@bcts/crypto 1.0.0-alpha.10

package/dist/index.iife.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.iife.js","names":["nobleSha256","nobleSha512","x25519","secp256k1","secp256k1","SecureRandomNumberGenerator","schnorr","ed25519"],"sources":["../src/error.ts","../src/memzero.ts","../src/hash.ts","../src/symmetric-encryption.ts","../src/public-key-encryption.ts","../src/ecdsa-keys.ts","../src/ecdsa-signing.ts","../src/schnorr-signing.ts","../src/ed25519-signing.ts","../src/scrypt.ts","../src/argon.ts"],"sourcesContent":["// Ported from bc-crypto-rust/src/error.rs\n\n/**\n * AEAD-specific error for authentication failures\n */\nexport class AeadError extends Error {\n  constructor(message = \"AEAD authentication failed\") {\n    super(message);\n    this.name = \"AeadError\";\n  }\n}\n\n/**\n * Generic crypto error type\n */\nexport class CryptoError extends Error {\n  override readonly cause?: Error | undefined;\n\n  constructor(message: string, cause?: Error) {\n    super(message);\n    this.name = \"CryptoError\";\n    this.cause = cause;\n  }\n\n  /**\n   * Create a CryptoError for AEAD authentication failures.\n   *\n   * @param error - Optional underlying AeadError\n   * @returns A CryptoError wrapping the AEAD error\n   */\n  static aead(error?: AeadError): CryptoError {\n    return new CryptoError(\"AEAD error\", error ?? new AeadError());\n  }\n\n  /**\n   * Create a CryptoError for invalid parameter values.\n   *\n   * @param message - Description of the invalid parameter\n   * @returns A CryptoError describing the invalid parameter\n   */\n  static invalidParameter(message: string): CryptoError {\n    return new CryptoError(`Invalid parameter: ${message}`);\n  }\n}\n\n/**\n * Result type for crypto operations (using standard Error)\n */\nexport type CryptoResult<T> = T;\n","// Ported from bc-crypto-rust/src/memzero.rs\n\n/**\n * Securely zero out a typed array.\n *\n * **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference\n * implementation which uses `std::ptr::write_volatile()` for guaranteed volatile\n * writes, JavaScript engines and JIT compilers can still potentially optimize\n * away these zeroing operations. The check at the end helps prevent optimization,\n * but it is not foolproof.\n *\n * For truly sensitive cryptographic operations, consider using the Web Crypto API's\n * `crypto.subtle` with non-extractable keys when possible, as it provides stronger\n * guarantees than what can be achieved with pure JavaScript.\n *\n * This function attempts to prevent the compiler from optimizing away\n * the zeroing operation by using a verification check after the zeroing loop.\n */\nexport function memzero(data: Uint8Array | Uint32Array): void {\n  const len = data.length;\n  for (let i = 0; i < len; i++) {\n    data[i] = 0;\n  }\n  // Force a side effect to prevent optimization\n  if (data.length > 0 && data[0] !== 0) {\n    throw new Error(\"memzero failed\");\n  }\n}\n\n/**\n * Securely zero out an array of Uint8Arrays.\n */\nexport function memzeroVecVecU8(arrays: Uint8Array[]): void {\n  for (const arr of arrays) {\n    memzero(arr);\n  }\n}\n","// Ported from bc-crypto-rust/src/hash.rs\n\nimport { sha256 as nobleSha256, sha512 as nobleSha512 } from \"@noble/hashes/sha2.js\";\nimport { hmac } from \"@noble/hashes/hmac.js\";\nimport { pbkdf2 } from \"@noble/hashes/pbkdf2.js\";\nimport { hkdf } from \"@noble/hashes/hkdf.js\";\n\n// Constants\nexport const CRC32_SIZE = 4;\nexport const SHA256_SIZE = 32;\nexport const SHA512_SIZE = 64;\n\n// CRC-32 lookup table (IEEE polynomial 0xedb88320)\nconst CRC32_TABLE = new Uint32Array(256);\nfor (let i = 0; i < 256; i++) {\n  let crc = i;\n  for (let j = 0; j < 8; j++) {\n    crc = (crc & 1) !== 0 ? (crc >>> 1) ^ 0xedb88320 : crc >>> 1;\n  }\n  CRC32_TABLE[i] = crc >>> 0;\n}\n\n/**\n * Calculate CRC-32 checksum\n */\nexport function crc32(data: Uint8Array): number {\n  let crc = 0xffffffff;\n  for (const byte of data) {\n    crc = CRC32_TABLE[(crc ^ byte) & 0xff] ^ (crc >>> 8);\n  }\n  return (crc ^ 0xffffffff) >>> 0;\n}\n\n/**\n * Calculate CRC-32 checksum and return as a 4-byte big-endian array\n */\nexport function crc32Data(data: Uint8Array): Uint8Array {\n  return crc32DataOpt(data, false);\n}\n\n/**\n * Calculate CRC-32 checksum and return as a 4-byte array\n * @param data - Input data\n * @param littleEndian - If true, returns little-endian; otherwise big-endian\n */\nexport function crc32DataOpt(data: Uint8Array, littleEndian: boolean): Uint8Array {\n  const checksum = crc32(data);\n  const result = new Uint8Array(4);\n  const view = new DataView(result.buffer);\n  view.setUint32(0, checksum, littleEndian);\n  return result;\n}\n\n/**\n * Calculate SHA-256 hash\n */\nexport function sha256(data: Uint8Array): Uint8Array {\n  return nobleSha256(data);\n}\n\n/**\n * Calculate double SHA-256 hash (SHA-256 of SHA-256)\n * This is the standard Bitcoin hashing function\n */\nexport function doubleSha256(message: Uint8Array): Uint8Array {\n  return sha256(sha256(message));\n}\n\n/**\n * Calculate SHA-512 hash\n */\nexport function sha512(data: Uint8Array): Uint8Array {\n  return nobleSha512(data);\n}\n\n/**\n * Calculate HMAC-SHA-256\n */\nexport function hmacSha256(key: Uint8Array, message: Uint8Array): Uint8Array {\n  return hmac(nobleSha256, key, message);\n}\n\n/**\n * Calculate HMAC-SHA-512\n */\nexport function hmacSha512(key: Uint8Array, message: Uint8Array): Uint8Array {\n  return hmac(nobleSha512, key, message);\n}\n\n/**\n * Derive a key using PBKDF2 with HMAC-SHA-256\n */\nexport function pbkdf2HmacSha256(\n  password: Uint8Array,\n  salt: Uint8Array,\n  iterations: number,\n  keyLen: number,\n): Uint8Array {\n  return pbkdf2(nobleSha256, password, salt, { c: iterations, dkLen: keyLen });\n}\n\n/**\n * Derive a key using PBKDF2 with HMAC-SHA-512\n */\nexport function pbkdf2HmacSha512(\n  password: Uint8Array,\n  salt: Uint8Array,\n  iterations: number,\n  keyLen: number,\n): Uint8Array {\n  return pbkdf2(nobleSha512, password, salt, { c: iterations, dkLen: keyLen });\n}\n\n/**\n * Derive a key using HKDF with HMAC-SHA-256\n */\nexport function hkdfHmacSha256(\n  keyMaterial: Uint8Array,\n  salt: Uint8Array,\n  keyLen: number,\n): Uint8Array {\n  return hkdf(nobleSha256, keyMaterial, salt, undefined, keyLen);\n}\n\n/**\n * Derive a key using HKDF with HMAC-SHA-512\n */\nexport function hkdfHmacSha512(\n  keyMaterial: Uint8Array,\n  salt: Uint8Array,\n  keyLen: number,\n): Uint8Array {\n  return hkdf(nobleSha512, keyMaterial, salt, undefined, keyLen);\n}\n","// Ported from bc-crypto-rust/src/symmetric_encryption.rs\n\nimport { chacha20poly1305 } from \"@noble/ciphers/chacha.js\";\nimport { CryptoError, AeadError } from \"./error.js\";\n\n// Constants\nexport const SYMMETRIC_KEY_SIZE = 32;\nexport const SYMMETRIC_NONCE_SIZE = 12;\nexport const SYMMETRIC_AUTH_SIZE = 16;\n\n/**\n * Encrypt data using ChaCha20-Poly1305 AEAD cipher.\n *\n * **Security Warning**: The nonce MUST be unique for every encryption operation\n * with the same key. Reusing a nonce completely breaks the security of the\n * encryption scheme and can reveal plaintext.\n *\n * @param plaintext - The data to encrypt\n * @param key - 32-byte encryption key\n * @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)\n * @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes\n * @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes\n */\nexport function aeadChaCha20Poly1305Encrypt(\n  plaintext: Uint8Array,\n  key: Uint8Array,\n  nonce: Uint8Array,\n): [Uint8Array, Uint8Array] {\n  return aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, new Uint8Array(0));\n}\n\n/**\n * Encrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.\n *\n * **Security Warning**: The nonce MUST be unique for every encryption operation\n * with the same key. Reusing a nonce completely breaks the security of the\n * encryption scheme and can reveal plaintext.\n *\n * @param plaintext - The data to encrypt\n * @param key - 32-byte encryption key\n * @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)\n * @param aad - Additional authenticated data (not encrypted, but integrity-protected)\n * @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes\n * @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes\n */\nexport function aeadChaCha20Poly1305EncryptWithAad(\n  plaintext: Uint8Array,\n  key: Uint8Array,\n  nonce: Uint8Array,\n  aad: Uint8Array,\n): [Uint8Array, Uint8Array] {\n  if (key.length !== SYMMETRIC_KEY_SIZE) {\n    throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);\n  }\n  if (nonce.length !== SYMMETRIC_NONCE_SIZE) {\n    throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);\n  }\n\n  const cipher = chacha20poly1305(key, nonce, aad);\n  const sealed = cipher.encrypt(plaintext);\n\n  // The sealed output contains ciphertext + 16-byte auth tag\n  const ciphertext = sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE);\n  const authTag = sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE);\n\n  return [ciphertext, authTag];\n}\n\n/**\n * Decrypt data using ChaCha20-Poly1305 AEAD cipher.\n *\n * @param ciphertext - The encrypted data\n * @param key - 32-byte encryption key (must match key used for encryption)\n * @param nonce - 12-byte nonce (must match nonce used for encryption)\n * @param authTag - 16-byte authentication tag from encryption\n * @returns Decrypted plaintext\n * @throws {CryptoError} If key/nonce/authTag sizes are invalid\n * @throws {CryptoError} If authentication fails (tampered data or wrong key/nonce)\n */\nexport function aeadChaCha20Poly1305Decrypt(\n  ciphertext: Uint8Array,\n  key: Uint8Array,\n  nonce: Uint8Array,\n  authTag: Uint8Array,\n): Uint8Array {\n  return aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, new Uint8Array(0), authTag);\n}\n\n/**\n * Decrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.\n *\n * @param ciphertext - The encrypted data\n * @param key - 32-byte encryption key (must match key used for encryption)\n * @param nonce - 12-byte nonce (must match nonce used for encryption)\n * @param aad - Additional authenticated data (must exactly match AAD used for encryption)\n * @param authTag - 16-byte authentication tag from encryption\n * @returns Decrypted plaintext\n * @throws {CryptoError} If key/nonce/authTag sizes are invalid\n * @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)\n */\nexport function aeadChaCha20Poly1305DecryptWithAad(\n  ciphertext: Uint8Array,\n  key: Uint8Array,\n  nonce: Uint8Array,\n  aad: Uint8Array,\n  authTag: Uint8Array,\n): Uint8Array {\n  if (key.length !== SYMMETRIC_KEY_SIZE) {\n    throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);\n  }\n  if (nonce.length !== SYMMETRIC_NONCE_SIZE) {\n    throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);\n  }\n  if (authTag.length !== SYMMETRIC_AUTH_SIZE) {\n    throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);\n  }\n\n  // Combine ciphertext and auth tag for decryption\n  const sealed = new Uint8Array(ciphertext.length + authTag.length);\n  sealed.set(ciphertext);\n  sealed.set(authTag, ciphertext.length);\n\n  try {\n    const cipher = chacha20poly1305(key, nonce, aad);\n    return cipher.decrypt(sealed);\n  } catch (error) {\n    // Preserve the original error for debugging while wrapping in our error type\n    const aeadError = new AeadError(\n      `Decryption failed: ${error instanceof Error ? error.message : \"authentication error\"}`,\n    );\n    throw CryptoError.aead(aeadError);\n  }\n}\n","// Ported from bc-crypto-rust/src/public_key_encryption.rs\n\nimport { x25519 } from \"@noble/curves/ed25519.js\";\nimport type { RandomNumberGenerator } from \"@bcts/rand\";\nimport { hkdfHmacSha256 } from \"./hash.js\";\n\n// Constants\nexport const GENERIC_PRIVATE_KEY_SIZE = 32;\nexport const GENERIC_PUBLIC_KEY_SIZE = 32;\nexport const X25519_PRIVATE_KEY_SIZE = 32;\nexport const X25519_PUBLIC_KEY_SIZE = 32;\n\n/**\n * Derive an X25519 agreement private key from key material.\n * Uses HKDF with \"agreement\" as domain separation salt.\n */\nexport function deriveAgreementPrivateKey(keyMaterial: Uint8Array): Uint8Array {\n  const salt = new TextEncoder().encode(\"agreement\");\n  return hkdfHmacSha256(keyMaterial, salt, X25519_PRIVATE_KEY_SIZE);\n}\n\n/**\n * Derive a signing private key from key material.\n * Uses HKDF with \"signing\" as domain separation salt.\n */\nexport function deriveSigningPrivateKey(keyMaterial: Uint8Array): Uint8Array {\n  const salt = new TextEncoder().encode(\"signing\");\n  return hkdfHmacSha256(keyMaterial, salt, 32);\n}\n\n/**\n * Generate a new random X25519 private key.\n */\nexport function x25519NewPrivateKeyUsing(rng: RandomNumberGenerator): Uint8Array {\n  return rng.randomData(X25519_PRIVATE_KEY_SIZE);\n}\n\n/**\n * Derive an X25519 public key from a private key.\n */\nexport function x25519PublicKeyFromPrivateKey(privateKey: Uint8Array): Uint8Array {\n  if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);\n  }\n  return x25519.getPublicKey(privateKey);\n}\n\n/**\n * Compute a shared secret using X25519 key agreement (ECDH).\n *\n * **Security Note**: The resulting shared secret should be used with a KDF\n * (like HKDF) before using it as an encryption key. Never use the raw\n * shared secret directly for encryption.\n *\n * @param x25519Private - 32-byte X25519 private key\n * @param x25519Public - 32-byte X25519 public key from the other party\n * @returns 32-byte shared secret\n * @throws {Error} If private key is not 32 bytes or public key is not 32 bytes\n */\nexport function x25519SharedKey(x25519Private: Uint8Array, x25519Public: Uint8Array): Uint8Array {\n  if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);\n  }\n  if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) {\n    throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);\n  }\n  return x25519.getSharedSecret(x25519Private, x25519Public);\n}\n","// Ported from bc-crypto-rust/src/ecdsa_keys.rs\n\nimport { secp256k1 } from \"@noble/curves/secp256k1.js\";\nimport type { RandomNumberGenerator } from \"@bcts/rand\";\nimport { hkdfHmacSha256 } from \"./hash.js\";\n\n// Constants\nexport const ECDSA_PRIVATE_KEY_SIZE = 32;\nexport const ECDSA_PUBLIC_KEY_SIZE = 33; // Compressed\nexport const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;\nexport const ECDSA_MESSAGE_HASH_SIZE = 32;\nexport const ECDSA_SIGNATURE_SIZE = 64;\nexport const SCHNORR_PUBLIC_KEY_SIZE = 32; // x-only\n\n/**\n * Generate a new random ECDSA private key using secp256k1.\n *\n * Note: Unlike some implementations, this directly returns the random bytes\n * without validation. The secp256k1 library will handle any edge cases when\n * the key is used.\n */\nexport function ecdsaNewPrivateKeyUsing(rng: RandomNumberGenerator): Uint8Array {\n  return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);\n}\n\n/**\n * Derive a compressed ECDSA public key from a private key.\n */\nexport function ecdsaPublicKeyFromPrivateKey(privateKey: Uint8Array): Uint8Array {\n  if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);\n  }\n  return secp256k1.getPublicKey(privateKey, true); // true = compressed\n}\n\n/**\n * Decompress a compressed public key to uncompressed format.\n */\nexport function ecdsaDecompressPublicKey(compressed: Uint8Array): Uint8Array {\n  if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) {\n    throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);\n  }\n  const point = secp256k1.Point.fromBytes(compressed);\n  return point.toBytes(false); // false = uncompressed\n}\n\n/**\n * Compress an uncompressed public key.\n */\nexport function ecdsaCompressPublicKey(uncompressed: Uint8Array): Uint8Array {\n  if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) {\n    throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);\n  }\n  const point = secp256k1.Point.fromBytes(uncompressed);\n  return point.toBytes(true); // true = compressed\n}\n\n/**\n * Derive an ECDSA private key from key material using HKDF.\n *\n * Note: This directly returns the HKDF output without validation,\n * matching the Rust reference implementation behavior.\n */\nexport function ecdsaDerivePrivateKey(keyMaterial: Uint8Array): Uint8Array {\n  const salt = new TextEncoder().encode(\"signing\");\n  return hkdfHmacSha256(keyMaterial, salt, ECDSA_PRIVATE_KEY_SIZE);\n}\n\n/**\n * Extract the x-only (Schnorr) public key from a private key.\n * This is used for BIP-340 Schnorr signatures.\n */\nexport function schnorrPublicKeyFromPrivateKey(privateKey: Uint8Array): Uint8Array {\n  if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);\n  }\n  // Get the full public key and extract just the x-coordinate\n  const fullPubKey = secp256k1.getPublicKey(privateKey, false); // uncompressed\n  // Skip the 0x04 prefix and take only x-coordinate (first 32 bytes after prefix)\n  return fullPubKey.slice(1, 33);\n}\n","// Ported from bc-crypto-rust/src/ecdsa_signing.rs\n\nimport { secp256k1 } from \"@noble/curves/secp256k1.js\";\nimport { doubleSha256 } from \"./hash.js\";\nimport {\n  ECDSA_PRIVATE_KEY_SIZE,\n  ECDSA_PUBLIC_KEY_SIZE,\n  ECDSA_SIGNATURE_SIZE,\n} from \"./ecdsa-keys.js\";\n\n/**\n * Sign a message using ECDSA with secp256k1.\n *\n * The message is hashed with double SHA-256 before signing (Bitcoin standard).\n *\n * **Security Note**: The private key must be kept secret. ECDSA requires\n * cryptographically secure random nonces internally; this is handled by\n * the underlying library using RFC 6979 deterministic nonces.\n *\n * @param privateKey - 32-byte secp256k1 private key\n * @param message - Message to sign (any length, will be double-SHA256 hashed)\n * @returns 64-byte compact signature (r || s format)\n * @throws {Error} If private key is not 32 bytes\n */\nexport function ecdsaSign(privateKey: Uint8Array, message: Uint8Array): Uint8Array {\n  if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);\n  }\n\n  const messageHash = doubleSha256(message);\n  // prehash: false because we already hashed the message with doubleSha256\n  return secp256k1.sign(messageHash, privateKey, { prehash: false });\n}\n\n/**\n * Verify an ECDSA signature with secp256k1.\n *\n * The message is hashed with double SHA-256 before verification (Bitcoin standard).\n *\n * @param publicKey - 33-byte compressed secp256k1 public key\n * @param signature - 64-byte compact signature (r || s format)\n * @param message - Original message that was signed\n * @returns `true` if signature is valid, `false` if signature verification fails\n * @throws {Error} If public key is not 33 bytes or signature is not 64 bytes\n */\nexport function ecdsaVerify(\n  publicKey: Uint8Array,\n  signature: Uint8Array,\n  message: Uint8Array,\n): boolean {\n  if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) {\n    throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);\n  }\n  if (signature.length !== ECDSA_SIGNATURE_SIZE) {\n    throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);\n  }\n\n  try {\n    const messageHash = doubleSha256(message);\n    // prehash: false because we already hashed the message with doubleSha256\n    return secp256k1.verify(signature, messageHash, publicKey, { prehash: false });\n  } catch {\n    return false;\n  }\n}\n","// Ported from bc-crypto-rust/src/schnorr_signing.rs\n\nimport { schnorr } from \"@noble/curves/secp256k1.js\";\nimport type { RandomNumberGenerator } from \"@bcts/rand\";\nimport { SecureRandomNumberGenerator } from \"@bcts/rand\";\nimport { ECDSA_PRIVATE_KEY_SIZE, SCHNORR_PUBLIC_KEY_SIZE } from \"./ecdsa-keys.js\";\n\n// Constants\nexport const SCHNORR_SIGNATURE_SIZE = 64;\n\n/**\n * Sign a message using Schnorr signature (BIP-340).\n * Uses secure random auxiliary randomness.\n *\n * @param ecdsaPrivateKey - 32-byte private key\n * @param message - Message to sign (not pre-hashed, per BIP-340)\n * @returns 64-byte Schnorr signature\n */\nexport function schnorrSign(ecdsaPrivateKey: Uint8Array, message: Uint8Array): Uint8Array {\n  const rng = new SecureRandomNumberGenerator();\n  return schnorrSignUsing(ecdsaPrivateKey, message, rng);\n}\n\n/**\n * Sign a message using Schnorr signature with a custom RNG.\n *\n * @param ecdsaPrivateKey - 32-byte private key\n * @param message - Message to sign\n * @param rng - Random number generator for auxiliary randomness\n * @returns 64-byte Schnorr signature\n */\nexport function schnorrSignUsing(\n  ecdsaPrivateKey: Uint8Array,\n  message: Uint8Array,\n  rng: RandomNumberGenerator,\n): Uint8Array {\n  const auxRand = rng.randomData(32);\n  return schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand);\n}\n\n/**\n * Sign a message using Schnorr signature with specific auxiliary randomness.\n * This is useful for deterministic signing in tests.\n *\n * @param ecdsaPrivateKey - 32-byte private key\n * @param message - Message to sign\n * @param auxRand - 32-byte auxiliary randomness (per BIP-340)\n * @returns 64-byte Schnorr signature\n */\nexport function schnorrSignWithAuxRand(\n  ecdsaPrivateKey: Uint8Array,\n  message: Uint8Array,\n  auxRand: Uint8Array,\n): Uint8Array {\n  if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);\n  }\n  if (auxRand.length !== 32) {\n    throw new Error(\"Auxiliary randomness must be 32 bytes\");\n  }\n\n  return schnorr.sign(message, ecdsaPrivateKey, auxRand);\n}\n\n/**\n * Verify a Schnorr signature (BIP-340).\n *\n * @param schnorrPublicKey - 32-byte x-only public key\n * @param signature - 64-byte Schnorr signature\n * @param message - Original message\n * @returns true if signature is valid\n */\nexport function schnorrVerify(\n  schnorrPublicKey: Uint8Array,\n  signature: Uint8Array,\n  message: Uint8Array,\n): boolean {\n  if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) {\n    throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);\n  }\n  if (signature.length !== SCHNORR_SIGNATURE_SIZE) {\n    throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);\n  }\n\n  try {\n    return schnorr.verify(signature, message, schnorrPublicKey);\n  } catch {\n    return false;\n  }\n}\n","// Ported from bc-crypto-rust/src/ed25519_signing.rs\n\nimport { ed25519 } from \"@noble/curves/ed25519.js\";\nimport type { RandomNumberGenerator } from \"@bcts/rand\";\n\n// Constants\nexport const ED25519_PUBLIC_KEY_SIZE = 32;\nexport const ED25519_PRIVATE_KEY_SIZE = 32;\nexport const ED25519_SIGNATURE_SIZE = 64;\n\n/**\n * Generate a new random Ed25519 private key.\n */\nexport function ed25519NewPrivateKeyUsing(rng: RandomNumberGenerator): Uint8Array {\n  return rng.randomData(ED25519_PRIVATE_KEY_SIZE);\n}\n\n/**\n * Derive an Ed25519 public key from a private key.\n */\nexport function ed25519PublicKeyFromPrivateKey(privateKey: Uint8Array): Uint8Array {\n  if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);\n  }\n  return ed25519.getPublicKey(privateKey);\n}\n\n/**\n * Sign a message using Ed25519.\n *\n * **Security Note**: The private key must be kept secret. The same private key\n * can safely sign multiple messages.\n *\n * @param privateKey - 32-byte Ed25519 private key\n * @param message - Message to sign (any length)\n * @returns 64-byte Ed25519 signature\n * @throws {Error} If private key is not 32 bytes\n */\nexport function ed25519Sign(privateKey: Uint8Array, message: Uint8Array): Uint8Array {\n  if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) {\n    throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);\n  }\n  return ed25519.sign(message, privateKey);\n}\n\n/**\n * Verify an Ed25519 signature.\n *\n * @param publicKey - 32-byte Ed25519 public key\n * @param message - Original message that was signed\n * @param signature - 64-byte Ed25519 signature\n * @returns `true` if signature is valid, `false` if signature verification fails\n * @throws {Error} If public key is not 32 bytes or signature is not 64 bytes\n */\nexport function ed25519Verify(\n  publicKey: Uint8Array,\n  message: Uint8Array,\n  signature: Uint8Array,\n): boolean {\n  if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) {\n    throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);\n  }\n  if (signature.length !== ED25519_SIGNATURE_SIZE) {\n    throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);\n  }\n\n  try {\n    return ed25519.verify(signature, message, publicKey);\n  } catch {\n    return false;\n  }\n}\n","// Ported from bc-crypto-rust/src/scrypt.rs\n\nimport { scrypt as nobleScrypt } from \"@noble/hashes/scrypt.js\";\n\n/**\n * Derive a key using Scrypt with recommended parameters.\n * Uses N=2^15 (32768), r=8, p=1 as recommended defaults.\n *\n * @param password - Password or passphrase\n * @param salt - Salt value\n * @param outputLen - Desired output length\n * @returns Derived key\n */\nexport function scrypt(password: Uint8Array, salt: Uint8Array, outputLen: number): Uint8Array {\n  return scryptOpt(password, salt, outputLen, 15, 8, 1);\n}\n\n/**\n * Derive a key using Scrypt with custom parameters.\n *\n * @param password - Password or passphrase\n * @param salt - Salt value\n * @param outputLen - Desired output length\n * @param logN - Log2 of the CPU/memory cost parameter N (must be <64)\n * @param r - Block size parameter (must be >0)\n * @param p - Parallelization parameter (must be >0)\n * @returns Derived key\n */\nexport function scryptOpt(\n  password: Uint8Array,\n  salt: Uint8Array,\n  outputLen: number,\n  logN: number,\n  r: number,\n  p: number,\n): Uint8Array {\n  if (logN >= 64) {\n    throw new Error(\"logN must be <64\");\n  }\n  if (r === 0) {\n    throw new Error(\"r must be >0\");\n  }\n  if (p === 0) {\n    throw new Error(\"p must be >0\");\n  }\n\n  const N = 1 << logN; // 2^logN\n\n  return nobleScrypt(password, salt, { N, r, p, dkLen: outputLen });\n}\n","// Ported from bc-crypto-rust/src/argon.rs\n\nimport { argon2id } from \"@noble/hashes/argon2.js\";\n\n/**\n * Derive a key using Argon2id with default parameters.\n *\n * @param password - Password or passphrase\n * @param salt - Salt value (must be at least 8 bytes)\n * @param outputLen - Desired output length\n * @returns Derived key\n */\nexport function argon2idHash(\n  password: Uint8Array,\n  salt: Uint8Array,\n  outputLen: number,\n): Uint8Array {\n  // Use default parameters similar to the Rust implementation\n  return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);\n}\n\n/**\n * Derive a key using Argon2id with custom parameters.\n *\n * @param password - Password or passphrase\n * @param salt - Salt value (must be at least 8 bytes)\n * @param outputLen - Desired output length\n * @param iterations - Number of iterations (t)\n * @param memory - Memory in KiB (m)\n * @param parallelism - Degree of parallelism (p)\n * @returns Derived key\n */\nexport function argon2idHashOpt(\n  password: Uint8Array,\n  salt: Uint8Array,\n  outputLen: number,\n  iterations: number,\n  memory: number,\n  parallelism: number,\n): Uint8Array {\n  return argon2id(password, salt, {\n    t: iterations,\n    m: memory,\n    p: parallelism,\n    dkLen: outputLen,\n  });\n}\n"],"mappings":";;;;;;;CAKA,IAAa,YAAb,cAA+B,MAAM;EACnC,YAAY,UAAU,8BAA8B;AAClD,SAAM,QAAQ;AACd,QAAK,OAAO;;;;;;CAOhB,IAAa,cAAb,MAAa,oBAAoB,MAAM;EACrC,AAAkB;EAElB,YAAY,SAAiB,OAAe;AAC1C,SAAM,QAAQ;AACd,QAAK,OAAO;AACZ,QAAK,QAAQ;;;;;;;;EASf,OAAO,KAAK,OAAgC;AAC1C,UAAO,IAAI,YAAY,cAAc,SAAS,IAAI,WAAW,CAAC;;;;;;;;EAShE,OAAO,iBAAiB,SAA8B;AACpD,UAAO,IAAI,YAAY,sBAAsB,UAAU;;;;;;;;;;;;;;;;;;;;;;CCvB3D,SAAgB,QAAQ,MAAsC;EAC5D,MAAM,MAAM,KAAK;AACjB,OAAK,IAAI,IAAI,GAAG,IAAI,KAAK,IACvB,MAAK,KAAK;AAGZ,MAAI,KAAK,SAAS,KAAK,KAAK,OAAO,EACjC,OAAM,IAAI,MAAM,iBAAiB;;;;;CAOrC,SAAgB,gBAAgB,QAA4B;AAC1D,OAAK,MAAM,OAAO,OAChB,SAAQ,IAAI;;;;;CC1BhB,MAAa,aAAa;CAC1B,MAAa,cAAc;CAC3B,MAAa,cAAc;CAG3B,MAAM,cAAc,IAAI,YAAY,IAAI;AACxC,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,KAAK;EAC5B,IAAI,MAAM;AACV,OAAK,IAAI,IAAI,GAAG,IAAI,GAAG,IACrB,QAAO,MAAM,OAAO,IAAK,QAAQ,IAAK,aAAa,QAAQ;AAE7D,cAAY,KAAK,QAAQ;;;;;CAM3B,SAAgB,MAAM,MAA0B;EAC9C,IAAI,MAAM;AACV,OAAK,MAAM,QAAQ,KACjB,OAAM,aAAa,MAAM,QAAQ,OAAS,QAAQ;AAEpD,UAAQ,MAAM,gBAAgB;;;;;CAMhC,SAAgB,UAAU,MAA8B;AACtD,SAAO,aAAa,MAAM,MAAM;;;;;;;CAQlC,SAAgB,aAAa,MAAkB,cAAmC;EAChF,MAAM,WAAW,MAAM,KAAK;EAC5B,MAAM,SAAS,IAAI,WAAW,EAAE;AAEhC,EADa,IAAI,SAAS,OAAO,OAAO,CACnC,UAAU,GAAG,UAAU,aAAa;AACzC,SAAO;;;;;CAMT,SAAgB,OAAO,MAA8B;AACnD,2CAAmB,KAAK;;;;;;CAO1B,SAAgB,aAAa,SAAiC;AAC5D,SAAO,OAAO,OAAO,QAAQ,CAAC;;;;;CAMhC,SAAgB,OAAO,MAA8B;AACnD,2CAAmB,KAAK;;;;;CAM1B,SAAgB,WAAW,KAAiB,SAAiC;AAC3E,yCAAYA,8BAAa,KAAK,QAAQ;;;;;CAMxC,SAAgB,WAAW,KAAiB,SAAiC;AAC3E,yCAAYC,8BAAa,KAAK,QAAQ;;;;;CAMxC,SAAgB,iBACd,UACA,MACA,YACA,QACY;AACZ,6CAAcD,8BAAa,UAAU,MAAM;GAAE,GAAG;GAAY,OAAO;GAAQ,CAAC;;;;;CAM9E,SAAgB,iBACd,UACA,MACA,YACA,QACY;AACZ,6CAAcC,8BAAa,UAAU,MAAM;GAAE,GAAG;GAAY,OAAO;GAAQ,CAAC;;;;;CAM9E,SAAgB,eACd,aACA,MACA,QACY;AACZ,yCAAYD,8BAAa,aAAa,MAAM,QAAW,OAAO;;;;;CAMhE,SAAgB,eACd,aACA,MACA,QACY;AACZ,yCAAYC,8BAAa,aAAa,MAAM,QAAW,OAAO;;;;;CC9HhE,MAAa,qBAAqB;CAClC,MAAa,uBAAuB;CACpC,MAAa,sBAAsB;;;;;;;;;;;;;;CAenC,SAAgB,4BACd,WACA,KACA,OAC0B;AAC1B,SAAO,mCAAmC,WAAW,KAAK,OAAO,IAAI,WAAW,EAAE,CAAC;;;;;;;;;;;;;;;;CAiBrF,SAAgB,mCACd,WACA,KACA,OACA,KAC0B;AAC1B,MAAI,IAAI,WAAW,mBACjB,OAAM,YAAY,iBAAiB,eAAe,mBAAmB,QAAQ;AAE/E,MAAI,MAAM,WAAW,qBACnB,OAAM,YAAY,iBAAiB,iBAAiB,qBAAqB,QAAQ;EAInF,MAAM,wDAD0B,KAAK,OAAO,IAAI,CAC1B,QAAQ,UAAU;AAMxC,SAAO,CAHY,OAAO,MAAM,GAAG,OAAO,SAAS,oBAAoB,EACvD,OAAO,MAAM,OAAO,SAAS,oBAAoB,CAErC;;;;;;;;;;;;;CAc9B,SAAgB,4BACd,YACA,KACA,OACA,SACY;AACZ,SAAO,mCAAmC,YAAY,KAAK,OAAO,IAAI,WAAW,EAAE,EAAE,QAAQ;;;;;;;;;;;;;;CAe/F,SAAgB,mCACd,YACA,KACA,OACA,KACA,SACY;AACZ,MAAI,IAAI,WAAW,mBACjB,OAAM,YAAY,iBAAiB,eAAe,mBAAmB,QAAQ;AAE/E,MAAI,MAAM,WAAW,qBACnB,OAAM,YAAY,iBAAiB,iBAAiB,qBAAqB,QAAQ;AAEnF,MAAI,QAAQ,WAAW,oBACrB,OAAM,YAAY,iBAAiB,oBAAoB,oBAAoB,QAAQ;EAIrF,MAAM,SAAS,IAAI,WAAW,WAAW,SAAS,QAAQ,OAAO;AACjE,SAAO,IAAI,WAAW;AACtB,SAAO,IAAI,SAAS,WAAW,OAAO;AAEtC,MAAI;AAEF,yDADgC,KAAK,OAAO,IAAI,CAClC,QAAQ,OAAO;WACtB,OAAO;GAEd,MAAM,YAAY,IAAI,UACpB,sBAAsB,iBAAiB,QAAQ,MAAM,UAAU,yBAChE;AACD,SAAM,YAAY,KAAK,UAAU;;;;;;CC3HrC,MAAa,2BAA2B;CACxC,MAAa,0BAA0B;CACvC,MAAa,0BAA0B;CACvC,MAAa,yBAAyB;;;;;CAMtC,SAAgB,0BAA0B,aAAqC;AAE7E,SAAO,eAAe,aADT,IAAI,aAAa,CAAC,OAAO,YAAY,EACT,wBAAwB;;;;;;CAOnE,SAAgB,wBAAwB,aAAqC;AAE3E,SAAO,eAAe,aADT,IAAI,aAAa,CAAC,OAAO,UAAU,EACP,GAAG;;;;;CAM9C,SAAgB,yBAAyB,KAAwC;AAC/E,SAAO,IAAI,WAAW,wBAAwB;;;;;CAMhD,SAAgB,8BAA8B,YAAoC;AAChF,MAAI,WAAW,WAAW,wBACxB,OAAM,IAAI,MAAM,uBAAuB,wBAAwB,QAAQ;AAEzE,SAAOC,gCAAO,aAAa,WAAW;;;;;;;;;;;;;;CAexC,SAAgB,gBAAgB,eAA2B,cAAsC;AAC/F,MAAI,cAAc,WAAW,wBAC3B,OAAM,IAAI,MAAM,uBAAuB,wBAAwB,QAAQ;AAEzE,MAAI,aAAa,WAAW,uBAC1B,OAAM,IAAI,MAAM,sBAAsB,uBAAuB,QAAQ;AAEvE,SAAOA,gCAAO,gBAAgB,eAAe,aAAa;;;;;CC3D5D,MAAa,yBAAyB;CACtC,MAAa,wBAAwB;CACrC,MAAa,qCAAqC;CAClD,MAAa,0BAA0B;CACvC,MAAa,uBAAuB;CACpC,MAAa,0BAA0B;;;;;;;;CASvC,SAAgB,wBAAwB,KAAwC;AAC9E,SAAO,IAAI,WAAW,uBAAuB;;;;;CAM/C,SAAgB,6BAA6B,YAAoC;AAC/E,MAAI,WAAW,WAAW,uBACxB,OAAM,IAAI,MAAM,uBAAuB,uBAAuB,QAAQ;AAExE,SAAOC,qCAAU,aAAa,YAAY,KAAK;;;;;CAMjD,SAAgB,yBAAyB,YAAoC;AAC3E,MAAI,WAAW,WAAW,sBACxB,OAAM,IAAI,MAAM,iCAAiC,sBAAsB,QAAQ;AAGjF,SADcA,qCAAU,MAAM,UAAU,WAAW,CACtC,QAAQ,MAAM;;;;;CAM7B,SAAgB,uBAAuB,cAAsC;AAC3E,MAAI,aAAa,WAAW,mCAC1B,OAAM,IAAI,MAAM,mCAAmC,mCAAmC,QAAQ;AAGhG,SADcA,qCAAU,MAAM,UAAU,aAAa,CACxC,QAAQ,KAAK;;;;;;;;CAS5B,SAAgB,sBAAsB,aAAqC;AAEzE,SAAO,eAAe,aADT,IAAI,aAAa,CAAC,OAAO,UAAU,EACP,uBAAuB;;;;;;CAOlE,SAAgB,+BAA+B,YAAoC;AACjF,MAAI,WAAW,WAAW,uBACxB,OAAM,IAAI,MAAM,uBAAuB,uBAAuB,QAAQ;AAKxE,SAFmBA,qCAAU,aAAa,YAAY,MAAM,CAE1C,MAAM,GAAG,GAAG;;;;;;;;;;;;;;;;;;;CCvDhC,SAAgB,UAAU,YAAwB,SAAiC;AACjF,MAAI,WAAW,WAAW,uBACxB,OAAM,IAAI,MAAM,uBAAuB,uBAAuB,QAAQ;EAGxE,MAAM,cAAc,aAAa,QAAQ;AAEzC,SAAOC,qCAAU,KAAK,aAAa,YAAY,EAAE,SAAS,OAAO,CAAC;;;;;;;;;;;;;CAcpE,SAAgB,YACd,WACA,WACA,SACS;AACT,MAAI,UAAU,WAAW,sBACvB,OAAM,IAAI,MAAM,sBAAsB,sBAAsB,QAAQ;AAEtE,MAAI,UAAU,WAAW,qBACvB,OAAM,IAAI,MAAM,qBAAqB,qBAAqB,QAAQ;AAGpE,MAAI;GACF,MAAM,cAAc,aAAa,QAAQ;AAEzC,UAAOA,qCAAU,OAAO,WAAW,aAAa,WAAW,EAAE,SAAS,OAAO,CAAC;UACxE;AACN,UAAO;;;;;;CCtDX,MAAa,yBAAyB;;;;;;;;;CAUtC,SAAgB,YAAY,iBAA6B,SAAiC;AAExF,SAAO,iBAAiB,iBAAiB,SAD7B,IAAIC,wCAA6B,CACS;;;;;;;;;;CAWxD,SAAgB,iBACd,iBACA,SACA,KACY;AAEZ,SAAO,uBAAuB,iBAAiB,SAD/B,IAAI,WAAW,GAAG,CAC8B;;;;;;;;;;;CAYlE,SAAgB,uBACd,iBACA,SACA,SACY;AACZ,MAAI,gBAAgB,WAAW,uBAC7B,OAAM,IAAI,MAAM,uBAAuB,uBAAuB,QAAQ;AAExE,MAAI,QAAQ,WAAW,GACrB,OAAM,IAAI,MAAM,wCAAwC;AAG1D,SAAOC,mCAAQ,KAAK,SAAS,iBAAiB,QAAQ;;;;;;;;;;CAWxD,SAAgB,cACd,kBACA,WACA,SACS;AACT,MAAI,iBAAiB,WAAW,wBAC9B,OAAM,IAAI,MAAM,sBAAsB,wBAAwB,QAAQ;AAExE,MAAI,UAAU,WAAW,uBACvB,OAAM,IAAI,MAAM,qBAAqB,uBAAuB,QAAQ;AAGtE,MAAI;AACF,UAAOA,mCAAQ,OAAO,WAAW,SAAS,iBAAiB;UACrD;AACN,UAAO;;;;;;CCjFX,MAAa,0BAA0B;CACvC,MAAa,2BAA2B;CACxC,MAAa,yBAAyB;;;;CAKtC,SAAgB,0BAA0B,KAAwC;AAChF,SAAO,IAAI,WAAW,yBAAyB;;;;;CAMjD,SAAgB,+BAA+B,YAAoC;AACjF,MAAI,WAAW,WAAW,yBACxB,OAAM,IAAI,MAAM,uBAAuB,yBAAyB,QAAQ;AAE1E,SAAOC,iCAAQ,aAAa,WAAW;;;;;;;;;;;;;CAczC,SAAgB,YAAY,YAAwB,SAAiC;AACnF,MAAI,WAAW,WAAW,yBACxB,OAAM,IAAI,MAAM,uBAAuB,yBAAyB,QAAQ;AAE1E,SAAOA,iCAAQ,KAAK,SAAS,WAAW;;;;;;;;;;;CAY1C,SAAgB,cACd,WACA,SACA,WACS;AACT,MAAI,UAAU,WAAW,wBACvB,OAAM,IAAI,MAAM,sBAAsB,wBAAwB,QAAQ;AAExE,MAAI,UAAU,WAAW,uBACvB,OAAM,IAAI,MAAM,qBAAqB,uBAAuB,QAAQ;AAGtE,MAAI;AACF,UAAOA,iCAAQ,OAAO,WAAW,SAAS,UAAU;UAC9C;AACN,UAAO;;;;;;;;;;;;;;;CCxDX,SAAgB,OAAO,UAAsB,MAAkB,WAA+B;AAC5F,SAAO,UAAU,UAAU,MAAM,WAAW,IAAI,GAAG,EAAE;;;;;;;;;;;;;CAcvD,SAAgB,UACd,UACA,MACA,WACA,MACA,GACA,GACY;AACZ,MAAI,QAAQ,GACV,OAAM,IAAI,MAAM,mBAAmB;AAErC,MAAI,MAAM,EACR,OAAM,IAAI,MAAM,eAAe;AAEjC,MAAI,MAAM,EACR,OAAM,IAAI,MAAM,eAAe;AAKjC,6CAAmB,UAAU,MAAM;GAAE,GAF3B,KAAK;GAEyB;GAAG;GAAG,OAAO;GAAW,CAAC;;;;;;;;;;;;;CCpCnE,SAAgB,aACd,UACA,MACA,WACY;AAEZ,SAAO,gBAAgB,UAAU,MAAM,WAAW,GAAG,OAAO,EAAE;;;;;;;;;;;;;CAchE,SAAgB,gBACd,UACA,MACA,WACA,YACA,QACA,aACY;AACZ,+CAAgB,UAAU,MAAM;GAC9B,GAAG;GACH,GAAG;GACH,GAAG;GACH,OAAO;GACR,CAAC"}

package/dist/index.mjs

@@ -0,0 +1,594 @@
+import { sha256 as sha256$1, sha512 as sha512$1 } from "@noble/hashes/sha2.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { pbkdf2 } from "@noble/hashes/pbkdf2.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { chacha20poly1305 } from "@noble/ciphers/chacha.js";
+import { ed25519, x25519 } from "@noble/curves/ed25519.js";
+import { schnorr, secp256k1 } from "@noble/curves/secp256k1.js";
+import { SecureRandomNumberGenerator } from "@bcts/rand";
+import { scrypt as scrypt$1 } from "@noble/hashes/scrypt.js";
+import { argon2id } from "@noble/hashes/argon2.js";
+
+//#region src/error.ts
+/**
+* AEAD-specific error for authentication failures
+*/
+var AeadError = class extends Error {
+	constructor(message = "AEAD authentication failed") {
+		super(message);
+		this.name = "AeadError";
+	}
+};
+/**
+* Generic crypto error type
+*/
+var CryptoError = class CryptoError extends Error {
+	cause;
+	constructor(message, cause) {
+		super(message);
+		this.name = "CryptoError";
+		this.cause = cause;
+	}
+	/**
+	* Create a CryptoError for AEAD authentication failures.
+	*
+	* @param error - Optional underlying AeadError
+	* @returns A CryptoError wrapping the AEAD error
+	*/
+	static aead(error) {
+		return new CryptoError("AEAD error", error ?? new AeadError());
+	}
+	/**
+	* Create a CryptoError for invalid parameter values.
+	*
+	* @param message - Description of the invalid parameter
+	* @returns A CryptoError describing the invalid parameter
+	*/
+	static invalidParameter(message) {
+		return new CryptoError(`Invalid parameter: ${message}`);
+	}
+};
+
+//#endregion
+//#region src/memzero.ts
+/**
+* Securely zero out a typed array.
+*
+* **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference
+* implementation which uses `std::ptr::write_volatile()` for guaranteed volatile
+* writes, JavaScript engines and JIT compilers can still potentially optimize
+* away these zeroing operations. The check at the end helps prevent optimization,
+* but it is not foolproof.
+*
+* For truly sensitive cryptographic operations, consider using the Web Crypto API's
+* `crypto.subtle` with non-extractable keys when possible, as it provides stronger
+* guarantees than what can be achieved with pure JavaScript.
+*
+* This function attempts to prevent the compiler from optimizing away
+* the zeroing operation by using a verification check after the zeroing loop.
+*/
+function memzero(data) {
+	const len = data.length;
+	for (let i = 0; i < len; i++) data[i] = 0;
+	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
+}
+/**
+* Securely zero out an array of Uint8Arrays.
+*/
+function memzeroVecVecU8(arrays) {
+	for (const arr of arrays) memzero(arr);
+}
+
+//#endregion
+//#region src/hash.ts
+const CRC32_SIZE = 4;
+const SHA256_SIZE = 32;
+const SHA512_SIZE = 64;
+const CRC32_TABLE = new Uint32Array(256);
+for (let i = 0; i < 256; i++) {
+	let crc = i;
+	for (let j = 0; j < 8; j++) crc = (crc & 1) !== 0 ? crc >>> 1 ^ 3988292384 : crc >>> 1;
+	CRC32_TABLE[i] = crc >>> 0;
+}
+/**
+* Calculate CRC-32 checksum
+*/
+function crc32(data) {
+	let crc = 4294967295;
+	for (const byte of data) crc = CRC32_TABLE[(crc ^ byte) & 255] ^ crc >>> 8;
+	return (crc ^ 4294967295) >>> 0;
+}
+/**
+* Calculate CRC-32 checksum and return as a 4-byte big-endian array
+*/
+function crc32Data(data) {
+	return crc32DataOpt(data, false);
+}
+/**
+* Calculate CRC-32 checksum and return as a 4-byte array
+* @param data - Input data
+* @param littleEndian - If true, returns little-endian; otherwise big-endian
+*/
+function crc32DataOpt(data, littleEndian) {
+	const checksum = crc32(data);
+	const result = new Uint8Array(4);
+	new DataView(result.buffer).setUint32(0, checksum, littleEndian);
+	return result;
+}
+/**
+* Calculate SHA-256 hash
+*/
+function sha256(data) {
+	return sha256$1(data);
+}
+/**
+* Calculate double SHA-256 hash (SHA-256 of SHA-256)
+* This is the standard Bitcoin hashing function
+*/
+function doubleSha256(message) {
+	return sha256(sha256(message));
+}
+/**
+* Calculate SHA-512 hash
+*/
+function sha512(data) {
+	return sha512$1(data);
+}
+/**
+* Calculate HMAC-SHA-256
+*/
+function hmacSha256(key, message) {
+	return hmac(sha256$1, key, message);
+}
+/**
+* Calculate HMAC-SHA-512
+*/
+function hmacSha512(key, message) {
+	return hmac(sha512$1, key, message);
+}
+/**
+* Derive a key using PBKDF2 with HMAC-SHA-256
+*/
+function pbkdf2HmacSha256(password, salt, iterations, keyLen) {
+	return pbkdf2(sha256$1, password, salt, {
+		c: iterations,
+		dkLen: keyLen
+	});
+}
+/**
+* Derive a key using PBKDF2 with HMAC-SHA-512
+*/
+function pbkdf2HmacSha512(password, salt, iterations, keyLen) {
+	return pbkdf2(sha512$1, password, salt, {
+		c: iterations,
+		dkLen: keyLen
+	});
+}
+/**
+* Derive a key using HKDF with HMAC-SHA-256
+*/
+function hkdfHmacSha256(keyMaterial, salt, keyLen) {
+	return hkdf(sha256$1, keyMaterial, salt, void 0, keyLen);
+}
+/**
+* Derive a key using HKDF with HMAC-SHA-512
+*/
+function hkdfHmacSha512(keyMaterial, salt, keyLen) {
+	return hkdf(sha512$1, keyMaterial, salt, void 0, keyLen);
+}
+
+//#endregion
+//#region src/symmetric-encryption.ts
+const SYMMETRIC_KEY_SIZE = 32;
+const SYMMETRIC_NONCE_SIZE = 12;
+const SYMMETRIC_AUTH_SIZE = 16;
+/**
+* Encrypt data using ChaCha20-Poly1305 AEAD cipher.
+*
+* **Security Warning**: The nonce MUST be unique for every encryption operation
+* with the same key. Reusing a nonce completely breaks the security of the
+* encryption scheme and can reveal plaintext.
+*
+* @param plaintext - The data to encrypt
+* @param key - 32-byte encryption key
+* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+*/
+function aeadChaCha20Poly1305Encrypt(plaintext, key, nonce) {
+	return aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, new Uint8Array(0));
+}
+/**
+* Encrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+*
+* **Security Warning**: The nonce MUST be unique for every encryption operation
+* with the same key. Reusing a nonce completely breaks the security of the
+* encryption scheme and can reveal plaintext.
+*
+* @param plaintext - The data to encrypt
+* @param key - 32-byte encryption key
+* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+* @param aad - Additional authenticated data (not encrypted, but integrity-protected)
+* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+*/
+function aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, aad) {
+	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+	const sealed = chacha20poly1305(key, nonce, aad).encrypt(plaintext);
+	return [sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE), sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE)];
+}
+/**
+* Decrypt data using ChaCha20-Poly1305 AEAD cipher.
+*
+* @param ciphertext - The encrypted data
+* @param key - 32-byte encryption key (must match key used for encryption)
+* @param nonce - 12-byte nonce (must match nonce used for encryption)
+* @param authTag - 16-byte authentication tag from encryption
+* @returns Decrypted plaintext
+* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+* @throws {CryptoError} If authentication fails (tampered data or wrong key/nonce)
+*/
+function aeadChaCha20Poly1305Decrypt(ciphertext, key, nonce, authTag) {
+	return aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, new Uint8Array(0), authTag);
+}
+/**
+* Decrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+*
+* @param ciphertext - The encrypted data
+* @param key - 32-byte encryption key (must match key used for encryption)
+* @param nonce - 12-byte nonce (must match nonce used for encryption)
+* @param aad - Additional authenticated data (must exactly match AAD used for encryption)
+* @param authTag - 16-byte authentication tag from encryption
+* @returns Decrypted plaintext
+* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+* @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)
+*/
+function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag) {
+	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+	if (authTag.length !== SYMMETRIC_AUTH_SIZE) throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);
+	const sealed = new Uint8Array(ciphertext.length + authTag.length);
+	sealed.set(ciphertext);
+	sealed.set(authTag, ciphertext.length);
+	try {
+		return chacha20poly1305(key, nonce, aad).decrypt(sealed);
+	} catch (error) {
+		const aeadError = new AeadError(`Decryption failed: ${error instanceof Error ? error.message : "authentication error"}`);
+		throw CryptoError.aead(aeadError);
+	}
+}
+
+//#endregion
+//#region src/public-key-encryption.ts
+const GENERIC_PRIVATE_KEY_SIZE = 32;
+const GENERIC_PUBLIC_KEY_SIZE = 32;
+const X25519_PRIVATE_KEY_SIZE = 32;
+const X25519_PUBLIC_KEY_SIZE = 32;
+/**
+* Derive an X25519 agreement private key from key material.
+* Uses HKDF with "agreement" as domain separation salt.
+*/
+function deriveAgreementPrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), X25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive a signing private key from key material.
+* Uses HKDF with "signing" as domain separation salt.
+*/
+function deriveSigningPrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), 32);
+}
+/**
+* Generate a new random X25519 private key.
+*/
+function x25519NewPrivateKeyUsing(rng) {
+	return rng.randomData(X25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive an X25519 public key from a private key.
+*/
+function x25519PublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+	return x25519.getPublicKey(privateKey);
+}
+/**
+* Compute a shared secret using X25519 key agreement (ECDH).
+*
+* **Security Note**: The resulting shared secret should be used with a KDF
+* (like HKDF) before using it as an encryption key. Never use the raw
+* shared secret directly for encryption.
+*
+* @param x25519Private - 32-byte X25519 private key
+* @param x25519Public - 32-byte X25519 public key from the other party
+* @returns 32-byte shared secret
+* @throws {Error} If private key is not 32 bytes or public key is not 32 bytes
+*/
+function x25519SharedKey(x25519Private, x25519Public) {
+	if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+	if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);
+	return x25519.getSharedSecret(x25519Private, x25519Public);
+}
+
+//#endregion
+//#region src/ecdsa-keys.ts
+const ECDSA_PRIVATE_KEY_SIZE = 32;
+const ECDSA_PUBLIC_KEY_SIZE = 33;
+const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;
+const ECDSA_MESSAGE_HASH_SIZE = 32;
+const ECDSA_SIGNATURE_SIZE = 64;
+const SCHNORR_PUBLIC_KEY_SIZE = 32;
+/**
+* Generate a new random ECDSA private key using secp256k1.
+*
+* Note: Unlike some implementations, this directly returns the random bytes
+* without validation. The secp256k1 library will handle any edge cases when
+* the key is used.
+*/
+function ecdsaNewPrivateKeyUsing(rng) {
+	return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive a compressed ECDSA public key from a private key.
+*/
+function ecdsaPublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	return secp256k1.getPublicKey(privateKey, true);
+}
+/**
+* Decompress a compressed public key to uncompressed format.
+*/
+function ecdsaDecompressPublicKey(compressed) {
+	if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+	return secp256k1.Point.fromBytes(compressed).toBytes(false);
+}
+/**
+* Compress an uncompressed public key.
+*/
+function ecdsaCompressPublicKey(uncompressed) {
+	if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);
+	return secp256k1.Point.fromBytes(uncompressed).toBytes(true);
+}
+/**
+* Derive an ECDSA private key from key material using HKDF.
+*
+* Note: This directly returns the HKDF output without validation,
+* matching the Rust reference implementation behavior.
+*/
+function ecdsaDerivePrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), ECDSA_PRIVATE_KEY_SIZE);
+}
+/**
+* Extract the x-only (Schnorr) public key from a private key.
+* This is used for BIP-340 Schnorr signatures.
+*/
+function schnorrPublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	return secp256k1.getPublicKey(privateKey, false).slice(1, 33);
+}
+
+//#endregion
+//#region src/ecdsa-signing.ts
+/**
+* Sign a message using ECDSA with secp256k1.
+*
+* The message is hashed with double SHA-256 before signing (Bitcoin standard).
+*
+* **Security Note**: The private key must be kept secret. ECDSA requires
+* cryptographically secure random nonces internally; this is handled by
+* the underlying library using RFC 6979 deterministic nonces.
+*
+* @param privateKey - 32-byte secp256k1 private key
+* @param message - Message to sign (any length, will be double-SHA256 hashed)
+* @returns 64-byte compact signature (r || s format)
+* @throws {Error} If private key is not 32 bytes
+*/
+function ecdsaSign(privateKey, message) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	const messageHash = doubleSha256(message);
+	return secp256k1.sign(messageHash, privateKey, { prehash: false });
+}
+/**
+* Verify an ECDSA signature with secp256k1.
+*
+* The message is hashed with double SHA-256 before verification (Bitcoin standard).
+*
+* @param publicKey - 33-byte compressed secp256k1 public key
+* @param signature - 64-byte compact signature (r || s format)
+* @param message - Original message that was signed
+* @returns `true` if signature is valid, `false` if signature verification fails
+* @throws {Error} If public key is not 33 bytes or signature is not 64 bytes
+*/
+function ecdsaVerify(publicKey, signature, message) {
+	if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== ECDSA_SIGNATURE_SIZE) throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);
+	try {
+		const messageHash = doubleSha256(message);
+		return secp256k1.verify(signature, messageHash, publicKey, { prehash: false });
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/schnorr-signing.ts
+const SCHNORR_SIGNATURE_SIZE = 64;
+/**
+* Sign a message using Schnorr signature (BIP-340).
+* Uses secure random auxiliary randomness.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign (not pre-hashed, per BIP-340)
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSign(ecdsaPrivateKey, message) {
+	return schnorrSignUsing(ecdsaPrivateKey, message, new SecureRandomNumberGenerator());
+}
+/**
+* Sign a message using Schnorr signature with a custom RNG.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign
+* @param rng - Random number generator for auxiliary randomness
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSignUsing(ecdsaPrivateKey, message, rng) {
+	return schnorrSignWithAuxRand(ecdsaPrivateKey, message, rng.randomData(32));
+}
+/**
+* Sign a message using Schnorr signature with specific auxiliary randomness.
+* This is useful for deterministic signing in tests.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign
+* @param auxRand - 32-byte auxiliary randomness (per BIP-340)
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
+	if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (auxRand.length !== 32) throw new Error("Auxiliary randomness must be 32 bytes");
+	return schnorr.sign(message, ecdsaPrivateKey, auxRand);
+}
+/**
+* Verify a Schnorr signature (BIP-340).
+*
+* @param schnorrPublicKey - 32-byte x-only public key
+* @param signature - 64-byte Schnorr signature
+* @param message - Original message
+* @returns true if signature is valid
+*/
+function schnorrVerify(schnorrPublicKey, signature, message) {
+	if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== SCHNORR_SIGNATURE_SIZE) throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);
+	try {
+		return schnorr.verify(signature, message, schnorrPublicKey);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/ed25519-signing.ts
+const ED25519_PUBLIC_KEY_SIZE = 32;
+const ED25519_PRIVATE_KEY_SIZE = 32;
+const ED25519_SIGNATURE_SIZE = 64;
+/**
+* Generate a new random Ed25519 private key.
+*/
+function ed25519NewPrivateKeyUsing(rng) {
+	return rng.randomData(ED25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive an Ed25519 public key from a private key.
+*/
+function ed25519PublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	return ed25519.getPublicKey(privateKey);
+}
+/**
+* Sign a message using Ed25519.
+*
+* **Security Note**: The private key must be kept secret. The same private key
+* can safely sign multiple messages.
+*
+* @param privateKey - 32-byte Ed25519 private key
+* @param message - Message to sign (any length)
+* @returns 64-byte Ed25519 signature
+* @throws {Error} If private key is not 32 bytes
+*/
+function ed25519Sign(privateKey, message) {
+	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	return ed25519.sign(message, privateKey);
+}
+/**
+* Verify an Ed25519 signature.
+*
+* @param publicKey - 32-byte Ed25519 public key
+* @param message - Original message that was signed
+* @param signature - 64-byte Ed25519 signature
+* @returns `true` if signature is valid, `false` if signature verification fails
+* @throws {Error} If public key is not 32 bytes or signature is not 64 bytes
+*/
+function ed25519Verify(publicKey, message, signature) {
+	if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== ED25519_SIGNATURE_SIZE) throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);
+	try {
+		return ed25519.verify(signature, message, publicKey);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/scrypt.ts
+/**
+* Derive a key using Scrypt with recommended parameters.
+* Uses N=2^15 (32768), r=8, p=1 as recommended defaults.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value
+* @param outputLen - Desired output length
+* @returns Derived key
+*/
+function scrypt(password, salt, outputLen) {
+	return scryptOpt(password, salt, outputLen, 15, 8, 1);
+}
+/**
+* Derive a key using Scrypt with custom parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value
+* @param outputLen - Desired output length
+* @param logN - Log2 of the CPU/memory cost parameter N (must be <64)
+* @param r - Block size parameter (must be >0)
+* @param p - Parallelization parameter (must be >0)
+* @returns Derived key
+*/
+function scryptOpt(password, salt, outputLen, logN, r, p) {
+	if (logN >= 64) throw new Error("logN must be <64");
+	if (r === 0) throw new Error("r must be >0");
+	if (p === 0) throw new Error("p must be >0");
+	return scrypt$1(password, salt, {
+		N: 1 << logN,
+		r,
+		p,
+		dkLen: outputLen
+	});
+}
+
+//#endregion
+//#region src/argon.ts
+/**
+* Derive a key using Argon2id with default parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value (must be at least 8 bytes)
+* @param outputLen - Desired output length
+* @returns Derived key
+*/
+function argon2idHash(password, salt, outputLen) {
+	return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);
+}
+/**
+* Derive a key using Argon2id with custom parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value (must be at least 8 bytes)
+* @param outputLen - Desired output length
+* @param iterations - Number of iterations (t)
+* @param memory - Memory in KiB (m)
+* @param parallelism - Degree of parallelism (p)
+* @returns Derived key
+*/
+function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallelism) {
+	return argon2id(password, salt, {
+		t: iterations,
+		m: memory,
+		p: parallelism,
+		dkLen: outputLen
+	});
+}
+
+//#endregion
+export { AeadError, CRC32_SIZE, CryptoError, ECDSA_MESSAGE_HASH_SIZE, ECDSA_PRIVATE_KEY_SIZE, ECDSA_PUBLIC_KEY_SIZE, ECDSA_SIGNATURE_SIZE, ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE, ED25519_PRIVATE_KEY_SIZE, ED25519_PUBLIC_KEY_SIZE, ED25519_SIGNATURE_SIZE, GENERIC_PRIVATE_KEY_SIZE, GENERIC_PUBLIC_KEY_SIZE, SCHNORR_PUBLIC_KEY_SIZE, SCHNORR_SIGNATURE_SIZE, SHA256_SIZE, SHA512_SIZE, SYMMETRIC_AUTH_SIZE, SYMMETRIC_KEY_SIZE, SYMMETRIC_NONCE_SIZE, X25519_PRIVATE_KEY_SIZE, X25519_PUBLIC_KEY_SIZE, aeadChaCha20Poly1305Decrypt, aeadChaCha20Poly1305DecryptWithAad, aeadChaCha20Poly1305Encrypt, aeadChaCha20Poly1305EncryptWithAad, argon2idHash, argon2idHashOpt, crc32, crc32Data, crc32DataOpt, deriveAgreementPrivateKey, deriveSigningPrivateKey, doubleSha256, ecdsaCompressPublicKey, ecdsaDecompressPublicKey, ecdsaDerivePrivateKey, ecdsaNewPrivateKeyUsing, ecdsaPublicKeyFromPrivateKey, ecdsaSign, ecdsaVerify, ed25519NewPrivateKeyUsing, ed25519PublicKeyFromPrivateKey, ed25519Sign, ed25519Verify, hkdfHmacSha256, hkdfHmacSha512, hmacSha256, hmacSha512, memzero, memzeroVecVecU8, pbkdf2HmacSha256, pbkdf2HmacSha512, schnorrPublicKeyFromPrivateKey, schnorrSign, schnorrSignUsing, schnorrSignWithAuxRand, schnorrVerify, scrypt, scryptOpt, sha256, sha512, x25519NewPrivateKeyUsing, x25519PublicKeyFromPrivateKey, x25519SharedKey };
+//# sourceMappingURL=index.mjs.map