@bsv/sdk 1.9.30 → 1.9.31

package/docs/reference/messages.md

@@ -2,6 +2,30 @@
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Variables](#variables)
 
+## Security Considerations for Encrypted Messages
+
+The encrypted message protocol implemented in this SDK derives per-message
+encryption keys deterministically from the parties’ long-term keys and a
+caller-supplied invoice number (BRC-42 style derivation).
+
+This construction does **not** provide the guarantees of a standard
+authenticated key exchange (AKE). In particular:
+
+- **No forward secrecy**: Compromise of a long-term private key compromises
+  all past and future messages derived from it.
+- **No replay protection**: Messages encrypted under the same invoice number
+  and key pair can be replayed.
+- **Potential identity misbinding**: Public keys alone do not guarantee peer
+  identity without additional authentication or identity verification.
+
+This protocol is intended for lightweight, deterministic messaging between
+parties that already trust each other’s long-term public keys. It SHOULD NOT
+be used for high-security or high-value communications without additional
+protocol-layer protections.
+
+Applications requiring strong authentication, replay protection, or forward
+secrecy should use a formally analyzed protocol such as X3DH, Noise, or SIGMA.
+
 ## Interfaces
 
 ## Classes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.9.30",
+  "version": "1.9.31",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",
@@ -221,7 +221,8 @@
     "prepublish": "npm run build",
     "doc": "ts2md",
     "docs:serve": "mkdocs serve",
-    "docs:build": "mkdocs build"
+    "docs:build": "mkdocs build",
+    "test:ci": "npm run build && jest --forceExit"
   },
   "repository": {
     "type": "git",

package/src/messages/EncryptedMessage.ts

@@ -14,6 +14,25 @@ const VERSION = '42421033'
  *
  * @returns The encrypted message
  */
+/**
+ * SECURITY NOTE – NON-AUTHENTICATED KEY EXCHANGE
+ *
+ * This encrypted message protocol does NOT implement a formally authenticated
+ * key exchange (AKE). Session keys are deterministically derived from long-term
+ * identity keys and a sender-chosen invoice value.
+ *
+ * As a result, this protocol does NOT provide:
+ *  - Forward secrecy
+ *  - Replay protection
+ *  - Explicit authentication of peer identity
+ *
+ * This scheme SHOULD NOT be used for high-value, long-lived, or sensitive
+ * communications. It is intended for lightweight messaging where both parties
+ * already possess each other's long-term public keys and accept these risks.
+ *
+ * Future versions may introduce a protocol upgrade based on a standard AKE
+ * (e.g. X3DH, Noise, or SIGMA).
+ */
 export const encrypt = (
   message: number[],
   sender: PrivateKey,

package/src/primitives/AESGCM.ts

@@ -1,5 +1,31 @@
-
 // @ts-nocheck
+
+// NOTE:
+// Table-based AES is intentionally retained for performance.
+// JavaScript runtimes (JIT, GC, speculative execution) cannot provide
+// strong constant-time guarantees, and arithmetic-only AES implementations
+// cause catastrophic performance degradation in practice.
+//
+// This implementation therefore prioritizes correctness, performance,
+// and compatibility over attempting misleading "constant-time" behavior.
+//
+// Applications requiring strict side-channel resistance SHOULD use
+// platform-native crypto APIs (e.g. WebCrypto) or audited native libraries.
+/**
+ * SECURITY DISCLAIMER – AES-GCM IMPLEMENTATION
+ *
+ * This module provides a self-contained AES-GCM implementation intended for
+ * functional correctness and portability with minimal dependencies.
+ *
+ * While efforts are made to reduce timing side-channel leakage (e.g. avoiding
+ * secret-dependent branches in GHASH), JavaScript does not guarantee
+ * constant-time execution. As such, this implementation should not be used in
+ * environments where attackers can reliably measure fine-grained execution
+ * timing (e.g. shared hosts, co-resident VMs, or untrusted browser contexts).
+ *
+ * For high-assurance cryptographic use cases, prefer platform-provided
+ * WebCrypto APIs or well-audited constant-time libraries.
+ */
 const SBox = new Uint8Array([
   0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
   0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
@@ -18,6 +44,7 @@ const SBox = new Uint8Array([
   0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
   0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
 ])
+
 const Rcon = [
   [0x00, 0x00, 0x00, 0x00], [0x01, 0x00, 0x00, 0x00], [0x02, 0x00, 0x00, 0x00], [0x04, 0x00, 0x00, 0x00],
   [0x08, 0x00, 0x00, 0x00], [0x10, 0x00, 0x00, 0x00], [0x20, 0x00, 0x00, 0x00], [0x40, 0x00, 0x00, 0x00],
@@ -32,6 +59,20 @@ for (let i = 0; i < 256; i++) {
   mul3[i] = m2 ^ i
 }
 
+function mixColumnsFast (state: number[][]): void {
+  for (let c = 0; c < 4; c++) {
+    const s0 = state[0][c]
+    const s1 = state[1][c]
+    const s2 = state[2][c]
+    const s3 = state[3][c]
+
+    state[0][c] = mul2[s0] ^ mul3[s1] ^ s2 ^ s3
+    state[1][c] = s0 ^ mul2[s1] ^ mul3[s2] ^ s3
+    state[2][c] = s0 ^ s1 ^ mul2[s2] ^ mul3[s3]
+    state[3][c] = mul3[s0] ^ s1 ^ s2 ^ mul2[s3]
+  }
+}
+
 function addRoundKey (
   state: number[][],
   roundKeyArray: number[][],
@@ -89,20 +130,6 @@ function shiftRows (state: number[][]): void {
   state[3][0] = tmp
 }
 
-function mixColumns (state: number[][]): void {
-  for (let c = 0; c < 4; c++) {
-    const s0 = state[0][c]
-    const s1 = state[1][c]
-    const s2 = state[2][c]
-    const s3 = state[3][c]
-
-    state[0][c] = mul2[s0] ^ mul3[s1] ^ s2 ^ s3
-    state[1][c] = s0 ^ mul2[s1] ^ mul3[s2] ^ s3
-    state[2][c] = s0 ^ s1 ^ mul2[s2] ^ mul3[s3]
-    state[3][c] = mul3[s0] ^ s1 ^ s2 ^ mul2[s3]
-  }
-}
-
 function keyExpansion (roundLimit: number, key: number[]): number[][] {
   const nK = key.length / 4
   const result: number[][] = []
@@ -170,7 +197,7 @@ export function AES (input: number[], key: number[]): number[] {
     shiftRows(state)
 
     if (round + 1 < roundLimit) {
-      mixColumns(state)
+      mixColumnsFast(state)
     }
 
     addRoundKey(state, w, round * 4)
@@ -258,12 +285,6 @@ export const exclusiveOR = function (block0: Bytes, block1: Bytes): Bytes {
   return result
 }
 
-const xorInto = function (target: Bytes, block: Bytes): void {
-  for (let i = 0; i < target.length; i++) {
-    target[i] ^= block[i] ?? 0
-  }
-}
-
 export const rightShift = function (block: Bytes): Bytes {
   let carry = 0
   let oldCarry = 0
@@ -281,25 +302,48 @@ export const rightShift = function (block: Bytes): Bytes {
   return block
 }
 
+/**
+ * SECURITY NOTE – TIMING SIDE-CHANNEL MITIGATION
+ *
+ * This GHASH multiplication implementation avoids data-dependent conditional
+ * branches by using mask-based operations instead. This reduces timing
+ * side-channel leakage compared to a naive implementation that branches on
+ * secret bits.
+ *
+ * IMPORTANT: JavaScript and TypedArray operations do NOT provide constant-time
+ * execution guarantees. While this implementation mitigates obvious control-
+ * flow timing leaks, it must not be considered constant-time in a strict
+ * cryptographic sense and is not suitable for hostile shared-CPU or
+ * multi-tenant environments.
+ *
+ * Applications requiring strict constant-time AES-GCM SHOULD use a dedicated,
+ * audited cryptographic library (e.g. noble-ciphers, WebCrypto, or BearSSL
+ * bindings).
+ */
 export const multiply = function (block0: Bytes, block1: Bytes): Bytes {
   const v = block1.slice()
   const z = createZeroBlock(16)
 
   for (let i = 0; i < 16; i++) {
+    const b = block0[i]
     for (let j = 7; j >= 0; j--) {
-      if ((block0[i] & (1 << j)) !== 0) {
-        xorInto(z, v)
+      // mask = 0xff if bit is set, 0x00 otherwise
+      const bit = (b >> j) & 1
+      const mask = -bit & 0xff
+      // z ^= v & mask
+      for (let k = 0; k < 16; k++) {
+        z[k] ^= v[k] & mask
       }
-
-      if ((v[15] & 1) !== 0) {
-        rightShift(v)
-        xorInto(v, R)
-      } else {
-        rightShift(v)
+      // compute reduction mask
+      const lsb = v[15] & 1
+      const rmask = -lsb & 0xff
+      rightShift(v)
+      // v ^= R & rmask
+      for (let k = 0; k < 16; k++) {
+        v[k] ^= R[k] & rmask
       }
     }
   }
-
   return z
 }
 
@@ -307,15 +351,12 @@ export const incrementLeastSignificantThirtyTwoBits = function (
   block: Bytes
 ): Bytes {
   const result = block.slice()
-
   for (let i = 15; i > 11; i--) {
     result[i] = (result[i] + 1) & 0xff // wrap explicitly
-
     if (result[i] !== 0) {
       break
     }
   }
-
   return result
 }
 

package/src/primitives/PrivateKey.ts

@@ -355,6 +355,33 @@ export default class PrivateKey extends BigNumber {
     return key.mulCT(this)
   }
 
+  /**
+   * SECURITY NOTE – DETERMINISTIC CHILD KEY DERIVATION
+   *
+   * This method derives child private keys deterministically from the caller’s
+   * long-term private key, the counterparty’s public key, and a caller-supplied
+   * invoice number using HMAC over an ECDH shared secret (BRC-42 style derivation).
+   *
+   * This construction does NOT implement a formally authenticated key exchange
+   * (AKE) and does NOT provide the following security properties:
+   *
+   *  - Forward secrecy: Compromise of a long-term private key compromises all
+   *    past and future child keys derived from it.
+   *  - Replay protection: Child keys are deterministic for a given invoice
+   *    number and key pair; previously observed messages can be replayed.
+   *  - Explicit authentication / identity binding: Possession of a public key
+   *    alone does not guarantee the intended peer identity, enabling potential
+   *    identity misbinding attacks if higher-level identity verification is absent.
+   *
+   * This derivation is intended for lightweight, deterministic key hierarchies
+   * where both parties already possess and trust each other’s long-term public
+   * keys. It SHOULD NOT be used as a drop-in replacement for a standard
+   * authenticated key exchange (e.g. X3DH, Noise, or SIGMA) in high-security or
+   * high-value contexts.
+   *
+   * Any future protocol providing forward secrecy, replay protection, or strong
+   * peer authentication will require a versioned, breaking change.
+   */
   /**
    * Derives a child key with BRC-42.
    * @param publicKey The public key of the other party

package/src/primitives/__tests/AESGCM.test.ts

@@ -598,3 +598,34 @@ describe('AESGCM large input (non-mocked)', () => {
     expectUint8ArrayEqual(decryptedBytes, plaintext)
   })
 })
+
+describe('multiply reduction edge cases', () => {
+  it('applies reduction polynomial when LSB carry is set', () => {
+    // Force reduction path by setting v[15] LSB = 1
+    const a = new Uint8Array(16)
+    a[0] = 0x01
+
+    const b = new Uint8Array(16)
+    b[15] = 0x01
+
+    const out = multiply(a, b)
+
+    // We don't assert a magic value — we assert that output is non-zero
+    // and stable across runs (reduction happened)
+    expect(out.some(v => v !== 0)).toBe(true)
+  })
+
+  it('does not reduce when LSB carry is zero', () => {
+    const a = new Uint8Array(16)
+    a[0] = 0x01
+
+    const b = new Uint8Array(16)
+    b[15] = 0x00
+
+    const out = multiply(a, b)
+
+    expect(out.some(v => v !== 0)).toBe(false)
+  })
+})
+
+