@mysten/seal 0.2.0 → 0.3.1

package/dist/cjs/decrypt.js

@@ -0,0 +1,94 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var decrypt_exports = {};
+__export(decrypt_exports, {
+  decrypt: () => decrypt
+});
+module.exports = __toCommonJS(decrypt_exports);
+var import_bcs = require("@mysten/bcs");
+var import_shamir_secret_sharing = require("shamir-secret-sharing");
+var import_bls12381 = require("./bls12381.js");
+var import_dem = require("./dem.js");
+var import_error = require("./error.js");
+var import_ibe = require("./ibe.js");
+var import_kdf = require("./kdf.js");
+var import_utils = require("./utils.js");
+async function decrypt({ encryptedObject, keys }) {
+  if (!encryptedObject.encryptedShares.BonehFranklinBLS12381) {
+    throw new import_error.UnsupportedFeatureError("Encryption mode not supported");
+  }
+  const fullId = (0, import_utils.createFullId)(import_ibe.DST, encryptedObject.packageId, encryptedObject.id);
+  const inKeystore = encryptedObject.services.map((_, i) => i).filter((i) => keys.has(`${fullId}:${encryptedObject.services[i][0]}`));
+  if (inKeystore.length < encryptedObject.threshold) {
+    throw new Error("Not enough shares. Please fetch more keys.");
+  }
+  const encryptedShares = encryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedShares;
+  if (encryptedShares.length !== encryptedObject.services.length) {
+    throw new import_error.InvalidCiphertextError(
+      `Mismatched shares ${encryptedShares.length} and services ${encryptedObject.services.length}`
+    );
+  }
+  const nonce = import_bls12381.G2Element.fromBytes(encryptedObject.encryptedShares.BonehFranklinBLS12381.nonce);
+  const shares = inKeystore.map((i) => {
+    const [objectId, index] = encryptedObject.services[i];
+    const share = import_ibe.BonehFranklinBLS12381Services.decrypt(
+      nonce,
+      keys.get(`${fullId}:${objectId}`),
+      encryptedShares[i],
+      (0, import_bcs.fromHex)(fullId),
+      [objectId, index]
+    );
+    return { index, share };
+  });
+  const key = await combine(shares);
+  const demKey = (0, import_kdf.deriveKey)(import_kdf.KeyPurpose.DEM, key);
+  if (encryptedObject.ciphertext.Aes256Gcm) {
+    try {
+      return import_dem.AesGcm256.decrypt(demKey, encryptedObject.ciphertext);
+    } catch {
+      throw new Error("Decryption failed");
+    }
+  } else if (encryptedObject.ciphertext.Plain) {
+    return demKey;
+  } else if (encryptedObject.ciphertext.Hmac256Ctr) {
+    try {
+      return import_dem.Hmac256Ctr.decrypt(demKey, encryptedObject.ciphertext);
+    } catch {
+      throw new Error("Decryption failed");
+    }
+  } else {
+    throw new Error("Invalid encrypted object");
+  }
+}
+async function combine(shares) {
+  if (shares.length === 0) {
+    throw new Error("Invalid shares length");
+  } else if (shares.length === 1) {
+    return Promise.resolve(shares[0].share);
+  }
+  return (0, import_shamir_secret_sharing.combine)(
+    shares.map(({ index, share }) => {
+      const packedShare = new Uint8Array(share.length + 1);
+      packedShare.set(share, 0);
+      packedShare[share.length] = index;
+      return packedShare;
+    })
+  );
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/cjs/decrypt.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/decrypt.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@mysten/bcs';\nimport { combine as externalCombine } from 'shamir-secret-sharing';\n\nimport type { EncryptedObject } from './bcs.js';\nimport type { G1Element } from './bls12381.js';\nimport { G2Element } from './bls12381.js';\nimport { AesGcm256, Hmac256Ctr } from './dem.js';\nimport { InvalidCiphertextError, UnsupportedFeatureError } from './error.js';\nimport { BonehFranklinBLS12381Services, DST } from './ibe.js';\nimport { deriveKey, KeyPurpose } from './kdf.js';\nimport type { KeyCacheKey } from './types.js';\nimport { createFullId } from './utils.js';\n\nexport interface DecryptOptions {\n\tencryptedObject: typeof EncryptedObject.$inferType;\n\tkeys: Map<KeyCacheKey, G1Element>;\n}\n\n/**\n * Decrypt the given encrypted bytes with the given cached secret keys for the full ID.\n * It's assumed that fetchKeys has been called to fetch the secret keys for enough key servers\n * otherwise, this will throw an error.\n *\n * @returns - The decrypted plaintext corresponding to ciphertext.\n */\nexport async function decrypt({ encryptedObject, keys }: DecryptOptions): Promise<Uint8Array> {\n\tif (!encryptedObject.encryptedShares.BonehFranklinBLS12381) {\n\t\tthrow new UnsupportedFeatureError('Encryption mode not supported');\n\t}\n\n\tconst fullId = createFullId(DST, encryptedObject.packageId, encryptedObject.id);\n\n\t// Get the indices of the service whose keys are in the keystore.\n\tconst inKeystore = encryptedObject.services\n\t\t.map((_, i) => i)\n\t\t.filter((i) => keys.has(`${fullId}:${encryptedObject.services[i][0]}`));\n\n\tif (inKeystore.length < encryptedObject.threshold) {\n\t\tthrow new Error('Not enough shares. Please fetch more keys.');\n\t}\n\n\tconst encryptedShares = encryptedObject.encryptedShares.BonehFranklinBLS12381.encryptedShares;\n\tif (encryptedShares.length !== encryptedObject.services.length) {\n\t\tthrow new InvalidCiphertextError(\n\t\t\t`Mismatched shares ${encryptedShares.length} and services ${encryptedObject.services.length}`,\n\t\t);\n\t}\n\n\tconst nonce = G2Element.fromBytes(encryptedObject.encryptedShares.BonehFranklinBLS12381.nonce);\n\n\t// Decrypt each share.\n\tconst shares = inKeystore.map((i: number) => {\n\t\tconst [objectId, index] = encryptedObject.services[i];\n\t\t// Use the index as the unique info parameter to allow for multiple shares per key server.\n\t\tconst share = BonehFranklinBLS12381Services.decrypt(\n\t\t\tnonce,\n\t\t\tkeys.get(`${fullId}:${objectId}`)!,\n\t\t\tencryptedShares[i],\n\t\t\tfromHex(fullId),\n\t\t\t[objectId, index],\n\t\t);\n\t\t// The Shamir secret sharing library expects the index/x-coordinate to be at the end of the share.\n\t\treturn { index, share };\n\t});\n\n\t// Combine the decrypted shares into the key.\n\tconst key = await combine(shares);\n\tconst demKey = deriveKey(KeyPurpose.DEM, key);\n\tif (encryptedObject.ciphertext.Aes256Gcm) {\n\t\ttry {\n\t\t\t// Decrypt the ciphertext with the key.\n\t\t\treturn AesGcm256.decrypt(demKey, encryptedObject.ciphertext);\n\t\t} catch {\n\t\t\tthrow new Error('Decryption failed');\n\t\t}\n\t} else if (encryptedObject.ciphertext.Plain) {\n\t\t// In case `Plain` mode is used, return the key.\n\t\treturn demKey;\n\t} else if (encryptedObject.ciphertext.Hmac256Ctr) {\n\t\ttry {\n\t\t\treturn Hmac256Ctr.decrypt(demKey, encryptedObject.ciphertext);\n\t\t} catch {\n\t\t\tthrow new Error('Decryption failed');\n\t\t}\n\t} else {\n\t\tthrow new Error('Invalid encrypted object');\n\t}\n}\n\n/**\n * Helper function that combines the shares into the key.\n * @param shares - The shares to combine.\n * @returns - The combined key.\n */\nasync function combine(shares: { index: number; share: Uint8Array }[]): Promise<Uint8Array> {\n\tif (shares.length === 0) {\n\t\tthrow new Error('Invalid shares length');\n\t} else if (shares.length === 1) {\n\t\t// The Shamir secret sharing library expects at least two shares.\n\t\t// If there is only one and the threshold is 1, the reconstructed secret is the same as the share.\n\t\treturn Promise.resolve(shares[0].share);\n\t}\n\n\t// The Shamir secret sharing library expects the index/x-coordinate to be at the end of the share\n\treturn externalCombine(\n\t\tshares.map(({ index, share }) => {\n\t\t\tconst packedShare = new Uint8Array(share.length + 1);\n\t\t\tpackedShare.set(share, 0);\n\t\t\tpackedShare[share.length] = index;\n\t\t\treturn packedShare;\n\t\t}),\n\t);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAwB;AACxB,mCAA2C;AAI3C,sBAA0B;AAC1B,iBAAsC;AACtC,mBAAgE;AAChE,iBAAmD;AACnD,iBAAsC;AAEtC,mBAA6B;AAc7B,eAAsB,QAAQ,EAAE,iBAAiB,KAAK,GAAwC;AAC7F,MAAI,CAAC,gBAAgB,gBAAgB,uBAAuB;AAC3D,UAAM,IAAI,qCAAwB,+BAA+B;AAAA,EAClE;AAEA,QAAM,aAAS,2BAAa,gBAAK,gBAAgB,WAAW,gBAAgB,EAAE;AAG9E,QAAM,aAAa,gBAAgB,SACjC,IAAI,CAAC,GAAG,MAAM,CAAC,EACf,OAAO,CAAC,MAAM,KAAK,IAAI,GAAG,MAAM,IAAI,gBAAgB,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;AAEvE,MAAI,WAAW,SAAS,gBAAgB,WAAW;AAClD,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC7D;AAEA,QAAM,kBAAkB,gBAAgB,gBAAgB,sBAAsB;AAC9E,MAAI,gBAAgB,WAAW,gBAAgB,SAAS,QAAQ;AAC/D,UAAM,IAAI;AAAA,MACT,qBAAqB,gBAAgB,MAAM,iBAAiB,gBAAgB,SAAS,MAAM;AAAA,IAC5F;AAAA,EACD;AAEA,QAAM,QAAQ,0BAAU,UAAU,gBAAgB,gBAAgB,sBAAsB,KAAK;AAG7F,QAAM,SAAS,WAAW,IAAI,CAAC,MAAc;AAC5C,UAAM,CAAC,UAAU,KAAK,IAAI,gBAAgB,SAAS,CAAC;AAEpD,UAAM,QAAQ,yCAA8B;AAAA,MAC3C;AAAA,MACA,KAAK,IAAI,GAAG,MAAM,IAAI,QAAQ,EAAE;AAAA,MAChC,gBAAgB,CAAC;AAAA,UACjB,oBAAQ,MAAM;AAAA,MACd,CAAC,UAAU,KAAK;AAAA,IACjB;AAEA,WAAO,EAAE,OAAO,MAAM;AAAA,EACvB,CAAC;AAGD,QAAM,MAAM,MAAM,QAAQ,MAAM;AAChC,QAAM,aAAS,sBAAU,sBAAW,KAAK,GAAG;AAC5C,MAAI,gBAAgB,WAAW,WAAW;AACzC,QAAI;AAEH,aAAO,qBAAU,QAAQ,QAAQ,gBAAgB,UAAU;AAAA,IAC5D,QAAQ;AACP,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACpC;AAAA,EACD,WAAW,gBAAgB,WAAW,OAAO;AAE5C,WAAO;AAAA,EACR,WAAW,gBAAgB,WAAW,YAAY;AACjD,QAAI;AACH,aAAO,sBAAW,QAAQ,QAAQ,gBAAgB,UAAU;AAAA,IAC7D,QAAQ;AACP,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACpC;AAAA,EACD,OAAO;AACN,UAAM,IAAI,MAAM,0BAA0B;AAAA,EAC3C;AACD;AAOA,eAAe,QAAQ,QAAqE;AAC3F,MAAI,OAAO,WAAW,GAAG;AACxB,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACxC,WAAW,OAAO,WAAW,GAAG;AAG/B,WAAO,QAAQ,QAAQ,OAAO,CAAC,EAAE,KAAK;AAAA,EACvC;AAGA,aAAO,6BAAAA;AAAA,IACN,OAAO,IAAI,CAAC,EAAE,OAAO,MAAM,MAAM;AAChC,YAAM,cAAc,IAAI,WAAW,MAAM,SAAS,CAAC;AACnD,kBAAY,IAAI,OAAO,CAAC;AACxB,kBAAY,MAAM,MAAM,IAAI;AAC5B,aAAO;AAAA,IACR,CAAC;AAAA,EACF;AACD;",
+  "names": ["externalCombine"]
+}

package/dist/cjs/dem.d.ts

@@ -0,0 +1,36 @@
+import type { Ciphertext } from './bcs.js';
+export declare const iv: Uint8Array<ArrayBuffer>;
+export interface EncryptionInput {
+    encrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput>;
+    generateKey(): Promise<Uint8Array>;
+}
+export declare class AesGcm256 implements EncryptionInput {
+    readonly plaintext: Uint8Array;
+    readonly aad: Uint8Array;
+    constructor(msg: Uint8Array, aad: Uint8Array);
+    generateKey(): Promise<Uint8Array>;
+    encrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput>;
+    static decrypt(key: Uint8Array, ciphertext: typeof Ciphertext.$inferInput): Promise<Uint8Array>;
+}
+export declare class Plain implements EncryptionInput {
+    encrypt(_key: Uint8Array): Promise<typeof Ciphertext.$inferInput>;
+    generateKey(): Promise<Uint8Array>;
+}
+/**
+ * Authenticated encryption using CTR mode with HMAC-SHA3-256 as a PRF.
+ * 1. Derive an encryption key, <i>k<sub>1</sub> = <b>hmac</b>(key, 1)</i>.
+ * 2. Chunk the message into blocks of 32 bytes, <i>m = m<sub>1</sub> || ... || m<sub>n</sub></i>.
+ * 3. Let the ciphertext be defined by <i>c = c<sub>1</sub> || ... || c<sub>n</sub></i> where <i>c<sub>i</sub> = m<sub>i</sub> ⊕ <b>hmac</b>(k<sub>1</sub>, i)</i>.
+ * 4. Compute a MAC over the AAD and the ciphertext, <i>mac = <b>hmac</b>(k<sub>2</sub>, aad || c) where k<sub>2</sub> = <b>hmac</b>(key, 2)</i>.
+ * 5. Return <i>mac || c</i>.
+ */
+export declare class Hmac256Ctr implements EncryptionInput {
+    readonly plaintext: Uint8Array;
+    readonly aad: Uint8Array;
+    constructor(msg: Uint8Array, aad: Uint8Array);
+    generateKey(): Promise<Uint8Array>;
+    encrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput>;
+    static decrypt(key: Uint8Array, ciphertext: typeof Ciphertext.$inferInput): Promise<Uint8Array>;
+    private static computeMac;
+    private static encryptInCtrMode;
+}

package/dist/cjs/dem.js

@@ -0,0 +1,173 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var dem_exports = {};
+__export(dem_exports, {
+  AesGcm256: () => AesGcm256,
+  Hmac256Ctr: () => Hmac256Ctr,
+  Plain: () => Plain,
+  iv: () => iv
+});
+module.exports = __toCommonJS(dem_exports);
+var import_bcs = require("@mysten/bcs");
+var import_utils = require("@noble/curves/abstract/utils");
+var import_hmac = require("@noble/hashes/hmac");
+var import_sha3 = require("@noble/hashes/sha3");
+var import_error = require("./error.js");
+var import_utils2 = require("./utils.js");
+const iv = Uint8Array.from([
+  138,
+  55,
+  153,
+  253,
+  198,
+  46,
+  121,
+  219,
+  160,
+  128,
+  89,
+  7,
+  214,
+  156,
+  148,
+  220
+]);
+async function generateAesKey() {
+  const key = await crypto.subtle.generateKey(
+    {
+      name: "AES-GCM",
+      length: 256
+    },
+    true,
+    ["encrypt", "decrypt"]
+  );
+  return await crypto.subtle.exportKey("raw", key).then((keyData) => new Uint8Array(keyData));
+}
+class AesGcm256 {
+  constructor(msg, aad) {
+    this.plaintext = msg;
+    this.aad = aad;
+  }
+  generateKey() {
+    return generateAesKey();
+  }
+  async encrypt(key) {
+    const aesCryptoKey = await crypto.subtle.importKey("raw", key, "AES-GCM", false, ["encrypt"]);
+    const blob = new Uint8Array(
+      await crypto.subtle.encrypt(
+        {
+          name: "AES-GCM",
+          iv,
+          additionalData: this.aad
+        },
+        aesCryptoKey,
+        this.plaintext
+      )
+    );
+    return {
+      Aes256Gcm: {
+        blob,
+        aad: this.aad ?? []
+      }
+    };
+  }
+  static async decrypt(key, ciphertext) {
+    if (!("Aes256Gcm" in ciphertext)) {
+      throw new import_error.InvalidCiphertextError(`Invalid ciphertext ${ciphertext}`);
+    }
+    const aesCryptoKey = await crypto.subtle.importKey("raw", key, "AES-GCM", false, ["decrypt"]);
+    return new Uint8Array(
+      await crypto.subtle.decrypt(
+        {
+          name: "AES-GCM",
+          iv,
+          additionalData: new Uint8Array(ciphertext.Aes256Gcm.aad ?? [])
+        },
+        aesCryptoKey,
+        new Uint8Array(ciphertext.Aes256Gcm.blob)
+      )
+    );
+  }
+}
+class Plain {
+  async encrypt(_key) {
+    return {
+      Plain: {}
+    };
+  }
+  generateKey() {
+    return generateAesKey();
+  }
+}
+class Hmac256Ctr {
+  constructor(msg, aad) {
+    this.plaintext = msg;
+    this.aad = aad;
+  }
+  generateKey() {
+    return generateAesKey();
+  }
+  async encrypt(key) {
+    const blob = Hmac256Ctr.encryptInCtrMode(key, this.plaintext);
+    const mac = Hmac256Ctr.computeMac(key, this.aad, blob);
+    return {
+      Hmac256Ctr: {
+        blob,
+        mac,
+        aad: this.aad ?? []
+      }
+    };
+  }
+  static async decrypt(key, ciphertext) {
+    if (!("Hmac256Ctr" in ciphertext)) {
+      throw new import_error.InvalidCiphertextError(`Invalid ciphertext ${ciphertext}`);
+    }
+    const aad = new Uint8Array(ciphertext.Hmac256Ctr.aad ?? []);
+    const blob = new Uint8Array(ciphertext.Hmac256Ctr.blob);
+    const mac = Hmac256Ctr.computeMac(key, aad, blob);
+    if (!(0, import_utils.equalBytes)(mac, new Uint8Array(ciphertext.Hmac256Ctr.mac))) {
+      throw new import_error.InvalidCiphertextError(`Invalid MAC ${mac}`);
+    }
+    return Hmac256Ctr.encryptInCtrMode(key, blob);
+  }
+  static computeMac(key, aad, ciphertext) {
+    const macKey = (0, import_hmac.hmac)(import_sha3.sha3_256, key, MacKeyTag);
+    const macInput = new Uint8Array([...toBytes(aad.length), ...aad, ...ciphertext]);
+    const mac = (0, import_hmac.hmac)(import_sha3.sha3_256, macKey, macInput);
+    return mac;
+  }
+  static encryptInCtrMode(key, msg) {
+    const blockSize = 32;
+    let result = Uint8Array.from({ length: msg.length }, () => 0);
+    const encryptionKey = (0, import_hmac.hmac)(import_sha3.sha3_256, key, EncryptionKeyTag);
+    for (let i = 0; i * blockSize < msg.length; i++) {
+      const block = msg.slice(i * blockSize, (i + 1) * blockSize);
+      let mask = (0, import_hmac.hmac)(import_sha3.sha3_256, encryptionKey, toBytes(i));
+      const encryptedBlock = (0, import_utils2.xorUnchecked)(block, mask);
+      result.set(encryptedBlock, i * blockSize);
+    }
+    return result;
+  }
+}
+function toBytes(n) {
+  return import_bcs.bcs.u64().serialize(n).toBytes();
+}
+const EncryptionKeyTag = new Uint8Array([1]);
+const MacKeyTag = new Uint8Array([2]);
+//# sourceMappingURL=dem.js.map

package/dist/cjs/dem.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/dem.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { bcs } from '@mysten/bcs';\nimport { equalBytes } from '@noble/curves/abstract/utils';\nimport { hmac } from '@noble/hashes/hmac';\nimport { sha3_256 } from '@noble/hashes/sha3';\n\nimport type { Ciphertext } from './bcs.js';\nimport { InvalidCiphertextError } from './error.js';\nimport { xorUnchecked } from './utils.js';\n\n// Use a fixed IV for AES.\nexport const iv = Uint8Array.from([\n\t138, 55, 153, 253, 198, 46, 121, 219, 160, 128, 89, 7, 214, 156, 148, 220,\n]);\n\nasync function generateAesKey(): Promise<Uint8Array> {\n\tconst key = await crypto.subtle.generateKey(\n\t\t{\n\t\t\tname: 'AES-GCM',\n\t\t\tlength: 256,\n\t\t},\n\t\ttrue,\n\t\t['encrypt', 'decrypt'],\n\t);\n\treturn await crypto.subtle.exportKey('raw', key).then((keyData) => new Uint8Array(keyData));\n}\n\nexport interface EncryptionInput {\n\tencrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput>;\n\tgenerateKey(): Promise<Uint8Array>;\n}\n\nexport class AesGcm256 implements EncryptionInput {\n\treadonly plaintext: Uint8Array;\n\treadonly aad: Uint8Array;\n\n\tconstructor(msg: Uint8Array, aad: Uint8Array) {\n\t\tthis.plaintext = msg;\n\t\tthis.aad = aad;\n\t}\n\n\tgenerateKey(): Promise<Uint8Array> {\n\t\treturn generateAesKey();\n\t}\n\n\tasync encrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput> {\n\t\tconst aesCryptoKey = await crypto.subtle.importKey('raw', key, 'AES-GCM', false, ['encrypt']);\n\n\t\tconst blob = new Uint8Array(\n\t\t\tawait crypto.subtle.encrypt(\n\t\t\t\t{\n\t\t\t\t\tname: 'AES-GCM',\n\t\t\t\t\tiv,\n\t\t\t\t\tadditionalData: this.aad,\n\t\t\t\t},\n\t\t\t\taesCryptoKey,\n\t\t\t\tthis.plaintext,\n\t\t\t),\n\t\t);\n\n\t\treturn {\n\t\t\tAes256Gcm: {\n\t\t\t\tblob,\n\t\t\t\taad: this.aad ?? [],\n\t\t\t},\n\t\t};\n\t}\n\n\tstatic async decrypt(\n\t\tkey: Uint8Array,\n\t\tciphertext: typeof Ciphertext.$inferInput,\n\t): Promise<Uint8Array> {\n\t\tif (!('Aes256Gcm' in ciphertext)) {\n\t\t\tthrow new InvalidCiphertextError(`Invalid ciphertext ${ciphertext}`);\n\t\t}\n\n\t\tconst aesCryptoKey = await crypto.subtle.importKey('raw', key, 'AES-GCM', false, ['decrypt']);\n\n\t\treturn new Uint8Array(\n\t\t\tawait crypto.subtle.decrypt(\n\t\t\t\t{\n\t\t\t\t\tname: 'AES-GCM',\n\t\t\t\t\tiv,\n\t\t\t\t\tadditionalData: new Uint8Array(ciphertext.Aes256Gcm.aad ?? []),\n\t\t\t\t},\n\t\t\t\taesCryptoKey,\n\t\t\t\tnew Uint8Array(ciphertext.Aes256Gcm.blob),\n\t\t\t),\n\t\t);\n\t}\n}\n\nexport class Plain implements EncryptionInput {\n\tasync encrypt(_key: Uint8Array): Promise<typeof Ciphertext.$inferInput> {\n\t\treturn {\n\t\t\tPlain: {},\n\t\t};\n\t}\n\n\tgenerateKey(): Promise<Uint8Array> {\n\t\treturn generateAesKey();\n\t}\n}\n\n/**\n * Authenticated encryption using CTR mode with HMAC-SHA3-256 as a PRF.\n * 1. Derive an encryption key, <i>k<sub>1</sub> = <b>hmac</b>(key, 1)</i>.\n * 2. Chunk the message into blocks of 32 bytes, <i>m = m<sub>1</sub> || ... || m<sub>n</sub></i>.\n * 3. Let the ciphertext be defined by <i>c = c<sub>1</sub> || ... || c<sub>n</sub></i> where <i>c<sub>i</sub> = m<sub>i</sub> \u2295 <b>hmac</b>(k<sub>1</sub>, i)</i>.\n * 4. Compute a MAC over the AAD and the ciphertext, <i>mac = <b>hmac</b>(k<sub>2</sub>, aad || c) where k<sub>2</sub> = <b>hmac</b>(key, 2)</i>.\n * 5. Return <i>mac || c</i>.\n */\nexport class Hmac256Ctr implements EncryptionInput {\n\treadonly plaintext: Uint8Array;\n\treadonly aad: Uint8Array;\n\n\tconstructor(msg: Uint8Array, aad: Uint8Array) {\n\t\tthis.plaintext = msg;\n\t\tthis.aad = aad;\n\t}\n\n\tgenerateKey(): Promise<Uint8Array> {\n\t\treturn generateAesKey();\n\t}\n\n\tasync encrypt(key: Uint8Array): Promise<typeof Ciphertext.$inferInput> {\n\t\tconst blob = Hmac256Ctr.encryptInCtrMode(key, this.plaintext);\n\t\tconst mac = Hmac256Ctr.computeMac(key, this.aad, blob);\n\t\treturn {\n\t\t\tHmac256Ctr: {\n\t\t\t\tblob,\n\t\t\t\tmac,\n\t\t\t\taad: this.aad ?? [],\n\t\t\t},\n\t\t};\n\t}\n\n\tstatic async decrypt(\n\t\tkey: Uint8Array,\n\t\tciphertext: typeof Ciphertext.$inferInput,\n\t): Promise<Uint8Array> {\n\t\tif (!('Hmac256Ctr' in ciphertext)) {\n\t\t\tthrow new InvalidCiphertextError(`Invalid ciphertext ${ciphertext}`);\n\t\t}\n\t\tconst aad = new Uint8Array(ciphertext.Hmac256Ctr.aad ?? []);\n\t\tconst blob = new Uint8Array(ciphertext.Hmac256Ctr.blob);\n\t\tconst mac = Hmac256Ctr.computeMac(key, aad, blob);\n\t\tif (!equalBytes(mac, new Uint8Array(ciphertext.Hmac256Ctr.mac))) {\n\t\t\tthrow new InvalidCiphertextError(`Invalid MAC ${mac}`);\n\t\t}\n\t\treturn Hmac256Ctr.encryptInCtrMode(key, blob);\n\t}\n\n\tprivate static computeMac(key: Uint8Array, aad: Uint8Array, ciphertext: Uint8Array): Uint8Array {\n\t\tconst macKey = hmac(sha3_256, key, MacKeyTag);\n\t\tconst macInput = new Uint8Array([...toBytes(aad.length), ...aad, ...ciphertext]);\n\t\tconst mac = hmac(sha3_256, macKey, macInput);\n\t\treturn mac;\n\t}\n\n\tprivate static encryptInCtrMode(key: Uint8Array, msg: Uint8Array): Uint8Array {\n\t\tconst blockSize = 32;\n\t\tlet result = Uint8Array.from({ length: msg.length }, () => 0);\n\t\tconst encryptionKey = hmac(sha3_256, key, EncryptionKeyTag);\n\t\tfor (let i = 0; i * blockSize < msg.length; i++) {\n\t\t\tconst block = msg.slice(i * blockSize, (i + 1) * blockSize);\n\t\t\tlet mask = hmac(sha3_256, encryptionKey, toBytes(i));\n\t\t\tconst encryptedBlock = xorUnchecked(block, mask);\n\t\t\tresult.set(encryptedBlock, i * blockSize);\n\t\t}\n\t\treturn result;\n\t}\n}\n\n/**\n * Convert a u64 to bytes using little-endian representation.\n */\nfunction toBytes(n: number): Uint8Array {\n\treturn bcs.u64().serialize(n).toBytes();\n}\n\nconst EncryptionKeyTag = new Uint8Array([1]);\nconst MacKeyTag = new Uint8Array([2]);\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAoB;AACpB,mBAA2B;AAC3B,kBAAqB;AACrB,kBAAyB;AAGzB,mBAAuC;AACvC,IAAAA,gBAA6B;AAGtB,MAAM,KAAK,WAAW,KAAK;AAAA,EACjC;AAAA,EAAK;AAAA,EAAI;AAAA,EAAK;AAAA,EAAK;AAAA,EAAK;AAAA,EAAI;AAAA,EAAK;AAAA,EAAK;AAAA,EAAK;AAAA,EAAK;AAAA,EAAI;AAAA,EAAG;AAAA,EAAK;AAAA,EAAK;AAAA,EAAK;AACvE,CAAC;AAED,eAAe,iBAAsC;AACpD,QAAM,MAAM,MAAM,OAAO,OAAO;AAAA,IAC/B;AAAA,MACC,MAAM;AAAA,MACN,QAAQ;AAAA,IACT;AAAA,IACA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACtB;AACA,SAAO,MAAM,OAAO,OAAO,UAAU,OAAO,GAAG,EAAE,KAAK,CAAC,YAAY,IAAI,WAAW,OAAO,CAAC;AAC3F;AAOO,MAAM,UAAqC;AAAA,EAIjD,YAAY,KAAiB,KAAiB;AAC7C,SAAK,YAAY;AACjB,SAAK,MAAM;AAAA,EACZ;AAAA,EAEA,cAAmC;AAClC,WAAO,eAAe;AAAA,EACvB;AAAA,EAEA,MAAM,QAAQ,KAAyD;AACtE,UAAM,eAAe,MAAM,OAAO,OAAO,UAAU,OAAO,KAAK,WAAW,OAAO,CAAC,SAAS,CAAC;AAE5F,UAAM,OAAO,IAAI;AAAA,MAChB,MAAM,OAAO,OAAO;AAAA,QACnB;AAAA,UACC,MAAM;AAAA,UACN;AAAA,UACA,gBAAgB,KAAK;AAAA,QACtB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,MACN;AAAA,IACD;AAEA,WAAO;AAAA,MACN,WAAW;AAAA,QACV;AAAA,QACA,KAAK,KAAK,OAAO,CAAC;AAAA,MACnB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,aAAa,QACZ,KACA,YACsB;AACtB,QAAI,EAAE,eAAe,aAAa;AACjC,YAAM,IAAI,oCAAuB,sBAAsB,UAAU,EAAE;AAAA,IACpE;AAEA,UAAM,eAAe,MAAM,OAAO,OAAO,UAAU,OAAO,KAAK,WAAW,OAAO,CAAC,SAAS,CAAC;AAE5F,WAAO,IAAI;AAAA,MACV,MAAM,OAAO,OAAO;AAAA,QACnB;AAAA,UACC,MAAM;AAAA,UACN;AAAA,UACA,gBAAgB,IAAI,WAAW,WAAW,UAAU,OAAO,CAAC,CAAC;AAAA,QAC9D;AAAA,QACA;AAAA,QACA,IAAI,WAAW,WAAW,UAAU,IAAI;AAAA,MACzC;AAAA,IACD;AAAA,EACD;AACD;AAEO,MAAM,MAAiC;AAAA,EAC7C,MAAM,QAAQ,MAA0D;AACvE,WAAO;AAAA,MACN,OAAO,CAAC;AAAA,IACT;AAAA,EACD;AAAA,EAEA,cAAmC;AAClC,WAAO,eAAe;AAAA,EACvB;AACD;AAUO,MAAM,WAAsC;AAAA,EAIlD,YAAY,KAAiB,KAAiB;AAC7C,SAAK,YAAY;AACjB,SAAK,MAAM;AAAA,EACZ;AAAA,EAEA,cAAmC;AAClC,WAAO,eAAe;AAAA,EACvB;AAAA,EAEA,MAAM,QAAQ,KAAyD;AACtE,UAAM,OAAO,WAAW,iBAAiB,KAAK,KAAK,SAAS;AAC5D,UAAM,MAAM,WAAW,WAAW,KAAK,KAAK,KAAK,IAAI;AACrD,WAAO;AAAA,MACN,YAAY;AAAA,QACX;AAAA,QACA;AAAA,QACA,KAAK,KAAK,OAAO,CAAC;AAAA,MACnB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,aAAa,QACZ,KACA,YACsB;AACtB,QAAI,EAAE,gBAAgB,aAAa;AAClC,YAAM,IAAI,oCAAuB,sBAAsB,UAAU,EAAE;AAAA,IACpE;AACA,UAAM,MAAM,IAAI,WAAW,WAAW,WAAW,OAAO,CAAC,CAAC;AAC1D,UAAM,OAAO,IAAI,WAAW,WAAW,WAAW,IAAI;AACtD,UAAM,MAAM,WAAW,WAAW,KAAK,KAAK,IAAI;AAChD,QAAI,KAAC,yBAAW,KAAK,IAAI,WAAW,WAAW,WAAW,GAAG,CAAC,GAAG;AAChE,YAAM,IAAI,oCAAuB,eAAe,GAAG,EAAE;AAAA,IACtD;AACA,WAAO,WAAW,iBAAiB,KAAK,IAAI;AAAA,EAC7C;AAAA,EAEA,OAAe,WAAW,KAAiB,KAAiB,YAAoC;AAC/F,UAAM,aAAS,kBAAK,sBAAU,KAAK,SAAS;AAC5C,UAAM,WAAW,IAAI,WAAW,CAAC,GAAG,QAAQ,IAAI,MAAM,GAAG,GAAG,KAAK,GAAG,UAAU,CAAC;AAC/E,UAAM,UAAM,kBAAK,sBAAU,QAAQ,QAAQ;AAC3C,WAAO;AAAA,EACR;AAAA,EAEA,OAAe,iBAAiB,KAAiB,KAA6B;AAC7E,UAAM,YAAY;AAClB,QAAI,SAAS,WAAW,KAAK,EAAE,QAAQ,IAAI,OAAO,GAAG,MAAM,CAAC;AAC5D,UAAM,oBAAgB,kBAAK,sBAAU,KAAK,gBAAgB;AAC1D,aAAS,IAAI,GAAG,IAAI,YAAY,IAAI,QAAQ,KAAK;AAChD,YAAM,QAAQ,IAAI,MAAM,IAAI,YAAY,IAAI,KAAK,SAAS;AAC1D,UAAI,WAAO,kBAAK,sBAAU,eAAe,QAAQ,CAAC,CAAC;AACnD,YAAM,qBAAiB,4BAAa,OAAO,IAAI;AAC/C,aAAO,IAAI,gBAAgB,IAAI,SAAS;AAAA,IACzC;AACA,WAAO;AAAA,EACR;AACD;AAKA,SAAS,QAAQ,GAAuB;AACvC,SAAO,eAAI,IAAI,EAAE,UAAU,CAAC,EAAE,QAAQ;AACvC;AAEA,MAAM,mBAAmB,IAAI,WAAW,CAAC,CAAC,CAAC;AAC3C,MAAM,YAAY,IAAI,WAAW,CAAC,CAAC,CAAC;",
+  "names": ["import_utils"]
+}

package/dist/cjs/elgamal.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/elgamal.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nexport function elgamalDecrypt(sk: Uint8Array, ciphertext: [Uint8Array, Uint8Array]): Uint8Array {\n\treturn decrypt(Scalar.fromBytes(sk), [\n\t\tG1Element.fromBytes(ciphertext[0]),\n\t\tG1Element.fromBytes(ciphertext[1]),\n\t]).toBytes();\n}\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nfunction decrypt(sk: Scalar, encryption: [G1Element, G1Element]): G1Element {\n\treturn encryption[1].subtract(encryption[0].multiply(sk));\n}\n\n// /**\n//  * Encrypt a message with a given public key. Both the public key and the message must a compressed G1Element (48 bytes).\n//  */\n// function elgamal_encrypt(pk: Uint8Array, message: Uint8Array): [Uint8Array, Uint8Array] {\n// \tconst ciphertext = encrypt(G1Element.fromBytes(pk), G1Element.fromBytes(message));\n// \treturn [ciphertext[0].toBytes(), ciphertext[1].toBytes()];\n// }\n\n// /**\n//  * Encrypt a message with a given public key. Both the public key and the message must a compressed G1Element (48 bytes).\n//  */\n// function encrypt(pk: G1Element, message: G1Element): [G1Element, G1Element] {\n// \tconst r = Scalar.random();\n// \treturn [G1Element.generator().multiply(r), pk.multiply(r).add(message)];\n// }\n\n/** Generate a random secret key. */\nexport function generateSecretKey(): Uint8Array {\n\treturn Scalar.random().toBytes();\n}\n\n/** Derive the BLS public key for a given secret key. */\nexport function toPublicKey(sk: Uint8Array): Uint8Array {\n\treturn G1Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n\n/** Derive the BLS verification key for a given secret key. */\nexport function toVerificationKey(sk: Uint8Array): Uint8Array {\n\treturn G2Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,sBAA6C;AAMtC,SAAS,eAAe,IAAgB,YAAkD;AAChG,SAAO,QAAQ,uBAAO,UAAU,EAAE,GAAG;AAAA,IACpC,0BAAU,UAAU,WAAW,CAAC,CAAC;AAAA,IACjC,0BAAU,UAAU,WAAW,CAAC,CAAC;AAAA,EAClC,CAAC,EAAE,QAAQ;AACZ;AAMA,SAAS,QAAQ,IAAY,YAA+C;AAC3E,SAAO,WAAW,CAAC,EAAE,SAAS,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;AACzD;AAmBO,SAAS,oBAAgC;AAC/C,SAAO,uBAAO,OAAO,EAAE,QAAQ;AAChC;AAGO,SAAS,YAAY,IAA4B;AACvD,SAAO,0BAAU,UAAU,EAAE,SAAS,uBAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;AAGO,SAAS,kBAAkB,IAA4B;AAC7D,SAAO,0BAAU,UAAU,EAAE,SAAS,uBAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nexport function elgamalDecrypt(sk: Uint8Array, ciphertext: [Uint8Array, Uint8Array]): Uint8Array {\n\treturn decrypt(Scalar.fromBytes(sk), [\n\t\tG1Element.fromBytes(ciphertext[0]),\n\t\tG1Element.fromBytes(ciphertext[1]),\n\t]).toBytes();\n}\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nfunction decrypt(sk: Scalar, encryption: [G1Element, G1Element]): G1Element {\n\treturn encryption[1].subtract(encryption[0].multiply(sk));\n}\n\n/** Generate a random secret key. */\nexport function generateSecretKey(): Uint8Array {\n\treturn Scalar.random().toBytes();\n}\n\n/** Derive the BLS public key for a given secret key. */\nexport function toPublicKey(sk: Uint8Array): Uint8Array {\n\treturn G1Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n\n/** Derive the BLS verification key for a given secret key. */\nexport function toVerificationKey(sk: Uint8Array): Uint8Array {\n\treturn G2Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,sBAA6C;AAMtC,SAAS,eAAe,IAAgB,YAAkD;AAChG,SAAO,QAAQ,uBAAO,UAAU,EAAE,GAAG;AAAA,IACpC,0BAAU,UAAU,WAAW,CAAC,CAAC;AAAA,IACjC,0BAAU,UAAU,WAAW,CAAC,CAAC;AAAA,EAClC,CAAC,EAAE,QAAQ;AACZ;AAMA,SAAS,QAAQ,IAAY,YAA+C;AAC3E,SAAO,WAAW,CAAC,EAAE,SAAS,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;AACzD;AAGO,SAAS,oBAAgC;AAC/C,SAAO,uBAAO,OAAO,EAAE,QAAQ;AAChC;AAGO,SAAS,YAAY,IAA4B;AACvD,SAAO,0BAAU,UAAU,EAAE,SAAS,uBAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;AAGO,SAAS,kBAAkB,IAA4B;AAC7D,SAAO,0BAAU,UAAU,EAAE,SAAS,uBAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;",
   "names": []
 }

package/dist/cjs/encrypt.d.ts

@@ -1,10 +1,11 @@
-import type { EncryptionInput } from './aes.js';
+import type { EncryptionInput } from './dem.js';
 import type { KeyServer } from './key-server.js';
 export declare const MAX_U8 = 255;
 /**
  * Given full ID and what key servers to use, return the encrypted message under the identity and return the bcs bytes of the encrypted object.
  *
  * @param keyServers - A list of KeyServers (same server can be used multiple times)
+ * @param kemType - The type of KEM to use.
  * @param packageId - packageId
  * @param id - id
  * @param encryptionInput - Input to the encryption. Should be one of the EncryptionInput types, AesGcmEncryptionInput or Plain.
@@ -12,13 +13,21 @@ export declare const MAX_U8 = 255;
  * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.
  * Since the key can be used to decrypt, it should not be shared but can be used eg. for backup.
  */
-export declare function encrypt<Input extends EncryptionInput>({ keyServers, threshold, packageId, id, encryptionInput, }: {
+export declare function encrypt({ keyServers, kemType, threshold, packageId, id, encryptionInput, }: {
     keyServers: KeyServer[];
+    kemType: KemType;
     threshold: number;
-    packageId: Uint8Array;
-    id: Uint8Array;
-    encryptionInput: Input;
+    packageId: string;
+    id: string;
+    encryptionInput: EncryptionInput;
 }): Promise<{
     encryptedObject: Uint8Array;
     key: Uint8Array;
 }>;
+export declare enum KemType {
+    BonehFranklinBLS12381DemCCA = 0
+}
+export declare enum DemType {
+    AesGcm256 = 0,
+    Hmac256Ctr = 1
+}

package/dist/cjs/encrypt.js

@@ -18,58 +18,88 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var encrypt_exports = {};
 __export(encrypt_exports, {
+  DemType: () => DemType,
+  KemType: () => KemType,
   MAX_U8: () => MAX_U8,
   encrypt: () => encrypt
 });
 module.exports = __toCommonJS(encrypt_exports);
+var import_bcs = require("@mysten/bcs");
+var import_utils = require("@mysten/sui/utils");
 var import_shamir_secret_sharing = require("shamir-secret-sharing");
+var import_bcs2 = require("./bcs.js");
+var import_error = require("./error.js");
 var import_ibe = require("./ibe.js");
-var import_key_server = require("./key-server.js");
-var import_types = require("./types.js");
-var import_utils = require("./utils.js");
+var import_kdf = require("./kdf.js");
+var import_utils2 = require("./utils.js");
 const MAX_U8 = 255;
 async function encrypt({
   keyServers,
+  kemType,
   threshold,
   packageId,
   id,
   encryptionInput
 }) {
-  if (keyServers.length < threshold || threshold === 0 || keyServers.length > MAX_U8 || threshold > MAX_U8 || packageId.length !== 32) {
-    throw new Error("Invalid input");
+  if (keyServers.length < threshold || threshold === 0 || keyServers.length > MAX_U8 || threshold > MAX_U8 || !(0, import_utils.isValidSuiObjectId)(packageId)) {
+    throw new import_error.UserError(
+      `Invalid key servers or threshold ${threshold} for ${keyServers.length} key servers for package ${packageId}`
+    );
   }
-  if (keyServers.some((server) => server.keyType !== import_key_server.KeyServerType.BonehFranklinBLS12381)) {
-    throw new Error("Key type is not supported");
-  }
-  const ibeServers = new import_ibe.BonehFranklinBLS12381Services(keyServers);
   const key = await encryptionInput.generateKey();
-  const ciphertext = await encryptionInput.encrypt(key);
-  const shares = await split(key, ibeServers.size(), threshold);
-  const fullId = (0, import_utils.createFullId)(import_ibe.DST, packageId, id);
-  const encrypted_shares = ibeServers.encryptBatched(
-    fullId,
+  const demKey = (0, import_kdf.deriveKey)(import_kdf.KeyPurpose.DEM, key);
+  const ciphertext = await encryptionInput.encrypt(demKey);
+  const shares = await split(key, keyServers.length, threshold);
+  const fullId = (0, import_utils2.createFullId)(import_ibe.DST, packageId, id);
+  const encryptedShares = encryptBatched(
+    keyServers,
+    kemType,
+    (0, import_bcs.fromHex)(fullId),
     shares.map(({ share, index }) => ({
       msg: share,
-      info: new Uint8Array([index])
-    }))
+      index
+    })),
+    (0, import_kdf.deriveKey)(import_kdf.KeyPurpose.EncryptedRandomness, key)
   );
-  const services = ibeServers.getObjectIds().map((id2, i) => [id2, shares[i].index]);
+  const services = keyServers.map((server, i) => [
+    server.objectId,
+    shares[i].index
+  ]);
   return {
-    encryptedObject: import_types.EncryptedObject.serialize({
+    encryptedObject: import_bcs2.EncryptedObject.serialize({
       version: 0,
-      package_id: packageId,
+      packageId,
       id,
       services,
       threshold,
-      encrypted_shares,
+      encryptedShares,
       ciphertext
     }).toBytes(),
-    key
+    key: demKey
   };
 }
+var KemType = /* @__PURE__ */ ((KemType2) => {
+  KemType2[KemType2["BonehFranklinBLS12381DemCCA"] = 0] = "BonehFranklinBLS12381DemCCA";
+  return KemType2;
+})(KemType || {});
+var DemType = /* @__PURE__ */ ((DemType2) => {
+  DemType2[DemType2["AesGcm256"] = 0] = "AesGcm256";
+  DemType2[DemType2["Hmac256Ctr"] = 1] = "Hmac256Ctr";
+  return DemType2;
+})(DemType || {});
+function encryptBatched(keyServers, kemType, id, shares, randomnessKey) {
+  switch (kemType) {
+    case 0 /* BonehFranklinBLS12381DemCCA */:
+      return new import_ibe.BonehFranklinBLS12381Services(keyServers).encryptBatched(
+        id,
+        shares,
+        randomnessKey
+      );
+  }
+}
 async function split(secret, n, threshold) {
   if (n === 0 || threshold === 0 || threshold > n) {
-    throw new Error("Invalid input");
+    throw new Error("Invalid threshold or number of shares");
   } else if (threshold === 1) {
     const result = [];
     for (let i = 0; i < n; i++) {

package/dist/cjs/encrypt.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/encrypt.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { split as externalSplit } from 'shamir-secret-sharing';\n\nimport type { EncryptionInput } from './aes.js';\nimport { BonehFranklinBLS12381Services, DST } from './ibe.js';\nimport type { KeyServer } from './key-server.js';\nimport { KeyServerType } from './key-server.js';\nimport { EncryptedObject } from './types.js';\nimport { createFullId } from './utils.js';\n\nexport const MAX_U8 = 255;\n\n/**\n * Given full ID and what key servers to use, return the encrypted message under the identity and return the bcs bytes of the encrypted object.\n *\n * @param keyServers - A list of KeyServers (same server can be used multiple times)\n * @param packageId - packageId\n * @param id - id\n * @param encryptionInput - Input to the encryption. Should be one of the EncryptionInput types, AesGcmEncryptionInput or Plain.\n * @param threshold - The threshold for the TSS encryption.\n * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.\n * Since the key can be used to decrypt, it should not be shared but can be used eg. for backup.\n */\nexport async function encrypt<Input extends EncryptionInput>({\n\tkeyServers,\n\tthreshold,\n\tpackageId,\n\tid,\n\tencryptionInput,\n}: {\n\tkeyServers: KeyServer[];\n\tthreshold: number;\n\tpackageId: Uint8Array;\n\tid: Uint8Array;\n\tencryptionInput: Input;\n}): Promise<{\n\tencryptedObject: Uint8Array;\n\tkey: Uint8Array;\n}> {\n\t// Check inputs\n\tif (\n\t\tkeyServers.length < threshold ||\n\t\tthreshold === 0 ||\n\t\tkeyServers.length > MAX_U8 ||\n\t\tthreshold > MAX_U8 ||\n\t\tpackageId.length !== 32\n\t) {\n\t\tthrow new Error('Invalid input');\n\t}\n\tif (keyServers.some((server) => server.keyType !== KeyServerType.BonehFranklinBLS12381)) {\n\t\tthrow new Error('Key type is not supported');\n\t}\n\tconst ibeServers = new BonehFranklinBLS12381Services(keyServers);\n\n\t// Generate a random symmetric key and encrypt the encryption input using this key.\n\tconst key = await encryptionInput.generateKey();\n\tconst ciphertext = await encryptionInput.encrypt(key);\n\n\t// Split the symmetric key into shares and encrypt each share with the public keys of the key servers.\n\tconst shares = await split(key, ibeServers.size(), threshold);\n\n\t// Encrypt the shares with the public keys of the key servers.\n\tconst fullId = createFullId(DST, packageId, id);\n\tconst encrypted_shares = ibeServers.encryptBatched(\n\t\tfullId,\n\t\tshares.map(({ share, index }) => ({\n\t\t\tmsg: share,\n\t\t\tinfo: new Uint8Array([index]),\n\t\t})),\n\t);\n\n\t// Services and indices of their shares are stored as a tuple\n\tconst services: [Uint8Array, number][] = ibeServers\n\t\t.getObjectIds()\n\t\t.map((id, i) => [id, shares[i].index]);\n\n\treturn {\n\t\tencryptedObject: EncryptedObject.serialize({\n\t\t\tversion: 0,\n\t\t\tpackage_id: packageId,\n\t\t\tid,\n\t\t\tservices,\n\t\t\tthreshold,\n\t\t\tencrypted_shares,\n\t\t\tciphertext,\n\t\t}).toBytes(),\n\t\tkey,\n\t};\n}\n\nasync function split(\n\tsecret: Uint8Array,\n\tn: number,\n\tthreshold: number,\n): Promise<{ index: number; share: Uint8Array }[]> {\n\t// The externalSplit function is from the 'shamir-secret-sharing' package and requires t > 1 and n >= 2.\n\t// So we handle the special cases here.\n\tif (n === 0 || threshold === 0 || threshold > n) {\n\t\tthrow new Error('Invalid input');\n\t} else if (threshold === 1) {\n\t\t// If the threshold is 1, the secret is not split.\n\t\tconst result = [];\n\t\tfor (let i = 0; i < n; i++) {\n\t\t\t// The shared polynomial is a constant in this case, so the index doesn't matter.\n\t\t\t// To make sure they are unique, we use a counter.\n\t\t\tresult.push({ share: secret, index: i });\n\t\t}\n\t\treturn Promise.resolve(result);\n\t}\n\n\treturn externalSplit(secret, n, threshold).then((share) =>\n\t\tshare.map((s) => ({\n\t\t\tshare: s.subarray(0, s.length - 1),\n\t\t\t// split() returns the share index in the last byte\n\t\t\tindex: s[s.length - 1],\n\t\t})),\n\t);\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,mCAAuC;AAGvC,iBAAmD;AAEnD,wBAA8B;AAC9B,mBAAgC;AAChC,mBAA6B;AAEtB,MAAM,SAAS;AAatB,eAAsB,QAAuC;AAAA,EAC5D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACD,GASG;AAEF,MACC,WAAW,SAAS,aACpB,cAAc,KACd,WAAW,SAAS,UACpB,YAAY,UACZ,UAAU,WAAW,IACpB;AACD,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,MAAI,WAAW,KAAK,CAAC,WAAW,OAAO,YAAY,gCAAc,qBAAqB,GAAG;AACxF,UAAM,IAAI,MAAM,2BAA2B;AAAA,EAC5C;AACA,QAAM,aAAa,IAAI,yCAA8B,UAAU;AAG/D,QAAM,MAAM,MAAM,gBAAgB,YAAY;AAC9C,QAAM,aAAa,MAAM,gBAAgB,QAAQ,GAAG;AAGpD,QAAM,SAAS,MAAM,MAAM,KAAK,WAAW,KAAK,GAAG,SAAS;AAG5D,QAAM,aAAS,2BAAa,gBAAK,WAAW,EAAE;AAC9C,QAAM,mBAAmB,WAAW;AAAA,IACnC;AAAA,IACA,OAAO,IAAI,CAAC,EAAE,OAAO,MAAM,OAAO;AAAA,MACjC,KAAK;AAAA,MACL,MAAM,IAAI,WAAW,CAAC,KAAK,CAAC;AAAA,IAC7B,EAAE;AAAA,EACH;AAGA,QAAM,WAAmC,WACvC,aAAa,EACb,IAAI,CAACA,KAAI,MAAM,CAACA,KAAI,OAAO,CAAC,EAAE,KAAK,CAAC;AAEtC,SAAO;AAAA,IACN,iBAAiB,6BAAgB,UAAU;AAAA,MAC1C,SAAS;AAAA,MACT,YAAY;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD,CAAC,EAAE,QAAQ;AAAA,IACX;AAAA,EACD;AACD;AAEA,eAAe,MACd,QACA,GACA,WACkD;AAGlD,MAAI,MAAM,KAAK,cAAc,KAAK,YAAY,GAAG;AAChD,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC,WAAW,cAAc,GAAG;AAE3B,UAAM,SAAS,CAAC;AAChB,aAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAG3B,aAAO,KAAK,EAAE,OAAO,QAAQ,OAAO,EAAE,CAAC;AAAA,IACxC;AACA,WAAO,QAAQ,QAAQ,MAAM;AAAA,EAC9B;AAEA,aAAO,6BAAAC,OAAc,QAAQ,GAAG,SAAS,EAAE;AAAA,IAAK,CAAC,UAChD,MAAM,IAAI,CAAC,OAAO;AAAA,MACjB,OAAO,EAAE,SAAS,GAAG,EAAE,SAAS,CAAC;AAAA;AAAA,MAEjC,OAAO,EAAE,EAAE,SAAS,CAAC;AAAA,IACtB,EAAE;AAAA,EACH;AACD;",
-  "names": ["id", "externalSplit"]
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@mysten/bcs';\nimport { isValidSuiObjectId } from '@mysten/sui/utils';\nimport { split as externalSplit } from 'shamir-secret-sharing';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport { EncryptedObject } from './bcs.js';\nimport type { EncryptionInput } from './dem.js';\nimport { UserError } from './error.js';\nimport { BonehFranklinBLS12381Services, DST } from './ibe.js';\nimport { deriveKey, KeyPurpose } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { createFullId } from './utils.js';\n\nexport const MAX_U8 = 255;\n\n/**\n * Given full ID and what key servers to use, return the encrypted message under the identity and return the bcs bytes of the encrypted object.\n *\n * @param keyServers - A list of KeyServers (same server can be used multiple times)\n * @param kemType - The type of KEM to use.\n * @param packageId - packageId\n * @param id - id\n * @param encryptionInput - Input to the encryption. Should be one of the EncryptionInput types, AesGcmEncryptionInput or Plain.\n * @param threshold - The threshold for the TSS encryption.\n * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.\n * Since the key can be used to decrypt, it should not be shared but can be used eg. for backup.\n */\nexport async function encrypt({\n\tkeyServers,\n\tkemType,\n\tthreshold,\n\tpackageId,\n\tid,\n\tencryptionInput,\n}: {\n\tkeyServers: KeyServer[];\n\tkemType: KemType;\n\tthreshold: number;\n\tpackageId: string;\n\tid: string;\n\tencryptionInput: EncryptionInput;\n}): Promise<{\n\tencryptedObject: Uint8Array;\n\tkey: Uint8Array;\n}> {\n\t// Check inputs\n\tif (\n\t\tkeyServers.length < threshold ||\n\t\tthreshold === 0 ||\n\t\tkeyServers.length > MAX_U8 ||\n\t\tthreshold > MAX_U8 ||\n\t\t!isValidSuiObjectId(packageId)\n\t) {\n\t\tthrow new UserError(\n\t\t\t`Invalid key servers or threshold ${threshold} for ${keyServers.length} key servers for package ${packageId}`,\n\t\t);\n\t}\n\n\t// Generate a random symmetric key and encrypt the encryption input using this key.\n\tconst key = await encryptionInput.generateKey();\n\tconst demKey = deriveKey(KeyPurpose.DEM, key);\n\tconst ciphertext = await encryptionInput.encrypt(demKey);\n\n\t// Split the symmetric key into shares and encrypt each share with the public keys of the key servers.\n\tconst shares = await split(key, keyServers.length, threshold);\n\n\t// Encrypt the shares with the public keys of the key servers.\n\tconst fullId = createFullId(DST, packageId, id);\n\tconst encryptedShares = encryptBatched(\n\t\tkeyServers,\n\t\tkemType,\n\t\tfromHex(fullId),\n\t\tshares.map(({ share, index }) => ({\n\t\t\tmsg: share,\n\t\t\tindex,\n\t\t})),\n\t\tderiveKey(KeyPurpose.EncryptedRandomness, key),\n\t);\n\n\t// Services and indices of their shares are stored as a tuple\n\tconst services: [string, number][] = keyServers.map((server, i) => [\n\t\tserver.objectId,\n\t\tshares[i].index,\n\t]);\n\n\treturn {\n\t\tencryptedObject: EncryptedObject.serialize({\n\t\t\tversion: 0,\n\t\t\tpackageId,\n\t\t\tid,\n\t\t\tservices,\n\t\t\tthreshold,\n\t\t\tencryptedShares,\n\t\t\tciphertext,\n\t\t}).toBytes(),\n\t\tkey: demKey,\n\t};\n}\n\nexport enum KemType {\n\tBonehFranklinBLS12381DemCCA = 0,\n}\n\nexport enum DemType {\n\tAesGcm256 = 0,\n\tHmac256Ctr = 1,\n}\n\nfunction encryptBatched(\n\tkeyServers: KeyServer[],\n\tkemType: KemType,\n\tid: Uint8Array,\n\tshares: { msg: Uint8Array; index: number }[],\n\trandomnessKey: Uint8Array,\n): typeof IBEEncryptions.$inferType {\n\tswitch (kemType) {\n\t\tcase KemType.BonehFranklinBLS12381DemCCA:\n\t\t\treturn new BonehFranklinBLS12381Services(keyServers).encryptBatched(\n\t\t\t\tid,\n\t\t\t\tshares,\n\t\t\t\trandomnessKey,\n\t\t\t);\n\t}\n}\n\nasync function split(\n\tsecret: Uint8Array,\n\tn: number,\n\tthreshold: number,\n): Promise<{ index: number; share: Uint8Array }[]> {\n\t// The externalSplit function is from the 'shamir-secret-sharing' package and requires t > 1 and n >= 2.\n\t// So we handle the special cases here.\n\tif (n === 0 || threshold === 0 || threshold > n) {\n\t\tthrow new Error('Invalid threshold or number of shares');\n\t} else if (threshold === 1) {\n\t\t// If the threshold is 1, the secret is not split.\n\t\tconst result = [];\n\t\tfor (let i = 0; i < n; i++) {\n\t\t\t// The shared polynomial is a constant in this case, so the index doesn't matter.\n\t\t\t// To make sure they are unique, we use a counter.\n\t\t\tresult.push({ share: secret, index: i });\n\t\t}\n\t\treturn Promise.resolve(result);\n\t}\n\n\treturn externalSplit(secret, n, threshold).then((share) =>\n\t\tshare.map((s) => ({\n\t\t\tshare: s.subarray(0, s.length - 1),\n\t\t\t// split() returns the share index in the last byte\n\t\t\tindex: s[s.length - 1],\n\t\t})),\n\t);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAwB;AACxB,mBAAmC;AACnC,mCAAuC;AAGvC,IAAAA,cAAgC;AAEhC,mBAA0B;AAC1B,iBAAmD;AACnD,iBAAsC;AAEtC,IAAAC,gBAA6B;AAEtB,MAAM,SAAS;AActB,eAAsB,QAAQ;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACD,GAUG;AAEF,MACC,WAAW,SAAS,aACpB,cAAc,KACd,WAAW,SAAS,UACpB,YAAY,UACZ,KAAC,iCAAmB,SAAS,GAC5B;AACD,UAAM,IAAI;AAAA,MACT,oCAAoC,SAAS,QAAQ,WAAW,MAAM,4BAA4B,SAAS;AAAA,IAC5G;AAAA,EACD;AAGA,QAAM,MAAM,MAAM,gBAAgB,YAAY;AAC9C,QAAM,aAAS,sBAAU,sBAAW,KAAK,GAAG;AAC5C,QAAM,aAAa,MAAM,gBAAgB,QAAQ,MAAM;AAGvD,QAAM,SAAS,MAAM,MAAM,KAAK,WAAW,QAAQ,SAAS;AAG5D,QAAM,aAAS,4BAAa,gBAAK,WAAW,EAAE;AAC9C,QAAM,kBAAkB;AAAA,IACvB;AAAA,IACA;AAAA,QACA,oBAAQ,MAAM;AAAA,IACd,OAAO,IAAI,CAAC,EAAE,OAAO,MAAM,OAAO;AAAA,MACjC,KAAK;AAAA,MACL;AAAA,IACD,EAAE;AAAA,QACF,sBAAU,sBAAW,qBAAqB,GAAG;AAAA,EAC9C;AAGA,QAAM,WAA+B,WAAW,IAAI,CAAC,QAAQ,MAAM;AAAA,IAClE,OAAO;AAAA,IACP,OAAO,CAAC,EAAE;AAAA,EACX,CAAC;AAED,SAAO;AAAA,IACN,iBAAiB,4BAAgB,UAAU;AAAA,MAC1C,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD,CAAC,EAAE,QAAQ;AAAA,IACX,KAAK;AAAA,EACN;AACD;AAEO,IAAK,UAAL,kBAAKC,aAAL;AACN,EAAAA,kBAAA,iCAA8B,KAA9B;AADW,SAAAA;AAAA,GAAA;AAIL,IAAK,UAAL,kBAAKC,aAAL;AACN,EAAAA,kBAAA,eAAY,KAAZ;AACA,EAAAA,kBAAA,gBAAa,KAAb;AAFW,SAAAA;AAAA,GAAA;AAKZ,SAAS,eACR,YACA,SACA,IACA,QACA,eACmC;AACnC,UAAQ,SAAS;AAAA,IAChB,KAAK;AACJ,aAAO,IAAI,yCAA8B,UAAU,EAAE;AAAA,QACpD;AAAA,QACA;AAAA,QACA;AAAA,MACD;AAAA,EACF;AACD;AAEA,eAAe,MACd,QACA,GACA,WACkD;AAGlD,MAAI,MAAM,KAAK,cAAc,KAAK,YAAY,GAAG;AAChD,UAAM,IAAI,MAAM,uCAAuC;AAAA,EACxD,WAAW,cAAc,GAAG;AAE3B,UAAM,SAAS,CAAC;AAChB,aAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAG3B,aAAO,KAAK,EAAE,OAAO,QAAQ,OAAO,EAAE,CAAC;AAAA,IACxC;AACA,WAAO,QAAQ,QAAQ,MAAM;AAAA,EAC9B;AAEA,aAAO,6BAAAC,OAAc,QAAQ,GAAG,SAAS,EAAE;AAAA,IAAK,CAAC,UAChD,MAAM,IAAI,CAAC,OAAO;AAAA,MACjB,OAAO,EAAE,SAAS,GAAG,EAAE,SAAS,CAAC;AAAA;AAAA,MAEjC,OAAO,EAAE,EAAE,SAAS,CAAC;AAAA,IACtB,EAAE;AAAA,EACH;AACD;",
+  "names": ["import_bcs", "import_utils", "KemType", "DemType", "externalSplit"]
 }

package/dist/cjs/error.d.ts

@@ -0,0 +1,58 @@
+export declare class SealError extends Error {
+}
+export declare class UserError extends SealError {
+}
+export declare class SealAPIError extends SealError {
+    #private;
+    requestId?: string | undefined;
+    status?: number | undefined;
+    constructor(message: string, requestId?: string | undefined, status?: number | undefined);
+    static assertResponse(response: Response, requestId: string): Promise<void>;
+}
+export declare class InvalidPTBError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidPackageError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class OldPackageError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidUserSignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSessionKeySignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the user does not have access to one or more of the requested keys */
+export declare class NoAccessError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the session key has expired */
+export declare class ExpiredSessionKeyError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Internal server error, caller should retry */
+export declare class InternalError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** General server errors that are not specific to the Seal API (e.g., 404 "Not Found") */
+export declare class GeneralError extends SealAPIError {
+}
+export declare class InvalidPersonalMessageSignatureError extends UserError {
+}
+export declare class InvalidGetObjectError extends UserError {
+}
+export declare class UnsupportedFeatureError extends UserError {
+}
+export declare class UnsupportedNetworkError extends UserError {
+}
+export declare class InvalidKeyServerError extends UserError {
+}
+export declare class InvalidCiphertextError extends UserError {
+}
+export declare class InvalidThresholdError extends UserError {
+}
+export declare class InconsistentKeyServersError extends UserError {
+}
+export declare function toMajorityError(errors: Error[]): Error;