@bcts/crypto 1.0.0-alpha.5

package/dist/index.cjs

@@ -0,0 +1,658 @@
+let __noble_hashes_sha2 = require("@noble/hashes/sha2");
+let __noble_hashes_hmac = require("@noble/hashes/hmac");
+let __noble_hashes_pbkdf2 = require("@noble/hashes/pbkdf2");
+let __noble_hashes_hkdf = require("@noble/hashes/hkdf");
+let __noble_ciphers_chacha = require("@noble/ciphers/chacha");
+let __noble_curves_ed25519 = require("@noble/curves/ed25519");
+let __noble_curves_secp256k1 = require("@noble/curves/secp256k1");
+let __bcts_rand = require("@bcts/rand");
+let __noble_hashes_scrypt = require("@noble/hashes/scrypt");
+let __noble_hashes_argon2 = require("@noble/hashes/argon2");
+
+//#region src/error.ts
+/**
+* AEAD-specific error for authentication failures
+*/
+var AeadError = class extends Error {
+	constructor(message = "AEAD authentication failed") {
+		super(message);
+		this.name = "AeadError";
+	}
+};
+/**
+* Generic crypto error type
+*/
+var CryptoError = class CryptoError extends Error {
+	cause;
+	constructor(message, cause) {
+		super(message);
+		this.name = "CryptoError";
+		this.cause = cause;
+	}
+	/**
+	* Create a CryptoError for AEAD authentication failures.
+	*
+	* @param error - Optional underlying AeadError
+	* @returns A CryptoError wrapping the AEAD error
+	*/
+	static aead(error) {
+		return new CryptoError("AEAD error", error ?? new AeadError());
+	}
+	/**
+	* Create a CryptoError for invalid parameter values.
+	*
+	* @param message - Description of the invalid parameter
+	* @returns A CryptoError describing the invalid parameter
+	*/
+	static invalidParameter(message) {
+		return new CryptoError(`Invalid parameter: ${message}`);
+	}
+};
+
+//#endregion
+//#region src/memzero.ts
+/**
+* Securely zero out a typed array.
+*
+* **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference
+* implementation which uses `std::ptr::write_volatile()` for guaranteed volatile
+* writes, JavaScript engines and JIT compilers can still potentially optimize
+* away these zeroing operations. The check at the end helps prevent optimization,
+* but it is not foolproof.
+*
+* For truly sensitive cryptographic operations, consider using the Web Crypto API's
+* `crypto.subtle` with non-extractable keys when possible, as it provides stronger
+* guarantees than what can be achieved with pure JavaScript.
+*
+* This function attempts to prevent the compiler from optimizing away
+* the zeroing operation by using a verification check after the zeroing loop.
+*/
+function memzero(data) {
+	const len = data.length;
+	for (let i = 0; i < len; i++) data[i] = 0;
+	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
+}
+/**
+* Securely zero out an array of Uint8Arrays.
+*/
+function memzeroVecVecU8(arrays) {
+	for (const arr of arrays) memzero(arr);
+}
+
+//#endregion
+//#region src/hash.ts
+const CRC32_SIZE = 4;
+const SHA256_SIZE = 32;
+const SHA512_SIZE = 64;
+const CRC32_TABLE = new Uint32Array(256);
+for (let i = 0; i < 256; i++) {
+	let crc = i;
+	for (let j = 0; j < 8; j++) crc = (crc & 1) !== 0 ? crc >>> 1 ^ 3988292384 : crc >>> 1;
+	CRC32_TABLE[i] = crc >>> 0;
+}
+/**
+* Calculate CRC-32 checksum
+*/
+function crc32(data) {
+	let crc = 4294967295;
+	for (const byte of data) crc = CRC32_TABLE[(crc ^ byte) & 255] ^ crc >>> 8;
+	return (crc ^ 4294967295) >>> 0;
+}
+/**
+* Calculate CRC-32 checksum and return as a 4-byte big-endian array
+*/
+function crc32Data(data) {
+	return crc32DataOpt(data, false);
+}
+/**
+* Calculate CRC-32 checksum and return as a 4-byte array
+* @param data - Input data
+* @param littleEndian - If true, returns little-endian; otherwise big-endian
+*/
+function crc32DataOpt(data, littleEndian) {
+	const checksum = crc32(data);
+	const result = new Uint8Array(4);
+	new DataView(result.buffer).setUint32(0, checksum, littleEndian);
+	return result;
+}
+/**
+* Calculate SHA-256 hash
+*/
+function sha256(data) {
+	return (0, __noble_hashes_sha2.sha256)(data);
+}
+/**
+* Calculate double SHA-256 hash (SHA-256 of SHA-256)
+* This is the standard Bitcoin hashing function
+*/
+function doubleSha256(message) {
+	return sha256(sha256(message));
+}
+/**
+* Calculate SHA-512 hash
+*/
+function sha512(data) {
+	return (0, __noble_hashes_sha2.sha512)(data);
+}
+/**
+* Calculate HMAC-SHA-256
+*/
+function hmacSha256(key, message) {
+	return (0, __noble_hashes_hmac.hmac)(__noble_hashes_sha2.sha256, key, message);
+}
+/**
+* Calculate HMAC-SHA-512
+*/
+function hmacSha512(key, message) {
+	return (0, __noble_hashes_hmac.hmac)(__noble_hashes_sha2.sha512, key, message);
+}
+/**
+* Derive a key using PBKDF2 with HMAC-SHA-256
+*/
+function pbkdf2HmacSha256(password, salt, iterations, keyLen) {
+	return (0, __noble_hashes_pbkdf2.pbkdf2)(__noble_hashes_sha2.sha256, password, salt, {
+		c: iterations,
+		dkLen: keyLen
+	});
+}
+/**
+* Derive a key using PBKDF2 with HMAC-SHA-512
+*/
+function pbkdf2HmacSha512(password, salt, iterations, keyLen) {
+	return (0, __noble_hashes_pbkdf2.pbkdf2)(__noble_hashes_sha2.sha512, password, salt, {
+		c: iterations,
+		dkLen: keyLen
+	});
+}
+/**
+* Derive a key using HKDF with HMAC-SHA-256
+*/
+function hkdfHmacSha256(keyMaterial, salt, keyLen) {
+	return (0, __noble_hashes_hkdf.hkdf)(__noble_hashes_sha2.sha256, keyMaterial, salt, void 0, keyLen);
+}
+/**
+* Derive a key using HKDF with HMAC-SHA-512
+*/
+function hkdfHmacSha512(keyMaterial, salt, keyLen) {
+	return (0, __noble_hashes_hkdf.hkdf)(__noble_hashes_sha2.sha512, keyMaterial, salt, void 0, keyLen);
+}
+
+//#endregion
+//#region src/symmetric-encryption.ts
+const SYMMETRIC_KEY_SIZE = 32;
+const SYMMETRIC_NONCE_SIZE = 12;
+const SYMMETRIC_AUTH_SIZE = 16;
+/**
+* Encrypt data using ChaCha20-Poly1305 AEAD cipher.
+*
+* **Security Warning**: The nonce MUST be unique for every encryption operation
+* with the same key. Reusing a nonce completely breaks the security of the
+* encryption scheme and can reveal plaintext.
+*
+* @param plaintext - The data to encrypt
+* @param key - 32-byte encryption key
+* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+*/
+function aeadChaCha20Poly1305Encrypt(plaintext, key, nonce) {
+	return aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, new Uint8Array(0));
+}
+/**
+* Encrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+*
+* **Security Warning**: The nonce MUST be unique for every encryption operation
+* with the same key. Reusing a nonce completely breaks the security of the
+* encryption scheme and can reveal plaintext.
+*
+* @param plaintext - The data to encrypt
+* @param key - 32-byte encryption key
+* @param nonce - 12-byte nonce (MUST be unique per encryption with the same key)
+* @param aad - Additional authenticated data (not encrypted, but integrity-protected)
+* @returns Tuple of [ciphertext, authTag] where authTag is 16 bytes
+* @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
+*/
+function aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, aad) {
+	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+	const sealed = (0, __noble_ciphers_chacha.chacha20poly1305)(key, nonce, aad).encrypt(plaintext);
+	return [sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE), sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE)];
+}
+/**
+* Decrypt data using ChaCha20-Poly1305 AEAD cipher.
+*
+* @param ciphertext - The encrypted data
+* @param key - 32-byte encryption key (must match key used for encryption)
+* @param nonce - 12-byte nonce (must match nonce used for encryption)
+* @param authTag - 16-byte authentication tag from encryption
+* @returns Decrypted plaintext
+* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+* @throws {CryptoError} If authentication fails (tampered data or wrong key/nonce)
+*/
+function aeadChaCha20Poly1305Decrypt(ciphertext, key, nonce, authTag) {
+	return aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, new Uint8Array(0), authTag);
+}
+/**
+* Decrypt data using ChaCha20-Poly1305 AEAD cipher with additional authenticated data.
+*
+* @param ciphertext - The encrypted data
+* @param key - 32-byte encryption key (must match key used for encryption)
+* @param nonce - 12-byte nonce (must match nonce used for encryption)
+* @param aad - Additional authenticated data (must exactly match AAD used for encryption)
+* @param authTag - 16-byte authentication tag from encryption
+* @returns Decrypted plaintext
+* @throws {CryptoError} If key/nonce/authTag sizes are invalid
+* @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)
+*/
+function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag) {
+	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
+	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+	if (authTag.length !== SYMMETRIC_AUTH_SIZE) throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);
+	const sealed = new Uint8Array(ciphertext.length + authTag.length);
+	sealed.set(ciphertext);
+	sealed.set(authTag, ciphertext.length);
+	try {
+		return (0, __noble_ciphers_chacha.chacha20poly1305)(key, nonce, aad).decrypt(sealed);
+	} catch (error) {
+		const aeadError = new AeadError(`Decryption failed: ${error instanceof Error ? error.message : "authentication error"}`);
+		throw CryptoError.aead(aeadError);
+	}
+}
+
+//#endregion
+//#region src/public-key-encryption.ts
+const GENERIC_PRIVATE_KEY_SIZE = 32;
+const GENERIC_PUBLIC_KEY_SIZE = 32;
+const X25519_PRIVATE_KEY_SIZE = 32;
+const X25519_PUBLIC_KEY_SIZE = 32;
+/**
+* Derive an X25519 agreement private key from key material.
+* Uses HKDF with "agreement" as domain separation salt.
+*/
+function deriveAgreementPrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), X25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive a signing private key from key material.
+* Uses HKDF with "signing" as domain separation salt.
+*/
+function deriveSigningPrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), 32);
+}
+/**
+* Generate a new random X25519 private key.
+*/
+function x25519NewPrivateKeyUsing(rng) {
+	return rng.randomData(X25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive an X25519 public key from a private key.
+*/
+function x25519PublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+	return __noble_curves_ed25519.x25519.getPublicKey(privateKey);
+}
+/**
+* Compute a shared secret using X25519 key agreement (ECDH).
+*
+* **Security Note**: The resulting shared secret should be used with a KDF
+* (like HKDF) before using it as an encryption key. Never use the raw
+* shared secret directly for encryption.
+*
+* @param x25519Private - 32-byte X25519 private key
+* @param x25519Public - 32-byte X25519 public key from the other party
+* @returns 32-byte shared secret
+* @throws {Error} If private key is not 32 bytes or public key is not 32 bytes
+*/
+function x25519SharedKey(x25519Private, x25519Public) {
+	if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+	if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);
+	return __noble_curves_ed25519.x25519.getSharedSecret(x25519Private, x25519Public);
+}
+
+//#endregion
+//#region src/ecdsa-keys.ts
+const ECDSA_PRIVATE_KEY_SIZE = 32;
+const ECDSA_PUBLIC_KEY_SIZE = 33;
+const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;
+const ECDSA_MESSAGE_HASH_SIZE = 32;
+const ECDSA_SIGNATURE_SIZE = 64;
+const SCHNORR_PUBLIC_KEY_SIZE = 32;
+/**
+* Generate a new random ECDSA private key using secp256k1.
+*
+* Note: Unlike some implementations, this directly returns the random bytes
+* without validation. The secp256k1 library will handle any edge cases when
+* the key is used.
+*/
+function ecdsaNewPrivateKeyUsing(rng) {
+	return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive a compressed ECDSA public key from a private key.
+*/
+function ecdsaPublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	return __noble_curves_secp256k1.secp256k1.getPublicKey(privateKey, true);
+}
+/**
+* Decompress a compressed public key to uncompressed format.
+*/
+function ecdsaDecompressPublicKey(compressed) {
+	if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+	return __noble_curves_secp256k1.secp256k1.ProjectivePoint.fromHex(compressed).toRawBytes(false);
+}
+/**
+* Compress an uncompressed public key.
+*/
+function ecdsaCompressPublicKey(uncompressed) {
+	if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);
+	return __noble_curves_secp256k1.secp256k1.ProjectivePoint.fromHex(uncompressed).toRawBytes(true);
+}
+/**
+* Derive an ECDSA private key from key material using HKDF.
+*
+* Note: This directly returns the HKDF output without validation,
+* matching the Rust reference implementation behavior.
+*/
+function ecdsaDerivePrivateKey(keyMaterial) {
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), ECDSA_PRIVATE_KEY_SIZE);
+}
+/**
+* Extract the x-only (Schnorr) public key from a private key.
+* This is used for BIP-340 Schnorr signatures.
+*/
+function schnorrPublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	return __noble_curves_secp256k1.secp256k1.getPublicKey(privateKey, false).slice(1, 33);
+}
+
+//#endregion
+//#region src/ecdsa-signing.ts
+/**
+* Sign a message using ECDSA with secp256k1.
+*
+* The message is hashed with double SHA-256 before signing (Bitcoin standard).
+*
+* **Security Note**: The private key must be kept secret. ECDSA requires
+* cryptographically secure random nonces internally; this is handled by
+* the underlying library using RFC 6979 deterministic nonces.
+*
+* @param privateKey - 32-byte secp256k1 private key
+* @param message - Message to sign (any length, will be double-SHA256 hashed)
+* @returns 64-byte compact signature (r || s format)
+* @throws {Error} If private key is not 32 bytes
+*/
+function ecdsaSign(privateKey, message) {
+	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	const messageHash = doubleSha256(message);
+	return __noble_curves_secp256k1.secp256k1.sign(messageHash, privateKey).toCompactRawBytes();
+}
+/**
+* Verify an ECDSA signature with secp256k1.
+*
+* The message is hashed with double SHA-256 before verification (Bitcoin standard).
+*
+* @param publicKey - 33-byte compressed secp256k1 public key
+* @param signature - 64-byte compact signature (r || s format)
+* @param message - Original message that was signed
+* @returns `true` if signature is valid, `false` if signature verification fails
+* @throws {Error} If public key is not 33 bytes or signature is not 64 bytes
+*/
+function ecdsaVerify(publicKey, signature, message) {
+	if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== ECDSA_SIGNATURE_SIZE) throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);
+	try {
+		const messageHash = doubleSha256(message);
+		return __noble_curves_secp256k1.secp256k1.verify(signature, messageHash, publicKey);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/schnorr-signing.ts
+const SCHNORR_SIGNATURE_SIZE = 64;
+/**
+* Sign a message using Schnorr signature (BIP-340).
+* Uses secure random auxiliary randomness.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign (not pre-hashed, per BIP-340)
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSign(ecdsaPrivateKey, message) {
+	return schnorrSignUsing(ecdsaPrivateKey, message, new __bcts_rand.SecureRandomNumberGenerator());
+}
+/**
+* Sign a message using Schnorr signature with a custom RNG.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign
+* @param rng - Random number generator for auxiliary randomness
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSignUsing(ecdsaPrivateKey, message, rng) {
+	return schnorrSignWithAuxRand(ecdsaPrivateKey, message, rng.randomData(32));
+}
+/**
+* Sign a message using Schnorr signature with specific auxiliary randomness.
+* This is useful for deterministic signing in tests.
+*
+* @param ecdsaPrivateKey - 32-byte private key
+* @param message - Message to sign
+* @param auxRand - 32-byte auxiliary randomness (per BIP-340)
+* @returns 64-byte Schnorr signature
+*/
+function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
+	if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (auxRand.length !== 32) throw new Error("Auxiliary randomness must be 32 bytes");
+	return __noble_curves_secp256k1.schnorr.sign(message, ecdsaPrivateKey, auxRand);
+}
+/**
+* Verify a Schnorr signature (BIP-340).
+*
+* @param schnorrPublicKey - 32-byte x-only public key
+* @param signature - 64-byte Schnorr signature
+* @param message - Original message
+* @returns true if signature is valid
+*/
+function schnorrVerify(schnorrPublicKey, signature, message) {
+	if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== SCHNORR_SIGNATURE_SIZE) throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);
+	try {
+		return __noble_curves_secp256k1.schnorr.verify(signature, message, schnorrPublicKey);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/ed25519-signing.ts
+const ED25519_PUBLIC_KEY_SIZE = 32;
+const ED25519_PRIVATE_KEY_SIZE = 32;
+const ED25519_SIGNATURE_SIZE = 64;
+/**
+* Generate a new random Ed25519 private key.
+*/
+function ed25519NewPrivateKeyUsing(rng) {
+	return rng.randomData(ED25519_PRIVATE_KEY_SIZE);
+}
+/**
+* Derive an Ed25519 public key from a private key.
+*/
+function ed25519PublicKeyFromPrivateKey(privateKey) {
+	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	return __noble_curves_ed25519.ed25519.getPublicKey(privateKey);
+}
+/**
+* Sign a message using Ed25519.
+*
+* **Security Note**: The private key must be kept secret. The same private key
+* can safely sign multiple messages.
+*
+* @param privateKey - 32-byte Ed25519 private key
+* @param message - Message to sign (any length)
+* @returns 64-byte Ed25519 signature
+* @throws {Error} If private key is not 32 bytes
+*/
+function ed25519Sign(privateKey, message) {
+	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	return __noble_curves_ed25519.ed25519.sign(message, privateKey);
+}
+/**
+* Verify an Ed25519 signature.
+*
+* @param publicKey - 32-byte Ed25519 public key
+* @param message - Original message that was signed
+* @param signature - 64-byte Ed25519 signature
+* @returns `true` if signature is valid, `false` if signature verification fails
+* @throws {Error} If public key is not 32 bytes or signature is not 64 bytes
+*/
+function ed25519Verify(publicKey, message, signature) {
+	if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);
+	if (signature.length !== ED25519_SIGNATURE_SIZE) throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);
+	try {
+		return __noble_curves_ed25519.ed25519.verify(signature, message, publicKey);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region src/scrypt.ts
+/**
+* Derive a key using Scrypt with recommended parameters.
+* Uses N=2^15 (32768), r=8, p=1 as recommended defaults.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value
+* @param outputLen - Desired output length
+* @returns Derived key
+*/
+function scrypt(password, salt, outputLen) {
+	return scryptOpt(password, salt, outputLen, 15, 8, 1);
+}
+/**
+* Derive a key using Scrypt with custom parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value
+* @param outputLen - Desired output length
+* @param logN - Log2 of the CPU/memory cost parameter N (must be <64)
+* @param r - Block size parameter (must be >0)
+* @param p - Parallelization parameter (must be >0)
+* @returns Derived key
+*/
+function scryptOpt(password, salt, outputLen, logN, r, p) {
+	if (logN >= 64) throw new Error("logN must be <64");
+	if (r === 0) throw new Error("r must be >0");
+	if (p === 0) throw new Error("p must be >0");
+	return (0, __noble_hashes_scrypt.scrypt)(password, salt, {
+		N: 1 << logN,
+		r,
+		p,
+		dkLen: outputLen
+	});
+}
+
+//#endregion
+//#region src/argon.ts
+/**
+* Derive a key using Argon2id with default parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value (must be at least 8 bytes)
+* @param outputLen - Desired output length
+* @returns Derived key
+*/
+function argon2idHash(password, salt, outputLen) {
+	return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);
+}
+/**
+* Derive a key using Argon2id with custom parameters.
+*
+* @param password - Password or passphrase
+* @param salt - Salt value (must be at least 8 bytes)
+* @param outputLen - Desired output length
+* @param iterations - Number of iterations (t)
+* @param memory - Memory in KiB (m)
+* @param parallelism - Degree of parallelism (p)
+* @returns Derived key
+*/
+function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallelism) {
+	return (0, __noble_hashes_argon2.argon2id)(password, salt, {
+		t: iterations,
+		m: memory,
+		p: parallelism,
+		dkLen: outputLen
+	});
+}
+
+//#endregion
+exports.AeadError = AeadError;
+exports.CRC32_SIZE = CRC32_SIZE;
+exports.CryptoError = CryptoError;
+exports.ECDSA_MESSAGE_HASH_SIZE = ECDSA_MESSAGE_HASH_SIZE;
+exports.ECDSA_PRIVATE_KEY_SIZE = ECDSA_PRIVATE_KEY_SIZE;
+exports.ECDSA_PUBLIC_KEY_SIZE = ECDSA_PUBLIC_KEY_SIZE;
+exports.ECDSA_SIGNATURE_SIZE = ECDSA_SIGNATURE_SIZE;
+exports.ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE;
+exports.ED25519_PRIVATE_KEY_SIZE = ED25519_PRIVATE_KEY_SIZE;
+exports.ED25519_PUBLIC_KEY_SIZE = ED25519_PUBLIC_KEY_SIZE;
+exports.ED25519_SIGNATURE_SIZE = ED25519_SIGNATURE_SIZE;
+exports.GENERIC_PRIVATE_KEY_SIZE = GENERIC_PRIVATE_KEY_SIZE;
+exports.GENERIC_PUBLIC_KEY_SIZE = GENERIC_PUBLIC_KEY_SIZE;
+exports.SCHNORR_PUBLIC_KEY_SIZE = SCHNORR_PUBLIC_KEY_SIZE;
+exports.SCHNORR_SIGNATURE_SIZE = SCHNORR_SIGNATURE_SIZE;
+exports.SHA256_SIZE = SHA256_SIZE;
+exports.SHA512_SIZE = SHA512_SIZE;
+exports.SYMMETRIC_AUTH_SIZE = SYMMETRIC_AUTH_SIZE;
+exports.SYMMETRIC_KEY_SIZE = SYMMETRIC_KEY_SIZE;
+exports.SYMMETRIC_NONCE_SIZE = SYMMETRIC_NONCE_SIZE;
+exports.X25519_PRIVATE_KEY_SIZE = X25519_PRIVATE_KEY_SIZE;
+exports.X25519_PUBLIC_KEY_SIZE = X25519_PUBLIC_KEY_SIZE;
+exports.aeadChaCha20Poly1305Decrypt = aeadChaCha20Poly1305Decrypt;
+exports.aeadChaCha20Poly1305DecryptWithAad = aeadChaCha20Poly1305DecryptWithAad;
+exports.aeadChaCha20Poly1305Encrypt = aeadChaCha20Poly1305Encrypt;
+exports.aeadChaCha20Poly1305EncryptWithAad = aeadChaCha20Poly1305EncryptWithAad;
+exports.argon2idHash = argon2idHash;
+exports.argon2idHashOpt = argon2idHashOpt;
+exports.crc32 = crc32;
+exports.crc32Data = crc32Data;
+exports.crc32DataOpt = crc32DataOpt;
+exports.deriveAgreementPrivateKey = deriveAgreementPrivateKey;
+exports.deriveSigningPrivateKey = deriveSigningPrivateKey;
+exports.doubleSha256 = doubleSha256;
+exports.ecdsaCompressPublicKey = ecdsaCompressPublicKey;
+exports.ecdsaDecompressPublicKey = ecdsaDecompressPublicKey;
+exports.ecdsaDerivePrivateKey = ecdsaDerivePrivateKey;
+exports.ecdsaNewPrivateKeyUsing = ecdsaNewPrivateKeyUsing;
+exports.ecdsaPublicKeyFromPrivateKey = ecdsaPublicKeyFromPrivateKey;
+exports.ecdsaSign = ecdsaSign;
+exports.ecdsaVerify = ecdsaVerify;
+exports.ed25519NewPrivateKeyUsing = ed25519NewPrivateKeyUsing;
+exports.ed25519PublicKeyFromPrivateKey = ed25519PublicKeyFromPrivateKey;
+exports.ed25519Sign = ed25519Sign;
+exports.ed25519Verify = ed25519Verify;
+exports.hkdfHmacSha256 = hkdfHmacSha256;
+exports.hkdfHmacSha512 = hkdfHmacSha512;
+exports.hmacSha256 = hmacSha256;
+exports.hmacSha512 = hmacSha512;
+exports.memzero = memzero;
+exports.memzeroVecVecU8 = memzeroVecVecU8;
+exports.pbkdf2HmacSha256 = pbkdf2HmacSha256;
+exports.pbkdf2HmacSha512 = pbkdf2HmacSha512;
+exports.schnorrPublicKeyFromPrivateKey = schnorrPublicKeyFromPrivateKey;
+exports.schnorrSign = schnorrSign;
+exports.schnorrSignUsing = schnorrSignUsing;
+exports.schnorrSignWithAuxRand = schnorrSignWithAuxRand;
+exports.schnorrVerify = schnorrVerify;
+exports.scrypt = scrypt;
+exports.scryptOpt = scryptOpt;
+exports.sha256 = sha256;
+exports.sha512 = sha512;
+exports.x25519NewPrivateKeyUsing = x25519NewPrivateKeyUsing;
+exports.x25519PublicKeyFromPrivateKey = x25519PublicKeyFromPrivateKey;
+exports.x25519SharedKey = x25519SharedKey;
+//# sourceMappingURL=index.cjs.map