@f0rest8/metamorphic-crypto 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @f0rest8/metamorphic-crypto
2
2
 
3
- Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-768/1024 + X25519).
3
+ Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-512/768/1024 + X25519).
4
4
 
5
5
  Built for [Metamorphic](https://metamorphic.app) and [Mosslet](https://mosslet.com) — privacy-first apps by [Moss Piglet Corporation](https://mosspiglet.dev) where all user data is encrypted client-side and the server only stores opaque ciphertext.
6
6
 
@@ -103,7 +103,17 @@ import { generateHybridKeyPair1024, sealForUserWithLevel } from "@f0rest8/metamo
103
103
 
104
104
  const pq5 = generateHybridKeyPair1024(); // { publicKey, secretKey } (ML-KEM-1024)
105
105
  const sealed = sealForUserWithLevel(plaintextBase64, x25519.publicKey, pq5.publicKey, "cat5");
106
- // unsealFromUser auto-detects Cat-3 vs Cat-5, no level param needed
106
+ // unsealFromUser auto-detects Cat-1 vs Cat-3 vs Cat-5, no level param needed
107
+ ```
108
+
109
+ ### Cat-1 (ML-KEM-512, opt-in)
110
+
111
+ ```js
112
+ import { generateHybridKeyPair512, sealForUserWithLevel } from "@f0rest8/metamorphic-crypto";
113
+
114
+ const pq1 = generateHybridKeyPair512(); // { publicKey, secretKey } (ML-KEM-512)
115
+ const sealed = sealForUserWithLevel(plaintextBase64, x25519.publicKey, pq1.publicKey, "cat1");
116
+ // unsealFromUser auto-detects the level from the version tag, no level param needed
107
117
  ```
108
118
 
109
119
  ### Private key management
@@ -212,10 +222,11 @@ across native Rust, WASM, and the Elixir NIF.
212
222
 
213
223
  | Level | ML-KEM | NIST Category | Equivalent | Default |
214
224
  |-------|--------|---------------|------------|---------|
225
+ | Cat-1 | 512 | 1 | ~AES-128 | No |
215
226
  | Cat-3 | 768 | 3 | ~AES-192 | Yes |
216
227
  | Cat-5 | 1024 | 5 | ~AES-256 | No |
217
228
 
218
- Decryption always auto-detects the level from the ciphertext version tag.
229
+ Decryption always auto-detects the level from the ciphertext version tag. NIST (FIPS 203) standardizes ML-KEM only at categories 1/3/5 — there is no category-2/4 set. The classical half is X25519 (~Cat-1 classical) at every tier; at Cat-3/Cat-5 the post-quantum half dominates and X25519 is the classical floor (standard hybrid-KEM practice).
219
230
 
220
231
  ## Security properties
221
232
 
@@ -72,6 +72,11 @@ export function generateHybridKeyPair(): any;
72
72
  */
73
73
  export function generateHybridKeyPair1024(): any;
74
74
 
75
+ /**
76
+ * Generate a ML-KEM-512 + X25519 keypair (Cat-1). Returns JSON: `{ publicKey, secretKey }`.
77
+ */
78
+ export function generateHybridKeyPair512(): any;
79
+
75
80
  /**
76
81
  * Generate a random 32-byte symmetric key (base64).
77
82
  */
@@ -123,7 +128,8 @@ export function sealForUser(plaintext_b64: string, public_key_b64: string, pq_pu
123
128
  /**
124
129
  * Seal plaintext bytes (base64) to a user's key(s) at a specific security level.
125
130
  *
126
- * `level` must be `"cat3"` (ML-KEM-768, default) or `"cat5"` (ML-KEM-1024).
131
+ * `level` must be `"cat1"` (ML-KEM-512), `"cat3"` (ML-KEM-768, default), or
132
+ * `"cat5"` (ML-KEM-1024).
127
133
  * If `pq_public_key_b64` is absent or empty, falls back to legacy X25519.
128
134
  */
129
135
  export function sealForUserWithLevel(plaintext_b64: string, public_key_b64: string, pq_public_key_b64: string | null | undefined, level: string): string;
@@ -192,6 +198,7 @@ export interface InitOutput {
192
198
  readonly sealForUser: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void;
193
199
  readonly unsealFromUser: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
194
200
  readonly sealForUserWithLevel: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
201
+ readonly generateHybridKeyPair512: () => number;
195
202
  readonly generateHybridKeyPair: () => number;
196
203
  readonly generateHybridKeyPair1024: () => number;
197
204
  readonly isHybridCiphertext: (a: number, b: number) => number;
@@ -212,10 +219,10 @@ export interface InitOutput {
212
219
  readonly deriveSigningPublicKey: (a: number, b: number, c: number) => void;
213
220
  readonly sign: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void;
214
221
  readonly verify: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
222
+ readonly decryptPrivateKeyWithRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
223
+ readonly decryptSecretboxToString: (a: number, b: number, c: number, d: number, e: number) => void;
215
224
  readonly encryptSecretboxString: (a: number, b: number, c: number, d: number, e: number) => void;
216
225
  readonly encryptPrivateKeyForRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
217
- readonly decryptSecretboxToString: (a: number, b: number, c: number, d: number, e: number) => void;
218
- readonly decryptPrivateKeyWithRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
219
226
  readonly __wbindgen_export: (a: number, b: number) => number;
220
227
  readonly __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
221
228
  readonly __wbindgen_export3: (a: number) => void;
@@ -439,6 +439,15 @@ export function generateHybridKeyPair1024() {
439
439
  return takeObject(ret);
440
440
  }
441
441
 
442
+ /**
443
+ * Generate a ML-KEM-512 + X25519 keypair (Cat-1). Returns JSON: `{ publicKey, secretKey }`.
444
+ * @returns {any}
445
+ */
446
+ export function generateHybridKeyPair512() {
447
+ const ret = wasm.generateHybridKeyPair512();
448
+ return takeObject(ret);
449
+ }
450
+
442
451
  /**
443
452
  * Generate a random 32-byte symmetric key (base64).
444
453
  * @returns {string}
@@ -653,7 +662,8 @@ export function sealForUser(plaintext_b64, public_key_b64, pq_public_key_b64) {
653
662
  /**
654
663
  * Seal plaintext bytes (base64) to a user's key(s) at a specific security level.
655
664
  *
656
- * `level` must be `"cat3"` (ML-KEM-768, default) or `"cat5"` (ML-KEM-1024).
665
+ * `level` must be `"cat1"` (ML-KEM-512), `"cat3"` (ML-KEM-768, default), or
666
+ * `"cat5"` (ML-KEM-1024).
657
667
  * If `pq_public_key_b64` is absent or empty, falls back to legacy X25519.
658
668
  * @param {string} plaintext_b64
659
669
  * @param {string} public_key_b64
Binary file
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "@f0rest8/metamorphic-crypto",
3
3
  "type": "module",
4
- "description": "Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-768/1024 + X25519)",
5
- "version": "0.5.0",
4
+ "description": "Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-512/768/1024 + X25519)",
5
+ "version": "0.6.0",
6
6
  "license": "MIT OR Apache-2.0",
7
7
  "repository": {
8
8
  "type": "git",