@bcts/crypto 1.0.0-alpha.8 → 1.0.0-beta.0

package/dist/index.cjs

@@ -1,86 +1,55 @@
-let __noble_hashes_sha2 = require("@noble/hashes/sha2");
-let __noble_hashes_hmac = require("@noble/hashes/hmac");
-let __noble_hashes_pbkdf2 = require("@noble/hashes/pbkdf2");
-let __noble_hashes_hkdf = require("@noble/hashes/hkdf");
-let __noble_ciphers_chacha = require("@noble/ciphers/chacha");
-let __noble_curves_ed25519 = require("@noble/curves/ed25519");
-let __noble_curves_secp256k1 = require("@noble/curves/secp256k1");
-let __bcts_rand = require("@bcts/rand");
-let __noble_hashes_scrypt = require("@noble/hashes/scrypt");
-let __noble_hashes_argon2 = require("@noble/hashes/argon2");
-
-//#region src/error.ts
-/**
-* AEAD-specific error for authentication failures
-*/
-var AeadError = class extends Error {
-	constructor(message = "AEAD authentication failed") {
-		super(message);
-		this.name = "AeadError";
-	}
-};
-/**
-* Generic crypto error type
-*/
-var CryptoError = class CryptoError extends Error {
-	cause;
-	constructor(message, cause) {
-		super(message);
-		this.name = "CryptoError";
-		this.cause = cause;
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) {
+		__defProp(target, name, {
+			get: all[name],
+			enumerable: true
+		});
 	}
-	/**
-	* Create a CryptoError for AEAD authentication failures.
-	*
-	* @param error - Optional underlying AeadError
-	* @returns A CryptoError wrapping the AEAD error
-	*/
-	static aead(error) {
-		return new CryptoError("AEAD error", error ?? new AeadError());
-	}
-	/**
-	* Create a CryptoError for invalid parameter values.
-	*
-	* @param message - Description of the invalid parameter
-	* @returns A CryptoError describing the invalid parameter
-	*/
-	static invalidParameter(message) {
-		return new CryptoError(`Invalid parameter: ${message}`);
+	if (!no_symbols) {
+		__defProp(target, Symbol.toStringTag, { value: "Module" });
 	}
+	return target;
 };
 
 //#endregion
-//#region src/memzero.ts
+let _noble_hashes_sha2_js = require("@noble/hashes/sha2.js");
+let _noble_hashes_hmac_js = require("@noble/hashes/hmac.js");
+let _noble_hashes_pbkdf2_js = require("@noble/hashes/pbkdf2.js");
+let _noble_hashes_hkdf_js = require("@noble/hashes/hkdf.js");
+let _noble_ciphers_chacha_js = require("@noble/ciphers/chacha.js");
+let _noble_curves_ed25519_js = require("@noble/curves/ed25519.js");
+let _noble_curves_secp256k1_js = require("@noble/curves/secp256k1.js");
+let _bcts_rand = require("@bcts/rand");
+let _noble_hashes_scrypt_js = require("@noble/hashes/scrypt.js");
+let _noble_hashes_argon2_js = require("@noble/hashes/argon2.js");
+
+//#region src/hash.ts
 /**
-* Securely zero out a typed array.
-*
-* **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference
-* implementation which uses `std::ptr::write_volatile()` for guaranteed volatile
-* writes, JavaScript engines and JIT compilers can still potentially optimize
-* away these zeroing operations. The check at the end helps prevent optimization,
-* but it is not foolproof.
-*
-* For truly sensitive cryptographic operations, consider using the Web Crypto API's
-* `crypto.subtle` with non-extractable keys when possible, as it provides stronger
-* guarantees than what can be achieved with pure JavaScript.
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
 *
-* This function attempts to prevent the compiler from optimizing away
-* the zeroing operation by using a verification check after the zeroing loop.
 */
-function memzero(data) {
-	const len = data.length;
-	for (let i = 0; i < len; i++) data[i] = 0;
-	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
-}
-/**
-* Securely zero out an array of Uint8Arrays.
-*/
-function memzeroVecVecU8(arrays) {
-	for (const arr of arrays) memzero(arr);
-}
-
-//#endregion
-//#region src/hash.ts
+var hash_exports = /* @__PURE__ */ __exportAll({
+	CRC32_SIZE: () => 4,
+	SHA256_SIZE: () => 32,
+	SHA512_SIZE: () => 64,
+	crc32: () => crc32,
+	crc32Data: () => crc32Data,
+	crc32DataOpt: () => crc32DataOpt,
+	doubleSha256: () => doubleSha256,
+	hkdfHmacSha256: () => hkdfHmacSha256,
+	hkdfHmacSha512: () => hkdfHmacSha512,
+	hmacSha256: () => hmacSha256,
+	hmacSha512: () => hmacSha512,
+	pbkdf2HmacSha256: () => pbkdf2HmacSha256,
+	pbkdf2HmacSha512: () => pbkdf2HmacSha512,
+	sha256: () => sha256,
+	sha512: () => sha512
+});
 const CRC32_SIZE = 4;
 const SHA256_SIZE = 32;
 const SHA512_SIZE = 64;
@@ -119,7 +88,7 @@ function crc32DataOpt(data, littleEndian) {
 * Calculate SHA-256 hash
 */
 function sha256(data) {
-	return (0, __noble_hashes_sha2.sha256)(data);
+	return (0, _noble_hashes_sha2_js.sha256)(data);
 }
 /**
 * Calculate double SHA-256 hash (SHA-256 of SHA-256)
@@ -132,25 +101,25 @@ function doubleSha256(message) {
 * Calculate SHA-512 hash
 */
 function sha512(data) {
-	return (0, __noble_hashes_sha2.sha512)(data);
+	return (0, _noble_hashes_sha2_js.sha512)(data);
 }
 /**
 * Calculate HMAC-SHA-256
 */
 function hmacSha256(key, message) {
-	return (0, __noble_hashes_hmac.hmac)(__noble_hashes_sha2.sha256, key, message);
+	return (0, _noble_hashes_hmac_js.hmac)(_noble_hashes_sha2_js.sha256, key, message);
 }
 /**
 * Calculate HMAC-SHA-512
 */
 function hmacSha512(key, message) {
-	return (0, __noble_hashes_hmac.hmac)(__noble_hashes_sha2.sha512, key, message);
+	return (0, _noble_hashes_hmac_js.hmac)(_noble_hashes_sha2_js.sha512, key, message);
 }
 /**
 * Derive a key using PBKDF2 with HMAC-SHA-256
 */
 function pbkdf2HmacSha256(password, salt, iterations, keyLen) {
-	return (0, __noble_hashes_pbkdf2.pbkdf2)(__noble_hashes_sha2.sha256, password, salt, {
+	return (0, _noble_hashes_pbkdf2_js.pbkdf2)(_noble_hashes_sha2_js.sha256, password, salt, {
 		c: iterations,
 		dkLen: keyLen
 	});
@@ -159,7 +128,7 @@ function pbkdf2HmacSha256(password, salt, iterations, keyLen) {
 * Derive a key using PBKDF2 with HMAC-SHA-512
 */
 function pbkdf2HmacSha512(password, salt, iterations, keyLen) {
-	return (0, __noble_hashes_pbkdf2.pbkdf2)(__noble_hashes_sha2.sha512, password, salt, {
+	return (0, _noble_hashes_pbkdf2_js.pbkdf2)(_noble_hashes_sha2_js.sha512, password, salt, {
 		c: iterations,
 		dkLen: keyLen
 	});
@@ -168,17 +137,112 @@ function pbkdf2HmacSha512(password, salt, iterations, keyLen) {
 * Derive a key using HKDF with HMAC-SHA-256
 */
 function hkdfHmacSha256(keyMaterial, salt, keyLen) {
-	return (0, __noble_hashes_hkdf.hkdf)(__noble_hashes_sha2.sha256, keyMaterial, salt, void 0, keyLen);
+	return (0, _noble_hashes_hkdf_js.hkdf)(_noble_hashes_sha2_js.sha256, keyMaterial, salt, void 0, keyLen);
 }
 /**
 * Derive a key using HKDF with HMAC-SHA-512
 */
 function hkdfHmacSha512(keyMaterial, salt, keyLen) {
-	return (0, __noble_hashes_hkdf.hkdf)(__noble_hashes_sha2.sha512, keyMaterial, salt, void 0, keyLen);
+	return (0, _noble_hashes_hkdf_js.hkdf)(_noble_hashes_sha2_js.sha512, keyMaterial, salt, void 0, keyLen);
+}
+
+//#endregion
+//#region src/error.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
+* AEAD-specific error for authentication failures
+*/
+var AeadError = class extends Error {
+	constructor(message = "AEAD authentication failed") {
+		super(message);
+		this.name = "AeadError";
+	}
+};
+/**
+* Generic crypto error type
+*/
+var CryptoError = class CryptoError extends Error {
+	cause;
+	constructor(message, cause) {
+		super(message);
+		this.name = "CryptoError";
+		this.cause = cause;
+	}
+	/**
+	* Create a CryptoError for AEAD authentication failures.
+	*
+	* @param error - Optional underlying AeadError
+	* @returns A CryptoError wrapping the AEAD error
+	*/
+	static aead(error) {
+		return new CryptoError("AEAD error", error ?? new AeadError());
+	}
+	/**
+	* Create a CryptoError for invalid parameter values.
+	*
+	* **TS-specific.** Rust's `bc_crypto::Error` enum has no
+	* `InvalidParameter` variant; size validation in Rust is enforced at
+	* compile time via fixed-size array references (e.g. `&[u8; 32]`) or
+	* via `panic!`/`expect(...)` for runtime checks. The TS port has no
+	* fixed-size array types, so it surfaces those same conditions through
+	* a thrown `CryptoError.invalidParameter(...)`. Catching this is
+	* equivalent to defensive guards around an `expect`-style panic on the
+	* Rust side.
+	*
+	* @param message - Description of the invalid parameter
+	* @returns A CryptoError describing the invalid parameter
+	*/
+	static invalidParameter(message) {
+		return new CryptoError(`Invalid parameter: ${message}`);
+	}
+};
+
+//#endregion
+//#region src/memzero.ts
+/**
+* Securely zero out a typed array.
+*
+* Mirrors Rust `bc_crypto::memzero<T>(s: &mut [T])`. The Rust impl uses
+* `std::ptr::write_volatile()` to guarantee the writes survive optimization;
+* JavaScript has no equivalent primitive, so this is **best-effort** — JIT
+* compilers may still elide the loop, though the post-hoc verification
+* check forces the engine to keep the writes observable.
+*
+* For truly sensitive cryptographic operations, consider using the Web
+* Crypto API's `crypto.subtle` with non-extractable keys when possible, as
+* it provides stronger guarantees than what can be achieved with pure
+* JavaScript.
+*
+* Accepts any of the standard numeric typed arrays — `Uint8Array`,
+* `Uint8ClampedArray`, `Uint16Array`, `Uint32Array`, `Int8Array`,
+* `Int16Array`, `Int32Array`, `Float32Array`, `Float64Array` — matching
+* Rust's generic `&mut [T]`. (`BigInt64Array` / `BigUint64Array` are
+* excluded because their elements are `bigint`, not `number`; if that
+* support is needed, add a dedicated overload.)
+*/
+function memzero(data) {
+	const len = data.length;
+	for (let i = 0; i < len; i++) data[i] = 0;
+	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
+}
+/**
+* Securely zero out an array of Uint8Arrays.
+*/
+function memzeroVecVecU8(arrays) {
+	for (const arr of arrays) memzero(arr);
 }
 
 //#endregion
 //#region src/symmetric-encryption.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const SYMMETRIC_KEY_SIZE = 32;
 const SYMMETRIC_NONCE_SIZE = 12;
 const SYMMETRIC_AUTH_SIZE = 16;
@@ -213,10 +277,10 @@ function aeadChaCha20Poly1305Encrypt(plaintext, key, nonce) {
 * @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
 */
 function aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, aad) {
-	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
-	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
-	const sealed = (0, __noble_ciphers_chacha.chacha20poly1305)(key, nonce, aad).encrypt(plaintext);
-	return [sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE), sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE)];
+	if (key.length !== 32) throw CryptoError.invalidParameter(`Key must be ${32} bytes`);
+	if (nonce.length !== 12) throw CryptoError.invalidParameter(`Nonce must be ${12} bytes`);
+	const sealed = (0, _noble_ciphers_chacha_js.chacha20poly1305)(key, nonce, aad).encrypt(plaintext);
+	return [sealed.slice(0, sealed.length - 16), sealed.slice(sealed.length - 16)];
 }
 /**
 * Decrypt data using ChaCha20-Poly1305 AEAD cipher.
@@ -245,14 +309,14 @@ function aeadChaCha20Poly1305Decrypt(ciphertext, key, nonce, authTag) {
 * @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)
 */
 function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag) {
-	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
-	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
-	if (authTag.length !== SYMMETRIC_AUTH_SIZE) throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);
+	if (key.length !== 32) throw CryptoError.invalidParameter(`Key must be ${32} bytes`);
+	if (nonce.length !== 12) throw CryptoError.invalidParameter(`Nonce must be ${12} bytes`);
+	if (authTag.length !== 16) throw CryptoError.invalidParameter(`Auth tag must be ${16} bytes`);
 	const sealed = new Uint8Array(ciphertext.length + authTag.length);
 	sealed.set(ciphertext);
 	sealed.set(authTag, ciphertext.length);
 	try {
-		return (0, __noble_ciphers_chacha.chacha20poly1305)(key, nonce, aad).decrypt(sealed);
+		return (0, _noble_ciphers_chacha_js.chacha20poly1305)(key, nonce, aad).decrypt(sealed);
 	} catch (error) {
 		const aeadError = new AeadError(`Decryption failed: ${error instanceof Error ? error.message : "authentication error"}`);
 		throw CryptoError.aead(aeadError);
@@ -261,8 +325,11 @@ function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag
 
 //#endregion
 //#region src/public-key-encryption.ts
-const GENERIC_PRIVATE_KEY_SIZE = 32;
-const GENERIC_PUBLIC_KEY_SIZE = 32;
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const X25519_PRIVATE_KEY_SIZE = 32;
 const X25519_PUBLIC_KEY_SIZE = 32;
 /**
@@ -270,7 +337,7 @@ const X25519_PUBLIC_KEY_SIZE = 32;
 * Uses HKDF with "agreement" as domain separation salt.
 */
 function deriveAgreementPrivateKey(keyMaterial) {
-	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), X25519_PRIVATE_KEY_SIZE);
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), 32);
 }
 /**
 * Derive a signing private key from key material.
@@ -283,35 +350,52 @@ function deriveSigningPrivateKey(keyMaterial) {
 * Generate a new random X25519 private key.
 */
 function x25519NewPrivateKeyUsing(rng) {
-	return rng.randomData(X25519_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive an X25519 public key from a private key.
 */
 function x25519PublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
-	return __noble_curves_ed25519.x25519.getPublicKey(privateKey);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	return _noble_curves_ed25519_js.x25519.getPublicKey(privateKey);
 }
+const SYMMETRIC_KEY_SIZE$1 = 32;
 /**
-* Compute a shared secret using X25519 key agreement (ECDH).
+* Compute a shared symmetric key using X25519 key agreement (ECDH).
 *
-* **Security Note**: The resulting shared secret should be used with a KDF
-* (like HKDF) before using it as an encryption key. Never use the raw
-* shared secret directly for encryption.
+* This function performs X25519 Diffie-Hellman key agreement and then
+* derives a symmetric key using HKDF-SHA256 with "agreement" as the salt.
+* This matches the Rust bc-crypto implementation for cross-platform compatibility.
+*
+* **Low-order public key handling.** The underlying `@noble/curves` X25519
+* implementation rejects low-order public keys (where the u-coordinate is
+* `0`) by throwing `'invalid private or public key received'`. Rust's
+* `x25519-dalek` (v2.0-rc.2) instead silently produces the all-zero shared
+* secret. This means an adversarial low-order public key fed in via TS
+* surfaces as an exception, while in Rust it would yield an HKDF-derived
+* key from a zero shared secret. For honest inputs both implementations
+* produce byte-identical results; the TS port's stricter behaviour is a
+* security improvement, not a parity bug.
 *
 * @param x25519Private - 32-byte X25519 private key
 * @param x25519Public - 32-byte X25519 public key from the other party
-* @returns 32-byte shared secret
+* @returns 32-byte derived symmetric key
 * @throws {Error} If private key is not 32 bytes or public key is not 32 bytes
+* @throws {Error} If the public key is low-order (`@noble/curves`-specific guard)
 */
 function x25519SharedKey(x25519Private, x25519Public) {
-	if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
-	if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);
-	return __noble_curves_ed25519.x25519.getSharedSecret(x25519Private, x25519Public);
+	if (x25519Private.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	if (x25519Public.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	return hkdfHmacSha256(_noble_curves_ed25519_js.x25519.getSharedSecret(x25519Private, x25519Public), new TextEncoder().encode("agreement"), SYMMETRIC_KEY_SIZE$1);
 }
 
 //#endregion
 //#region src/ecdsa-keys.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const ECDSA_PRIVATE_KEY_SIZE = 32;
 const ECDSA_PUBLIC_KEY_SIZE = 33;
 const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;
@@ -326,28 +410,28 @@ const SCHNORR_PUBLIC_KEY_SIZE = 32;
 * the key is used.
 */
 function ecdsaNewPrivateKeyUsing(rng) {
-	return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive a compressed ECDSA public key from a private key.
 */
 function ecdsaPublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
-	return __noble_curves_secp256k1.secp256k1.getPublicKey(privateKey, true);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	return _noble_curves_secp256k1_js.secp256k1.getPublicKey(privateKey, true);
 }
 /**
 * Decompress a compressed public key to uncompressed format.
 */
 function ecdsaDecompressPublicKey(compressed) {
-	if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
-	return __noble_curves_secp256k1.secp256k1.ProjectivePoint.fromHex(compressed).toRawBytes(false);
+	if (compressed.length !== 33) throw new Error(`Compressed public key must be ${33} bytes`);
+	return _noble_curves_secp256k1_js.secp256k1.Point.fromBytes(compressed).toBytes(false);
 }
 /**
 * Compress an uncompressed public key.
 */
 function ecdsaCompressPublicKey(uncompressed) {
-	if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);
-	return __noble_curves_secp256k1.secp256k1.ProjectivePoint.fromHex(uncompressed).toRawBytes(true);
+	if (uncompressed.length !== 65) throw new Error(`Uncompressed public key must be ${65} bytes`);
+	return _noble_curves_secp256k1_js.secp256k1.Point.fromBytes(uncompressed).toBytes(true);
 }
 /**
 * Derive an ECDSA private key from key material using HKDF.
@@ -356,20 +440,25 @@ function ecdsaCompressPublicKey(uncompressed) {
 * matching the Rust reference implementation behavior.
 */
 function ecdsaDerivePrivateKey(keyMaterial) {
-	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), ECDSA_PRIVATE_KEY_SIZE);
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), 32);
 }
 /**
 * Extract the x-only (Schnorr) public key from a private key.
 * This is used for BIP-340 Schnorr signatures.
 */
 function schnorrPublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
-	return __noble_curves_secp256k1.secp256k1.getPublicKey(privateKey, false).slice(1, 33);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	return _noble_curves_secp256k1_js.secp256k1.getPublicKey(privateKey, false).slice(1, 33);
 }
 
 //#endregion
 //#region src/ecdsa-signing.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Sign a message using ECDSA with secp256k1.
 *
 * The message is hashed with double SHA-256 before signing (Bitcoin standard).
@@ -384,9 +473,9 @@ function schnorrPublicKeyFromPrivateKey(privateKey) {
 * @throws {Error} If private key is not 32 bytes
 */
 function ecdsaSign(privateKey, message) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	const messageHash = doubleSha256(message);
-	return __noble_curves_secp256k1.secp256k1.sign(messageHash, privateKey).toCompactRawBytes();
+	return _noble_curves_secp256k1_js.secp256k1.sign(messageHash, privateKey, { prehash: false });
 }
 /**
 * Verify an ECDSA signature with secp256k1.
@@ -400,11 +489,11 @@ function ecdsaSign(privateKey, message) {
 * @throws {Error} If public key is not 33 bytes or signature is not 64 bytes
 */
 function ecdsaVerify(publicKey, signature, message) {
-	if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== ECDSA_SIGNATURE_SIZE) throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);
+	if (publicKey.length !== 33) throw new Error(`Public key must be ${33} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
 		const messageHash = doubleSha256(message);
-		return __noble_curves_secp256k1.secp256k1.verify(signature, messageHash, publicKey);
+		return _noble_curves_secp256k1_js.secp256k1.verify(signature, messageHash, publicKey, { prehash: false });
 	} catch {
 		return false;
 	}
@@ -412,6 +501,11 @@ function ecdsaVerify(publicKey, signature, message) {
 
 //#endregion
 //#region src/schnorr-signing.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const SCHNORR_SIGNATURE_SIZE = 64;
 /**
 * Sign a message using Schnorr signature (BIP-340).
@@ -422,7 +516,7 @@ const SCHNORR_SIGNATURE_SIZE = 64;
 * @returns 64-byte Schnorr signature
 */
 function schnorrSign(ecdsaPrivateKey, message) {
-	return schnorrSignUsing(ecdsaPrivateKey, message, new __bcts_rand.SecureRandomNumberGenerator());
+	return schnorrSignUsing(ecdsaPrivateKey, message, new _bcts_rand.SecureRandomNumberGenerator());
 }
 /**
 * Sign a message using Schnorr signature with a custom RNG.
@@ -445,9 +539,9 @@ function schnorrSignUsing(ecdsaPrivateKey, message, rng) {
 * @returns 64-byte Schnorr signature
 */
 function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
-	if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (ecdsaPrivateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	if (auxRand.length !== 32) throw new Error("Auxiliary randomness must be 32 bytes");
-	return __noble_curves_secp256k1.schnorr.sign(message, ecdsaPrivateKey, auxRand);
+	return _noble_curves_secp256k1_js.schnorr.sign(message, ecdsaPrivateKey, auxRand);
 }
 /**
 * Verify a Schnorr signature (BIP-340).
@@ -458,10 +552,10 @@ function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
 * @returns true if signature is valid
 */
 function schnorrVerify(schnorrPublicKey, signature, message) {
-	if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== SCHNORR_SIGNATURE_SIZE) throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);
+	if (schnorrPublicKey.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
-		return __noble_curves_secp256k1.schnorr.verify(signature, message, schnorrPublicKey);
+		return _noble_curves_secp256k1_js.schnorr.verify(signature, message, schnorrPublicKey);
 	} catch {
 		return false;
 	}
@@ -469,6 +563,11 @@ function schnorrVerify(schnorrPublicKey, signature, message) {
 
 //#endregion
 //#region src/ed25519-signing.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const ED25519_PUBLIC_KEY_SIZE = 32;
 const ED25519_PRIVATE_KEY_SIZE = 32;
 const ED25519_SIGNATURE_SIZE = 64;
@@ -476,14 +575,14 @@ const ED25519_SIGNATURE_SIZE = 64;
 * Generate a new random Ed25519 private key.
 */
 function ed25519NewPrivateKeyUsing(rng) {
-	return rng.randomData(ED25519_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive an Ed25519 public key from a private key.
 */
 function ed25519PublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
-	return __noble_curves_ed25519.ed25519.getPublicKey(privateKey);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	return _noble_curves_ed25519_js.ed25519.getPublicKey(privateKey);
 }
 /**
 * Sign a message using Ed25519.
@@ -497,8 +596,8 @@ function ed25519PublicKeyFromPrivateKey(privateKey) {
 * @throws {Error} If private key is not 32 bytes
 */
 function ed25519Sign(privateKey, message) {
-	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
-	return __noble_curves_ed25519.ed25519.sign(message, privateKey);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	return _noble_curves_ed25519_js.ed25519.sign(message, privateKey);
 }
 /**
 * Verify an Ed25519 signature.
@@ -510,10 +609,10 @@ function ed25519Sign(privateKey, message) {
 * @throws {Error} If public key is not 32 bytes or signature is not 64 bytes
 */
 function ed25519Verify(publicKey, message, signature) {
-	if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== ED25519_SIGNATURE_SIZE) throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);
+	if (publicKey.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
-		return __noble_curves_ed25519.ed25519.verify(signature, message, publicKey);
+		return _noble_curves_ed25519_js.ed25519.verify(signature, message, publicKey);
 	} catch {
 		return false;
 	}
@@ -522,8 +621,16 @@ function ed25519Verify(publicKey, message, signature) {
 //#endregion
 //#region src/scrypt.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Derive a key using Scrypt with recommended parameters.
-* Uses N=2^15 (32768), r=8, p=1 as recommended defaults.
+*
+* Mirrors Rust `bc_crypto::scrypt` which calls `scrypt::Params::recommended()`.
+* The recommended parameters per the upstream `scrypt` crate are
+* `log_n = 17` (N = 2^17 = 131072), `r = 8`, `p = 1`.
 *
 * @param password - Password or passphrase
 * @param salt - Salt value
@@ -531,7 +638,7 @@ function ed25519Verify(publicKey, message, signature) {
 * @returns Derived key
 */
 function scrypt(password, salt, outputLen) {
-	return scryptOpt(password, salt, outputLen, 15, 8, 1);
+	return scryptOpt(password, salt, outputLen, 17, 8, 1);
 }
 /**
 * Derive a key using Scrypt with custom parameters.
@@ -548,7 +655,7 @@ function scryptOpt(password, salt, outputLen, logN, r, p) {
 	if (logN >= 64) throw new Error("logN must be <64");
 	if (r === 0) throw new Error("r must be >0");
 	if (p === 0) throw new Error("p must be >0");
-	return (0, __noble_hashes_scrypt.scrypt)(password, salt, {
+	return (0, _noble_hashes_scrypt_js.scrypt)(password, salt, {
 		N: 1 << logN,
 		r,
 		p,
@@ -559,15 +666,24 @@ function scryptOpt(password, salt, outputLen, logN, r, p) {
 //#endregion
 //#region src/argon.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Derive a key using Argon2id with default parameters.
 *
+* Mirrors Rust `bc_crypto::argon2id` which calls `Argon2::default()`. The
+* upstream `argon2` crate's defaults are `t = 2` iterations, `m = 19 * 1024
+* = 19456` KiB of memory, `p = 1` lane (per `argon2-0.5.x/src/params.rs`).
+*
 * @param password - Password or passphrase
 * @param salt - Salt value (must be at least 8 bytes)
 * @param outputLen - Desired output length
 * @returns Derived key
 */
-function argon2idHash(password, salt, outputLen) {
-	return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);
+function argon2id(password, salt, outputLen) {
+	return argon2idHashOpt(password, salt, outputLen, 2, 19456, 1);
 }
 /**
 * Derive a key using Argon2id with custom parameters.
@@ -581,7 +697,7 @@ function argon2idHash(password, salt, outputLen) {
 * @returns Derived key
 */
 function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallelism) {
-	return (0, __noble_hashes_argon2.argon2id)(password, salt, {
+	return (0, _noble_hashes_argon2_js.argon2id)(password, salt, {
 		t: iterations,
 		m: memory,
 		p: parallelism,
@@ -601,8 +717,6 @@ exports.ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE;
 exports.ED25519_PRIVATE_KEY_SIZE = ED25519_PRIVATE_KEY_SIZE;
 exports.ED25519_PUBLIC_KEY_SIZE = ED25519_PUBLIC_KEY_SIZE;
 exports.ED25519_SIGNATURE_SIZE = ED25519_SIGNATURE_SIZE;
-exports.GENERIC_PRIVATE_KEY_SIZE = GENERIC_PRIVATE_KEY_SIZE;
-exports.GENERIC_PUBLIC_KEY_SIZE = GENERIC_PUBLIC_KEY_SIZE;
 exports.SCHNORR_PUBLIC_KEY_SIZE = SCHNORR_PUBLIC_KEY_SIZE;
 exports.SCHNORR_SIGNATURE_SIZE = SCHNORR_SIGNATURE_SIZE;
 exports.SHA256_SIZE = SHA256_SIZE;
@@ -616,11 +730,7 @@ exports.aeadChaCha20Poly1305Decrypt = aeadChaCha20Poly1305Decrypt;
 exports.aeadChaCha20Poly1305DecryptWithAad = aeadChaCha20Poly1305DecryptWithAad;
 exports.aeadChaCha20Poly1305Encrypt = aeadChaCha20Poly1305Encrypt;
 exports.aeadChaCha20Poly1305EncryptWithAad = aeadChaCha20Poly1305EncryptWithAad;
-exports.argon2idHash = argon2idHash;
-exports.argon2idHashOpt = argon2idHashOpt;
-exports.crc32 = crc32;
-exports.crc32Data = crc32Data;
-exports.crc32DataOpt = crc32DataOpt;
+exports.argon2id = argon2id;
 exports.deriveAgreementPrivateKey = deriveAgreementPrivateKey;
 exports.deriveSigningPrivateKey = deriveSigningPrivateKey;
 exports.doubleSha256 = doubleSha256;
@@ -635,14 +745,18 @@ exports.ed25519NewPrivateKeyUsing = ed25519NewPrivateKeyUsing;
 exports.ed25519PublicKeyFromPrivateKey = ed25519PublicKeyFromPrivateKey;
 exports.ed25519Sign = ed25519Sign;
 exports.ed25519Verify = ed25519Verify;
+Object.defineProperty(exports, 'hash', {
+  enumerable: true,
+  get: function () {
+    return hash_exports;
+  }
+});
 exports.hkdfHmacSha256 = hkdfHmacSha256;
-exports.hkdfHmacSha512 = hkdfHmacSha512;
 exports.hmacSha256 = hmacSha256;
 exports.hmacSha512 = hmacSha512;
 exports.memzero = memzero;
 exports.memzeroVecVecU8 = memzeroVecVecU8;
 exports.pbkdf2HmacSha256 = pbkdf2HmacSha256;
-exports.pbkdf2HmacSha512 = pbkdf2HmacSha512;
 exports.schnorrPublicKeyFromPrivateKey = schnorrPublicKeyFromPrivateKey;
 exports.schnorrSign = schnorrSign;
 exports.schnorrSignUsing = schnorrSignUsing;