@cardanowall/crypto-core 0.2.0 → 0.3.0

package/dist/sealed-poe.cjs

@@ -49,6 +49,15 @@ var MLKEM768X25519_PUBLIC_KEY_LENGTH = 1216;
 var MLKEM768X25519_ENC_LENGTH = 1120;
 var MLKEM768X25519_SEED_LENGTH = 32;
 var MLKEM768X25519_ESEED_LENGTH = 64;
+function mlkem768x25519Keygen(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = hybrid_js.XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
 function mlkem768x25519Encapsulate(opts) {
   if (opts.publicKey.length !== MLKEM768X25519_PUBLIC_KEY_LENGTH) {
     throw new Error(
@@ -107,14 +116,6 @@ var EciesSealedPoeError = class extends Error {
     this.code = code;
   }
 };
-function encodeCanonicalCbor(value) {
-  return cbor2.encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sorts.sortCoreDeterministic
-  });
-}
 
 // src/sealed-poe/slots-codec.ts
 var CHUNK_MAX_BYTES = 64;
@@ -139,27 +140,151 @@ function joinKemCt(chunks) {
   }
   return out;
 }
-function slotsToMacCbor(slots, kem) {
-  let value;
+function canonicalizeSlots(slots, kem) {
   if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor(value);
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  }
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
+}
+function encodeCanonicalCbor(value) {
+  return cbor2.encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sorts.sortCoreDeterministic
+  });
+}
+
+// src/sealed-poe/transcript.ts
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var CARDANO_POE_PW_NORM_PROFILE = "cardano-poe-pw-norm-v1";
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertPlaintextWithinBound(plaintextLength) {
+  if (plaintextLength >= MAX_SEALED_PLAINTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `plaintext length ${plaintextLength} is at or above the maximum sealed payload size ${MAX_SEALED_PLAINTEXT}`
+    );
+  }
+}
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
+  }
+}
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
+  }
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha2_js.sha256(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor(ad);
+}
+function adContentPassphrase(args) {
+  const ad = {
+    scheme: 1,
+    path: "passphrase",
+    aead: "xchacha20-poly1305",
+    nonce: args.nonce,
+    passphrase: {
+      alg: args.passphrase.alg,
+      salt: args.passphrase.salt,
+      params: {
+        m: args.passphrase.params.m,
+        t: args.passphrase.params.t,
+        p: args.passphrase.params.p
+      },
+      normalization: CARDANO_POE_PW_NORM_PROFILE
+    }
+  };
+  return encodeCanonicalCbor(ad);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
+}
+function passphrasePayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE,
+    length: 32
+  });
+}
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha2_js.sha256(message);
 }
 
 // src/sealed-poe/wrap.ts
@@ -253,7 +378,7 @@ function wrapSlotMlkem768X25519(args) {
   }
   const kek = hkdfSha256({
     ikm: ss,
-    salt: EMPTY_SALT,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
@@ -272,6 +397,7 @@ function eciesSealedPoeWrap(args) {
   const { plaintext, recipientPublicKeys } = args;
   const kem = args.kem ?? "x25519";
   const n = recipientPublicKeys.length;
+  assertPlaintextWithinBound(plaintext.length);
   if (n < 1) {
     throw new EciesSealedPoeError(
       "ENC_SLOTS_EMPTY",
@@ -341,6 +467,7 @@ function eciesSealedPoeWrap(args) {
     );
   }
   let envelope;
+  let slotsHash;
   if (kem === "x25519") {
     const slots = [];
     for (let i = 0; i < n; i++) {
@@ -356,14 +483,14 @@ function eciesSealedPoeWrap(args) {
     if (args.skipShuffle !== true) {
       csprngShuffle(slots);
     }
-    const slotsMac = computeSlotsMac(cek, slots, "x25519");
+    slotsHash = computeSlotsHash({ kem: "x25519", nonce, slots });
     envelope = {
       scheme: 1,
       aead: "xchacha20-poly1305",
       kem: "x25519",
       nonce,
       slots,
-      slots_mac: slotsMac
+      slots_mac: computeSlotsMac(cek, slotsHash)
     };
   } else {
     const slots = [];
@@ -379,34 +506,39 @@ function eciesSealedPoeWrap(args) {
     if (args.skipShuffle !== true) {
       csprngShuffle(slots);
     }
-    const slotsMac = computeSlotsMac(cek, slots, "mlkem768x25519");
+    slotsHash = computeSlotsHash({ kem: "mlkem768x25519", nonce, slots });
     envelope = {
       scheme: 1,
       aead: "xchacha20-poly1305",
       kem: "mlkem768x25519",
       nonce,
       slots,
-      slots_mac: slotsMac
+      slots_mac: computeSlotsMac(cek, slotsHash)
     };
   }
-  const adContent = concat(nonce, envelope.slots_mac);
+  const payloadKey = slotsPayloadKey({ cek, nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
   const ciphertext = xchacha20Poly1305Encrypt({
-    key: cek,
+    key: payloadKey,
     nonce,
     aad: adContent,
     plaintext
   });
   return { envelope, ciphertext };
 }
-function computeSlotsMac(cek, slots, kem) {
+function computeSlotsMac(cek, slotsHash) {
   const hmacKey = hkdfSha256({
     ikm: cek,
     salt: EMPTY_SALT,
     info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
     length: 32
   });
-  const slotsCbor = slotsToMacCbor(slots, kem);
-  const slotsMac = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+  const slotsMac = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
   if (slotsMac.length !== SLOTS_MAC_LENGTH) {
     throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
   }
@@ -438,6 +570,13 @@ function concat2(a, b) {
   out.set(b, a.length);
   return out;
 }
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
+  }
+  return s;
+}
 function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (envelope.scheme !== 1) {
     throw new EciesSealedPoeError(
@@ -461,6 +600,12 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (n < 1) {
     throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
   }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
   if (envelope.nonce.length !== NONCE_LENGTH2) {
     throw new EciesSealedPoeError(
       "NONCE_LENGTH_MISMATCH",
@@ -473,6 +618,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
       `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
     );
   }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
   if (envelope.kem === "x25519") {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
@@ -488,6 +634,14 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   } else {
     for (let i = 0; i < n; i++) {
@@ -505,8 +659,24 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+    );
+  }
   if (multiPrivKeys !== void 0) {
     for (let i = 0; i < multiPrivKeys.length; i++) {
       if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
@@ -525,60 +695,42 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
     }
   }
 }
+var ZERO_IKM_32 = new Uint8Array(32);
 function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha256({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
-    }
-  }
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
   try {
-    const shared = x25519Ecdh({
+    shared = x25519Ecdh({
       secretKey: args.recipientSecretKey,
       theirPublicKey: args.slot.epk
     });
-    hkdfSha256({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
   } catch (e) {
     if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha256({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
+  }
+  const kek = hkdfSha256({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  return null;
 }
 function tryMlkem768X25519Slot(args) {
   const enc = joinKemCt(args.slot.kem_ct);
   const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
   const kek = hkdfSha256({
     ikm: ss,
-    salt: EMPTY_SALT2,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
-  if (!args.liveSlot) {
-    return null;
-  }
   try {
     return chacha20Poly1305Decrypt({
       key: kek,
@@ -595,51 +747,43 @@ function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN,
   const n = envelope.slots.length;
   let cek = null;
   let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt(candidate, cek)) {
+      cekConflict = true;
+    }
+  };
   if (envelope.kem === "x25519") {
     const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
       if (cek !== null && !constantTimeN) break;
     }
   } else {
+    const pubR = mlkem768x25519Keygen(recipientSecretKey).publicKey;
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
       if (cek !== null && !constantTimeN) break;
     }
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
-}
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
 function eciesSealedPoeUnwrap(args) {
   const { envelope, ciphertext } = args;
@@ -668,34 +812,38 @@ function eciesSealedPoeUnwrap(args) {
   } else {
     assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
   let matchedCek = null;
   let anyCandidateRecovered = false;
   if (hasSingle) {
     const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
+    const candidate = tryRecipientUnwrapWithIdx(
       envelope,
       recipientSecretKey,
       constantTimeN,
       args._slotsAttemptedOut
     );
-    if (cek === null) {
+    if (candidate === null) {
       return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
-    const slotsCbor = slotsMacCborBytes(envelope);
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     const hmacKey = hkdfSha256({
-      ikm: cek,
+      ikm: candidate.cek,
       salt: EMPTY_SALT2,
       info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
       length: 32
     });
-    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
     if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
       return { matched: false, reason: "TAMPERED_HEADER" };
     }
-    matchedCek = cek;
+    matchedCek = candidate.cek;
   } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
     const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
     for (let k = 0; k < recipientSecretKeys.length; k++) {
       if (args._privsAttemptedOut !== void 0) {
         args._privsAttemptedOut.count = k + 1;
@@ -703,7 +851,7 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut !== void 0) {
         args._slotsAttemptedOut.count = 0;
       }
-      const cek = tryRecipientUnwrap(
+      const candidate = tryRecipientUnwrapWithIdx(
         envelope,
         recipientSecretKeys[k],
         constantTimeN,
@@ -712,20 +860,25 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
         args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
       }
-      if (cek === null) continue;
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
       const hmacKey = hkdfSha256({
         ikm: cek,
         salt: EMPTY_SALT2,
         info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
         length: 32
       });
-      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
       if (compareCt(slotsMacCalc, envelope.slots_mac)) {
         matchedCek = cek;
         break;
       }
       anyCandidateRecovered = true;
     }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     if (matchedCek === null) {
       return {
         matched: false,
@@ -733,10 +886,16 @@ function eciesSealedPoeUnwrap(args) {
       };
     }
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
   try {
     const plaintext = xchacha20Poly1305Decrypt({
-      key: matchedCek,
+      key: payloadKey,
       nonce: envelope.nonce,
       aad: adContent,
       ciphertext
@@ -762,7 +921,7 @@ function eciesSealedPoeTrialDecrypt(args) {
     );
   }
   assertEnvelopeStructure(envelope, recipientSecretKeys, void 0);
-  const slotsCbor = slotsMacCborBytes(envelope);
+  const slotsHash = slotsHashBytes(envelope);
   let anyCandidateRecovered = false;
   for (let k = 0; k < recipientSecretKeys.length; k++) {
     if (args._privsAttemptedOut !== void 0) {
@@ -781,13 +940,17 @@ function eciesSealedPoeTrialDecrypt(args) {
       args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
     }
     if (candidate === null) continue;
+    if (candidate.cekConflict) {
+      anyCandidateRecovered = true;
+      continue;
+    }
     const hmacKey = hkdfSha256({
       ikm: candidate.cek,
       salt: EMPTY_SALT2,
       info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
       length: 32
     });
-    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
     if (compareCt(slotsMacCalc, envelope.slots_mac)) {
       return { kind: "match", slotIdx: candidate.slotIdx, cek: candidate.cek };
     }
@@ -837,15 +1000,33 @@ function sealedEnvelopeFromParsed(enc) {
 
 exports.CARDANO_POE_HKDF_INFO_KEK = CARDANO_POE_HKDF_INFO_KEK;
 exports.CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519;
+exports.CARDANO_POE_HKDF_INFO_PAYLOAD = CARDANO_POE_HKDF_INFO_PAYLOAD;
+exports.CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE;
 exports.CARDANO_POE_HKDF_INFO_SLOTS_MAC = CARDANO_POE_HKDF_INFO_SLOTS_MAC;
+exports.CARDANO_POE_PW_NORM_PROFILE = CARDANO_POE_PW_NORM_PROFILE;
+exports.CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX;
+exports.CARDANO_POE_XWING_KEK_SALT_PREFIX = CARDANO_POE_XWING_KEK_SALT_PREFIX;
 exports.EciesSealedPoeError = EciesSealedPoeError;
+exports.MAX_DECODED_ENVELOPE_BYTES = MAX_DECODED_ENVELOPE_BYTES;
+exports.MAX_SEALED_CIPHERTEXT = MAX_SEALED_CIPHERTEXT;
+exports.MAX_SEALED_PLAINTEXT = MAX_SEALED_PLAINTEXT;
+exports.MAX_SLOTS = MAX_SLOTS;
+exports.SealedPayloadTooLargeError = SealedPayloadTooLargeError;
+exports.adContentPassphrase = adContentPassphrase;
+exports.adContentSlots = adContentSlots;
+exports.assertCiphertextWithinBound = assertCiphertextWithinBound;
+exports.assertPlaintextWithinBound = assertPlaintextWithinBound;
+exports.canonicalizeSlots = canonicalizeSlots;
 exports.chunkKemCt = chunkKemCt;
+exports.computeSlotsHash = computeSlotsHash;
 exports.eciesSealedPoeTrialDecrypt = eciesSealedPoeTrialDecrypt;
 exports.eciesSealedPoeUnwrap = eciesSealedPoeUnwrap;
 exports.eciesSealedPoeWrap = eciesSealedPoeWrap;
 exports.joinKemCt = joinKemCt;
+exports.passphrasePayloadKey = passphrasePayloadKey;
 exports.sealedEnvelopeFromParsed = sealedEnvelopeFromParsed;
-exports.slotsToMacCbor = slotsToMacCbor;
+exports.slotsPayloadKey = slotsPayloadKey;
 exports.uniformIndexBelow = uniformIndexBelow;
+exports.xwingKekSalt = xwingKekSalt;
 //# sourceMappingURL=sealed-poe.cjs.map
 //# sourceMappingURL=sealed-poe.cjs.map