@cardanowall/crypto-core 0.0.0

package/dist/sig.cjs

@@ -0,0 +1,77 @@
+'use strict';
+
+var ed = require('@noble/ed25519');
+var sha2_js = require('@noble/hashes/sha2.js');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var ed__namespace = /*#__PURE__*/_interopNamespace(ed);
+
+// src/sig/ed25519.ts
+ed__namespace.hashes.sha512 = sha2_js.sha512;
+var L = ed__namespace.Point.CURVE().n;
+function signEd25519(opts) {
+  return ed__namespace.sign(opts.message, opts.seed);
+}
+function leBytesToBigInt(bytes) {
+  let value = 0n;
+  for (let i = bytes.length - 1; i >= 0; i--) {
+    value = value << 8n | BigInt(bytes[i]);
+  }
+  return value;
+}
+function verifyEd25519(opts) {
+  const { signature, message, publicKey } = opts;
+  if (signature.length !== 64 || publicKey.length !== 32) return false;
+  const S = leBytesToBigInt(signature.subarray(32, 64));
+  if (S >= L) return false;
+  let A;
+  let R;
+  try {
+    A = ed__namespace.Point.fromBytes(publicKey);
+    R = ed__namespace.Point.fromBytes(signature.subarray(0, 32));
+  } catch {
+    return false;
+  }
+  if (A.isSmallOrder() || R.isSmallOrder()) return false;
+  const k = leBytesToBigInt(ed__namespace.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;
+  const sB = S === 0n ? ed__namespace.Point.ZERO : ed__namespace.Point.BASE.multiplyUnsafe(S);
+  const kA = k === 0n ? ed__namespace.Point.ZERO : A.multiplyUnsafe(k);
+  return sB.subtract(kA).subtract(R).is0();
+}
+function concatBytes(...parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+function getPublicKeyEd25519(opts) {
+  return ed__namespace.getPublicKey(opts.seed);
+}
+
+exports.getPublicKeyEd25519 = getPublicKeyEd25519;
+exports.signEd25519 = signEd25519;
+exports.verifyEd25519 = verifyEd25519;
+//# sourceMappingURL=sig.cjs.map
+//# sourceMappingURL=sig.cjs.map

package/dist/sig.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/sig/ed25519.ts"],"names":["ed","sha512"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAGGA,aAAA,CAAA,MAAA,CAAO,MAAA,GAASC,cAAA;AAGnB,IAAM,CAAA,GAAOD,aAAA,CAAA,KAAA,CAAM,KAAA,EAAM,CAAE,CAAA;AAiBpB,SAAS,YAAY,IAAA,EAAmC;AAC7D,EAAA,OAAUA,aAAA,CAAA,IAAA,CAAK,IAAA,CAAK,OAAA,EAAS,IAAA,CAAK,IAAI,CAAA;AACxC;AAGA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,KAAA,GAAQ,EAAA;AACZ,EAAA,KAAA,IAAS,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,CAAA,IAAK,GAAG,CAAA,EAAA,EAAK;AAC1C,IAAA,KAAA,GAAS,KAAA,IAAS,EAAA,GAAM,MAAA,CAAO,KAAA,CAAM,CAAC,CAAE,CAAA;AAAA,EAC1C;AACA,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,cAAc,IAAA,EAAkC;AAC9D,EAAA,MAAM,EAAE,SAAA,EAAW,OAAA,EAAS,SAAA,EAAU,GAAI,IAAA;AAC1C,EAAA,IAAI,UAAU,MAAA,KAAW,EAAA,IAAM,SAAA,CAAU,MAAA,KAAW,IAAI,OAAO,KAAA;AAG/D,EAAA,MAAM,IAAI,eAAA,CAAgB,SAAA,CAAU,QAAA,CAAS,EAAA,EAAI,EAAE,CAAC,CAAA;AACpD,EAAA,IAAI,CAAA,IAAK,GAAG,OAAO,KAAA;AAInB,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI;AACF,IAAA,CAAA,GAAOA,aAAA,CAAA,KAAA,CAAM,UAAU,SAAS,CAAA;AAChC,IAAA,CAAA,GAAOA,oBAAM,SAAA,CAAU,SAAA,CAAU,QAAA,CAAS,CAAA,EAAG,EAAE,CAAC,CAAA;AAAA,EAClD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,IAAI,EAAE,YAAA,EAAa,IAAK,CAAA,CAAE,YAAA,IAAgB,OAAO,KAAA;AAGjD,EAAA,MAAM,CAAA,GACJ,eAAA,CAAmBA,aAAA,CAAA,IAAA,CAAK,WAAA,CAAY,SAAA,CAAU,QAAA,CAAS,CAAA,EAAG,EAAE,CAAA,EAAG,SAAA,EAAW,OAAO,CAAC,CAAC,CAAA,GAAI,CAAA;AAIzF,EAAA,MAAM,EAAA,GAAK,MAAM,EAAA,GAAQA,aAAA,CAAA,KAAA,CAAM,OAAUA,aAAA,CAAA,KAAA,CAAM,IAAA,CAAK,eAAe,CAAC,CAAA;AACpE,EAAA,MAAM,KAAK,CAAA,KAAM,EAAA,GAAQA,oBAAM,IAAA,GAAO,CAAA,CAAE,eAAe,CAAC,CAAA;AACxD,EAAA,OAAO,GAAG,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAC,EAAE,GAAA,EAAI;AACzC;AAEA,SAAS,eAAe,KAAA,EAAiC;AACvD,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,KAAA,IAAS,CAAA,CAAE,MAAA;AAClC,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,KAAK,CAAA;AAChC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,GAAA,CAAI,GAAA,CAAI,GAAG,MAAM,CAAA;AACjB,IAAA,MAAA,IAAU,CAAA,CAAE,MAAA;AAAA,EACd;AACA,EAAA,OAAO,GAAA;AACT;AAEO,SAAS,oBAAoB,IAAA,EAA2C;AAC7E,EAAA,OAAUA,aAAA,CAAA,YAAA,CAAa,KAAK,IAAI,CAAA;AAClC","file":"sig.cjs","sourcesContent":["import * as ed from '@noble/ed25519';\nimport { sha512 } from '@noble/hashes/sha2.js';\n\ned.hashes.sha512 = sha512;\n\n// Ed25519 group order L (= 2^252 + 27742317777372353535851937790883648493).\nconst L = ed.Point.CURVE().n;\n\nexport interface SignEd25519Opts {\n  readonly seed: Uint8Array;\n  readonly message: Uint8Array;\n}\n\nexport interface VerifyEd25519Opts {\n  readonly publicKey: Uint8Array;\n  readonly message: Uint8Array;\n  readonly signature: Uint8Array;\n}\n\nexport interface GetPublicKeyEd25519Opts {\n  readonly seed: Uint8Array;\n}\n\nexport function signEd25519(opts: SignEd25519Opts): Uint8Array {\n  return ed.sign(opts.message, opts.seed);\n}\n\n// Little-endian 32-byte scalar → bigint.\nfunction leBytesToBigInt(bytes: Uint8Array): bigint {\n  let value = 0n;\n  for (let i = bytes.length - 1; i >= 0; i--) {\n    value = (value << 8n) | BigInt(bytes[i]!);\n  }\n  return value;\n}\n\n// Strict (non-cofactored) Ed25519 verification per RFC 8032 §5.1.7, matching\n// libsodium/PyNaCl `crypto_sign_verify_detached` and ed25519-dalek\n// `verify_strict`. The cofactor-less check rejects every small-order /\n// torsion-component edge case in the C2SP/CCTV corpus, which noble's\n// `{ zip215: false }` mode does NOT (it remains cofactored: it checks\n// `[8]([S]B - [k]A - R) == 0`, accepting torsion components).\n//\n// The verification equation is the unscaled `[S]B == R + [k]A`, rewritten as\n// `[S]B - [k]A - R == identity`. We reject S >= L (non-canonical scalar) and\n// any small-order A or R up front, so a torsion component can never be smuggled\n// through the cofactor multiplication the cofactored variant performs.\nexport function verifyEd25519(opts: VerifyEd25519Opts): boolean {\n  const { signature, message, publicKey } = opts;\n  if (signature.length !== 64 || publicKey.length !== 32) return false;\n\n  // S = LE(sig[32..64]); reject if not a canonical scalar (S >= L).\n  const S = leBytesToBigInt(signature.subarray(32, 64));\n  if (S >= L) return false;\n\n  // Decode A (public key) and R (sig[0..32]) with the canonical (non-zip215)\n  // point encoding; a non-canonical encoding throws and rejects.\n  let A: ed.Point;\n  let R: ed.Point;\n  try {\n    A = ed.Point.fromBytes(publicKey);\n    R = ed.Point.fromBytes(signature.subarray(0, 32));\n  } catch {\n    return false;\n  }\n\n  // Reject small-order (cofactor-torsion) A or R: this is exactly the strictness\n  // that distinguishes verify_strict from the cofactored check.\n  if (A.isSmallOrder() || R.isSmallOrder()) return false;\n\n  // k = SHA-512(R || A || M) reduced mod L.\n  const k =\n    leBytesToBigInt(ed.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;\n\n  // Accept iff [S]B - [k]A - R == identity. `multiplyUnsafe` returns the\n  // identity for a 0 scalar, but guard explicitly to avoid relying on that.\n  const sB = S === 0n ? ed.Point.ZERO : ed.Point.BASE.multiplyUnsafe(S);\n  const kA = k === 0n ? ed.Point.ZERO : A.multiplyUnsafe(k);\n  return sB.subtract(kA).subtract(R).is0();\n}\n\nfunction concatBytes(...parts: Uint8Array[]): Uint8Array {\n  let total = 0;\n  for (const p of parts) total += p.length;\n  const out = new Uint8Array(total);\n  let offset = 0;\n  for (const p of parts) {\n    out.set(p, offset);\n    offset += p.length;\n  }\n  return out;\n}\n\nexport function getPublicKeyEd25519(opts: GetPublicKeyEd25519Opts): Uint8Array {\n  return ed.getPublicKey(opts.seed);\n}\n"]}

package/dist/sig.d.cts

@@ -0,0 +1,17 @@
+interface SignEd25519Opts {
+    readonly seed: Uint8Array;
+    readonly message: Uint8Array;
+}
+interface VerifyEd25519Opts {
+    readonly publicKey: Uint8Array;
+    readonly message: Uint8Array;
+    readonly signature: Uint8Array;
+}
+interface GetPublicKeyEd25519Opts {
+    readonly seed: Uint8Array;
+}
+declare function signEd25519(opts: SignEd25519Opts): Uint8Array;
+declare function verifyEd25519(opts: VerifyEd25519Opts): boolean;
+declare function getPublicKeyEd25519(opts: GetPublicKeyEd25519Opts): Uint8Array;
+
+export { type GetPublicKeyEd25519Opts, type SignEd25519Opts, type VerifyEd25519Opts, getPublicKeyEd25519, signEd25519, verifyEd25519 };

package/dist/sig.d.ts

@@ -0,0 +1,17 @@
+interface SignEd25519Opts {
+    readonly seed: Uint8Array;
+    readonly message: Uint8Array;
+}
+interface VerifyEd25519Opts {
+    readonly publicKey: Uint8Array;
+    readonly message: Uint8Array;
+    readonly signature: Uint8Array;
+}
+interface GetPublicKeyEd25519Opts {
+    readonly seed: Uint8Array;
+}
+declare function signEd25519(opts: SignEd25519Opts): Uint8Array;
+declare function verifyEd25519(opts: VerifyEd25519Opts): boolean;
+declare function getPublicKeyEd25519(opts: GetPublicKeyEd25519Opts): Uint8Array;
+
+export { type GetPublicKeyEd25519Opts, type SignEd25519Opts, type VerifyEd25519Opts, getPublicKeyEd25519, signEd25519, verifyEd25519 };

package/dist/sig.js

@@ -0,0 +1,53 @@
+import * as ed from '@noble/ed25519';
+import { sha512 } from '@noble/hashes/sha2.js';
+
+// src/sig/ed25519.ts
+ed.hashes.sha512 = sha512;
+var L = ed.Point.CURVE().n;
+function signEd25519(opts) {
+  return ed.sign(opts.message, opts.seed);
+}
+function leBytesToBigInt(bytes) {
+  let value = 0n;
+  for (let i = bytes.length - 1; i >= 0; i--) {
+    value = value << 8n | BigInt(bytes[i]);
+  }
+  return value;
+}
+function verifyEd25519(opts) {
+  const { signature, message, publicKey } = opts;
+  if (signature.length !== 64 || publicKey.length !== 32) return false;
+  const S = leBytesToBigInt(signature.subarray(32, 64));
+  if (S >= L) return false;
+  let A;
+  let R;
+  try {
+    A = ed.Point.fromBytes(publicKey);
+    R = ed.Point.fromBytes(signature.subarray(0, 32));
+  } catch {
+    return false;
+  }
+  if (A.isSmallOrder() || R.isSmallOrder()) return false;
+  const k = leBytesToBigInt(ed.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;
+  const sB = S === 0n ? ed.Point.ZERO : ed.Point.BASE.multiplyUnsafe(S);
+  const kA = k === 0n ? ed.Point.ZERO : A.multiplyUnsafe(k);
+  return sB.subtract(kA).subtract(R).is0();
+}
+function concatBytes(...parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+function getPublicKeyEd25519(opts) {
+  return ed.getPublicKey(opts.seed);
+}
+
+export { getPublicKeyEd25519, signEd25519, verifyEd25519 };
+//# sourceMappingURL=sig.js.map
+//# sourceMappingURL=sig.js.map

package/dist/sig.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/sig/ed25519.ts"],"names":[],"mappings":";;;;AAGG,EAAA,CAAA,MAAA,CAAO,MAAA,GAAS,MAAA;AAGnB,IAAM,CAAA,GAAO,EAAA,CAAA,KAAA,CAAM,KAAA,EAAM,CAAE,CAAA;AAiBpB,SAAS,YAAY,IAAA,EAAmC;AAC7D,EAAA,OAAU,EAAA,CAAA,IAAA,CAAK,IAAA,CAAK,OAAA,EAAS,IAAA,CAAK,IAAI,CAAA;AACxC;AAGA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,KAAA,GAAQ,EAAA;AACZ,EAAA,KAAA,IAAS,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,CAAA,IAAK,GAAG,CAAA,EAAA,EAAK;AAC1C,IAAA,KAAA,GAAS,KAAA,IAAS,EAAA,GAAM,MAAA,CAAO,KAAA,CAAM,CAAC,CAAE,CAAA;AAAA,EAC1C;AACA,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,cAAc,IAAA,EAAkC;AAC9D,EAAA,MAAM,EAAE,SAAA,EAAW,OAAA,EAAS,SAAA,EAAU,GAAI,IAAA;AAC1C,EAAA,IAAI,UAAU,MAAA,KAAW,EAAA,IAAM,SAAA,CAAU,MAAA,KAAW,IAAI,OAAO,KAAA;AAG/D,EAAA,MAAM,IAAI,eAAA,CAAgB,SAAA,CAAU,QAAA,CAAS,EAAA,EAAI,EAAE,CAAC,CAAA;AACpD,EAAA,IAAI,CAAA,IAAK,GAAG,OAAO,KAAA;AAInB,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI;AACF,IAAA,CAAA,GAAO,EAAA,CAAA,KAAA,CAAM,UAAU,SAAS,CAAA;AAChC,IAAA,CAAA,GAAO,SAAM,SAAA,CAAU,SAAA,CAAU,QAAA,CAAS,CAAA,EAAG,EAAE,CAAC,CAAA;AAAA,EAClD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,IAAI,EAAE,YAAA,EAAa,IAAK,CAAA,CAAE,YAAA,IAAgB,OAAO,KAAA;AAGjD,EAAA,MAAM,CAAA,GACJ,eAAA,CAAmB,EAAA,CAAA,IAAA,CAAK,WAAA,CAAY,SAAA,CAAU,QAAA,CAAS,CAAA,EAAG,EAAE,CAAA,EAAG,SAAA,EAAW,OAAO,CAAC,CAAC,CAAA,GAAI,CAAA;AAIzF,EAAA,MAAM,EAAA,GAAK,MAAM,EAAA,GAAQ,EAAA,CAAA,KAAA,CAAM,OAAU,EAAA,CAAA,KAAA,CAAM,IAAA,CAAK,eAAe,CAAC,CAAA;AACpE,EAAA,MAAM,KAAK,CAAA,KAAM,EAAA,GAAQ,SAAM,IAAA,GAAO,CAAA,CAAE,eAAe,CAAC,CAAA;AACxD,EAAA,OAAO,GAAG,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAC,EAAE,GAAA,EAAI;AACzC;AAEA,SAAS,eAAe,KAAA,EAAiC;AACvD,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,KAAA,IAAS,CAAA,CAAE,MAAA;AAClC,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,KAAK,CAAA;AAChC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,GAAA,CAAI,GAAA,CAAI,GAAG,MAAM,CAAA;AACjB,IAAA,MAAA,IAAU,CAAA,CAAE,MAAA;AAAA,EACd;AACA,EAAA,OAAO,GAAA;AACT;AAEO,SAAS,oBAAoB,IAAA,EAA2C;AAC7E,EAAA,OAAU,EAAA,CAAA,YAAA,CAAa,KAAK,IAAI,CAAA;AAClC","file":"sig.js","sourcesContent":["import * as ed from '@noble/ed25519';\nimport { sha512 } from '@noble/hashes/sha2.js';\n\ned.hashes.sha512 = sha512;\n\n// Ed25519 group order L (= 2^252 + 27742317777372353535851937790883648493).\nconst L = ed.Point.CURVE().n;\n\nexport interface SignEd25519Opts {\n  readonly seed: Uint8Array;\n  readonly message: Uint8Array;\n}\n\nexport interface VerifyEd25519Opts {\n  readonly publicKey: Uint8Array;\n  readonly message: Uint8Array;\n  readonly signature: Uint8Array;\n}\n\nexport interface GetPublicKeyEd25519Opts {\n  readonly seed: Uint8Array;\n}\n\nexport function signEd25519(opts: SignEd25519Opts): Uint8Array {\n  return ed.sign(opts.message, opts.seed);\n}\n\n// Little-endian 32-byte scalar → bigint.\nfunction leBytesToBigInt(bytes: Uint8Array): bigint {\n  let value = 0n;\n  for (let i = bytes.length - 1; i >= 0; i--) {\n    value = (value << 8n) | BigInt(bytes[i]!);\n  }\n  return value;\n}\n\n// Strict (non-cofactored) Ed25519 verification per RFC 8032 §5.1.7, matching\n// libsodium/PyNaCl `crypto_sign_verify_detached` and ed25519-dalek\n// `verify_strict`. The cofactor-less check rejects every small-order /\n// torsion-component edge case in the C2SP/CCTV corpus, which noble's\n// `{ zip215: false }` mode does NOT (it remains cofactored: it checks\n// `[8]([S]B - [k]A - R) == 0`, accepting torsion components).\n//\n// The verification equation is the unscaled `[S]B == R + [k]A`, rewritten as\n// `[S]B - [k]A - R == identity`. We reject S >= L (non-canonical scalar) and\n// any small-order A or R up front, so a torsion component can never be smuggled\n// through the cofactor multiplication the cofactored variant performs.\nexport function verifyEd25519(opts: VerifyEd25519Opts): boolean {\n  const { signature, message, publicKey } = opts;\n  if (signature.length !== 64 || publicKey.length !== 32) return false;\n\n  // S = LE(sig[32..64]); reject if not a canonical scalar (S >= L).\n  const S = leBytesToBigInt(signature.subarray(32, 64));\n  if (S >= L) return false;\n\n  // Decode A (public key) and R (sig[0..32]) with the canonical (non-zip215)\n  // point encoding; a non-canonical encoding throws and rejects.\n  let A: ed.Point;\n  let R: ed.Point;\n  try {\n    A = ed.Point.fromBytes(publicKey);\n    R = ed.Point.fromBytes(signature.subarray(0, 32));\n  } catch {\n    return false;\n  }\n\n  // Reject small-order (cofactor-torsion) A or R: this is exactly the strictness\n  // that distinguishes verify_strict from the cofactored check.\n  if (A.isSmallOrder() || R.isSmallOrder()) return false;\n\n  // k = SHA-512(R || A || M) reduced mod L.\n  const k =\n    leBytesToBigInt(ed.hash(concatBytes(signature.subarray(0, 32), publicKey, message))) % L;\n\n  // Accept iff [S]B - [k]A - R == identity. `multiplyUnsafe` returns the\n  // identity for a 0 scalar, but guard explicitly to avoid relying on that.\n  const sB = S === 0n ? ed.Point.ZERO : ed.Point.BASE.multiplyUnsafe(S);\n  const kA = k === 0n ? ed.Point.ZERO : A.multiplyUnsafe(k);\n  return sB.subtract(kA).subtract(R).is0();\n}\n\nfunction concatBytes(...parts: Uint8Array[]): Uint8Array {\n  let total = 0;\n  for (const p of parts) total += p.length;\n  const out = new Uint8Array(total);\n  let offset = 0;\n  for (const p of parts) {\n    out.set(p, offset);\n    offset += p.length;\n  }\n  return out;\n}\n\nexport function getPublicKeyEd25519(opts: GetPublicKeyEd25519Opts): Uint8Array {\n  return ed.getPublicKey(opts.seed);\n}\n"]}

package/dist/util.cjs

@@ -0,0 +1,36 @@
+'use strict';
+
+// src/util/compare-ct.ts
+function compareCt(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/util/hex.ts
+function hexToBytes(hex) {
+  if ((hex.length & 1) !== 0) {
+    throw new Error(`hexToBytes: input length ${hex.length} is not even`);
+  }
+  const out = new Uint8Array(hex.length >>> 1);
+  for (let i = 0; i < out.length; i++) {
+    const hi = charToNibble(hex.charCodeAt(i * 2));
+    const lo = charToNibble(hex.charCodeAt(i * 2 + 1));
+    if (hi < 0 || lo < 0) {
+      throw new Error(`hexToBytes: non-hex character at offset ${i * 2}`);
+    }
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+function charToNibble(code) {
+  if (code >= 48 && code <= 57) return code - 48;
+  if (code >= 97 && code <= 102) return code - 87;
+  return -1;
+}
+
+exports.compareCt = compareCt;
+exports.hexToBytes = hexToBytes;
+//# sourceMappingURL=util.cjs.map
+//# sourceMappingURL=util.cjs.map

package/dist/util.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/util/compare-ct.ts","../src/util/hex.ts"],"names":[],"mappings":";;;AAKO,SAAS,SAAA,CAAU,GAAe,CAAA,EAAwB;AAC/D,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AAIX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,MAAA,EAAQ,CAAA,EAAA,EAAK,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAClE,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;;;ACPO,SAAS,WAAW,GAAA,EAAyB;AAClD,EAAA,IAAA,CAAK,GAAA,CAAI,MAAA,GAAS,CAAA,MAAO,CAAA,EAAG;AAC1B,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yBAAA,EAA4B,GAAA,CAAI,MAAM,CAAA,YAAA,CAAc,CAAA;AAAA,EACtE;AACA,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,GAAA,CAAI,WAAW,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,CAAC,CAAC,CAAA;AAC7C,IAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,WAAW,CAAA,GAAI,CAAA,GAAI,CAAC,CAAC,CAAA;AACjD,IAAA,IAAI,EAAA,GAAK,CAAA,IAAK,EAAA,GAAK,CAAA,EAAG;AACpB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wCAAA,EAA2C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACpE;AACA,IAAA,GAAA,CAAI,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACvB;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,aAAa,IAAA,EAAsB;AAC1C,EAAA,IAAI,IAAA,IAAQ,EAAA,IAAM,IAAA,IAAQ,EAAA,SAAW,IAAA,GAAO,EAAA;AAC5C,EAAA,IAAI,IAAA,IAAQ,EAAA,IAAM,IAAA,IAAQ,GAAA,SAAY,IAAA,GAAO,EAAA;AAC7C,EAAA,OAAO,EAAA;AACT","file":"util.cjs","sourcesContent":["// Isomorphic constant-time byte-equality. crypto-core is browser-safe by\n// design, so we cannot import `node:crypto.timingSafeEqual` — webpack rejects\n// the `node:` scheme in the browser bundle. A pure-JS XOR loop is constant-time\n// for equal-length inputs; length mismatch is a deliberate early-return (the\n// API surface itself leaks length, same as node's timingSafeEqual which throws).\nexport function compareCt(a: Uint8Array, b: Uint8Array): boolean {\n  if (a.length !== b.length) return false;\n  let diff = 0;\n  // Lengths are equal and `i` stays in-bounds, so both indexes are always\n  // defined — no nullish guard is needed (and one would read as a guard for\n  // an impossible case).\n  for (let i = 0; i < a.length; i++) diff |= (a[i] as number) ^ (b[i] as number);\n  return diff === 0;\n}\n","// Lower-case hex → bytes decoder. Caller is responsible for normalising\n// case + stripping any 0x prefix; the input must match /^[0-9a-f]*$/ with\n// even length. The decoder allocates exactly one fresh Uint8Array and\n// returns it as-is so callers downstream can rely on reference identity\n// (e.g. caller-owns-zeroize discipline for raw-seed import: the caller can\n// wipe the exact buffer this function returned).\nexport function hexToBytes(hex: string): Uint8Array {\n  if ((hex.length & 1) !== 0) {\n    throw new Error(`hexToBytes: input length ${hex.length} is not even`);\n  }\n  const out = new Uint8Array(hex.length >>> 1);\n  for (let i = 0; i < out.length; i++) {\n    const hi = charToNibble(hex.charCodeAt(i * 2));\n    const lo = charToNibble(hex.charCodeAt(i * 2 + 1));\n    if (hi < 0 || lo < 0) {\n      throw new Error(`hexToBytes: non-hex character at offset ${i * 2}`);\n    }\n    out[i] = (hi << 4) | lo;\n  }\n  return out;\n}\n\nfunction charToNibble(code: number): number {\n  if (code >= 48 && code <= 57) return code - 48;\n  if (code >= 97 && code <= 102) return code - 87;\n  return -1;\n}\n"]}

package/dist/util.d.cts

@@ -0,0 +1,5 @@
+declare function compareCt(a: Uint8Array, b: Uint8Array): boolean;
+
+declare function hexToBytes(hex: string): Uint8Array;
+
+export { compareCt, hexToBytes };

package/dist/util.d.ts

@@ -0,0 +1,5 @@
+declare function compareCt(a: Uint8Array, b: Uint8Array): boolean;
+
+declare function hexToBytes(hex: string): Uint8Array;
+
+export { compareCt, hexToBytes };

package/dist/util.js

@@ -0,0 +1,33 @@
+// src/util/compare-ct.ts
+function compareCt(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/util/hex.ts
+function hexToBytes(hex) {
+  if ((hex.length & 1) !== 0) {
+    throw new Error(`hexToBytes: input length ${hex.length} is not even`);
+  }
+  const out = new Uint8Array(hex.length >>> 1);
+  for (let i = 0; i < out.length; i++) {
+    const hi = charToNibble(hex.charCodeAt(i * 2));
+    const lo = charToNibble(hex.charCodeAt(i * 2 + 1));
+    if (hi < 0 || lo < 0) {
+      throw new Error(`hexToBytes: non-hex character at offset ${i * 2}`);
+    }
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+function charToNibble(code) {
+  if (code >= 48 && code <= 57) return code - 48;
+  if (code >= 97 && code <= 102) return code - 87;
+  return -1;
+}
+
+export { compareCt, hexToBytes };
+//# sourceMappingURL=util.js.map
+//# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/util/compare-ct.ts","../src/util/hex.ts"],"names":[],"mappings":";AAKO,SAAS,SAAA,CAAU,GAAe,CAAA,EAAwB;AAC/D,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AAIX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,MAAA,EAAQ,CAAA,EAAA,EAAK,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAClE,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;;;ACPO,SAAS,WAAW,GAAA,EAAyB;AAClD,EAAA,IAAA,CAAK,GAAA,CAAI,MAAA,GAAS,CAAA,MAAO,CAAA,EAAG;AAC1B,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yBAAA,EAA4B,GAAA,CAAI,MAAM,CAAA,YAAA,CAAc,CAAA;AAAA,EACtE;AACA,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,GAAA,CAAI,WAAW,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,IAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,CAAC,CAAC,CAAA;AAC7C,IAAA,MAAM,KAAK,YAAA,CAAa,GAAA,CAAI,WAAW,CAAA,GAAI,CAAA,GAAI,CAAC,CAAC,CAAA;AACjD,IAAA,IAAI,EAAA,GAAK,CAAA,IAAK,EAAA,GAAK,CAAA,EAAG;AACpB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wCAAA,EAA2C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACpE;AACA,IAAA,GAAA,CAAI,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACvB;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,aAAa,IAAA,EAAsB;AAC1C,EAAA,IAAI,IAAA,IAAQ,EAAA,IAAM,IAAA,IAAQ,EAAA,SAAW,IAAA,GAAO,EAAA;AAC5C,EAAA,IAAI,IAAA,IAAQ,EAAA,IAAM,IAAA,IAAQ,GAAA,SAAY,IAAA,GAAO,EAAA;AAC7C,EAAA,OAAO,EAAA;AACT","file":"util.js","sourcesContent":["// Isomorphic constant-time byte-equality. crypto-core is browser-safe by\n// design, so we cannot import `node:crypto.timingSafeEqual` — webpack rejects\n// the `node:` scheme in the browser bundle. A pure-JS XOR loop is constant-time\n// for equal-length inputs; length mismatch is a deliberate early-return (the\n// API surface itself leaks length, same as node's timingSafeEqual which throws).\nexport function compareCt(a: Uint8Array, b: Uint8Array): boolean {\n  if (a.length !== b.length) return false;\n  let diff = 0;\n  // Lengths are equal and `i` stays in-bounds, so both indexes are always\n  // defined — no nullish guard is needed (and one would read as a guard for\n  // an impossible case).\n  for (let i = 0; i < a.length; i++) diff |= (a[i] as number) ^ (b[i] as number);\n  return diff === 0;\n}\n","// Lower-case hex → bytes decoder. Caller is responsible for normalising\n// case + stripping any 0x prefix; the input must match /^[0-9a-f]*$/ with\n// even length. The decoder allocates exactly one fresh Uint8Array and\n// returns it as-is so callers downstream can rely on reference identity\n// (e.g. caller-owns-zeroize discipline for raw-seed import: the caller can\n// wipe the exact buffer this function returned).\nexport function hexToBytes(hex: string): Uint8Array {\n  if ((hex.length & 1) !== 0) {\n    throw new Error(`hexToBytes: input length ${hex.length} is not even`);\n  }\n  const out = new Uint8Array(hex.length >>> 1);\n  for (let i = 0; i < out.length; i++) {\n    const hi = charToNibble(hex.charCodeAt(i * 2));\n    const lo = charToNibble(hex.charCodeAt(i * 2 + 1));\n    if (hi < 0 || lo < 0) {\n      throw new Error(`hexToBytes: non-hex character at offset ${i * 2}`);\n    }\n    out[i] = (hi << 4) | lo;\n  }\n  return out;\n}\n\nfunction charToNibble(code: number): number {\n  if (code >= 48 && code <= 57) return code - 48;\n  if (code >= 97 && code <= 102) return code - 87;\n  return -1;\n}\n"]}

package/package.json

@@ -0,0 +1,122 @@
+{
+  "name": "@cardanowall/crypto-core",
+  "version": "0.0.0",
+  "type": "module",
+  "description": "Closed-catalogue cryptographic primitives for CIP-309 Proof-of-Existence (TypeScript reference implementation; byte-identical Python parity twin).",
+  "license": "Apache-2.0",
+  "author": "Cardanowall <hello@cardanowall.com>",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cardanowall/cip309-ts.git",
+    "directory": "packages/crypto-core"
+  },
+  "homepage": "https://github.com/cardanowall/cip309-ts#readme",
+  "bugs": {
+    "url": "https://github.com/cardanowall/cip309-ts/issues"
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "development": "./src/index.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./hash": {
+      "types": "./dist/hash.d.ts",
+      "development": "./src/hash/index.ts",
+      "import": "./dist/hash.js",
+      "require": "./dist/hash.cjs"
+    },
+    "./kdf": {
+      "types": "./dist/kdf.d.ts",
+      "development": "./src/kdf/index.ts",
+      "import": "./dist/kdf.js",
+      "require": "./dist/kdf.cjs"
+    },
+    "./sig": {
+      "types": "./dist/sig.d.ts",
+      "development": "./src/sig/index.ts",
+      "import": "./dist/sig.js",
+      "require": "./dist/sig.cjs"
+    },
+    "./kem": {
+      "types": "./dist/kem.d.ts",
+      "development": "./src/kem/index.ts",
+      "import": "./dist/kem.js",
+      "require": "./dist/kem.cjs"
+    },
+    "./aead": {
+      "types": "./dist/aead.d.ts",
+      "development": "./src/aead/index.ts",
+      "import": "./dist/aead.js",
+      "require": "./dist/aead.cjs"
+    },
+    "./util": {
+      "types": "./dist/util.d.ts",
+      "development": "./src/util/index.ts",
+      "import": "./dist/util.js",
+      "require": "./dist/util.cjs"
+    },
+    "./cbor": {
+      "types": "./dist/cbor.d.ts",
+      "development": "./src/cbor/index.ts",
+      "import": "./dist/cbor.js",
+      "require": "./dist/cbor.cjs"
+    },
+    "./cose": {
+      "types": "./dist/cose.d.ts",
+      "development": "./src/cose/index.ts",
+      "import": "./dist/cose.js",
+      "require": "./dist/cose.cjs"
+    },
+    "./seed-derive": {
+      "types": "./dist/seed-derive.d.ts",
+      "development": "./src/seed-derive/index.ts",
+      "import": "./dist/seed-derive.js",
+      "require": "./dist/seed-derive.cjs"
+    },
+    "./sealed-poe": {
+      "types": "./dist/sealed-poe.d.ts",
+      "development": "./src/sealed-poe/index.ts",
+      "import": "./dist/sealed-poe.js",
+      "require": "./dist/sealed-poe.cjs"
+    },
+    "./merkle": {
+      "types": "./dist/merkle.d.ts",
+      "development": "./src/merkle/index.ts",
+      "import": "./dist/merkle.js",
+      "require": "./dist/merkle.cjs"
+    },
+    "./recipient": {
+      "types": "./dist/recipient.d.ts",
+      "development": "./src/recipient/index.ts",
+      "import": "./dist/recipient.js",
+      "require": "./dist/recipient.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "devDependencies": {
+    "@scure/base": "2.2.0",
+    "tsup": "^8.5.1"
+  },
+  "dependencies": {
+    "@noble/ciphers": "^2.2.0",
+    "@noble/curves": "^2.2.0",
+    "@noble/ed25519": "^3.1.0",
+    "@noble/hashes": "^2.2.0",
+    "@noble/post-quantum": "^0.6.1",
+    "cbor2": "^2.3.0",
+    "hash-wasm": "4.12.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit -p tsconfig.json"
+  }
+}