@f0rest8/metamorphic-crypto 0.5.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +14 -3
- package/metamorphic_crypto.d.ts +10 -3
- package/metamorphic_crypto.js +11 -1
- package/metamorphic_crypto_bg.wasm +0 -0
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# @f0rest8/metamorphic-crypto
|
|
2
2
|
|
|
3
|
-
Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-768/1024 + X25519).
|
|
3
|
+
Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-512/768/1024 + X25519).
|
|
4
4
|
|
|
5
5
|
Built for [Metamorphic](https://metamorphic.app) and [Mosslet](https://mosslet.com) — privacy-first apps by [Moss Piglet Corporation](https://mosspiglet.dev) where all user data is encrypted client-side and the server only stores opaque ciphertext.
|
|
6
6
|
|
|
@@ -103,7 +103,17 @@ import { generateHybridKeyPair1024, sealForUserWithLevel } from "@f0rest8/metamo
|
|
|
103
103
|
|
|
104
104
|
const pq5 = generateHybridKeyPair1024(); // { publicKey, secretKey } (ML-KEM-1024)
|
|
105
105
|
const sealed = sealForUserWithLevel(plaintextBase64, x25519.publicKey, pq5.publicKey, "cat5");
|
|
106
|
-
// unsealFromUser auto-detects Cat-3 vs Cat-5, no level param needed
|
|
106
|
+
// unsealFromUser auto-detects Cat-1 vs Cat-3 vs Cat-5, no level param needed
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
### Cat-1 (ML-KEM-512, opt-in)
|
|
110
|
+
|
|
111
|
+
```js
|
|
112
|
+
import { generateHybridKeyPair512, sealForUserWithLevel } from "@f0rest8/metamorphic-crypto";
|
|
113
|
+
|
|
114
|
+
const pq1 = generateHybridKeyPair512(); // { publicKey, secretKey } (ML-KEM-512)
|
|
115
|
+
const sealed = sealForUserWithLevel(plaintextBase64, x25519.publicKey, pq1.publicKey, "cat1");
|
|
116
|
+
// unsealFromUser auto-detects the level from the version tag, no level param needed
|
|
107
117
|
```
|
|
108
118
|
|
|
109
119
|
### Private key management
|
|
@@ -212,10 +222,11 @@ across native Rust, WASM, and the Elixir NIF.
|
|
|
212
222
|
|
|
213
223
|
| Level | ML-KEM | NIST Category | Equivalent | Default |
|
|
214
224
|
|-------|--------|---------------|------------|---------|
|
|
225
|
+
| Cat-1 | 512 | 1 | ~AES-128 | No |
|
|
215
226
|
| Cat-3 | 768 | 3 | ~AES-192 | Yes |
|
|
216
227
|
| Cat-5 | 1024 | 5 | ~AES-256 | No |
|
|
217
228
|
|
|
218
|
-
Decryption always auto-detects the level from the ciphertext version tag.
|
|
229
|
+
Decryption always auto-detects the level from the ciphertext version tag. NIST (FIPS 203) standardizes ML-KEM only at categories 1/3/5 — there is no category-2/4 set. The classical half is X25519 (~Cat-1 classical) at every tier; at Cat-3/Cat-5 the post-quantum half dominates and X25519 is the classical floor (standard hybrid-KEM practice).
|
|
219
230
|
|
|
220
231
|
## Security properties
|
|
221
232
|
|
package/metamorphic_crypto.d.ts
CHANGED
|
@@ -72,6 +72,11 @@ export function generateHybridKeyPair(): any;
|
|
|
72
72
|
*/
|
|
73
73
|
export function generateHybridKeyPair1024(): any;
|
|
74
74
|
|
|
75
|
+
/**
|
|
76
|
+
* Generate a ML-KEM-512 + X25519 keypair (Cat-1). Returns JSON: `{ publicKey, secretKey }`.
|
|
77
|
+
*/
|
|
78
|
+
export function generateHybridKeyPair512(): any;
|
|
79
|
+
|
|
75
80
|
/**
|
|
76
81
|
* Generate a random 32-byte symmetric key (base64).
|
|
77
82
|
*/
|
|
@@ -123,7 +128,8 @@ export function sealForUser(plaintext_b64: string, public_key_b64: string, pq_pu
|
|
|
123
128
|
/**
|
|
124
129
|
* Seal plaintext bytes (base64) to a user's key(s) at a specific security level.
|
|
125
130
|
*
|
|
126
|
-
* `level` must be `"
|
|
131
|
+
* `level` must be `"cat1"` (ML-KEM-512), `"cat3"` (ML-KEM-768, default), or
|
|
132
|
+
* `"cat5"` (ML-KEM-1024).
|
|
127
133
|
* If `pq_public_key_b64` is absent or empty, falls back to legacy X25519.
|
|
128
134
|
*/
|
|
129
135
|
export function sealForUserWithLevel(plaintext_b64: string, public_key_b64: string, pq_public_key_b64: string | null | undefined, level: string): string;
|
|
@@ -192,6 +198,7 @@ export interface InitOutput {
|
|
|
192
198
|
readonly sealForUser: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void;
|
|
193
199
|
readonly unsealFromUser: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
|
|
194
200
|
readonly sealForUserWithLevel: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
|
|
201
|
+
readonly generateHybridKeyPair512: () => number;
|
|
195
202
|
readonly generateHybridKeyPair: () => number;
|
|
196
203
|
readonly generateHybridKeyPair1024: () => number;
|
|
197
204
|
readonly isHybridCiphertext: (a: number, b: number) => number;
|
|
@@ -212,10 +219,10 @@ export interface InitOutput {
|
|
|
212
219
|
readonly deriveSigningPublicKey: (a: number, b: number, c: number) => void;
|
|
213
220
|
readonly sign: (a: number, b: number, c: number, d: number, e: number, f: number, g: number) => void;
|
|
214
221
|
readonly verify: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number, i: number) => void;
|
|
222
|
+
readonly decryptPrivateKeyWithRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
223
|
+
readonly decryptSecretboxToString: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
215
224
|
readonly encryptSecretboxString: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
216
225
|
readonly encryptPrivateKeyForRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
217
|
-
readonly decryptSecretboxToString: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
218
|
-
readonly decryptPrivateKeyWithRecovery: (a: number, b: number, c: number, d: number, e: number) => void;
|
|
219
226
|
readonly __wbindgen_export: (a: number, b: number) => number;
|
|
220
227
|
readonly __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
|
|
221
228
|
readonly __wbindgen_export3: (a: number) => void;
|
package/metamorphic_crypto.js
CHANGED
|
@@ -439,6 +439,15 @@ export function generateHybridKeyPair1024() {
|
|
|
439
439
|
return takeObject(ret);
|
|
440
440
|
}
|
|
441
441
|
|
|
442
|
+
/**
|
|
443
|
+
* Generate a ML-KEM-512 + X25519 keypair (Cat-1). Returns JSON: `{ publicKey, secretKey }`.
|
|
444
|
+
* @returns {any}
|
|
445
|
+
*/
|
|
446
|
+
export function generateHybridKeyPair512() {
|
|
447
|
+
const ret = wasm.generateHybridKeyPair512();
|
|
448
|
+
return takeObject(ret);
|
|
449
|
+
}
|
|
450
|
+
|
|
442
451
|
/**
|
|
443
452
|
* Generate a random 32-byte symmetric key (base64).
|
|
444
453
|
* @returns {string}
|
|
@@ -653,7 +662,8 @@ export function sealForUser(plaintext_b64, public_key_b64, pq_public_key_b64) {
|
|
|
653
662
|
/**
|
|
654
663
|
* Seal plaintext bytes (base64) to a user's key(s) at a specific security level.
|
|
655
664
|
*
|
|
656
|
-
* `level` must be `"
|
|
665
|
+
* `level` must be `"cat1"` (ML-KEM-512), `"cat3"` (ML-KEM-768, default), or
|
|
666
|
+
* `"cat5"` (ML-KEM-1024).
|
|
657
667
|
* If `pq_public_key_b64` is absent or empty, falls back to legacy X25519.
|
|
658
668
|
* @param {string} plaintext_b64
|
|
659
669
|
* @param {string} public_key_b64
|
|
Binary file
|
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@f0rest8/metamorphic-crypto",
|
|
3
3
|
"type": "module",
|
|
4
|
-
"description": "Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-768/1024 + X25519)",
|
|
5
|
-
"version": "0.
|
|
4
|
+
"description": "Zero-knowledge end-to-end encryption with post-quantum hybrid KEM (ML-KEM-512/768/1024 + X25519)",
|
|
5
|
+
"version": "0.6.0",
|
|
6
6
|
"license": "MIT OR Apache-2.0",
|
|
7
7
|
"repository": {
|
|
8
8
|
"type": "git",
|