@cardanowall/sdk-ts 0.2.0 → 0.4.0

package/dist/identity/index.cjs

@@ -13,10 +13,11 @@ var utils_js = require('@noble/hashes/utils.js');
 var fft_js = require('@noble/curves/abstract/fft.js');
 var ed = require('@noble/ed25519');
 require('@noble/ciphers/utils.js');
-var hmac_js = require('@noble/hashes/hmac.js');
 var chacha_js = require('@noble/ciphers/chacha.js');
+var hmac_js = require('@noble/hashes/hmac.js');
 var cbor2 = require('cbor2');
 var sorts = require('cbor2/sorts');
+require('hash-wasm');
 
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -867,18 +868,17 @@ function chacha20Poly1305Decrypt(opts2) {
     throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
   }
 }
-function xchacha20Poly1305Decrypt(opts2) {
-  try {
-    return chacha_js.xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
-  }
-}
-function hkdfSha2562(opts2) {
-  return hkdf_js.hkdf(sha2_js.sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
-}
 var MLKEM768X25519_ENC_LENGTH = 1120;
 var MLKEM768X25519_SEED_LENGTH2 = 32;
+function mlkem768x25519Keygen2(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH2) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH2} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
 function mlkem768x25519Decapsulate(opts2) {
   if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH2) {
     throw new Error(
@@ -913,6 +913,9 @@ function x25519Ecdh(opts2) {
     throw e;
   }
 }
+function hkdfSha2562(opts2) {
+  return hkdf_js.hkdf(sha2_js.sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
 var EciesSealedPoeError = class extends Error {
   code;
   constructor(code, message, options) {
@@ -921,6 +924,139 @@ var EciesSealedPoeError = class extends Error {
     this.code = code;
   }
 };
+var CHUNK_SIZE = 65536;
+var TAG_SIZE = 16;
+var NONCE_LENGTH = 12;
+var COUNTER_LENGTH = 11;
+var SEALED_CHUNK_SIZE = CHUNK_SIZE + TAG_SIZE;
+var PAYLOAD_KEY_LENGTH = 32;
+var EMPTY_AAD = new Uint8Array(0);
+var StreamTamperedError = class extends Error {
+  code = "TAMPERED_CIPHERTEXT";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "StreamTamperedError";
+  }
+};
+var ChunkNonce = class {
+  nonce = new Uint8Array(NONCE_LENGTH);
+  finished = false;
+  next(final) {
+    if (this.finished) {
+      throw new Error("STREAM: no chunks may follow the final chunk");
+    }
+    if (final) {
+      this.finished = true;
+      this.nonce[COUNTER_LENGTH] = 1;
+    }
+    const out = this.nonce.slice();
+    this.increment();
+    return out;
+  }
+  get done() {
+    return this.finished;
+  }
+  increment() {
+    for (let i = COUNTER_LENGTH - 1; i >= 0; i--) {
+      const v = this.nonce[i] + 1 & 255;
+      this.nonce[i] = v;
+      if (v !== 0) return;
+    }
+    throw new Error("STREAM: chunk counter overflow");
+  }
+};
+function assertPayloadKey(payloadKey) {
+  if (payloadKey.length !== PAYLOAD_KEY_LENGTH) {
+    throw new Error(
+      `STREAM: payloadKey MUST be exactly ${PAYLOAD_KEY_LENGTH} bytes, got ${payloadKey.length}`
+    );
+  }
+}
+var StreamOpener = class {
+  payloadKey;
+  nonce = new ChunkNonce();
+  chunkIndex = 0;
+  constructor(payloadKey) {
+    assertPayloadKey(payloadKey);
+    this.payloadKey = payloadKey;
+  }
+  openChunk(sealedChunk, final) {
+    if (sealedChunk.length < TAG_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: sealed chunk shorter than the ${TAG_SIZE}-byte tag floor`
+      );
+    }
+    if (!final && sealedChunk.length !== SEALED_CHUNK_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: non-final sealed chunk MUST be exactly ${SEALED_CHUNK_SIZE} bytes, got ${sealedChunk.length}`
+      );
+    }
+    if (final && sealedChunk.length > SEALED_CHUNK_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: final sealed chunk MUST be at most ${SEALED_CHUNK_SIZE} bytes, got ${sealedChunk.length}`
+      );
+    }
+    if (final && sealedChunk.length === TAG_SIZE && this.chunkIndex > 0) {
+      throw new StreamTamperedError("STREAM: zero-length final chunk on a non-empty stream");
+    }
+    let plaintext;
+    try {
+      plaintext = chacha20Poly1305Decrypt({
+        key: this.payloadKey,
+        nonce: this.nonce.next(final),
+        aad: EMPTY_AAD,
+        ciphertext: sealedChunk
+      });
+    } catch (e) {
+      if (!(e instanceof AeadVerificationError)) throw e;
+      throw new StreamTamperedError(`STREAM: chunk ${this.chunkIndex} tag verification failed`, {
+        cause: e
+      });
+    }
+    this.chunkIndex += 1;
+    return plaintext;
+  }
+};
+function streamOpen(args) {
+  const { ciphertext } = args;
+  const total = ciphertext.length;
+  if (total < TAG_SIZE) {
+    throw new StreamTamperedError(
+      `STREAM: ciphertext shorter than the ${TAG_SIZE}-byte single-tag floor`
+    );
+  }
+  const rem = total % SEALED_CHUNK_SIZE;
+  let nonFinalCount;
+  let finalSealedLength;
+  if (rem === 0) {
+    nonFinalCount = total / SEALED_CHUNK_SIZE - 1;
+    finalSealedLength = SEALED_CHUNK_SIZE;
+  } else if (rem >= TAG_SIZE) {
+    nonFinalCount = (total - rem) / SEALED_CHUNK_SIZE;
+    finalSealedLength = rem;
+  } else {
+    throw new StreamTamperedError("STREAM: trailing bytes cannot form a well-formed final chunk");
+  }
+  if (nonFinalCount > 0 && finalSealedLength === TAG_SIZE) {
+    throw new StreamTamperedError("STREAM: zero-length final chunk on a non-empty stream");
+  }
+  const opener = new StreamOpener(args.payloadKey);
+  const out = new Uint8Array(nonFinalCount * CHUNK_SIZE + finalSealedLength - TAG_SIZE);
+  let readOffset = 0;
+  let writeOffset = 0;
+  for (let i = 0; i < nonFinalCount; i++) {
+    const plaintext = opener.openChunk(
+      ciphertext.subarray(readOffset, readOffset + SEALED_CHUNK_SIZE),
+      false
+    );
+    out.set(plaintext, writeOffset);
+    readOffset += SEALED_CHUNK_SIZE;
+    writeOffset += CHUNK_SIZE;
+  }
+  const finalPlaintext = opener.openChunk(ciphertext.subarray(readOffset), true);
+  out.set(finalPlaintext, writeOffset);
+  return out;
+}
 function encodeCanonicalCbor(value) {
   return cbor2.encode(value, {
     cde: true,
@@ -929,57 +1065,138 @@ function encodeCanonicalCbor(value) {
     sortKeys: sorts.sortCoreDeterministic
   });
 }
-var CHUNK_MAX_BYTES = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
-  }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
-  }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+var CARDANO_POE_ITEM_HASHES_PREFIX = new TextEncoder().encode(
+  "cardano-poe-item-hashes-v1"
+);
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-passphrase-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC = new TextEncoder().encode(
+  "cardano-poe-passphrase-mac-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_X25519_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-x25519-kek-salt-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_ITEM_HASHES_PREFIX.length !== 26) {
+  throw new Error("CARDANO_POE_ITEM_HASHES_PREFIX byte-length invariant violated (expected 26)");
+}
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX.length !== 36) {
+  throw new Error(
+    "CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX byte-length invariant violated (expected 36)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC.length !== 29) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC byte-length invariant violated (expected 29)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_X25519_KEK_SALT_PREFIX.length !== 30) {
+  throw new Error(
+    "CARDANO_POE_X25519_KEK_SALT_PREFIX byte-length invariant violated (expected 30)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var EMPTY_SALT2 = new Uint8Array(0);
+function labelledSha256(prefix, ...parts) {
+  let total = prefix.length;
+  for (const p of parts) total += p.length;
+  const message = new Uint8Array(total);
+  message.set(prefix, 0);
+  let offset = prefix.length;
+  for (const p of parts) {
+    message.set(p, offset);
+    offset += p.length;
   }
-  return out;
+  return sha2_js.sha256(message);
 }
-function slotsToMacCbor(slots, kem) {
-  let value;
-  if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
+function itemHashesHash(hashes3) {
+  if (Object.keys(hashes3).length === 0) {
+    throw new EciesSealedPoeError(
+      "ENC_REQUIRES_CONTENT_HASH",
+      "hashes MUST carry at least one content-hash entry"
+    );
   }
-  return encodeCanonicalCbor(value);
+  return labelledSha256(CARDANO_POE_ITEM_HASHES_PREFIX, encodeCanonicalCbor(hashes3));
+}
+function computeSlotsHash(args) {
+  const slots = args.kem === "x25519" ? args.slots.map((s) => ({ epk: s.epk, wrap: s.wrap })) : args.slots.map((s) => ({
+    kem_ct: s.kem_ct,
+    wrap: s.wrap
+  }));
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: args.aead,
+    kem: args.kem,
+    nonce: args.nonce,
+    slots,
+    hashes_hash: args.hashesHash
+  };
+  return labelledSha256(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, encodeCanonicalCbor(transcript));
+}
+function computeSlotsMac(args) {
+  const macKey = hkdfSha2562({
+    ikm: args.cek,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+    length: 32
+  });
+  return hmac_js.hmac(sha2_js.sha256, macKey, args.slotsHash);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha2562({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
 }
+function x25519KekSalt(args) {
+  return labelledSha256(CARDANO_POE_X25519_KEK_SALT_PREFIX, args.nonce, args.epk, args.pubR);
+}
+function xwingKekSalt(args) {
+  return labelledSha256(CARDANO_POE_XWING_KEK_SALT_PREFIX, args.nonce, args.kemCt, args.pubR);
+}
+var SEALED_POE_AEAD = "chacha20-poly1305-stream64k";
 var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
 var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
   "cardano-poe-kek-mlkem768x25519-v1"
 );
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
 var ZERO_NONCE_12 = new Uint8Array(12);
 if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
   throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
@@ -989,9 +1206,6 @@ if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
     "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
   );
 }
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
-}
 if (ZERO_NONCE_12.length !== 12) {
   throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
 }
@@ -1001,33 +1215,74 @@ function compareCt(a, b) {
   for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
   return diff === 0;
 }
+var CEK_LENGTH2 = 32;
+function newSlotAcceptanceState() {
+  return {
+    foundBit: 0,
+    conflictBit: 0,
+    selectedCek: new Uint8Array(CEK_LENGTH2),
+    selectedSlotIdx: -1
+  };
+}
+function foldSlotAcceptance(state, ok, candidateCek, slotIdx) {
+  if (candidateCek.length !== CEK_LENGTH2) {
+    throw new Error(
+      `candidate CEK MUST be exactly ${CEK_LENGTH2} bytes, got ${candidateCek.length}`
+    );
+  }
+  const okBit = ok & 1;
+  const firstBit = okBit & (state.foundBit ^ 1);
+  const firstByteMask = -firstBit & 255;
+  const firstWordMask = -firstBit | 0;
+  let diff = 0;
+  for (let i = 0; i < CEK_LENGTH2; i++) {
+    diff |= candidateCek[i] ^ state.selectedCek[i];
+  }
+  const neqBit = (diff | -diff) >>> 31 & 1;
+  state.conflictBit |= okBit & state.foundBit & neqBit;
+  for (let i = 0; i < CEK_LENGTH2; i++) {
+    state.selectedCek[i] = candidateCek[i] & firstByteMask | state.selectedCek[i] & ~firstByteMask & 255;
+  }
+  state.selectedSlotIdx = slotIdx & firstWordMask | state.selectedSlotIdx & ~firstWordMask;
+  state.foundBit |= okBit;
+}
+function finishSlotAcceptance(state) {
+  const found = state.foundBit === 1;
+  return {
+    found,
+    cekConflict: state.conflictBit === 1,
+    selectedCek: found ? state.selectedCek : null,
+    selectedSlotIdx: state.selectedSlotIdx
+  };
+}
 function selectBundleSecrets(envelope, bundle) {
   return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
 }
 var ZERO_NONCE_122 = new Uint8Array(12);
-var EMPTY_SALT22 = new Uint8Array(0);
+var CEK_LENGTH3 = 32;
 var X25519_SECRET_KEY_LENGTH2 = 32;
 var X25519_PUBLIC_KEY_LENGTH2 = 32;
-var NONCE_LENGTH2 = 24;
+var NONCE_LENGTH3 = 24;
 var WRAP_LENGTH2 = 48;
 var SLOTS_MAC_LENGTH2 = 32;
-function concat2(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
+  }
+  return s;
 }
 function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (envelope.scheme !== 1) {
     throw new EciesSealedPoeError(
-      "UNSUPPORTED_ENC_VERSION",
+      "UNSUPPORTED_ENVELOPE_SCHEME",
       `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
     );
   }
-  if (envelope.aead !== "xchacha20-poly1305") {
+  if (envelope.aead !== SEALED_POE_AEAD) {
     throw new EciesSealedPoeError(
       "UNSUPPORTED_AEAD_ALG",
-      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+      `envelope.aead=${String(envelope.aead)} unsupported (expected '${SEALED_POE_AEAD}')`
     );
   }
   if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
@@ -1040,10 +1295,16 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (n < 1) {
     throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
   }
-  if (envelope.nonce.length !== NONCE_LENGTH2) {
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH3) {
     throw new EciesSealedPoeError(
       "NONCE_LENGTH_MISMATCH",
-      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH3} bytes, got ${envelope.nonce.length}`
     );
   }
   if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
@@ -1052,6 +1313,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
       `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
     );
   }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
   if (envelope.kem === "x25519") {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
@@ -1067,15 +1329,22 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   } else {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
-      const enc = joinKemCt(slot.kem_ct);
-      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+      if (slot.kem_ct.length !== MLKEM768X25519_ENC_LENGTH) {
         throw new EciesSealedPoeError(
           "KEM_CT_LENGTH_MISMATCH",
-          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+          `envelope.slots[${i}].kem_ct MUST be exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${slot.kem_ct.length}`
         );
       }
       if (slot.wrap.length !== WRAP_LENGTH2) {
@@ -1084,8 +1353,24 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(slot.kem_ct);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH3 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+    );
+  }
   if (multiPrivKeys !== void 0) {
     for (let i = 0; i < multiPrivKeys.length; i++) {
       if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
@@ -1104,125 +1389,118 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
     }
   }
 }
-function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha2562({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
+var ZERO_IKM_32 = new Uint8Array(32);
+var DUMMY_CEK_32 = new Uint8Array(32);
+function wrapOpenOrDummy(kek, aad, wrap) {
+  try {
+    const plaintext = chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad,
+      ciphertext: wrap
+    });
+    if (plaintext.length === CEK_LENGTH3) {
+      return { ok: 1, candidate: plaintext };
     }
+    return { ok: 0, candidate: DUMMY_CEK_32 };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { ok: 0, candidate: DUMMY_CEK_32 };
   }
+}
+function tryX25519Slot(args) {
+  const salt = x25519KekSalt({ nonce: args.nonce, epk: args.slot.epk, pubR: args.pubRLocal });
+  let kemOk = 1;
+  let kek;
   try {
     const shared = x25519Ecdh({
       secretKey: args.recipientSecretKey,
       theirPublicKey: args.slot.epk
     });
-    hkdfSha2562({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
+    kek = hkdfSha2562({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
   } catch (e) {
     if (!(e instanceof X25519LowOrderPointError)) throw e;
+    kemOk = 0;
+    kek = hkdfSha2562({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
   }
-  return null;
+  const opened = wrapOpenOrDummy(kek, CARDANO_POE_HKDF_INFO_KEK, args.slot.wrap);
+  return { ok: kemOk & opened.ok, candidate: opened.candidate };
 }
 function tryMlkem768X25519Slot(args) {
-  const enc = joinKemCt(args.slot.kem_ct);
-  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const ss = mlkem768x25519Decapsulate({
+    secretSeed: args.recipientSecretKey,
+    enc: args.slot.kem_ct
+  });
   const kek = hkdfSha2562({
     ikm: ss,
-    salt: EMPTY_SALT22,
+    salt: xwingKekSalt({ nonce: args.nonce, kemCt: args.slot.kem_ct, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
-  if (!args.liveSlot) {
-    return null;
-  }
-  try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-      ciphertext: args.slot.wrap
-    });
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError)) throw e;
-    return null;
-  }
+  return wrapOpenOrDummy(kek, CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519, args.slot.wrap);
 }
-function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+function runPrivPass(envelope, recipientSecretKey, slotsHash, slotsAttemptedOut) {
   const n = envelope.slots.length;
-  let cek = null;
-  let matchedSlotIdx = -1;
+  const state = newSlotAcceptanceState();
+  let anyOpenedBit = 0;
+  const acceptSlot = (slot, i) => {
+    anyOpenedBit |= slot.ok;
+    const macOk = Number(compareCt(computeSlotsMac({ cek: slot.candidate, slotsHash }), envelope.slots_mac)) & 1;
+    foldSlotAcceptance(state, slot.ok & macOk, slot.candidate, i);
+  };
   if (envelope.kem === "x25519") {
     const pubRLocal = x25519PublicKey2({ secretKey: recipientSecretKey });
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
+      acceptSlot(
+        tryX25519Slot({
+          slot: envelope.slots[i],
+          nonce: envelope.nonce,
+          recipientSecretKey,
+          pubRLocal
+        }),
+        i
+      );
     }
   } else {
+    const pubR = mlkem768x25519Keygen2(recipientSecretKey).publicKey;
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
+      acceptSlot(
+        tryMlkem768X25519Slot({
+          slot: envelope.slots[i],
+          nonce: envelope.nonce,
+          recipientSecretKey,
+          pubR
+        }),
+        i
+      );
     }
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
-}
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+  const outcome = finishSlotAcceptance(state);
+  return {
+    found: outcome.found,
+    selectedCek: outcome.selectedCek,
+    selectedSlotIdx: outcome.selectedSlotIdx,
+    cekConflict: outcome.cekConflict,
+    anyOpened: anyOpenedBit === 1
+  };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function slotsHashBytes(envelope, hashes3) {
+  return computeSlotsHash({
+    aead: envelope.aead,
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots,
+    hashesHash: itemHashesHash(hashes3)
+  });
 }
 function eciesSealedPoeUnwrap(args) {
   const { envelope, ciphertext } = args;
-  const constantTimeN = args.constantTimeN ?? true;
   const hasSingle = "recipientSecretKey" in args;
   const hasBundle = "recipientKeyBundle" in args;
   const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
@@ -1247,85 +1525,47 @@ function eciesSealedPoeUnwrap(args) {
   } else {
     assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
+  const slotsHash = slotsHashBytes(envelope, args.hashes);
   let matchedCek = null;
-  let anyCandidateRecovered = false;
-  if (hasSingle) {
-    const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
-      envelope,
-      recipientSecretKey,
-      constantTimeN,
-      args._slotsAttemptedOut
-    );
-    if (cek === null) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+  let anyOpenedAcrossPrivs = false;
+  const privKeys = hasMulti ? multiPrivKeys : [args.recipientSecretKey];
+  for (let k = 0; k < privKeys.length; k++) {
+    if (args._privsAttemptedOut !== void 0) {
+      args._privsAttemptedOut.count = k + 1;
     }
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const hmacKey = hkdfSha2562({
-      ikm: cek,
-      salt: EMPTY_SALT22,
-      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-      length: 32
-    });
-    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
-    if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
+    if (args._slotsAttemptedOut !== void 0) {
+      args._slotsAttemptedOut.count = 0;
     }
-    matchedCek = cek;
-  } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const recipientSecretKeys = multiPrivKeys;
-    for (let k = 0; k < recipientSecretKeys.length; k++) {
-      if (args._privsAttemptedOut !== void 0) {
-        args._privsAttemptedOut.count = k + 1;
-      }
-      if (args._slotsAttemptedOut !== void 0) {
-        args._slotsAttemptedOut.count = 0;
-      }
-      const cek = tryRecipientUnwrap(
-        envelope,
-        recipientSecretKeys[k],
-        constantTimeN,
-        args._slotsAttemptedOut
-      );
-      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
-        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
-      }
-      if (cek === null) continue;
-      const hmacKey = hkdfSha2562({
-        ikm: cek,
-        salt: EMPTY_SALT22,
-        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-        length: 32
-      });
-      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
-      if (compareCt(slotsMacCalc, envelope.slots_mac)) {
-        matchedCek = cek;
-        break;
-      }
-      anyCandidateRecovered = true;
+    const pass = runPrivPass(envelope, privKeys[k], slotsHash, args._slotsAttemptedOut);
+    if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+      args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
     }
-    if (matchedCek === null) {
-      return {
-        matched: false,
-        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
-      };
+    anyOpenedAcrossPrivs = anyOpenedAcrossPrivs || pass.anyOpened;
+    if (!pass.found) continue;
+    if (pass.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
     }
+    matchedCek = pass.selectedCek;
+    break;
+  }
+  if (matchedCek === null) {
+    return {
+      matched: false,
+      reason: anyOpenedAcrossPrivs ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+    };
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
   try {
-    const plaintext = xchacha20Poly1305Decrypt({
-      key: matchedCek,
-      nonce: envelope.nonce,
-      aad: adContent,
+    const plaintext = streamOpen({
+      payloadKey: slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce }),
       ciphertext
     });
     return { matched: true, plaintext };
   } catch (e) {
-    if (!(e instanceof AeadVerificationError)) throw e;
+    if (!(e instanceof StreamTamperedError)) throw e;
     return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
   }
 }
+new TextEncoder();
 ed__namespace.hashes.sha512 = sha2_js.sha512;
 ed__namespace.Point.CURVE().n;
 function signEd25519(opts2) {
@@ -1367,6 +1607,7 @@ function decryptSealedFromSeed(args) {
   return eciesSealedPoeUnwrap({
     envelope: args.envelope,
     ciphertext: args.ciphertext,
+    hashes: args.hashes,
     recipientKeyBundle: recipientKeyBundleFromSeed(args.seed)
   });
 }