@blamejs/core 0.7.106 → 0.8.0

package/lib/pqc-software.js

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * b.pqcSoftware — pure-JS post-quantum primitives sourced from the
+ * vendored @noble/post-quantum bundle (lib/vendor/noble-post-quantum.cjs).
+ *
+ * Usable server-side and client-side. Ciphertexts are FIPS 203
+ * conformant in both directions — encapsulating with Node's WebCrypto
+ * ML-KEM-1024 (used by b.crypto.encrypt / b.middleware.apiEncrypt)
+ * decapsulates with b.pqcSoftware.ml_kem_1024 and vice versa.
+ *
+ * Operator wiring:
+ *
+ *   - Server-side: import b.pqcSoftware directly. Use it as the
+ *     primary PQC path on Node releases without the experimental
+ *     WebCrypto ML-KEM extension, or for reference-implementation
+ *     interop testing against Node WebCrypto / hardware HSMs.
+ *
+ *   - Client-side: re-bundle this module or import @noble/post-quantum
+ *     directly into the build that ships b.middleware.apiEncrypt.client.
+ *
+ * Defaults pin to the highest cat-5 level:
+ *
+ *   - DEFAULT_KEM         = ML-KEM-1024 (FIPS 203)
+ *   - DEFAULT_LATTICE_SIG = ML-DSA-87   (FIPS 204)
+ *   - DEFAULT_HASH_SIG    = SLH-DSA-SHAKE-256f (FIPS 205)
+ *
+ * Public surface (b.pqcSoftware.*):
+ *
+ *   .ml_kem_1024 / .ml_kem_768 / .ml_kem_512   — FIPS 203 KEM objects
+ *   .ml_dsa_87 / .ml_dsa_65 / .ml_dsa_44       — FIPS 204 lattice sig
+ *   .slh_dsa_shake_256f / 192f / 128f          — FIPS 205 (SHAKE)
+ *   .slh_dsa_sha2_256f / 192f / 128f           — FIPS 205 (SHA-2)
+ *
+ *   .DEFAULT_KEM         — alias to ml_kem_1024
+ *   .DEFAULT_LATTICE_SIG — alias to ml_dsa_87
+ *   .DEFAULT_HASH_SIG    — alias to slh_dsa_shake_256f
+ *
+ *   .isAvailable()    — boolean: is the vendored bundle loadable?
+ *   .listAlgorithms() — string[] of algorithm names
+ *
+ * Each KEM / signature object exposes `keygen()` / `encapsulate()` /
+ * `decapsulate()` (KEMs) or `keygen()` / `sign()` / `verify()`
+ * (signatures), matching the @noble/post-quantum API directly.
+ *
+ * Operators chaining this into other primitives:
+ *
+ *   var pqc = b.pqcSoftware;
+ *   var kp  = pqc.DEFAULT_KEM.keygen();
+ *   var enc = pqc.DEFAULT_KEM.encapsulate(kp.publicKey);
+ *   //  enc.cipherText / enc.sharedSecret
+ *
+ * Note on availability: the bundle is a build artifact in
+ * lib/vendor/noble-post-quantum.cjs. In tightly-locked deployments
+ * where operators stripped the vendor directory, .isAvailable()
+ * returns false and the module exposes a stub that throws on every
+ * primitive call.
+ */
+
+var { defineClass } = require("./framework-error");
+var PqcError = defineClass("PqcError", { alwaysPermanent: true });
+
+var _vendoredOnce = null;
+var _loadError    = null;
+
+function _load() {
+  if (_vendoredOnce !== null || _loadError !== null) return _vendoredOnce;
+  try {
+    // Inline-require: deliberate — the vendored bundle is loaded
+    // on-demand so deployments that strip lib/vendor/ still boot
+    // without crashing on first import of this module. Stub fallback
+    // is below.
+    _vendoredOnce = require("./vendor/noble-post-quantum.cjs"); // allow:inline-require — graceful-fallback shim
+    return _vendoredOnce;
+  } catch (e) {
+    _loadError = e;
+    _vendoredOnce = null;
+    return null;
+  }
+}
+
+function _stubFor(name) {
+  return {
+    info: { type: name, available: false },
+    keygen:      function () { _throwUnavailable(name); },
+    encapsulate: function () { _throwUnavailable(name); },
+    decapsulate: function () { _throwUnavailable(name); },
+    sign:        function () { _throwUnavailable(name); },
+    verify:      function () { _throwUnavailable(name); },
+  };
+}
+
+function _throwUnavailable(name) {
+  throw new PqcError("pqc-software/unavailable",
+    "b.pqcSoftware." + name + ": vendored bundle lib/vendor/noble-post-quantum.cjs " +
+    "could not be loaded (" + (_loadError && _loadError.message || "unknown") + ") — " +
+    "if this is a deliberately-stripped deployment, use Node WebCrypto ML-KEM " +
+    "(b.crypto.encrypt / decrypt) instead. To restore: " +
+    "scripts/vendor-update.sh @noble/post-quantum");
+}
+
+function _accessor(name) {
+  var bundle = _load();
+  if (!bundle) return _stubFor(name);
+  var algo = bundle[name];
+  if (!algo) return _stubFor(name);
+  return algo;
+}
+
+function isAvailable() {
+  return _load() !== null;
+}
+
+function listAlgorithms() {
+  if (!isAvailable()) return [];
+  return [
+    "ml_kem_512", "ml_kem_768", "ml_kem_1024",
+    "ml_dsa_44",  "ml_dsa_65",  "ml_dsa_87",
+    "slh_dsa_sha2_128f",  "slh_dsa_sha2_192f",  "slh_dsa_sha2_256f",
+    "slh_dsa_shake_128f", "slh_dsa_shake_192f", "slh_dsa_shake_256f",
+  ];
+}
+
+// Each accessor delegates to the bundle on demand. Naming follows
+// the framework's underscore-separated convention; the bundle uses
+// the same names with `_` already, so they map 1:1.
+var pqc = {
+  PqcError:  PqcError,
+  isAvailable:    isAvailable,
+  listAlgorithms: listAlgorithms,
+};
+
+Object.defineProperty(pqc, "ml_kem_512", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem512"); },
+});
+Object.defineProperty(pqc, "ml_kem_768", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem768"); },
+});
+Object.defineProperty(pqc, "ml_kem_1024", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem1024"); },
+});
+Object.defineProperty(pqc, "ml_dsa_44", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa44"); },
+});
+Object.defineProperty(pqc, "ml_dsa_65", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa65"); },
+});
+Object.defineProperty(pqc, "ml_dsa_87", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa87"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_128f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_128f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_192f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_192f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_256f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_256f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_128f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_128f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_192f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_192f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_256f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_256f"); },
+});
+
+// Security-first defaults — highest level wins.
+Object.defineProperty(pqc, "DEFAULT_KEM", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem1024"); },
+});
+Object.defineProperty(pqc, "DEFAULT_LATTICE_SIG", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa87"); },
+});
+Object.defineProperty(pqc, "DEFAULT_HASH_SIG", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_256f"); },
+});
+
+module.exports = pqc;

package/lib/vault/index.js

@@ -290,10 +290,13 @@ function getMode() {
   return currentMode;
 }
 
+var vaultAad = require("../vault-aad");
+
 module.exports = {
   init:                  init,
   seal:                  seal,
   unseal:                unseal,
+  aad:                   vaultAad,
   getKeysJson:           getKeysJson,
   getCurrentPassphrase:  getCurrentPassphrase,
   getMode:               getMode,

package/lib/vault-aad.js

@@ -0,0 +1,259 @@
+"use strict";
+/**
+ * b.vault.aad — AAD-bound sealed-column primitive.
+ *
+ * `b.vault.seal(plaintext)` produces a ciphertext that decrypts back
+ * to the same plaintext regardless of WHICH row / column / table the
+ * value was sealed for. An attacker with write access to the database
+ * (or an audit-log replay) can copy a sealed value from a benign row
+ * (e.g. their own user record) into a sensitive row (e.g. another
+ * user's PII column), and the value decrypts cleanly. Application
+ * code that gates on the field's value alone won't notice.
+ *
+ * AAD-bound sealed columns close that gap. The seal binds to an
+ * Additional Authenticated Data tuple (table, rowId, column,
+ * schemaVersion) so the AEAD tag fails on any decrypt where the AAD
+ * differs — copy-paste, replay, schema-version-rollback all surface
+ * as a refused decrypt.
+ *
+ * Public surface (b.vault.aad.*):
+ *
+ *   .seal(plaintext, aadParts)
+ *     → "vault.aad:<base64>"  (refuses null/undefined)
+ *
+ *   .unseal(value, aadParts)
+ *     → plaintext             (throws on AEAD mismatch)
+ *
+ *   .buildColumnAad({ table, rowId, column, schemaVersion })
+ *     → canonical-form string suitable for seal/unseal
+ *
+ *   .buildContextAad(parts)
+ *     → canonical-form string from arbitrary { field: value } parts;
+ *       sorted-keys + length-prefixed encoding so two callers with
+ *       the same logical context always produce the same AAD bytes.
+ *
+ *   .isAadSealed(value) → boolean
+ *
+ * Per the framework's security-first stance:
+ *   - Symmetric key derivation uses HKDF-SHAKE256 (matching the
+ *     vault's KDF) over the vault root key concatenated with the
+ *     canonicalized AAD.
+ *   - AEAD: XChaCha20-Poly1305 with the AAD threaded into the tag.
+ *   - 24-byte nonce, generated fresh per-seal via
+ *     b.crypto.generateBytes — collision probability negligible.
+ *
+ * The vault must be initialized before sealAad / unsealAad — same
+ * post-init contract as plain `vault.seal`.
+ */
+
+var lazyRequire     = require("./lazy-require");
+var validateOpts    = require("./validate-opts");
+var C               = require("./constants");
+var { defineClass } = require("./framework-error");
+var VaultAadError = defineClass("VaultAadError", { alwaysPermanent: true });
+
+var crypto = lazyRequire(function () { return require("./crypto"); });
+var vault  = lazyRequire(function () { return require("./vault"); });
+var audit  = lazyRequire(function () { return require("./audit"); });
+
+var AAD_PREFIX  = "vault.aad:";
+var AAD_VERSION = 1;
+
+// ---- Canonical AAD construction ----
+//
+// AAD bytes MUST be deterministic for any two calls describing the
+// same logical context (same table, same row, same column, same
+// schemaVersion). Sorted-keys + length-prefixed encoding gets us
+// determinism regardless of the operator's iteration order.
+
+function _canonicalize(parts) {
+  if (!parts || typeof parts !== "object" || Array.isArray(parts)) {
+    throw new VaultAadError("vault-aad/bad-aad",
+      "AAD must be a plain object — got " + typeof parts);
+  }
+  var keys = Object.keys(parts).sort();          // allow:bare-canonicalize-walk — AEAD AAD canonicalization has its own length-prefixed contract
+  if (keys.length === 0) {
+    throw new VaultAadError("vault-aad/bad-aad",
+      "AAD must have at least one field");
+  }
+  var chunks = [];
+  chunks.push(Buffer.from([AAD_VERSION]));
+  for (var i = 0; i < keys.length; i += 1) {
+    var key = keys[i];
+    if (key === "__proto__" || key === "constructor" || key === "prototype") {
+      throw new VaultAadError("vault-aad/bad-aad",
+        "AAD field name " + JSON.stringify(key) + " is forbidden (poisoned key)");
+    }
+    if (typeof parts[key] !== "string" && typeof parts[key] !== "number" &&
+        typeof parts[key] !== "boolean") {
+      throw new VaultAadError("vault-aad/bad-aad",
+        "AAD field " + JSON.stringify(key) + " must be string / number / boolean — got " +
+        typeof parts[key]);
+    }
+    var keyBuf = Buffer.from(key, "utf8");
+    var valBuf = Buffer.from(String(parts[key]), "utf8");
+    var keyLenBuf = Buffer.alloc(2);
+    keyLenBuf.writeUInt16BE(keyBuf.length);
+    var valLenBuf = Buffer.alloc(4);
+    valLenBuf.writeUInt32BE(valBuf.length);
+    chunks.push(keyLenBuf, keyBuf, valLenBuf, valBuf);
+  }
+  return Buffer.concat(chunks);                  // allow:handrolled-buffer-collect — AAD canonicalization, bounded by length-prefixed field shape
+}
+
+function buildColumnAad(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "table", "rowId", "column", "schemaVersion",
+  ], "vault.aad.buildColumnAad");
+  validateOpts.requireNonEmptyString(opts.table,
+    "buildColumnAad: table", VaultAadError, "vault-aad/bad-aad");
+  validateOpts.requireNonEmptyString(opts.column,
+    "buildColumnAad: column", VaultAadError, "vault-aad/bad-aad");
+  if (opts.rowId == null) {
+    throw new VaultAadError("vault-aad/bad-aad",
+      "buildColumnAad: rowId is required");
+  }
+  return {
+    table:         opts.table,
+    rowId:         String(opts.rowId),
+    column:        opts.column,
+    schemaVersion: opts.schemaVersion != null ? String(opts.schemaVersion) : "1",
+  };
+}
+
+function buildContextAad(parts) {
+  if (!parts || typeof parts !== "object" || Array.isArray(parts)) {
+    throw new VaultAadError("vault-aad/bad-aad",
+      "buildContextAad: parts must be a plain object");
+  }
+  var out = {};
+  for (var k in parts) {
+    if (!Object.prototype.hasOwnProperty.call(parts, k)) continue;
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (parts[k] == null) continue;
+    out[k] = parts[k];
+  }
+  if (Object.keys(out).length === 0) {
+    throw new VaultAadError("vault-aad/bad-aad",
+      "buildContextAad: at least one non-null field required");
+  }
+  return out;
+}
+
+// ---- key derivation ----
+//
+// Per-row symmetric key = SHAKE256("vault.aad/v1/" || rootKey || aadBytes,
+// 32 bytes). Constant-domain prefix prevents key collision with other
+// uses of the vault root.
+
+function _deriveKey(aadBytes) {
+  var keysJson = vault().getKeysJson();
+  // The vault keys JSON includes the active keypair PEMs. We hash the
+  // whole serialized form to get a stable per-vault root secret —
+  // this is a deterministic derivation; rotating vault keys produces
+  // a different root and breaks all prior AAD-sealed values (operator
+  // intent: rotation = re-seal).
+  var rootHash = crypto().sha3Hash(keysJson);
+  var prefix   = Buffer.from("vault.aad/v1/", "utf8");
+  var rootBuf  = Buffer.from(rootHash, "hex");
+  var input    = Buffer.concat([prefix, rootBuf, aadBytes]);
+  return crypto().kdf(input, C.BYTES.bytes(32));
+}
+
+function seal(plaintext, aadParts) {
+  if (plaintext == null) {
+    throw new VaultAadError("vault-aad/bad-input",
+      "seal: plaintext is required (use null/undefined-stripping at the call site)");
+  }
+  if (typeof plaintext !== "string") plaintext = String(plaintext);
+  if (plaintext.length === 0) {
+    throw new VaultAadError("vault-aad/bad-input",
+      "seal: plaintext must be non-empty");
+  }
+  if (plaintext.indexOf(AAD_PREFIX) === 0) {
+    throw new VaultAadError("vault-aad/already-sealed",
+      "seal: value is already AAD-sealed (refuses to double-seal)");
+  }
+  var aadBytes = _canonicalize(aadParts);
+  var key = _deriveKey(aadBytes);
+  var ptBuf = Buffer.from(plaintext, "utf8");
+  var packed = crypto().encryptPacked(ptBuf, key, aadBytes);
+
+  try {
+    audit().safeEmit({
+      action:   "vault.aad.sealed",
+      outcome:  "success",
+      actor:    null,
+      metadata: {
+        aadKeys: Object.keys(aadParts).sort(),    // allow:bare-canonicalize-walk — audit-emit metadata, not for signing
+        bytes:   ptBuf.length,
+      },
+    });
+  } catch (_e) { /* drop-silent */ }
+
+  return AAD_PREFIX + packed.toString("base64");
+}
+
+function unseal(value, aadParts) {
+  if (value == null || typeof value !== "string") {
+    throw new VaultAadError("vault-aad/bad-input",
+      "unseal: value must be a non-empty string");
+  }
+  if (value.indexOf(AAD_PREFIX) !== 0) {
+    throw new VaultAadError("vault-aad/not-sealed",
+      "unseal: value is not AAD-sealed (missing " + JSON.stringify(AAD_PREFIX) + " prefix)");
+  }
+  var aadBytes = _canonicalize(aadParts);
+  var key = _deriveKey(aadBytes);
+  var packed;
+  try { packed = Buffer.from(value.slice(AAD_PREFIX.length), "base64"); }
+  catch (e) {
+    throw new VaultAadError("vault-aad/bad-format",
+      "unseal: base64 decode failed - " + e.message);
+  }
+  var pt;
+  try { pt = crypto().decryptPacked(packed, key, aadBytes); }
+  catch (e) {
+    try {
+      audit().safeEmit({
+        action:   "vault.aad.unseal_failed",
+        outcome:  "denied",
+        actor:    null,
+        metadata: {
+          aadKeys: Object.keys(aadParts).sort(),  // allow:bare-canonicalize-walk — audit-emit metadata, not for signing
+          reason:  e.message,
+        },
+      });
+    } catch (_e) { /* drop-silent */ }
+    throw new VaultAadError("vault-aad/aead-mismatch",
+      "unseal: AEAD authentication failed — value may have been tampered, " +
+      "copied from a different row, or sealed under different AAD");
+  }
+  return pt.toString("utf8");
+}
+
+function isAadSealed(value) {
+  return typeof value === "string" && value.indexOf(AAD_PREFIX) === 0;
+}
+
+// Operator-side helper: re-seal a value from one AAD context to
+// another (used when migrating row IDs, schema version bumps, etc.).
+// Authenticates the source AAD before producing the new ciphertext —
+// no key material exposed.
+function reseal(value, fromAad, toAad) {
+  var plaintext = unseal(value, fromAad);
+  return seal(plaintext, toAad);
+}
+
+module.exports = {
+  seal:               seal,
+  unseal:             unseal,
+  reseal:             reseal,
+  isAadSealed:        isAadSealed,
+  buildColumnAad:     buildColumnAad,
+  buildContextAad:    buildContextAad,
+  AAD_PREFIX:         AAD_PREFIX,
+  AAD_VERSION:        AAD_VERSION,
+  VaultAadError:      VaultAadError,
+};

package/lib/vendor/MANIFEST.json

@@ -18,6 +18,35 @@
         "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
       }
     },
+    "@noble/post-quantum": {
+      "version": "0.6.1",
+      "license": "MIT",
+      "author": "Paul Miller",
+      "source": "https://github.com/paulmillr/noble-post-quantum",
+      "_about": "FIPS 203 / 204 / 205 PQC algorithms in pure JS. First-class on both server-side and client-side — interoperable with Node's built-in WebCrypto ML-KEM (a ciphertext encapsulated with Node ML-KEM-1024 decapsulates correctly with b.pqcSoftware.ml_kem_1024 and vice versa). Operators wire it server-side via `b.pqcSoftware.{ml_kem_1024,ml_dsa_87,slh_dsa_shake_256f,...}` (security-first defaults are the highest cat-5 levels), or re-bundle for browser / mobile clients shipping b.middleware.apiEncrypt.client. Older Node versions without the experimental WebCrypto ML-KEM extension can use the vendored bundle as the primary PQC path.",
+      "exports": [
+        "ml_kem512",
+        "ml_kem768",
+        "ml_kem1024",
+        "ml_dsa44",
+        "ml_dsa65",
+        "ml_dsa87",
+        "slh_dsa_sha2_128f",
+        "slh_dsa_sha2_192f",
+        "slh_dsa_sha2_256f",
+        "slh_dsa_shake_128f",
+        "slh_dsa_shake_192f",
+        "slh_dsa_shake_256f"
+      ],
+      "files": {
+        "server": "lib/vendor/noble-post-quantum.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node",
+      "bundledAt": "2026-05-06",
+      "hashes": {
+        "server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
+      }
+    },
     "@simplewebauthn/server": {
       "version": "13.3.0",
       "license": "MIT",

package/lib/vendor/noble-post-quantum.cjs

@@ -0,0 +1,18 @@
+// @noble/post-quantum v0.6.1 — vendored from Paul Miller
+// License: MIT — https://github.com/paulmillr/noble-post-quantum
+// Bundled with esbuild. Exports: ml_kem512 / ml_kem768 / ml_kem1024 (FIPS 203 KEM),
+//   ml_dsa44 / ml_dsa65 / ml_dsa87 (FIPS 204 lattice signatures),
+//   slh_dsa_sha2_*f / slh_dsa_shake_*f (FIPS 205 hash signatures).
+var Nt=Object.defineProperty;var ar=Object.getOwnPropertyDescriptor;var fr=Object.getOwnPropertyNames;var ur=Object.prototype.hasOwnProperty;var dr=(e,t)=>{for(var n in t)Nt(e,n,{get:t[n],enumerable:!0})},lr=(e,t,n,r)=>{if(t&&typeof t=="object"||typeof t=="function")for(let o of fr(t))!ur.call(e,o)&&o!==n&&Nt(e,o,{get:()=>t[o],enumerable:!(r=ar(t,o))||r.enumerable});return e};var hr=e=>lr(Nt({},"__esModule",{value:!0}),e);var Zr={};dr(Zr,{ml_dsa44:()=>Wn,ml_dsa65:()=>$n,ml_dsa87:()=>Vn,ml_kem1024:()=>jn,ml_kem512:()=>Kn,ml_kem768:()=>Pn,slh_dsa_sha2_128f:()=>sr,slh_dsa_sha2_192f:()=>cr,slh_dsa_sha2_256f:()=>ir,slh_dsa_shake_128f:()=>er,slh_dsa_shake_192f:()=>tr,slh_dsa_shake_256f:()=>nr});module.exports=hr(Zr);var _t=BigInt(4294967295),nn=BigInt(32);function pr(e,t=!1){return t?{h:Number(e&_t),l:Number(e>>nn&_t)}:{h:Number(e>>nn&_t)|0,l:Number(e&_t)|0}}function kt(e,t=!1){let n=e.length,r=new Uint32Array(n),o=new Uint32Array(n);for(let c=0;c<n;c++){let{h:s,l:i}=pr(e[c],t);[r[c],o[c]]=[s,i]}return[r,o]}var Mt=(e,t,n)=>e>>>n,Kt=(e,t,n)=>e<<32-n|t>>>n,We=(e,t,n)=>e>>>n|t<<32-n,$e=(e,t,n)=>e<<32-n|t>>>n,ut=(e,t,n)=>e<<64-n|t>>>n-32,dt=(e,t,n)=>e>>>n-32|t<<64-n;var rn=(e,t,n)=>e<<n|t>>>32-n,on=(e,t,n)=>t<<n|e>>>32-n,sn=(e,t,n)=>t<<n-32|e>>>64-n,cn=(e,t,n)=>e<<n-32|t>>>64-n;function Be(e,t,n,r){let o=(t>>>0)+(r>>>0);return{h:e+n+(o/2**32|0)|0,l:o|0}}var an=(e,t,n)=>(e>>>0)+(t>>>0)+(n>>>0),fn=(e,t,n,r)=>t+n+r+(e/2**32|0)|0,un=(e,t,n,r)=>(e>>>0)+(t>>>0)+(n>>>0)+(r>>>0),dn=(e,t,n,r,o)=>t+n+r+o+(e/2**32|0)|0,ln=(e,t,n,r,o)=>(e>>>0)+(t>>>0)+(n>>>0)+(r>>>0)+(o>>>0),hn=(e,t,n,r,o,c)=>t+n+r+o+c+(e/2**32|0)|0;function yr(e){return e instanceof Uint8Array||ArrayBuffer.isView(e)&&e.constructor.name==="Uint8Array"&&"BYTES_PER_ELEMENT"in e&&e.BYTES_PER_ELEMENT===1}function Ve(e,t=""){if(typeof e!="number"){let n=t&&`"${t}" `;throw new TypeError(`${n}expected number, got ${typeof e}`)}if(!Number.isSafeInteger(e)||e<0){let n=t&&`"${t}" `;throw new RangeError(`${n}expected integer >= 0, got ${e}`)}}function Q(e,t,n=""){let r=yr(e),o=e?.length,c=t!==void 0;if(!r||c&&o!==t){let s=n&&`"${n}" `,i=c?` of length ${t}`:"",a=r?`length=${o}`:`type=${typeof e}`,w=s+"expected Uint8Array"+i+", got "+a;throw r?new RangeError(w):new TypeError(w)}return e}function xn(e){if(typeof e!="function"||typeof e.create!="function")throw new TypeError("Hash must wrapped by utils.createHasher");if(Ve(e.outputLen),Ve(e.blockLen),e.outputLen<1)throw new Error('"outputLen" must be >= 1');if(e.blockLen<1)throw new Error('"blockLen" must be >= 1')}function He(e,t=!0){if(e.destroyed)throw new Error("Hash instance has been destroyed");if(t&&e.finished)throw new Error("Hash#digest() has already been called")}function et(e,t){Q(e,void 0,"digestInto() output");let n=t.outputLen;if(e.length<n)throw new RangeError('"digestInto() output" expected to be of length >='+n)}function Bt(e){return new Uint32Array(e.buffer,e.byteOffset,Math.floor(e.byteLength/4))}function Ee(...e){for(let t=0;t<e.length;t++)e[t].fill(0)}function Xe(e){return new DataView(e.buffer,e.byteOffset,e.byteLength)}function ke(e,t){return e<<32-t|e>>>t}var yn=new Uint8Array(new Uint32Array([287454020]).buffer)[0]===68;function br(e){return e<<24&4278190080|e<<8&16711680|e>>>8&65280|e>>>24&255}function gr(e){for(let t=0;t<e.length;t++)e[t]=br(e[t]);return e}var tt=yn?e=>e:gr,bn=typeof Uint8Array.from([]).toHex=="function"&&typeof Uint8Array.fromHex=="function",wr=Array.from({length:256},(e,t)=>t.toString(16).padStart(2,"0"));function gn(e){if(Q(e),bn)return e.toHex();let t="";for(let n=0;n<e.length;n++)t+=wr[e[n]];return t}var Oe={_0:48,_9:57,A:65,F:70,a:97,f:102};function pn(e){if(e>=Oe._0&&e<=Oe._9)return e-Oe._0;if(e>=Oe.A&&e<=Oe.F)return e-(Oe.A-10);if(e>=Oe.a&&e<=Oe.f)return e-(Oe.a-10)}function wn(e){if(typeof e!="string")throw new TypeError("hex string expected, got "+typeof e);if(bn)try{return Uint8Array.fromHex(e)}catch(o){throw o instanceof SyntaxError?new RangeError(o.message):o}let t=e.length,n=t/2;if(t%2)throw new RangeError("hex string expected, got unpadded hex of length "+t);let r=new Uint8Array(n);for(let o=0,c=0;o<n;o++,c+=2){let s=pn(e.charCodeAt(c)),i=pn(e.charCodeAt(c+1));if(s===void 0||i===void 0){let a=e[c]+e[c+1];throw new RangeError('hex string expected, got non-hex character "'+a+'" at index '+c)}r[o]=s*16+i}return r}function Ye(...e){let t=0;for(let r=0;r<e.length;r++){let o=e[r];Q(o),t+=o.length}let n=new Uint8Array(t);for(let r=0,o=0;r<e.length;r++){let c=e[r];n.set(c,o),o+=c.length}return n}function nt(e,t={}){let n=(o,c)=>e(c).update(o).digest(),r=e(void 0);return n.outputLen=r.outputLen,n.blockLen=r.blockLen,n.canXOF=r.canXOF,n.create=o=>e(o),Object.assign(n,t),Object.freeze(n)}function mn(e=32){Ve(e,"bytesLength");let t=typeof globalThis=="object"?globalThis.crypto:null;if(typeof t?.getRandomValues!="function")throw new Error("crypto.getRandomValues must be defined");if(e>65536)throw new RangeError(`"bytesLength" expected <= 65536, got ${e}`);return t.getRandomValues(new Uint8Array(e))}var Fe=e=>({oid:Uint8Array.from([6,9,96,134,72,1,101,3,4,2,e])});var mr=BigInt(0),lt=BigInt(1),Ar=BigInt(2),Tr=BigInt(7),Er=BigInt(256),_r=BigInt(113),En=[],_n=[],kn=[];for(let e=0,t=lt,n=1,r=0;e<24;e++){[n,r]=[r,(2*n+3*r)%5],En.push(2*(5*r+n)),_n.push((e+1)*(e+2)/2%64);let o=mr;for(let c=0;c<7;c++)t=(t<<lt^(t>>Tr)*_r)%Er,t&Ar&&(o^=lt<<(lt<<BigInt(c))-lt);kn.push(o)}var Bn=kt(kn,!0),kr=Bn[0],Br=Bn[1],An=(e,t,n)=>n>32?sn(e,t,n):rn(e,t,n),Tn=(e,t,n)=>n>32?cn(e,t,n):on(e,t,n);function Lr(e,t=24){if(Ve(t,"rounds"),t<1||t>24)throw new Error('"rounds" expected integer 1..24');let n=new Uint32Array(10);for(let r=24-t;r<24;r++){for(let s=0;s<10;s++)n[s]=e[s]^e[s+10]^e[s+20]^e[s+30]^e[s+40];for(let s=0;s<10;s+=2){let i=(s+8)%10,a=(s+2)%10,w=n[a],h=n[a+1],y=An(w,h,1)^n[i],_=Tn(w,h,1)^n[i+1];for(let k=0;k<50;k+=10)e[s+k]^=y,e[s+k+1]^=_}let o=e[2],c=e[3];for(let s=0;s<24;s++){let i=_n[s],a=An(o,c,i),w=Tn(o,c,i),h=En[s];o=e[h],c=e[h+1],e[h]=a,e[h+1]=w}for(let s=0;s<50;s+=10){let i=e[s],a=e[s+1],w=e[s+2],h=e[s+3];e[s]^=~e[s+2]&e[s+4],e[s+1]^=~e[s+3]&e[s+5],e[s+2]^=~e[s+4]&e[s+6],e[s+3]^=~e[s+5]&e[s+7],e[s+4]^=~e[s+6]&e[s+8],e[s+5]^=~e[s+7]&e[s+9],e[s+6]^=~e[s+8]&i,e[s+7]^=~e[s+9]&a,e[s+8]^=~i&w,e[s+9]^=~a&h}e[0]^=kr[r],e[1]^=Br[r]}Ee(n)}var Lt=class e{state;pos=0;posOut=0;finished=!1;state32;destroyed=!1;blockLen;suffix;outputLen;canXOF;enableXOF=!1;rounds;constructor(t,n,r,o=!1,c=24){if(this.blockLen=t,this.suffix=n,this.outputLen=r,this.enableXOF=o,this.canXOF=o,this.rounds=c,Ve(r,"outputLen"),!(0<t&&t<200))throw new Error("only keccak-f1600 function is supported");this.state=new Uint8Array(200),this.state32=Bt(this.state)}clone(){return this._cloneInto()}keccak(){tt(this.state32),Lr(this.state32,this.rounds),tt(this.state32),this.posOut=0,this.pos=0}update(t){He(this),Q(t);let{blockLen:n,state:r}=this,o=t.length;for(let c=0;c<o;){let s=Math.min(n-this.pos,o-c);for(let i=0;i<s;i++)r[this.pos++]^=t[c++];this.pos===n&&this.keccak()}return this}finish(){if(this.finished)return;this.finished=!0;let{state:t,suffix:n,pos:r,blockLen:o}=this;t[r]^=n,(n&128)!==0&&r===o-1&&this.keccak(),t[o-1]^=128,this.keccak()}writeInto(t){He(this,!1),Q(t),this.finish();let n=this.state,{blockLen:r}=this;for(let o=0,c=t.length;o<c;){this.posOut>=r&&this.keccak();let s=Math.min(r-this.posOut,c-o);t.set(n.subarray(this.posOut,this.posOut+s),o),this.posOut+=s,o+=s}return t}xofInto(t){if(!this.enableXOF)throw new Error("XOF is not possible for this instance");return this.writeInto(t)}xof(t){return Ve(t),this.xofInto(new Uint8Array(t))}digestInto(t){if(et(t,this),this.finished)throw new Error("digest() was already called");this.writeInto(t.subarray(0,this.outputLen)),this.destroy()}digest(){let t=new Uint8Array(this.outputLen);return this.digestInto(t),t}destroy(){this.destroyed=!0,Ee(this.state)}_cloneInto(t){let{blockLen:n,suffix:r,outputLen:o,rounds:c,enableXOF:s}=this;return t||=new e(n,r,o,s,c),t.blockLen=n,t.state32.set(this.state32),t.pos=this.pos,t.posOut=this.posOut,t.finished=this.finished,t.rounds=c,t.suffix=r,t.outputLen=o,t.enableXOF=s,t.canXOF=this.canXOF,t.destroyed=this.destroyed,t}},Ln=(e,t,n,r={})=>nt(()=>new Lt(t,e,n),r);var On=Ln(6,136,32,Fe(8));var Hn=Ln(6,72,64,Fe(10));var Sn=(e,t,n,r={})=>nt((o={})=>new Lt(t,e,o.dkLen===void 0?n:o.dkLen,!0),r),In=Sn(31,168,16,Fe(11)),re=Sn(31,136,32,Fe(12));function Pt(e){if(!Number.isSafeInteger(e)||e<0||e>4294967295)throw new Error("wrong u32 integer:"+e);return e}function Un(e){return Pt(e),(e&e-1)===0&&e!==0}function jt(e,t){if(Pt(e),!Number.isSafeInteger(t)||t<0||t>32)throw new Error(`expected integer 0 <= bits <= 32, got ${t}`);let n=0;for(let r=0;r<t;r++,e>>>=1)n=n<<1|e&1;return n>>>0}function Cn(e){return Pt(e),31-Math.clz32(e)}function Rn(e){let t=e.length;if(!Un(t))throw new Error("expected positive power-of-two length, got "+t);let n=Cn(t);for(let r=0;r<t;r++){let o=jt(r,n);if(r<o){let c=e[r];e[r]=e[o],e[o]=c}}return e}var vt=(e,t)=>{let{N:n,roots:r,dit:o,invertButterflies:c=!1,skipStages:s=0,brp:i=!0}=t,a=Cn(n);if(!Un(n))throw new Error("FFT: Polynomial size should be power of two");if(r.length!==n)throw new Error(`FFT: wrong roots length: expected ${n}, got ${r.length}`);let w=o!==c;return h=>{if(h.length!==n)throw new Error("FFT: wrong Polynomial length");o&&i&&Rn(h);for(let y=0,_=1;y<a-s;y++){let k=o?y+1+s:a-y,O=1<<k,E=O>>1,U=n>>k;for(let N=0;N<n;N+=O)for(let b=0,l=_++;b<E;b++){let I=c?o?n-l:l:b*U,F=N+b,P=N+b+E,v=r[I],K=h[P],g=h[F];if(w){let M=e.mul(K,v);h[F]=e.add(g,M),h[P]=e.sub(g,M)}else c?(h[F]=e.add(K,g),h[P]=e.mul(e.sub(K,g),v)):(h[F]=e.add(g,K),h[P]=e.mul(e.sub(g,K),v))}}return!o&&i&&Rn(h),h}};var be=Q;var Se=mn;function Ie(e,t){if(e.length!==t.length)return!1;let n=0;for(let r=0;r<e.length;r++)n|=e[r]^t[r];return n===0}function rt(e){return Uint8Array.from(Q(e))}function Dt(e){if(Object.prototype.toString.call(e)!=="[object Object]")throw new TypeError("expected valid options object")}function Ze(e){Dt(e),e.context!==void 0&&Q(e.context,void 0,"opts.context")}function Ne(e){Ze(e),e.extraEntropy!==!1&&e.extraEntropy!==void 0&&Q(e.extraEntropy,void 0,"opts.extraEntropy")}function ce(e,...t){let n=o=>typeof o=="number"?o:o.bytesLen,r=t.reduce((o,c)=>o+n(c),0);return{bytesLen:r,encode:o=>{let c=new Uint8Array(r);for(let s=0,i=0;s<t.length;s++){let a=t[s],w=n(a),h=typeof a=="number"?o[s]:a.encode(o[s]);Q(h,w,e),c.set(h,i),typeof a!="number"&&h.fill(0),i+=w}return c},decode:o=>{Q(o,r,e);let c=[];for(let s of t){let i=n(s),a=o.subarray(0,i);c.push(typeof s=="number"?a:s.decode(a)),o=o.subarray(i)}return c}}}function ge(e,t){let n=e,r=t*n.bytesLen;return{bytesLen:r,encode:o=>{if(o.length!==t)throw new RangeError(`vecCoder.encode: wrong length=${o.length}. Expected: ${t}`);let c=new Uint8Array(r);for(let s=0,i=0;s<o.length;s++){let a=n.encode(o[s]);c.set(a,i),a.fill(0),i+=a.length}return c},decode:o=>{Q(o,r);let c=[];for(let s=0;s<o.length;s+=n.bytesLen)c.push(n.decode(o.subarray(s,s+n.bytesLen)));return c}}}function V(...e){for(let t of e)if(Array.isArray(t))for(let n of t)n.fill(0);else t.fill(0)}function qe(e){if(!Number.isSafeInteger(e)||e<0||e>32)throw new RangeError(`expected bits in [0..32], got ${e}`);return e===32?4294967295:~(-1<<e)>>>0}var Fn=Uint8Array.of();function ot(e,t=Fn){if(Q(e),Q(t),t.length>255)throw new RangeError("context should be 255 bytes or less");return Ye(new Uint8Array([0,t.length]),t,e)}var Or=Uint8Array.from([6,9,96,134,72,1,101,3,4,2]);function Ot(e,t=0){if(!e.oid||!Ie(e.oid.subarray(0,10),Or))throw new Error("hash.oid is invalid: expected NIST hash");let n=e.outputLen*8/2;if(t>n)throw new Error("Pre-hash security strength too low: "+n+", required: "+t)}function st(e,t,n=Fn){if(Q(t),Q(n),n.length>255)throw new RangeError("context should be 255 bytes or less");let r=e(t);return Ye(new Uint8Array([1,n.length]),n,e.oid,r)}var Ht=e=>{let{newPoly:t,N:n,Q:r,F:o,ROOT_OF_UNITY:c,brvBits:s,isKyber:i}=e,a=(b,l=r)=>{let I=b%l|0;return(I>=0?I|0:l+I|0)|0},w=(b,l=r)=>{let I=a(b,l)|0;return(I>l>>1?I-l|0:I)|0};function h(){let b=t(n);for(let l=0;l<n;l++){let I=jt(l,s),F=BigInt(c)**BigInt(I)%BigInt(r);b[l]=Number(F)|0}return b}let y=h(),_={add:(b,l)=>a((b|0)+(l|0))|0,sub:(b,l)=>a((b|0)-(l|0))|0,mul:(b,l)=>a((b|0)*(l|0))|0,inv:b=>{throw new Error("not implemented")}},k={N:n,roots:y,invertButterflies:!0,skipStages:i?1:0,brp:!1},O=vt(_,{dit:!1,...k}),E=vt(_,{dit:!0,...k}),U={encode:b=>O(b),decode:b=>{E(b);for(let l=0;l<b.length;l++)b[l]=a(o*b[l]);return b}};return{mod:a,smod:w,nttZetas:y,NTT:{encode:b=>U.encode(b),decode:b=>U.decode(b)},bitsCoder:(b,l)=>{let I=qe(b),F=b*(n/8);return{bytesLen:F,encode:P=>{let v=P,K=new Uint8Array(F);for(let g=0,M=0,J=0,$=0;g<v.length;g++)for(M|=(l.encode(v[g])&I)<<J,J+=b;J>=8;J-=8,M>>=8)K[$++]=M&qe(J);return K},decode:P=>{let v=t(n);for(let K=0,g=0,M=0,J=0;K<P.length;K++)for(g|=P[K]<<M,M+=8;M>=b;M-=b,g>>=b)v[J++]=l.decode(g&I);return v}}}}},Nn=e=>(t,n)=>{n||(n=e.blockLen);let r=new Uint8Array(t.length+2);r.set(t);let o=t.length,c=new Uint8Array(n),s=e.create({}),i=0,a=0;return{stats:()=>({calls:i,xofs:a}),get:(w,h)=>(r[o+0]=w,r[o+1]=h,s.destroy(),s=e.create({}).update(r),i++,()=>(a++,s.xofInto(c))),clean:()=>{s.destroy(),V(c,r)}}},ct=Nn(In),St=Nn(re);var le=256,we=3329,Hr=3303,Sr=17,ye=Ht({N:le,Q:we,F:Hr,ROOT_OF_UNITY:Sr,newPoly:e=>new Uint16Array(e),brvBits:7,isKyber:!0}),Gt=Object.freeze({512:Object.freeze({N:le,Q:we,K:2,ETA1:3,ETA2:2,du:10,dv:4,RBGstrength:128}),768:Object.freeze({N:le,Q:we,K:3,ETA1:2,ETA2:2,du:10,dv:4,RBGstrength:192}),1024:Object.freeze({N:le,Q:we,K:4,ETA1:2,ETA2:2,du:11,dv:5,RBGstrength:256})}),Ir=e=>{if(e>=12)return{encode:n=>n,decode:n=>n>=we?n-we:n};let t=2**(e-1);return{encode:n=>((n<<e)+we/2)/we,decode:n=>n*we+t>>>e}},Rr=e=>ye.bitsCoder(e,e===12?{encode:t=>t,decode:t=>t>=we?t-we:t}:{encode:t=>t,decode:t=>t}),ht=e=>e===12?Rr(12):ye.bitsCoder(e,Ir(e));function Qe(e,t){let n=e,r=t;for(let o=0;o<le;o++)n[o]=ye.mod(n[o]+r[o])}function Ur(e,t){let n=e,r=t;for(let o=0;o<le;o++)n[o]=ye.mod(n[o]-r[o])}function Cr(e,t,n,r,o){let c=ye.mod(t*r*o+e*n),s=ye.mod(e*r+t*n);return{c0:c,c1:s}}function It(e,t){let n=e,r=t;for(let o=0;o<le/2;o++){let c=ye.nttZetas[64+(o>>1)];o&1&&(c=-c);let{c0:s,c1:i}=Cr(n[2*o+0],n[2*o+1],r[2*o+0],r[2*o+1],c);n[2*o+0]=s,n[2*o+1]=i}return n}function Mn(e){let t=e,n=new Uint16Array(le);for(let r=0;r<le;){let o=t();if(o.length%3)throw new Error("SampleNTT: unaligned block");for(let c=0;r<le&&c+3<=o.length;c+=3){let s=(o[c+0]>>0|o[c+1]<<8)&4095,i=(o[c+1]>>4|o[c+2]<<4)&4095;s<we&&(n[r++]=s),r<le&&i<we&&(n[r++]=i)}}return n}var Fr=(e,t)=>{let n=new Uint16Array(le),r=Bt(e);tt(r);let o=0;for(let c=0,s=0,i=0,a=0;c<r.length;c++){let w=r[c];for(let h=0;h<32;h++)i+=w&1,w>>=1,o+=1,o===t?(a=i,i=0):o===2*t&&(n[s++]=ye.mod(a-i),i=0,o=0)}if(tt(r),o)throw new Error(`sampleCBD: leftover bits: ${o}`);return n};function pt(e,t,n,r){return Fr(e(r*le/4,t,n),r)}var Nr=e=>{let t=e,{K:n,PRF:r,XOF:o,HASH512:c,ETA1:s,ETA2:i,du:a,dv:w}=t,h=ht(1),y=ht(w),_=ht(a),k=ce("publicKey",ge(ht(12),n),32),O=ge(ht(12),n),E=ce("ciphertext",ge(_,n),y),U=ce("seed",32,32);return{secretCoder:O,lengths:{secretKey:O.bytesLen,publicKey:k.bytesLen,cipherText:E.bytesLen},keygen:N=>{be(N,32,"seed");let b=new Uint8Array(33);b.set(N),b[32]=n;let l=c(b),[I,F]=U.decode(l),P=[],v=[];for(let M=0;M<n;M++)P.push(ye.NTT.encode(pt(r,F,M,s)));let K=o(I);for(let M=0;M<n;M++){let J=ye.NTT.encode(pt(r,F,n+M,s));for(let $=0;$<n;$++){let fe=Mn(K.get($,M));Qe(J,It(fe,P[$]))}v.push(J)}K.clean();let g={publicKey:k.encode([v,I]),secretKey:O.encode(P)};return V(I,F,P,v,b,l),g},encrypt:(N,b,l)=>{let[I,F]=k.decode(N),P=[];for(let $=0;$<n;$++)P.push(ye.NTT.encode(pt(r,l,$,s)));let v=o(F),K=new Uint16Array(le),g=[];for(let $=0;$<n;$++){let fe=pt(r,l,n+$,i),Ae=new Uint16Array(le);for(let pe=0;pe<n;pe++){let Ge=Mn(v.get($,pe));Qe(Ae,It(Ge,P[pe]))}Qe(fe,ye.NTT.decode(Ae)),g.push(fe),Qe(K,It(I[$],P[$])),V(Ae)}v.clean();let M=pt(r,l,2*n,i);Qe(M,ye.NTT.decode(K));let J=h.decode(b);return Qe(J,M),V(I,P,K,M),E.encode([g,J])},decrypt:(N,b)=>{let[l,I]=E.decode(N),F=O.decode(b),P=new Uint16Array(le);for(let v=0;v<n;v++)Qe(P,It(F[v],ye.NTT.encode(l[v])));return Ur(I,ye.NTT.decode(P)),V(P,F,l),h.encode(I)}}};function Mr(e){let t=e,n=Nr(t),{HASH256:r,HASH512:o,KDF:c}=t,{secretCoder:s,lengths:i}=n,a=ce("secretKey",i.secretKey,i.publicKey,32,32),w=32,h=64,y=Object.freeze({...i,seed:64,msg:w,msgRand:w,secretKey:a.bytesLen});return Object.freeze({info:Object.freeze({type:"ml-kem"}),lengths:y,keygen:(_=Se(h))=>{be(_,h,"seed");let{publicKey:k,secretKey:O}=n.keygen(_.subarray(0,32)),E=r(k),U=a.encode([O,k,E,_.subarray(32)]);return V(O,E),{publicKey:k,secretKey:U}},getPublicKey:_=>{let[k,O,E,U]=a.decode(_);return Uint8Array.from(O)},encapsulate:(_,k=Se(w))=>{be(_,i.publicKey,"publicKey"),be(k,w,"message");let O=_.subarray(0,384*e.K),E=s.encode(s.decode(rt(O)));if(!Ie(E,O))throw V(E),new Error("ML-KEM.encapsulate: wrong publicKey modulus");V(E);let U=o.create().update(k).update(r(_)).digest(),N=n.encrypt(_,k,U.subarray(32,64));return V(U.subarray(32)),{cipherText:N,sharedSecret:U.subarray(0,32)}},decapsulate:(_,k)=>{be(k,a.bytesLen,"secretKey"),be(_,i.cipherText,"cipherText");let O=a.bytesLen-96,E=O+32,U=r(k.subarray(O/2,E));if(!Ie(U,k.subarray(E,E+32)))throw new Error("invalid secretKey: hash check failed");let[N,b,l,I]=a.decode(k),F=n.decrypt(_,N),P=o.create().update(F).update(l).digest(),v=P.subarray(0,32),K=n.encrypt(b,F,P.subarray(32,64)),g=Ie(_,K),M=c.create({dkLen:32}).update(I).update(_).digest();return V(F,K,g?M:v),g?v:M}})}function Kr(e,t,n){return re.create({dkLen:e}).update(t).update(new Uint8Array([n])).digest()}var Pr={HASH256:On,HASH512:Hn,KDF:re,XOF:ct,PRF:Kr},zt=e=>Mr({...Pr,...e}),Kn=zt(Gt[512]),Pn=zt(Gt[768]),jn=zt(Gt[1024]);function vn(e,t=""){if(typeof e!="boolean"){let n=t&&`"${t}" `;throw new TypeError(n+"expected boolean, got type="+typeof e)}return e}function Dn(e){Dt(e),e.externalMu!==void 0&&vn(e.externalMu,"opts.externalMu")}var Z=256,Pe=8380417,jr=1753,vr=8347681,Je=13,Wt=Math.floor((Pe-1)/88)|0,$t=Math.floor((Pe-1)/32)|0,Vt=Object.freeze({2:Object.freeze({K:4,L:4,D:Je,GAMMA1:2**17,GAMMA2:Wt,TAU:39,ETA:2,OMEGA:80}),3:Object.freeze({K:6,L:5,D:Je,GAMMA1:2**19,GAMMA2:$t,TAU:49,ETA:4,OMEGA:55}),5:Object.freeze({K:8,L:7,D:Je,GAMMA1:2**19,GAMMA2:$t,TAU:60,ETA:2,OMEGA:75})}),me=e=>new Int32Array(e),W=Ht({N:Z,Q:Pe,F:vr,ROOT_OF_UNITY:jr,newPoly:me,isKyber:!1,brvBits:8}),Gn=e=>e,xt=(e,t=Gn,n=Gn)=>W.bitsCoder(e,{encode:r=>t(n(r)),decode:r=>n(t(r))}),Me=(e,t)=>{let n=e,r=t;for(let o=0;o<n.length;o++)n[o]=W.mod(n[o]+r[o]);return n},zn=(e,t)=>{let n=e,r=t;for(let o=0;o<n.length;o++)n[o]=W.mod(n[o]-r[o]);return n},Dr=e=>{let t=e;for(let n=0;n<Z;n++)t[n]<<=Je;return t},yt=(e,t)=>{let n=e;for(let r=0;r<Z;r++)if(Math.abs(W.smod(n[r]))>=t)return!0;return!1},Ke=(e,t)=>{let n=e,r=t,o=me(Z);for(let c=0;c<n.length;c++)o[c]=W.mod(n[c]*r[c]);return o};function Rt(e){let t=e,n=me(Z);for(let r=0;r<Z;){let o=t();if(o.length%3)throw new Error("RejNTTPoly: unaligned block");for(let c=0;r<Z&&c<=o.length-3;c+=3){let s=(o[c+0]|o[c+1]<<8|o[c+2]<<16)&8388607;s<Pe&&(n[r++]=s)}}return n}function Xt(e){let t=e,{K:n,L:r,GAMMA1:o,GAMMA2:c,TAU:s,ETA:i,OMEGA:a}=t,{CRH_BYTES:w,TR_BYTES:h,C_TILDE_BYTES:y,XOF128:_,XOF256:k,securityLevel:O}=t;if(![2,4].includes(i))throw new Error("Wrong ETA");if(![1<<17,1<<19].includes(o))throw new Error("Wrong GAMMA1");if(![Wt,$t].includes(c))throw new Error("Wrong GAMMA2");let E=s*i,U=p=>{let L=W.mod(p),T=W.smod(L,2*c)|0;return L-T===Pe-1?{r1:0,r0:T-1|0}:{r1:Math.floor((L-T)/(2*c))|0,r0:T}},N=p=>U(p).r1,b=p=>U(p).r0,l=(p,L)=>p<=c||p>Pe-c||p===Pe-c&&L===0?0:1,I=(p,L)=>{let T=Math.floor((Pe-1)/(2*c)),{r1:x,r0:u}=U(L);return p===1?u>0?W.mod(x+1,T)|0:W.mod(x-1,T)|0:x|0},F=p=>{let L=W.mod(p),T=W.smod(L,2**Je)|0;return{r1:Math.floor((L-T)/2**Je)|0,r0:T}},P={bytesLen:a+n,encode:p=>{let L=p;if(L===!1)throw new Error("hint.encode: hint is false");let T=new Uint8Array(a+n);for(let x=0,u=0;x<n;x++){for(let f=0;f<Z;f++)L[x][f]!==0&&(T[u++]=f);T[a+x]=u}return T},decode:p=>{let L=[],T=0;for(let x=0;x<n;x++){let u=me(Z);if(p[a+x]<T||p[a+x]>a)return!1;for(let f=T;f<p[a+x];f++){if(f>T&&p[f]<=p[f-1])return!1;u[p[f]]=1}T=p[a+x],L.push(u)}for(let x=T;x<a;x++)if(p[x]!==0)return!1;return L}},v=xt(i===2?3:4,p=>i-p,p=>{if(!(-i<=p&&p<=i))throw new Error(`malformed key s1/s3 ${p} outside of ETA range [${-i}, ${i}]`);return p}),K=xt(13,p=>(1<<Je-1)-p),g=xt(10),M=xt(o===1<<17?18:20,p=>W.smod(o-p)),J=xt(c===Wt?6:4),$=ge(J,n),fe=ce("publicKey",32,ge(g,n)),Ae=ce("secretKey",32,32,h,ge(v,r),ge(v,n),ge(K,n)),pe=ce("signature",y,ge(M,r),P),Ge=i===2?p=>p<15?2-p%5:!1:p=>p<9?4-p:!1;function ft(p){let L=p,T=me(Z);for(let x=0;x<Z;){let u=L();for(let f=0;x<Z&&f<u.length;f+=1){let A=Ge(u[f]&15),d=Ge(u[f]>>4&15);A!==!1&&(T[x++]=A),x<Z&&d!==!1&&(T[x++]=d)}}return T}let gt=p=>{let L=me(Z),T=re.create({}).update(p),x=new Uint8Array(re.blockLen);T.xofInto(x);let u=x.slice(0,8);for(let f=Z-s,A=8,d=0,B=0;f<Z;f++){let H=f+1;for(;H>f;)H=x[A++],!(A<re.blockLen)&&(T.xofInto(x),A=0);L[f]=L[H],L[H]=1-((u[d]>>B++&1)<<1),B>=8&&(d++,B=0)}return L},wt=p=>{let L=p,T=me(Z),x=me(Z);for(let u=0;u<L.length;u++){let{r0:f,r1:A}=F(L[u]);T[u]=f,x[u]=A}return{r0:T,r1:x}},mt=(p,L)=>{let T=p,x=L;for(let u=0;u<Z;u++)T[u]=I(x[u],T[u]);return T},At=(p,L)=>{let T=p,x=L,u=me(Z),f=0;for(let A=0;A<Z;A++){let d=l(T[A],x[A]);u[A]=d,f+=d}return{v:u,cnt:f}},ze=32,Ue=ce("seed",32,64,32),ue=Object.freeze({info:Object.freeze({type:"internal-ml-dsa"}),lengths:Object.freeze({secretKey:Ae.bytesLen,publicKey:fe.bytesLen,seed:32,signature:pe.bytesLen,signRand:ze}),keygen:p=>{let L=new Uint8Array(34),T=p===void 0;T&&(p=Se(32)),be(p,32,"seed"),L.set(p),T&&V(p),L[32]=n,L[33]=r;let[x,u,f]=Ue.decode(re(L,{dkLen:Ue.bytesLen})),A=k(u),d=[];for(let m=0;m<r;m++)d.push(ft(A.get(m&255,m>>8&255)));let B=[];for(let m=r;m<r+n;m++)B.push(ft(A.get(m&255,m>>8&255)));let H=d.map(m=>W.NTT.encode(m.slice())),R=[],C=[],G=_(x),S=me(Z);for(let m=0;m<n;m++){V(S);for(let Y=0;Y<r;Y++){let oe=Rt(G.get(Y,m));Me(S,Ke(oe,H[Y]))}W.NTT.decode(S);let{r0:X,r1:q}=wt(Me(S,B[m]));R.push(X),C.push(q)}let j=fe.encode([x,C]),D=re(j,{dkLen:h}),ee=Ae.encode([x,f,D,d,B,R]);return G.clean(),A.clean(),V(x,u,f,d,B,H,S,R,C,D,L),{publicKey:j,secretKey:ee}},getPublicKey:p=>{let[L,T,x,u,f,A]=Ae.decode(p),d=_(L),B=u.map(C=>W.NTT.encode(C.slice())),H=[],R=me(Z);for(let C=0;C<n;C++){R.fill(0);for(let S=0;S<r;S++){let j=Rt(d.get(S,C));Me(R,Ke(j,B[S]))}W.NTT.decode(R),Me(R,f[C]);let{r1:G}=wt(R);H.push(G)}return d.clean(),V(R,B,A,u,f),fe.encode([L,H])},sign:(p,L,T={})=>{Ne(T),Dn(T);let{extraEntropy:x,externalMu:u=!1}=T,[f,A,d,B,H,R]=Ae.decode(L),C=[],G=_(f);for(let m=0;m<n;m++){let X=[];for(let q=0;q<r;q++)X.push(Rt(G.get(q,m)));C.push(X)}G.clean();for(let m=0;m<r;m++)W.NTT.encode(B[m]);for(let m=0;m<n;m++)W.NTT.encode(H[m]),W.NTT.encode(R[m]);let S=u?p:re.create({dkLen:w}).update(d).update(p).digest(),j=x===!1?new Uint8Array(32):x===void 0?Se(ze):x;be(j,32,"extraEntropy");let D=re.create({dkLen:w}).update(A).update(j).update(S).digest();be(D,w);let ee=k(D,M.bytesLen);e:for(let m=0;;){let X=[];for(let z=0;z<r;z++,m++)X.push(M.decode(ee.get(m&255,m>>8)()));let q=X.map(z=>W.NTT.encode(z.slice())),Y=[];for(let z=0;z<n;z++){let ne=me(Z);for(let ie=0;ie<r;ie++)Me(ne,Ke(C[z][ie],q[ie]));W.NTT.decode(ne),Y.push(ne)}let oe=Y.map(z=>z.map(N)),te=re.create({dkLen:y}).update(S).update($.encode(oe)).digest(),de=W.NTT.encode(gt(te)),Te=B.map(z=>Ke(z,de));for(let z=0;z<r;z++)if(Me(W.NTT.decode(Te[z]),X[z]),yt(Te[z],o-E))continue e;let _e=0,se=[];for(let z=0;z<n;z++){let ne=W.NTT.decode(Ke(H[z],de)),ie=zn(Y[z],ne).map(b);if(yt(ie,c-E))continue e;let xe=W.NTT.decode(Ke(R[z],de));if(yt(xe,c))continue e;Me(ie,xe);let Le=At(ie,oe[z]);se.push(Le.v),_e+=Le.cnt}if(_e>a)continue;ee.clean();let Ce=pe.encode([te,Te,se]);return V(te,Te,se,de,oe,Y,q,X,D,B,H,R,...C),u||V(S),Ce}throw new Error("Unreachable code path reached, report this error")},verify:(p,L,T,x={})=>{Dn(x);let{externalMu:u=!1}=x,[f,A]=fe.decode(T),d=re(T,{dkLen:h});if(p.length!==pe.bytesLen)return!1;let[B,H,R]=pe.decode(p);if(R===!1)return!1;for(let m=0;m<r;m++)if(yt(H[m],o-E))return!1;let C=u?L:re.create({dkLen:w}).update(d).update(L).digest(),G=W.NTT.encode(gt(B)),S=H.map(m=>m.slice());for(let m=0;m<r;m++)W.NTT.encode(S[m]);let j=[],D=_(f);for(let m=0;m<n;m++){let X=Ke(W.NTT.encode(Dr(A[m])),G),q=me(Z);for(let oe=0;oe<r;oe++){let te=Rt(D.get(oe,m));Me(q,Ke(te,S[oe]))}let Y=W.NTT.decode(zn(q,X));j.push(mt(Y,R[m]))}D.clean();let ee=re.create({dkLen:y}).update(C).update($.encode(j)).digest();for(let m of R)if(!(m.reduce((q,Y)=>q+Y,0)<=a))return!1;for(let m of H)if(yt(m,o-E))return!1;return Ie(B,ee)}});return Object.freeze({info:Object.freeze({type:"ml-dsa"}),internal:ue,securityLevel:O,keygen:ue.keygen,lengths:ue.lengths,getPublicKey:ue.getPublicKey,sign:(p,L,T={})=>{Ne(T);let x=ot(p,T.context),u=ue.sign(x,L,T);return V(x),u},verify:(p,L,T,x={})=>(Ze(x),ue.verify(p,ot(L,x.context),T)),prehash:p=>(Ot(p,O),Object.freeze({info:Object.freeze({type:"hashml-dsa"}),securityLevel:O,lengths:ue.lengths,keygen:ue.keygen,getPublicKey:ue.getPublicKey,sign:(L,T,x={})=>{Ne(x);let u=st(p,L,x.context),f=ue.sign(u,T,x);return V(u),f},verify:(L,T,x,u={})=>(Ze(u),ue.verify(L,st(p,T,u.context),x))}))})}var Wn=Xt({...Vt[2],CRH_BYTES:64,TR_BYTES:64,C_TILDE_BYTES:32,XOF128:ct,XOF256:St,securityLevel:128}),$n=Xt({...Vt[3],CRH_BYTES:64,TR_BYTES:64,C_TILDE_BYTES:48,XOF128:ct,XOF256:St,securityLevel:192}),Vn=Xt({...Vt[5],CRH_BYTES:64,TR_BYTES:64,C_TILDE_BYTES:64,XOF128:ct,XOF256:St,securityLevel:256});var Ut=class{oHash;iHash;blockLen;outputLen;canXOF=!1;finished=!1;destroyed=!1;constructor(t,n){if(xn(t),Q(n,void 0,"key"),this.iHash=t.create(),typeof this.iHash.update!="function")throw new Error("Expected instance of class which extends utils.Hash");this.blockLen=this.iHash.blockLen,this.outputLen=this.iHash.outputLen;let r=this.blockLen,o=new Uint8Array(r);o.set(n.length>r?t.create().update(n).digest():n);for(let c=0;c<o.length;c++)o[c]^=54;this.iHash.update(o),this.oHash=t.create();for(let c=0;c<o.length;c++)o[c]^=106;this.oHash.update(o),Ee(o)}update(t){return He(this),this.iHash.update(t),this}digestInto(t){He(this),et(t,this),this.finished=!0;let n=t.subarray(0,this.outputLen);this.iHash.digestInto(n),this.oHash.update(n),this.oHash.digestInto(n),this.destroy()}digest(){let t=new Uint8Array(this.oHash.outputLen);return this.digestInto(t),t}_cloneInto(t){t||=Object.create(Object.getPrototypeOf(this),{});let{oHash:n,iHash:r,finished:o,destroyed:c,blockLen:s,outputLen:i}=this;return t=t,t.finished=o,t.destroyed=c,t.blockLen=s,t.outputLen=i,t.oHash=n._cloneInto(t.oHash),t.iHash=r._cloneInto(t.iHash),t}clone(){return this._cloneInto()}destroy(){this.destroyed=!0,this.oHash.destroy(),this.iHash.destroy()}},Xn=(()=>{let e=((t,n,r)=>new Ut(t,n).update(r).digest());return e.create=(t,n)=>new Ut(t,n),e})();function Yn(e,t,n){return e&t^~e&n}function Zn(e,t,n){return e&t^e&n^t&n}var bt=class{blockLen;outputLen;canXOF=!1;padOffset;isLE;buffer;view;finished=!1;length=0;pos=0;destroyed=!1;constructor(t,n,r,o){this.blockLen=t,this.outputLen=n,this.padOffset=r,this.isLE=o,this.buffer=new Uint8Array(t),this.view=Xe(this.buffer)}update(t){He(this),Q(t);let{view:n,buffer:r,blockLen:o}=this,c=t.length;for(let s=0;s<c;){let i=Math.min(o-this.pos,c-s);if(i===o){let a=Xe(t);for(;o<=c-s;s+=o)this.process(a,s);continue}r.set(t.subarray(s,s+i),this.pos),this.pos+=i,s+=i,this.pos===o&&(this.process(n,0),this.pos=0)}return this.length+=t.length,this.roundClean(),this}digestInto(t){He(this),et(t,this),this.finished=!0;let{buffer:n,view:r,blockLen:o,isLE:c}=this,{pos:s}=this;n[s++]=128,Ee(this.buffer.subarray(s)),this.padOffset>o-s&&(this.process(r,0),s=0);for(let y=s;y<o;y++)n[y]=0;r.setBigUint64(o-8,BigInt(this.length*8),c),this.process(r,0);let i=Xe(t),a=this.outputLen;if(a%4)throw new Error("_sha2: outputLen must be aligned to 32bit");let w=a/4,h=this.get();if(w>h.length)throw new Error("_sha2: outputLen bigger than state");for(let y=0;y<w;y++)i.setUint32(4*y,h[y],c)}digest(){let{buffer:t,outputLen:n}=this;this.digestInto(t);let r=t.slice(0,n);return this.destroy(),r}_cloneInto(t){t||=new this.constructor,t.set(...this.get());let{blockLen:n,buffer:r,length:o,finished:c,destroyed:s,pos:i}=this;return t.destroyed=s,t.finished=c,t.length=o,t.pos=i,o%n&&t.buffer.set(r),t}clone(){return this._cloneInto()}},Re=Uint32Array.from([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]);var ae=Uint32Array.from([1779033703,4089235720,3144134277,2227873595,1013904242,4271175723,2773480762,1595750129,1359893119,2917565137,2600822924,725511199,528734635,4215389547,1541459225,327033209]);var Gr=Uint32Array.from([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),je=new Uint32Array(64),Yt=class extends bt{constructor(t){super(64,t,8,!1)}get(){let{A:t,B:n,C:r,D:o,E:c,F:s,G:i,H:a}=this;return[t,n,r,o,c,s,i,a]}set(t,n,r,o,c,s,i,a){this.A=t|0,this.B=n|0,this.C=r|0,this.D=o|0,this.E=c|0,this.F=s|0,this.G=i|0,this.H=a|0}process(t,n){for(let y=0;y<16;y++,n+=4)je[y]=t.getUint32(n,!1);for(let y=16;y<64;y++){let _=je[y-15],k=je[y-2],O=ke(_,7)^ke(_,18)^_>>>3,E=ke(k,17)^ke(k,19)^k>>>10;je[y]=E+je[y-7]+O+je[y-16]|0}let{A:r,B:o,C:c,D:s,E:i,F:a,G:w,H:h}=this;for(let y=0;y<64;y++){let _=ke(i,6)^ke(i,11)^ke(i,25),k=h+_+Yn(i,a,w)+Gr[y]+je[y]|0,E=(ke(r,2)^ke(r,13)^ke(r,22))+Zn(r,o,c)|0;h=w,w=a,a=i,i=s+k|0,s=c,c=o,o=r,r=k+E|0}r=r+this.A|0,o=o+this.B|0,c=c+this.C|0,s=s+this.D|0,i=i+this.E|0,a=a+this.F|0,w=w+this.G|0,h=h+this.H|0,this.set(r,o,c,s,i,a,w,h)}roundClean(){Ee(je)}destroy(){this.destroyed=!0,this.set(0,0,0,0,0,0,0,0),Ee(this.buffer)}},Zt=class extends Yt{A=Re[0]|0;B=Re[1]|0;C=Re[2]|0;D=Re[3]|0;E=Re[4]|0;F=Re[5]|0;G=Re[6]|0;H=Re[7]|0;constructor(){super(32)}};var qn=kt(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c471b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map(e=>BigInt(e))),zr=qn[0],Wr=qn[1],ve=new Uint32Array(80),De=new Uint32Array(80),qt=class extends bt{constructor(t){super(128,t,16,!1)}get(){let{Ah:t,Al:n,Bh:r,Bl:o,Ch:c,Cl:s,Dh:i,Dl:a,Eh:w,El:h,Fh:y,Fl:_,Gh:k,Gl:O,Hh:E,Hl:U}=this;return[t,n,r,o,c,s,i,a,w,h,y,_,k,O,E,U]}set(t,n,r,o,c,s,i,a,w,h,y,_,k,O,E,U){this.Ah=t|0,this.Al=n|0,this.Bh=r|0,this.Bl=o|0,this.Ch=c|0,this.Cl=s|0,this.Dh=i|0,this.Dl=a|0,this.Eh=w|0,this.El=h|0,this.Fh=y|0,this.Fl=_|0,this.Gh=k|0,this.Gl=O|0,this.Hh=E|0,this.Hl=U|0}process(t,n){for(let l=0;l<16;l++,n+=4)ve[l]=t.getUint32(n),De[l]=t.getUint32(n+=4);for(let l=16;l<80;l++){let I=ve[l-15]|0,F=De[l-15]|0,P=We(I,F,1)^We(I,F,8)^Mt(I,F,7),v=$e(I,F,1)^$e(I,F,8)^Kt(I,F,7),K=ve[l-2]|0,g=De[l-2]|0,M=We(K,g,19)^ut(K,g,61)^Mt(K,g,6),J=$e(K,g,19)^dt(K,g,61)^Kt(K,g,6),$=un(v,J,De[l-7],De[l-16]),fe=dn($,P,M,ve[l-7],ve[l-16]);ve[l]=fe|0,De[l]=$|0}let{Ah:r,Al:o,Bh:c,Bl:s,Ch:i,Cl:a,Dh:w,Dl:h,Eh:y,El:_,Fh:k,Fl:O,Gh:E,Gl:U,Hh:N,Hl:b}=this;for(let l=0;l<80;l++){let I=We(y,_,14)^We(y,_,18)^ut(y,_,41),F=$e(y,_,14)^$e(y,_,18)^dt(y,_,41),P=y&k^~y&E,v=_&O^~_&U,K=ln(b,F,v,Wr[l],De[l]),g=hn(K,N,I,P,zr[l],ve[l]),M=K|0,J=We(r,o,28)^ut(r,o,34)^ut(r,o,39),$=$e(r,o,28)^dt(r,o,34)^dt(r,o,39),fe=r&c^r&i^c&i,Ae=o&s^o&a^s&a;N=E|0,b=U|0,E=k|0,U=O|0,k=y|0,O=_|0,{h:y,l:_}=Be(w|0,h|0,g|0,M|0),w=i|0,h=a|0,i=c|0,a=s|0,c=r|0,s=o|0;let pe=an(M,$,Ae);r=fn(pe,g,J,fe),o=pe|0}({h:r,l:o}=Be(this.Ah|0,this.Al|0,r|0,o|0)),{h:c,l:s}=Be(this.Bh|0,this.Bl|0,c|0,s|0),{h:i,l:a}=Be(this.Ch|0,this.Cl|0,i|0,a|0),{h:w,l:h}=Be(this.Dh|0,this.Dl|0,w|0,h|0),{h:y,l:_}=Be(this.Eh|0,this.El|0,y|0,_|0),{h:k,l:O}=Be(this.Fh|0,this.Fl|0,k|0,O|0),{h:E,l:U}=Be(this.Gh|0,this.Gl|0,E|0,U|0),{h:N,l:b}=Be(this.Hh|0,this.Hl|0,N|0,b|0),this.set(r,o,c,s,i,a,w,h,y,_,k,O,E,U,N,b)}roundClean(){Ee(ve,De)}destroy(){this.destroyed=!0,Ee(this.buffer),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}},Qt=class extends qt{Ah=ae[0]|0;Al=ae[1]|0;Bh=ae[2]|0;Bl=ae[3]|0;Ch=ae[4]|0;Cl=ae[5]|0;Dh=ae[6]|0;Dl=ae[7]|0;Eh=ae[8]|0;El=ae[9]|0;Fh=ae[10]|0;Fl=ae[11]|0;Gh=ae[12]|0;Gl=ae[13]|0;Hh=ae[14]|0;Hl=ae[15]|0;constructor(){super(64)}};var Ct=nt(()=>new Zt,Fe(1));var Qn=nt(()=>new Qt,Fe(3));var it=Object.freeze({"128f":Object.freeze({W:16,N:16,H:66,D:22,K:33,A:6,securityLevel:128}),"128s":Object.freeze({W:16,N:16,H:63,D:7,K:14,A:12,securityLevel:128}),"192f":Object.freeze({W:16,N:24,H:66,D:22,K:33,A:8,securityLevel:192}),"192s":Object.freeze({W:16,N:24,H:63,D:7,K:17,A:14,securityLevel:192}),"256f":Object.freeze({W:16,N:32,H:68,D:17,K:35,A:9,securityLevel:256}),"256s":Object.freeze({W:16,N:32,H:64,D:8,K:22,A:14,securityLevel:256})}),he={WOTS:0,WOTSPK:1,HASHTREE:2,FORSTREE:3,FORSPK:4,WOTSPRF:5,FORSPRF:6};function $r(e){if(typeof e!="string")throw new Error("hex string expected, got "+typeof e);return BigInt(e===""?"0":"0x"+e)}function Jn(e){return $r(gn(e))}function Vr(e,t){return wn(e.toString(16).padStart(t*2,"0"))}var Jt=(e,t)=>{let n=qe(t);return r=>{let o=new Uint32Array(e);for(let c=0,s=0,i=0,a=0;c<e;c++){for(;i<t;)a=a<<8|r[s++],i+=8;i-=t,o[c]=a>>>i&n}return o}};function en(e){return(1n<<BigInt(e))-1n}function at(e,t){let n=t,{N:r,W:o,H:c,D:s,K:i,A:a,securityLevel:w}=e,h=n.getContext(e);if(o!==16)throw new Error("Unsupported Winternitz parameter");let y=4,_=Math.floor(8*r/y),k=r<=8?2:r<=136?3:4,O=Math.floor(c/s),E=_+k,U=22,N=0,b=1,l=9,I=12,F=13,P=17,v=18,K=21;n.isCompressed||(U=32,N+=3,b+=7,l+=10,I+=10,F+=10,P+=10,v+=10,K+=10);let g=(u,f=new Uint8Array(U))=>{let{type:A,height:d,tree:B,layer:H,index:R,chain:C,hash:G,keypair:S}=u,{subtreeAddr:j,keypairAddr:D}=u,ee=Xe(f);return d!==void 0&&(f[P]=d),H!==void 0&&(f[N]=H),A!==void 0&&(f[l]=A),C!==void 0&&(f[P]=C),G!==void 0&&(f[K]=G),R!==void 0&&ee.setUint32(v,R,!1),j&&f.set(j.subarray(0,b+8)),B!==void 0&&ee.setBigUint64(b,B,!1),S!==void 0&&(f[F]=S,O>8&&(f[I]=S>>>8)),D&&(f.set(D.subarray(0,b+8)),f[F]=D[F],O>8&&(f[I]=D[I])),f},M=Jt(k,y),J=u=>{let f=Jt(_,y)(u),A=0;for(let H=0;H<f.length;H++)A+=o-1-f[H];A<<=(8-k*y%8)%8;let d=M(Vr(A,Math.ceil(k*y/8))),B=new Uint32Array(E);return B.set(f),B.set(d,f.length),B},$=Jt(i,a),fe=O*(s-1),Ae=O,pe=ce("hashedMessage",Math.ceil(a*i/8),Math.ceil(fe/8),Math.ceil(O/8)),Ge=(u,f,A,d)=>{let H=d.Hmsg(u,f,A,pe.bytesLen),[R,C,G]=pe.decode(H),S=Jn(C)&en(fe),j=Number(Jn(G))&qe(Ae);return{tree:S,leafIdx:j,md:R}},ft=(u,f)=>function(d,B,H,R,C){let G=d,S=f,j=(1<<u)-1,D=new Uint8Array(u*r),ee=new Uint8Array(u*r);for(let m=0;;m++){let X=new Uint8Array(2*r),q=X.subarray(0,r),Y=X.subarray(r),oe=m+H;Y.set(S(B,oe,G,C));let te=0;for(let de=m,Te=H,_e=B;;te++,de>>>=1,_e>>>=1,Te>>>=1){if(te===u)return{root:Y,authPath:ee};if((de^_e)===1&&ee.subarray(te*r).set(Y),(de&1)===0&&m<j)break;g({height:te+1,index:(de>>1)+(Te>>1)},R),q.set(D.subarray(te*r).subarray(0,r)),Y.set(G.thashN(2,X,R))}D.subarray(te*r).set(Y)}throw new Error("Unreachable code path reached, report this error")},gt=ft(O,(u,f,A,d)=>{let B=A,H=new Uint8Array(E*r),R=f===u?0:-1>>>0;g({keypair:f},d.leafAddr),g({keypair:f},d.pkAddr);for(let C=0;C<E;C++){let G=d.wotsSteps[C]|R,S=H.subarray(C*r,(C+1)*r);g({chain:C,hash:0,type:he.WOTSPRF},d.leafAddr),S.set(B.PRFaddr(d.leafAddr)),g({type:he.WOTS},d.leafAddr);for(let j=0;j===G&&d.wotsSig.subarray(C*r).set(S),j!==o-1;j++)g({hash:j},d.leafAddr),S.set(B.thash1(S,d.leafAddr))}return B.thashN(E,H,d.pkAddr)}),wt=ft(a,(u,f,A,d)=>{let B=A;g({type:he.FORSPRF,index:f},d);let H=B.PRFaddr(d);return g({type:he.FORSTREE},d),B.thash1(H,d)}),mt=(u,f,A,d,B=new Uint8Array(r))=>{g({type:he.HASHTREE},A);let H={wotsSig:new Uint8Array(L.bytesLen),wotsSteps:J(B),leafAddr:g({subtreeAddr:f}),pkAddr:g({type:he.WOTSPK,subtreeAddr:f})},{root:R,authPath:C}=gt(u,d,0,A,H);return{root:R,sigWots:H.wotsSig.subarray(0,E*r),sigAuth:C}},At=(u,f,A,d,B,H,R)=>{let C=H,G=new Uint8Array(2*r),S=G.subarray(0,r),j=G.subarray(r,2*r);(f&1)!==0?(j.set(u.subarray(0,r)),S.set(d.subarray(0,r))):(S.set(u.subarray(0,r)),j.set(d.subarray(0,r))),f>>>=1,A>>>=1;for(let D=0;D<B-1;D++,f>>=1,A>>=1){g({height:D+1,index:f+A},R);let ee=d.subarray((D+1)*r,(D+2)*r);(f&1)!==0?(j.set(C.thashN(2,G,R)),S.set(ee)):(G.set(C.thashN(2,G,R)),j.set(ee))}return g({height:B,index:f+A},R),C.thashN(2,G,R)},ze=ce("seed",r,r,r),Ue=ce("publicKey",r,r),ue=ce("secretKey",r,r,Ue.bytesLen),p=ge(ce("fors",r,r*a),i),L=ge(ce("wots",E*r,O*r),s),T=ce("signature",r,p,L),x=Object.freeze({info:Object.freeze({type:"internal-slh-dsa"}),lengths:Object.freeze({publicKey:Ue.bytesLen,secretKey:ue.bytesLen,signature:T.bytesLen,seed:ze.bytesLen,signRand:r}),keygen(u){u!==void 0&&be(u,ze.bytesLen,"seed"),u=u===void 0?Se(ze.bytesLen):rt(u);let[f,A,d]=ze.decode(u),B=h(d,f),H=g({layer:s-1}),R=g({layer:s-1}),{root:C}=mt(B,R,H,-1>>>0),G=Ue.encode([d,C]),S=ue.encode([f,A,G]);return B.clean(),V(f,A,C,R,H),{publicKey:G,secretKey:S}},getPublicKey:u=>{let[f,A,d]=ue.decode(u);return Uint8Array.from(d)},sign:(u,f,A={})=>{Ne(A);let{extraEntropy:d}=A,[B,H,R]=ue.decode(f),[C,G]=Ue.decode(R);d===!1?d=rt(C):d===void 0?d=Se(r):d=rt(d),be(d,r);let S=h(C,B),j=S.PRFmsg(H,d,u),{tree:D,leafIdx:ee,md:m}=Ge(j,R,u,S),X=g({type:he.WOTS,tree:D,keypair:ee}),q=[],Y=g({keypairAddr:X}),oe=g({keypairAddr:X}),te=$(m),de=[];for(let ne=0;ne<te.length;ne++){let ie=ne<<a;g({type:he.FORSPRF,height:0,index:te[ne]+ie},oe);let xe=S.PRFaddr(oe);g({type:he.FORSTREE},oe);let{root:Le,authPath:Tt}=wt(S,te[ne],ie,oe,Y);q.push(Le),de.push([xe,Tt])}let Te=g({type:he.FORSPK,keypairAddr:X}),_e=S.thashN(i,Ye(...q),Te),se=g({type:he.HASHTREE}),Ce=[];for(let ne=0;ne<s;ne++,D>>=BigInt(O)){g({tree:D,layer:ne},se),g({subtreeAddr:se,keypair:ee},X);let{sigWots:ie,sigAuth:xe,root:Le}=mt(S,X,se,ee,_e);_e.set(Le),V(Le),Ce.push([ie,xe]),ee=Number(D&en(O))}S.clean();let z=T.encode([j,de,Ce]);return V(j,d,se,X,Y,oe,te,q),z},verify:(u,f,A)=>{let[d,B]=Ue.decode(A),[H,R,C]=T.decode(u),G=A;if(u.length!==T.bytesLen)return!1;let S=h(d),{tree:j,leafIdx:D,md:ee}=Ge(H,G,f,S),m=g({type:he.WOTS,tree:j,keypair:D}),X=[],q=g({type:he.FORSTREE,keypairAddr:m}),Y=$(ee);for(let se=0;se<R.length;se++){let[Ce,z]=R[se],ne=se<<a;g({height:0,index:Y[se]+ne},q);let ie=S.thash1(Ce,q);X.push(At(ie,Y[se],ne,z,a,S,q))}let oe=g({type:he.FORSPK,keypairAddr:m}),te=S.thashN(i,Ye(...X),oe),de=g({type:he.HASHTREE}),Te=g({type:he.WOTSPK}),_e=new Uint8Array(E*r);for(let se=0;se<C.length;se++,j>>=BigInt(O)){let[Ce,z]=C[se];g({tree:j,layer:se},de),g({subtreeAddr:de,keypair:D},m),g({keypairAddr:m},Te);let ne=J(te);for(let xe=0;xe<E;xe++){g({chain:xe},m);let Le=o-1-ne[xe],Tt=ne[xe],Ft=_e.subarray(xe*r);Ft.set(Ce.subarray(xe*r,(xe+1)*r));for(let Et=Tt;Et<Tt+Le&&Et<o;Et++)g({hash:Et},m),Ft.set(S.thash1(Ft,m))}let ie=S.thashN(E,_e,Te);te=At(ie,D,0,z,O,S,de),D=Number(j&en(O))}return Ie(te,B)}});return Object.freeze({info:Object.freeze({type:"slh-dsa"}),internal:x,securityLevel:w,lengths:x.lengths,keygen:x.keygen,getPublicKey:x.getPublicKey,sign:(u,f,A={})=>{Ne(A);let d=ot(u,A.context),B=x.sign(d,f,A);return V(d),B},verify:(u,f,A,d={})=>(Ze(d),x.verify(u,ot(f,d.context),A)),prehash:u=>{Ot(u,w);let f=u;return Object.freeze({info:Object.freeze({type:"hashslh-dsa"}),lengths:x.lengths,keygen:x.keygen,getPublicKey:x.getPublicKey,sign:(A,d,B={})=>{Ne(B);let H=st(f,A,B.context),R=x.sign(H,d,B);return V(H),R},verify:(A,d,B,H={})=>(Ze(H),x.verify(A,st(f,d,H.context),B))})}})}var Xr=()=>e=>(t,n)=>{let{N:r}=e,o={prf:0,thash:0,hmsg:0,gen_message_random:0},c=re.create({}).update(t),s=c.clone(),i=(a,w,h)=>(o.thash++,c._cloneInto(s).update(h).update(w.subarray(0,a*r)).xof(r));return{PRFaddr:a=>{if(!n)throw new Error("no sk seed");return o.prf++,c._cloneInto(s).update(a).update(n).xof(r)},PRFmsg:(a,w,h)=>(o.gen_message_random++,re.create({}).update(a).update(w).update(h).digest().subarray(0,r)),Hmsg:(a,w,h,y)=>(o.hmsg++,re.create({}).update(a.subarray(0,r)).update(w).update(h).xof(y)),thash1:i.bind(null,1),thashN:i,clean:()=>{c.destroy(),s.destroy()}}},tn={getContext:Xr()},er=at(it["128f"],tn);var tr=at(it["192f"],tn);var nr=at(it["256f"],tn);var rr=(e,t)=>n=>(r,o)=>{let{N:c}=n,s={prf:0,thash:0,hmsg:0,gen_message_random:0,mgf1:0},i=new Uint8Array(4),a=Xe(i),w=e.create().update(r).update(new Uint8Array(e.blockLen-c)),h=t.create().update(r).update(new Uint8Array(t.blockLen-c)),y=w.clone(),_=h.clone();function k(E,U,N){s.mgf1++;let b=new Uint8Array(Math.ceil(U/N.outputLen)*N.outputLen);if(U>2**32)throw new Error("mask too long");for(let l=0,I=b;I.length;l++)a.setUint32(0,l,!1),N.create().update(E).update(i).digestInto(I),I=I.subarray(N.outputLen);return V(b.subarray(U)),b.subarray(0,U)}let O=(E,U,N)=>(b,l,I)=>(s.thash++,U._cloneInto(N).update(I).update(l.subarray(0,b*c)).digest().subarray(0,c));return{PRFaddr:E=>{if(!o)throw new Error("No sk seed");return s.prf++,w._cloneInto(y).update(E).update(o).digest().subarray(0,c)},PRFmsg:(E,U,N)=>(s.gen_message_random++,Xn.create(t,E).update(U).update(N).digest().subarray(0,c)),Hmsg:(E,U,N,b)=>{s.hmsg++;let l=Ye(E.subarray(0,c),U.subarray(0,c),t.create().update(E.subarray(0,c)).update(U).update(N).digest());return k(l,b,t)},thash1:O(e,w,y).bind(null,1),thashN:O(t,h,_),clean:()=>{w.destroy(),h.destroy(),y.destroy(),_.destroy()}}},Yr={isCompressed:!0,getContext:rr(Ct,Ct)},or={isCompressed:!0,getContext:rr(Ct,Qn)},sr=at(it["128f"],Yr);var cr=at(it["192f"],or);var ir=at(it["256f"],or);0&&(module.exports={ml_dsa44,ml_dsa65,ml_dsa87,ml_kem1024,ml_kem512,ml_kem768,slh_dsa_sha2_128f,slh_dsa_sha2_192f,slh_dsa_sha2_256f,slh_dsa_shake_128f,slh_dsa_shake_192f,slh_dsa_shake_256f});
+/*! Bundled license information:
+
+@noble/post-quantum/utils.js:
+@noble/post-quantum/_crystals.js:
+@noble/post-quantum/ml-kem.js:
+@noble/post-quantum/ml-dsa.js:
+@noble/post-quantum/slh-dsa.js:
+  (*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) *)
+
+@noble/curves/utils.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/