@haneullabs/seal 0.1.0 → 1.1.1

package/dist/bls12381.mjs

@@ -0,0 +1,135 @@
+import { bls12_381 } from "@noble/curves/bls12-381.js";
+import { bytesToNumberBE, bytesToNumberLE, numberToBytesBE } from "@noble/curves/utils.js";
+
+//#region src/bls12381.ts
+var G1Element = class G1Element {
+	static {
+		this.SIZE = 48;
+	}
+	constructor(point) {
+		this.point = point;
+	}
+	static generator() {
+		return new G1Element(bls12_381.G1.Point.BASE);
+	}
+	static fromBytes(bytes) {
+		try {
+			return new G1Element(bls12_381.G1.Point.fromBytes(bytes));
+		} catch {
+			throw new Error("Invalid G1 point");
+		}
+	}
+	toBytes() {
+		return this.point.toBytes();
+	}
+	multiply(scalar) {
+		return new G1Element(this.point.multiply(scalar.scalar));
+	}
+	add(other) {
+		return new G1Element(this.point.add(other.point));
+	}
+	subtract(other) {
+		return new G1Element(this.point.subtract(other.point));
+	}
+	static hashToCurve(data) {
+		return new G1Element(bls12_381.G1.Point.fromAffine(bls12_381.G1.hashToCurve(data).toAffine()));
+	}
+	pairing(other) {
+		return new GTElement(bls12_381.pairing(this.point, other.point));
+	}
+};
+var G2Element = class G2Element {
+	static {
+		this.SIZE = 96;
+	}
+	constructor(point) {
+		this.point = point;
+	}
+	static generator() {
+		return new G2Element(bls12_381.G2.Point.BASE);
+	}
+	static fromBytes(bytes) {
+		try {
+			return new G2Element(bls12_381.G2.Point.fromBytes(bytes));
+		} catch {
+			throw new Error("Invalid G2 point");
+		}
+	}
+	toBytes() {
+		return this.point.toBytes();
+	}
+	multiply(scalar) {
+		return new G2Element(this.point.multiply(scalar.scalar));
+	}
+	add(other) {
+		return new G2Element(this.point.add(other.point));
+	}
+	static hashToCurve(data) {
+		return new G2Element(bls12_381.G2.Point.fromAffine(bls12_381.G2.hashToCurve(data).toAffine()));
+	}
+	equals(other) {
+		return this.point.equals(other.point);
+	}
+};
+var GTElement = class GTElement {
+	static {
+		this.SIZE = 576;
+	}
+	constructor(element) {
+		this.element = element;
+	}
+	toBytes() {
+		const P = [
+			0,
+			3,
+			1,
+			4,
+			2,
+			5
+		];
+		const PAIR_SIZE = GTElement.SIZE / P.length;
+		const bytes = bls12_381.fields.Fp12.toBytes(this.element);
+		const result = new Uint8Array(GTElement.SIZE);
+		for (let i = 0; i < P.length; i++) {
+			const sourceStart = P[i] * PAIR_SIZE;
+			const sourceEnd = sourceStart + PAIR_SIZE;
+			const targetStart = i * PAIR_SIZE;
+			result.set(bytes.subarray(sourceStart, sourceEnd), targetStart);
+		}
+		return result;
+	}
+	equals(other) {
+		return bls12_381.fields.Fp12.eql(this.element, other.element);
+	}
+};
+var Scalar = class Scalar {
+	static {
+		this.SIZE = 32;
+	}
+	constructor(scalar) {
+		this.scalar = scalar;
+	}
+	static fromBigint(scalar) {
+		if (scalar < 0n || scalar >= bls12_381.fields.Fr.ORDER) throw new Error("Scalar out of range");
+		return new Scalar(scalar);
+	}
+	static random() {
+		const randomSecretKey = bls12_381.utils.randomSecretKey();
+		return Scalar.fromBytes(randomSecretKey);
+	}
+	toBytes() {
+		return numberToBytesBE(this.scalar, Scalar.SIZE);
+	}
+	static fromBytes(bytes) {
+		if (bytes.length !== Scalar.SIZE) throw new Error("Invalid scalar length");
+		return this.fromBigint(bytesToNumberBE(bytes));
+	}
+	static fromBytesLE(bytes) {
+		if (bytes.length !== Scalar.SIZE) throw new Error("Invalid scalar length");
+		return this.fromBigint(bytesToNumberLE(bytes));
+	}
+};
+
+//#endregion
+export { G1Element, G2Element, Scalar };
+//# sourceMappingURL=bls12381.mjs.map

package/dist/bls12381.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"bls12381.mjs","names":[],"sources":["../src/bls12381.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { Fp2, Fp12 } from '@noble/curves/abstract/tower.js';\nimport type { WeierstrassPoint } from '@noble/curves/abstract/weierstrass.js';\nimport { bls12_381 } from '@noble/curves/bls12-381.js';\nimport { bytesToNumberBE, bytesToNumberLE, numberToBytesBE } from '@noble/curves/utils.js';\n\nexport class G1Element {\n\tpoint: WeierstrassPoint<bigint>;\n\n\tpublic static readonly SIZE = 48;\n\n\tconstructor(point: WeierstrassPoint<bigint>) {\n\t\tthis.point = point;\n\t}\n\n\tstatic generator(): G1Element {\n\t\treturn new G1Element(bls12_381.G1.Point.BASE);\n\t}\n\n\tstatic fromBytes(bytes: Uint8Array): G1Element {\n\t\ttry {\n\t\t\treturn new G1Element(bls12_381.G1.Point.fromBytes(bytes));\n\t\t} catch {\n\t\t\tthrow new Error('Invalid G1 point');\n\t\t}\n\t}\n\n\ttoBytes(): Uint8Array<ArrayBuffer> {\n\t\treturn this.point.toBytes() as Uint8Array<ArrayBuffer>;\n\t}\n\n\tmultiply(scalar: Scalar): G1Element {\n\t\treturn new G1Element(this.point.multiply(scalar.scalar));\n\t}\n\n\tadd(other: G1Element): G1Element {\n\t\treturn new G1Element(this.point.add(other.point));\n\t}\n\n\tsubtract(other: G1Element): G1Element {\n\t\treturn new G1Element(this.point.subtract(other.point));\n\t}\n\n\tstatic hashToCurve(data: Uint8Array): G1Element {\n\t\treturn new G1Element(bls12_381.G1.Point.fromAffine(bls12_381.G1.hashToCurve(data).toAffine()));\n\t}\n\n\tpairing(other: G2Element): GTElement {\n\t\treturn new GTElement(bls12_381.pairing(this.point, other.point));\n\t}\n}\n\nexport class G2Element {\n\tpoint: WeierstrassPoint<Fp2>;\n\n\tpublic static readonly SIZE = 96;\n\n\tconstructor(point: WeierstrassPoint<Fp2>) {\n\t\tthis.point = point;\n\t}\n\n\tstatic generator(): G2Element {\n\t\treturn new G2Element(bls12_381.G2.Point.BASE);\n\t}\n\n\tstatic fromBytes(bytes: Uint8Array): G2Element {\n\t\ttry {\n\t\t\treturn new G2Element(bls12_381.G2.Point.fromBytes(bytes));\n\t\t} catch {\n\t\t\tthrow new Error('Invalid G2 point');\n\t\t}\n\t}\n\n\ttoBytes(): Uint8Array<ArrayBuffer> {\n\t\treturn this.point.toBytes() as Uint8Array<ArrayBuffer>;\n\t}\n\n\tmultiply(scalar: Scalar): G2Element {\n\t\treturn new G2Element(this.point.multiply(scalar.scalar));\n\t}\n\n\tadd(other: G2Element): G2Element {\n\t\treturn new G2Element(this.point.add(other.point));\n\t}\n\n\tstatic hashToCurve(data: Uint8Array): G2Element {\n\t\treturn new G2Element(bls12_381.G2.Point.fromAffine(bls12_381.G2.hashToCurve(data).toAffine()));\n\t}\n\n\tequals(other: G2Element): boolean {\n\t\treturn this.point.equals(other.point);\n\t}\n}\n\nexport class GTElement {\n\telement: Fp12;\n\n\tpublic static readonly SIZE = 576;\n\n\tconstructor(element: Fp12) {\n\t\tthis.element = element;\n\t}\n\n\ttoBytes(): Uint8Array<ArrayBuffer> {\n\t\t// This permutation reorders the 6 pairs of coefficients of the GT element for compatability with the Rust and Move implementations.\n\t\t//\n\t\t// The permutation P may be computed as:\n\t\t// for i in 0..3 {\n\t\t//   for j in 0..2 {\n\t\t//     P[2 * i + j] = i + 3 * j;\n\t\t//   }\n\t\t// }\n\t\tconst P = [0, 3, 1, 4, 2, 5];\n\t\tconst PAIR_SIZE = GTElement.SIZE / P.length;\n\n\t\tconst bytes = bls12_381.fields.Fp12.toBytes(this.element);\n\t\tconst result = new Uint8Array(GTElement.SIZE);\n\n\t\tfor (let i = 0; i < P.length; i++) {\n\t\t\tconst sourceStart = P[i] * PAIR_SIZE;\n\t\t\tconst sourceEnd = sourceStart + PAIR_SIZE;\n\t\t\tconst targetStart = i * PAIR_SIZE;\n\t\t\tresult.set(bytes.subarray(sourceStart, sourceEnd), targetStart);\n\t\t}\n\n\t\treturn result;\n\t}\n\n\tequals(other: GTElement): boolean {\n\t\treturn bls12_381.fields.Fp12.eql(this.element, other.element);\n\t}\n}\n\nexport class Scalar {\n\tscalar: bigint;\n\n\tpublic static readonly SIZE = 32;\n\n\tconstructor(scalar: bigint) {\n\t\tthis.scalar = scalar;\n\t}\n\n\tstatic fromBigint(scalar: bigint): Scalar {\n\t\tif (scalar < 0n || scalar >= bls12_381.fields.Fr.ORDER) {\n\t\t\tthrow new Error('Scalar out of range');\n\t\t}\n\t\treturn new Scalar(scalar);\n\t}\n\n\tstatic random(): Scalar {\n\t\tconst randomSecretKey = bls12_381.utils.randomSecretKey();\n\t\treturn Scalar.fromBytes(randomSecretKey)!;\n\t}\n\n\ttoBytes(): Uint8Array {\n\t\treturn numberToBytesBE(this.scalar, Scalar.SIZE);\n\t}\n\n\tstatic fromBytes(bytes: Uint8Array): Scalar {\n\t\tif (bytes.length !== Scalar.SIZE) {\n\t\t\tthrow new Error('Invalid scalar length');\n\t\t}\n\t\treturn this.fromBigint(bytesToNumberBE(bytes));\n\t}\n\n\tstatic fromBytesLE(bytes: Uint8Array): Scalar {\n\t\tif (bytes.length !== Scalar.SIZE) {\n\t\t\tthrow new Error('Invalid scalar length');\n\t\t}\n\t\treturn this.fromBigint(bytesToNumberLE(bytes));\n\t}\n}\n"],"mappings":";;;;AAQA,IAAa,YAAb,MAAa,UAAU;;cAGQ;;CAE9B,YAAY,OAAiC;AAC5C,OAAK,QAAQ;;CAGd,OAAO,YAAuB;AAC7B,SAAO,IAAI,UAAU,UAAU,GAAG,MAAM,KAAK;;CAG9C,OAAO,UAAU,OAA8B;AAC9C,MAAI;AACH,UAAO,IAAI,UAAU,UAAU,GAAG,MAAM,UAAU,MAAM,CAAC;UAClD;AACP,SAAM,IAAI,MAAM,mBAAmB;;;CAIrC,UAAmC;AAClC,SAAO,KAAK,MAAM,SAAS;;CAG5B,SAAS,QAA2B;AACnC,SAAO,IAAI,UAAU,KAAK,MAAM,SAAS,OAAO,OAAO,CAAC;;CAGzD,IAAI,OAA6B;AAChC,SAAO,IAAI,UAAU,KAAK,MAAM,IAAI,MAAM,MAAM,CAAC;;CAGlD,SAAS,OAA6B;AACrC,SAAO,IAAI,UAAU,KAAK,MAAM,SAAS,MAAM,MAAM,CAAC;;CAGvD,OAAO,YAAY,MAA6B;AAC/C,SAAO,IAAI,UAAU,UAAU,GAAG,MAAM,WAAW,UAAU,GAAG,YAAY,KAAK,CAAC,UAAU,CAAC,CAAC;;CAG/F,QAAQ,OAA6B;AACpC,SAAO,IAAI,UAAU,UAAU,QAAQ,KAAK,OAAO,MAAM,MAAM,CAAC;;;AAIlE,IAAa,YAAb,MAAa,UAAU;;cAGQ;;CAE9B,YAAY,OAA8B;AACzC,OAAK,QAAQ;;CAGd,OAAO,YAAuB;AAC7B,SAAO,IAAI,UAAU,UAAU,GAAG,MAAM,KAAK;;CAG9C,OAAO,UAAU,OAA8B;AAC9C,MAAI;AACH,UAAO,IAAI,UAAU,UAAU,GAAG,MAAM,UAAU,MAAM,CAAC;UAClD;AACP,SAAM,IAAI,MAAM,mBAAmB;;;CAIrC,UAAmC;AAClC,SAAO,KAAK,MAAM,SAAS;;CAG5B,SAAS,QAA2B;AACnC,SAAO,IAAI,UAAU,KAAK,MAAM,SAAS,OAAO,OAAO,CAAC;;CAGzD,IAAI,OAA6B;AAChC,SAAO,IAAI,UAAU,KAAK,MAAM,IAAI,MAAM,MAAM,CAAC;;CAGlD,OAAO,YAAY,MAA6B;AAC/C,SAAO,IAAI,UAAU,UAAU,GAAG,MAAM,WAAW,UAAU,GAAG,YAAY,KAAK,CAAC,UAAU,CAAC,CAAC;;CAG/F,OAAO,OAA2B;AACjC,SAAO,KAAK,MAAM,OAAO,MAAM,MAAM;;;AAIvC,IAAa,YAAb,MAAa,UAAU;;cAGQ;;CAE9B,YAAY,SAAe;AAC1B,OAAK,UAAU;;CAGhB,UAAmC;EASlC,MAAM,IAAI;GAAC;GAAG;GAAG;GAAG;GAAG;GAAG;GAAE;EAC5B,MAAM,YAAY,UAAU,OAAO,EAAE;EAErC,MAAM,QAAQ,UAAU,OAAO,KAAK,QAAQ,KAAK,QAAQ;EACzD,MAAM,SAAS,IAAI,WAAW,UAAU,KAAK;AAE7C,OAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;GAClC,MAAM,cAAc,EAAE,KAAK;GAC3B,MAAM,YAAY,cAAc;GAChC,MAAM,cAAc,IAAI;AACxB,UAAO,IAAI,MAAM,SAAS,aAAa,UAAU,EAAE,YAAY;;AAGhE,SAAO;;CAGR,OAAO,OAA2B;AACjC,SAAO,UAAU,OAAO,KAAK,IAAI,KAAK,SAAS,MAAM,QAAQ;;;AAI/D,IAAa,SAAb,MAAa,OAAO;;cAGW;;CAE9B,YAAY,QAAgB;AAC3B,OAAK,SAAS;;CAGf,OAAO,WAAW,QAAwB;AACzC,MAAI,SAAS,MAAM,UAAU,UAAU,OAAO,GAAG,MAChD,OAAM,IAAI,MAAM,sBAAsB;AAEvC,SAAO,IAAI,OAAO,OAAO;;CAG1B,OAAO,SAAiB;EACvB,MAAM,kBAAkB,UAAU,MAAM,iBAAiB;AACzD,SAAO,OAAO,UAAU,gBAAgB;;CAGzC,UAAsB;AACrB,SAAO,gBAAgB,KAAK,QAAQ,OAAO,KAAK;;CAGjD,OAAO,UAAU,OAA2B;AAC3C,MAAI,MAAM,WAAW,OAAO,KAC3B,OAAM,IAAI,MAAM,wBAAwB;AAEzC,SAAO,KAAK,WAAW,gBAAgB,MAAM,CAAC;;CAG/C,OAAO,YAAY,OAA2B;AAC7C,MAAI,MAAM,WAAW,OAAO,KAC3B,OAAM,IAAI,MAAM,wBAAwB;AAEzC,SAAO,KAAK,WAAW,gBAAgB,MAAM,CAAC"}

package/dist/client.d.mts

@@ -0,0 +1,105 @@
+import { G2Element } from "./bls12381.mjs";
+import { DecryptOptions, EncryptOptions, FetchKeysOptions, GetDerivedKeysOptions, SealClientOptions } from "./types.mjs";
+import { DerivedKey, KeyServer } from "./key-server.mjs";
+
+//#region src/client.d.ts
+declare class SealClient {
+  #private;
+  constructor(options: SealClientOptions);
+  /**
+   * Return an encrypted message under the identity.
+   *
+   * @param kemType - The type of KEM to use.
+   * @param demType - The type of DEM to use.
+   * @param threshold - The threshold for the TSS encryption.
+   * @param packageId - the packageId namespace.
+   * @param id - the identity to use.
+   * @param data - the data to encrypt.
+   * @param aad - optional additional authenticated data.
+   * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.
+   * 	Since the symmetric key can be used to decrypt, it should not be shared but can be used e.g. for backup.
+   */
+  encrypt({
+    kemType,
+    demType,
+    threshold,
+    packageId,
+    id,
+    data,
+    aad
+  }: EncryptOptions): Promise<{
+    encryptedObject: Uint8Array<ArrayBuffer>;
+    key: Uint8Array<ArrayBuffer>;
+  }>;
+  /**
+   * Decrypt the given encrypted bytes using cached keys.
+   * Calls fetchKeys in case one or more of the required keys is not cached yet.
+   * The function throws an error if the client's key servers are not a subset of
+   * the encrypted object's key servers or if the threshold cannot be met.
+   *
+   * If checkShareConsistency is true, the decrypted shares are checked for consistency, meaning that
+   * any combination of at least threshold shares should either succesfully combine to the plaintext or fail.
+   * This is useful in case the encryptor is not trusted and the decryptor wants to ensure all decryptors
+   * receive the same output (e.g., for onchain encrypted voting).
+   *
+   * @param data - The encrypted bytes to decrypt.
+   * @param sessionKey - The session key to use.
+   * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+   * @param checkShareConsistency - If true, the shares are checked for consistency.
+   * @param checkLEEncoding - If true, the encryption is also checked using an LE encoded nonce.
+   * @returns - The decrypted plaintext corresponding to ciphertext.
+   */
+  decrypt({
+    data,
+    sessionKey,
+    txBytes,
+    checkShareConsistency,
+    checkLEEncoding
+  }: DecryptOptions): Promise<Uint8Array<ArrayBufferLike>>;
+  getKeyServers(): Promise<Map<string, KeyServer>>;
+  /**
+   * Get the public keys for the given services.
+   * If all public keys are not in the cache, they are retrieved.
+   *
+   * @param services - The services to get the public keys for.
+   * @returns The public keys for the given services in the same order as the given services.
+   */
+  getPublicKeys(services: string[]): Promise<G2Element[]>;
+  /**
+   * Fetch keys from the key servers and update the cache.
+   *
+   * It is recommended to call this function once for all ids of all encrypted objects if
+   * there are multiple, then call decrypt for each object. This avoids calling fetchKey
+   * individually for each decrypt.
+   *
+   * @param ids - The ids of the encrypted objects.
+   * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+   * @param sessionKey - The session key to use.
+   * @param threshold - The threshold for the TSS encryptions. The function returns when a threshold of key servers had returned keys for all ids.
+   */
+  fetchKeys({
+    ids,
+    txBytes,
+    sessionKey,
+    threshold
+  }: FetchKeysOptions): Promise<void>;
+  /**
+   * Get derived keys from the given services.
+   *
+   * @param id - The id of the encrypted object.
+   * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+   * @param sessionKey - The session key to use.
+   * @param threshold - The threshold.
+   * @returns - Derived keys for the given services that are in the cache as a "service object ID" -> derived key map. If the call is succesful, exactly threshold keys will be returned.
+   */
+  getDerivedKeys({
+    kemType,
+    id,
+    txBytes,
+    sessionKey,
+    threshold
+  }: GetDerivedKeysOptions): Promise<Map<string, DerivedKey>>;
+}
+//#endregion
+export { SealClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/client.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.mts","names":[],"sources":["../src/client.ts"],"mappings":";;;;;cAmDa,UAAA;EAAA;cAWA,OAAA,EAAS,iBAAA;EAyCpB;;;;;;;;;;;;;EAFK,OAAA,CAAA;IACL,OAAA;IACA,OAAA;IACA,SAAA;IACA,SAAA;IACA,EAAA;IACA,IAAA;IACA;EAAA,GACE,cAAA,GAAc,OAAA;;;;EAyDd;;;;;;;;;;;;;;;;;;EANG,OAAA,CAAA;IACL,IAAA;IACA,UAAA;IACA,OAAA;IACA,qBAAA;IACA;EAAA,GACE,cAAA,GAAc,OAAA,CAAA,UAAA,CAAA,eAAA;EAqDX,aAAA,CAAA,GAAiB,OAAA,CAAQ,GAAA,SAAY,SAAA;EAuNxC;;;;;;;EAtMG,aAAA,CAAc,QAAA,aAAqB,OAAA,CAAQ,SAAA;EA9K5B;;;;;;;;;;;;EAoQf,SAAA,CAAA;IAAY,GAAA;IAAK,OAAA;IAAS,UAAA;IAAY;EAAA,GAAa,gBAAA,GAAgB,OAAA;EAvNxE;;;;;;;;;EAiUK,cAAA,CAAA;IACL,OAAA;IACA,EAAA;IACA,OAAA;IACA,UAAA;IACA;EAAA,GACE,qBAAA,GAAwB,OAAA,CAAQ,GAAA,SAAY,UAAA;AAAA"}

package/dist/client.mjs

@@ -0,0 +1,274 @@
+import { EncryptedObject } from "./bcs.mjs";
+import { G1Element, G2Element } from "./bls12381.mjs";
+import { InconsistentKeyServersError, InvalidClientOptionsError, InvalidKeyServerError, InvalidPackageError, InvalidThresholdError, TooManyFailedFetchKeyRequestsError, toMajorityError } from "./error.mjs";
+import { count, createFullId } from "./utils.mjs";
+import { AesGcm256, Hmac256Ctr } from "./dem.mjs";
+import { BonehFranklinBLS12381Services } from "./ibe.mjs";
+import { decrypt } from "./decrypt.mjs";
+import { DemType, KemType, encrypt } from "./encrypt.mjs";
+import { BonehFranklinBLS12381DerivedKey, fetchKeysForAllIds, retrieveKeyServers, verifyKeyServer } from "./key-server.mjs";
+
+//#region src/client.ts
+var SealClient = class {
+	#haneulClient;
+	#configs;
+	#keyServers = null;
+	#verifyKeyServers;
+	#cachedKeys = /* @__PURE__ */ new Map();
+	#cachedPublicKeys = /* @__PURE__ */ new Map();
+	#timeout;
+	#totalWeight;
+	constructor(options) {
+		this.#haneulClient = options.haneulClient;
+		if (new Set(options.serverConfigs.map((s) => s.objectId)).size !== options.serverConfigs.length) throw new InvalidClientOptionsError("Duplicate object IDs");
+		if (options.serverConfigs.some((s) => s.apiKeyName && !s.apiKey || !s.apiKeyName && s.apiKey)) throw new InvalidClientOptionsError("Both apiKeyName and apiKey must be provided or not provided for all key servers");
+		this.#configs = new Map(options.serverConfigs.map((server) => [server.objectId, server]));
+		this.#totalWeight = options.serverConfigs.map((server) => server.weight).reduce((sum, term) => sum + term, 0);
+		this.#verifyKeyServers = options.verifyKeyServers ?? true;
+		this.#timeout = options.timeout ?? 1e4;
+	}
+	/**
+	* Return an encrypted message under the identity.
+	*
+	* @param kemType - The type of KEM to use.
+	* @param demType - The type of DEM to use.
+	* @param threshold - The threshold for the TSS encryption.
+	* @param packageId - the packageId namespace.
+	* @param id - the identity to use.
+	* @param data - the data to encrypt.
+	* @param aad - optional additional authenticated data.
+	* @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.
+	* 	Since the symmetric key can be used to decrypt, it should not be shared but can be used e.g. for backup.
+	*/
+	async encrypt({ kemType = KemType.BonehFranklinBLS12381DemCCA, demType = DemType.AesGcm256, threshold, packageId, id, data, aad = new Uint8Array() }) {
+		const packageObj = await this.#haneulClient.core.getObject({ objectId: packageId });
+		if (String(packageObj.object.version) !== "1") throw new InvalidPackageError(`Package ${packageId} is not the first version`);
+		return encrypt({
+			keyServers: await this.#getWeightedKeyServers(),
+			kemType,
+			threshold,
+			packageId,
+			id,
+			encryptionInput: this.#createEncryptionInput(demType, data, aad)
+		});
+	}
+	#createEncryptionInput(type, data, aad) {
+		switch (type) {
+			case DemType.AesGcm256: return new AesGcm256(data, aad);
+			case DemType.Hmac256Ctr: return new Hmac256Ctr(data, aad);
+		}
+	}
+	/**
+	* Decrypt the given encrypted bytes using cached keys.
+	* Calls fetchKeys in case one or more of the required keys is not cached yet.
+	* The function throws an error if the client's key servers are not a subset of
+	* the encrypted object's key servers or if the threshold cannot be met.
+	*
+	* If checkShareConsistency is true, the decrypted shares are checked for consistency, meaning that
+	* any combination of at least threshold shares should either succesfully combine to the plaintext or fail.
+	* This is useful in case the encryptor is not trusted and the decryptor wants to ensure all decryptors
+	* receive the same output (e.g., for onchain encrypted voting).
+	*
+	* @param data - The encrypted bytes to decrypt.
+	* @param sessionKey - The session key to use.
+	* @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+	* @param checkShareConsistency - If true, the shares are checked for consistency.
+	* @param checkLEEncoding - If true, the encryption is also checked using an LE encoded nonce.
+	* @returns - The decrypted plaintext corresponding to ciphertext.
+	*/
+	async decrypt({ data, sessionKey, txBytes, checkShareConsistency, checkLEEncoding }) {
+		const encryptedObject = EncryptedObject.parse(data);
+		this.#validateEncryptionServices(encryptedObject.services.map((s) => s[0]), encryptedObject.threshold);
+		await this.fetchKeys({
+			ids: [encryptedObject.id],
+			txBytes,
+			sessionKey,
+			threshold: encryptedObject.threshold
+		});
+		if (checkShareConsistency) {
+			const publicKeys = await this.getPublicKeys(encryptedObject.services.map(([objectId, _]) => objectId));
+			return decrypt({
+				encryptedObject,
+				keys: this.#cachedKeys,
+				publicKeys,
+				checkLEEncoding: false
+			});
+		}
+		return decrypt({
+			encryptedObject,
+			keys: this.#cachedKeys,
+			checkLEEncoding
+		});
+	}
+	#weight(objectId) {
+		return this.#configs.get(objectId)?.weight ?? 0;
+	}
+	#validateEncryptionServices(services, threshold) {
+		if (services.some((objectId) => {
+			const countInClient = this.#weight(objectId);
+			return countInClient > 0 && countInClient !== count(services, objectId);
+		})) throw new InconsistentKeyServersError(`Client's key servers must be a subset of the encrypted object's key servers`);
+		if (threshold > this.#totalWeight) throw new InvalidThresholdError(`Invalid threshold ${threshold} for ${this.#totalWeight} servers`);
+	}
+	async getKeyServers() {
+		if (!this.#keyServers) this.#keyServers = this.#loadKeyServers().catch((error) => {
+			this.#keyServers = null;
+			throw error;
+		});
+		return this.#keyServers;
+	}
+	/**
+	* Get the public keys for the given services.
+	* If all public keys are not in the cache, they are retrieved.
+	*
+	* @param services - The services to get the public keys for.
+	* @returns The public keys for the given services in the same order as the given services.
+	*/
+	async getPublicKeys(services) {
+		const keyServers = await this.getKeyServers();
+		const missingKeyServers = services.filter((objectId) => !keyServers.has(objectId) && !this.#cachedPublicKeys.has(objectId));
+		if (missingKeyServers.length > 0) (await retrieveKeyServers({
+			objectIds: missingKeyServers,
+			client: this.#haneulClient,
+			configs: this.#configs
+		})).forEach((keyServer) => this.#cachedPublicKeys.set(keyServer.objectId, G2Element.fromBytes(keyServer.pk)));
+		return services.map((objectId) => {
+			const keyServer = keyServers.get(objectId);
+			if (keyServer) return G2Element.fromBytes(keyServer.pk);
+			return this.#cachedPublicKeys.get(objectId);
+		});
+	}
+	/**
+	* Returns a list of key servers with multiplicity according to their weights.
+	* The list is used for encryption.
+	*/
+	async #getWeightedKeyServers() {
+		const keyServers = await this.getKeyServers();
+		const keyServersWithMultiplicity = [];
+		for (const [objectId, config] of this.#configs) {
+			const keyServer = keyServers.get(objectId);
+			for (let i = 0; i < config.weight; i++) keyServersWithMultiplicity.push(keyServer);
+		}
+		return keyServersWithMultiplicity;
+	}
+	async #loadKeyServers() {
+		const keyServers = await retrieveKeyServers({
+			objectIds: [...this.#configs.keys()],
+			client: this.#haneulClient,
+			configs: this.#configs
+		});
+		if (keyServers.length === 0) throw new InvalidKeyServerError("No key servers found");
+		if (this.#verifyKeyServers) await Promise.all(keyServers.map(async (server) => {
+			if (server.serverType === "Committee") return;
+			const config = this.#configs.get(server.objectId);
+			if (!await verifyKeyServer(server, this.#timeout, config?.apiKeyName, config?.apiKey)) throw new InvalidKeyServerError(`Key server ${server.objectId} is not valid`);
+		}));
+		return new Map(keyServers.map((server) => [server.objectId, server]));
+	}
+	/**
+	* Fetch keys from the key servers and update the cache.
+	*
+	* It is recommended to call this function once for all ids of all encrypted objects if
+	* there are multiple, then call decrypt for each object. This avoids calling fetchKey
+	* individually for each decrypt.
+	*
+	* @param ids - The ids of the encrypted objects.
+	* @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+	* @param sessionKey - The session key to use.
+	* @param threshold - The threshold for the TSS encryptions. The function returns when a threshold of key servers had returned keys for all ids.
+	*/
+	async fetchKeys({ ids, txBytes, sessionKey, threshold }) {
+		if (threshold > this.#totalWeight || threshold < 1) throw new InvalidThresholdError(`Invalid threshold ${threshold} servers with weights ${JSON.stringify(this.#configs)}`);
+		const keyServers = await this.getKeyServers();
+		const fullIds = ids.map((id) => createFullId(sessionKey.getPackageId(), id));
+		let completedWeight = 0;
+		const remainingKeyServers = [];
+		let remainingKeyServersWeight = 0;
+		for (const objectId of keyServers.keys()) if (fullIds.every((fullId) => this.#cachedKeys.has(`${fullId}:${objectId}`))) completedWeight += this.#weight(objectId);
+		else {
+			remainingKeyServers.push(objectId);
+			remainingKeyServersWeight += this.#weight(objectId);
+		}
+		if (completedWeight >= threshold) return;
+		const certificate = await sessionKey.getCertificate();
+		const signedRequest = await sessionKey.createRequestParams(txBytes);
+		const controller = new AbortController();
+		const errors = [];
+		const keyFetches = remainingKeyServers.map(async (objectId) => {
+			const server = keyServers.get(objectId);
+			try {
+				const config = this.#configs.get(objectId);
+				const allKeys = await fetchKeysForAllIds({
+					url: server.url,
+					requestSignature: signedRequest.requestSignature,
+					transactionBytes: txBytes,
+					encKey: signedRequest.encKey,
+					encKeyPk: signedRequest.encKeyPk,
+					encVerificationKey: signedRequest.encVerificationKey,
+					certificate,
+					timeout: this.#timeout,
+					apiKeyName: config?.apiKeyName,
+					apiKey: config?.apiKey,
+					signal: controller.signal
+				});
+				for (const { fullId, key } of allKeys) {
+					const keyElement = G1Element.fromBytes(key);
+					if (!BonehFranklinBLS12381Services.verifyUserSecretKey(keyElement, fullId, G2Element.fromBytes(server.pk))) {
+						console.warn("Received invalid key from key server " + server.objectId);
+						continue;
+					}
+					this.#cachedKeys.set(`${fullId}:${server.objectId}`, keyElement);
+				}
+				if (fullIds.every((fullId) => this.#cachedKeys.has(`${fullId}:${server.objectId}`))) {
+					completedWeight += this.#weight(objectId);
+					if (completedWeight >= threshold) controller.abort();
+				}
+			} catch (error) {
+				if (!controller.signal.aborted) errors.push(error);
+			} finally {
+				remainingKeyServersWeight -= this.#weight(objectId);
+				if (remainingKeyServersWeight < threshold - completedWeight) controller.abort(new TooManyFailedFetchKeyRequestsError());
+			}
+		});
+		await Promise.allSettled(keyFetches);
+		if (completedWeight < threshold) throw toMajorityError(errors);
+	}
+	/**
+	* Get derived keys from the given services.
+	*
+	* @param id - The id of the encrypted object.
+	* @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+	* @param sessionKey - The session key to use.
+	* @param threshold - The threshold.
+	* @returns - Derived keys for the given services that are in the cache as a "service object ID" -> derived key map. If the call is succesful, exactly threshold keys will be returned.
+	*/
+	async getDerivedKeys({ kemType = KemType.BonehFranklinBLS12381DemCCA, id, txBytes, sessionKey, threshold }) {
+		switch (kemType) {
+			case KemType.BonehFranklinBLS12381DemCCA:
+				const keyServers = await this.getKeyServers();
+				if (threshold > this.#totalWeight) throw new InvalidThresholdError(`Invalid threshold ${threshold} for ${this.#totalWeight} servers`);
+				await this.fetchKeys({
+					ids: [id],
+					txBytes,
+					sessionKey,
+					threshold
+				});
+				const fullId = createFullId(sessionKey.getPackageId(), id);
+				const derivedKeys = /* @__PURE__ */ new Map();
+				let weight = 0;
+				for (const objectId of keyServers.keys()) {
+					const cachedKey = this.#cachedKeys.get(`${fullId}:${objectId}`);
+					if (cachedKey) {
+						derivedKeys.set(objectId, new BonehFranklinBLS12381DerivedKey(cachedKey));
+						weight += this.#weight(objectId);
+						if (weight >= threshold) break;
+					}
+				}
+				return derivedKeys;
+		}
+	}
+};
+
+//#endregion
+export { SealClient };
+//# sourceMappingURL=client.mjs.map

package/dist/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":["#haneulClient","#configs","#totalWeight","#verifyKeyServers","#timeout","#getWeightedKeyServers","#createEncryptionInput","#validateEncryptionServices","#cachedKeys","#weight","#keyServers","#loadKeyServers","#cachedPublicKeys"],"sources":["../src/client.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { EncryptedObject } from './bcs.js';\nimport { G1Element, G2Element } from './bls12381.js';\nimport { decrypt } from './decrypt.js';\nimport type { EncryptionInput } from './dem.js';\nimport { AesGcm256, Hmac256Ctr } from './dem.js';\nimport { DemType, encrypt, KemType } from './encrypt.js';\nimport {\n\tInconsistentKeyServersError,\n\tInvalidClientOptionsError,\n\tInvalidKeyServerError,\n\tInvalidPackageError,\n\tInvalidThresholdError,\n\ttoMajorityError,\n\tTooManyFailedFetchKeyRequestsError,\n} from './error.js';\nimport { BonehFranklinBLS12381Services } from './ibe.js';\nimport {\n\tBonehFranklinBLS12381DerivedKey,\n\tretrieveKeyServers,\n\tverifyKeyServer,\n\tfetchKeysForAllIds,\n} from './key-server.js';\nimport type { DerivedKey, KeyServer } from './key-server.js';\nimport type {\n\tDecryptOptions,\n\tEncryptOptions,\n\tFetchKeysOptions,\n\tGetDerivedKeysOptions,\n\tKeyCacheKey,\n\tKeyServerConfig,\n\tSealClientOptions,\n\tSealCompatibleClient,\n\tSealOptions,\n} from './types.js';\nimport { createFullId, count } from './utils.js';\n\nexport function seal<Name = 'seal'>({ name = 'seal' as Name, ...options }: SealOptions<Name>) {\n\treturn {\n\t\tname,\n\t\tregister: (client: SealCompatibleClient) => {\n\t\t\treturn new SealClient({\n\t\t\t\thaneulClient: client,\n\t\t\t\t...options,\n\t\t\t});\n\t\t},\n\t};\n}\n\nexport class SealClient {\n\t#haneulClient: SealCompatibleClient;\n\t#configs: Map<string, KeyServerConfig>;\n\t#keyServers: Promise<Map<string, KeyServer>> | null = null;\n\t#verifyKeyServers: boolean;\n\t// A caching map for: fullId:object_id -> partial key.\n\t#cachedKeys = new Map<KeyCacheKey, G1Element>();\n\t#cachedPublicKeys = new Map<string, G2Element>();\n\t#timeout: number;\n\t#totalWeight: number;\n\n\tconstructor(options: SealClientOptions) {\n\t\tthis.#haneulClient = options.haneulClient;\n\n\t\tif (\n\t\t\tnew Set(options.serverConfigs.map((s) => s.objectId)).size !== options.serverConfigs.length\n\t\t) {\n\t\t\tthrow new InvalidClientOptionsError('Duplicate object IDs');\n\t\t}\n\n\t\tif (\n\t\t\toptions.serverConfigs.some((s) => (s.apiKeyName && !s.apiKey) || (!s.apiKeyName && s.apiKey))\n\t\t) {\n\t\t\tthrow new InvalidClientOptionsError(\n\t\t\t\t'Both apiKeyName and apiKey must be provided or not provided for all key servers',\n\t\t\t);\n\t\t}\n\n\t\tthis.#configs = new Map(options.serverConfigs.map((server) => [server.objectId, server]));\n\t\tthis.#totalWeight = options.serverConfigs\n\t\t\t.map((server) => server.weight)\n\t\t\t.reduce((sum, term) => sum + term, 0);\n\n\t\tthis.#verifyKeyServers = options.verifyKeyServers ?? true;\n\t\tthis.#timeout = options.timeout ?? 10_000;\n\t}\n\n\t/**\n\t * Return an encrypted message under the identity.\n\t *\n\t * @param kemType - The type of KEM to use.\n\t * @param demType - The type of DEM to use.\n\t * @param threshold - The threshold for the TSS encryption.\n\t * @param packageId - the packageId namespace.\n\t * @param id - the identity to use.\n\t * @param data - the data to encrypt.\n\t * @param aad - optional additional authenticated data.\n\t * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.\n\t * \tSince the symmetric key can be used to decrypt, it should not be shared but can be used e.g. for backup.\n\t */\n\tasync encrypt({\n\t\tkemType = KemType.BonehFranklinBLS12381DemCCA,\n\t\tdemType = DemType.AesGcm256,\n\t\tthreshold,\n\t\tpackageId,\n\t\tid,\n\t\tdata,\n\t\taad = new Uint8Array(),\n\t}: EncryptOptions) {\n\t\tconst packageObj = await this.#haneulClient.core.getObject({ objectId: packageId });\n\t\tif (String(packageObj.object.version) !== '1') {\n\t\t\tthrow new InvalidPackageError(`Package ${packageId} is not the first version`);\n\t\t}\n\n\t\treturn encrypt({\n\t\t\tkeyServers: await this.#getWeightedKeyServers(),\n\t\t\tkemType,\n\t\t\tthreshold,\n\t\t\tpackageId,\n\t\t\tid,\n\t\t\tencryptionInput: this.#createEncryptionInput(\n\t\t\t\tdemType,\n\t\t\t\tdata as Uint8Array<ArrayBuffer>,\n\t\t\t\taad as Uint8Array<ArrayBuffer>,\n\t\t\t),\n\t\t});\n\t}\n\n\t#createEncryptionInput(\n\t\ttype: DemType,\n\t\tdata: Uint8Array<ArrayBuffer>,\n\t\taad: Uint8Array<ArrayBuffer>,\n\t): EncryptionInput {\n\t\tswitch (type) {\n\t\t\tcase DemType.AesGcm256:\n\t\t\t\treturn new AesGcm256(data, aad);\n\t\t\tcase DemType.Hmac256Ctr:\n\t\t\t\treturn new Hmac256Ctr(data, aad);\n\t\t}\n\t}\n\n\t/**\n\t * Decrypt the given encrypted bytes using cached keys.\n\t * Calls fetchKeys in case one or more of the required keys is not cached yet.\n\t * The function throws an error if the client's key servers are not a subset of\n\t * the encrypted object's key servers or if the threshold cannot be met.\n\t *\n\t * If checkShareConsistency is true, the decrypted shares are checked for consistency, meaning that\n\t * any combination of at least threshold shares should either succesfully combine to the plaintext or fail.\n\t * This is useful in case the encryptor is not trusted and the decryptor wants to ensure all decryptors\n\t * receive the same output (e.g., for onchain encrypted voting).\n\t *\n\t * @param data - The encrypted bytes to decrypt.\n\t * @param sessionKey - The session key to use.\n\t * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).\n\t * @param checkShareConsistency - If true, the shares are checked for consistency.\n\t * @param checkLEEncoding - If true, the encryption is also checked using an LE encoded nonce.\n\t * @returns - The decrypted plaintext corresponding to ciphertext.\n\t */\n\tasync decrypt({\n\t\tdata,\n\t\tsessionKey,\n\t\ttxBytes,\n\t\tcheckShareConsistency,\n\t\tcheckLEEncoding,\n\t}: DecryptOptions) {\n\t\tconst encryptedObject = EncryptedObject.parse(data);\n\n\t\tthis.#validateEncryptionServices(\n\t\t\tencryptedObject.services.map((s) => s[0]),\n\t\t\tencryptedObject.threshold,\n\t\t);\n\n\t\tawait this.fetchKeys({\n\t\t\tids: [encryptedObject.id],\n\t\t\ttxBytes,\n\t\t\tsessionKey,\n\t\t\tthreshold: encryptedObject.threshold,\n\t\t});\n\n\t\tif (checkShareConsistency) {\n\t\t\tconst publicKeys = await this.getPublicKeys(\n\t\t\t\tencryptedObject.services.map(([objectId, _]) => objectId),\n\t\t\t);\n\t\t\treturn decrypt({\n\t\t\t\tencryptedObject,\n\t\t\t\tkeys: this.#cachedKeys,\n\t\t\t\tpublicKeys,\n\t\t\t\tcheckLEEncoding: false, // We intentionally do not support other encodings here\n\t\t\t});\n\t\t}\n\t\treturn decrypt({ encryptedObject, keys: this.#cachedKeys, checkLEEncoding });\n\t}\n\n\t#weight(objectId: string) {\n\t\treturn this.#configs.get(objectId)?.weight ?? 0;\n\t}\n\n\t#validateEncryptionServices(services: string[], threshold: number) {\n\t\t// Check that the client's key servers are a subset of the encrypted object's key servers.\n\t\tif (\n\t\t\tservices.some((objectId) => {\n\t\t\t\tconst countInClient = this.#weight(objectId);\n\t\t\t\treturn countInClient > 0 && countInClient !== count(services, objectId);\n\t\t\t})\n\t\t) {\n\t\t\tthrow new InconsistentKeyServersError(\n\t\t\t\t`Client's key servers must be a subset of the encrypted object's key servers`,\n\t\t\t);\n\t\t}\n\t\t// Check that the threshold can be met with the client's key servers.\n\t\tif (threshold > this.#totalWeight) {\n\t\t\tthrow new InvalidThresholdError(\n\t\t\t\t`Invalid threshold ${threshold} for ${this.#totalWeight} servers`,\n\t\t\t);\n\t\t}\n\t}\n\n\tasync getKeyServers(): Promise<Map<string, KeyServer>> {\n\t\tif (!this.#keyServers) {\n\t\t\tthis.#keyServers = this.#loadKeyServers().catch((error) => {\n\t\t\t\tthis.#keyServers = null;\n\t\t\t\tthrow error;\n\t\t\t});\n\t\t}\n\t\treturn this.#keyServers;\n\t}\n\n\t/**\n\t * Get the public keys for the given services.\n\t * If all public keys are not in the cache, they are retrieved.\n\t *\n\t * @param services - The services to get the public keys for.\n\t * @returns The public keys for the given services in the same order as the given services.\n\t */\n\tasync getPublicKeys(services: string[]): Promise<G2Element[]> {\n\t\tconst keyServers = await this.getKeyServers();\n\n\t\t// Collect the key servers not already in store or cache.\n\t\tconst missingKeyServers = services.filter(\n\t\t\t(objectId) => !keyServers.has(objectId) && !this.#cachedPublicKeys.has(objectId),\n\t\t);\n\n\t\t// If there are missing key servers, retrieve them and update the cache.\n\t\tif (missingKeyServers.length > 0) {\n\t\t\t(\n\t\t\t\tawait retrieveKeyServers({\n\t\t\t\t\tobjectIds: missingKeyServers,\n\t\t\t\t\tclient: this.#haneulClient,\n\t\t\t\t\tconfigs: this.#configs,\n\t\t\t\t})\n\t\t\t).forEach((keyServer) =>\n\t\t\t\tthis.#cachedPublicKeys.set(keyServer.objectId, G2Element.fromBytes(keyServer.pk)),\n\t\t\t);\n\t\t}\n\n\t\treturn services.map((objectId) => {\n\t\t\tconst keyServer = keyServers.get(objectId);\n\t\t\tif (keyServer) {\n\t\t\t\treturn G2Element.fromBytes(keyServer.pk);\n\t\t\t}\n\t\t\treturn this.#cachedPublicKeys.get(objectId)!;\n\t\t});\n\t}\n\n\t/**\n\t * Returns a list of key servers with multiplicity according to their weights.\n\t * The list is used for encryption.\n\t */\n\tasync #getWeightedKeyServers() {\n\t\tconst keyServers = await this.getKeyServers();\n\t\tconst keyServersWithMultiplicity = [];\n\t\tfor (const [objectId, config] of this.#configs) {\n\t\t\tconst keyServer = keyServers.get(objectId)!;\n\t\t\tfor (let i = 0; i < config.weight; i++) {\n\t\t\t\tkeyServersWithMultiplicity.push(keyServer);\n\t\t\t}\n\t\t}\n\t\treturn keyServersWithMultiplicity;\n\t}\n\n\tasync #loadKeyServers(): Promise<Map<string, KeyServer>> {\n\t\tconst keyServers = await retrieveKeyServers({\n\t\t\tobjectIds: [...this.#configs.keys()],\n\t\t\tclient: this.#haneulClient,\n\t\t\tconfigs: this.#configs,\n\t\t});\n\n\t\tif (keyServers.length === 0) {\n\t\t\tthrow new InvalidKeyServerError('No key servers found');\n\t\t}\n\n\t\tif (this.#verifyKeyServers) {\n\t\t\tawait Promise.all(\n\t\t\t\tkeyServers.map(async (server) => {\n\t\t\t\t\t// Skip /service verification for committee key server type since the request goes through an aggregator.\n\t\t\t\t\tif (server.serverType === 'Committee') {\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tconst config = this.#configs.get(server.objectId);\n\t\t\t\t\tif (!(await verifyKeyServer(server, this.#timeout, config?.apiKeyName, config?.apiKey))) {\n\t\t\t\t\t\tthrow new InvalidKeyServerError(`Key server ${server.objectId} is not valid`);\n\t\t\t\t\t}\n\t\t\t\t}),\n\t\t\t);\n\t\t}\n\t\treturn new Map(keyServers.map((server) => [server.objectId, server]));\n\t}\n\n\t/**\n\t * Fetch keys from the key servers and update the cache.\n\t *\n\t * It is recommended to call this function once for all ids of all encrypted objects if\n\t * there are multiple, then call decrypt for each object. This avoids calling fetchKey\n\t * individually for each decrypt.\n\t *\n\t * @param ids - The ids of the encrypted objects.\n\t * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).\n\t * @param sessionKey - The session key to use.\n\t * @param threshold - The threshold for the TSS encryptions. The function returns when a threshold of key servers had returned keys for all ids.\n\t */\n\tasync fetchKeys({ ids, txBytes, sessionKey, threshold }: FetchKeysOptions) {\n\t\tif (threshold > this.#totalWeight || threshold < 1) {\n\t\t\tthrow new InvalidThresholdError(\n\t\t\t\t`Invalid threshold ${threshold} servers with weights ${JSON.stringify(this.#configs)}`,\n\t\t\t);\n\t\t}\n\t\tconst keyServers = await this.getKeyServers();\n\t\tconst fullIds = ids.map((id) => createFullId(sessionKey.getPackageId(), id));\n\n\t\t// Count a server as completed if it has keys for all fullIds.\n\t\t// Duplicated key server ids will be counted towards the threshold.\n\t\tlet completedWeight = 0;\n\t\tconst remainingKeyServers = [];\n\t\tlet remainingKeyServersWeight = 0;\n\t\tfor (const objectId of keyServers.keys()) {\n\t\t\tif (fullIds.every((fullId) => this.#cachedKeys.has(`${fullId}:${objectId}`))) {\n\t\t\t\tcompletedWeight += this.#weight(objectId);\n\t\t\t} else {\n\t\t\t\tremainingKeyServers.push(objectId);\n\t\t\t\tremainingKeyServersWeight += this.#weight(objectId);\n\t\t\t}\n\t\t}\n\n\t\t// Return early if we have enough keys from cache.\n\t\tif (completedWeight >= threshold) {\n\t\t\treturn;\n\t\t}\n\n\t\tconst certificate = await sessionKey.getCertificate();\n\t\tconst signedRequest = await sessionKey.createRequestParams(txBytes);\n\n\t\tconst controller = new AbortController();\n\t\tconst errors: Error[] = [];\n\n\t\tconst keyFetches = remainingKeyServers.map(async (objectId) => {\n\t\t\tconst server = keyServers.get(objectId)!;\n\t\t\ttry {\n\t\t\t\tconst config = this.#configs.get(objectId);\n\t\t\t\tconst allKeys = await fetchKeysForAllIds({\n\t\t\t\t\turl: server.url,\n\t\t\t\t\trequestSignature: signedRequest.requestSignature,\n\t\t\t\t\ttransactionBytes: txBytes,\n\t\t\t\t\tencKey: signedRequest.encKey,\n\t\t\t\t\tencKeyPk: signedRequest.encKeyPk,\n\t\t\t\t\tencVerificationKey: signedRequest.encVerificationKey,\n\t\t\t\t\tcertificate,\n\t\t\t\t\ttimeout: this.#timeout,\n\t\t\t\t\tapiKeyName: config?.apiKeyName,\n\t\t\t\t\tapiKey: config?.apiKey,\n\t\t\t\t\tsignal: controller.signal,\n\t\t\t\t});\n\t\t\t\t// Check validity of the keys and add them to the cache.\n\t\t\t\tfor (const { fullId, key } of allKeys) {\n\t\t\t\t\tconst keyElement = G1Element.fromBytes(key);\n\t\t\t\t\tif (\n\t\t\t\t\t\t!BonehFranklinBLS12381Services.verifyUserSecretKey(\n\t\t\t\t\t\t\tkeyElement,\n\t\t\t\t\t\t\tfullId,\n\t\t\t\t\t\t\tG2Element.fromBytes(server.pk),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\tconsole.warn('Received invalid key from key server ' + server.objectId);\n\t\t\t\t\t\tcontinue;\n\t\t\t\t\t}\n\t\t\t\t\tthis.#cachedKeys.set(`${fullId}:${server.objectId}`, keyElement);\n\t\t\t\t}\n\n\t\t\t\t// Check if all the receivedIds are consistent with the requested fullIds.\n\t\t\t\t// If so, consider the key server got all keys and mark as completed.\n\t\t\t\tif (fullIds.every((fullId) => this.#cachedKeys.has(`${fullId}:${server.objectId}`))) {\n\t\t\t\t\tcompletedWeight += this.#weight(objectId);\n\n\t\t\t\t\t// Return early if the completed servers is more than the threshold.\n\t\t\t\t\tif (completedWeight >= threshold) {\n\t\t\t\t\t\tcontroller.abort();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} catch (error) {\n\t\t\t\tif (!controller.signal.aborted) {\n\t\t\t\t\terrors.push(error as Error);\n\t\t\t\t}\n\t\t\t} finally {\n\t\t\t\t// If there are too many errors that the threshold is not attainable, return early with error.\n\t\t\t\tremainingKeyServersWeight -= this.#weight(objectId);\n\t\t\t\tif (remainingKeyServersWeight < threshold - completedWeight) {\n\t\t\t\t\tcontroller.abort(new TooManyFailedFetchKeyRequestsError());\n\t\t\t\t}\n\t\t\t}\n\t\t});\n\n\t\tawait Promise.allSettled(keyFetches);\n\n\t\tif (completedWeight < threshold) {\n\t\t\tthrow toMajorityError(errors);\n\t\t}\n\t}\n\n\t/**\n\t * Get derived keys from the given services.\n\t *\n\t * @param id - The id of the encrypted object.\n\t * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).\n\t * @param sessionKey - The session key to use.\n\t * @param threshold - The threshold.\n\t * @returns - Derived keys for the given services that are in the cache as a \"service object ID\" -> derived key map. If the call is succesful, exactly threshold keys will be returned.\n\t */\n\tasync getDerivedKeys({\n\t\tkemType = KemType.BonehFranklinBLS12381DemCCA,\n\t\tid,\n\t\ttxBytes,\n\t\tsessionKey,\n\t\tthreshold,\n\t}: GetDerivedKeysOptions): Promise<Map<string, DerivedKey>> {\n\t\tswitch (kemType) {\n\t\t\tcase KemType.BonehFranklinBLS12381DemCCA:\n\t\t\t\tconst keyServers = await this.getKeyServers();\n\t\t\t\tif (threshold > this.#totalWeight) {\n\t\t\t\t\tthrow new InvalidThresholdError(\n\t\t\t\t\t\t`Invalid threshold ${threshold} for ${this.#totalWeight} servers`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tawait this.fetchKeys({\n\t\t\t\t\tids: [id],\n\t\t\t\t\ttxBytes,\n\t\t\t\t\tsessionKey,\n\t\t\t\t\tthreshold,\n\t\t\t\t});\n\n\t\t\t\t// After calling fetchKeys, we can be sure that there are at least `threshold` of the required keys in the cache.\n\t\t\t\t// It is also checked there that the KeyServerType is BonehFranklinBLS12381 for all services.\n\n\t\t\t\tconst fullId = createFullId(sessionKey.getPackageId(), id);\n\n\t\t\t\tconst derivedKeys = new Map();\n\t\t\t\tlet weight = 0;\n\t\t\t\tfor (const objectId of keyServers.keys()) {\n\t\t\t\t\t// The code below assumes that the KeyServerType is BonehFranklinBLS12381.\n\t\t\t\t\tconst cachedKey = this.#cachedKeys.get(`${fullId}:${objectId}`);\n\t\t\t\t\tif (cachedKey) {\n\t\t\t\t\t\tderivedKeys.set(objectId, new BonehFranklinBLS12381DerivedKey(cachedKey));\n\t\t\t\t\t\tweight += this.#weight(objectId);\n\t\t\t\t\t\tif (weight >= threshold) {\n\t\t\t\t\t\t\t// We have enough keys, so we can stop.\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn derivedKeys;\n\t\t}\n\t}\n}\n"],"mappings":";;;;;;;;;;;AAmDA,IAAa,aAAb,MAAwB;CACvB;CACA;CACA,cAAsD;CACtD;CAEA,8BAAc,IAAI,KAA6B;CAC/C,oCAAoB,IAAI,KAAwB;CAChD;CACA;CAEA,YAAY,SAA4B;AACvC,QAAKA,eAAgB,QAAQ;AAE7B,MACC,IAAI,IAAI,QAAQ,cAAc,KAAK,MAAM,EAAE,SAAS,CAAC,CAAC,SAAS,QAAQ,cAAc,OAErF,OAAM,IAAI,0BAA0B,uBAAuB;AAG5D,MACC,QAAQ,cAAc,MAAM,MAAO,EAAE,cAAc,CAAC,EAAE,UAAY,CAAC,EAAE,cAAc,EAAE,OAAQ,CAE7F,OAAM,IAAI,0BACT,kFACA;AAGF,QAAKC,UAAW,IAAI,IAAI,QAAQ,cAAc,KAAK,WAAW,CAAC,OAAO,UAAU,OAAO,CAAC,CAAC;AACzF,QAAKC,cAAe,QAAQ,cAC1B,KAAK,WAAW,OAAO,OAAO,CAC9B,QAAQ,KAAK,SAAS,MAAM,MAAM,EAAE;AAEtC,QAAKC,mBAAoB,QAAQ,oBAAoB;AACrD,QAAKC,UAAW,QAAQ,WAAW;;;;;;;;;;;;;;;CAgBpC,MAAM,QAAQ,EACb,UAAU,QAAQ,6BAClB,UAAU,QAAQ,WAClB,WACA,WACA,IACA,MACA,MAAM,IAAI,YAAY,IACJ;EAClB,MAAM,aAAa,MAAM,MAAKJ,aAAc,KAAK,UAAU,EAAE,UAAU,WAAW,CAAC;AACnF,MAAI,OAAO,WAAW,OAAO,QAAQ,KAAK,IACzC,OAAM,IAAI,oBAAoB,WAAW,UAAU,2BAA2B;AAG/E,SAAO,QAAQ;GACd,YAAY,MAAM,MAAKK,uBAAwB;GAC/C;GACA;GACA;GACA;GACA,iBAAiB,MAAKC,sBACrB,SACA,MACA,IACA;GACD,CAAC;;CAGH,uBACC,MACA,MACA,KACkB;AAClB,UAAQ,MAAR;GACC,KAAK,QAAQ,UACZ,QAAO,IAAI,UAAU,MAAM,IAAI;GAChC,KAAK,QAAQ,WACZ,QAAO,IAAI,WAAW,MAAM,IAAI;;;;;;;;;;;;;;;;;;;;;CAsBnC,MAAM,QAAQ,EACb,MACA,YACA,SACA,uBACA,mBACkB;EAClB,MAAM,kBAAkB,gBAAgB,MAAM,KAAK;AAEnD,QAAKC,2BACJ,gBAAgB,SAAS,KAAK,MAAM,EAAE,GAAG,EACzC,gBAAgB,UAChB;AAED,QAAM,KAAK,UAAU;GACpB,KAAK,CAAC,gBAAgB,GAAG;GACzB;GACA;GACA,WAAW,gBAAgB;GAC3B,CAAC;AAEF,MAAI,uBAAuB;GAC1B,MAAM,aAAa,MAAM,KAAK,cAC7B,gBAAgB,SAAS,KAAK,CAAC,UAAU,OAAO,SAAS,CACzD;AACD,UAAO,QAAQ;IACd;IACA,MAAM,MAAKC;IACX;IACA,iBAAiB;IACjB,CAAC;;AAEH,SAAO,QAAQ;GAAE;GAAiB,MAAM,MAAKA;GAAa;GAAiB,CAAC;;CAG7E,QAAQ,UAAkB;AACzB,SAAO,MAAKP,QAAS,IAAI,SAAS,EAAE,UAAU;;CAG/C,4BAA4B,UAAoB,WAAmB;AAElE,MACC,SAAS,MAAM,aAAa;GAC3B,MAAM,gBAAgB,MAAKQ,OAAQ,SAAS;AAC5C,UAAO,gBAAgB,KAAK,kBAAkB,MAAM,UAAU,SAAS;IACtE,CAEF,OAAM,IAAI,4BACT,8EACA;AAGF,MAAI,YAAY,MAAKP,YACpB,OAAM,IAAI,sBACT,qBAAqB,UAAU,OAAO,MAAKA,YAAa,UACxD;;CAIH,MAAM,gBAAiD;AACtD,MAAI,CAAC,MAAKQ,WACT,OAAKA,aAAc,MAAKC,gBAAiB,CAAC,OAAO,UAAU;AAC1D,SAAKD,aAAc;AACnB,SAAM;IACL;AAEH,SAAO,MAAKA;;;;;;;;;CAUb,MAAM,cAAc,UAA0C;EAC7D,MAAM,aAAa,MAAM,KAAK,eAAe;EAG7C,MAAM,oBAAoB,SAAS,QACjC,aAAa,CAAC,WAAW,IAAI,SAAS,IAAI,CAAC,MAAKE,iBAAkB,IAAI,SAAS,CAChF;AAGD,MAAI,kBAAkB,SAAS,EAC9B,EACC,MAAM,mBAAmB;GACxB,WAAW;GACX,QAAQ,MAAKZ;GACb,SAAS,MAAKC;GACd,CAAC,EACD,SAAS,cACV,MAAKW,iBAAkB,IAAI,UAAU,UAAU,UAAU,UAAU,UAAU,GAAG,CAAC,CACjF;AAGF,SAAO,SAAS,KAAK,aAAa;GACjC,MAAM,YAAY,WAAW,IAAI,SAAS;AAC1C,OAAI,UACH,QAAO,UAAU,UAAU,UAAU,GAAG;AAEzC,UAAO,MAAKA,iBAAkB,IAAI,SAAS;IAC1C;;;;;;CAOH,OAAMP,wBAAyB;EAC9B,MAAM,aAAa,MAAM,KAAK,eAAe;EAC7C,MAAM,6BAA6B,EAAE;AACrC,OAAK,MAAM,CAAC,UAAU,WAAW,MAAKJ,SAAU;GAC/C,MAAM,YAAY,WAAW,IAAI,SAAS;AAC1C,QAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAClC,4BAA2B,KAAK,UAAU;;AAG5C,SAAO;;CAGR,OAAMU,iBAAmD;EACxD,MAAM,aAAa,MAAM,mBAAmB;GAC3C,WAAW,CAAC,GAAG,MAAKV,QAAS,MAAM,CAAC;GACpC,QAAQ,MAAKD;GACb,SAAS,MAAKC;GACd,CAAC;AAEF,MAAI,WAAW,WAAW,EACzB,OAAM,IAAI,sBAAsB,uBAAuB;AAGxD,MAAI,MAAKE,iBACR,OAAM,QAAQ,IACb,WAAW,IAAI,OAAO,WAAW;AAEhC,OAAI,OAAO,eAAe,YACzB;GAED,MAAM,SAAS,MAAKF,QAAS,IAAI,OAAO,SAAS;AACjD,OAAI,CAAE,MAAM,gBAAgB,QAAQ,MAAKG,SAAU,QAAQ,YAAY,QAAQ,OAAO,CACrF,OAAM,IAAI,sBAAsB,cAAc,OAAO,SAAS,eAAe;IAE7E,CACF;AAEF,SAAO,IAAI,IAAI,WAAW,KAAK,WAAW,CAAC,OAAO,UAAU,OAAO,CAAC,CAAC;;;;;;;;;;;;;;CAetE,MAAM,UAAU,EAAE,KAAK,SAAS,YAAY,aAA+B;AAC1E,MAAI,YAAY,MAAKF,eAAgB,YAAY,EAChD,OAAM,IAAI,sBACT,qBAAqB,UAAU,wBAAwB,KAAK,UAAU,MAAKD,QAAS,GACpF;EAEF,MAAM,aAAa,MAAM,KAAK,eAAe;EAC7C,MAAM,UAAU,IAAI,KAAK,OAAO,aAAa,WAAW,cAAc,EAAE,GAAG,CAAC;EAI5E,IAAI,kBAAkB;EACtB,MAAM,sBAAsB,EAAE;EAC9B,IAAI,4BAA4B;AAChC,OAAK,MAAM,YAAY,WAAW,MAAM,CACvC,KAAI,QAAQ,OAAO,WAAW,MAAKO,WAAY,IAAI,GAAG,OAAO,GAAG,WAAW,CAAC,CAC3E,oBAAmB,MAAKC,OAAQ,SAAS;OACnC;AACN,uBAAoB,KAAK,SAAS;AAClC,gCAA6B,MAAKA,OAAQ,SAAS;;AAKrD,MAAI,mBAAmB,UACtB;EAGD,MAAM,cAAc,MAAM,WAAW,gBAAgB;EACrD,MAAM,gBAAgB,MAAM,WAAW,oBAAoB,QAAQ;EAEnE,MAAM,aAAa,IAAI,iBAAiB;EACxC,MAAM,SAAkB,EAAE;EAE1B,MAAM,aAAa,oBAAoB,IAAI,OAAO,aAAa;GAC9D,MAAM,SAAS,WAAW,IAAI,SAAS;AACvC,OAAI;IACH,MAAM,SAAS,MAAKR,QAAS,IAAI,SAAS;IAC1C,MAAM,UAAU,MAAM,mBAAmB;KACxC,KAAK,OAAO;KACZ,kBAAkB,cAAc;KAChC,kBAAkB;KAClB,QAAQ,cAAc;KACtB,UAAU,cAAc;KACxB,oBAAoB,cAAc;KAClC;KACA,SAAS,MAAKG;KACd,YAAY,QAAQ;KACpB,QAAQ,QAAQ;KAChB,QAAQ,WAAW;KACnB,CAAC;AAEF,SAAK,MAAM,EAAE,QAAQ,SAAS,SAAS;KACtC,MAAM,aAAa,UAAU,UAAU,IAAI;AAC3C,SACC,CAAC,8BAA8B,oBAC9B,YACA,QACA,UAAU,UAAU,OAAO,GAAG,CAC9B,EACA;AACD,cAAQ,KAAK,0CAA0C,OAAO,SAAS;AACvE;;AAED,WAAKI,WAAY,IAAI,GAAG,OAAO,GAAG,OAAO,YAAY,WAAW;;AAKjE,QAAI,QAAQ,OAAO,WAAW,MAAKA,WAAY,IAAI,GAAG,OAAO,GAAG,OAAO,WAAW,CAAC,EAAE;AACpF,wBAAmB,MAAKC,OAAQ,SAAS;AAGzC,SAAI,mBAAmB,UACtB,YAAW,OAAO;;YAGZ,OAAO;AACf,QAAI,CAAC,WAAW,OAAO,QACtB,QAAO,KAAK,MAAe;aAEnB;AAET,iCAA6B,MAAKA,OAAQ,SAAS;AACnD,QAAI,4BAA4B,YAAY,gBAC3C,YAAW,MAAM,IAAI,oCAAoC,CAAC;;IAG3D;AAEF,QAAM,QAAQ,WAAW,WAAW;AAEpC,MAAI,kBAAkB,UACrB,OAAM,gBAAgB,OAAO;;;;;;;;;;;CAa/B,MAAM,eAAe,EACpB,UAAU,QAAQ,6BAClB,IACA,SACA,YACA,aAC2D;AAC3D,UAAQ,SAAR;GACC,KAAK,QAAQ;IACZ,MAAM,aAAa,MAAM,KAAK,eAAe;AAC7C,QAAI,YAAY,MAAKP,YACpB,OAAM,IAAI,sBACT,qBAAqB,UAAU,OAAO,MAAKA,YAAa,UACxD;AAEF,UAAM,KAAK,UAAU;KACpB,KAAK,CAAC,GAAG;KACT;KACA;KACA;KACA,CAAC;IAKF,MAAM,SAAS,aAAa,WAAW,cAAc,EAAE,GAAG;IAE1D,MAAM,8BAAc,IAAI,KAAK;IAC7B,IAAI,SAAS;AACb,SAAK,MAAM,YAAY,WAAW,MAAM,EAAE;KAEzC,MAAM,YAAY,MAAKM,WAAY,IAAI,GAAG,OAAO,GAAG,WAAW;AAC/D,SAAI,WAAW;AACd,kBAAY,IAAI,UAAU,IAAI,gCAAgC,UAAU,CAAC;AACzE,gBAAU,MAAKC,OAAQ,SAAS;AAChC,UAAI,UAAU,UAEb;;;AAIH,WAAO"}

package/dist/decrypt.mjs

@@ -0,0 +1,53 @@
+import { G2Element } from "./bls12381.mjs";
+import { InvalidCiphertextError, UnsupportedFeatureError } from "./error.mjs";
+import { createFullId, equals } from "./utils.mjs";
+import { AesGcm256, Hmac256Ctr } from "./dem.mjs";
+import { KeyPurpose, deriveKey } from "./kdf.mjs";
+import { BonehFranklinBLS12381Services, decryptRandomness, verifyNonce, verifyNonceWithLE } from "./ibe.mjs";
+import { combine, interpolate } from "./shamir.mjs";
+import { fromHex } from "@haneullabs/bcs";
+
+//#region src/decrypt.ts
+/**
+* Decrypt the given encrypted bytes with the given cached secret keys for the full ID.
+* It's assumed that fetchKeys has been called to fetch the secret keys for enough key servers
+* otherwise, this will throw an error.
+* Also, it's assumed that the keys were verified by the caller.
+*
+* If publicKeys are provided, the decrypted shares are checked for consistency, meaning that
+* any combination of at least threshold shares should either succesfully combine to the plaintext or fail.
+*
+* @returns - The decrypted plaintext corresponding to ciphertext.
+*/
+async function decrypt({ encryptedObject, keys, publicKeys, checkLEEncoding }) {
+	if (!encryptedObject.encryptedShares.BonehFranklinBLS12381) throw new UnsupportedFeatureError("Encryption mode not supported");
+	const fullId = createFullId(encryptedObject.packageId, encryptedObject.id);
+	const inKeystore = encryptedObject.services.map((_, i) => i).filter((i) => keys.has(`${fullId}:${encryptedObject.services[i][0]}`));
+	if (inKeystore.length < encryptedObject.threshold) throw new Error("Not enough shares. Please fetch more keys.");
+	const encryptedShares = encryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedShares;
+	if (encryptedShares.length !== encryptedObject.services.length) throw new InvalidCiphertextError(`Mismatched shares ${encryptedShares.length} and services ${encryptedObject.services.length}`);
+	const nonce = G2Element.fromBytes(encryptedObject.encryptedShares.BonehFranklinBLS12381.nonce);
+	const shares = inKeystore.map((i) => {
+		const [objectId, index] = encryptedObject.services[i];
+		return {
+			index,
+			share: BonehFranklinBLS12381Services.decrypt(nonce, keys.get(`${fullId}:${objectId}`), encryptedShares[i], fromHex(fullId), [objectId, index])
+		};
+	});
+	const baseKey = combine(shares);
+	const randomnessKey = deriveKey(KeyPurpose.EncryptedRandomness, baseKey, encryptedShares, encryptedObject.threshold, encryptedObject.services.map(([objectIds, _]) => objectIds));
+	const randomness = decryptRandomness(encryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedRandomness, randomnessKey);
+	if (!(checkLEEncoding ? verifyNonceWithLE(nonce, randomness) : verifyNonce(nonce, randomness))) throw new InvalidCiphertextError("Invalid nonce");
+	if (publicKeys !== void 0) {
+		const polynomial = interpolate(shares);
+		if (BonehFranklinBLS12381Services.decryptAllSharesUsingRandomness(randomness, encryptedShares, encryptedObject.services, publicKeys, nonce, fromHex(fullId)).some(({ index, share }) => !equals(polynomial(index), share))) throw new InvalidCiphertextError("Invalid shares");
+	}
+	const demKey = deriveKey(KeyPurpose.DEM, baseKey, encryptedShares, encryptedObject.threshold, encryptedObject.services.map(([objectId, _]) => objectId));
+	if (encryptedObject.ciphertext.Aes256Gcm) return AesGcm256.decrypt(demKey, encryptedObject.ciphertext);
+	else if (encryptedObject.ciphertext.Hmac256Ctr) return Hmac256Ctr.decrypt(demKey, encryptedObject.ciphertext);
+	else throw new InvalidCiphertextError("Invalid ciphertext type");
+}
+
+//#endregion
+export { decrypt };
+//# sourceMappingURL=decrypt.mjs.map

package/dist/decrypt.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.mjs","names":[],"sources":["../src/decrypt.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@haneullabs/bcs';\n\nimport type { EncryptedObject } from './bcs.js';\nimport type { G1Element } from './bls12381.js';\nimport { G2Element } from './bls12381.js';\nimport { AesGcm256, Hmac256Ctr } from './dem.js';\nimport { InvalidCiphertextError, UnsupportedFeatureError } from './error.js';\nimport {\n\tBonehFranklinBLS12381Services,\n\tdecryptRandomness,\n\tverifyNonce,\n\tverifyNonceWithLE,\n} from './ibe.js';\nimport { deriveKey, KeyPurpose } from './kdf.js';\nimport type { KeyCacheKey } from './types.js';\nimport { createFullId, equals } from './utils.js';\nimport { combine, interpolate } from './shamir.js';\n\nexport interface DecryptOptions {\n\tencryptedObject: typeof EncryptedObject.$inferType;\n\tkeys: Map<KeyCacheKey, G1Element>;\n\tpublicKeys?: G2Element[];\n\tcheckLEEncoding?: boolean;\n}\n\n/**\n * Decrypt the given encrypted bytes with the given cached secret keys for the full ID.\n * It's assumed that fetchKeys has been called to fetch the secret keys for enough key servers\n * otherwise, this will throw an error.\n * Also, it's assumed that the keys were verified by the caller.\n *\n * If publicKeys are provided, the decrypted shares are checked for consistency, meaning that\n * any combination of at least threshold shares should either succesfully combine to the plaintext or fail.\n *\n * @returns - The decrypted plaintext corresponding to ciphertext.\n */\nexport async function decrypt({\n\tencryptedObject,\n\tkeys,\n\tpublicKeys,\n\tcheckLEEncoding,\n}: DecryptOptions): Promise<Uint8Array> {\n\tif (!encryptedObject.encryptedShares.BonehFranklinBLS12381) {\n\t\tthrow new UnsupportedFeatureError('Encryption mode not supported');\n\t}\n\n\tconst fullId = createFullId(encryptedObject.packageId, encryptedObject.id);\n\n\t// Get the indices of the service whose keys are in the keystore.\n\tconst inKeystore = encryptedObject.services\n\t\t.map((_, i) => i)\n\t\t.filter((i) => keys.has(`${fullId}:${encryptedObject.services[i][0]}`));\n\n\tif (inKeystore.length < encryptedObject.threshold) {\n\t\tthrow new Error('Not enough shares. Please fetch more keys.');\n\t}\n\n\tconst encryptedShares = encryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedShares;\n\tif (encryptedShares.length !== encryptedObject.services.length) {\n\t\tthrow new InvalidCiphertextError(\n\t\t\t`Mismatched shares ${encryptedShares.length} and services ${encryptedObject.services.length}`,\n\t\t);\n\t}\n\n\tconst nonce = G2Element.fromBytes(encryptedObject.encryptedShares.BonehFranklinBLS12381.nonce);\n\n\t// Decrypt each share.\n\tconst shares = inKeystore.map((i) => {\n\t\tconst [objectId, index] = encryptedObject.services[i];\n\t\t// Use the index as the unique info parameter to allow for multiple shares per key server.\n\t\tconst share = BonehFranklinBLS12381Services.decrypt(\n\t\t\tnonce,\n\t\t\tkeys.get(`${fullId}:${objectId}`)!,\n\t\t\tencryptedShares[i],\n\t\t\tfromHex(fullId),\n\t\t\t[objectId, index],\n\t\t) as Uint8Array<ArrayBuffer>;\n\t\treturn { index, share };\n\t});\n\n\t// Combine the decrypted shares into the key\n\tconst baseKey = combine(shares);\n\n\t// Decrypt randomness\n\tconst randomnessKey = deriveKey(\n\t\tKeyPurpose.EncryptedRandomness,\n\t\tbaseKey,\n\t\tencryptedShares,\n\t\tencryptedObject.threshold,\n\t\tencryptedObject.services.map(([objectIds, _]) => objectIds),\n\t);\n\tconst randomness = decryptRandomness(\n\t\tencryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedRandomness,\n\t\trandomnessKey,\n\t);\n\n\t// Verify that the nonce was created with the randomness.\n\tif (!(checkLEEncoding ? verifyNonceWithLE(nonce, randomness) : verifyNonce(nonce, randomness))) {\n\t\tthrow new InvalidCiphertextError('Invalid nonce');\n\t}\n\n\t// If public keys are provided, check consistency of the shares.\n\tconst checkShareConsistency = publicKeys !== undefined;\n\tif (checkShareConsistency) {\n\t\tconst polynomial = interpolate(shares);\n\t\tconst allShares = BonehFranklinBLS12381Services.decryptAllSharesUsingRandomness(\n\t\t\trandomness,\n\t\t\tencryptedShares,\n\t\t\tencryptedObject.services,\n\t\t\tpublicKeys,\n\t\t\tnonce,\n\t\t\tfromHex(fullId),\n\t\t);\n\t\tif (allShares.some(({ index, share }) => !equals(polynomial(index), share))) {\n\t\t\tthrow new InvalidCiphertextError('Invalid shares');\n\t\t}\n\t}\n\n\t// Derive the DEM key\n\tconst demKey = deriveKey(\n\t\tKeyPurpose.DEM,\n\t\tbaseKey,\n\t\tencryptedShares,\n\t\tencryptedObject.threshold,\n\t\tencryptedObject.services.map(([objectId, _]) => objectId),\n\t);\n\n\t// Decrypt the ciphertext\n\tif (encryptedObject.ciphertext.Aes256Gcm) {\n\t\treturn AesGcm256.decrypt(demKey, encryptedObject.ciphertext);\n\t} else if (encryptedObject.ciphertext.Hmac256Ctr) {\n\t\treturn Hmac256Ctr.decrypt(demKey, encryptedObject.ciphertext);\n\t} else {\n\t\tthrow new InvalidCiphertextError('Invalid ciphertext type');\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAuCA,eAAsB,QAAQ,EAC7B,iBACA,MACA,YACA,mBACuC;AACvC,KAAI,CAAC,gBAAgB,gBAAgB,sBACpC,OAAM,IAAI,wBAAwB,gCAAgC;CAGnE,MAAM,SAAS,aAAa,gBAAgB,WAAW,gBAAgB,GAAG;CAG1E,MAAM,aAAa,gBAAgB,SACjC,KAAK,GAAG,MAAM,EAAE,CAChB,QAAQ,MAAM,KAAK,IAAI,GAAG,OAAO,GAAG,gBAAgB,SAAS,GAAG,KAAK,CAAC;AAExE,KAAI,WAAW,SAAS,gBAAgB,UACvC,OAAM,IAAI,MAAM,6CAA6C;CAG9D,MAAM,kBAAkB,gBAAgB,gBAAgB,sBAAsB;AAC9E,KAAI,gBAAgB,WAAW,gBAAgB,SAAS,OACvD,OAAM,IAAI,uBACT,qBAAqB,gBAAgB,OAAO,gBAAgB,gBAAgB,SAAS,SACrF;CAGF,MAAM,QAAQ,UAAU,UAAU,gBAAgB,gBAAgB,sBAAsB,MAAM;CAG9F,MAAM,SAAS,WAAW,KAAK,MAAM;EACpC,MAAM,CAAC,UAAU,SAAS,gBAAgB,SAAS;AASnD,SAAO;GAAE;GAAO,OAPF,8BAA8B,QAC3C,OACA,KAAK,IAAI,GAAG,OAAO,GAAG,WAAW,EACjC,gBAAgB,IAChB,QAAQ,OAAO,EACf,CAAC,UAAU,MAAM,CACjB;GACsB;GACtB;CAGF,MAAM,UAAU,QAAQ,OAAO;CAG/B,MAAM,gBAAgB,UACrB,WAAW,qBACX,SACA,iBACA,gBAAgB,WAChB,gBAAgB,SAAS,KAAK,CAAC,WAAW,OAAO,UAAU,CAC3D;CACD,MAAM,aAAa,kBAClB,gBAAgB,gBAAgB,sBAAsB,qBACtD,cACA;AAGD,KAAI,EAAE,kBAAkB,kBAAkB,OAAO,WAAW,GAAG,YAAY,OAAO,WAAW,EAC5F,OAAM,IAAI,uBAAuB,gBAAgB;AAKlD,KAD8B,eAAe,QAClB;EAC1B,MAAM,aAAa,YAAY,OAAO;AAStC,MARkB,8BAA8B,gCAC/C,YACA,iBACA,gBAAgB,UAChB,YACA,OACA,QAAQ,OAAO,CACf,CACa,MAAM,EAAE,OAAO,YAAY,CAAC,OAAO,WAAW,MAAM,EAAE,MAAM,CAAC,CAC1E,OAAM,IAAI,uBAAuB,iBAAiB;;CAKpD,MAAM,SAAS,UACd,WAAW,KACX,SACA,iBACA,gBAAgB,WAChB,gBAAgB,SAAS,KAAK,CAAC,UAAU,OAAO,SAAS,CACzD;AAGD,KAAI,gBAAgB,WAAW,UAC9B,QAAO,UAAU,QAAQ,QAAQ,gBAAgB,WAAW;UAClD,gBAAgB,WAAW,WACrC,QAAO,WAAW,QAAQ,QAAQ,gBAAgB,WAAW;KAE7D,OAAM,IAAI,uBAAuB,0BAA0B"}

package/dist/dem.d.mts

@@ -0,0 +1 @@
+import "./bcs.mjs";