@cardanowall/crypto-core 0.0.0

package/dist/sealed-poe.cjs

@@ -0,0 +1,851 @@
+'use strict';
+
+var utils_js = require('@noble/ciphers/utils.js');
+var hmac_js = require('@noble/hashes/hmac.js');
+var sha2_js = require('@noble/hashes/sha2.js');
+var chacha_js = require('@noble/ciphers/chacha.js');
+var hkdf_js = require('@noble/hashes/hkdf.js');
+var hybrid_js = require('@noble/post-quantum/hybrid.js');
+var ed25519_js = require('@noble/curves/ed25519.js');
+var cbor2 = require('cbor2');
+var sorts = require('cbor2/sorts');
+
+// src/sealed-poe/wrap.ts
+
+// src/aead/errors.ts
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+
+// src/aead/chacha20-poly1305.ts
+function chacha20Poly1305Encrypt(opts) {
+  return chacha_js.chacha20poly1305(opts.key, opts.nonce, opts.aad).encrypt(opts.plaintext);
+}
+function chacha20Poly1305Decrypt(opts) {
+  try {
+    return chacha_js.chacha20poly1305(opts.key, opts.nonce, opts.aad).decrypt(opts.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function xchacha20Poly1305Encrypt(opts) {
+  return chacha_js.xchacha20poly1305(opts.key, opts.nonce, opts.aad).encrypt(opts.plaintext);
+}
+function xchacha20Poly1305Decrypt(opts) {
+  try {
+    return chacha_js.xchacha20poly1305(opts.key, opts.nonce, opts.aad).decrypt(opts.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function hkdfSha256(opts) {
+  return hkdf_js.hkdf(sha2_js.sha256, opts.ikm, opts.salt, opts.info, opts.length);
+}
+var MLKEM768X25519_PUBLIC_KEY_LENGTH = 1216;
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SEED_LENGTH = 32;
+var MLKEM768X25519_ESEED_LENGTH = 64;
+function mlkem768x25519Encapsulate(opts) {
+  if (opts.publicKey.length !== MLKEM768X25519_PUBLIC_KEY_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 public key must be ${MLKEM768X25519_PUBLIC_KEY_LENGTH} bytes, got ${opts.publicKey.length}`
+    );
+  }
+  if (opts.eseed !== void 0 && opts.eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 eseed must be ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${opts.eseed.length}`
+    );
+  }
+  const { cipherText, sharedSecret } = hybrid_js.XWing.encapsulate(opts.publicKey, opts.eseed);
+  return { enc: cipherText, ss: sharedSecret };
+}
+function mlkem768x25519Decapsulate(opts) {
+  if (opts.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts.secretSeed.length}`
+    );
+  }
+  if (opts.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts.enc.length}`
+    );
+  }
+  return hybrid_js.XWing.decapsulate(opts.enc, opts.secretSeed);
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
+  }
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts) {
+  return ed25519_js.x25519.getPublicKey(opts.secretKey);
+}
+function x25519Ecdh(opts) {
+  try {
+    return ed25519_js.x25519.getSharedSecret(opts.secretKey, opts.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+
+// src/sealed-poe/errors.ts
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
+  }
+};
+function encodeCanonicalCbor(value) {
+  return cbor2.encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sorts.sortCoreDeterministic
+  });
+}
+
+// src/sealed-poe/slots-codec.ts
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function slotsToMacCbor(slots, kem) {
+  let value;
+  if (kem === "x25519") {
+    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  } else {
+    value = slots.map((s) => ({
+      // Canonicalize the chunk boundaries before the MAC commits to them:
+      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
+      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
+      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
+      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
+      // MAC must be invariant to it. Committing to the verbatim wire chunks would
+      // let an attacker re-chunk an honest envelope and break the slots_mac match
+      // for an honest recipient. Honest (already-64B-chunked) records are
+      // unchanged; a real byte flip still changes the reassembled bytes and is
+      // still rejected.
+      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+      wrap: s.wrap
+    }));
+  }
+  return encodeCanonicalCbor(value);
+}
+
+// src/sealed-poe/wrap.ts
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+var EMPTY_SALT = new Uint8Array(0);
+var X25519_PUBLIC_KEY_LENGTH = 32;
+var X25519_SECRET_KEY_LENGTH = 32;
+var CEK_LENGTH = 32;
+var NONCE_LENGTH = 24;
+var WRAP_LENGTH = 48;
+var SLOTS_MAC_LENGTH = 32;
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
+}
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function concat(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function uniformIndexBelow(m) {
+  const limit = 4294967296 - 4294967296 % m;
+  const buf = new Uint32Array(1);
+  let x;
+  do {
+    crypto.getRandomValues(buf);
+    x = buf[0];
+  } while (x >= limit);
+  return x % m;
+}
+function csprngShuffle(arr) {
+  for (let i = arr.length - 1; i > 0; i--) {
+    const j = uniformIndexBelow(i + 1);
+    const tmp = arr[i];
+    arr[i] = arr[j];
+    arr[j] = tmp;
+  }
+}
+function wrapSlotX25519(args) {
+  const privEph = args.privEph ?? utils_js.randomBytes(X25519_SECRET_KEY_LENGTH);
+  if (privEph.length !== X25519_SECRET_KEY_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_EPHEMERAL_SECRET_LENGTH",
+      `ephemeralSecrets[${args.slotIdx}] MUST be exactly ${X25519_SECRET_KEY_LENGTH} bytes, got ${privEph.length}`
+    );
+  }
+  const epk = x25519PublicKey({ secretKey: privEph });
+  const shared = x25519Ecdh({ secretKey: privEph, theirPublicKey: args.pubR });
+  const kek = hkdfSha256({
+    ikm: shared,
+    salt: concat(epk, args.pubR),
+    info: CARDANO_POE_HKDF_INFO_KEK,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { epk, wrap };
+}
+function wrapSlotMlkem768X25519(args) {
+  const { enc, ss } = mlkem768x25519Encapsulate({
+    publicKey: args.pubR,
+    ...args.eseed !== void 0 ? { eseed: args.eseed } : {}
+  });
+  if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(`internal: enc.length=${enc.length}, expected ${MLKEM768X25519_ENC_LENGTH}`);
+  }
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: EMPTY_SALT,
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { kem_ct: chunkKemCt(enc), wrap };
+}
+function eciesSealedPoeWrap(args) {
+  const { plaintext, recipientPublicKeys } = args;
+  const kem = args.kem ?? "x25519";
+  const n = recipientPublicKeys.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_EMPTY",
+      `recipientPublicKeys.length=${n} must be >= 1`
+    );
+  }
+  const expectedPubLen = kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH : MLKEM768X25519_PUBLIC_KEY_LENGTH;
+  for (let i = 0; i < n; i++) {
+    const pub = recipientPublicKeys[i];
+    if (pub === void 0 || pub.length !== expectedPubLen) {
+      throw new EciesSealedPoeError(
+        "KEM_EPK_LENGTH_MISMATCH",
+        `recipientPublicKeys[${i}] MUST be exactly ${expectedPubLen} bytes for kem='${kem}'`
+      );
+    }
+  }
+  if (kem === "x25519") {
+    if (args.eseeds !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "eseeds is an X-Wing (mlkem768x25519) override and MUST NOT be supplied for kem='x25519'"
+      );
+    }
+    if (args.ephemeralSecrets !== void 0 && args.ephemeralSecrets.length !== n) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        `ephemeralSecrets.length=${args.ephemeralSecrets.length} must match recipientPublicKeys.length=${n}`
+      );
+    }
+  } else {
+    if (args.ephemeralSecrets !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "ephemeralSecrets is an X25519 override and MUST NOT be supplied for kem='mlkem768x25519'"
+      );
+    }
+    if (args.eseeds !== void 0) {
+      if (args.eseeds.length !== n) {
+        throw new EciesSealedPoeError(
+          "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+          `eseeds.length=${args.eseeds.length} must match recipientPublicKeys.length=${n}`
+        );
+      }
+      for (let i = 0; i < n; i++) {
+        const eseed = args.eseeds[i];
+        if (eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+          throw new EciesSealedPoeError(
+            "INVALID_EPHEMERAL_SECRET_LENGTH",
+            `eseeds[${i}] MUST be exactly ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${eseed.length}`
+          );
+        }
+      }
+    }
+  }
+  const cek = args.cek ?? utils_js.randomBytes(CEK_LENGTH);
+  const nonce = args.nonce ?? utils_js.randomBytes(NONCE_LENGTH);
+  if (cek.length !== CEK_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_CEK_LENGTH",
+      `cek MUST be exactly ${CEK_LENGTH} bytes, got ${cek.length}`
+    );
+  }
+  if (nonce.length !== NONCE_LENGTH) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `nonce MUST be exactly ${NONCE_LENGTH} bytes, got ${nonce.length}`
+    );
+  }
+  let envelope;
+  if (kem === "x25519") {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotX25519({
+          pubR: recipientPublicKeys[i],
+          privEph: args.ephemeralSecrets ? args.ephemeralSecrets[i] : void 0,
+          cek,
+          slotIdx: i
+        })
+      );
+    }
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
+    }
+    const slotsMac = computeSlotsMac(cek, slots, "x25519");
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce,
+      slots,
+      slots_mac: slotsMac
+    };
+  } else {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotMlkem768X25519({
+          pubR: recipientPublicKeys[i],
+          eseed: args.eseeds ? args.eseeds[i] : void 0,
+          cek
+        })
+      );
+    }
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
+    }
+    const slotsMac = computeSlotsMac(cek, slots, "mlkem768x25519");
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce,
+      slots,
+      slots_mac: slotsMac
+    };
+  }
+  const adContent = concat(nonce, envelope.slots_mac);
+  const ciphertext = xchacha20Poly1305Encrypt({
+    key: cek,
+    nonce,
+    aad: adContent,
+    plaintext
+  });
+  return { envelope, ciphertext };
+}
+function computeSlotsMac(cek, slots, kem) {
+  const hmacKey = hkdfSha256({
+    ikm: cek,
+    salt: EMPTY_SALT,
+    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+    length: 32
+  });
+  const slotsCbor = slotsToMacCbor(slots, kem);
+  const slotsMac = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+  if (slotsMac.length !== SLOTS_MAC_LENGTH) {
+    throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
+  }
+  return slotsMac;
+}
+
+// src/util/compare-ct.ts
+function compareCt(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/sealed-poe/unwrap.ts
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
+}
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
+  }
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
+  }
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+    }
+  }
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
+    }
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
+    }
+  }
+}
+function tryX25519Slot(args) {
+  if (args.liveSlot) {
+    try {
+      const shared = x25519Ecdh({
+        secretKey: args.recipientSecretKey,
+        theirPublicKey: args.slot.epk
+      });
+      const kek = hkdfSha256({
+        ikm: shared,
+        salt: concat2(args.slot.epk, args.pubRLocal),
+        info: CARDANO_POE_HKDF_INFO_KEK,
+        length: 32
+      });
+      return chacha20Poly1305Decrypt({
+        key: kek,
+        nonce: ZERO_NONCE_122,
+        aad: CARDANO_POE_HKDF_INFO_KEK,
+        ciphertext: args.slot.wrap
+      });
+    } catch (e) {
+      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
+        throw e;
+      }
+      return null;
+    }
+  }
+  try {
+    const shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+    hkdfSha256({
+      ikm: shared,
+      salt: concat2(args.slot.epk, args.pubRLocal),
+      info: CARDANO_POE_HKDF_INFO_KEK,
+      length: 32
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  }
+  return null;
+}
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  if (!args.liveSlot) {
+    return null;
+  }
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
+  }
+}
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryX25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        pubRLocal,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      const candidate = tryMlkem768X25519Slot({
+        slot: envelope.slots[i],
+        recipientSecretKey,
+        liveSlot: cek === null
+      });
+      if (cek === null && candidate !== null) {
+        cek = candidate;
+        matchedSlotIdx = i;
+      }
+      if (cek !== null && !constantTimeN) break;
+    }
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+}
+function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+}
+function slotsMacCborBytes(envelope) {
+  return slotsToMacCbor(
+    envelope.slots,
+    envelope.kem
+  );
+}
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
+  }
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
+  }
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+  }
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const cek = tryRecipientUnwrap(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (cek === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const hmacKey = hkdfSha256({
+      ikm: cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = cek;
+  } else {
+    const slotsCbor = slotsMacCborBytes(envelope);
+    const recipientSecretKeys = multiPrivKeys;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
+      }
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
+      }
+      const cek = tryRecipientUnwrap(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+      }
+      if (cek === null) continue;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT2,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+      if (compareCt(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
+      }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
+    }
+  }
+  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  try {
+    const plaintext = xchacha20Poly1305Decrypt({
+      key: matchedCek,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+  }
+}
+function eciesSealedPoeTrialDecrypt(args) {
+  const { envelope } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasBundle = "recipientKeyBundle" in args;
+  const recipientSecretKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : args.recipientSecretKeys;
+  if (recipientSecretKeys.length === 0) {
+    if (hasBundle) {
+      return { kind: "no_aead_pass" };
+    }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
+  }
+  assertEnvelopeStructure(envelope, recipientSecretKeys, void 0);
+  const slotsCbor = slotsMacCborBytes(envelope);
+  let anyCandidateRecovered = false;
+  for (let k = 0; k < recipientSecretKeys.length; k++) {
+    if (args._privsAttemptedOut !== void 0) {
+      args._privsAttemptedOut.count = k + 1;
+    }
+    if (args._slotsAttemptedOut !== void 0) {
+      args._slotsAttemptedOut.count = 0;
+    }
+    const candidate = tryRecipientUnwrapWithIdx(
+      envelope,
+      recipientSecretKeys[k],
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+      args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+    }
+    if (candidate === null) continue;
+    const hmacKey = hkdfSha256({
+      ikm: candidate.cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    if (compareCt(slotsMacCalc, envelope.slots_mac)) {
+      return { kind: "match", slotIdx: candidate.slotIdx, cek: candidate.cek };
+    }
+    anyCandidateRecovered = true;
+  }
+  return anyCandidateRecovered ? { kind: "aead_pass_no_mac_match" } : { kind: "no_aead_pass" };
+}
+
+// src/sealed-poe/envelope-from-parsed.ts
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+    }
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
+}
+
+exports.CARDANO_POE_HKDF_INFO_KEK = CARDANO_POE_HKDF_INFO_KEK;
+exports.CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519;
+exports.CARDANO_POE_HKDF_INFO_SLOTS_MAC = CARDANO_POE_HKDF_INFO_SLOTS_MAC;
+exports.EciesSealedPoeError = EciesSealedPoeError;
+exports.chunkKemCt = chunkKemCt;
+exports.eciesSealedPoeTrialDecrypt = eciesSealedPoeTrialDecrypt;
+exports.eciesSealedPoeUnwrap = eciesSealedPoeUnwrap;
+exports.eciesSealedPoeWrap = eciesSealedPoeWrap;
+exports.joinKemCt = joinKemCt;
+exports.sealedEnvelopeFromParsed = sealedEnvelopeFromParsed;
+exports.slotsToMacCbor = slotsToMacCbor;
+exports.uniformIndexBelow = uniformIndexBelow;
+//# sourceMappingURL=sealed-poe.cjs.map
+//# sourceMappingURL=sealed-poe.cjs.map