@cardanowall/sdk-ts 0.3.0 → 0.5.0

package/dist/identity/index.js

@@ -11,10 +11,11 @@ import { anumber, abytes, randomBytes as randomBytes$1, u32, swap32IfBE } from '
 import { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';
 import * as ed from '@noble/ed25519';
 import '@noble/ciphers/utils.js';
+import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import { hmac } from '@noble/hashes/hmac.js';
-import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import { encode } from 'cbor2';
 import { sortCoreDeterministic } from 'cbor2/sorts';
+import 'hash-wasm';
 
 // ../crypto-core/dist/seed-derive.js
 var abytesDoc = abytes;
@@ -845,16 +846,6 @@ function chacha20Poly1305Decrypt(opts2) {
     throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
   }
 }
-function xchacha20Poly1305Decrypt(opts2) {
-  try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
-  }
-}
-function hkdfSha2562(opts2) {
-  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
-}
 var MLKEM768X25519_ENC_LENGTH = 1120;
 var MLKEM768X25519_SEED_LENGTH2 = 32;
 function mlkem768x25519Keygen2(seed) {
@@ -900,6 +891,9 @@ function x25519Ecdh(opts2) {
     throw e;
   }
 }
+function hkdfSha2562(opts2) {
+  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
 var EciesSealedPoeError = class extends Error {
   code;
   constructor(code, message, options) {
@@ -908,36 +902,138 @@ var EciesSealedPoeError = class extends Error {
     this.code = code;
   }
 };
-var CHUNK_MAX_BYTES = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+var CHUNK_SIZE = 65536;
+var TAG_SIZE = 16;
+var NONCE_LENGTH = 12;
+var COUNTER_LENGTH = 11;
+var SEALED_CHUNK_SIZE = CHUNK_SIZE + TAG_SIZE;
+var PAYLOAD_KEY_LENGTH = 32;
+var EMPTY_AAD = new Uint8Array(0);
+var StreamTamperedError = class extends Error {
+  code = "TAMPERED_CIPHERTEXT";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "StreamTamperedError";
+  }
+};
+var ChunkNonce = class {
+  nonce = new Uint8Array(NONCE_LENGTH);
+  finished = false;
+  next(final) {
+    if (this.finished) {
+      throw new Error("STREAM: no chunks may follow the final chunk");
+    }
+    if (final) {
+      this.finished = true;
+      this.nonce[COUNTER_LENGTH] = 1;
+    }
+    const out = this.nonce.slice();
+    this.increment();
+    return out;
   }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  get done() {
+    return this.finished;
   }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+  increment() {
+    for (let i = COUNTER_LENGTH - 1; i >= 0; i--) {
+      const v = this.nonce[i] + 1 & 255;
+      this.nonce[i] = v;
+      if (v !== 0) return;
+    }
+    throw new Error("STREAM: chunk counter overflow");
+  }
+};
+function assertPayloadKey(payloadKey) {
+  if (payloadKey.length !== PAYLOAD_KEY_LENGTH) {
+    throw new Error(
+      `STREAM: payloadKey MUST be exactly ${PAYLOAD_KEY_LENGTH} bytes, got ${payloadKey.length}`
+    );
   }
-  return out;
 }
-function canonicalizeSlots(slots, kem) {
-  if (kem === "x25519") {
-    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+var StreamOpener = class {
+  payloadKey;
+  nonce = new ChunkNonce();
+  chunkIndex = 0;
+  constructor(payloadKey) {
+    assertPayloadKey(payloadKey);
+    this.payloadKey = payloadKey;
   }
-  return slots.map((s) => ({
-    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-    wrap: s.wrap
-  }));
+  openChunk(sealedChunk, final) {
+    if (sealedChunk.length < TAG_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: sealed chunk shorter than the ${TAG_SIZE}-byte tag floor`
+      );
+    }
+    if (!final && sealedChunk.length !== SEALED_CHUNK_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: non-final sealed chunk MUST be exactly ${SEALED_CHUNK_SIZE} bytes, got ${sealedChunk.length}`
+      );
+    }
+    if (final && sealedChunk.length > SEALED_CHUNK_SIZE) {
+      throw new StreamTamperedError(
+        `STREAM: final sealed chunk MUST be at most ${SEALED_CHUNK_SIZE} bytes, got ${sealedChunk.length}`
+      );
+    }
+    if (final && sealedChunk.length === TAG_SIZE && this.chunkIndex > 0) {
+      throw new StreamTamperedError("STREAM: zero-length final chunk on a non-empty stream");
+    }
+    let plaintext;
+    try {
+      plaintext = chacha20Poly1305Decrypt({
+        key: this.payloadKey,
+        nonce: this.nonce.next(final),
+        aad: EMPTY_AAD,
+        ciphertext: sealedChunk
+      });
+    } catch (e) {
+      if (!(e instanceof AeadVerificationError)) throw e;
+      throw new StreamTamperedError(`STREAM: chunk ${this.chunkIndex} tag verification failed`, {
+        cause: e
+      });
+    }
+    this.chunkIndex += 1;
+    return plaintext;
+  }
+};
+function streamOpen(args) {
+  const { ciphertext } = args;
+  const total = ciphertext.length;
+  if (total < TAG_SIZE) {
+    throw new StreamTamperedError(
+      `STREAM: ciphertext shorter than the ${TAG_SIZE}-byte single-tag floor`
+    );
+  }
+  const rem = total % SEALED_CHUNK_SIZE;
+  let nonFinalCount;
+  let finalSealedLength;
+  if (rem === 0) {
+    nonFinalCount = total / SEALED_CHUNK_SIZE - 1;
+    finalSealedLength = SEALED_CHUNK_SIZE;
+  } else if (rem >= TAG_SIZE) {
+    nonFinalCount = (total - rem) / SEALED_CHUNK_SIZE;
+    finalSealedLength = rem;
+  } else {
+    throw new StreamTamperedError("STREAM: trailing bytes cannot form a well-formed final chunk");
+  }
+  if (nonFinalCount > 0 && finalSealedLength === TAG_SIZE) {
+    throw new StreamTamperedError("STREAM: zero-length final chunk on a non-empty stream");
+  }
+  const opener = new StreamOpener(args.payloadKey);
+  const out = new Uint8Array(nonFinalCount * CHUNK_SIZE + finalSealedLength - TAG_SIZE);
+  let readOffset = 0;
+  let writeOffset = 0;
+  for (let i = 0; i < nonFinalCount; i++) {
+    const plaintext = opener.openChunk(
+      ciphertext.subarray(readOffset, readOffset + SEALED_CHUNK_SIZE),
+      false
+    );
+    out.set(plaintext, writeOffset);
+    readOffset += SEALED_CHUNK_SIZE;
+    writeOffset += CHUNK_SIZE;
+  }
+  const finalPlaintext = opener.openChunk(ciphertext.subarray(readOffset), true);
+  out.set(finalPlaintext, writeOffset);
+  return out;
 }
 function encodeCanonicalCbor(value) {
   return encode(value, {
@@ -947,23 +1043,54 @@ function encodeCanonicalCbor(value) {
     sortKeys: sortCoreDeterministic
   });
 }
+var CARDANO_POE_ITEM_HASHES_PREFIX = new TextEncoder().encode(
+  "cardano-poe-item-hashes-v1"
+);
 var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
   "cardano-poe-slots-transcript-v1"
 );
+var CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-passphrase-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC = new TextEncoder().encode(
+  "cardano-poe-passphrase-mac-v1"
+);
 var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
   "cardano-poe-payload-v1"
 );
 var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
   "cardano-poe-payload-passphrase-v1"
 );
+var CARDANO_POE_X25519_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-x25519-kek-salt-v1"
+);
 var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
   "cardano-poe-xwing-kek-salt-v1"
 );
+if (CARDANO_POE_ITEM_HASHES_PREFIX.length !== 26) {
+  throw new Error("CARDANO_POE_ITEM_HASHES_PREFIX byte-length invariant violated (expected 26)");
+}
 if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
   throw new Error(
     "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
   );
 }
+if (CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX.length !== 36) {
+  throw new Error(
+    "CARDANO_POE_PASSPHRASE_TRANSCRIPT_PREFIX byte-length invariant violated (expected 36)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC.length !== 29) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PASSPHRASE_MAC byte-length invariant violated (expected 29)"
+  );
+}
 if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
   throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
 }
@@ -972,52 +1099,62 @@ if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
     "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
   );
 }
+if (CARDANO_POE_X25519_KEK_SALT_PREFIX.length !== 30) {
+  throw new Error(
+    "CARDANO_POE_X25519_KEK_SALT_PREFIX byte-length invariant violated (expected 30)"
+  );
+}
 if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
   throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
 }
 var MAX_SLOTS = 1024;
 var MAX_DECODED_ENVELOPE_BYTES = 65536;
-var MAX_SEALED_PLAINTEXT = 274877906880;
-var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
-function assertCiphertextWithinBound(ciphertextLength) {
-  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
-    throw new SealedPayloadTooLargeError(
-      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
-    );
+var EMPTY_SALT2 = new Uint8Array(0);
+function labelledSha256(prefix, ...parts) {
+  let total = prefix.length;
+  for (const p of parts) total += p.length;
+  const message = new Uint8Array(total);
+  message.set(prefix, 0);
+  let offset = prefix.length;
+  for (const p of parts) {
+    message.set(p, offset);
+    offset += p.length;
   }
+  return sha256(message);
 }
-var SealedPayloadTooLargeError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "SealedPayloadTooLargeError";
+function itemHashesHash(hashes3) {
+  if (Object.keys(hashes3).length === 0) {
+    throw new EciesSealedPoeError(
+      "ENC_REQUIRES_CONTENT_HASH",
+      "hashes MUST carry at least one content-hash entry"
+    );
   }
-};
+  return labelledSha256(CARDANO_POE_ITEM_HASHES_PREFIX, encodeCanonicalCbor(hashes3));
+}
 function computeSlotsHash(args) {
+  const slots = args.kem === "x25519" ? args.slots.map((s) => ({ epk: s.epk, wrap: s.wrap })) : args.slots.map((s) => ({
+    kem_ct: s.kem_ct,
+    wrap: s.wrap
+  }));
   const transcript = {
     scheme: 1,
     path: "slots",
-    aead: "xchacha20-poly1305",
+    aead: args.aead,
     kem: args.kem,
     nonce: args.nonce,
-    slots: canonicalizeSlots(args.slots, args.kem)
+    slots,
+    hashes_hash: args.hashesHash
   };
-  const encoded = encodeCanonicalCbor(transcript);
-  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
-  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
-  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
-  return sha256(message);
+  return labelledSha256(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, encodeCanonicalCbor(transcript));
 }
-function adContentSlots(args) {
-  const ad = {
-    scheme: 1,
-    path: "slots",
-    aead: "xchacha20-poly1305",
-    kem: args.kem,
-    nonce: args.nonce,
-    slots_hash: args.slotsHash,
-    slots_mac: args.slotsMac
-  };
-  return encodeCanonicalCbor(ad);
+function computeSlotsMac(args) {
+  const macKey = hkdfSha2562({
+    ikm: args.cek,
+    salt: EMPTY_SALT2,
+    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+    length: 32
+  });
+  return hmac(sha256, macKey, args.slotsHash);
 }
 function slotsPayloadKey(args) {
   return hkdfSha2562({
@@ -1027,25 +1164,17 @@ function slotsPayloadKey(args) {
     length: 32
   });
 }
+function x25519KekSalt(args) {
+  return labelledSha256(CARDANO_POE_X25519_KEK_SALT_PREFIX, args.nonce, args.epk, args.pubR);
+}
 function xwingKekSalt(args) {
-  const message = new Uint8Array(
-    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
-  );
-  let offset = 0;
-  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
-  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
-  message.set(args.kemCt, offset);
-  offset += args.kemCt.length;
-  message.set(args.pubR, offset);
-  return sha256(message);
+  return labelledSha256(CARDANO_POE_XWING_KEK_SALT_PREFIX, args.nonce, args.kemCt, args.pubR);
 }
+var SEALED_POE_AEAD = "chacha20-poly1305-stream64k";
 var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
 var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
   "cardano-poe-kek-mlkem768x25519-v1"
 );
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
 var ZERO_NONCE_12 = new Uint8Array(12);
 if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
   throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
@@ -1055,9 +1184,6 @@ if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
     "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
   );
 }
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
-}
 if (ZERO_NONCE_12.length !== 12) {
   throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
 }
@@ -1067,22 +1193,56 @@ function compareCt(a, b) {
   for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
   return diff === 0;
 }
+var CEK_LENGTH2 = 32;
+function newSlotAcceptanceState() {
+  return {
+    foundBit: 0,
+    conflictBit: 0,
+    selectedCek: new Uint8Array(CEK_LENGTH2),
+    selectedSlotIdx: -1
+  };
+}
+function foldSlotAcceptance(state, ok, candidateCek, slotIdx) {
+  if (candidateCek.length !== CEK_LENGTH2) {
+    throw new Error(
+      `candidate CEK MUST be exactly ${CEK_LENGTH2} bytes, got ${candidateCek.length}`
+    );
+  }
+  const okBit = ok & 1;
+  const firstBit = okBit & (state.foundBit ^ 1);
+  const firstByteMask = -firstBit & 255;
+  const firstWordMask = -firstBit | 0;
+  let diff = 0;
+  for (let i = 0; i < CEK_LENGTH2; i++) {
+    diff |= candidateCek[i] ^ state.selectedCek[i];
+  }
+  const neqBit = (diff | -diff) >>> 31 & 1;
+  state.conflictBit |= okBit & state.foundBit & neqBit;
+  for (let i = 0; i < CEK_LENGTH2; i++) {
+    state.selectedCek[i] = candidateCek[i] & firstByteMask | state.selectedCek[i] & ~firstByteMask & 255;
+  }
+  state.selectedSlotIdx = slotIdx & firstWordMask | state.selectedSlotIdx & ~firstWordMask;
+  state.foundBit |= okBit;
+}
+function finishSlotAcceptance(state) {
+  const found = state.foundBit === 1;
+  return {
+    found,
+    cekConflict: state.conflictBit === 1,
+    selectedCek: found ? state.selectedCek : null,
+    selectedSlotIdx: state.selectedSlotIdx
+  };
+}
 function selectBundleSecrets(envelope, bundle) {
   return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
 }
 var ZERO_NONCE_122 = new Uint8Array(12);
-var EMPTY_SALT22 = new Uint8Array(0);
+var CEK_LENGTH3 = 32;
 var X25519_SECRET_KEY_LENGTH2 = 32;
 var X25519_PUBLIC_KEY_LENGTH2 = 32;
-var NONCE_LENGTH2 = 24;
+var NONCE_LENGTH3 = 24;
 var WRAP_LENGTH2 = 48;
 var SLOTS_MAC_LENGTH2 = 32;
-function concat2(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
-}
 function bytesKey(bytes) {
   let s = "";
   for (let i = 0; i < bytes.length; i++) {
@@ -1093,14 +1253,14 @@ function bytesKey(bytes) {
 function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (envelope.scheme !== 1) {
     throw new EciesSealedPoeError(
-      "UNSUPPORTED_ENC_VERSION",
+      "UNSUPPORTED_ENVELOPE_SCHEME",
       `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
     );
   }
-  if (envelope.aead !== "xchacha20-poly1305") {
+  if (envelope.aead !== SEALED_POE_AEAD) {
     throw new EciesSealedPoeError(
       "UNSUPPORTED_AEAD_ALG",
-      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+      `envelope.aead=${String(envelope.aead)} unsupported (expected '${SEALED_POE_AEAD}')`
     );
   }
   if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
@@ -1119,10 +1279,10 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
       `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
     );
   }
-  if (envelope.nonce.length !== NONCE_LENGTH2) {
+  if (envelope.nonce.length !== NONCE_LENGTH3) {
     throw new EciesSealedPoeError(
       "NONCE_LENGTH_MISMATCH",
-      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH3} bytes, got ${envelope.nonce.length}`
     );
   }
   if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
@@ -1159,11 +1319,10 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   } else {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
-      const enc = joinKemCt(slot.kem_ct);
-      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+      if (slot.kem_ct.length !== MLKEM768X25519_ENC_LENGTH) {
         throw new EciesSealedPoeError(
           "KEM_CT_LENGTH_MISMATCH",
-          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+          `envelope.slots[${i}].kem_ct MUST be exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${slot.kem_ct.length}`
         );
       }
       if (slot.wrap.length !== WRAP_LENGTH2) {
@@ -1172,7 +1331,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
-      const key = bytesKey(enc);
+      const key = bytesKey(slot.kem_ct);
       if (seenKemMaterial.has(key)) {
         throw new EciesSealedPoeError(
           "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
@@ -1183,7 +1342,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
     }
   }
   const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
-  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  const decodedEnvelopeBytes = NONCE_LENGTH3 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
   if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
     throw new EciesSealedPoeError(
       "ENC_ENVELOPE_TOO_LARGE",
@@ -1209,66 +1368,63 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   }
 }
 var ZERO_IKM_32 = new Uint8Array(32);
-function tryX25519Slot(args) {
-  const salt = concat2(args.slot.epk, args.pubRLocal);
-  let shared;
+var DUMMY_CEK_32 = new Uint8Array(32);
+function wrapOpenOrDummy(kek, aad, wrap) {
   try {
-    shared = x25519Ecdh({
-      secretKey: args.recipientSecretKey,
-      theirPublicKey: args.slot.epk
+    const plaintext = chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad,
+      ciphertext: wrap
     });
+    if (plaintext.length === CEK_LENGTH3) {
+      return { ok: 1, candidate: plaintext };
+    }
+    return { ok: 0, candidate: DUMMY_CEK_32 };
   } catch (e) {
-    if (!(e instanceof X25519LowOrderPointError)) throw e;
-    hkdfSha2562({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
-    return null;
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { ok: 0, candidate: DUMMY_CEK_32 };
   }
-  const kek = hkdfSha2562({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+}
+function tryX25519Slot(args) {
+  const salt = x25519KekSalt({ nonce: args.nonce, epk: args.slot.epk, pubR: args.pubRLocal });
+  let kemOk = 1;
+  let kek;
   try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK,
-      ciphertext: args.slot.wrap
+    const shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
     });
+    kek = hkdfSha2562({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
   } catch (e) {
-    if (!(e instanceof AeadVerificationError)) throw e;
-    return null;
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+    kemOk = 0;
+    kek = hkdfSha2562({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
   }
+  const opened = wrapOpenOrDummy(kek, CARDANO_POE_HKDF_INFO_KEK, args.slot.wrap);
+  return { ok: kemOk & opened.ok, candidate: opened.candidate };
 }
 function tryMlkem768X25519Slot(args) {
-  const enc = joinKemCt(args.slot.kem_ct);
-  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const ss = mlkem768x25519Decapsulate({
+    secretSeed: args.recipientSecretKey,
+    enc: args.slot.kem_ct
+  });
   const kek = hkdfSha2562({
     ikm: ss,
-    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
+    salt: xwingKekSalt({ nonce: args.nonce, kemCt: args.slot.kem_ct, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
-  try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-      ciphertext: args.slot.wrap
-    });
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError)) throw e;
-    return null;
-  }
+  return wrapOpenOrDummy(kek, CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519, args.slot.wrap);
 }
-function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+function runPrivPass(envelope, recipientSecretKey, slotsHash, slotsAttemptedOut) {
   const n = envelope.slots.length;
-  let cek = null;
-  let matchedSlotIdx = -1;
-  let cekConflict = false;
-  const recordMatch = (candidate, i) => {
-    if (candidate === null) return;
-    if (cek === null) {
-      cek = candidate;
-      matchedSlotIdx = i;
-    } else if (!compareCt(candidate, cek)) {
-      cekConflict = true;
-    }
+  const state = newSlotAcceptanceState();
+  let anyOpenedBit = 0;
+  const acceptSlot = (slot, i) => {
+    anyOpenedBit |= slot.ok;
+    const macOk = Number(compareCt(computeSlotsMac({ cek: slot.candidate, slotsHash }), envelope.slots_mac)) & 1;
+    foldSlotAcceptance(state, slot.ok & macOk, slot.candidate, i);
   };
   if (envelope.kem === "x25519") {
     const pubRLocal = x25519PublicKey2({ secretKey: recipientSecretKey });
@@ -1276,8 +1432,15 @@ function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN,
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
-      if (cek !== null && !constantTimeN) break;
+      acceptSlot(
+        tryX25519Slot({
+          slot: envelope.slots[i],
+          nonce: envelope.nonce,
+          recipientSecretKey,
+          pubRLocal
+        }),
+        i
+      );
     }
   } else {
     const pubR = mlkem768x25519Keygen2(recipientSecretKey).publicKey;
@@ -1285,22 +1448,37 @@ function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN,
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
-      if (cek !== null && !constantTimeN) break;
+      acceptSlot(
+        tryMlkem768X25519Slot({
+          slot: envelope.slots[i],
+          nonce: envelope.nonce,
+          recipientSecretKey,
+          pubR
+        }),
+        i
+      );
     }
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
+  const outcome = finishSlotAcceptance(state);
+  return {
+    found: outcome.found,
+    selectedCek: outcome.selectedCek,
+    selectedSlotIdx: outcome.selectedSlotIdx,
+    cekConflict: outcome.cekConflict,
+    anyOpened: anyOpenedBit === 1
+  };
 }
-function slotsHashBytes(envelope) {
+function slotsHashBytes(envelope, hashes3) {
   return computeSlotsHash({
+    aead: envelope.aead,
     kem: envelope.kem,
     nonce: envelope.nonce,
-    slots: envelope.slots
+    slots: envelope.slots,
+    hashesHash: itemHashesHash(hashes3)
   });
 }
 function eciesSealedPoeUnwrap(args) {
   const { envelope, ciphertext } = args;
-  const constantTimeN = args.constantTimeN ?? true;
   const hasSingle = "recipientSecretKey" in args;
   const hasBundle = "recipientKeyBundle" in args;
   const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
@@ -1325,100 +1503,47 @@ function eciesSealedPoeUnwrap(args) {
   } else {
     assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
-  assertCiphertextWithinBound(ciphertext.length);
-  const slotsHash = slotsHashBytes(envelope);
+  const slotsHash = slotsHashBytes(envelope, args.hashes);
   let matchedCek = null;
-  let anyCandidateRecovered = false;
-  if (hasSingle) {
-    const recipientSecretKey = args.recipientSecretKey;
-    const candidate = tryRecipientUnwrapWithIdx(
-      envelope,
-      recipientSecretKey,
-      constantTimeN,
-      args._slotsAttemptedOut
-    );
-    if (candidate === null) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+  let anyOpenedAcrossPrivs = false;
+  const privKeys = hasMulti ? multiPrivKeys : [args.recipientSecretKey];
+  for (let k = 0; k < privKeys.length; k++) {
+    if (args._privsAttemptedOut !== void 0) {
+      args._privsAttemptedOut.count = k + 1;
     }
-    if (candidate.cekConflict) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
+    if (args._slotsAttemptedOut !== void 0) {
+      args._slotsAttemptedOut.count = 0;
     }
-    const hmacKey = hkdfSha2562({
-      ikm: candidate.cek,
-      salt: EMPTY_SALT22,
-      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-      length: 32
-    });
-    const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
-    if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
-    }
-    matchedCek = candidate.cek;
-  } else {
-    const recipientSecretKeys = multiPrivKeys;
-    let cekConflict = false;
-    for (let k = 0; k < recipientSecretKeys.length; k++) {
-      if (args._privsAttemptedOut !== void 0) {
-        args._privsAttemptedOut.count = k + 1;
-      }
-      if (args._slotsAttemptedOut !== void 0) {
-        args._slotsAttemptedOut.count = 0;
-      }
-      const candidate = tryRecipientUnwrapWithIdx(
-        envelope,
-        recipientSecretKeys[k],
-        constantTimeN,
-        args._slotsAttemptedOut
-      );
-      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
-        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
-      }
-      if (candidate === null) continue;
-      if (candidate.cekConflict) cekConflict = true;
-      const cek = candidate.cek;
-      const hmacKey = hkdfSha2562({
-        ikm: cek,
-        salt: EMPTY_SALT22,
-        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-        length: 32
-      });
-      const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
-      if (compareCt(slotsMacCalc, envelope.slots_mac)) {
-        matchedCek = cek;
-        break;
-      }
-      anyCandidateRecovered = true;
+    const pass = runPrivPass(envelope, privKeys[k], slotsHash, args._slotsAttemptedOut);
+    if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+      args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
     }
-    if (matchedCek !== null && cekConflict) {
+    anyOpenedAcrossPrivs = anyOpenedAcrossPrivs || pass.anyOpened;
+    if (!pass.found) continue;
+    if (pass.cekConflict) {
       return { matched: false, reason: "TAMPERED_HEADER" };
     }
-    if (matchedCek === null) {
-      return {
-        matched: false,
-        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
-      };
-    }
+    matchedCek = pass.selectedCek;
+    break;
+  }
+  if (matchedCek === null) {
+    return {
+      matched: false,
+      reason: anyOpenedAcrossPrivs ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+    };
   }
-  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
-  const adContent = adContentSlots({
-    kem: envelope.kem,
-    nonce: envelope.nonce,
-    slotsHash,
-    slotsMac: envelope.slots_mac
-  });
   try {
-    const plaintext = xchacha20Poly1305Decrypt({
-      key: payloadKey,
-      nonce: envelope.nonce,
-      aad: adContent,
+    const plaintext = streamOpen({
+      payloadKey: slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce }),
       ciphertext
     });
     return { matched: true, plaintext };
   } catch (e) {
-    if (!(e instanceof AeadVerificationError)) throw e;
+    if (!(e instanceof StreamTamperedError)) throw e;
     return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
   }
 }
+new TextEncoder();
 ed.hashes.sha512 = sha512;
 ed.Point.CURVE().n;
 function signEd25519(opts2) {
@@ -1460,6 +1585,7 @@ function decryptSealedFromSeed(args) {
   return eciesSealedPoeUnwrap({
     envelope: args.envelope,
     ciphertext: args.ciphertext,
+    hashes: args.hashes,
     recipientKeyBundle: recipientKeyBundleFromSeed(args.seed)
   });
 }