@omnituum/pqc-shared 0.2.6

package/dist/crypto/index.js

@@ -0,0 +1,716 @@
+import { sha256 as sha256$1 } from '@noble/hashes/sha256';
+import { hmac } from '@noble/hashes/hmac';
+import nacl from 'tweetnacl';
+import { blake3 as blake3$1 } from '@noble/hashes/blake3';
+import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha';
+import { hkdf, extract, expand } from '@noble/hashes/hkdf';
+import { sha512 } from '@noble/hashes/sha512';
+
+// src/crypto/primitives.ts
+var textEncoder = new TextEncoder();
+var textDecoder = new TextDecoder();
+function toB64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function fromB64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+  const s = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const normalized = s.length % 2 ? "0" + s : s;
+  const out = new Uint8Array(normalized.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+function assertLen(label, arr, n) {
+  if (arr.length !== n) {
+    throw new Error(`${label} must be ${n} bytes, got ${arr.length}`);
+  }
+}
+function rand32() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(32));
+}
+function rand24() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(24));
+}
+function rand12() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(12));
+}
+function randN(n) {
+  return globalThis.crypto.getRandomValues(new Uint8Array(n));
+}
+function sha256(bytes) {
+  return sha256$1(bytes);
+}
+function sha256String(str) {
+  return sha256(textEncoder.encode(str));
+}
+function hkdfSha256(ikm, opts) {
+  const salt = opts?.salt ?? new Uint8Array(32);
+  const info = opts?.info ?? new Uint8Array(0);
+  const L = opts?.length ?? 32;
+  const prk = hmac(sha256$1, salt, ikm);
+  let t = new Uint8Array(0);
+  const chunks = [];
+  for (let i = 1; i <= Math.ceil(L / 32); i++) {
+    const input = new Uint8Array(t.length + info.length + 1);
+    input.set(t, 0);
+    input.set(info, t.length);
+    input[input.length - 1] = i;
+    t = new Uint8Array(hmac(sha256$1, prk, input));
+    chunks.push(t);
+  }
+  const out = new Uint8Array(L);
+  let off = 0;
+  for (const c of chunks) {
+    out.set(c.subarray(0, L - off), off);
+    off += c.length;
+    if (off >= L) break;
+  }
+  return out;
+}
+var b64 = toB64;
+var ub64 = fromB64;
+var u8 = (s) => typeof s === "string" ? textEncoder.encode(s) : s;
+function secretboxEncrypt(key, plaintext, nonce) {
+  assertLen("secretbox key", key, 32);
+  const n = nonce ?? rand24();
+  assertLen("nonce", n, 24);
+  const ciphertext = nacl.secretbox(plaintext, n, key);
+  return {
+    scheme: "nacl.secretbox",
+    nonce: toB64(n),
+    ciphertext: toB64(ciphertext)
+  };
+}
+function secretboxEncryptString(key, plaintext, nonce) {
+  return secretboxEncrypt(key, new TextEncoder().encode(plaintext), nonce);
+}
+function secretboxDecrypt(key, payload) {
+  if (payload.scheme !== "nacl.secretbox") {
+    return null;
+  }
+  assertLen("secretbox key", key, 32);
+  const nonce = fromB64(payload.nonce);
+  const ciphertext = fromB64(payload.ciphertext);
+  return nacl.secretbox.open(ciphertext, nonce, key) || null;
+}
+function secretboxDecryptString(key, payload) {
+  const result = secretboxDecrypt(key, payload);
+  if (!result) return null;
+  return new TextDecoder().decode(result);
+}
+function secretboxRaw(key, plaintext, nonce) {
+  assertLen("secretbox key", key, 32);
+  assertLen("nonce", nonce, 24);
+  return nacl.secretbox(plaintext, nonce, key);
+}
+function secretboxOpenRaw(key, ciphertext, nonce) {
+  assertLen("secretbox key", key, 32);
+  assertLen("nonce", nonce, 24);
+  return nacl.secretbox.open(ciphertext, nonce, key) || null;
+}
+function boxEncrypt(plaintext, nonce, recipientPubKey, senderSecKey) {
+  assertLen("nonce", nonce, 24);
+  assertLen("recipient pubKey", recipientPubKey, 32);
+  assertLen("sender secKey", senderSecKey, 32);
+  return nacl.box(plaintext, nonce, recipientPubKey, senderSecKey);
+}
+function boxDecrypt(ciphertext, nonce, senderPubKey, recipientSecKey) {
+  assertLen("nonce", nonce, 24);
+  assertLen("sender pubKey", senderPubKey, 32);
+  assertLen("recipient secKey", recipientSecKey, 32);
+  return nacl.box.open(ciphertext, nonce, senderPubKey, recipientSecKey) || null;
+}
+var SECRETBOX_KEY_SIZE = nacl.secretbox.keyLength;
+var SECRETBOX_NONCE_SIZE = nacl.secretbox.nonceLength;
+var SECRETBOX_OVERHEAD = nacl.secretbox.overheadLength;
+var BOX_KEY_SIZE = nacl.box.publicKeyLength;
+var BOX_NONCE_SIZE = nacl.box.nonceLength;
+function generateX25519Keypair() {
+  const kp = nacl.box.keyPair();
+  return {
+    publicHex: "0x" + toHex(kp.publicKey),
+    secretHex: "0x" + toHex(kp.secretKey),
+    publicBytes: kp.publicKey,
+    secretBytes: kp.secretKey
+  };
+}
+function generateX25519KeypairFromSeed(seed) {
+  if (seed.length !== 32) {
+    throw new Error("X25519 seed must be 32 bytes");
+  }
+  const uniformSeed = sha256(seed);
+  const kp = nacl.box.keyPair.fromSecretKey(uniformSeed);
+  return {
+    publicKey: kp.publicKey,
+    secretKey: uniformSeed
+  };
+}
+function boxWrapWithX25519(symKey32, recipientPubKeyHex) {
+  assertLen("sym key", symKey32, 32);
+  const pk = fromHex(recipientPubKeyHex);
+  assertLen("recipient pubKey", pk, 32);
+  const eph = nacl.box.keyPair();
+  const nonce = rand24();
+  const boxed = nacl.box(symKey32, nonce, pk, eph.secretKey);
+  return {
+    ephPubKey: toHex(eph.publicKey),
+    nonce: b64(nonce),
+    boxed: b64(boxed)
+  };
+}
+function boxUnwrapWithX25519(wrap, recipientSecretKey32) {
+  assertLen("recipient secretKey", recipientSecretKey32, 32);
+  const ephPk = fromHex(wrap.ephPubKey);
+  assertLen("ephemeral pubKey", ephPk, 32);
+  return nacl.box.open(
+    ub64(wrap.boxed),
+    ub64(wrap.nonce),
+    ephPk,
+    recipientSecretKey32
+  ) || null;
+}
+function x25519SharedSecret(ourSecretKey, theirPublicKey) {
+  assertLen("secret key", ourSecretKey, 32);
+  assertLen("public key", theirPublicKey, 32);
+  return nacl.scalarMult(ourSecretKey, theirPublicKey);
+}
+function deriveKeyFromShared(shared, salt, info) {
+  return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
+}
+var kyberModule = null;
+async function loadKyber() {
+  if (kyberModule) return kyberModule;
+  try {
+    const m = await import('kyber-crystals');
+    const k = m.default ?? m;
+    kyberModule = k.kyber ?? k;
+    return kyberModule;
+  } catch (e) {
+    console.warn("[Kyber] Failed to load kyber-crystals:", e);
+    return null;
+  }
+}
+async function isKyberAvailable() {
+  const mod = await loadKyber();
+  return mod !== null;
+}
+async function generateKyberKeypair() {
+  try {
+    const mod = await loadKyber();
+    if (!mod) return null;
+    if (mod?.ready?.then) {
+      await mod.ready;
+    }
+    const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
+    if (typeof fn !== "function") {
+      console.warn("[Kyber] No keypair function found");
+      return null;
+    }
+    const kp = await fn.call(mod);
+    const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
+    const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
+    if (!pub || !priv) {
+      console.warn("[Kyber] Invalid keypair result");
+      return null;
+    }
+    return {
+      publicB64: b64(new Uint8Array(pub)),
+      secretB64: b64(new Uint8Array(priv))
+    };
+  } catch (e) {
+    console.warn("[Kyber] Key generation failed:", e);
+    return null;
+  }
+}
+async function kyberEncapsulate(pubKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.encrypt) {
+    throw new Error("Kyber encrypt not available");
+  }
+  const pk = ub64(pubKeyB64);
+  const r = await kyber.encrypt(pk);
+  const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
+  const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
+  if (!ctRaw || !ssRaw) {
+    throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
+  }
+  return {
+    ciphertext: new Uint8Array(ctRaw),
+    sharedSecret: new Uint8Array(ssRaw)
+  };
+}
+async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
+  const kyber = await loadKyber();
+  if (!kyber?.decrypt && !kyber?.decapsulate) {
+    throw new Error("Kyber decrypt/decapsulate not available");
+  }
+  const ct = ub64(kemCiphertextB64);
+  const sk = ub64(secretKeyB64);
+  const r = kyber.decrypt ? await kyber.decrypt(ct, sk) : await kyber.decapsulate(ct, sk);
+  const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
+  return new Uint8Array(key);
+}
+function kyberWrapKey(sharedSecret, msgKey32) {
+  if (msgKey32.length !== 32) {
+    throw new Error("Message key must be 32 bytes");
+  }
+  const kek = sha256(sharedSecret);
+  const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
+  const wrapped = nacl.secretbox(msgKey32, nonce, kek);
+  return {
+    nonce: b64(nonce),
+    wrapped: b64(wrapped)
+  };
+}
+function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
+  const kek = sha256(sharedSecret);
+  const nonce = ub64(nonceB64);
+  const wrapped = ub64(wrappedB64);
+  return nacl.secretbox.open(wrapped, nonce, kek) || null;
+}
+
+// src/crypto/dilithium.ts
+var dilithiumModule = null;
+async function loadDilithium() {
+  if (dilithiumModule) return dilithiumModule;
+  try {
+    const { ml_dsa65 } = await import('@noble/post-quantum/ml-dsa');
+    dilithiumModule = ml_dsa65;
+    return dilithiumModule;
+  } catch (e) {
+    console.warn("[Dilithium] Failed to load @noble/post-quantum:", e);
+    return null;
+  }
+}
+async function isDilithiumAvailable() {
+  const mod = await loadDilithium();
+  return mod !== null;
+}
+async function generateDilithiumKeypair() {
+  try {
+    const mod = await loadDilithium();
+    if (!mod) return null;
+    const seed = randN(32);
+    const kp = mod.keygen(seed);
+    return {
+      publicB64: toB64(kp.publicKey),
+      secretB64: toB64(kp.secretKey)
+    };
+  } catch (e) {
+    console.warn("[Dilithium] Key generation failed:", e);
+    return null;
+  }
+}
+async function generateDilithiumKeypairFromSeed(seed) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  if (seed.length !== 32) {
+    throw new Error("Dilithium seed must be 32 bytes");
+  }
+  const uniformSeed = sha256(seed);
+  const kp = mod.keygen(uniformSeed);
+  return {
+    publicKey: kp.publicKey,
+    secretKey: kp.secretKey
+  };
+}
+async function dilithiumSign(message, secretKeyB64) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  const sk = fromB64(secretKeyB64);
+  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
+  const signature = mod.sign(sk, msg);
+  return {
+    signature: toB64(signature),
+    algorithm: "ML-DSA-65"
+  };
+}
+async function dilithiumSignRaw(message, secretKey) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  return mod.sign(secretKey, message);
+}
+async function dilithiumVerify(message, signatureB64, publicKeyB64) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  const pk = fromB64(publicKeyB64);
+  const sig = fromB64(signatureB64);
+  const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
+  try {
+    return mod.verify(pk, msg, sig);
+  } catch {
+    return false;
+  }
+}
+async function dilithiumVerifyRaw(message, signature, publicKey) {
+  const mod = await loadDilithium();
+  if (!mod) {
+    throw new Error("Dilithium library not available");
+  }
+  try {
+    return mod.verify(publicKey, message, signature);
+  } catch {
+    return false;
+  }
+}
+var DILITHIUM_PUBLIC_KEY_SIZE = 1952;
+var DILITHIUM_SECRET_KEY_SIZE = 4032;
+var DILITHIUM_SIGNATURE_SIZE = 3309;
+var DILITHIUM_ALGORITHM = "ML-DSA-65";
+
+// src/version.ts
+var ENVELOPE_VERSION = "omnituum.hybrid.v1";
+var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
+var ENVELOPE_SUITE = "x25519+kyber768";
+var ENVELOPE_AEAD = "xsalsa20poly1305";
+var SUPPORTED_ENVELOPE_VERSIONS = [
+  ENVELOPE_VERSION,
+  ENVELOPE_VERSION_LEGACY
+];
+var VersionMismatchError = class extends Error {
+  constructor(type, expected, received) {
+    super(
+      `Version mismatch for ${type}: expected one of [${expected.join(", ")}], got "${received}". This may indicate data corruption or a newer format. See pqc-docs/specs/ for format specifications.`
+    );
+    this.type = type;
+    this.expected = expected;
+    this.received = received;
+    this.name = "VersionMismatchError";
+  }
+};
+function assertEnvelopeVersion(version) {
+  if (!SUPPORTED_ENVELOPE_VERSIONS.includes(version)) {
+    throw new VersionMismatchError("envelope", SUPPORTED_ENVELOPE_VERSIONS, version);
+  }
+}
+
+// src/crypto/hybrid.ts
+function hkdfFlex(ikm, salt, info) {
+  return hkdfSha256(ikm, { salt: u8(salt), info: u8(info), length: 32 });
+}
+function generateId() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function generateHybridIdentity(name) {
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) {
+    console.error("Kyber key generation failed - library not available");
+    return null;
+  }
+  return {
+    id: generateId(),
+    name,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    rotationCount: 0
+  };
+}
+async function rotateHybridIdentity(identity) {
+  const x25519 = generateX25519Keypair();
+  const kyber = await generateKyberKeypair();
+  if (!kyber) {
+    return null;
+  }
+  return {
+    ...identity,
+    x25519PubHex: x25519.publicHex,
+    x25519SecHex: x25519.secretHex,
+    kyberPubB64: kyber.publicB64,
+    kyberSecB64: kyber.secretB64,
+    lastRotatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    rotationCount: identity.rotationCount + 1
+  };
+}
+function getPublicKeys(identity) {
+  return {
+    x25519PubHex: identity.x25519PubHex,
+    kyberPubB64: identity.kyberPubB64
+  };
+}
+function getSecretKeys(identity) {
+  return {
+    x25519SecHex: identity.x25519SecHex,
+    kyberSecB64: identity.kyberSecB64
+  };
+}
+async function hybridEncrypt(plaintext, recipientPublicKeys, sender) {
+  const pt = typeof plaintext === "string" ? textEncoder.encode(plaintext) : plaintext;
+  const CK = rand32();
+  const contentNonce = rand24();
+  const ciphertext = nacl.secretbox(pt, contentNonce, CK);
+  const x25519EphKp = nacl.box.keyPair();
+  const recipientX25519Pk = fromHex(recipientPublicKeys.x25519PubHex);
+  const x25519Shared = nacl.scalarMult(x25519EphKp.secretKey, recipientX25519Pk);
+  const x25519Kek = hkdfFlex(x25519Shared, "omnituum/x25519", "wrap-ck");
+  const x25519WrapNonce = rand24();
+  const x25519Wrapped = nacl.secretbox(CK, x25519WrapNonce, x25519Kek);
+  const kyberResult = await kyberEncapsulate(recipientPublicKeys.kyberPubB64);
+  const kyberKek = hkdfFlex(kyberResult.sharedSecret, "omnituum/kyber", "wrap-ck");
+  const kyberWrapNonce = rand24();
+  const kyberWrapped = nacl.secretbox(CK, kyberWrapNonce, kyberKek);
+  return {
+    v: ENVELOPE_VERSION,
+    suite: ENVELOPE_SUITE,
+    aead: ENVELOPE_AEAD,
+    x25519Epk: toHex(x25519EphKp.publicKey),
+    x25519Wrap: {
+      nonce: b64(x25519WrapNonce),
+      wrapped: b64(x25519Wrapped)
+    },
+    kyberKemCt: b64(kyberResult.ciphertext),
+    kyberWrap: {
+      nonce: b64(kyberWrapNonce),
+      wrapped: b64(kyberWrapped)
+    },
+    contentNonce: b64(contentNonce),
+    ciphertext: b64(ciphertext),
+    meta: {
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      senderName: sender?.name,
+      senderId: sender?.id
+    }
+  };
+}
+async function hybridDecrypt(envelope, secretKeys) {
+  const version = envelope.v;
+  assertEnvelopeVersion(version);
+  let CK = null;
+  const saltPrefix = version === "pqc-demo.hybrid.v1" ? "pqc-demo" : "omnituum";
+  try {
+    const kyberShared = await kyberDecapsulate(envelope.kyberKemCt, secretKeys.kyberSecB64);
+    const kyberKek = hkdfFlex(kyberShared, `${saltPrefix}/kyber`, "wrap-ck");
+    CK = nacl.secretbox.open(
+      ub64(envelope.kyberWrap.wrapped),
+      ub64(envelope.kyberWrap.nonce),
+      kyberKek
+    );
+    if (CK) {
+      console.log("[Hybrid] Decrypted using Kyber (post-quantum)");
+    }
+  } catch (e) {
+    console.warn("[Hybrid] Kyber decapsulation failed:", e);
+  }
+  if (!CK) {
+    try {
+      const ephPk = fromHex(envelope.x25519Epk);
+      const sk = fromHex(secretKeys.x25519SecHex);
+      const x25519Shared = nacl.scalarMult(sk, ephPk);
+      const x25519Kek = hkdfFlex(x25519Shared, `${saltPrefix}/x25519`, "wrap-ck");
+      CK = nacl.secretbox.open(
+        ub64(envelope.x25519Wrap.wrapped),
+        ub64(envelope.x25519Wrap.nonce),
+        x25519Kek
+      );
+      if (CK) {
+        console.log("[Hybrid] Decrypted using X25519 (classical)");
+      }
+    } catch (e) {
+      console.warn("[Hybrid] X25519 decryption failed:", e);
+    }
+  }
+  if (!CK) {
+    throw new Error("Could not unwrap content key with either algorithm");
+  }
+  const pt = nacl.secretbox.open(
+    ub64(envelope.ciphertext),
+    ub64(envelope.contentNonce),
+    CK
+  );
+  if (!pt) {
+    throw new Error("Content authentication failed");
+  }
+  return pt;
+}
+async function hybridDecryptToString(envelope, secretKeys) {
+  const pt = await hybridDecrypt(envelope, secretKeys);
+  return textDecoder.decode(pt);
+}
+function blake3(data, options) {
+  const input = typeof data === "string" ? new TextEncoder().encode(data) : data;
+  const opts = {};
+  if (options?.outputLength) {
+    opts.dkLen = options.outputLength;
+  }
+  if (options?.key) {
+    if (options.key.length !== 32) {
+      throw new Error("BLAKE3 key must be exactly 32 bytes");
+    }
+    opts.key = options.key;
+  }
+  if (options?.context) {
+    opts.context = new TextEncoder().encode(options.context);
+  }
+  return blake3$1(input, opts);
+}
+function blake3Hex(data, options) {
+  const hash = blake3(data, options);
+  return Array.from(hash).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function blake3Mac(key, data, outputLength = 32) {
+  if (key.length !== 32) {
+    throw new Error("BLAKE3 MAC key must be exactly 32 bytes");
+  }
+  return blake3(data, { key, outputLength });
+}
+function blake3DeriveKey(context, keyMaterial, outputLength = 32) {
+  return blake3(keyMaterial, { context, outputLength });
+}
+var BLAKE3_OUTPUT_LENGTH = 32;
+var BLAKE3_KEY_LENGTH = 32;
+var BLAKE3_BLOCK_SIZE = 64;
+function chaCha20Poly1305Encrypt(key, nonce, plaintext, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  const cipher = chacha20poly1305(key, nonce, aad);
+  return cipher.encrypt(plaintext);
+}
+function chaCha20Poly1305Decrypt(key, nonce, ciphertext, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  try {
+    const cipher = chacha20poly1305(key, nonce, aad);
+    return cipher.decrypt(ciphertext);
+  } catch {
+    return null;
+  }
+}
+function xChaCha20Poly1305Encrypt(key, nonce, plaintext, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  const cipher = xchacha20poly1305(key, nonce, aad);
+  return cipher.encrypt(plaintext);
+}
+function xChaCha20Poly1305Decrypt(key, nonce, ciphertext, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  try {
+    const cipher = xchacha20poly1305(key, nonce, aad);
+    return cipher.decrypt(ciphertext);
+  } catch {
+    return null;
+  }
+}
+function createXChaCha20Poly1305(key, nonce, aad) {
+  if (key.length !== 32) {
+    throw new Error("XChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 24) {
+    throw new Error("XChaCha20-Poly1305 nonce must be 24 bytes");
+  }
+  return xchacha20poly1305(key, nonce, aad);
+}
+function createChaCha20Poly1305(key, nonce, aad) {
+  if (key.length !== 32) {
+    throw new Error("ChaCha20-Poly1305 key must be 32 bytes");
+  }
+  if (nonce.length !== 12) {
+    throw new Error("ChaCha20-Poly1305 nonce must be 12 bytes");
+  }
+  return chacha20poly1305(key, nonce, aad);
+}
+var CHACHA20_KEY_SIZE = 32;
+var CHACHA20_NONCE_SIZE = 12;
+var XCHACHA20_NONCE_SIZE = 24;
+var POLY1305_TAG_SIZE = 16;
+function hkdfDerive(ikm, outputLength, options) {
+  const hashFn = getHashFunction(options?.hash ?? "sha256");
+  const info = normalizeInfo(options?.info);
+  const salt = options?.salt;
+  return hkdf(hashFn, ikm, salt, info, outputLength);
+}
+function hkdfExtract(ikm, salt, hash = "sha256") {
+  const hashFn = getHashFunction(hash);
+  return extract(hashFn, ikm, salt);
+}
+function hkdfExpand(prk, info, outputLength, hash = "sha256") {
+  const hashFn = getHashFunction(hash);
+  return expand(hashFn, prk, normalizeInfo(info), outputLength);
+}
+function hkdfSplitForNoise(chainingKey, inputKeyMaterial) {
+  const prk = hkdfExtract(inputKeyMaterial, chainingKey, "sha256");
+  const output = hkdfExpand(prk, void 0, 64, "sha256");
+  return [
+    output.slice(0, 32),
+    // New chaining key
+    output.slice(32, 64)
+    // Output key
+  ];
+}
+function hkdfTripleSplitForNoise(chainingKey, inputKeyMaterial) {
+  const prk = hkdfExtract(inputKeyMaterial, chainingKey, "sha256");
+  const output = hkdfExpand(prk, void 0, 96, "sha256");
+  return [
+    output.slice(0, 32),
+    // New chaining key
+    output.slice(32, 64),
+    // Output key 1
+    output.slice(64, 96)
+    // Output key 2
+  ];
+}
+function getHashFunction(hash) {
+  switch (hash) {
+    case "sha256":
+      return sha256$1;
+    case "sha512":
+      return sha512;
+    default:
+      throw new Error(`Unsupported HKDF hash: ${hash}`);
+  }
+}
+function normalizeInfo(info) {
+  if (!info) return new Uint8Array(0);
+  if (typeof info === "string") return new TextEncoder().encode(info);
+  return info;
+}
+var HKDF_SHA256_OUTPUT_SIZE = 32;
+var HKDF_SHA512_OUTPUT_SIZE = 64;
+var HKDF_SHA256_MAX_OUTPUT = 255 * 32;
+var HKDF_SHA512_MAX_OUTPUT = 255 * 64;
+
+export { BLAKE3_BLOCK_SIZE, BLAKE3_KEY_LENGTH, BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, CHACHA20_NONCE_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, HKDF_SHA256_MAX_OUTPUT, HKDF_SHA256_OUTPUT_SIZE, HKDF_SHA512_MAX_OUTPUT, HKDF_SHA512_OUTPUT_SIZE, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, rotateHybridIdentity, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt };