@digitaldefiance/node-ecies-lib 4.5.19 → 4.6.3

package/src/interfaces/stream-progress.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Progress information for streaming operations
+ */
+export interface IStreamProgress {
+    /** Total bytes processed so far */
+    bytesProcessed: number;
+    /** Total bytes to process (undefined for unknown-length streams) */
+    totalBytes?: number;
+    /** Number of chunks processed */
+    chunksProcessed: number;
+    /** Percentage complete (0-100, undefined if totalBytes unknown) */
+    percentComplete?: number;
+    /** Current throughput in bytes per second */
+    throughputBytesPerSec: number;
+    /** Estimated time remaining in seconds (undefined if totalBytes unknown) */
+    estimatedTimeRemaining?: number;
+    /** Timestamp when operation started */
+    startTime: number;
+    /** Elapsed time in milliseconds */
+    elapsedTime: number;
+}
+//# sourceMappingURL=stream-progress.d.ts.map

package/src/interfaces/stream-progress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stream-progress.d.ts","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/stream-progress.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,oEAAoE;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,4EAA4E;IAC5E,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;CACrB"}

package/src/interfaces/stream-progress.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=stream-progress.js.map

package/src/interfaces/stream-progress.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stream-progress.js","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/stream-progress.ts"],"names":[],"mappings":""}

package/src/interfaces/voting-consts.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Constants for voting operations using Paillier homomorphic encryption.
+ * These values are critical for cryptographic operations and should be consistent
+ * across all implementations (ecies-lib, node-ecies-lib, BrightChain).
+ *
+ * This file is separated from voting.service.ts to avoid circular dependencies
+ * with isolated-public.ts and isolated-private.ts.
+ */
+export interface IVotingConsts {
+    /**
+     * Info string used in HKDF for prime generation.
+     * This provides domain separation in the key derivation process.
+     */
+    readonly PRIME_GEN_INFO: 'PaillierPrimeGen';
+    /**
+     * Number of iterations for Miller-Rabin primality test.
+     * With 256 rounds, probability of false positive is < 2^-512.
+     */
+    readonly PRIME_TEST_ITERATIONS: 256;
+    /**
+     * Bit length for Paillier key pair generation.
+     * 3072 bits provides ~128-bit security level (NIST recommended).
+     */
+    readonly KEYPAIR_BIT_LENGTH: 3072;
+    /**
+     * Offset of the public key in the key pair buffer.
+     * Used for buffer serialization calculations.
+     */
+    readonly PUB_KEY_OFFSET: 768;
+    /**
+     * HKDF output length in bytes.
+     * SHA-512 produces 64 bytes.
+     */
+    readonly HKDF_LENGTH: 64;
+    /**
+     * HMAC algorithm for HKDF key derivation.
+     */
+    readonly HMAC_ALGORITHM: 'sha512';
+    /**
+     * Hash algorithm for key ID generation and HMAC tagging.
+     */
+    readonly HASH_ALGORITHM: 'sha256';
+    /**
+     * Radix for bit string representation (binary).
+     */
+    readonly BITS_RADIX: 2;
+    /**
+     * Radix for key serialization (hexadecimal).
+     */
+    readonly KEY_RADIX: 16;
+    /**
+     * Format for key serialization.
+     */
+    readonly KEY_FORMAT: 'hex';
+    /**
+     * Format for digest output.
+     */
+    readonly DIGEST_FORMAT: 'hex';
+    /**
+     * Version number for key serialization format.
+     */
+    readonly KEY_VERSION: 1;
+    /**
+     * Magic bytes for identifying BrightChain voting keys.
+     */
+    readonly KEY_MAGIC: 'BCVK';
+    /**
+     * Maximum attempts to generate a valid prime in DRBG.
+     */
+    readonly DRBG_PRIME_ATTEMPTS: 20000;
+    /**
+     * Length of key ID in bytes (SHA-256 output).
+     */
+    readonly KEY_ID_LENGTH: 32;
+    /**
+     * Length of instance ID in bytes (SHA-256 output).
+     */
+    readonly INSTANCE_ID_LENGTH: 32;
+}
+/**
+ * Constants for voting operations using Paillier homomorphic encryption.
+ * These values are critical for cryptographic operations and MUST match
+ * across all implementations (ecies-lib, node-ecies-lib, BrightChain).
+ */
+export declare const VOTING: IVotingConsts;
+//# sourceMappingURL=voting-consts.d.ts.map

package/src/interfaces/voting-consts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"voting-consts.d.ts","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/voting-consts.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,QAAQ,CAAC,cAAc,EAAE,kBAAkB,CAAC;IAE5C;;;OAGG;IACH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,CAAC;IAEpC;;;OAGG;IACH,QAAQ,CAAC,kBAAkB,EAAE,IAAI,CAAC;IAElC;;;OAGG;IACH,QAAQ,CAAC,cAAc,EAAE,GAAG,CAAC;IAE7B;;;OAGG;IACH,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;IAEzB;;OAEG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC;IAElC;;OAEG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC;IAElC;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAEvB;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC;IAEvB;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC;IAE3B;;OAEG;IACH,QAAQ,CAAC,aAAa,EAAE,KAAK,CAAC;IAE9B;;OAEG;IACH,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAExB;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,QAAQ,CAAC,mBAAmB,EAAE,KAAK,CAAC;IAEpC;;OAEG;IACH,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;IAE3B;;OAEG;IACH,QAAQ,CAAC,kBAAkB,EAAE,EAAE,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,MAAM,EAAE,aAiBnB,CAAC"}

package/src/interfaces/voting-consts.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VOTING = void 0;
+/**
+ * Constants for voting operations using Paillier homomorphic encryption.
+ * These values are critical for cryptographic operations and MUST match
+ * across all implementations (ecies-lib, node-ecies-lib, BrightChain).
+ */
+exports.VOTING = Object.freeze({
+    PRIME_GEN_INFO: 'PaillierPrimeGen',
+    PRIME_TEST_ITERATIONS: 256,
+    KEYPAIR_BIT_LENGTH: 3072,
+    PUB_KEY_OFFSET: 768,
+    HKDF_LENGTH: 64,
+    HMAC_ALGORITHM: 'sha512',
+    HASH_ALGORITHM: 'sha256',
+    BITS_RADIX: 2,
+    KEY_RADIX: 16,
+    KEY_FORMAT: 'hex',
+    DIGEST_FORMAT: 'hex',
+    KEY_VERSION: 1,
+    KEY_MAGIC: 'BCVK',
+    DRBG_PRIME_ATTEMPTS: 20000,
+    KEY_ID_LENGTH: 32,
+    INSTANCE_ID_LENGTH: 32,
+});
+//# sourceMappingURL=voting-consts.js.map

package/src/interfaces/voting-consts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"voting-consts.js","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/voting-consts.ts"],"names":[],"mappings":";;;AA+FA;;;;GAIG;AACU,QAAA,MAAM,GAAkB,MAAM,CAAC,MAAM,CAAC;IACjD,cAAc,EAAE,kBAA2B;IAC3C,qBAAqB,EAAE,GAAY;IACnC,kBAAkB,EAAE,IAAa;IACjC,cAAc,EAAE,GAAY;IAC5B,WAAW,EAAE,EAAW;IACxB,cAAc,EAAE,QAAiB;IACjC,cAAc,EAAE,QAAiB;IACjC,UAAU,EAAE,CAAU;IACtB,SAAS,EAAE,EAAW;IACtB,UAAU,EAAE,KAAc;IAC1B,aAAa,EAAE,KAAc;IAC7B,WAAW,EAAE,CAAU;IACvB,SAAS,EAAE,MAAe;IAC1B,mBAAmB,EAAE,KAAc;IACnC,aAAa,EAAE,EAAW;IAC1B,kBAAkB,EAAE,EAAW;CAChC,CAAC,CAAC"}

package/src/interfaces/wallet-seed.d.ts

@@ -0,0 +1,7 @@
+import { SecureBuffer } from '@digitaldefiance/ecies-lib';
+import { Wallet } from '@ethereumjs/wallet';
+export interface IWalletSeed {
+    wallet: Wallet;
+    seed: SecureBuffer;
+}
+//# sourceMappingURL=wallet-seed.d.ts.map

package/src/interfaces/wallet-seed.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet-seed.d.ts","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/wallet-seed.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,YAAY,CAAC;CACpB"}

package/src/interfaces/wallet-seed.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=wallet-seed.js.map

package/src/interfaces/wallet-seed.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet-seed.js","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/wallet-seed.ts"],"names":[],"mappings":""}

package/src/interfaces/wrapped-key-consts.d.ts

@@ -0,0 +1,7 @@
+export interface IWrappedKeyConsts {
+    SALT_SIZE: number;
+    IV_SIZE: number;
+    MASTER_KEY_SIZE: number;
+    MIN_ITERATIONS: number;
+}
+//# sourceMappingURL=wrapped-key-consts.d.ts.map

package/src/interfaces/wrapped-key-consts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapped-key-consts.d.ts","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/wrapped-key-consts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;CACxB"}

package/src/interfaces/wrapped-key-consts.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=wrapped-key-consts.js.map

package/src/interfaces/wrapped-key-consts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapped-key-consts.js","sourceRoot":"","sources":["../../../../../packages/digitaldefiance-node-ecies-lib/src/interfaces/wrapped-key-consts.ts"],"names":[],"mappings":""}

package/src/isolated-private.d.ts

@@ -0,0 +1,62 @@
+import { IIsolatedPrivateKey } from '@digitaldefiance/ecies-lib';
+import { PrivateKey } from 'paillier-bigint';
+import { IsolatedPublicKey } from './isolated-public';
+/**
+ * IsolatedPrivateKey extends Paillier PrivateKey with instance isolation validation.
+ *
+ * This class ensures that:
+ * - Decryption only works with ciphertexts encrypted by the matching IsolatedPublicKey instance
+ * - Instance ID verification prevents cross-instance decryption attacks
+ * - HMAC validation ensures ciphertext integrity
+ *
+ * The private key stores the original keyId and instanceId from construction time,
+ * and validates them before any decryption operation.
+ */
+export declare class IsolatedPrivateKey extends PrivateKey implements IIsolatedPrivateKey<Buffer, 'sync'> {
+    /**
+     * Original keyId from the IsolatedPublicKey at construction time
+     */
+    private readonly _originalKeyId;
+    /**
+     * Original instanceId from the IsolatedPublicKey at construction time
+     */
+    private readonly _originalInstanceId;
+    /**
+     * Reference to the original IsolatedPublicKey
+     */
+    private readonly _originalPublicKey;
+    constructor(lambda: bigint, mu: bigint, publicKey: IsolatedPublicKey);
+    /**
+     * Converts hex string to Buffer
+     */
+    private hexToBuffer;
+    /**
+     * Converts Buffer to hex string
+     */
+    private bufferToHex;
+    /**
+     * Compares two Buffers for equality
+     */
+    private bufferEquals;
+    /**
+     * Decrypts a tagged ciphertext after validating instance ID and HMAC
+     */
+    decryptIsolated(taggedCiphertext: bigint): bigint;
+    /**
+     * Synchronous decrypt override (throws error - use decryptIsolated instead)
+     */
+    decrypt(_taggedCiphertext: bigint): bigint;
+    /**
+     * Gets a copy of the original keyId
+     */
+    getOriginalKeyId(): Buffer;
+    /**
+     * Gets a copy of the original instanceId
+     */
+    getOriginalInstanceId(): Buffer;
+    /**
+     * Gets the original public key reference
+     */
+    getOriginalPublicKey(): IsolatedPublicKey;
+}
+//# sourceMappingURL=isolated-private.d.ts.map

package/src/isolated-private.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isolated-private.d.ts","sourceRoot":"","sources":["../../../../packages/digitaldefiance-node-ecies-lib/src/isolated-private.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAa,MAAM,iBAAiB,CAAC;AAKxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD;;;;;;;;;;GAUG;AACH,qBAAa,kBACX,SAAQ,UACR,YAAW,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC;IAE9C;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IAExC;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAE7C;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAoB;gBAE3C,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,iBAAiB;IAepE;;OAEG;IACH,OAAO,CAAC,WAAW;IAOnB;;OAEG;IACH,OAAO,CAAC,WAAW;IAInB;;OAEG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACI,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM;IAsDxD;;OAEG;IAEM,OAAO,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;IAInD;;OAEG;IACI,gBAAgB,IAAI,MAAM;IAIjC;;OAEG;IACI,qBAAqB,IAAI,MAAM;IAItC;;OAEG;IACI,oBAAoB,IAAI,iBAAiB;CAGjD"}

package/src/isolated-private.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IsolatedPrivateKey = void 0;
+const crypto_1 = require("crypto");
+const paillier_bigint_1 = require("paillier-bigint");
+const voting_error_type_1 = require("./enumerations/voting-error-type");
+const voting_1 = require("./errors/voting");
+const voting_consts_1 = require("./interfaces/voting-consts");
+const isolated_public_1 = require("./isolated-public");
+/**
+ * IsolatedPrivateKey extends Paillier PrivateKey with instance isolation validation.
+ *
+ * This class ensures that:
+ * - Decryption only works with ciphertexts encrypted by the matching IsolatedPublicKey instance
+ * - Instance ID verification prevents cross-instance decryption attacks
+ * - HMAC validation ensures ciphertext integrity
+ *
+ * The private key stores the original keyId and instanceId from construction time,
+ * and validates them before any decryption operation.
+ */
+class IsolatedPrivateKey extends paillier_bigint_1.PrivateKey {
+    /**
+     * Original keyId from the IsolatedPublicKey at construction time
+     */
+    _originalKeyId;
+    /**
+     * Original instanceId from the IsolatedPublicKey at construction time
+     */
+    _originalInstanceId;
+    /**
+     * Reference to the original IsolatedPublicKey
+     */
+    _originalPublicKey;
+    constructor(lambda, mu, publicKey) {
+        if (!isolated_public_1.IsolatedPublicKey.isIsolatedPublicKey(publicKey)) {
+            throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.InvalidPublicKeyFormat);
+        }
+        // Create a base PublicKey instance for the parent constructor
+        const basePublicKey = new paillier_bigint_1.PublicKey(publicKey.n, publicKey.g);
+        super(lambda, mu, basePublicKey);
+        // Store the isolated public key for our own use
+        this._originalKeyId = publicKey.getKeyId();
+        this._originalInstanceId = publicKey.getInstanceId();
+        this._originalPublicKey = publicKey;
+    }
+    /**
+     * Converts hex string to Buffer
+     */
+    hexToBuffer(hex) {
+        if (hex.length % 2 !== 0) {
+            hex = '0' + hex;
+        }
+        return Buffer.from(hex, 'hex');
+    }
+    /**
+     * Converts Buffer to hex string
+     */
+    bufferToHex(bytes) {
+        return bytes.toString('hex');
+    }
+    /**
+     * Compares two Buffers for equality
+     */
+    bufferEquals(a, b) {
+        return Buffer.compare(a, b) === 0;
+    }
+    /**
+     * Decrypts a tagged ciphertext after validating instance ID and HMAC
+     */
+    decryptIsolated(taggedCiphertext) {
+        // First verify if we're using a recovered key by checking the public key instance
+        if (!isolated_public_1.IsolatedPublicKey.isIsolatedPublicKey(this._originalPublicKey)) {
+            throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.InvalidPublicKeyFormat);
+        }
+        // Compare instance IDs before any ciphertext operations
+        const currentInstanceId = this._originalPublicKey.getInstanceId();
+        // This check must happen before any ciphertext operations
+        if (!this.bufferEquals(currentInstanceId, this._originalInstanceId)) {
+            throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.InstanceIdMismatch);
+        }
+        // Now that we've verified the instance ID, we can proceed with ciphertext operations
+        try {
+            const hmacLength = 64;
+            const ciphertextString = taggedCiphertext.toString(voting_consts_1.VOTING.KEY_RADIX);
+            const receivedHmac = ciphertextString.slice(-hmacLength);
+            const ciphertextHex = ciphertextString.slice(0, -hmacLength);
+            const ciphertextBigInt = BigInt(`0x${ciphertextHex}`);
+            // Create HMAC key from originalKeyId + originalInstanceId
+            const hmacKeyMaterial = Buffer.concat([
+                this._originalKeyId,
+                this._originalInstanceId,
+            ]);
+            // Calculate expected HMAC
+            const ciphertextBytes = Buffer.from(ciphertextBigInt.toString(voting_consts_1.VOTING.KEY_RADIX), 'utf8');
+            const hmac = (0, crypto_1.createHmac)('sha256', hmacKeyMaterial);
+            hmac.update(ciphertextBytes);
+            const expectedHmac = this.bufferToHex(hmac.digest());
+            // Verify HMAC
+            if (receivedHmac !== expectedHmac) {
+                throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.InvalidCiphertextHmac);
+            }
+            // Finally decrypt the ciphertext using the parent class implementation
+            return super.decrypt(ciphertextBigInt);
+        }
+        catch (error) {
+            if (error instanceof voting_1.VotingError) {
+                throw error;
+            }
+            throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.InvalidPrivateKeyBufferFailedToParse);
+        }
+    }
+    /**
+     * Synchronous decrypt override (throws error - use decryptIsolated instead)
+     */
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    decrypt(_taggedCiphertext) {
+        throw new voting_1.VotingError(voting_error_type_1.VotingErrorType.KeyPairValidationFailed);
+    }
+    /**
+     * Gets a copy of the original keyId
+     */
+    getOriginalKeyId() {
+        return Buffer.from(this._originalKeyId);
+    }
+    /**
+     * Gets a copy of the original instanceId
+     */
+    getOriginalInstanceId() {
+        return Buffer.from(this._originalInstanceId);
+    }
+    /**
+     * Gets the original public key reference
+     */
+    getOriginalPublicKey() {
+        return this._originalPublicKey;
+    }
+}
+exports.IsolatedPrivateKey = IsolatedPrivateKey;
+//# sourceMappingURL=isolated-private.js.map

package/src/isolated-private.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isolated-private.js","sourceRoot":"","sources":["../../../../packages/digitaldefiance-node-ecies-lib/src/isolated-private.ts"],"names":[],"mappings":";;;AAAA,mCAAoC;AAGpC,qDAAwD;AAExD,wEAAmE;AACnE,4CAA8C;AAC9C,8DAAoD;AACpD,uDAAsD;AAEtD;;;;;;;;;;GAUG;AACH,MAAa,kBACX,SAAQ,4BAAU;IAGlB;;OAEG;IACc,cAAc,CAAS;IAExC;;OAEG;IACc,mBAAmB,CAAS;IAE7C;;OAEG;IACc,kBAAkB,CAAoB;IAEvD,YAAY,MAAc,EAAE,EAAU,EAAE,SAA4B;QAClE,IAAI,CAAC,mCAAiB,CAAC,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,oBAAW,CAAC,mCAAe,CAAC,sBAAsB,CAAC,CAAC;QAChE,CAAC;QAED,8DAA8D;QAC9D,MAAM,aAAa,GAAG,IAAI,2BAAS,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;QAC9D,KAAK,CAAC,MAAM,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC;QAEjC,gDAAgD;QAChD,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;QAC3C,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC,aAAa,EAAE,CAAC;QACrD,IAAI,CAAC,kBAAkB,GAAG,SAAS,CAAC;IACtC,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;QAClB,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAAa;QAC/B,OAAO,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,CAAS,EAAE,CAAS;QACvC,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACI,eAAe,CAAC,gBAAwB;QAC7C,kFAAkF;QAClF,IAAI,CAAC,mCAAiB,CAAC,mBAAmB,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,oBAAW,CAAC,mCAAe,CAAC,sBAAsB,CAAC,CAAC;QAChE,CAAC;QAED,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,IAAI,CAAC,kBAAkB,CAAC,aAAa,EAAE,CAAC;QAElE,0DAA0D;QAC1D,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,oBAAW,CAAC,mCAAe,CAAC,kBAAkB,CAAC,CAAC;QAC5D,CAAC;QAED,qFAAqF;QACrF,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,EAAE,CAAC;YACtB,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,sBAAM,CAAC,SAAS,CAAC,CAAC;YACrE,MAAM,YAAY,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,CAAC;YACzD,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;YAC7D,MAAM,gBAAgB,GAAG,MAAM,CAAC,KAAK,aAAa,EAAE,CAAC,CAAC;YAEtD,0DAA0D;YAC1D,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC;gBACpC,IAAI,CAAC,cAAc;gBACnB,IAAI,CAAC,mBAAmB;aACzB,CAAC,CAAC;YAEH,0BAA0B;YAC1B,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,gBAAgB,CAAC,QAAQ,CAAC,sBAAM,CAAC,SAAS,CAAC,EAC3C,MAAM,CACP,CAAC;YACF,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;YACnD,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YAC7B,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAErD,cAAc;YACd,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;gBAClC,MAAM,IAAI,oBAAW,CAAC,mCAAe,CAAC,qBAAqB,CAAC,CAAC;YAC/D,CAAC;YAED,uEAAuE;YACvE,OAAO,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACzC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,oBAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,oBAAW,CACnB,mCAAe,CAAC,oCAAoC,CACrD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,6DAA6D;IACpD,OAAO,CAAC,iBAAyB;QACxC,MAAM,IAAI,oBAAW,CAAC,mCAAe,CAAC,uBAAuB,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACI,gBAAgB;QACrB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACI,qBAAqB;QAC1B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACI,oBAAoB;QACzB,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;CACF;AA/ID,gDA+IC"}

package/src/isolated-public.d.ts

@@ -0,0 +1,118 @@
+import { IIsolatedPublicKey } from '@digitaldefiance/ecies-lib';
+import { PublicKey } from 'paillier-bigint';
+/**
+ * IsolatedPublicKey extends Paillier PublicKey with instance isolation capabilities.
+ *
+ * This class provides:
+ * - keyId: A deterministic SHA-256 hash of the public key 'n' value for verification
+ * - instanceId: A unique identifier per key instance to prevent cross-instance operations
+ * - HMAC-tagged ciphertexts that bind encrypted values to a specific key instance
+ *
+ * Instance isolation ensures that ciphertexts encrypted with one instance cannot be
+ * used with another instance, even if they share the same underlying key material.
+ * This is critical for voting systems where ballot tampering must be prevented.
+ */
+export declare class IsolatedPublicKey extends PublicKey implements IIsolatedPublicKey<Buffer, 'sync'> {
+    /**
+     * Type guard to check if a PublicKey is an IsolatedPublicKey
+     */
+    static isIsolatedPublicKey(key: PublicKey): key is IsolatedPublicKey;
+    /**
+     * Deterministic identifier derived from the public key (SHA-256 of 'n')
+     */
+    readonly keyId: Buffer;
+    /**
+     * Original instance ID generated at construction time
+     */
+    private readonly _originalInstanceId;
+    /**
+     * Current instance ID (can be updated via updateInstanceId())
+     */
+    private _currentInstanceId;
+    /**
+     * Unique salt used for instance ID generation
+     */
+    private readonly uniqueInstanceSalt;
+    /**
+     * Updates the current instance ID to a new random value.
+     * This invalidates all previously encrypted ciphertexts.
+     */
+    updateInstanceId(): void;
+    /**
+     * Generates a deterministic instance ID from keyId, n, and a unique salt
+     */
+    private generateInstanceId;
+    /**
+     * SHA-256 hash using Node.js crypto
+     */
+    private sha256;
+    /**
+     * Converts hex string to Buffer
+     */
+    private hexToBuffer;
+    /**
+     * Converts Buffer to hex string
+     */
+    private bufferToHex;
+    constructor(n: bigint, g: bigint, keyId: Buffer);
+    /**
+     * Static factory method to create IsolatedPublicKey synchronously
+     */
+    static create(n: bigint, g: bigint, keyId: Buffer): IsolatedPublicKey;
+    /**
+     * Static factory method to create IsolatedPublicKey from deserialized data
+     * Used when reconstructing a key from a buffer with a stored instanceId
+     */
+    static fromBuffer(n: bigint, g: bigint, keyId: Buffer, instanceId: Buffer): IsolatedPublicKey;
+    /**
+     * Returns a copy of the keyId
+     */
+    getKeyId(): Buffer;
+    /**
+     * Returns a copy of the current instance ID
+     */
+    getInstanceId(): Buffer;
+    /**
+     * Tags a ciphertext with an HMAC using keyId + instanceId
+     * Returns a new bigint with the HMAC appended
+     */
+    private tagCiphertext;
+    /**
+     * Extracts and validates the instance ID from a tagged ciphertext
+     * Returns the instance ID if valid, or zero-filled buffer if invalid
+     */
+    extractInstanceId(ciphertext: bigint): Buffer;
+    /**
+     * Encrypts a message and tags it with instance HMAC
+     */
+    encryptIsolated(m: bigint): bigint;
+    /**
+     * Synchronous encrypt override (throws error - use encryptIsolated instead)
+     */
+    encrypt(_m: bigint): bigint;
+    /**
+     * Multiplies a ciphertext by a constant, preserving instance HMAC
+     */
+    multiplyIsolated(ciphertext: bigint, constant: bigint): bigint;
+    /**
+     * Synchronous multiply override (throws error - use multiplyIsolated instead)
+     */
+    multiply(_ciphertext: bigint, _constant: bigint): bigint;
+    /**
+     * Adds two ciphertexts, preserving instance HMAC
+     */
+    additionIsolated(a: bigint, b: bigint): bigint;
+    /**
+     * Synchronous addition override (throws error - use additionIsolated instead)
+     */
+    addition(_a: bigint, _b: bigint): bigint;
+    /**
+     * Verifies that the keyId matches the SHA-256 hash of the public key 'n'
+     */
+    verifyKeyId(): void;
+    /**
+     * Compares two Buffers for equality
+     */
+    private bufferEquals;
+}
+//# sourceMappingURL=isolated-public.d.ts.map

package/src/isolated-public.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isolated-public.d.ts","sourceRoot":"","sources":["../../../../packages/digitaldefiance-node-ecies-lib/src/isolated-public.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAM5C;;;;;;;;;;;GAWG;AACH,qBAAa,iBACX,SAAQ,SACR,YAAW,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC;IAE7C;;OAEG;WACW,mBAAmB,CAAC,GAAG,EAAE,SAAS,GAAG,GAAG,IAAI,iBAAiB;IAI3E;;OAEG;IACH,SAAgB,KAAK,EAAE,MAAM,CAAC;IAE9B;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAE7C;;OAEG;IACH,OAAO,CAAC,kBAAkB,CAAS;IAEnC;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAE5C;;;OAGG;IACI,gBAAgB,IAAI,IAAI;IAS/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAkB1B;;OAEG;IACH,OAAO,CAAC,MAAM;IAId;;OAEG;IACH,OAAO,CAAC,WAAW;IAOnB;;OAEG;IACH,OAAO,CAAC,WAAW;gBAIP,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM;IAgB/C;;OAEG;WACW,MAAM,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,iBAAiB;IAsC5E;;;OAGG;WACW,UAAU,CACtB,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,EACT,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,GACjB,iBAAiB;IA8BpB;;OAEG;IACI,QAAQ,IAAI,MAAM;IAIzB;;OAEG;IACI,aAAa,IAAI,MAAM;IAI9B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAuBrB;;;OAGG;IACI,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAiCpD;;OAEG;IACI,eAAe,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM;IAMzC;;OAEG;IAEM,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM;IAIpC;;OAEG;IACI,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;IAmBrE;;OAEG;IAEM,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM;IAIjE;;OAEG;IACI,gBAAgB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM;IAuBrD;;OAEG;IAEM,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM;IAIjD;;OAEG;IACI,WAAW,IAAI,IAAI;IAa1B;;OAEG;IACH,OAAO,CAAC,YAAY;CAGrB"}