@noble/post-quantum 0.4.0 → 0.5.0

package/src/ml-kem.ts

@@ -20,36 +20,22 @@
  * @module
  */
 /*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
-import { sha3_256, sha3_512, shake256 } from '@noble/hashes/sha3';
-import { u32, wrapConstructor, wrapConstructorWithOpts } from '@noble/hashes/utils';
-import { genCrystals, type XOF, XOF128 } from './_crystals.js';
+import { sha3_256, sha3_512, shake256 } from '@noble/hashes/sha3.js';
+import { type CHash, u32 } from '@noble/hashes/utils.js';
+import { genCrystals, type XOF, XOF128 } from './_crystals.ts';
 import {
+  abytes,
   cleanBytes,
   type Coder,
-  ensureBytes,
+  copyBytes,
   equalBytes,
+  type KEM,
   randomBytes,
   splitCoder,
   vecCoder,
-} from './utils.js';
+} from './utils.ts';
 
 /** Key encapsulation mechanism interface */
-export type KEM = {
-  publicKeyLen: number;
-  msgLen: number;
-  keygen: (seed?: Uint8Array) => {
-    publicKey: Uint8Array;
-    secretKey: Uint8Array;
-  };
-  encapsulate: (
-    publicKey: Uint8Array,
-    msg?: Uint8Array
-  ) => {
-    cipherText: Uint8Array;
-    sharedSecret: Uint8Array;
-  };
-  decapsulate: (cipherText: Uint8Array, secretKey: Uint8Array) => Uint8Array;
-};
 
 const N = 256; // Kyber (not FIPS-203) supports different lengths, but all std modes were using 256
 const Q = 3329; // 13*(2**8)+1, modulo prime
@@ -60,7 +46,7 @@ const { mod, nttZetas, NTT, bitsCoder } = genCrystals({
   Q,
   F,
   ROOT_OF_UNITY,
-  newPoly: (n: number) => new Uint16Array(n),
+  newPoly: (n: number): Uint16Array => new Uint16Array(n),
   brvBits: 7,
   isKyber: true,
 });
@@ -106,7 +92,7 @@ const compress = (d: number): Coder<number, number> => {
 const polyCoder = (d: number) => bitsCoder(d, compress(d));
 
 // Poly is mod Q, so 12 bits
-type Poly = Uint16Array;
+type Poly = Uint16Array<any>;
 
 function polyAdd(a: Poly, b: Poly) {
   for (let i = 0; i < N; i++) a[i] = mod(a[i] + b[i]); // a += b
@@ -137,14 +123,13 @@ function MultiplyNTTs(f: Poly, g: Poly): Poly {
 
 type PRF = (l: number, key: Uint8Array, nonce: number) => Uint8Array;
 
-type Hash = ReturnType<typeof wrapConstructor>;
-type HashWOpts = ReturnType<typeof wrapConstructorWithOpts>;
 type XofGet = ReturnType<ReturnType<XOF>['get']>;
 
 type KyberOpts = KEMParam & {
-  HASH256: Hash;
-  HASH512: Hash;
-  KDF: Hash | HashWOpts;
+  HASH256: CHash;
+  HASH512: CHash;
+  // KDF: CHash<Keccak, ShakeOpts>;
+  KDF: any;
   XOF: XOF; // (seed: Uint8Array, len: number, x: number, y: number) => Uint8Array;
   PRF: PRF;
 };
@@ -205,10 +190,13 @@ const genKPKE = (opts: KyberOpts) => {
   const seedCoder = splitCoder(32, 32);
   return {
     secretCoder,
-    secretKeyLen: secretCoder.bytesLen,
-    publicKeyLen: publicCoder.bytesLen,
-    cipherTextLen: cipherCoder.bytesLen,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen,
+    },
     keygen: (seed: Uint8Array) => {
+      abytes(seed, 32);
       const seedDst = new Uint8Array(33);
       seedDst.set(seed);
       seedDst[32] = K;
@@ -252,7 +240,7 @@ const genKPKE = (opts: KyberOpts) => {
         polyAdd(e1, NTT.decode(tmp)); // e1 += tmp
         u.push(e1);
         polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i])); // t2 += tHat[i] * rHat[i]
-        tmp.fill(0);
+        cleanBytes(tmp);
       }
       x.clean();
       const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
@@ -277,16 +265,21 @@ const genKPKE = (opts: KyberOpts) => {
 function createKyber(opts: KyberOpts) {
   const KPKE = genKPKE(opts);
   const { HASH256, HASH512, KDF } = opts;
-  const { secretCoder: KPKESecretCoder, cipherTextLen } = KPKE;
-  const publicKeyLen = KPKE.publicKeyLen; // 384*K+32
-  const secretCoder = splitCoder(KPKE.secretKeyLen, KPKE.publicKeyLen, 32, 32);
-  const secretKeyLen = secretCoder.bytesLen;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder(lengths.secretKey, lengths.publicKey, 32, 32);
   const msgLen = 32;
+  const seedLen = 64;
   return {
-    publicKeyLen,
-    msgLen,
-    keygen: (seed = randomBytes(64)) => {
-      ensureBytes(seed, 64);
+    info: { type: 'ml-kem' },
+    lengths: {
+      ...lengths,
+      seed: 64,
+      msg: msgLen,
+      msgRand: msgLen,
+      secretKey: secretCoder.bytesLen,
+    },
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytes(seed, seedLen);
       const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
       const publicKeyHash = HASH256(publicKey);
       // (dkPKE||ek||H(ek)||z)
@@ -294,13 +287,17 @@ function createKyber(opts: KyberOpts) {
       cleanBytes(sk, publicKeyHash);
       return { publicKey, secretKey };
     },
-    encapsulate: (publicKey: Uint8Array, msg = randomBytes(32)) => {
-      ensureBytes(publicKey, publicKeyLen);
-      ensureBytes(msg, msgLen);
+    getPublicKey: (secretKey: Uint8Array) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey: Uint8Array, msg = randomBytes(msgLen)) => {
+      abytes(publicKey, lengths.publicKey);
+      abytes(msg, msgLen);
 
       // FIPS-203 includes additional verification check for modulus
       const eke = publicKey.subarray(0, 384 * opts.K);
-      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(eke.slice())); // Copy because of inplace encoding
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke))); // Copy because of inplace encoding
       // (Modulus check.) Perform the computation ek ← ByteEncode12(ByteDecode12(eke)).
       // If ek = ̸ eke, the input is invalid. (See Section 4.2.1.)
       if (!equalBytes(ek, eke)) {
@@ -310,12 +307,19 @@ function createKyber(opts: KyberOpts) {
       cleanBytes(ek);
       const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest(); // derive randomness
       const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      kr.subarray(32).fill(0);
+      cleanBytes(kr.subarray(32));
       return { cipherText, sharedSecret: kr.subarray(0, 32) };
     },
     decapsulate: (cipherText: Uint8Array, secretKey: Uint8Array) => {
-      ensureBytes(secretKey, secretKeyLen); // 768*k + 96
-      ensureBytes(cipherText, cipherTextLen); // 32(du*k + dv)
+      abytes(secretKey, secretCoder.bytesLen); // 768*k + 96
+      abytes(cipherText, lengths.cipherText); // 32(du*k + dv)
+      // test ← H(dk[384𝑘 ∶ 768𝑘 + 32])) .
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      // If test ≠ dk[768𝑘 + 32 ∶ 768𝑘 + 64], then input checking has failed.
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error('invalid secretKey: hash check failed');
       const [sk, publicKey, publicKeyHash, z] = secretCoder.decode(secretKey);
       const msg = KPKE.decrypt(cipherText, sk);
       const kr = HASH512.create().update(msg).update(publicKeyHash).digest(); // derive randomness, Khat, rHat = G(mHat || h)

package/src/slh-dsa.ts

@@ -27,16 +27,23 @@
  * @module
  */
 /*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
-import { setBigUint64 } from '@noble/hashes/_md';
-import { HMAC } from '@noble/hashes/hmac';
-import { sha256, sha512 } from '@noble/hashes/sha2';
-import { shake256 } from '@noble/hashes/sha3';
-import { bytesToHex, concatBytes, createView, hexToBytes } from '@noble/hashes/utils';
+import { hmac } from '@noble/hashes/hmac.js';
+import { sha256, sha512 } from '@noble/hashes/sha2.js';
+import { shake256 } from '@noble/hashes/sha3.js';
 import {
-  EMPTY,
-  type Signer,
+  bytesToHex,
+  concatBytes,
+  createView,
+  hexToBytes,
+  type CHash,
+} from '@noble/hashes/utils.js';
+import {
+  abytes,
+  checkHash,
+  validateSigOpts,
+  validateVerOpts,
   cleanBytes,
-  ensureBytes,
+  copyBytes,
   equalBytes,
   getMask,
   getMessage,
@@ -44,7 +51,10 @@ import {
   randomBytes,
   splitCoder,
   vecCoder,
-} from './utils.js';
+  type Signer,
+  type SigOpts,
+  type VerOpts,
+} from './utils.ts';
 
 /**
  * * N: Security parameter (in bytes). W: Winternitz parameter
@@ -58,6 +68,7 @@ export type SphincsOpts = {
   D: number;
   K: number;
   A: number;
+  securityLevel: number;
 };
 
 export type SphincsHashOpts = {
@@ -67,12 +78,12 @@ export type SphincsHashOpts = {
 
 /** Winternitz signature params. */
 export const PARAMS: Record<string, SphincsOpts> = {
-  '128f': { W: 16, N: 16, H: 66, D: 22, K: 33, A: 6 },
-  '128s': { W: 16, N: 16, H: 63, D: 7, K: 14, A: 12 },
-  '192f': { W: 16, N: 24, H: 66, D: 22, K: 33, A: 8 },
-  '192s': { W: 16, N: 24, H: 63, D: 7, K: 17, A: 14 },
-  '256f': { W: 16, N: 32, H: 68, D: 17, K: 35, A: 9 },
-  '256s': { W: 16, N: 32, H: 64, D: 8, K: 22, A: 14 },
+  '128f': { W: 16, N: 16, H: 66, D: 22, K: 33, A: 6, securityLevel: 128 },
+  '128s': { W: 16, N: 16, H: 63, D: 7, K: 14, A: 12, securityLevel: 128 },
+  '192f': { W: 16, N: 24, H: 66, D: 22, K: 33, A: 8, securityLevel: 192 },
+  '192s': { W: 16, N: 24, H: 63, D: 7, K: 17, A: 14, securityLevel: 192 },
+  '256f': { W: 16, N: 32, H: 68, D: 17, K: 35, A: 9, securityLevel: 256 },
+  '256s': { W: 16, N: 32, H: 64, D: 8, K: 22, A: 14, securityLevel: 256 },
 } as const;
 
 const AddressType = {
@@ -135,13 +146,14 @@ function getMaskBig(bits: number) {
   return (1n << BigInt(bits)) - 1n; // 4 -> 0b1111
 }
 
-export type SphincsSigner = Signer & { seedLen: number } & {
+export type SphincsSigner = Signer & {
   internal: Signer;
-  prehash: (hashName: string) => Signer;
+  securityLevel: number;
+  prehash: (hash: CHash) => Signer;
 };
 
 function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
-  const { N, W, H, D, K, A } = opts;
+  const { N, W, H, D, K, A, securityLevel: securityLevel } = opts;
   const getContext = hashOpts.getContext(opts);
   if (W !== 16) throw new Error('Unsupported Winternitz parameter');
   const WOTS_LOGW = 4;
@@ -197,7 +209,7 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
     if (hash !== undefined) addr[OFFSET_HASH_ADDR] = hash;
     if (index !== undefined) v.setUint32(OFFSET_TREE_INDEX, index, false);
     if (subtreeAddr) addr.set(subtreeAddr.subarray(0, OFFSET_TREE + 8));
-    if (tree !== undefined) setBigUint64(v, OFFSET_TREE, tree, false);
+    if (tree !== undefined) v.setBigUint64(OFFSET_TREE, tree, false);
     if (keypair !== undefined) {
       addr[OFFSET_KP_ADDR1] = keypair;
       if (TREE_HEIGHT > 8) addr[OFFSET_KP_ADDR2] = keypair >>> 8;
@@ -315,7 +327,7 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
     wotsAddr: ADRS,
     treeAddr: ADRS,
     leafIdx: number,
-    prevRoot = new Uint8Array(N)
+    prevRoot: Uint8Array = new Uint8Array(N)
   ) => {
     setAddr({ type: AddressType.HASHTREE }, treeAddr);
     // State variables
@@ -381,8 +393,17 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
   const wotsCoder = vecCoder(splitCoder(WOTS_LEN * N, TREE_HEIGHT * N), D);
   const sigCoder = splitCoder(N, forsCoder, wotsCoder); // random || fors || wots
   const internal: Signer = {
-    signRandBytes: N,
-    keygen(seed = randomBytes(seedCoder.bytesLen)) {
+    info: { type: 'internal-slh-dsa' },
+    lengths: {
+      publicKey: publicCoder.bytesLen,
+      secretKey: secretCoder.bytesLen,
+      signature: sigCoder.bytesLen,
+      seed: seedCoder.bytesLen,
+      signRand: N,
+    },
+    keygen(seed?: Uint8Array) {
+      if (seed !== undefined) abytes(seed, seedCoder.bytesLen);
+      seed = seed === undefined ? randomBytes(seedCoder.bytesLen) : copyBytes(seed);
       // Set SK.seed, SK.prf, and PK.seed to random n-byte
       const [secretSeed, secretPRF, publicSeed] = seedCoder.decode(seed);
       const context = getContext(publicSeed, secretSeed);
@@ -397,12 +418,20 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
       cleanBytes(secretSeed, secretPRF, root, wotsAddr, topTreeAddr);
       return { publicKey, secretKey };
     },
-    sign: (sk: Uint8Array, msg: Uint8Array, random?: Uint8Array) => {
+    getPublicKey: (secretKey: Uint8Array) => {
+      const [_skSeed, _skPRF, pk] = secretCoder.decode(secretKey);
+      return Uint8Array.from(pk);
+    },
+    sign: (msg: Uint8Array, sk: Uint8Array, opts: SigOpts = {}) => {
+      validateSigOpts(opts);
+      let { extraEntropy: random } = opts;
       const [skSeed, skPRF, pk] = secretCoder.decode(sk); // todo: fix
       const [pkSeed, _] = publicCoder.decode(pk);
       // Set opt_rand to either PK.seed or to a random n-byte string
-      if (!random) random = pkSeed.slice();
-      ensureBytes(random, N);
+      if (random === false) random = copyBytes(pkSeed);
+      else if (random === undefined) random = randomBytes(N);
+      else random = copyBytes(random);
+      abytes(random, N);
       const context = getContext(pkSeed, skSeed);
       // Generate randomizer
       const R = context.PRFmsg(skPRF, random, msg); // R ← PRFmsg(SK.prf, opt_rand, M)
@@ -457,7 +486,7 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
           root: r,
         } = merkleSign(context, wotsAddr, treeAddr, leafIdx, root);
         root.set(r);
-        r.fill(0);
+        cleanBytes(r);
         wots.push([sigWots, sigAuth]);
         leafIdx = Number(tree & getMaskBig(TREE_HEIGHT));
       }
@@ -466,7 +495,7 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
       cleanBytes(R, random, treeAddr, wotsAddr, forsLeaf, forsTreeAddr, indices, roots);
       return SIG;
     },
-    verify: (publicKey: Uint8Array, msg: Uint8Array, sig: Uint8Array) => {
+    verify: (sig: Uint8Array, msg: Uint8Array, publicKey: Uint8Array) => {
       const [pkSeed, pubRoot] = publicCoder.decode(publicKey);
       const [random, forsVec, wotsVec] = sigCoder.decode(sig);
       const pk = publicKey;
@@ -527,33 +556,43 @@ function gen(opts: SphincsOpts, hashOpts: SphincsHashOpts): SphincsSigner {
     },
   };
   return {
+    info: { type: 'slh-dsa' },
     internal,
-    seedLen: seedCoder.bytesLen,
+    securityLevel: securityLevel,
+    lengths: internal.lengths,
     keygen: internal.keygen,
-    signRandBytes: internal.signRandBytes,
-    sign: (secretKey: Uint8Array, msg: Uint8Array, ctx = EMPTY, random?: Uint8Array) => {
-      const M = getMessage(msg, ctx);
-      const res = internal.sign(secretKey, M, random);
-      M.fill(0);
+    getPublicKey: internal.getPublicKey,
+    sign: (msg: Uint8Array, secretKey: Uint8Array, opts: SigOpts = {}) => {
+      validateSigOpts(opts);
+      const M = getMessage(msg, opts.context);
+      const res = internal.sign(M, secretKey, opts);
+      cleanBytes(M);
       return res;
     },
-    verify: (publicKey: Uint8Array, msg: Uint8Array, sig: Uint8Array, ctx = EMPTY) => {
-      return internal.verify(publicKey, getMessage(msg, ctx), sig);
+    verify: (sig: Uint8Array, msg: Uint8Array, publicKey: Uint8Array, opts: VerOpts = {}) => {
+      validateVerOpts(opts);
+      return internal.verify(sig, getMessage(msg, opts.context), publicKey);
+    },
+    prehash: (hash: CHash) => {
+      checkHash(hash, securityLevel);
+      return {
+        info: { type: 'hashslh-dsa' },
+        lengths: internal.lengths,
+        keygen: internal.keygen,
+        getPublicKey: internal.getPublicKey,
+        sign: (msg: Uint8Array, secretKey: Uint8Array, opts: SigOpts = {}) => {
+          validateSigOpts(opts);
+          const M = getMessagePrehash(hash, msg, opts.context);
+          const res = internal.sign(M, secretKey, opts);
+          cleanBytes(M);
+          return res;
+        },
+        verify: (sig: Uint8Array, msg: Uint8Array, publicKey: Uint8Array, opts: VerOpts = {}) => {
+          validateVerOpts(opts);
+          return internal.verify(sig, getMessagePrehash(hash, msg, opts.context), publicKey);
+        },
+      };
     },
-    prehash: (hashName: string) => ({
-      seedLen: seedCoder.bytesLen,
-      keygen: internal.keygen,
-      signRandBytes: internal.signRandBytes,
-      sign: (secretKey: Uint8Array, msg: Uint8Array, ctx = EMPTY, random?: Uint8Array) => {
-        const M = getMessagePrehash(hashName, msg, ctx);
-        const res = internal.sign(secretKey, M, random);
-        M.fill(0);
-        return res;
-      },
-      verify: (publicKey: Uint8Array, msg: Uint8Array, sig: Uint8Array, ctx = EMPTY) => {
-        return internal.verify(publicKey, getMessagePrehash(hashName, msg, ctx), sig);
-      },
-    }),
   };
 }
 
@@ -639,16 +678,18 @@ const genSha =
     const h0tmp = h0ps.clone();
     const h1tmp = h1ps.clone();
 
+    // https://www.rfc-editor.org/rfc/rfc8017.html#appendix-B.2.1
     function mgf1(seed: Uint8Array, length: number, hash: ShaType) {
       stats.mgf1++;
       const out = new Uint8Array(Math.ceil(length / hash.outputLen) * hash.outputLen);
+      // NOT 2^32-1
       if (length > 2 ** 32) throw new Error('mask too long');
       for (let counter = 0, o = out; o.length; counter++) {
         counterV.setUint32(0, counter, false);
         hash.create().update(seed).update(counterB).digestInto(o);
         o = o.subarray(hash.outputLen);
       }
-      out.subarray(length).fill(0);
+      cleanBytes(out.subarray(length));
       return out.subarray(0, length);
     }
 
@@ -677,7 +718,7 @@ const genSha =
       },
       PRFmsg: (skPRF: Uint8Array, random: Uint8Array, msg: Uint8Array) => {
         stats.gen_message_random++;
-        return new HMAC(h1, skPRF).update(random).update(msg).digest().subarray(0, N);
+        return hmac.create(h1, skPRF).update(random).update(msg).digest().subarray(0, N);
       },
       Hmsg: (R: Uint8Array, pk: Uint8Array, m: Uint8Array, outLen) => {
         stats.hmsg++;

package/src/utils.ts

@@ -3,21 +3,18 @@
  * @module
  */
 /*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
-import { abytes } from '@noble/hashes/_assert';
-import { sha224, sha256 } from '@noble/hashes/sha256';
-import { sha3_224, sha3_256, sha3_384, sha3_512, shake128, shake256 } from '@noble/hashes/sha3';
-import { sha384, sha512, sha512_224, sha512_256 } from '@noble/hashes/sha512';
 import {
+  type CHash,
   type TypedArray,
+  abytes,
+  abytes as abytes_,
   concatBytes,
-  hexToBytes,
+  isBytes,
   randomBytes as randb,
-  utf8ToBytes,
-} from '@noble/hashes/utils';
-
-export const ensureBytes: typeof abytes = abytes;
+} from '@noble/hashes/utils.js';
+export { abytes } from '@noble/hashes/utils.js';
+export { concatBytes };
 export const randomBytes: typeof randb = randb;
-export { concatBytes, utf8ToBytes };
 
 // Compares 2 u8a-s in kinda constant time
 export function equalBytes(a: Uint8Array, b: Uint8Array): boolean {
@@ -27,15 +24,60 @@ export function equalBytes(a: Uint8Array, b: Uint8Array): boolean {
   return diff === 0;
 }
 
+// copy bytes to new u8a (aligned). Because Buffer.slice is broken.
+export function copyBytes(bytes: Uint8Array): Uint8Array {
+  return Uint8Array.from(bytes);
+}
+
+export type CryptoKeys = {
+  info?: { type?: string };
+  lengths: { seed?: number; publicKey?: number; secretKey?: number };
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
+  getPublicKey: (secretKey: Uint8Array) => Uint8Array;
+};
+
+export type VerOpts = {
+  context?: Uint8Array;
+};
+export type SigOpts = VerOpts & {
+  // Compatibility with @noble/curves: false to disable, enabled by default, user can pass U8A
+  extraEntropy?: Uint8Array | false;
+};
+
+export function validateOpts(opts: object): void {
+  // We try to catch u8a, since it was previously valid argument at this position
+  if (typeof opts !== 'object' || opts === null || isBytes(opts))
+    throw new Error('expected opts to be an object');
+}
+
+export function validateVerOpts(opts: VerOpts): void {
+  validateOpts(opts);
+  if (opts.context !== undefined) abytes(opts.context, undefined, 'opts.context');
+}
+
+export function validateSigOpts(opts: SigOpts): void {
+  validateVerOpts(opts);
+  if (opts.extraEntropy !== false && opts.extraEntropy !== undefined)
+    abytes(opts.extraEntropy, undefined, 'opts.extraEntropy');
+}
+
 /** Generic interface for signatures. Has keygen, sign and verify. */
-export type Signer = {
-  signRandBytes: number;
-  keygen: (seed: Uint8Array) => {
-    secretKey: Uint8Array;
-    publicKey: Uint8Array;
+export type Signer = CryptoKeys & {
+  lengths: { signRand?: number; signature?: number };
+  sign: (msg: Uint8Array, secretKey: Uint8Array, opts?: SigOpts) => Uint8Array;
+  verify: (sig: Uint8Array, msg: Uint8Array, publicKey: Uint8Array, opts?: VerOpts) => boolean;
+};
+
+export type KEM = CryptoKeys & {
+  lengths: { cipherText?: number; msg?: number; msgRand?: number };
+  encapsulate: (
+    publicKey: Uint8Array,
+    msg?: Uint8Array
+  ) => {
+    cipherText: Uint8Array;
+    sharedSecret: Uint8Array;
   };
-  sign: (secretKey: Uint8Array, msg: Uint8Array, random?: Uint8Array) => Uint8Array;
-  verify: (publicKey: Uint8Array, msg: Uint8Array, sig: Uint8Array) => boolean;
+  decapsulate: (cipherText: Uint8Array, secretKey: Uint8Array) => Uint8Array;
 };
 
 export interface Coder<F, T> {
@@ -68,7 +110,7 @@ export function splitCoder<T extends (number | BytesCoderLen<any>)[]>(
         const c = lengths[i];
         const l = getLength(c);
         const b: Uint8Array = typeof c === 'number' ? (bufs[i] as any) : c.encode(bufs[i]);
-        ensureBytes(b, l);
+        abytes_(b, l);
         res.set(b, pos);
         if (typeof c !== 'number') b.fill(0); // clean
         pos += l;
@@ -76,7 +118,7 @@ export function splitCoder<T extends (number | BytesCoderLen<any>)[]>(
       return res;
     },
     decode: (buf: Uint8Array) => {
-      ensureBytes(buf, bytesLen);
+      abytes_(buf, bytesLen);
       const res = [];
       for (const c of lengths) {
         const l = getLength(c);
@@ -106,7 +148,7 @@ export function vecCoder<T>(c: BytesCoderLen<T>, vecLen: number): BytesCoderLen<
       return res;
     },
     decode: (a: Uint8Array): T[] => {
-      ensureBytes(a, bytesLen);
+      abytes_(a, bytesLen);
       const r: T[] = [];
       for (let i = 0; i < a.length; i += c.bytesLen)
         r.push(c.decode(a.subarray(i, i + c.bytesLen)));
@@ -115,7 +157,7 @@ export function vecCoder<T>(c: BytesCoderLen<T>, vecLen: number): BytesCoderLen<
   };
 }
 
-// cleanBytes(new Uint8Array(), [new Uint16Array(), new Uint32Array()])
+// cleanBytes(Uint8Array.of(), [Uint16Array.of(), Uint32Array.of()])
 export function cleanBytes(...list: (TypedArray | TypedArray[])[]): void {
   for (const t of list) {
     if (Array.isArray(t)) for (const b of t) b.fill(0);
@@ -127,48 +169,40 @@ export function getMask(bits: number): number {
   return (1 << bits) - 1; // 4 -> 0b1111
 }
 
-export const EMPTY: Uint8Array = new Uint8Array(0);
+export const EMPTY: Uint8Array = Uint8Array.of();
 
 export function getMessage(msg: Uint8Array, ctx: Uint8Array = EMPTY): Uint8Array {
-  ensureBytes(msg);
-  ensureBytes(ctx);
+  abytes_(msg);
+  abytes_(ctx);
   if (ctx.length > 255) throw new Error('context should be less than 255 bytes');
   return concatBytes(new Uint8Array([0, ctx.length]), ctx, msg);
 }
 
-// OIDS from https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
-// TODO: maybe add 'OID' property to hashes themselves to improve tree-shaking?
-const HASHES: Record<string, { oid: Uint8Array; hash: (msg: Uint8Array) => Uint8Array }> = {
-  'SHA2-256': { oid: hexToBytes('0609608648016503040201'), hash: sha256 },
-  'SHA2-384': { oid: hexToBytes('0609608648016503040202'), hash: sha384 },
-  'SHA2-512': { oid: hexToBytes('0609608648016503040203'), hash: sha512 },
-  'SHA2-224': { oid: hexToBytes('0609608648016503040204'), hash: sha224 },
-  'SHA2-512/224': { oid: hexToBytes('0609608648016503040205'), hash: sha512_224 },
-  'SHA2-512/256': { oid: hexToBytes('0609608648016503040206'), hash: sha512_256 },
-  'SHA3-224': { oid: hexToBytes('0609608648016503040207'), hash: sha3_224 },
-  'SHA3-256': { oid: hexToBytes('0609608648016503040208'), hash: sha3_256 },
-  'SHA3-384': { oid: hexToBytes('0609608648016503040209'), hash: sha3_384 },
-  'SHA3-512': { oid: hexToBytes('060960864801650304020A'), hash: sha3_512 },
-  'SHAKE-128': {
-    oid: hexToBytes('060960864801650304020B'),
-    hash: (msg) => shake128(msg, { dkLen: 32 }),
-  },
-  'SHAKE-256': {
-    oid: hexToBytes('060960864801650304020C'),
-    hash: (msg) => shake256(msg, { dkLen: 64 }),
-  },
-};
+// 06 09 60 86 48 01 65 03 04 02
+const oidNistP = /* @__PURE__ */ Uint8Array.from([6, 9, 0x60, 0x86, 0x48, 1, 0x65, 3, 4, 2]);
+
+export function checkHash(hash: CHash, requiredStrength: number = 0): void {
+  if (!hash.oid || !equalBytes(hash.oid.subarray(0, 10), oidNistP))
+    throw new Error('hash.oid is invalid: expected NIST hash');
+  const collisionResistance = (hash.outputLen * 8) / 2;
+  if (requiredStrength > collisionResistance) {
+    throw new Error(
+      'Pre-hash security strength too low: ' +
+        collisionResistance +
+        ', required: ' +
+        requiredStrength
+    );
+  }
+}
 
 export function getMessagePrehash(
-  hashName: string,
+  hash: CHash,
   msg: Uint8Array,
   ctx: Uint8Array = EMPTY
 ): Uint8Array {
-  ensureBytes(msg);
-  ensureBytes(ctx);
+  abytes_(msg);
+  abytes_(ctx);
   if (ctx.length > 255) throw new Error('context should be less than 255 bytes');
-  if (!HASHES[hashName]) throw new Error('unknown hash: ' + hashName);
-  const { oid, hash } = HASHES[hashName];
   const hashed = hash(msg);
-  return concatBytes(new Uint8Array([1, ctx.length]), ctx, oid, hashed);
+  return concatBytes(new Uint8Array([1, ctx.length]), ctx, hash.oid!, hashed);
 }