED25519_SIGNATURE_SIZE) throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);
+		try {
+			return _noble_curves_ed25519_js.ed25519.verify(signature, message, publicKey);
+		} catch {
+			return false;
+		}
+	}
+
+//#endregion
+//#region src/scrypt.ts
+/**
+	* Derive a key using Scrypt with recommended parameters.
+	* Uses N=2^15 (32768), r=8, p=1 as recommended defaults.
+	*
+	* @param password - Password or passphrase
+	* @param salt - Salt value
+	* @param outputLen - Desired output length
+	* @returns Derived key
+	*/
+	function scrypt(password, salt, outputLen) {
+		return scryptOpt(password, salt, outputLen, 15, 8, 1);
+	}
+	/**
+	* Derive a key using Scrypt with custom parameters.
+	*
+	* @param password - Password or passphrase
+	* @param salt - Salt value
+	* @param outputLen - Desired output length
+	* @param logN - Log2 of the CPU/memory cost parameter N (must be <64)
+	* @param r - Block size parameter (must be >0)
+	* @param p - Parallelization parameter (must be >0)
+	* @returns Derived key
+	*/
+	function scryptOpt(password, salt, outputLen, logN, r, p) {
+		if (logN >= 64) throw new Error("logN must be <64");
+		if (r === 0) throw new Error("r must be >0");
+		if (p === 0) throw new Error("p must be >0");
+		return (0, _noble_hashes_scrypt_js.scrypt)(password, salt, {
+			N: 1 << logN,
+			r,
+			p,
+			dkLen: outputLen
+		});
+	}
+
+//#endregion
+//#region src/argon.ts
+/**
+	* Derive a key using Argon2id with default parameters.
+	*
+	* @param password - Password or passphrase
+	* @param salt - Salt value (must be at least 8 bytes)
+	* @param outputLen - Desired output length
+	* @returns Derived key
+	*/
+	function argon2idHash(password, salt, outputLen) {
+		return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);
+	}
+	/**
+	* Derive a key using Argon2id with custom parameters.
+	*
+	* @param password - Password or passphrase
+	* @param salt - Salt value (must be at least 8 bytes)
+	* @param outputLen - Desired output length
+	* @param iterations - Number of iterations (t)
+	* @param memory - Memory in KiB (m)
+	* @param parallelism - Degree of parallelism (p)
+	* @returns Derived key
+	*/
+	function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallelism) {
+		return (0, _noble_hashes_argon2_js.argon2id)(password, salt, {
+			t: iterations,
+			m: memory,
+			p: parallelism,
+			dkLen: outputLen
+		});
+	}
+
+//#endregion
+exports.AeadError = AeadError;
+exports.CRC32_SIZE = CRC32_SIZE;
+exports.CryptoError = CryptoError;
+exports.ECDSA_MESSAGE_HASH_SIZE = ECDSA_MESSAGE_HASH_SIZE;
+exports.ECDSA_PRIVATE_KEY_SIZE = ECDSA_PRIVATE_KEY_SIZE;
+exports.ECDSA_PUBLIC_KEY_SIZE = ECDSA_PUBLIC_KEY_SIZE;
+exports.ECDSA_SIGNATURE_SIZE = ECDSA_SIGNATURE_SIZE;
+exports.ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE;
+exports.ED25519_PRIVATE_KEY_SIZE = ED25519_PRIVATE_KEY_SIZE;
+exports.ED25519_PUBLIC_KEY_SIZE = ED25519_PUBLIC_KEY_SIZE;
+exports.ED25519_SIGNATURE_SIZE = ED25519_SIGNATURE_SIZE;
+exports.GENERIC_PRIVATE_KEY_SIZE = GENERIC_PRIVATE_KEY_SIZE;
+exports.GENERIC_PUBLIC_KEY_SIZE = GENERIC_PUBLIC_KEY_SIZE;
+exports.SCHNORR_PUBLIC_KEY_SIZE = SCHNORR_PUBLIC_KEY_SIZE;
+exports.SCHNORR_SIGNATURE_SIZE = SCHNORR_SIGNATURE_SIZE;
+exports.SHA256_SIZE = SHA256_SIZE;
+exports.SHA512_SIZE = SHA512_SIZE;
+exports.SYMMETRIC_AUTH_SIZE = SYMMETRIC_AUTH_SIZE;
+exports.SYMMETRIC_KEY_SIZE = SYMMETRIC_KEY_SIZE;
+exports.SYMMETRIC_NONCE_SIZE = SYMMETRIC_NONCE_SIZE;
+exports.X25519_PRIVATE_KEY_SIZE = X25519_PRIVATE_KEY_SIZE;
+exports.X25519_PUBLIC_KEY_SIZE = X25519_PUBLIC_KEY_SIZE;
+exports.aeadChaCha20Poly1305Decrypt = aeadChaCha20Poly1305Decrypt;
+exports.aeadChaCha20Poly1305DecryptWithAad = aeadChaCha20Poly1305DecryptWithAad;
+exports.aeadChaCha20Poly1305Encrypt = aeadChaCha20Poly1305Encrypt;
+exports.aeadChaCha20Poly1305EncryptWithAad = aeadChaCha20Poly1305EncryptWithAad;
+exports.argon2idHash = argon2idHash;
+exports.argon2idHashOpt = argon2idHashOpt;
+exports.crc32 = crc32;
+exports.crc32Data = crc32Data;
+exports.crc32DataOpt = crc32DataOpt;
+exports.deriveAgreementPrivateKey = deriveAgreementPrivateKey;
+exports.deriveSigningPrivateKey = deriveSigningPrivateKey;
+exports.doubleSha256 = doubleSha256;
+exports.ecdsaCompressPublicKey = ecdsaCompressPublicKey;
+exports.ecdsaDecompressPublicKey = ecdsaDecompressPublicKey;
+exports.ecdsaDerivePrivateKey = ecdsaDerivePrivateKey;
+exports.ecdsaNewPrivateKeyUsing = ecdsaNewPrivateKeyUsing;
+exports.ecdsaPublicKeyFromPrivateKey = ecdsaPublicKeyFromPrivateKey;
+exports.ecdsaSign = ecdsaSign;
+exports.ecdsaVerify = ecdsaVerify;
+exports.ed25519NewPrivateKeyUsing = ed25519NewPrivateKeyUsing;
+exports.ed25519PublicKeyFromPrivateKey = ed25519PublicKeyFromPrivateKey;
+exports.ed25519Sign = ed25519Sign;
+exports.ed25519Verify = ed25519Verify;
+exports.hkdfHmacSha256 = hkdfHmacSha256;
+exports.hkdfHmacSha512 = hkdfHmacSha512;
+exports.hmacSha256 = hmacSha256;
+exports.hmacSha512 = hmacSha512;
+exports.memzero = memzero;
+exports.memzeroVecVecU8 = memzeroVecVecU8;
+exports.pbkdf2HmacSha256 = pbkdf2HmacSha256;
+exports.pbkdf2HmacSha512 = pbkdf2HmacSha512;
+exports.schnorrPublicKeyFromPrivateKey = schnorrPublicKeyFromPrivateKey;
+exports.schnorrSign = schnorrSign;
+exports.schnorrSignUsing = schnorrSignUsing;
+exports.schnorrSignWithAuxRand = schnorrSignWithAuxRand;
+exports.schnorrVerify = schnorrVerify;
+exports.scrypt = scrypt;
+exports.scryptOpt = scryptOpt;
+exports.sha256 = sha256;
+exports.sha512 = sha512;
+exports.x25519NewPrivateKeyUsing = x25519NewPrivateKeyUsing;
+exports.x25519PublicKeyFromPrivateKey = x25519PublicKeyFromPrivateKey;
+exports.x25519SharedKey = x25519SharedKey;
+return exports;
+})({}, nobleHashesSha2, nobleHashesHmac, nobleHashesPbkdf2, nobleHashesHkdf, nobleCiphersChacha, nobleCurvesEd25519, nobleCurvesSecp256k1, bctsRand, nobleHashesScrypt, nobleHashesArgon2);
+//# sourceMappingURL=index.iife.js.map