npm - @noble/post-quantum - Versions diffs - 0.1.0 - Mend

@noble/post-quantum 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+Copyright (c) 2024 Paul Miller (https://paulmillr.com)
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the “Software”), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,300 @@
+# noble-post-quantum
+Auditable & minimal JS implementation of public-key post-quantum cryptography.
+- 🔒 Auditable
+- 🔻 Tree-shaking-friendly: use only what's necessary, other code won't be included
+- 🦾 ML-KEM & CRYSTALS-Kyber: lattice-based kem
+- 🔋 ML-DSA & CRYSTALS-Dilithium: lattice-based signatures
+- 🐈 SLH-DSA & SPHINCS+: hash-based signatures
+- 📄 FIPS-203, FIPS-204, FIPS-205 drafts
+- 🪶 2000 lines for all algorithms
+Check out [What should I use](#what-should-i-use) section for benchmarks
+and algorithm selection guidance. For discussions, questions and support, visit
+[GitHub Discussions](https://github.com/paulmillr/noble-post-quantum/discussions)
+section of the repository.
+### This library belongs to _noble_ cryptography
+> **noble cryptography** — high-security, easily auditable set of contained cryptographic libraries and tools.
+- Zero or minimal dependencies
+- Highly readable TypeScript / JS code
+- PGP-signed releases and transparent NPM builds
+- All libraries:
+  [ciphers](https://github.com/paulmillr/noble-ciphers),
+  [curves](https://github.com/paulmillr/noble-curves),
+  [hashes](https://github.com/paulmillr/noble-hashes),
+  [post-quantum](https://github.com/paulmillr/noble-post-quantum),
+  4kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
+  [ed25519](https://github.com/paulmillr/noble-ed25519)
+- [Check out homepage](https://paulmillr.com/noble/)
+  for reading resources, documentation and apps built with noble
+## Usage
+> npm install @noble/post-quantum
+We support all major platforms and runtimes.
+For [Deno](https://deno.land), ensure to use
+[npm specifier](https://deno.land/manual@v1.28.0/node/npm_specifiers).
+For React Native, you may need a
+[polyfill for getRandomValues](https://github.com/LinusU/react-native-get-random-values).
+A standalone file
+[noble-post-quantum.js](https://github.com/paulmillr/noble-post-quantum/releases) is also available.
+```js
+// import * from '@noble/post-quantum'; // Error: use sub-imports, to ensure small app size
+import { ml_kem768, kyber768 } from '@noble/post-quantum/ml-kem';
+// import { ml_kem768, kyber768 } from 'npm:@noble/post-quantum@0.1.0/ml-kem'; // Deno
+```
+- [What should I use?](#what-should-i-use)
+- [ML-KEM / Kyber](#ml-kem--kyber-shared-secrets)
+- [ML-DSA / Dilithium](#ml-dsa--dilithium-signatures)
+- [SLH-DSA / SPHINCS+](#slh-dsa--sphincs-signatures)
+- [Security](#security)
+- [Speed](#speed)
+- [Contributing & testing](#contributing--testing)
+- [Resources](#resources)
+- [License](#license)
+### What should I use?
+|           | Speed  | Key size    | Sig size    | Created in | Popularized in | Post-quantum? |
+|-----------|--------|-------------|-------------|------------|----------------|---------------|
+| RSA       | Normal | 256B - 2KB  | 256B - 2KB  | 1970s      | 1990s          | No            |
+| ECC       | Normal | 32 - 256B   | 48 - 128B   | 1980s      | 2010s          | No            |
+| Kyber     | Fast   | 1.6 - 31KB  | 1KB         | 1990s      | 2020s          | Yes           |
+| Dilithium | Normal | 1.3 - 2.5KB | 2.5 - 4.5KB | 1990s      | 2020s          | Yes           |
+| SPHINCS   | Slow   | 32 - 128B   | 17 - 50KB   | 1970s      | 2020s          | Yes           |
+Speed (higher is better):
+| OPs/sec      | Keygen | Signing | Verification | Shared secret |
+|--------------|--------|---------|--------------|---------------|
+| ECC ed25519  | 10270  | 5110    | 1050         | 1470          |
+| Kyber-512    | 3050   |         |              | 2090          |
+| Dilithium-2  | 580    | 170     | 550          |               |
+| SPHINCS-128f | 200    | 8       | 140          |               |
+tl;dr: ECC + ML-KEM for key agreement, SLH-DSA for pq signatures.
+It's recommended to use SPHINCS, which is built on
+top of older, conservative primitives.
+Kyber and Dilithium are lattice-based, so they're less "proven".
+There's some chance of advancement, which will break this algorithm class.
+FIPS wants to release final standards in 2024.
+Until then, they provide no test vectors, meaning
+implementations could be producing invalid output.
+Moreover, if you'll use non-FIPS versions, or even FIPS
+versions today, it's possible the final spec will be
+incompatible, and you'll be stuck with old implementations.
+Similar to what happened to Keccak and SHA-3.
+Symmetrical algorithms like AES and ChaCha (available in [noble-ciphers](https://github.com/paulmillr/noble-ciphers))
+suffer less from quantum computers. For AES, simply update from AES-128 to AES-256.
+### ML-KEM / Kyber shared secrets
+```ts
+import { ml_kem512, ml_kem768, ml_kem1024 } from '@noble/post-quantum/ml-kem';
+// import { kyber512, kyber768, kyber1024 } from '@noble/post-quantum/ml-kem';
+// import { kyber512_90s, kyber768_90s, kyber1024_90s } from '@noble/post-quantum/ml-kem';
+const aliceKeys = ml_kem768.keygen();
+const alicePub = aliceKeys.publicKey;
+const { cipherText, sharedSecret: bobShared } = ml_kem768.encapsulate(alicePub);
+const aliceShared = ml_kem768.decapsulate(cipherText, aliceKeys.secretKey); // [Alice] decrypts sharedSecret from Bob
+// aliceShared == bobShared
+```
+Lattice-based key encapsulation mechanism.
+See [official site](https://www.pq-crystals.org/kyber/resources.shtml),
+[repo](https://github.com/pq-crystals/kyber),
+[spec](https://datatracker.ietf.org/doc/draft-cfrg-schwabe-kyber/).
+Key encapsulation is similar to DH / ECDH (think X25519), with important differences:
+- We can't verify if it was "Bob" who've sent the shared secret.
+  In ECDH, it's always verified
+- It is probabalistic and relies on quality of randomness (CSPRNG).
+  ECDH doesn't (to this extent).
+- Kyber decapsulation never throws an error, even when shared secret was
+  encrypted by a different public key. It will just return a different
+  shared secret
+There are some concerns with regards to security: see
+[djb blog](https://blog.cr.yp.to/20231003-countcorrectly.html) and
+[mailing list](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E).
+Three versions are provided:
+1. Kyber
+2. Kyber-90s, using algorithms from 1990s
+3. ML-KEM aka [FIPS-203](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf)
+```ts
+// Alice generates keys
+const aliceKeys = kyber1024.keygen(); // [Alice] generates key pair (secret and public key)
+const alicePub = aliceKeys.publicKey; // [Alice] sends public key to Bob (somehow)
+// aliceKeys.secretKey never leaves [Alice] system and unknown to other parties
+// Bob creates cipherText for Alice
+// [Bob] generates shared secret for Alice publicKey
+const { cipherText, sharedSecret: bobShared } = kyber1024.encapsulate(alicePub);
+// bobShared never leaves [Bob] system and unknown to other parties
+// Alice gets cipherText from Bob
+// [Alice] decrypts sharedSecret from Bob
+const aliceShared = kyber1024.decapsulate(cipherText, aliceKeys.secretKey);
+// Now, both Alice and Both have same sharedSecret key without exchanging in plainText
+deepStrictEqual(aliceShared, bobShared);
+// Warning: Can be MITM-ed
+const carolKeys = kyber1024.keygen();
+const carolShared = kyber1024.decapsulate(cipherText, carolKeys.secretKey); // No error!
+notDeepStrictEqual(aliceShared, carolShared); // Different key!
+```
+### ML-DSA / Dilithium signatures
+```ts
+import { ml_dsa44, ml_dsa65, ml_dsa87 } from '@noble/post-quantum/ml-dsa';
+// import { dilithium_v30, dilithium_v31 } from '@noble/post-quantum/ml-dsa';
+// import { dilithium_v30_aes, dilithium_v31_aes } from '@noble/post-quantum/ml-dsa';
+const aliceKeys = ml_dsa65.keygen();
+const msg = new Uint8Array(1);
+const sig = ml_dsa65.sign(aliceKeys.secretKey, msg);
+const isValid = ml_dsa65.verify(aliceKeys.publicKey, msg, sig)
+```
+Lattice-based digital signature algorithm. See
+[official site](https://www.pq-crystals.org/dilithium/index.shtml),
+[repo](https://github.com/pq-crystals/dilithium).
+Dilithium has similar internals to Kyber, but their keys and params are different.
+Three versions are provided:
+1. Dilithium v3.0, v3.0 AES
+2. Dilithium v3.1, v3.1 AES
+3. ML-DSA aka [FIPS-204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf)
+### SLH-DSA / SPHINCS+ signatures
+```ts
+import { slh_dsa_sha2_128f as sph } from '@noble/post-quantum/slh-dsa';
+// import { sphincs_shake_128f_simple } from '@noble/post-quantum/slh-dsa';
+// import { sphincs_sha2_128f_simple } from '@noble/post-quantum/slh-dsa';
+// Full list of imports can be seen below in "FIPS-205" section details
+const aliceKeys = sph.keygen();
+const msg = new Uint8Array(1);
+const sig = sph.sign(aliceKeys.secretKey, msg);
+const isValid = sph.verify(aliceKeys.publicKey, msg, sig);
+```
+Hash-based digital signature algorithm. See [official site](https://sphincs.org).
+We implement spec v3.1 with latest FIPS-205 changes.
+It's compatible with the latest version in the [official repo](https://github.com/sphincs/sphincsplus).
+Some wasm libraries use older specs.
+Three versions are provided:
+1. SHAKE256-based
+2. SHA2-based
+3. SLH-DSA aka [FIPS-205](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.ipd.pdf)
+The pattern for exported name is:
+```
+sphincs_{HASH}_{BITS}{SIZE}_{KIND}
+where
+  HASH: shake | sha2
+  BITS: 128 | 192 | 256
+  SIZE: f | s (full, short)
+  KIND: simple | robust
+// Examples
+sphincs_shake_128f_simple
+sphincs_sha2_192s_robust
+```
+All imports:
+```ts
+import {
+  sphincs_shake_128f_simple,
+  sphincs_shake_128f_robust,
+  sphincs_shake_128s_simple,
+  sphincs_shake_128s_robust,
+  sphincs_shake_192f_simple,
+  sphincs_shake_192f_robust,
+  sphincs_shake_192s_simple,
+  sphincs_shake_192s_robust,
+  sphincs_shake_256f_simple,
+  sphincs_shake_256f_robust,
+  sphincs_shake_256s_simple,
+  sphincs_shake_256s_robust,
+} from '@noble/post-quantum/slh-dsa';
+import {
+  sphincs_sha2_128f_simple,
+  sphincs_sha2_128f_robust,
+  sphincs_sha2_128s_simple,
+  sphincs_sha2_128s_robust,
+  sphincs_sha2_192f_simple,
+  sphincs_sha2_192f_robust,
+  sphincs_sha2_192s_simple,
+  sphincs_sha2_192s_robust,
+  sphincs_sha2_256f_simple,
+  sphincs_sha2_256f_robust,
+  sphincs_sha2_256s_simple,
+  sphincs_sha2_256s_robust,
+} from '@noble/post-quantum/slh-dsa';
+import {
+  slh_dsa_sha2_128f,
+  slh_dsa_sha2_128s,
+  slh_dsa_sha2_192f,
+  slh_dsa_sha2_192s,
+  slh_dsa_sha2_256f,
+  slh_dsa_sha2_256s,
+} from '@noble/post-quantum/slh-dsa';
+```
+## Security
+The library has not been independently audited yet.
+If you see anything unusual: investigate and report.
+## Speed
+To summarize, noble is the fastest JS implementation of post-quantum algorithms.
+Check out [What should I use](#what-should-i-use) table for now.
+## Contributing & testing
+1. Clone the repository
+2. `npm install` to install build dependencies like TypeScript
+3. `npm run build` to compile TypeScript code
+4. `npm run test` will execute all main tests
+## Resources
+Check out [paulmillr.com/noble](https://paulmillr.com/noble/)
+for useful resources, articles, documentation and demos
+related to the library.
+## License
+The MIT License (MIT)
+Copyright (c) 2024 Paul Miller [(https://paulmillr.com)](https://paulmillr.com)
+See LICENSE file.

package/_crystals.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { TypedArray } from '@noble/hashes/utils';
+import { BytesCoderLen, Coder } from './utils.js';
+export type XOF = (seed: Uint8Array, blockLen?: number) => {
+    stats: () => {
+        calls: number;
+        xofs: number;
+    };
+    get: (x: number, y: number) => () => Uint8Array;
+    clean: () => void;
+};
+export type CrystalOpts<T extends TypedArray> = {
+    newPoly: TypedCons<T>;
+    N: number;
+    Q: number;
+    F: number;
+    ROOT_OF_UNITY: number;
+    brvBits: number;
+    isKyber: boolean;
+};
+export type TypedCons<T extends TypedArray> = (n: number) => T;
+export declare const genCrystals: <T extends TypedArray>(opts: CrystalOpts<T>) => {
+    mod: (a: number, modulo?: number) => number;
+    smod: (a: number, modulo?: number) => number;
+    nttZetas: T;
+    NTT: {
+        encode: (r: T) => T;
+        decode: (r: T) => T;
+    };
+    bitsCoder: (d: number, c: Coder<number, number>) => BytesCoderLen<T>;
+};
+export declare const XOF128: XOF;
+export declare const XOF256: XOF;
+export declare const XOF_AES: XOF;
+//# sourceMappingURL=_crystals.d.ts.map

package/_crystals.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"_crystals.d.ts","sourceRoot":"","sources":["src/_crystals.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAW,MAAM,YAAY,CAAC;AAE3D,MAAM,MAAM,GAAG,GAAG,CAChB,IAAI,EAAE,UAAU,EAChB,QAAQ,CAAC,EAAE,MAAM,KACd;IACH,KAAK,EAAE,MAAM;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7C,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,KAAK,MAAM,UAAU,CAAC;IAChD,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,UAAU,IAAI;IAC9C,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,UAAU,IAAI,CAAC,CAAC,EAAE,MAAM,KAAK,CAAC,CAAC;AAU/D,eAAO,MAAM,WAAW;aAGN,MAAM,sBAAe,MAAM;cAK1B,MAAM,sBAAe,MAAM;;;;;;mBAsDtB,MAAM,KAAK,MAAM,MAAM,EAAE,MAAM,CAAC;CA2BvD,CAAC;AAuCF,eAAO,MAAM,MAAM,KAA2C,CAAC;AAC/D,eAAO,MAAM,MAAM,KAA2C,CAAC;AAgC/D,eAAO,MAAM,OAAO,KAAuC,CAAC"}

package/_crystals.js ADDED Viewed

@@ -0,0 +1,171 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XOF_AES = exports.XOF256 = exports.XOF128 = exports.genCrystals = void 0;
+/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
+const aes_1 = require("@noble/ciphers/aes");
+const sha3_1 = require("@noble/hashes/sha3");
+const utils_js_1 = require("./utils.js");
+// TODO: benchmark
+function bitReversal(n, bits = 8) {
+    const padded = n.toString(2).padStart(8, '0');
+    const sliced = padded.slice(-bits).padStart(7, '0');
+    const revrsd = sliced.split('').reverse().join('');
+    return Number.parseInt(revrsd, 2);
+}
+const genCrystals = (opts) => {
+    // isKyber: true means Kyber, false means Dilithium
+    const { newPoly, N, Q, F, ROOT_OF_UNITY, brvBits, isKyber } = opts;
+    const mod = (a, modulo = Q) => {
+        const result = a % modulo | 0;
+        return (result >= 0 ? result | 0 : (modulo + result) | 0) | 0;
+    };
+    // -(Q-1)/2 < a <= (Q-1)/2
+    const smod = (a, modulo = Q) => {
+        const r = mod(a, modulo) | 0;
+        return (r > modulo >> 1 ? (r - modulo) | 0 : r) | 0;
+    };
+    // Generate zettas
+    function getZettas() {
+        const out = newPoly(N);
+        for (let i = 0; i < N; i++) {
+            const b = bitReversal(i, brvBits);
+            const p = BigInt(ROOT_OF_UNITY) ** BigInt(b) % BigInt(Q);
+            out[i] = Number(p) | 0;
+        }
+        return out;
+    }
+    const nttZetas = getZettas();
+    // Number-Theoretic Transform
+    // Explained: https://electricdusk.com/ntt.html
+    // Kyber has slightly different params, since there is no 512th primitive root of unity mod q,
+    // only 256th primitive root of unity mod. Which also complicates MultiplyNTT.
+    // TODO: there should be less ugly way to define this.
+    const LEN1 = isKyber ? 128 : N;
+    const LEN2 = isKyber ? 1 : 0;
+    const NTT = {
+        encode: (r) => {
+            for (let k = 1, len = 128; len > LEN2; len >>= 1) {
+                for (let start = 0; start < N; start += 2 * len) {
+                    const zeta = nttZetas[k++];
+                    for (let j = start; j < start + len; j++) {
+                        const t = mod(zeta * r[j + len]);
+                        r[j + len] = mod(r[j] - t) | 0;
+                        r[j] = mod(r[j] + t) | 0;
+                    }
+                }
+            }
+            return r;
+        },
+        decode: (r) => {
+            for (let k = LEN1 - 1, len = 1 + LEN2; len < LEN1 + LEN2; len <<= 1) {
+                for (let start = 0; start < N; start += 2 * len) {
+                    const zeta = nttZetas[k--];
+                    for (let j = start; j < start + len; j++) {
+                        const t = r[j];
+                        r[j] = mod(t + r[j + len]);
+                        r[j + len] = mod(zeta * (r[j + len] - t));
+                    }
+                }
+            }
+            for (let i = 0; i < r.length; i++)
+                r[i] = mod(F * r[i]);
+            return r;
+        },
+    };
+    // Encode polynominal as bits
+    const bitsCoder = (d, c) => {
+        const mask = (0, utils_js_1.getMask)(d);
+        const bytesLen = d * (N / 8);
+        return {
+            bytesLen,
+            encode: (poly) => {
+                const r = new Uint8Array(bytesLen);
+                for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+                    buf |= (c.encode(poly[i]) & mask) << bufLen;
+                    bufLen += d;
+                    for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+                        r[pos++] = buf & (0, utils_js_1.getMask)(bufLen);
+                }
+                return r;
+            },
+            decode: (bytes) => {
+                const r = newPoly(N);
+                for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+                    buf |= bytes[i] << bufLen;
+                    bufLen += 8;
+                    for (; bufLen >= d; bufLen -= d, buf >>= d)
+                        r[pos++] = c.decode(buf & mask);
+                }
+                return r;
+            },
+        };
+    };
+    return { mod, smod, nttZetas, NTT, bitsCoder };
+};
+exports.genCrystals = genCrystals;
+const createXofShake = (shake) => (seed, blockLen) => {
+    if (!blockLen)
+        blockLen = shake.blockLen;
+    // Optimizations that won't mater:
+    // - cached seed update (two .update(), on start and on the end)
+    // - another cache which cloned into working copy
+    // Faster than multiple updates, since seed less than blockLen
+    const _seed = new Uint8Array(seed.length + 2);
+    _seed.set(seed);
+    const seedLen = seed.length;
+    const buf = new Uint8Array(blockLen); // == shake128.blockLen
+    let h = shake.create({});
+    let calls = 0;
+    let xofs = 0;
+    return {
+        stats: () => ({ calls, xofs }),
+        get: (x, y) => {
+            _seed[seedLen + 0] = x;
+            _seed[seedLen + 1] = y;
+            h.destroy();
+            h = shake.create({}).update(_seed);
+            calls++;
+            return () => {
+                xofs++;
+                return h.xofInto(buf);
+            };
+        },
+        clean: () => {
+            h.destroy();
+            buf.fill(0);
+            _seed.fill(0);
+        },
+    };
+};
+exports.XOF128 = createXofShake(sha3_1.shake128);
+exports.XOF256 = createXofShake(sha3_1.shake256);
+const createXofAes = (aes) => (seed, blockLen) => {
+    if (!blockLen)
+        blockLen = 16 * 3; // 288
+    const nonce = new Uint8Array(16);
+    const xk = aes.expandKeyLE(seed.subarray(0, 32));
+    const block = new Uint8Array(blockLen);
+    const out = block.slice();
+    let calls = 0;
+    let xofs = 0;
+    return {
+        stats: () => ({ calls, xofs }),
+        get: (x, y) => {
+            nonce.fill(0); // clean counter
+            nonce[0] = x;
+            nonce[1] = y;
+            calls++;
+            return () => {
+                xofs++;
+                return aes.ctrCounter(xk, nonce, block, out);
+            };
+        },
+        clean: () => {
+            nonce.fill(0);
+            xk.fill(0);
+            out.fill(0);
+        },
+    };
+};
+exports.XOF_AES = createXofAes(aes_1.unsafe);
+//# sourceMappingURL=_crystals.js.map

package/_crystals.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"_crystals.js","sourceRoot":"","sources":["src/_crystals.ts"],"names":[],"mappings":";;;AAAA,4EAA4E;AAC5E,4CAA4C;AAC5C,6CAAwD;AAExD,yCAA2D;AAuB3D,kBAAkB;AAClB,SAAS,WAAW,CAAC,CAAS,EAAE,OAAe,CAAC;IAC9C,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AACpC,CAAC;AAEM,MAAM,WAAW,GAAG,CAAuB,IAAoB,EAAE,EAAE;IACxE,mDAAmD;IACnD,MAAM,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACnE,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,MAAM,GAAG,CAAC,EAAU,EAAE;QAC5C,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;QAC9B,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAChE,CAAC,CAAC;IACF,0BAA0B;IAC1B,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,MAAM,GAAG,CAAC,EAAU,EAAE;QAC7C,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7B,OAAO,CAAC,CAAC,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC,CAAC;IACF,kBAAkB;IAClB,SAAS,SAAS;QAChB,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YAClC,MAAM,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACzD,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,QAAQ,GAAG,SAAS,EAAE,CAAC;IAE7B,6BAA6B;IAC7B,+CAA+C;IAE/C,8FAA8F;IAC9F,8EAA8E;IAC9E,sDAAsD;IACtD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG;QACV,MAAM,EAAE,CAAC,CAAI,EAAE,EAAE;YACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;gBACjD,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;oBAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC3B,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,KAAK,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;wBACjC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;wBAC/B,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;oBAC3B,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;QACD,MAAM,EAAE,CAAC,CAAI,EAAE,EAAE;YACf,KAAK,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;gBACpE,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;oBAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC3B,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,KAAK,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;wBACf,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;wBAC3B,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;gBAAE,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACxD,OAAO,CAAC,CAAC;QACX,CAAC;KACF,CAAC;IACF,6BAA6B;IAC7B,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,CAAwB,EAAoB,EAAE;QAC1E,MAAM,IAAI,GAAG,IAAA,kBAAO,EAAC,CAAC,CAAC,CAAC;QACxB,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,OAAO;YACL,QAAQ;YACR,MAAM,EAAE,CAAC,IAAO,EAAc,EAAE;gBAC9B,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;gBACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACnE,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,MAAM,CAAC;oBAC5C,MAAM,IAAI,CAAC,CAAC;oBACZ,OAAO,MAAM,IAAI,CAAC,EAAE,MAAM,IAAI,CAAC,EAAE,GAAG,KAAK,CAAC;wBAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,GAAG,GAAG,IAAA,kBAAO,EAAC,MAAM,CAAC,CAAC;gBAC/E,CAAC;gBACD,OAAO,CAAC,CAAC;YACX,CAAC;YACD,MAAM,EAAE,CAAC,KAAiB,EAAK,EAAE;gBAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;gBACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACpE,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;oBAC1B,MAAM,IAAI,CAAC,CAAC;oBACZ,OAAO,MAAM,IAAI,CAAC,EAAE,MAAM,IAAI,CAAC,EAAE,GAAG,KAAK,CAAC;wBAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;gBAC9E,CAAC;gBACD,OAAO,CAAC,CAAC;YACX,CAAC;SACF,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;AACjD,CAAC,CAAC;AAzFW,QAAA,WAAW,eAyFtB;AAEF,MAAM,cAAc,GAClB,CAAC,KAAsB,EAAO,EAAE,CAChC,CAAC,IAAgB,EAAE,QAAiB,EAAE,EAAE;IACtC,IAAI,CAAC,QAAQ;QAAE,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IACzC,kCAAkC;IAClC,gEAAgE;IAChE,iDAAiD;IAEjD,8DAA8D;IAC9D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC9C,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,uBAAuB;IAC7D,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACzB,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,OAAO;QACL,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC9B,GAAG,EAAE,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE;YAC5B,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;YACvB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC,CAAC,OAAO,EAAE,CAAC;YACZ,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,KAAK,EAAE,CAAC;YACR,OAAO,GAAG,EAAE;gBACV,IAAI,EAAE,CAAC;gBACP,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC,CAAC;QACJ,CAAC;QACD,KAAK,EAAE,GAAG,EAAE;YACV,CAAC,CAAC,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACZ,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAES,QAAA,MAAM,GAAmB,cAAc,CAAC,eAAQ,CAAC,CAAC;AAClD,QAAA,MAAM,GAAmB,cAAc,CAAC,eAAQ,CAAC,CAAC;AAE/D,MAAM,YAAY,GAChB,CAAC,GAAkB,EAAO,EAAE,CAC5B,CAAC,IAAgB,EAAE,QAAiB,EAAE,EAAE;IACtC,IAAI,CAAC,QAAQ;QAAE,QAAQ,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM;IACxC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;IAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,OAAO;QACL,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC9B,GAAG,EAAE,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE;YAC5B,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;YAC/B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACb,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACb,KAAK,EAAE,CAAC;YACR,OAAO,GAAG,EAAE;gBACV,IAAI,EAAE,CAAC;gBACP,OAAO,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC,CAAC;QACJ,CAAC;QACD,KAAK,EAAE,GAAG,EAAE;YACV,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACd,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACX,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAES,QAAA,OAAO,GAAmB,YAAY,CAAC,YAAM,CAAC,CAAC"}