@mysten/seal 0.6.0 → 0.8.0

package/dist/esm/elgamal.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/elgamal.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nexport function elgamalDecrypt(sk: Uint8Array, [c0, c1]: [Uint8Array, Uint8Array]): Uint8Array {\n\treturn decrypt(Scalar.fromBytes(sk), [\n\t\tG1Element.fromBytes(c0),\n\t\tG1Element.fromBytes(c1),\n\t]).toBytes();\n}\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nfunction decrypt(sk: Scalar, [c0, c1]: [G1Element, G1Element]): G1Element {\n\treturn c1.subtract(c0.multiply(sk));\n}\n\n/** Generate a random secret key. */\nexport function generateSecretKey(): Uint8Array<ArrayBuffer> {\n\treturn Scalar.random().toBytes() as Uint8Array<ArrayBuffer>;\n}\n\n/** Derive the BLS public key for a given secret key. */\nexport function toPublicKey(sk: Uint8Array<ArrayBuffer>): Uint8Array<ArrayBuffer> {\n\treturn G1Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n\n/** Derive the BLS verification key for a given secret key. */\nexport function toVerificationKey(sk: Uint8Array<ArrayBuffer>): Uint8Array<ArrayBuffer> {\n\treturn G2Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n"],
-  "mappings": "AAGA,SAAS,WAAW,WAAW,cAAc;AAMtC,SAAS,eAAe,IAAgB,CAAC,IAAI,EAAE,GAAyC;AAC9F,SAAO,QAAQ,OAAO,UAAU,EAAE,GAAG;AAAA,IACpC,UAAU,UAAU,EAAE;AAAA,IACtB,UAAU,UAAU,EAAE;AAAA,EACvB,CAAC,EAAE,QAAQ;AACZ;AAMA,SAAS,QAAQ,IAAY,CAAC,IAAI,EAAE,GAAsC;AACzE,SAAO,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;AACnC;AAGO,SAAS,oBAA6C;AAC5D,SAAO,OAAO,OAAO,EAAE,QAAQ;AAChC;AAGO,SAAS,YAAY,IAAsD;AACjF,SAAO,UAAU,UAAU,EAAE,SAAS,OAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;AAGO,SAAS,kBAAkB,IAAsD;AACvF,SAAO,UAAU,UAAU,EAAE,SAAS,OAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n *\n * Throws an error if the secret key is not a valid scalar or if the ciphertext elements are not valid G1 points.\n */\nexport function elgamalDecrypt(sk: Uint8Array, [c0, c1]: [Uint8Array, Uint8Array]): Uint8Array {\n\treturn decrypt(Scalar.fromBytes(sk), [\n\t\tG1Element.fromBytes(c0),\n\t\tG1Element.fromBytes(c1),\n\t]).toBytes();\n}\n\n/**\n * Decrypt a ciphertext with a given secret key. The secret key must be a 32-byte scalar.\n * The ciphertext is a pair of G1Elements (48 bytes).\n */\nfunction decrypt(sk: Scalar, [c0, c1]: [G1Element, G1Element]): G1Element {\n\treturn c1.subtract(c0.multiply(sk));\n}\n\n/** Generate a random secret key. */\nexport function generateSecretKey(): Uint8Array<ArrayBuffer> {\n\treturn Scalar.random().toBytes() as Uint8Array<ArrayBuffer>;\n}\n\n/** Derive the BLS public key for a given secret key. */\nexport function toPublicKey(sk: Uint8Array<ArrayBuffer>): Uint8Array<ArrayBuffer> {\n\treturn G1Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n\n/** Derive the BLS verification key for a given secret key. */\nexport function toVerificationKey(sk: Uint8Array<ArrayBuffer>): Uint8Array<ArrayBuffer> {\n\treturn G2Element.generator().multiply(Scalar.fromBytes(sk)).toBytes();\n}\n"],
+  "mappings": "AAGA,SAAS,WAAW,WAAW,cAAc;AAQtC,SAAS,eAAe,IAAgB,CAAC,IAAI,EAAE,GAAyC;AAC9F,SAAO,QAAQ,OAAO,UAAU,EAAE,GAAG;AAAA,IACpC,UAAU,UAAU,EAAE;AAAA,IACtB,UAAU,UAAU,EAAE;AAAA,EACvB,CAAC,EAAE,QAAQ;AACZ;AAMA,SAAS,QAAQ,IAAY,CAAC,IAAI,EAAE,GAAsC;AACzE,SAAO,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;AACnC;AAGO,SAAS,oBAA6C;AAC5D,SAAO,OAAO,OAAO,EAAE,QAAQ;AAChC;AAGO,SAAS,YAAY,IAAsD;AACjF,SAAO,UAAU,UAAU,EAAE,SAAS,OAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;AAGO,SAAS,kBAAkB,IAAsD;AACvF,SAAO,UAAU,UAAU,EAAE,SAAS,OAAO,UAAU,EAAE,CAAC,EAAE,QAAQ;AACrE;",
   "names": []
 }

package/dist/esm/ibe.d.ts

@@ -1,6 +1,6 @@
 import type { IBEEncryptions } from './bcs.js';
 import type { G1Element } from './bls12381.js';
-import { G2Element, Scalar } from './bls12381.js';
+import { G2Element } from './bls12381.js';
 import type { KeyServer } from './key-server.js';
 import type { Share } from './shamir.js';
 /**
@@ -61,24 +61,37 @@ export declare class BonehFranklinBLS12381Services extends IBEServers {
      * @param id - The id.
      * @returns All decrypted shares.
      */
-    static decryptAllSharesUsingRandomness(randomness: Scalar, encryptedShares: Uint8Array[], services: [string, number][], publicKeys: G2Element[], nonce: G2Element, id: Uint8Array): {
+    static decryptAllSharesUsingRandomness(randomness: Uint8Array, encryptedShares: Uint8Array[], services: [string, number][], publicKeys: G2Element[], nonce: G2Element, id: Uint8Array): {
         index: number;
         share: Uint8Array;
     }[];
 }
 /**
  * Verify that the given randomness was used to crate the nonce.
+ * Throws an error if the given randomness is invalid (not a BLS scalar).
  *
  * @param randomness - The randomness.
  * @param nonce - The nonce.
+ * @param useBE - Flag to indicate if BE encoding is used for the randomness. Defaults to true.
  * @returns True if the randomness was used to create the nonce, false otherwise.
  */
-export declare function verifyNonce(nonce: G2Element, randomness: Scalar): boolean;
+export declare function verifyNonce(nonce: G2Element, randomness: Uint8Array, useBE?: boolean): boolean;
 /**
  * Decrypt the randomness using a key.
  *
  * @param encrypted_randomness - The encrypted randomness.
  * @param derived_key - The derived key.
- * @returns The randomness.
+ * @returns The randomness. Returns both the scalar interpreted in big-endian and little-endian encoding.
  */
-export declare function decryptRandomness(encryptedRandomness: Uint8Array, randomnessKey: Uint8Array): Scalar;
+export declare function decryptRandomness(encryptedRandomness: Uint8Array, randomnessKey: Uint8Array): Uint8Array;
+/**
+ * Verify that the given randomness was used to crate the nonce.
+ * Check using both big-endian and little-endian encoding of the randomness.
+ *
+ * Throws an error if the nonce check doesn't pass using LE encoding _and_ the randomness is invalid as a BE encoded scalar.
+ *
+ * @param randomness - The randomness.
+ * @param nonce - The nonce.
+ * @returns True if the randomness was used to create the nonce using either LE or BE encoding, false otherwise.
+ */
+export declare function verifyNonceWithLE(nonce: G2Element, randomness: Uint8Array): boolean;

package/dist/esm/ibe.js

@@ -2,6 +2,7 @@ import { fromHex } from "@mysten/bcs";
 import { G2Element, Scalar } from "./bls12381.js";
 import { deriveKey, hashToG1, kdf, KeyPurpose } from "./kdf.js";
 import { xor } from "./utils.js";
+import { InvalidCiphertextError } from "./error.js";
 const DST_POP = new TextEncoder().encode("SUI-SEAL-IBE-BLS12381-POP-00");
 class IBEServers {
   constructor(objectIds) {
@@ -77,7 +78,13 @@ class BonehFranklinBLS12381Services extends IBEServers {
     if (publicKeys.length !== encryptedShares.length || publicKeys.length !== services.length) {
       throw new Error("The number of public keys, encrypted shares and services must be the same");
     }
-    const gid_r = hashToG1(id).multiply(randomness);
+    let r;
+    try {
+      r = Scalar.fromBytes(randomness);
+    } catch {
+      throw new InvalidCiphertextError("Invalid randomness");
+    }
+    const gid_r = hashToG1(id).multiply(r);
     return services.map(([objectId, index], i) => {
       return {
         index,
@@ -101,17 +108,39 @@ function encapBatched(publicKeys, id) {
 function decap(nonce, usk) {
   return usk.pairing(nonce);
 }
-function verifyNonce(nonce, randomness) {
-  return G2Element.generator().multiply(randomness).equals(nonce);
+function verifyNonce(nonce, randomness, useBE = true) {
+  try {
+    const r = decodeRandomness(randomness, useBE);
+    return G2Element.generator().multiply(r).equals(nonce);
+  } catch {
+    throw new InvalidCiphertextError("Invalid randomness");
+  }
+}
+function decodeRandomness(bytes, useBE) {
+  if (useBE) {
+    return Scalar.fromBytes(bytes);
+  } else {
+    return Scalar.fromBytesLE(bytes);
+  }
 }
 function decryptRandomness(encryptedRandomness, randomnessKey) {
-  return Scalar.fromBytes(xor(encryptedRandomness, randomnessKey));
+  return xor(encryptedRandomness, randomnessKey);
+}
+function verifyNonceWithLE(nonce, randomness) {
+  try {
+    if (verifyNonce(nonce, randomness, false)) {
+      return true;
+    }
+  } catch {
+  }
+  return verifyNonce(nonce, randomness, true);
 }
 export {
   BonehFranklinBLS12381Services,
   DST_POP,
   IBEServers,
   decryptRandomness,
-  verifyNonce
+  verifyNonce,
+  verifyNonceWithLE
 };
 //# sourceMappingURL=ibe.js.map

package/dist/esm/ibe.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/ibe.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@mysten/bcs';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport type { G1Element, GTElement } from './bls12381.js';\nimport { G2Element, Scalar } from './bls12381.js';\nimport { deriveKey, hashToG1, kdf, KeyPurpose } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { xor } from './utils.js';\nimport type { Share } from './shamir.js';\n\n/**\n * The domain separation tag for the signing proof of possession.\n */\nexport const DST_POP: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-POP-00');\n\n/**\n * The interface for the key servers.\n */\nexport abstract class IBEServers {\n\tobjectIds: string[];\n\n\tconstructor(objectIds: string[]) {\n\t\tthis.objectIds = objectIds;\n\t}\n\n\t/**\n\t * Encrypt a batch of messages for the given identity.\n\t *\n\t * @param id The identity.\n\t * @param msgAndIndices The messages and the corresponding indices of the share being encrypted.\n\t * @returns The encrypted messages.\n\t */\n\tabstract encryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType;\n}\n\n/**\n * Identity-based encryption based on the Boneh-Franklin IBE scheme (https://eprint.iacr.org/2001/090).\n * Note that this implementation is of the \"BasicIdent\" protocol which on its own is not CCA secure, so this IBE implementation should not be used on its own.\n *\n * This object represents a set of key servers that can be used to encrypt messages for a given identity.\n */\nexport class BonehFranklinBLS12381Services extends IBEServers {\n\treadonly publicKeys: G2Element[];\n\n\tconstructor(services: KeyServer[]) {\n\t\tsuper(services.map((service) => service.objectId));\n\t\tthis.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));\n\t}\n\n\tencryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType {\n\t\tif (this.publicKeys.length === 0 || this.publicKeys.length !== shares.length) {\n\t\t\tthrow new Error('Invalid public keys');\n\t\t}\n\t\tconst [r, nonce, keys] = encapBatched(this.publicKeys, id);\n\t\tconst encryptedShares = shares.map(({ share, index }, i) =>\n\t\t\txor(share, kdf(keys[i], nonce, id, this.objectIds[i], index)),\n\t\t);\n\t\tconst randomnessKey = deriveKey(\n\t\t\tKeyPurpose.EncryptedRandomness,\n\t\t\tbaseKey,\n\t\t\tencryptedShares,\n\t\t\tthreshold,\n\t\t\tthis.objectIds,\n\t\t);\n\t\tconst encryptedRandomness = xor(randomnessKey, r.toBytes());\n\n\t\treturn {\n\t\t\tBonehFranklinBLS12381: {\n\t\t\t\tnonce: nonce.toBytes(),\n\t\t\t\tencryptedShares,\n\t\t\t\tencryptedRandomness,\n\t\t\t},\n\t\t\t$kind: 'BonehFranklinBLS12381',\n\t\t};\n\t}\n\n\t/**\n\t * Returns true if the user secret key is valid for the given public key and id.\n\t * @param user_secret_key - The user secret key.\n\t * @param id - The identity.\n\t * @param public_key - The public key.\n\t * @returns True if the user secret key is valid for the given public key and id.\n\t */\n\tstatic verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean {\n\t\tconst lhs = userSecretKey.pairing(G2Element.generator());\n\t\tconst rhs = hashToG1(fromHex(id)).pairing(publicKey);\n\t\treturn lhs.equals(rhs);\n\t}\n\n\t/**\n\t * Identity-based decryption.\n\t *\n\t * @param nonce The encryption nonce.\n\t * @param sk The user secret key.\n\t * @param ciphertext The encrypted message.\n\t * @param info An info parameter also included in the KDF.\n\t * @returns The decrypted message.\n\t */\n\tstatic decrypt(\n\t\tnonce: G2Element,\n\t\tsk: G1Element,\n\t\tciphertext: Uint8Array,\n\t\tid: Uint8Array,\n\t\t[objectId, index]: [string, number],\n\t): Uint8Array {\n\t\treturn xor(ciphertext, kdf(decap(nonce, sk), nonce, id, objectId, index));\n\t}\n\n\t/**\n\t * Decrypt all shares and verify that the randomness was used to create the given nonce.\n\t *\n\t * @param randomness - The randomness.\n\t * @param encryptedShares - The encrypted shares.\n\t * @param services - The services.\n\t * @param publicKeys - The public keys.\n\t * @param nonce - The nonce.\n\t * @param id - The id.\n\t * @returns All decrypted shares.\n\t */\n\tstatic decryptAllSharesUsingRandomness(\n\t\trandomness: Scalar,\n\t\tencryptedShares: Uint8Array[],\n\t\tservices: [string, number][],\n\t\tpublicKeys: G2Element[],\n\t\tnonce: G2Element,\n\t\tid: Uint8Array,\n\t): { index: number; share: Uint8Array }[] {\n\t\tif (publicKeys.length !== encryptedShares.length || publicKeys.length !== services.length) {\n\t\t\tthrow new Error('The number of public keys, encrypted shares and services must be the same');\n\t\t}\n\t\tconst gid_r = hashToG1(id).multiply(randomness);\n\t\treturn services.map(([objectId, index], i) => {\n\t\t\treturn {\n\t\t\t\tindex,\n\t\t\t\tshare: xor(\n\t\t\t\t\tencryptedShares[i],\n\t\t\t\t\tkdf(gid_r.pairing(publicKeys[i]), nonce, id, objectId, index),\n\t\t\t\t),\n\t\t\t};\n\t\t});\n\t}\n}\n\n/**\n * Batched identity-based key-encapsulation mechanism: encapsulate multiple keys for given identity using different key servers.\n *\n * @param publicKeys Public keys for a set of key servers.\n * @param id The identity used to encapsulate the keys.\n * @returns A common nonce of the keys and a list of keys, 32 bytes each.\n */\nfunction encapBatched(publicKeys: G2Element[], id: Uint8Array): [Scalar, G2Element, GTElement[]] {\n\tif (publicKeys.length === 0) {\n\t\tthrow new Error('No public keys provided');\n\t}\n\tconst r = Scalar.random();\n\tconst nonce = G2Element.generator().multiply(r);\n\tconst gid_r = hashToG1(id).multiply(r);\n\treturn [r, nonce, publicKeys.map((public_key) => gid_r.pairing(public_key))];\n}\n\n/**\n * Decapsulate a key using a user secret key and the nonce.\n *\n * @param usk The user secret key.\n * @param nonce The nonce.\n * @returns The encapsulated key.\n */\nfunction decap(nonce: G2Element, usk: G1Element): GTElement {\n\treturn usk.pairing(nonce);\n}\n\n/**\n * Verify that the given randomness was used to crate the nonce.\n *\n * @param randomness - The randomness.\n * @param nonce - The nonce.\n * @returns True if the randomness was used to create the nonce, false otherwise.\n */\nexport function verifyNonce(nonce: G2Element, randomness: Scalar): boolean {\n\treturn G2Element.generator().multiply(randomness).equals(nonce);\n}\n\n/**\n * Decrypt the randomness using a key.\n *\n * @param encrypted_randomness - The encrypted randomness.\n * @param derived_key - The derived key.\n * @returns The randomness.\n */\nexport function decryptRandomness(\n\tencryptedRandomness: Uint8Array,\n\trandomnessKey: Uint8Array,\n): Scalar {\n\treturn Scalar.fromBytes(xor(encryptedRandomness, randomnessKey));\n}\n"],
-  "mappings": "AAGA,SAAS,eAAe;AAIxB,SAAS,WAAW,cAAc;AAClC,SAAS,WAAW,UAAU,KAAK,kBAAkB;AAErD,SAAS,WAAW;AAMb,MAAM,UAAsB,IAAI,YAAY,EAAE,OAAO,8BAA8B;AAKnF,MAAe,WAAW;AAAA,EAGhC,YAAY,WAAqB;AAChC,SAAK,YAAY;AAAA,EAClB;AAeD;AAQO,MAAM,sCAAsC,WAAW;AAAA,EAG7D,YAAY,UAAuB;AAClC,UAAM,SAAS,IAAI,CAAC,YAAY,QAAQ,QAAQ,CAAC;AACjD,SAAK,aAAa,SAAS,IAAI,CAAC,YAAY,UAAU,UAAU,QAAQ,EAAE,CAAC;AAAA,EAC5E;AAAA,EAEA,eACC,IACA,QACA,SACA,WACmC;AACnC,QAAI,KAAK,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,OAAO,QAAQ;AAC7E,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACtC;AACA,UAAM,CAAC,GAAG,OAAO,IAAI,IAAI,aAAa,KAAK,YAAY,EAAE;AACzD,UAAM,kBAAkB,OAAO;AAAA,MAAI,CAAC,EAAE,OAAO,MAAM,GAAG,MACrD,IAAI,OAAO,IAAI,KAAK,CAAC,GAAG,OAAO,IAAI,KAAK,UAAU,CAAC,GAAG,KAAK,CAAC;AAAA,IAC7D;AACA,UAAM,gBAAgB;AAAA,MACrB,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,IACN;AACA,UAAM,sBAAsB,IAAI,eAAe,EAAE,QAAQ,CAAC;AAE1D,WAAO;AAAA,MACN,uBAAuB;AAAA,QACtB,OAAO,MAAM,QAAQ;AAAA,QACrB;AAAA,QACA;AAAA,MACD;AAAA,MACA,OAAO;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,oBAAoB,eAA0B,IAAY,WAA+B;AAC/F,UAAM,MAAM,cAAc,QAAQ,UAAU,UAAU,CAAC;AACvD,UAAM,MAAM,SAAS,QAAQ,EAAE,CAAC,EAAE,QAAQ,SAAS;AACnD,WAAO,IAAI,OAAO,GAAG;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,QACN,OACA,IACA,YACA,IACA,CAAC,UAAU,KAAK,GACH;AACb,WAAO,IAAI,YAAY,IAAI,MAAM,OAAO,EAAE,GAAG,OAAO,IAAI,UAAU,KAAK,CAAC;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,OAAO,gCACN,YACA,iBACA,UACA,YACA,OACA,IACyC;AACzC,QAAI,WAAW,WAAW,gBAAgB,UAAU,WAAW,WAAW,SAAS,QAAQ;AAC1F,YAAM,IAAI,MAAM,2EAA2E;AAAA,IAC5F;AACA,UAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,UAAU;AAC9C,WAAO,SAAS,IAAI,CAAC,CAAC,UAAU,KAAK,GAAG,MAAM;AAC7C,aAAO;AAAA,QACN;AAAA,QACA,OAAO;AAAA,UACN,gBAAgB,CAAC;AAAA,UACjB,IAAI,MAAM,QAAQ,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,UAAU,KAAK;AAAA,QAC7D;AAAA,MACD;AAAA,IACD,CAAC;AAAA,EACF;AACD;AASA,SAAS,aAAa,YAAyB,IAAkD;AAChG,MAAI,WAAW,WAAW,GAAG;AAC5B,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC1C;AACA,QAAM,IAAI,OAAO,OAAO;AACxB,QAAM,QAAQ,UAAU,UAAU,EAAE,SAAS,CAAC;AAC9C,QAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,CAAC;AACrC,SAAO,CAAC,GAAG,OAAO,WAAW,IAAI,CAAC,eAAe,MAAM,QAAQ,UAAU,CAAC,CAAC;AAC5E;AASA,SAAS,MAAM,OAAkB,KAA2B;AAC3D,SAAO,IAAI,QAAQ,KAAK;AACzB;AASO,SAAS,YAAY,OAAkB,YAA6B;AAC1E,SAAO,UAAU,UAAU,EAAE,SAAS,UAAU,EAAE,OAAO,KAAK;AAC/D;AASO,SAAS,kBACf,qBACA,eACS;AACT,SAAO,OAAO,UAAU,IAAI,qBAAqB,aAAa,CAAC;AAChE;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@mysten/bcs';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport type { G1Element, GTElement } from './bls12381.js';\nimport { G2Element, Scalar } from './bls12381.js';\nimport { deriveKey, hashToG1, kdf, KeyPurpose } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { xor } from './utils.js';\nimport type { Share } from './shamir.js';\nimport { InvalidCiphertextError } from './error.js';\n\n/**\n * The domain separation tag for the signing proof of possession.\n */\nexport const DST_POP: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-POP-00');\n\n/**\n * The interface for the key servers.\n */\nexport abstract class IBEServers {\n\tobjectIds: string[];\n\n\tconstructor(objectIds: string[]) {\n\t\tthis.objectIds = objectIds;\n\t}\n\n\t/**\n\t * Encrypt a batch of messages for the given identity.\n\t *\n\t * @param id The identity.\n\t * @param msgAndIndices The messages and the corresponding indices of the share being encrypted.\n\t * @returns The encrypted messages.\n\t */\n\tabstract encryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType;\n}\n\n/**\n * Identity-based encryption based on the Boneh-Franklin IBE scheme (https://eprint.iacr.org/2001/090).\n * Note that this implementation is of the \"BasicIdent\" protocol which on its own is not CCA secure, so this IBE implementation should not be used on its own.\n *\n * This object represents a set of key servers that can be used to encrypt messages for a given identity.\n */\nexport class BonehFranklinBLS12381Services extends IBEServers {\n\treadonly publicKeys: G2Element[];\n\n\tconstructor(services: KeyServer[]) {\n\t\tsuper(services.map((service) => service.objectId));\n\t\tthis.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));\n\t}\n\n\tencryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType {\n\t\tif (this.publicKeys.length === 0 || this.publicKeys.length !== shares.length) {\n\t\t\tthrow new Error('Invalid public keys');\n\t\t}\n\t\tconst [r, nonce, keys] = encapBatched(this.publicKeys, id);\n\t\tconst encryptedShares = shares.map(({ share, index }, i) =>\n\t\t\txor(share, kdf(keys[i], nonce, id, this.objectIds[i], index)),\n\t\t);\n\t\tconst randomnessKey = deriveKey(\n\t\t\tKeyPurpose.EncryptedRandomness,\n\t\t\tbaseKey,\n\t\t\tencryptedShares,\n\t\t\tthreshold,\n\t\t\tthis.objectIds,\n\t\t);\n\t\tconst encryptedRandomness = xor(randomnessKey, r.toBytes());\n\n\t\treturn {\n\t\t\tBonehFranklinBLS12381: {\n\t\t\t\tnonce: nonce.toBytes(),\n\t\t\t\tencryptedShares,\n\t\t\t\tencryptedRandomness,\n\t\t\t},\n\t\t\t$kind: 'BonehFranklinBLS12381',\n\t\t};\n\t}\n\n\t/**\n\t * Returns true if the user secret key is valid for the given public key and id.\n\t * @param user_secret_key - The user secret key.\n\t * @param id - The identity.\n\t * @param public_key - The public key.\n\t * @returns True if the user secret key is valid for the given public key and id.\n\t */\n\tstatic verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean {\n\t\tconst lhs = userSecretKey.pairing(G2Element.generator());\n\t\tconst rhs = hashToG1(fromHex(id)).pairing(publicKey);\n\t\treturn lhs.equals(rhs);\n\t}\n\n\t/**\n\t * Identity-based decryption.\n\t *\n\t * @param nonce The encryption nonce.\n\t * @param sk The user secret key.\n\t * @param ciphertext The encrypted message.\n\t * @param info An info parameter also included in the KDF.\n\t * @returns The decrypted message.\n\t */\n\tstatic decrypt(\n\t\tnonce: G2Element,\n\t\tsk: G1Element,\n\t\tciphertext: Uint8Array,\n\t\tid: Uint8Array,\n\t\t[objectId, index]: [string, number],\n\t): Uint8Array {\n\t\treturn xor(ciphertext, kdf(decap(nonce, sk), nonce, id, objectId, index));\n\t}\n\n\t/**\n\t * Decrypt all shares and verify that the randomness was used to create the given nonce.\n\t *\n\t * @param randomness - The randomness.\n\t * @param encryptedShares - The encrypted shares.\n\t * @param services - The services.\n\t * @param publicKeys - The public keys.\n\t * @param nonce - The nonce.\n\t * @param id - The id.\n\t * @returns All decrypted shares.\n\t */\n\tstatic decryptAllSharesUsingRandomness(\n\t\trandomness: Uint8Array,\n\t\tencryptedShares: Uint8Array[],\n\t\tservices: [string, number][],\n\t\tpublicKeys: G2Element[],\n\t\tnonce: G2Element,\n\t\tid: Uint8Array,\n\t): { index: number; share: Uint8Array }[] {\n\t\tif (publicKeys.length !== encryptedShares.length || publicKeys.length !== services.length) {\n\t\t\tthrow new Error('The number of public keys, encrypted shares and services must be the same');\n\t\t}\n\t\tlet r;\n\t\ttry {\n\t\t\tr = Scalar.fromBytes(randomness);\n\t\t} catch {\n\t\t\tthrow new InvalidCiphertextError('Invalid randomness');\n\t\t}\n\t\tconst gid_r = hashToG1(id).multiply(r);\n\t\treturn services.map(([objectId, index], i) => {\n\t\t\treturn {\n\t\t\t\tindex,\n\t\t\t\tshare: xor(\n\t\t\t\t\tencryptedShares[i],\n\t\t\t\t\tkdf(gid_r.pairing(publicKeys[i]), nonce, id, objectId, index),\n\t\t\t\t),\n\t\t\t};\n\t\t});\n\t}\n}\n\n/**\n * Batched identity-based key-encapsulation mechanism: encapsulate multiple keys for given identity using different key servers.\n *\n * @param publicKeys Public keys for a set of key servers.\n * @param id The identity used to encapsulate the keys.\n * @returns A common nonce of the keys and a list of keys, 32 bytes each.\n */\nfunction encapBatched(publicKeys: G2Element[], id: Uint8Array): [Scalar, G2Element, GTElement[]] {\n\tif (publicKeys.length === 0) {\n\t\tthrow new Error('No public keys provided');\n\t}\n\tconst r = Scalar.random();\n\tconst nonce = G2Element.generator().multiply(r);\n\tconst gid_r = hashToG1(id).multiply(r);\n\treturn [r, nonce, publicKeys.map((public_key) => gid_r.pairing(public_key))];\n}\n\n/**\n * Decapsulate a key using a user secret key and the nonce.\n *\n * @param usk The user secret key.\n * @param nonce The nonce.\n * @returns The encapsulated key.\n */\nfunction decap(nonce: G2Element, usk: G1Element): GTElement {\n\treturn usk.pairing(nonce);\n}\n\n/**\n * Verify that the given randomness was used to crate the nonce.\n * Throws an error if the given randomness is invalid (not a BLS scalar).\n *\n * @param randomness - The randomness.\n * @param nonce - The nonce.\n * @param useBE - Flag to indicate if BE encoding is used for the randomness. Defaults to true.\n * @returns True if the randomness was used to create the nonce, false otherwise.\n */\nexport function verifyNonce(\n\tnonce: G2Element,\n\trandomness: Uint8Array,\n\tuseBE: boolean = true,\n): boolean {\n\ttry {\n\t\tconst r = decodeRandomness(randomness, useBE);\n\t\treturn G2Element.generator().multiply(r).equals(nonce);\n\t} catch {\n\t\tthrow new InvalidCiphertextError('Invalid randomness');\n\t}\n}\n\nfunction decodeRandomness(bytes: Uint8Array, useBE: boolean): Scalar {\n\tif (useBE) {\n\t\treturn Scalar.fromBytes(bytes);\n\t} else {\n\t\treturn Scalar.fromBytesLE(bytes);\n\t}\n}\n\n/**\n * Decrypt the randomness using a key.\n *\n * @param encrypted_randomness - The encrypted randomness.\n * @param derived_key - The derived key.\n * @returns The randomness. Returns both the scalar interpreted in big-endian and little-endian encoding.\n */\nexport function decryptRandomness(\n\tencryptedRandomness: Uint8Array,\n\trandomnessKey: Uint8Array,\n): Uint8Array {\n\treturn xor(encryptedRandomness, randomnessKey);\n}\n\n/**\n * Verify that the given randomness was used to crate the nonce.\n * Check using both big-endian and little-endian encoding of the randomness.\n *\n * Throws an error if the nonce check doesn't pass using LE encoding _and_ the randomness is invalid as a BE encoded scalar.\n *\n * @param randomness - The randomness.\n * @param nonce - The nonce.\n * @returns True if the randomness was used to create the nonce using either LE or BE encoding, false otherwise.\n */\nexport function verifyNonceWithLE(nonce: G2Element, randomness: Uint8Array): boolean {\n\ttry {\n\t\t// First try little-endian encoding\n\t\tif (verifyNonce(nonce, randomness, false)) {\n\t\t\treturn true;\n\t\t}\n\t} catch {\n\t\t// Ignore error and try big-endian encoding\n\t}\n\treturn verifyNonce(nonce, randomness, true);\n}\n"],
+  "mappings": "AAGA,SAAS,eAAe;AAIxB,SAAS,WAAW,cAAc;AAClC,SAAS,WAAW,UAAU,KAAK,kBAAkB;AAErD,SAAS,WAAW;AAEpB,SAAS,8BAA8B;AAKhC,MAAM,UAAsB,IAAI,YAAY,EAAE,OAAO,8BAA8B;AAKnF,MAAe,WAAW;AAAA,EAGhC,YAAY,WAAqB;AAChC,SAAK,YAAY;AAAA,EAClB;AAeD;AAQO,MAAM,sCAAsC,WAAW;AAAA,EAG7D,YAAY,UAAuB;AAClC,UAAM,SAAS,IAAI,CAAC,YAAY,QAAQ,QAAQ,CAAC;AACjD,SAAK,aAAa,SAAS,IAAI,CAAC,YAAY,UAAU,UAAU,QAAQ,EAAE,CAAC;AAAA,EAC5E;AAAA,EAEA,eACC,IACA,QACA,SACA,WACmC;AACnC,QAAI,KAAK,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,OAAO,QAAQ;AAC7E,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACtC;AACA,UAAM,CAAC,GAAG,OAAO,IAAI,IAAI,aAAa,KAAK,YAAY,EAAE;AACzD,UAAM,kBAAkB,OAAO;AAAA,MAAI,CAAC,EAAE,OAAO,MAAM,GAAG,MACrD,IAAI,OAAO,IAAI,KAAK,CAAC,GAAG,OAAO,IAAI,KAAK,UAAU,CAAC,GAAG,KAAK,CAAC;AAAA,IAC7D;AACA,UAAM,gBAAgB;AAAA,MACrB,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,IACN;AACA,UAAM,sBAAsB,IAAI,eAAe,EAAE,QAAQ,CAAC;AAE1D,WAAO;AAAA,MACN,uBAAuB;AAAA,QACtB,OAAO,MAAM,QAAQ;AAAA,QACrB;AAAA,QACA;AAAA,MACD;AAAA,MACA,OAAO;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,oBAAoB,eAA0B,IAAY,WAA+B;AAC/F,UAAM,MAAM,cAAc,QAAQ,UAAU,UAAU,CAAC;AACvD,UAAM,MAAM,SAAS,QAAQ,EAAE,CAAC,EAAE,QAAQ,SAAS;AACnD,WAAO,IAAI,OAAO,GAAG;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,QACN,OACA,IACA,YACA,IACA,CAAC,UAAU,KAAK,GACH;AACb,WAAO,IAAI,YAAY,IAAI,MAAM,OAAO,EAAE,GAAG,OAAO,IAAI,UAAU,KAAK,CAAC;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,OAAO,gCACN,YACA,iBACA,UACA,YACA,OACA,IACyC;AACzC,QAAI,WAAW,WAAW,gBAAgB,UAAU,WAAW,WAAW,SAAS,QAAQ;AAC1F,YAAM,IAAI,MAAM,2EAA2E;AAAA,IAC5F;AACA,QAAI;AACJ,QAAI;AACH,UAAI,OAAO,UAAU,UAAU;AAAA,IAChC,QAAQ;AACP,YAAM,IAAI,uBAAuB,oBAAoB;AAAA,IACtD;AACA,UAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,CAAC;AACrC,WAAO,SAAS,IAAI,CAAC,CAAC,UAAU,KAAK,GAAG,MAAM;AAC7C,aAAO;AAAA,QACN;AAAA,QACA,OAAO;AAAA,UACN,gBAAgB,CAAC;AAAA,UACjB,IAAI,MAAM,QAAQ,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,UAAU,KAAK;AAAA,QAC7D;AAAA,MACD;AAAA,IACD,CAAC;AAAA,EACF;AACD;AASA,SAAS,aAAa,YAAyB,IAAkD;AAChG,MAAI,WAAW,WAAW,GAAG;AAC5B,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC1C;AACA,QAAM,IAAI,OAAO,OAAO;AACxB,QAAM,QAAQ,UAAU,UAAU,EAAE,SAAS,CAAC;AAC9C,QAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,CAAC;AACrC,SAAO,CAAC,GAAG,OAAO,WAAW,IAAI,CAAC,eAAe,MAAM,QAAQ,UAAU,CAAC,CAAC;AAC5E;AASA,SAAS,MAAM,OAAkB,KAA2B;AAC3D,SAAO,IAAI,QAAQ,KAAK;AACzB;AAWO,SAAS,YACf,OACA,YACA,QAAiB,MACP;AACV,MAAI;AACH,UAAM,IAAI,iBAAiB,YAAY,KAAK;AAC5C,WAAO,UAAU,UAAU,EAAE,SAAS,CAAC,EAAE,OAAO,KAAK;AAAA,EACtD,QAAQ;AACP,UAAM,IAAI,uBAAuB,oBAAoB;AAAA,EACtD;AACD;AAEA,SAAS,iBAAiB,OAAmB,OAAwB;AACpE,MAAI,OAAO;AACV,WAAO,OAAO,UAAU,KAAK;AAAA,EAC9B,OAAO;AACN,WAAO,OAAO,YAAY,KAAK;AAAA,EAChC;AACD;AASO,SAAS,kBACf,qBACA,eACa;AACb,SAAO,IAAI,qBAAqB,aAAa;AAC9C;AAYO,SAAS,kBAAkB,OAAkB,YAAiC;AACpF,MAAI;AAEH,QAAI,YAAY,OAAO,YAAY,KAAK,GAAG;AAC1C,aAAO;AAAA,IACR;AAAA,EACD,QAAQ;AAAA,EAER;AACA,SAAO,YAAY,OAAO,YAAY,IAAI;AAC3C;",
   "names": []
 }

package/dist/esm/index.d.ts

@@ -3,3 +3,4 @@ export { SealClient } from './client.js';
 export { SessionKey, type ExportedSessionKey } from './session-key.js';
 export * from './error.js';
 export type { SealCompatibleClient, SealClientOptions, SealClientExtensionOptions, KeyServerConfig, EncryptOptions, DecryptOptions, FetchKeysOptions, GetDerivedKeysOptions, } from './types.js';
+export { DemType } from './encrypt.js';

package/dist/esm/index.js

@@ -2,7 +2,9 @@ import { EncryptedObject } from "./bcs.js";
 import { SealClient } from "./client.js";
 import { SessionKey } from "./session-key.js";
 export * from "./error.js";
+import { DemType } from "./encrypt.js";
 export {
+  DemType,
   EncryptedObject,
   SealClient,
   SessionKey

package/dist/esm/index.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/index.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport { EncryptedObject } from './bcs.js';\nexport { SealClient } from './client.js';\nexport { SessionKey, type ExportedSessionKey } from './session-key.js';\nexport * from './error.js';\nexport type {\n\tSealCompatibleClient,\n\tSealClientOptions,\n\tSealClientExtensionOptions,\n\tKeyServerConfig,\n\tEncryptOptions,\n\tDecryptOptions,\n\tFetchKeysOptions,\n\tGetDerivedKeysOptions,\n} from './types.js';\n"],
-  "mappings": "AAGA,SAAS,uBAAuB;AAChC,SAAS,kBAAkB;AAC3B,SAAS,kBAA2C;AACpD,cAAc;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport { EncryptedObject } from './bcs.js';\nexport { SealClient } from './client.js';\nexport { SessionKey, type ExportedSessionKey } from './session-key.js';\nexport * from './error.js';\nexport type {\n\tSealCompatibleClient,\n\tSealClientOptions,\n\tSealClientExtensionOptions,\n\tKeyServerConfig,\n\tEncryptOptions,\n\tDecryptOptions,\n\tFetchKeysOptions,\n\tGetDerivedKeysOptions,\n} from './types.js';\nexport { DemType } from './encrypt.js';\n"],
+  "mappings": "AAGA,SAAS,uBAAuB;AAChC,SAAS,kBAAkB;AAC3B,SAAS,kBAA2C;AACpD,cAAc;AAWd,SAAS,eAAe;",
   "names": []
 }

package/dist/esm/types.d.ts

@@ -48,6 +48,8 @@ export interface DecryptOptions {
     txBytes: Uint8Array;
     /** Whether to check share consistency. */
     checkShareConsistency?: boolean;
+    /** Whether to check also using an LE encoded nonce. */
+    checkLEEncoding?: boolean;
 }
 export interface FetchKeysOptions {
     /** The ids of the encrypted objects. */

package/dist/esm/version.d.ts

@@ -1 +1 @@
-export declare const PACKAGE_VERSION = "0.6.0";
+export declare const PACKAGE_VERSION = "0.8.0";

package/dist/esm/version.js

@@ -1,4 +1,4 @@
-const PACKAGE_VERSION = "0.6.0";
+const PACKAGE_VERSION = "0.8.0";
 export {
   PACKAGE_VERSION
 };

package/dist/esm/version.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/version.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.6.0';\n"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.8.0';\n"],
   "mappings": "AAKO,MAAM,kBAAkB;",
   "names": []
 }