@bcts/crypto 1.0.0-alpha.8 → 1.0.0-beta.0

package/dist/index.mjs

@@ -1,86 +1,38 @@
-import { sha256 as sha256$1, sha512 as sha512$1 } from "@noble/hashes/sha2";
-import { hmac } from "@noble/hashes/hmac";
-import { pbkdf2 } from "@noble/hashes/pbkdf2";
-import { hkdf } from "@noble/hashes/hkdf";
-import { chacha20poly1305 } from "@noble/ciphers/chacha";
-import { ed25519, x25519 } from "@noble/curves/ed25519";
-import { schnorr, secp256k1 } from "@noble/curves/secp256k1";
+import { t as __exportAll } from "./chunk-DQk6qfdC.mjs";
+import { sha256 as sha256$1, sha512 as sha512$1 } from "@noble/hashes/sha2.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { pbkdf2 } from "@noble/hashes/pbkdf2.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { chacha20poly1305 } from "@noble/ciphers/chacha.js";
+import { ed25519, x25519 } from "@noble/curves/ed25519.js";
+import { schnorr, secp256k1 } from "@noble/curves/secp256k1.js";
 import { SecureRandomNumberGenerator } from "@bcts/rand";
-import { scrypt as scrypt$1 } from "@noble/hashes/scrypt";
-import { argon2id } from "@noble/hashes/argon2";
+import { scrypt as scrypt$1 } from "@noble/hashes/scrypt.js";
+import { argon2id as argon2id$1 } from "@noble/hashes/argon2.js";
 
-//#region src/error.ts
-/**
-* AEAD-specific error for authentication failures
-*/
-var AeadError = class extends Error {
-	constructor(message = "AEAD authentication failed") {
-		super(message);
-		this.name = "AeadError";
-	}
-};
-/**
-* Generic crypto error type
-*/
-var CryptoError = class CryptoError extends Error {
-	cause;
-	constructor(message, cause) {
-		super(message);
-		this.name = "CryptoError";
-		this.cause = cause;
-	}
-	/**
-	* Create a CryptoError for AEAD authentication failures.
-	*
-	* @param error - Optional underlying AeadError
-	* @returns A CryptoError wrapping the AEAD error
-	*/
-	static aead(error) {
-		return new CryptoError("AEAD error", error ?? new AeadError());
-	}
-	/**
-	* Create a CryptoError for invalid parameter values.
-	*
-	* @param message - Description of the invalid parameter
-	* @returns A CryptoError describing the invalid parameter
-	*/
-	static invalidParameter(message) {
-		return new CryptoError(`Invalid parameter: ${message}`);
-	}
-};
-
-//#endregion
-//#region src/memzero.ts
+//#region src/hash.ts
 /**
-* Securely zero out a typed array.
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
 *
-* **IMPORTANT: This is a best-effort implementation.** Unlike the Rust reference
-* implementation which uses `std::ptr::write_volatile()` for guaranteed volatile
-* writes, JavaScript engines and JIT compilers can still potentially optimize
-* away these zeroing operations. The check at the end helps prevent optimization,
-* but it is not foolproof.
-*
-* For truly sensitive cryptographic operations, consider using the Web Crypto API's
-* `crypto.subtle` with non-extractable keys when possible, as it provides stronger
-* guarantees than what can be achieved with pure JavaScript.
-*
-* This function attempts to prevent the compiler from optimizing away
-* the zeroing operation by using a verification check after the zeroing loop.
 */
-function memzero(data) {
-	const len = data.length;
-	for (let i = 0; i < len; i++) data[i] = 0;
-	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
-}
-/**
-* Securely zero out an array of Uint8Arrays.
-*/
-function memzeroVecVecU8(arrays) {
-	for (const arr of arrays) memzero(arr);
-}
-
-//#endregion
-//#region src/hash.ts
+var hash_exports = /* @__PURE__ */ __exportAll({
+	CRC32_SIZE: () => 4,
+	SHA256_SIZE: () => 32,
+	SHA512_SIZE: () => 64,
+	crc32: () => crc32,
+	crc32Data: () => crc32Data,
+	crc32DataOpt: () => crc32DataOpt,
+	doubleSha256: () => doubleSha256,
+	hkdfHmacSha256: () => hkdfHmacSha256,
+	hkdfHmacSha512: () => hkdfHmacSha512,
+	hmacSha256: () => hmacSha256,
+	hmacSha512: () => hmacSha512,
+	pbkdf2HmacSha256: () => pbkdf2HmacSha256,
+	pbkdf2HmacSha512: () => pbkdf2HmacSha512,
+	sha256: () => sha256,
+	sha512: () => sha512
+});
 const CRC32_SIZE = 4;
 const SHA256_SIZE = 32;
 const SHA512_SIZE = 64;
@@ -177,8 +129,103 @@ function hkdfHmacSha512(keyMaterial, salt, keyLen) {
 	return hkdf(sha512$1, keyMaterial, salt, void 0, keyLen);
 }
 
+//#endregion
+//#region src/error.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
+* AEAD-specific error for authentication failures
+*/
+var AeadError = class extends Error {
+	constructor(message = "AEAD authentication failed") {
+		super(message);
+		this.name = "AeadError";
+	}
+};
+/**
+* Generic crypto error type
+*/
+var CryptoError = class CryptoError extends Error {
+	cause;
+	constructor(message, cause) {
+		super(message);
+		this.name = "CryptoError";
+		this.cause = cause;
+	}
+	/**
+	* Create a CryptoError for AEAD authentication failures.
+	*
+	* @param error - Optional underlying AeadError
+	* @returns A CryptoError wrapping the AEAD error
+	*/
+	static aead(error) {
+		return new CryptoError("AEAD error", error ?? new AeadError());
+	}
+	/**
+	* Create a CryptoError for invalid parameter values.
+	*
+	* **TS-specific.** Rust's `bc_crypto::Error` enum has no
+	* `InvalidParameter` variant; size validation in Rust is enforced at
+	* compile time via fixed-size array references (e.g. `&[u8; 32]`) or
+	* via `panic!`/`expect(...)` for runtime checks. The TS port has no
+	* fixed-size array types, so it surfaces those same conditions through
+	* a thrown `CryptoError.invalidParameter(...)`. Catching this is
+	* equivalent to defensive guards around an `expect`-style panic on the
+	* Rust side.
+	*
+	* @param message - Description of the invalid parameter
+	* @returns A CryptoError describing the invalid parameter
+	*/
+	static invalidParameter(message) {
+		return new CryptoError(`Invalid parameter: ${message}`);
+	}
+};
+
+//#endregion
+//#region src/memzero.ts
+/**
+* Securely zero out a typed array.
+*
+* Mirrors Rust `bc_crypto::memzero<T>(s: &mut [T])`. The Rust impl uses
+* `std::ptr::write_volatile()` to guarantee the writes survive optimization;
+* JavaScript has no equivalent primitive, so this is **best-effort** — JIT
+* compilers may still elide the loop, though the post-hoc verification
+* check forces the engine to keep the writes observable.
+*
+* For truly sensitive cryptographic operations, consider using the Web
+* Crypto API's `crypto.subtle` with non-extractable keys when possible, as
+* it provides stronger guarantees than what can be achieved with pure
+* JavaScript.
+*
+* Accepts any of the standard numeric typed arrays — `Uint8Array`,
+* `Uint8ClampedArray`, `Uint16Array`, `Uint32Array`, `Int8Array`,
+* `Int16Array`, `Int32Array`, `Float32Array`, `Float64Array` — matching
+* Rust's generic `&mut [T]`. (`BigInt64Array` / `BigUint64Array` are
+* excluded because their elements are `bigint`, not `number`; if that
+* support is needed, add a dedicated overload.)
+*/
+function memzero(data) {
+	const len = data.length;
+	for (let i = 0; i < len; i++) data[i] = 0;
+	if (data.length > 0 && data[0] !== 0) throw new Error("memzero failed");
+}
+/**
+* Securely zero out an array of Uint8Arrays.
+*/
+function memzeroVecVecU8(arrays) {
+	for (const arr of arrays) memzero(arr);
+}
+
 //#endregion
 //#region src/symmetric-encryption.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const SYMMETRIC_KEY_SIZE = 32;
 const SYMMETRIC_NONCE_SIZE = 12;
 const SYMMETRIC_AUTH_SIZE = 16;
@@ -213,10 +260,10 @@ function aeadChaCha20Poly1305Encrypt(plaintext, key, nonce) {
 * @throws {CryptoError} If key is not 32 bytes or nonce is not 12 bytes
 */
 function aeadChaCha20Poly1305EncryptWithAad(plaintext, key, nonce, aad) {
-	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
-	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
+	if (key.length !== 32) throw CryptoError.invalidParameter(`Key must be ${32} bytes`);
+	if (nonce.length !== 12) throw CryptoError.invalidParameter(`Nonce must be ${12} bytes`);
 	const sealed = chacha20poly1305(key, nonce, aad).encrypt(plaintext);
-	return [sealed.slice(0, sealed.length - SYMMETRIC_AUTH_SIZE), sealed.slice(sealed.length - SYMMETRIC_AUTH_SIZE)];
+	return [sealed.slice(0, sealed.length - 16), sealed.slice(sealed.length - 16)];
 }
 /**
 * Decrypt data using ChaCha20-Poly1305 AEAD cipher.
@@ -245,9 +292,9 @@ function aeadChaCha20Poly1305Decrypt(ciphertext, key, nonce, authTag) {
 * @throws {CryptoError} If authentication fails (tampered data, wrong key/nonce, or AAD mismatch)
 */
 function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag) {
-	if (key.length !== SYMMETRIC_KEY_SIZE) throw CryptoError.invalidParameter(`Key must be ${SYMMETRIC_KEY_SIZE} bytes`);
-	if (nonce.length !== SYMMETRIC_NONCE_SIZE) throw CryptoError.invalidParameter(`Nonce must be ${SYMMETRIC_NONCE_SIZE} bytes`);
-	if (authTag.length !== SYMMETRIC_AUTH_SIZE) throw CryptoError.invalidParameter(`Auth tag must be ${SYMMETRIC_AUTH_SIZE} bytes`);
+	if (key.length !== 32) throw CryptoError.invalidParameter(`Key must be ${32} bytes`);
+	if (nonce.length !== 12) throw CryptoError.invalidParameter(`Nonce must be ${12} bytes`);
+	if (authTag.length !== 16) throw CryptoError.invalidParameter(`Auth tag must be ${16} bytes`);
 	const sealed = new Uint8Array(ciphertext.length + authTag.length);
 	sealed.set(ciphertext);
 	sealed.set(authTag, ciphertext.length);
@@ -261,8 +308,11 @@ function aeadChaCha20Poly1305DecryptWithAad(ciphertext, key, nonce, aad, authTag
 
 //#endregion
 //#region src/public-key-encryption.ts
-const GENERIC_PRIVATE_KEY_SIZE = 32;
-const GENERIC_PUBLIC_KEY_SIZE = 32;
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const X25519_PRIVATE_KEY_SIZE = 32;
 const X25519_PUBLIC_KEY_SIZE = 32;
 /**
@@ -270,7 +320,7 @@ const X25519_PUBLIC_KEY_SIZE = 32;
 * Uses HKDF with "agreement" as domain separation salt.
 */
 function deriveAgreementPrivateKey(keyMaterial) {
-	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), X25519_PRIVATE_KEY_SIZE);
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("agreement"), 32);
 }
 /**
 * Derive a signing private key from key material.
@@ -283,35 +333,52 @@ function deriveSigningPrivateKey(keyMaterial) {
 * Generate a new random X25519 private key.
 */
 function x25519NewPrivateKeyUsing(rng) {
-	return rng.randomData(X25519_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive an X25519 public key from a private key.
 */
 function x25519PublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	return x25519.getPublicKey(privateKey);
 }
+const SYMMETRIC_KEY_SIZE$1 = 32;
 /**
-* Compute a shared secret using X25519 key agreement (ECDH).
+* Compute a shared symmetric key using X25519 key agreement (ECDH).
+*
+* This function performs X25519 Diffie-Hellman key agreement and then
+* derives a symmetric key using HKDF-SHA256 with "agreement" as the salt.
+* This matches the Rust bc-crypto implementation for cross-platform compatibility.
 *
-* **Security Note**: The resulting shared secret should be used with a KDF
-* (like HKDF) before using it as an encryption key. Never use the raw
-* shared secret directly for encryption.
+* **Low-order public key handling.** The underlying `@noble/curves` X25519
+* implementation rejects low-order public keys (where the u-coordinate is
+* `0`) by throwing `'invalid private or public key received'`. Rust's
+* `x25519-dalek` (v2.0-rc.2) instead silently produces the all-zero shared
+* secret. This means an adversarial low-order public key fed in via TS
+* surfaces as an exception, while in Rust it would yield an HKDF-derived
+* key from a zero shared secret. For honest inputs both implementations
+* produce byte-identical results; the TS port's stricter behaviour is a
+* security improvement, not a parity bug.
 *
 * @param x25519Private - 32-byte X25519 private key
 * @param x25519Public - 32-byte X25519 public key from the other party
-* @returns 32-byte shared secret
+* @returns 32-byte derived symmetric key
 * @throws {Error} If private key is not 32 bytes or public key is not 32 bytes
+* @throws {Error} If the public key is low-order (`@noble/curves`-specific guard)
 */
 function x25519SharedKey(x25519Private, x25519Public) {
-	if (x25519Private.length !== X25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${X25519_PRIVATE_KEY_SIZE} bytes`);
-	if (x25519Public.length !== X25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${X25519_PUBLIC_KEY_SIZE} bytes`);
-	return x25519.getSharedSecret(x25519Private, x25519Public);
+	if (x25519Private.length !== 32) throw new Error(`Private key must be ${32} bytes`);
+	if (x25519Public.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	return hkdfHmacSha256(x25519.getSharedSecret(x25519Private, x25519Public), new TextEncoder().encode("agreement"), SYMMETRIC_KEY_SIZE$1);
 }
 
 //#endregion
 //#region src/ecdsa-keys.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const ECDSA_PRIVATE_KEY_SIZE = 32;
 const ECDSA_PUBLIC_KEY_SIZE = 33;
 const ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE = 65;
@@ -326,28 +393,28 @@ const SCHNORR_PUBLIC_KEY_SIZE = 32;
 * the key is used.
 */
 function ecdsaNewPrivateKeyUsing(rng) {
-	return rng.randomData(ECDSA_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive a compressed ECDSA public key from a private key.
 */
 function ecdsaPublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	return secp256k1.getPublicKey(privateKey, true);
 }
 /**
 * Decompress a compressed public key to uncompressed format.
 */
 function ecdsaDecompressPublicKey(compressed) {
-	if (compressed.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Compressed public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
-	return secp256k1.ProjectivePoint.fromHex(compressed).toRawBytes(false);
+	if (compressed.length !== 33) throw new Error(`Compressed public key must be ${33} bytes`);
+	return secp256k1.Point.fromBytes(compressed).toBytes(false);
 }
 /**
 * Compress an uncompressed public key.
 */
 function ecdsaCompressPublicKey(uncompressed) {
-	if (uncompressed.length !== ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE) throw new Error(`Uncompressed public key must be ${ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE} bytes`);
-	return secp256k1.ProjectivePoint.fromHex(uncompressed).toRawBytes(true);
+	if (uncompressed.length !== 65) throw new Error(`Uncompressed public key must be ${65} bytes`);
+	return secp256k1.Point.fromBytes(uncompressed).toBytes(true);
 }
 /**
 * Derive an ECDSA private key from key material using HKDF.
@@ -356,20 +423,25 @@ function ecdsaCompressPublicKey(uncompressed) {
 * matching the Rust reference implementation behavior.
 */
 function ecdsaDerivePrivateKey(keyMaterial) {
-	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), ECDSA_PRIVATE_KEY_SIZE);
+	return hkdfHmacSha256(keyMaterial, new TextEncoder().encode("signing"), 32);
 }
 /**
 * Extract the x-only (Schnorr) public key from a private key.
 * This is used for BIP-340 Schnorr signatures.
 */
 function schnorrPublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	return secp256k1.getPublicKey(privateKey, false).slice(1, 33);
 }
 
 //#endregion
 //#region src/ecdsa-signing.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Sign a message using ECDSA with secp256k1.
 *
 * The message is hashed with double SHA-256 before signing (Bitcoin standard).
@@ -384,9 +456,9 @@ function schnorrPublicKeyFromPrivateKey(privateKey) {
 * @throws {Error} If private key is not 32 bytes
 */
 function ecdsaSign(privateKey, message) {
-	if (privateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	const messageHash = doubleSha256(message);
-	return secp256k1.sign(messageHash, privateKey).toCompactRawBytes();
+	return secp256k1.sign(messageHash, privateKey, { prehash: false });
 }
 /**
 * Verify an ECDSA signature with secp256k1.
@@ -400,11 +472,11 @@ function ecdsaSign(privateKey, message) {
 * @throws {Error} If public key is not 33 bytes or signature is not 64 bytes
 */
 function ecdsaVerify(publicKey, signature, message) {
-	if (publicKey.length !== ECDSA_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ECDSA_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== ECDSA_SIGNATURE_SIZE) throw new Error(`Signature must be ${ECDSA_SIGNATURE_SIZE} bytes`);
+	if (publicKey.length !== 33) throw new Error(`Public key must be ${33} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
 		const messageHash = doubleSha256(message);
-		return secp256k1.verify(signature, messageHash, publicKey);
+		return secp256k1.verify(signature, messageHash, publicKey, { prehash: false });
 	} catch {
 		return false;
 	}
@@ -412,6 +484,11 @@ function ecdsaVerify(publicKey, signature, message) {
 
 //#endregion
 //#region src/schnorr-signing.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const SCHNORR_SIGNATURE_SIZE = 64;
 /**
 * Sign a message using Schnorr signature (BIP-340).
@@ -445,7 +522,7 @@ function schnorrSignUsing(ecdsaPrivateKey, message, rng) {
 * @returns 64-byte Schnorr signature
 */
 function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
-	if (ecdsaPrivateKey.length !== ECDSA_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ECDSA_PRIVATE_KEY_SIZE} bytes`);
+	if (ecdsaPrivateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	if (auxRand.length !== 32) throw new Error("Auxiliary randomness must be 32 bytes");
 	return schnorr.sign(message, ecdsaPrivateKey, auxRand);
 }
@@ -458,8 +535,8 @@ function schnorrSignWithAuxRand(ecdsaPrivateKey, message, auxRand) {
 * @returns true if signature is valid
 */
 function schnorrVerify(schnorrPublicKey, signature, message) {
-	if (schnorrPublicKey.length !== SCHNORR_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${SCHNORR_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== SCHNORR_SIGNATURE_SIZE) throw new Error(`Signature must be ${SCHNORR_SIGNATURE_SIZE} bytes`);
+	if (schnorrPublicKey.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
 		return schnorr.verify(signature, message, schnorrPublicKey);
 	} catch {
@@ -469,6 +546,11 @@ function schnorrVerify(schnorrPublicKey, signature, message) {
 
 //#endregion
 //#region src/ed25519-signing.ts
+/**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
 const ED25519_PUBLIC_KEY_SIZE = 32;
 const ED25519_PRIVATE_KEY_SIZE = 32;
 const ED25519_SIGNATURE_SIZE = 64;
@@ -476,13 +558,13 @@ const ED25519_SIGNATURE_SIZE = 64;
 * Generate a new random Ed25519 private key.
 */
 function ed25519NewPrivateKeyUsing(rng) {
-	return rng.randomData(ED25519_PRIVATE_KEY_SIZE);
+	return rng.randomData(32);
 }
 /**
 * Derive an Ed25519 public key from a private key.
 */
 function ed25519PublicKeyFromPrivateKey(privateKey) {
-	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	return ed25519.getPublicKey(privateKey);
 }
 /**
@@ -497,7 +579,7 @@ function ed25519PublicKeyFromPrivateKey(privateKey) {
 * @throws {Error} If private key is not 32 bytes
 */
 function ed25519Sign(privateKey, message) {
-	if (privateKey.length !== ED25519_PRIVATE_KEY_SIZE) throw new Error(`Private key must be ${ED25519_PRIVATE_KEY_SIZE} bytes`);
+	if (privateKey.length !== 32) throw new Error(`Private key must be ${32} bytes`);
 	return ed25519.sign(message, privateKey);
 }
 /**
@@ -510,8 +592,8 @@ function ed25519Sign(privateKey, message) {
 * @throws {Error} If public key is not 32 bytes or signature is not 64 bytes
 */
 function ed25519Verify(publicKey, message, signature) {
-	if (publicKey.length !== ED25519_PUBLIC_KEY_SIZE) throw new Error(`Public key must be ${ED25519_PUBLIC_KEY_SIZE} bytes`);
-	if (signature.length !== ED25519_SIGNATURE_SIZE) throw new Error(`Signature must be ${ED25519_SIGNATURE_SIZE} bytes`);
+	if (publicKey.length !== 32) throw new Error(`Public key must be ${32} bytes`);
+	if (signature.length !== 64) throw new Error(`Signature must be ${64} bytes`);
 	try {
 		return ed25519.verify(signature, message, publicKey);
 	} catch {
@@ -522,8 +604,16 @@ function ed25519Verify(publicKey, message, signature) {
 //#endregion
 //#region src/scrypt.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Derive a key using Scrypt with recommended parameters.
-* Uses N=2^15 (32768), r=8, p=1 as recommended defaults.
+*
+* Mirrors Rust `bc_crypto::scrypt` which calls `scrypt::Params::recommended()`.
+* The recommended parameters per the upstream `scrypt` crate are
+* `log_n = 17` (N = 2^17 = 131072), `r = 8`, `p = 1`.
 *
 * @param password - Password or passphrase
 * @param salt - Salt value
@@ -531,7 +621,7 @@ function ed25519Verify(publicKey, message, signature) {
 * @returns Derived key
 */
 function scrypt(password, salt, outputLen) {
-	return scryptOpt(password, salt, outputLen, 15, 8, 1);
+	return scryptOpt(password, salt, outputLen, 17, 8, 1);
 }
 /**
 * Derive a key using Scrypt with custom parameters.
@@ -559,15 +649,24 @@ function scryptOpt(password, salt, outputLen, logN, r, p) {
 //#endregion
 //#region src/argon.ts
 /**
+* Copyright © 2023-2026 Blockchain Commons, LLC
+* Copyright © 2025-2026 Parity Technologies
+*
+*/
+/**
 * Derive a key using Argon2id with default parameters.
 *
+* Mirrors Rust `bc_crypto::argon2id` which calls `Argon2::default()`. The
+* upstream `argon2` crate's defaults are `t = 2` iterations, `m = 19 * 1024
+* = 19456` KiB of memory, `p = 1` lane (per `argon2-0.5.x/src/params.rs`).
+*
 * @param password - Password or passphrase
 * @param salt - Salt value (must be at least 8 bytes)
 * @param outputLen - Desired output length
 * @returns Derived key
 */
-function argon2idHash(password, salt, outputLen) {
-	return argon2idHashOpt(password, salt, outputLen, 3, 65536, 4);
+function argon2id(password, salt, outputLen) {
+	return argon2idHashOpt(password, salt, outputLen, 2, 19456, 1);
 }
 /**
 * Derive a key using Argon2id with custom parameters.
@@ -581,7 +680,7 @@ function argon2idHash(password, salt, outputLen) {
 * @returns Derived key
 */
 function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallelism) {
-	return argon2id(password, salt, {
+	return argon2id$1(password, salt, {
 		t: iterations,
 		m: memory,
 		p: parallelism,
@@ -590,5 +689,5 @@ function argon2idHashOpt(password, salt, outputLen, iterations, memory, parallel
 }
 
 //#endregion
-export { AeadError, CRC32_SIZE, CryptoError, ECDSA_MESSAGE_HASH_SIZE, ECDSA_PRIVATE_KEY_SIZE, ECDSA_PUBLIC_KEY_SIZE, ECDSA_SIGNATURE_SIZE, ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE, ED25519_PRIVATE_KEY_SIZE, ED25519_PUBLIC_KEY_SIZE, ED25519_SIGNATURE_SIZE, GENERIC_PRIVATE_KEY_SIZE, GENERIC_PUBLIC_KEY_SIZE, SCHNORR_PUBLIC_KEY_SIZE, SCHNORR_SIGNATURE_SIZE, SHA256_SIZE, SHA512_SIZE, SYMMETRIC_AUTH_SIZE, SYMMETRIC_KEY_SIZE, SYMMETRIC_NONCE_SIZE, X25519_PRIVATE_KEY_SIZE, X25519_PUBLIC_KEY_SIZE, aeadChaCha20Poly1305Decrypt, aeadChaCha20Poly1305DecryptWithAad, aeadChaCha20Poly1305Encrypt, aeadChaCha20Poly1305EncryptWithAad, argon2idHash, argon2idHashOpt, crc32, crc32Data, crc32DataOpt, deriveAgreementPrivateKey, deriveSigningPrivateKey, doubleSha256, ecdsaCompressPublicKey, ecdsaDecompressPublicKey, ecdsaDerivePrivateKey, ecdsaNewPrivateKeyUsing, ecdsaPublicKeyFromPrivateKey, ecdsaSign, ecdsaVerify, ed25519NewPrivateKeyUsing, ed25519PublicKeyFromPrivateKey, ed25519Sign, ed25519Verify, hkdfHmacSha256, hkdfHmacSha512, hmacSha256, hmacSha512, memzero, memzeroVecVecU8, pbkdf2HmacSha256, pbkdf2HmacSha512, schnorrPublicKeyFromPrivateKey, schnorrSign, schnorrSignUsing, schnorrSignWithAuxRand, schnorrVerify, scrypt, scryptOpt, sha256, sha512, x25519NewPrivateKeyUsing, x25519PublicKeyFromPrivateKey, x25519SharedKey };
+export { AeadError, CRC32_SIZE, CryptoError, ECDSA_MESSAGE_HASH_SIZE, ECDSA_PRIVATE_KEY_SIZE, ECDSA_PUBLIC_KEY_SIZE, ECDSA_SIGNATURE_SIZE, ECDSA_UNCOMPRESSED_PUBLIC_KEY_SIZE, ED25519_PRIVATE_KEY_SIZE, ED25519_PUBLIC_KEY_SIZE, ED25519_SIGNATURE_SIZE, SCHNORR_PUBLIC_KEY_SIZE, SCHNORR_SIGNATURE_SIZE, SHA256_SIZE, SHA512_SIZE, SYMMETRIC_AUTH_SIZE, SYMMETRIC_KEY_SIZE, SYMMETRIC_NONCE_SIZE, X25519_PRIVATE_KEY_SIZE, X25519_PUBLIC_KEY_SIZE, aeadChaCha20Poly1305Decrypt, aeadChaCha20Poly1305DecryptWithAad, aeadChaCha20Poly1305Encrypt, aeadChaCha20Poly1305EncryptWithAad, argon2id, deriveAgreementPrivateKey, deriveSigningPrivateKey, doubleSha256, ecdsaCompressPublicKey, ecdsaDecompressPublicKey, ecdsaDerivePrivateKey, ecdsaNewPrivateKeyUsing, ecdsaPublicKeyFromPrivateKey, ecdsaSign, ecdsaVerify, ed25519NewPrivateKeyUsing, ed25519PublicKeyFromPrivateKey, ed25519Sign, ed25519Verify, hash_exports as hash, hkdfHmacSha256, hmacSha256, hmacSha512, memzero, memzeroVecVecU8, pbkdf2HmacSha256, schnorrPublicKeyFromPrivateKey, schnorrSign, schnorrSignUsing, schnorrSignWithAuxRand, schnorrVerify, scrypt, scryptOpt, sha256, sha512, x25519NewPrivateKeyUsing, x25519PublicKeyFromPrivateKey, x25519SharedKey };
 //# sourceMappingURL=index.mjs.map