@cardanowall/crypto-core 0.1.0 → 0.3.0

package/dist/index.js

@@ -361,7 +361,7 @@ function decodeCanonicalCbor(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -421,7 +421,7 @@ function buildSigStructure(args) {
     args.payload
   ]);
 }
-function buildCip309SigStructure(args) {
+function buildLabel309SigStructure(args) {
   const toSign = new Uint8Array(
     CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
   );
@@ -512,21 +512,21 @@ var CoseSign1BuildError = class extends Error {
     this.code = code;
   }
 };
-function coseSign1Cip309Build(args) {
+function coseSign1Label309Build(args) {
   if (args.signerSecretKey === void 0 && args.signer === void 0) {
     throw new CoseSign1BuildError(
       "SIGNER_NOT_PROVIDED",
-      "coseSign1Cip309Build requires either signerSecretKey or signer"
+      "coseSign1Label309Build requires either signerSecretKey or signer"
     );
   }
   if (args.signerSecretKey !== void 0 && args.signer !== void 0) {
     throw new CoseSign1BuildError(
       "SIGNER_AND_SEED_BOTH_PROVIDED",
-      "coseSign1Cip309Build accepts signerSecretKey XOR signer (not both)"
+      "coseSign1Label309Build accepts signerSecretKey XOR signer (not both)"
     );
   }
   const protectedBytes = args.protectedHeader.size === 0 ? EMPTY_BYTES : encodeCanonicalCbor(args.protectedHeader);
-  const sigStructureBytes = buildCip309SigStructure({
+  const sigStructureBytes = buildLabel309SigStructure({
     bodyProtectedBytes: protectedBytes,
     recordBodyCbor: args.recordBodyCbor
   });
@@ -549,7 +549,7 @@ function coseSign1Cip309Build(args) {
     signature
   });
 }
-function coseSign1Cip309Verify(args) {
+function coseSign1Label309Verify(args) {
   let decoded;
   try {
     decoded = decodeCoseSign1(args.message);
@@ -616,7 +616,7 @@ function coseSign1Cip309Verify(args) {
       payload: hashedPayload
     });
   } else {
-    sigStructureBytes = buildCip309SigStructure({
+    sigStructureBytes = buildLabel309SigStructure({
       bodyProtectedBytes: decoded.protectedBytes,
       recordBodyCbor: args.detachedRecordBodyCbor
     });
@@ -775,27 +775,141 @@ function joinKemCt(chunks) {
   }
   return out;
 }
-function slotsToMacCbor(slots, kem) {
-  let value;
+function canonicalizeSlots(slots, kem) {
   if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor(value);
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  }
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
+}
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var CARDANO_POE_PW_NORM_PROFILE = "cardano-poe-pw-norm-v1";
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertPlaintextWithinBound(plaintextLength) {
+  if (plaintextLength >= MAX_SEALED_PLAINTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `plaintext length ${plaintextLength} is at or above the maximum sealed payload size ${MAX_SEALED_PLAINTEXT}`
+    );
+  }
+}
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
+  }
+}
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
+  }
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha256$1(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor(ad);
+}
+function adContentPassphrase(args) {
+  const ad = {
+    scheme: 1,
+    path: "passphrase",
+    aead: "xchacha20-poly1305",
+    nonce: args.nonce,
+    passphrase: {
+      alg: args.passphrase.alg,
+      salt: args.passphrase.salt,
+      params: {
+        m: args.passphrase.params.m,
+        t: args.passphrase.params.t,
+        p: args.passphrase.params.p
+      },
+      normalization: CARDANO_POE_PW_NORM_PROFILE
+    }
+  };
+  return encodeCanonicalCbor(ad);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
+}
+function passphrasePayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE,
+    length: 32
+  });
+}
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha256$1(message);
 }
 
 // src/sealed-poe/wrap.ts
@@ -889,7 +1003,7 @@ function wrapSlotMlkem768X25519(args) {
   }
   const kek = hkdfSha256({
     ikm: ss,
-    salt: EMPTY_SALT2,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
@@ -908,6 +1022,7 @@ function eciesSealedPoeWrap(args) {
   const { plaintext, recipientPublicKeys } = args;
   const kem = args.kem ?? "x25519";
   const n = recipientPublicKeys.length;
+  assertPlaintextWithinBound(plaintext.length);
   if (n < 1) {
     throw new EciesSealedPoeError(
       "ENC_SLOTS_EMPTY",
@@ -977,6 +1092,7 @@ function eciesSealedPoeWrap(args) {
     );
   }
   let envelope;
+  let slotsHash;
   if (kem === "x25519") {
     const slots = [];
     for (let i = 0; i < n; i++) {
@@ -992,14 +1108,14 @@ function eciesSealedPoeWrap(args) {
     if (args.skipShuffle !== true) {
       csprngShuffle(slots);
     }
-    const slotsMac = computeSlotsMac(cek, slots, "x25519");
+    slotsHash = computeSlotsHash({ kem: "x25519", nonce, slots });
     envelope = {
       scheme: 1,
       aead: "xchacha20-poly1305",
       kem: "x25519",
       nonce,
       slots,
-      slots_mac: slotsMac
+      slots_mac: computeSlotsMac(cek, slotsHash)
     };
   } else {
     const slots = [];
@@ -1015,34 +1131,39 @@ function eciesSealedPoeWrap(args) {
     if (args.skipShuffle !== true) {
       csprngShuffle(slots);
     }
-    const slotsMac = computeSlotsMac(cek, slots, "mlkem768x25519");
+    slotsHash = computeSlotsHash({ kem: "mlkem768x25519", nonce, slots });
     envelope = {
       scheme: 1,
       aead: "xchacha20-poly1305",
       kem: "mlkem768x25519",
       nonce,
       slots,
-      slots_mac: slotsMac
+      slots_mac: computeSlotsMac(cek, slotsHash)
     };
   }
-  const adContent = concat(nonce, envelope.slots_mac);
+  const payloadKey = slotsPayloadKey({ cek, nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
   const ciphertext = xchacha20Poly1305Encrypt({
-    key: cek,
+    key: payloadKey,
     nonce,
     aad: adContent,
     plaintext
   });
   return { envelope, ciphertext };
 }
-function computeSlotsMac(cek, slots, kem) {
+function computeSlotsMac(cek, slotsHash) {
   const hmacKey = hkdfSha256({
     ikm: cek,
     salt: EMPTY_SALT2,
     info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
     length: 32
   });
-  const slotsCbor = slotsToMacCbor(slots, kem);
-  const slotsMac = hmac(sha256$1, hmacKey, slotsCbor);
+  const slotsMac = hmac(sha256$1, hmacKey, slotsHash);
   if (slotsMac.length !== SLOTS_MAC_LENGTH) {
     throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
   }
@@ -1064,6 +1185,13 @@ function concat2(a, b) {
   out.set(b, a.length);
   return out;
 }
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
+  }
+  return s;
+}
 function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (envelope.scheme !== 1) {
     throw new EciesSealedPoeError(
@@ -1087,6 +1215,12 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (n < 1) {
     throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
   }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
   if (envelope.nonce.length !== NONCE_LENGTH2) {
     throw new EciesSealedPoeError(
       "NONCE_LENGTH_MISMATCH",
@@ -1099,6 +1233,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
       `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
     );
   }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
   if (envelope.kem === "x25519") {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
@@ -1114,6 +1249,14 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   } else {
     for (let i = 0; i < n; i++) {
@@ -1131,8 +1274,24 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+    );
+  }
   if (multiPrivKeys !== void 0) {
     for (let i = 0; i < multiPrivKeys.length; i++) {
       if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
@@ -1151,60 +1310,42 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
     }
   }
 }
+var ZERO_IKM_32 = new Uint8Array(32);
 function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha256({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
-    }
-  }
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
   try {
-    const shared = x25519Ecdh({
+    shared = x25519Ecdh({
       secretKey: args.recipientSecretKey,
       theirPublicKey: args.slot.epk
     });
-    hkdfSha256({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
   } catch (e) {
     if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha256({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
+  }
+  const kek = hkdfSha256({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  return null;
 }
 function tryMlkem768X25519Slot(args) {
   const enc = joinKemCt(args.slot.kem_ct);
   const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
   const kek = hkdfSha256({
     ikm: ss,
-    salt: EMPTY_SALT3,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
-  if (!args.liveSlot) {
-    return null;
-  }
   try {
     return chacha20Poly1305Decrypt({
       key: kek,
@@ -1221,51 +1362,43 @@ function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN,
   const n = envelope.slots.length;
   let cek = null;
   let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt(candidate, cek)) {
+      cekConflict = true;
+    }
+  };
   if (envelope.kem === "x25519") {
     const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
       if (cek !== null && !constantTimeN) break;
     }
   } else {
+    const pubR = mlkem768x25519Keygen(recipientSecretKey).publicKey;
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
       if (cek !== null && !constantTimeN) break;
     }
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
-}
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
 function eciesSealedPoeUnwrap(args) {
   const { envelope, ciphertext } = args;
@@ -1294,34 +1427,38 @@ function eciesSealedPoeUnwrap(args) {
   } else {
     assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
   let matchedCek = null;
   let anyCandidateRecovered = false;
   if (hasSingle) {
     const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
+    const candidate = tryRecipientUnwrapWithIdx(
       envelope,
       recipientSecretKey,
       constantTimeN,
       args._slotsAttemptedOut
     );
-    if (cek === null) {
+    if (candidate === null) {
       return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
-    const slotsCbor = slotsMacCborBytes(envelope);
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     const hmacKey = hkdfSha256({
-      ikm: cek,
+      ikm: candidate.cek,
       salt: EMPTY_SALT3,
       info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
       length: 32
     });
-    const slotsMacCalc = hmac(sha256$1, hmacKey, slotsCbor);
+    const slotsMacCalc = hmac(sha256$1, hmacKey, slotsHash);
     if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
       return { matched: false, reason: "TAMPERED_HEADER" };
     }
-    matchedCek = cek;
+    matchedCek = candidate.cek;
   } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
     const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
     for (let k = 0; k < recipientSecretKeys.length; k++) {
       if (args._privsAttemptedOut !== void 0) {
         args._privsAttemptedOut.count = k + 1;
@@ -1329,7 +1466,7 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut !== void 0) {
         args._slotsAttemptedOut.count = 0;
       }
-      const cek = tryRecipientUnwrap(
+      const candidate = tryRecipientUnwrapWithIdx(
         envelope,
         recipientSecretKeys[k],
         constantTimeN,
@@ -1338,20 +1475,25 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
         args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
       }
-      if (cek === null) continue;
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
       const hmacKey = hkdfSha256({
         ikm: cek,
         salt: EMPTY_SALT3,
         info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
         length: 32
       });
-      const slotsMacCalc = hmac(sha256$1, hmacKey, slotsCbor);
+      const slotsMacCalc = hmac(sha256$1, hmacKey, slotsHash);
       if (compareCt(slotsMacCalc, envelope.slots_mac)) {
         matchedCek = cek;
         break;
       }
       anyCandidateRecovered = true;
     }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     if (matchedCek === null) {
       return {
         matched: false,
@@ -1359,10 +1501,16 @@ function eciesSealedPoeUnwrap(args) {
       };
     }
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
   try {
     const plaintext = xchacha20Poly1305Decrypt({
-      key: matchedCek,
+      key: payloadKey,
       nonce: envelope.nonce,
       aad: adContent,
       ciphertext
@@ -1388,7 +1536,7 @@ function eciesSealedPoeTrialDecrypt(args) {
     );
   }
   assertEnvelopeStructure(envelope, recipientSecretKeys, void 0);
-  const slotsCbor = slotsMacCborBytes(envelope);
+  const slotsHash = slotsHashBytes(envelope);
   let anyCandidateRecovered = false;
   for (let k = 0; k < recipientSecretKeys.length; k++) {
     if (args._privsAttemptedOut !== void 0) {
@@ -1407,13 +1555,17 @@ function eciesSealedPoeTrialDecrypt(args) {
       args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
     }
     if (candidate === null) continue;
+    if (candidate.cekConflict) {
+      anyCandidateRecovered = true;
+      continue;
+    }
     const hmacKey = hkdfSha256({
       ikm: candidate.cek,
       salt: EMPTY_SALT3,
       info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
       length: 32
     });
-    const slotsMacCalc = hmac(sha256$1, hmacKey, slotsCbor);
+    const slotsMacCalc = hmac(sha256$1, hmacKey, slotsHash);
     if (compareCt(slotsMacCalc, envelope.slots_mac)) {
       return { kind: "match", slotIdx: candidate.slotIdx, cek: candidate.cek };
     }
@@ -1754,6 +1906,6 @@ function parseAgeRecipient(recipient) {
   throw new Error(`parseAgeRecipient: unrecognized recipient prefix "${hrp}"`);
 }
 
-export { AeadVerificationError, CARDANO_POE_HKDF_INFO_KEK, CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519, CARDANO_POE_HKDF_INFO_SLOTS_MAC, CARDANO_POE_SIG_DOMAIN_PREFIX, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, CanonicalCborError, CoseSign1BuildError, CoseVerifyError, EciesSealedPoeError, INFO_ED25519, INFO_MLKEM768X25519, INFO_X25519, LEAVES_LIST_FORMAT_V1, MERKLE_ALG_ID, MLKEM768X25519_ENC_LENGTH, MLKEM768X25519_ESEED_LENGTH, MLKEM768X25519_PUBLIC_KEY_LENGTH, MLKEM768X25519_SEED_LENGTH, MLKEM768X25519_SHARED_SECRET_LENGTH, MerkleLeavesListError, SeedDeriveError, X25519LowOrderPointError, argon2idV13, bech32DecodeNoLimit, bech32EncodeNoLimit, blake2b224, blake2b256, buildCip309SigStructure, buildSigStructure, chacha20Poly1305Decrypt, chacha20Poly1305Encrypt, chunkKemCt, compareCt, coseSign1Cip309Build, coseSign1Cip309Verify, decodeCanonicalCbor, decodeCbor, decodeCoseSign1, decodeLeavesList, deriveEd25519KeypairFromSeed, deriveMlKem768X25519KeypairFromSeed, deriveX25519KeypairFromSeed, dualHash, dualHashStream, eciesSealedPoeTrialDecrypt, eciesSealedPoeUnwrap, eciesSealedPoeWrap, encodeAgeX25519Recipient, encodeAgeXWingRecipient, encodeCanonicalCbor, encodeCoseSign1, encodeLeavesList, getPublicKeyEd25519, hexToBytes, hkdfSha256, joinKemCt, merkleSha2256InclusionProof, merkleSha2256Root, merkleSha2256VerifyInclusion, mlkem768x25519Decapsulate, mlkem768x25519Encapsulate, mlkem768x25519Keygen, parseAgeRecipient, parseCoseKeyEd25519, sealedEnvelopeFromParsed, sha256, signEd25519, slotsToMacCbor, uniformIndexBelow, verifyEd25519, x25519Ecdh, x25519Keygen, x25519PublicKey, xchacha20Poly1305Decrypt, xchacha20Poly1305Encrypt };
+export { AeadVerificationError, CARDANO_POE_HKDF_INFO_KEK, CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519, CARDANO_POE_HKDF_INFO_PAYLOAD, CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE, CARDANO_POE_HKDF_INFO_SLOTS_MAC, CARDANO_POE_PW_NORM_PROFILE, CARDANO_POE_SIG_DOMAIN_PREFIX, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, CARDANO_POE_XWING_KEK_SALT_PREFIX, CanonicalCborError, CoseSign1BuildError, CoseVerifyError, EciesSealedPoeError, INFO_ED25519, INFO_MLKEM768X25519, INFO_X25519, LEAVES_LIST_FORMAT_V1, MAX_DECODED_ENVELOPE_BYTES, MAX_SEALED_CIPHERTEXT, MAX_SEALED_PLAINTEXT, MAX_SLOTS, MERKLE_ALG_ID, MLKEM768X25519_ENC_LENGTH, MLKEM768X25519_ESEED_LENGTH, MLKEM768X25519_PUBLIC_KEY_LENGTH, MLKEM768X25519_SEED_LENGTH, MLKEM768X25519_SHARED_SECRET_LENGTH, MerkleLeavesListError, SealedPayloadTooLargeError, SeedDeriveError, X25519LowOrderPointError, adContentPassphrase, adContentSlots, argon2idV13, assertCiphertextWithinBound, assertPlaintextWithinBound, bech32DecodeNoLimit, bech32EncodeNoLimit, blake2b224, blake2b256, buildLabel309SigStructure, buildSigStructure, canonicalizeSlots, chacha20Poly1305Decrypt, chacha20Poly1305Encrypt, chunkKemCt, compareCt, computeSlotsHash, coseSign1Label309Build, coseSign1Label309Verify, decodeCanonicalCbor, decodeCbor, decodeCoseSign1, decodeLeavesList, deriveEd25519KeypairFromSeed, deriveMlKem768X25519KeypairFromSeed, deriveX25519KeypairFromSeed, dualHash, dualHashStream, eciesSealedPoeTrialDecrypt, eciesSealedPoeUnwrap, eciesSealedPoeWrap, encodeAgeX25519Recipient, encodeAgeXWingRecipient, encodeCanonicalCbor, encodeCoseSign1, encodeLeavesList, getPublicKeyEd25519, hexToBytes, hkdfSha256, joinKemCt, merkleSha2256InclusionProof, merkleSha2256Root, merkleSha2256VerifyInclusion, mlkem768x25519Decapsulate, mlkem768x25519Encapsulate, mlkem768x25519Keygen, parseAgeRecipient, parseCoseKeyEd25519, passphrasePayloadKey, sealedEnvelopeFromParsed, sha256, signEd25519, slotsPayloadKey, uniformIndexBelow, verifyEd25519, x25519Ecdh, x25519Keygen, x25519PublicKey, xchacha20Poly1305Decrypt, xchacha20Poly1305Encrypt, xwingKekSalt };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map