@protontech/openpgp 6.0.0-beta.3.patch.1 → 6.0.1

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-beta.3.patch.1 - 2024-09-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.1 - 2024-11-25 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1047,6 +1047,11 @@ var enums = {
     ed25519: 27,
     /** Ed448 (Sign only) */
     ed448: 28,
+    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
+    pqc_mlkem_x25519: 105,
+    /** Post-quantum ML-DSA-64 + Ed25519 (Sign only) */
+    pqc_mldsa_ed25519: 107,
+
     /** Persistent symmetric keys: encryption algorithm */
     aead: 100,
     /** Persistent symmetric keys: authentication algorithm */
@@ -1455,7 +1460,7 @@ var config = {
    * @memberof module:config
    * @property {Integer} preferredHashAlgorithm Default hash algorithm {@link module:enums.hash}
    */
-  preferredHashAlgorithm: enums.hash.sha256,
+  preferredHashAlgorithm: enums.hash.sha512,
   /**
    * @memberof module:config
    * @property {Integer} preferredSymmetricAlgorithm Default encryption cipher {@link module:enums.symmetric}
@@ -1682,7 +1687,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-beta.3.patch.1',
+  versionString: 'OpenPGP.js 6.0.1',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -1883,6 +1888,9 @@ const util = {
    * @returns {Uint8Array} Padded bytes.
    */
   leftPad(bytes, length) {
+    if (bytes.length > length) {
+      throw new Error('Input array too long');
+    }
     const padded = new Uint8Array(length);
     const offset = length - bytes.length;
     padded.set(bytes, offset);
@@ -2458,7 +2466,7 @@ function encode$1(data) {
  * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.
  * @static
  */
-function decode$2(data) {
+function decode$1(data) {
   let buf = '';
   return transform(data, value => {
     buf += value;
@@ -2494,7 +2502,7 @@ function decode$2(data) {
  * @returns {Uint8Array} An array of 8-bit integers.
  */
 function b64ToUint8Array(base64) {
-  return decode$2(base64.replace(/-/g, '+').replace(/_/g, '/'));
+  return decode$1(base64.replace(/-/g, '+').replace(/_/g, '/'));
 }
 
 /**
@@ -2747,7 +2755,7 @@ function unarmor(input) {
       let headersDone;
       let text = [];
       let textDone;
-      const data = decode$2(transformPair(input, async (readable, writable) => {
+      const data = decode$1(transformPair(input, async (readable, writable) => {
         const reader = getReader(readable);
         try {
           while (true) {
@@ -3820,7 +3828,7 @@ function applySbox(sbox2, s0, s1, s2, s3) {
     return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
         (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
 }
-function encrypt$6(xk, s0, s1, s2, s3) {
+function encrypt$7(xk, s0, s1, s2, s3) {
     const { sbox2, T01, T23 } = tableEncoding;
     let k = 0;
     (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
@@ -3840,7 +3848,7 @@ function encrypt$6(xk, s0, s1, s2, s3) {
     return { s0: t0, s1: t1, s2: t2, s3: t3 };
 }
 // Can't be merged with encrypt: arg positions for apply0123 / applySbox are different
-function decrypt$6(xk, s0, s1, s2, s3) {
+function decrypt$7(xk, s0, s1, s2, s3) {
     const { sbox2, T01, T23 } = tableDecoding;
     let k = 0;
     (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
@@ -3878,7 +3886,7 @@ function ctrCounter(xk, nonce, src, dst) {
     const ctr = nonce;
     const c32 = u32$1(ctr);
     // Fill block (empty, ctr=0)
-    let { s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]);
     const src32 = u32$1(src);
     const dst32 = u32$1(dst);
     // process blocks
@@ -3894,7 +3902,7 @@ function ctrCounter(xk, nonce, src, dst) {
             ctr[i] = carry & 0xff;
             carry >>>= 8;
         }
-        ({ s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]));
+        ({ s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]));
     }
     // leftovers (less than block)
     // It's possible to handle > u32 fast, but is it worth it?
@@ -3924,7 +3932,7 @@ function ctr32(xk, isLE, nonce, src, dst) {
     const srcLen = src.length;
     // Fill block (empty, ctr=0)
     let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
-    let { s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]);
     // process blocks
     for (let i = 0; i + 4 <= src32.length; i += 4) {
         dst32[i + 0] = src32[i + 0] ^ s0;
@@ -3933,7 +3941,7 @@ function ctr32(xk, isLE, nonce, src, dst) {
         dst32[i + 3] = src32[i + 3] ^ s3;
         ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
         view.setUint32(ctrPos, ctrNum, isLE);
-        ({ s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]));
+        ({ s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]));
     }
     // leftovers (less than a block)
     const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
@@ -4004,14 +4012,14 @@ function validatePCKS(data, pcks5) {
         return data;
     const len = data.length;
     if (!len)
-        throw new Error(`aes/pcks5: empty ciphertext not allowed`);
+        throw new Error('aes/pcks5: empty ciphertext not allowed');
     const lastByte = data[len - 1];
     if (lastByte <= 0 || lastByte > 16)
-        throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`);
+        throw new Error('aes/pcks5: wrong padding');
     const out = data.subarray(0, -lastByte);
     for (let i = 0; i < lastByte; i++)
         if (data[len - i - 1] !== lastByte)
-            throw new Error(`aes/pcks5: wrong padding`);
+            throw new Error('aes/pcks5: wrong padding');
     return out;
 }
 function padPCKS(left) {
@@ -4045,13 +4053,13 @@ const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv,
             let i = 0;
             for (; i + 4 <= b.length;) {
                 (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
-                ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+                ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
                 (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
             }
             if (pcks5) {
                 const tmp32 = padPCKS(plaintext.subarray(i * 4));
                 (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
-                ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+                ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
                 (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
             }
             clean(...toClean);
@@ -4076,7 +4084,7 @@ const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv,
                 // prettier-ignore
                 const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
                 (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
-                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt$6(xk, s0, s1, s2, s3);
+                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt$7(xk, s0, s1, s2, s3);
                 (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
             }
             clean(...toClean);
@@ -4109,7 +4117,7 @@ const cfb$1 = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cfb(key, i
         // prettier-ignore
         let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
         for (let i = 0; i + 4 <= src32.length;) {
-            const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt$6(xk, s0, s1, s2, s3);
+            const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt$7(xk, s0, s1, s2, s3);
             dst32[i + 0] = src32[i + 0] ^ e0;
             dst32[i + 1] = src32[i + 1] ^ e1;
             dst32[i + 2] = src32[i + 2] ^ e2;
@@ -4119,7 +4127,7 @@ const cfb$1 = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cfb(key, i
         // leftovers (less than block)
         const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
         if (start < srcLen) {
-            ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+            ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
             const buf = u8$1(new Uint32Array([s0, s1, s2, s3]));
             for (let i = start, pos = 0; i < srcLen; i++, pos++)
                 dst[i] = src[i] ^ buf[pos];
@@ -4152,17 +4160,21 @@ function computeTag(fn, isLE, key, data, AAD) {
 }
 /**
  * GCM: Galois/Counter Mode.
- * Good, modern version of CTR, parallel, with MAC.
+ * Modern, parallel version of CTR, with MAC.
  * Be careful: MACs can be forged.
+ * Unsafe to use random nonces under the same key, due to collision chance.
+ * As for nonce size, prefer 12-byte, instead of 8-byte.
  */
 const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) {
     bytes(key);
     bytes(nonce);
     if (AAD !== undefined)
         bytes(AAD);
-    // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure.
-    if (nonce.length === 0)
-        throw new Error('aes/gcm: empty nonce');
+    // NIST 800-38d doesn't enforce minimum nonce length.
+    // We enforce 8 bytes for compat with openssl.
+    // 12 bytes are recommended. More than 12 bytes would be converted into 12.
+    if (nonce.length < 8)
+        throw new Error('aes/gcm: invalid nonce length');
     const tagLength = 16;
     function _computeTag(authKey, tagMask, data) {
         const tag = computeTag(ghash, false, authKey, data, AAD);
@@ -4175,12 +4187,11 @@ const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, functi
         const authKey = EMPTY_BLOCK.slice();
         const counter = EMPTY_BLOCK.slice();
         ctr32(xk, false, counter, counter, authKey);
+        // NIST 800-38d, page 15: different behavior for 96-bit and non-96-bit nonces
         if (nonce.length === 12) {
             counter.set(nonce);
         }
         else {
-            // Spec (NIST 800-38d) supports variable size nonce.
-            // Not supported for now, but can be useful.
             const nonceLen = EMPTY_BLOCK.slice();
             const view = createView(nonceLen);
             setBigUint64(view, 8, BigInt(nonce.length * 8), false);
@@ -4237,7 +4248,7 @@ function encryptBlock(xk, block) {
     if (!isBytes32(xk))
         throw new Error('_encryptBlock accepts result of expandKeyLE');
     const b32 = u32$1(block);
-    let { s0, s1, s2, s3 } = encrypt$6(xk, b32[0], b32[1], b32[2], b32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, b32[0], b32[1], b32[2], b32[3]);
     (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
     return block;
 }
@@ -4246,7 +4257,7 @@ function decryptBlock(xk, block) {
     if (!isBytes32(xk))
         throw new Error('_decryptBlock accepts result of expandKeyLE');
     const b32 = u32$1(block);
-    let { s0, s1, s2, s3 } = decrypt$6(xk, b32[0], b32[1], b32[2], b32[3]);
+    let { s0, s1, s2, s3 } = decrypt$7(xk, b32[0], b32[1], b32[2], b32[3]);
     (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
     return block;
 }
@@ -4287,7 +4298,7 @@ const AESW = {
             let a0 = o32[0], a1 = o32[1]; // A
             for (let j = 0, ctr = 1; j < 6; j++) {
                 for (let pos = 2; pos < o32.length; pos += 2, ctr++) {
-                    const { s0, s1, s2, s3 } = encrypt$6(xk, a0, a1, o32[pos], o32[pos + 1]);
+                    const { s0, s1, s2, s3 } = encrypt$7(xk, a0, a1, o32[pos], o32[pos + 1]);
                     // A = MSB(64, B) ^ t where t = (n*j)+i
                     (a0 = s0), (a1 = s1 ^ byteSwap(ctr)), (o32[pos] = s2), (o32[pos + 1] = s3);
                 }
@@ -4310,7 +4321,7 @@ const AESW = {
             for (let j = 0, ctr = chunks * 6; j < 6; j++) {
                 for (let pos = chunks * 2; pos >= 1; pos -= 2, ctr--) {
                     a1 ^= byteSwap(ctr);
-                    const { s0, s1, s2, s3 } = decrypt$6(xk, a0, a1, o32[pos], o32[pos + 1]);
+                    const { s0, s1, s2, s3 } = decrypt$7(xk, a0, a1, o32[pos], o32[pos + 1]);
                     (a0 = s0), (a1 = s1), (o32[pos] = s2), (o32[pos + 1] = s3);
                 }
             }
@@ -4331,7 +4342,7 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
     encrypt(plaintext) {
         bytes(plaintext);
         if (!plaintext.length || plaintext.length % 8 !== 0)
-            throw new Error('plaintext length must be non-empty and a multiple of 8 bytes');
+            throw new Error('invalid plaintext length');
         if (plaintext.length === 8)
             throw new Error('8-byte keys not allowed in AESKW, use AESKWP instead');
         const out = concatBytes$1(AESKW_IV, plaintext);
@@ -4340,10 +4351,11 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
     },
     decrypt(ciphertext) {
         bytes(ciphertext);
+        // ciphertext must be at least 24 bytes and a multiple of 8 bytes
         // 24 because should have at least two block (1 iv + 2).
         // Replace with 16 to enable '8-byte keys'
         if (ciphertext.length % 8 !== 0 || ciphertext.length < 3 * 8)
-            throw new Error('ciphertext must be at least 24 bytes and a multiple of 8 bytes');
+            throw new Error('invalid ciphertext length');
         const out = copyBytes(ciphertext);
         AESW.decrypt(kek, out);
         if (!equalBytes$1(out.subarray(0, 8), AESKW_IV))
@@ -4356,8 +4368,8 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
 const unsafe = {
     expandKeyLE,
     expandKeyDecLE,
-    encrypt: encrypt$6,
-    decrypt: decrypt$6,
+    encrypt: encrypt$7,
+    decrypt: decrypt$7,
     encryptBlock,
     decryptBlock,
     ctrCounter,
@@ -4391,7 +4403,7 @@ const nodeAlgos = {
  * @param {Object} config - full configuration, defaults to openpgp.config
  * @returns MaybeStream<Uint8Array>
  */
-async function encrypt$5(algo, key, plaintext, iv, config) {
+async function encrypt$6(algo, key, plaintext, iv, config) {
   const algoName = enums.read(enums.symmetric, algo);
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt$1(algo, key, plaintext, iv);
@@ -4434,7 +4446,7 @@ async function encrypt$5(algo, key, plaintext, iv, config) {
  * @param {Uint8Array} iv
  * @returns MaybeStream<Uint8Array>
  */
-async function decrypt$5(algo, key, ciphertext, iv) {
+async function decrypt$6(algo, key, ciphertext, iv) {
   const algoName = enums.read(enums.symmetric, algo);
   if (nodeCrypto$a && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt$1(algo, key, ciphertext, iv);
@@ -4709,8 +4721,8 @@ function nodeDecrypt$1(algo, key, ct, iv) {
 
 var cfb = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$5,
-  encrypt: encrypt$5
+  decrypt: decrypt$6,
+  encrypt: encrypt$6
 });
 
 /**
@@ -5617,16 +5629,13 @@ const nodeCrypto$6 = util.getNodeCrypto();
  * @returns {Uint8Array} Random byte array.
  */
 function getRandomBytes(length) {
-  const buf = new Uint8Array(length);
-  if (nodeCrypto$6) {
-    const bytes = nodeCrypto$6.randomBytes(buf.length);
-    buf.set(bytes);
-  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-    crypto.getRandomValues(buf);
+  const webcrypto = typeof crypto !== 'undefined' ? crypto : nodeCrypto$6?.webcrypto;
+  if (webcrypto?.getRandomValues) {
+    const buf = new Uint8Array(length);
+    return webcrypto.getRandomValues(buf);
   } else {
     throw new Error('No secure random number generator available.');
   }
-  return buf;
 }
 
 /**
@@ -6091,7 +6100,15 @@ const _1n$3 = BigInt(1);
  * @returns {Promise<Uint8Array>} RSA Signature.
  * @async
  */
-async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
+async function sign$a(hashAlgo, data, n, e, d, p, q, u, hashed) {
+  if (hash.getHashByteLength(hashAlgo) >= n.length) {
+    // Throw here instead of `emsaEncode` below, to provide a clearer and consistent error
+    // e.g. if a 512-bit RSA key is used with a SHA-512 digest.
+    // The size limit is actually slightly different but here we only care about throwing
+    // on common key sizes.
+    throw new Error('Digest size cannot exceed key modulus size');
+  }
+
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6117,7 +6134,7 @@ async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$8(hashAlgo, data, s, n, e, hashed) {
+async function verify$b(hashAlgo, data, s, n, e, hashed) {
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6140,7 +6157,7 @@ async function verify$8(hashAlgo, data, s, n, e, hashed) {
  * @returns {Promise<Uint8Array>} RSA Ciphertext.
  * @async
  */
-async function encrypt$4(data, n, e) {
+async function encrypt$5(data, n, e) {
   if (util.getNodeCrypto()) {
     return nodeEncrypt(data, n, e);
   }
@@ -6162,7 +6179,7 @@ async function encrypt$4(data, n, e) {
  * @throws {Error} on decryption error, unless `randomPayload` is given
  * @async
  */
-async function decrypt$4(data, n, e, d, p, q, u, randomPayload) {
+async function decrypt$5(data, n, e, d, p, q, u, randomPayload) {
   // Node v18.19.1, 20.11.1 and 21.6.2 have disabled support for PKCS#1 decryption,
   // and we want to avoid checking the error type to decide if the random payload
   // should indeed be returned.
@@ -6189,7 +6206,7 @@ async function decrypt$4(data, n, e, d, p, q, u, randomPayload) {
  *                                  RSA private prime p, RSA private prime q, u = p ** -1 mod q
  * @async
  */
-async function generate$5(bits, e) {
+async function generate$b(bits, e) {
   e = BigInt(e);
 
   // Native RSA keygen using Web Crypto
@@ -6269,7 +6286,7 @@ async function generate$5(bits, e) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$8(n, e, d, p, q, u) {
+async function validateParams$e(n, e, d, p, q, u) {
   n = uint8ArrayToBigInt(n);
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
@@ -6311,9 +6328,6 @@ async function bnSign(hashAlgo, n, d, hashed) {
   n = uint8ArrayToBigInt(n);
   const m = uint8ArrayToBigInt(emsaEncode(hashAlgo, hashed, byteLength(n)));
   d = uint8ArrayToBigInt(d);
-  if (m >= n) {
-    throw new Error('Message size cannot exceed modulus size');
-  }
   return bigIntToUint8Array(modExp(m, d, n), 'be', byteLength(n));
 }
 
@@ -6502,12 +6516,12 @@ function jwkToPrivate(jwk, e) {
 
 var rsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$4,
-  encrypt: encrypt$4,
-  generate: generate$5,
-  sign: sign$7,
-  validateParams: validateParams$8,
-  verify: verify$8
+  decrypt: decrypt$5,
+  encrypt: encrypt$5,
+  generate: generate$b,
+  sign: sign$a,
+  validateParams: validateParams$e,
+  verify: verify$b
 });
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6540,7 +6554,7 @@ const _1n$2 = BigInt(1);
  * @returns {Promise<{ c1: Uint8Array, c2: Uint8Array }>}
  * @async
  */
-async function encrypt$3(data, p, g, y) {
+async function encrypt$4(data, p, g, y) {
   p = uint8ArrayToBigInt(p);
   g = uint8ArrayToBigInt(g);
   y = uint8ArrayToBigInt(y);
@@ -6569,7 +6583,7 @@ async function encrypt$3(data, p, g, y) {
  * @throws {Error} on decryption error, unless `randomPayload` is given
  * @async
  */
-async function decrypt$3(c1, c2, p, x, randomPayload) {
+async function decrypt$4(c1, c2, p, x, randomPayload) {
   c1 = uint8ArrayToBigInt(c1);
   c2 = uint8ArrayToBigInt(c2);
   p = uint8ArrayToBigInt(p);
@@ -6588,7 +6602,7 @@ async function decrypt$3(c1, c2, p, x, randomPayload) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$7(p, g, y, x) {
+async function validateParams$d(p, g, y, x) {
   p = uint8ArrayToBigInt(p);
   g = uint8ArrayToBigInt(g);
   y = uint8ArrayToBigInt(y);
@@ -6649,9 +6663,9 @@ async function validateParams$7(p, g, y, x) {
 
 var elgamal = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$3,
-  encrypt: encrypt$3,
-  validateParams: validateParams$7
+  decrypt: decrypt$4,
+  encrypt: encrypt$4,
+  validateParams: validateParams$d
 });
 
 // declare const globalThis: Record<string, any> | undefined;
@@ -9132,7 +9146,7 @@ function finishVerification(publicKey, r, SB, hashed) {
     const RkA = ExtendedPoint.fromAffine(r).add(kA);
     return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
 }
-async function verify$7(sig, message, publicKey) {
+async function verify$a(sig, message, publicKey) {
     const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
     const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
     return finishVerification(pub, r, SB, hashed);
@@ -9231,7 +9245,7 @@ Object.defineProperties(utils, {
  * @param {module:enums.publicKey} algo - Algorithm identifier
  * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
  */
-async function generate$4(algo) {
+async function generate$a(algo) {
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
@@ -9278,8 +9292,11 @@ async function generate$4(algo) {
  * }>} Signature of the message
  * @async
  */
-async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
+    // Enforce digest sizes:
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   switch (algo) {
@@ -9325,8 +9342,11 @@ async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
+    // Enforce digest sizes:
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   switch (algo) {
@@ -9341,7 +9361,7 @@ async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
         if (err.name !== 'NotSupportedError') {
           throw err;
         }
-        return verify$7(RS, hashed, publicKey);
+        return verify$a(RS, hashed, publicKey);
       }
 
     case enums.publicKey.ed448: {
@@ -9361,7 +9381,7 @@ async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$6(algo, A, seed) {
+async function validateParams$c(algo, A, seed) {
   switch (algo) {
     case enums.publicKey.ed25519: {
       /**
@@ -9438,12 +9458,12 @@ const privateKeyToJWK = (algo, publicKey, privateKey) => {
 
 var eddsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  generate: generate$4,
+  generate: generate$a,
   getPayloadSize: getPayloadSize$1,
   getPreferredHashAlgo: getPreferredHashAlgo$2,
-  sign: sign$6,
-  validateParams: validateParams$6,
-  verify: verify$6
+  sign: sign$9,
+  validateParams: validateParams$c,
+  verify: verify$9
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9574,7 +9594,7 @@ const HKDF_INFO = {
  * @param {module:enums.publicKey} algo - Algorithm identifier
  * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
  */
-async function generate$3(algo) {
+async function generate$9(algo) {
   switch (algo) {
     case enums.publicKey.x25519: {
       // k stays in little-endian, unlike legacy ECDH over curve25519
@@ -9602,7 +9622,7 @@ async function generate$3(algo) {
 * @returns {Promise<Boolean>} Whether params are valid.
 * @async
 */
-async function validateParams$5(algo, A, k) {
+async function validateParams$b(algo, A, k) {
   switch (algo) {
     case enums.publicKey.x25519: {
       /**
@@ -9639,7 +9659,7 @@ async function validateParams$5(algo, A, k) {
  * }>} ephemeral public key (K_A) and encrypted key
  * @async
  */
-async function encrypt$2(algo, data, recipientA) {
+async function encrypt$3(algo, data, recipientA) {
   const { ephemeralPublicKey, sharedSecret } = await generateEphemeralEncryptionMaterial(algo, recipientA);
   const hkdfInput = util.concatUint8Array([
     ephemeralPublicKey,
@@ -9678,7 +9698,7 @@ async function encrypt$2(algo, data, recipientA) {
  * @returns {Promise<Uint8Array>} decrypted session key data
  * @async
  */
-async function decrypt$2(algo, ephemeralPublicKey, wrappedKey, A, k) {
+async function decrypt$3(algo, ephemeralPublicKey, wrappedKey, A, k) {
   const sharedSecret = await recomputeSharedSecret(algo, ephemeralPublicKey, A, k);
   const hkdfInput = util.concatUint8Array([
     ephemeralPublicKey,
@@ -9726,14 +9746,15 @@ async function generateEphemeralEncryptionMaterial(algo, recipientA) {
     case enums.publicKey.x25519: {
       const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
       const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
+      assertNonZeroArray(sharedSecret);
       const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
-
       return { ephemeralPublicKey, sharedSecret };
     }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const ephemeralSecretKey = x448.utils.randomPrivateKey();
       const sharedSecret = x448.getSharedSecret(ephemeralSecretKey, recipientA);
+      assertNonZeroArray(sharedSecret);
       const ephemeralPublicKey = x448.getPublicKey(ephemeralSecretKey);
       return { ephemeralPublicKey, sharedSecret };
     }
@@ -9744,11 +9765,15 @@ async function generateEphemeralEncryptionMaterial(algo, recipientA) {
 
 async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   switch (algo) {
-    case enums.publicKey.x25519:
-      return nacl.scalarMult(k, ephemeralPublicKey);
+    case enums.publicKey.x25519: {
+      const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
+      assertNonZeroArray(sharedSecret);
+      return sharedSecret;
+    }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
+      assertNonZeroArray(sharedSecret);
       return sharedSecret;
     }
     default:
@@ -9756,15 +9781,31 @@ async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   }
 }
 
+/**
+ * x25519 and x448 produce an all-zero value when given as input a point with small order.
+ * This does not lead to a security issue in the context of ECDH, but it is still unexpected,
+ * hence we throw.
+ * @param {Uint8Array} sharedSecret
+ */
+function assertNonZeroArray(sharedSecret) {
+  let acc = 0;
+  for (let i = 0; i < sharedSecret.length; i++) {
+    acc |= sharedSecret[i];
+  }
+  if (acc === 0) {
+    throw new Error('Unexpected low order point');
+  }
+}
+
 var ecdh_x = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$2,
-  encrypt: encrypt$2,
-  generate: generate$3,
+  decrypt: decrypt$3,
+  encrypt: encrypt$3,
+  generate: generate$9,
   generateEphemeralEncryptionMaterial: generateEphemeralEncryptionMaterial,
   getPayloadSize: getPayloadSize,
   recomputeSharedSecret: recomputeSharedSecret,
-  validateParams: validateParams$5
+  validateParams: validateParams$b
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9940,7 +9981,7 @@ class CurveWithOID {
         return nodeGenKeyPair(this.name);
       case 'curve25519Legacy': {
         // the private key must be stored in big endian and already clamped: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.5.5.6.1.1-3
-        const { k, A } = await generate$3(enums.publicKey.x25519);
+        const { k, A } = await generate$9(enums.publicKey.x25519);
         const privateKey = k.slice().reverse();
         privateKey[0] = (privateKey[0] & 127) | 64;
         privateKey[31] &= 248;
@@ -9948,7 +9989,7 @@ class CurveWithOID {
         return { publicKey, privateKey };
       }
       case 'ed25519Legacy': {
-        const { seed: privateKey, A } = await generate$4(enums.publicKey.ed25519);
+        const { seed: privateKey, A } = await generate$a(enums.publicKey.ed25519);
         const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), A]);
         return { publicKey, privateKey };
       }
@@ -9958,7 +9999,7 @@ class CurveWithOID {
   }
 }
 
-async function generate$2(curveName) {
+async function generate$8(curveName) {
   const curve = new CurveWithOID(curveName);
   const { oid, hash, cipher } = curve;
   const keyPair = await curve.genKeyPair();
@@ -10176,7 +10217,7 @@ const nodeCrypto$2 = util.getNodeCrypto();
  * }>} Signature of the message
  * @async
  */
-async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$8(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (message && !util.isStream(message)) {
@@ -10223,7 +10264,7 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$5(oid, hashAlgo, signature, message, publicKey, hashed) {
+async function verify$8(oid, hashAlgo, signature, message, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   // See https://github.com/openpgpjs/openpgpjs/pull/948.
@@ -10274,7 +10315,7 @@ async function verify$5(oid, hashAlgo, signature, message, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$4(oid, Q, d) {
+async function validateParams$a(oid, Q, d) {
   const curve = new CurveWithOID(oid);
   // Reject curves x25519 and ed25519
   if (curve.keyType !== enums.publicKey.ecdsa) {
@@ -10290,9 +10331,9 @@ async function validateParams$4(oid, Q, d) {
       const hashAlgo = enums.hash.sha256;
       const hashed = await hash.digest(hashAlgo, message);
       try {
-        const signature = await sign$5(oid, hashAlgo, message, Q, d, hashed);
+        const signature = await sign$8(oid, hashAlgo, message, Q, d, hashed);
         // eslint-disable-next-line @typescript-eslint/return-await
-        return await verify$5(oid, hashAlgo, signature, message, Q, hashed);
+        return await verify$8(oid, hashAlgo, signature, message, Q, hashed);
       } catch (err) {
         return false;
       }
@@ -10423,9 +10464,9 @@ async function nodeVerify(curve, hashAlgo, { r, s }, message, publicKey) {
 
 var ecdsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$5,
-  validateParams: validateParams$4,
-  verify: verify$5
+  sign: sign$8,
+  validateParams: validateParams$a,
+  verify: verify$8
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -10460,14 +10501,16 @@ var ecdsa = /*#__PURE__*/Object.freeze({
  * }>} Signature of the message
  * @async
  */
-async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
-  const { RS: signature } = await sign$6(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
+  const { RS: signature } = await sign$9(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -10487,14 +10530,17 @@ async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+async function verify$7(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const RS = util.concatUint8Array([r, s]);
-  return verify$6(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
+  return verify$9(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
 }
 /**
  * Validate legacy EdDSA parameters
@@ -10504,7 +10550,7 @@ async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$3(oid, Q, k) {
+async function validateParams$9(oid, Q, k) {
   // Check whether the given curve is supported
   if (oid.getName() !== enums.curve.ed25519Legacy) {
     return false;
@@ -10522,9 +10568,9 @@ async function validateParams$3(oid, Q, k) {
 
 var eddsa_legacy = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$4,
-  validateParams: validateParams$3,
-  verify: verify$4
+  sign: sign$7,
+  validateParams: validateParams$9,
+  verify: verify$7
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -10569,7 +10615,7 @@ function encode(message) {
  * @param {Uint8Array} message - message to remove padding from
  * @returns {Uint8Array} Message without padding.
  */
-function decode$1(message) {
+function decode(message) {
   const len = message.length;
   if (len > 0) {
     const c = message[len - 1];
@@ -10586,7 +10632,7 @@ function decode$1(message) {
 
 var pkcs5 = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decode: decode$1,
+  decode: decode,
   encode: encode
 });
 
@@ -10619,7 +10665,7 @@ const nodeCrypto$1 = util.getNodeCrypto();
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$2(oid, Q, d) {
+async function validateParams$8(oid, Q, d) {
   return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
 }
 
@@ -10702,7 +10748,7 @@ async function genPublicEphemeralKey(curve, Q) {
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
  * @async
  */
-async function encrypt$1(oid, kdfParams, data, Q, fingerprint) {
+async function encrypt$2(oid, kdfParams, data, Q, fingerprint) {
   const m = encode(data);
 
   const curve = new CurveWithOID(oid);
@@ -10767,7 +10813,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @returns {Promise<Uint8Array>} Value derived from session key.
  * @async
  */
-async function decrypt$1(oid, kdfParams, V, C, Q, d, fingerprint) {
+async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, Q);
   checkPublicPointEnconding(curve, V);
@@ -10779,7 +10825,7 @@ async function decrypt$1(oid, kdfParams, V, C, Q, d, fingerprint) {
     try {
       // Work around old go crypto bug and old OpenPGP.js bug, respectively.
       const Z = await kdf(kdfParams.hash, sharedKey, keySize, param, i === 1, i === 2);
-      return decode$1(await unwrap(kdfParams.cipher, Z, C));
+      return decode(await unwrap(kdfParams.cipher, Z, C));
     } catch (e) {
       err = e;
     }
@@ -10941,9 +10987,9 @@ async function nodePublicEphemeralKey(curve, Q) {
 
 var ecdh = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$1,
-  encrypt: encrypt$1,
-  validateParams: validateParams$2
+  decrypt: decrypt$2,
+  encrypt: encrypt$2,
+  validateParams: validateParams$8
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -10971,7 +11017,7 @@ var elliptic = /*#__PURE__*/Object.freeze({
   ecdsa: ecdsa,
   eddsa: eddsa,
   eddsaLegacy: eddsa_legacy,
-  generate: generate$2,
+  generate: generate$8,
   getPreferredHashAlgo: getPreferredHashAlgo$1
 });
 
@@ -11013,7 +11059,7 @@ const _1n = BigInt(1);
  * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
  * @async
  */
-async function sign$3(hashAlgo, hashed, g, p, q, x) {
+async function sign$6(hashAlgo, hashed, g, p, q, x) {
   const _0n = BigInt(0);
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
@@ -11071,7 +11117,7 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @returns {boolean}
  * @async
  */
-async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+async function verify$6(hashAlgo, r, s, hashed, g, p, q, y) {
   r = uint8ArrayToBigInt(r);
   s = uint8ArrayToBigInt(s);
 
@@ -11112,7 +11158,7 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$1(p, q, g, y, x) {
+async function validateParams$7(p, q, g, y, x) {
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
   g = uint8ArrayToBigInt(g);
@@ -11165,9 +11211,9 @@ async function validateParams$1(p, q, g, y, x) {
 
 var dsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$3,
-  validateParams: validateParams$1,
-  verify: verify$3
+  sign: sign$6,
+  validateParams: validateParams$7,
+  verify: verify$6
 });
 
 const supportedHashAlgos = new Set([enums.hash.sha1, enums.hash.sha256, enums.hash.sha512]);
@@ -11175,7 +11221,7 @@ const supportedHashAlgos = new Set([enums.hash.sha1, enums.hash.sha256, enums.ha
 const webCrypto = util.getWebCrypto();
 const nodeCrypto = util.getNodeCrypto();
 
-async function generate$1(hashAlgo) {
+async function generate$7(hashAlgo) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11194,7 +11240,7 @@ async function generate$1(hashAlgo) {
   return new Uint8Array(exportedKey);
 }
 
-async function sign$2(hashAlgo, key, data) {
+async function sign$5(hashAlgo, key, data) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11215,7 +11261,7 @@ async function sign$2(hashAlgo, key, data) {
   return new Uint8Array(mac);
 }
 
-async function verify$2(hashAlgo, key, mac, data) {
+async function verify$5(hashAlgo, key, mac, data) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11236,12 +11282,390 @@ async function verify$2(hashAlgo, key, mac, data) {
 }
 
 var hmac = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$7,
+  sign: sign$5,
+  verify: verify$5
+});
+
+async function generate$6(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { A, k } = await generate$9(enums.publicKey.x25519);
+      return {
+        eccPublicKey: A,
+        eccSecretKey: k
+      };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function encaps$1(eccAlgo, eccRecipientPublicKey) {
+  switch (eccAlgo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ephemeralPublicKey: eccCipherText, sharedSecret: eccSharedSecret } = await generateEphemeralEncryptionMaterial(enums.publicKey.x25519, eccRecipientPublicKey);
+      const eccKeyShare = await hash.sha3_256(util.concatUint8Array([
+        eccSharedSecret,
+        eccCipherText,
+        eccRecipientPublicKey
+      ]));
+      return {
+        eccCipherText,
+        eccKeyShare
+      };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function decaps$1(eccAlgo, eccCipherText, eccSecretKey, eccPublicKey) {
+  switch (eccAlgo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccSharedSecret = await recomputeSharedSecret(enums.publicKey.x25519, eccCipherText, eccPublicKey, eccSecretKey);
+      const eccKeyShare = await hash.sha3_256(util.concatUint8Array([
+        eccSharedSecret,
+        eccCipherText,
+        eccPublicKey
+      ]));
+      return eccKeyShare;
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function validateParams$6(algo, eccPublicKey, eccSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519:
+      return validateParams$b(enums.publicKey.x25519, eccPublicKey, eccSecretKey);
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function generate$5(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const mlkemSeed = getRandomBytes(64);
+      const { mlkemSecretKey, mlkemPublicKey } = await expandSecretSeed$1(algo, mlkemSeed);
+
+      return { mlkemSeed, mlkemSecretKey, mlkemPublicKey };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+/**
+ * Expand ML-KEM secret seed and retrieve the secret and public key material
+ * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {Uint8Array} seed - secret seed to expand
+ * @returns {Promise<{ mlkemPublicKey: Uint8Array, mlkemSecretKey: Uint8Array }>}
+ */
+async function expandSecretSeed$1(algo, seed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const { publicKey: encapsulationKey, secretKey: decapsulationKey } = ml_kem768.keygen(seed);
+
+      return { mlkemPublicKey: encapsulationKey, mlkemSecretKey: decapsulationKey };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function encaps(algo, mlkemRecipientPublicKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const { cipherText: mlkemCipherText, sharedSecret: mlkemKeyShare } = ml_kem768.encapsulate(mlkemRecipientPublicKey);
+
+      return { mlkemCipherText, mlkemKeyShare };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function decaps(algo, mlkemCipherText, mlkemSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const mlkemKeyShare = ml_kem768.decapsulate(mlkemCipherText, mlkemSecretKey);
+
+      return mlkemKeyShare;
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function validateParams$5(algo, mlkemPublicKey, mlkemSeed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { mlkemPublicKey: expectedPublicKey } = await expandSecretSeed$1(algo, mlkemSeed);
+      return util.equalsUint8Array(mlkemPublicKey, expectedPublicKey);
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function generate$4(algo) {
+  const { eccPublicKey, eccSecretKey } = await generate$6(algo);
+  const { mlkemPublicKey, mlkemSeed, mlkemSecretKey } = await generate$5(algo);
+
+  return { eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed, mlkemSecretKey };
+}
+
+async function encrypt$1(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
+  const { eccKeyShare, eccCipherText } = await encaps$1(algo, eccPublicKey);
+  const { mlkemKeyShare, mlkemCipherText } = await encaps(algo, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const wrappedKey = await wrap(enums.symmetric.aes256, kek, sessioneKeyData); // C
+  return { eccCipherText, mlkemCipherText, wrappedKey };
+}
+
+async function decrypt$1(algo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, encryptedSessionKeyData) {
+  const eccKeyShare = await decaps$1(algo, eccCipherText, eccSecretKey, eccPublicKey);
+  const mlkemKeyShare = await decaps(algo, mlkemCipherText, mlkemSecretKey);
+  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const sessionKey = await unwrap(enums.symmetric.aes256, kek, encryptedSessionKeyData);
+  return sessionKey;
+}
+
+async function multiKeyCombine(algo, ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey) {
+  // LAMPS-aligned and NIST compatible combiner, proposed in: https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
+  // 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
+  //     where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId" for OpenPGP
+  const encData = util.concatUint8Array([
+    mlkemKeyShare,
+    ecdhKeyShare,
+    ecdhCipherText,
+    ecdhPublicKey,
+    // domSep
+    mlkemCipherText,
+    mlkemPublicKey,
+    new Uint8Array([algo])
+  ]);
+
+  const kek = await hash.digest(enums.hash.sha3_256, encData);
+  return kek;
+}
+
+async function validateParams$4(algo, eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed) {
+  const eccValidationPromise = validateParams$6(algo, eccPublicKey, eccSecretKey);
+  const mlkemValidationPromise = validateParams$5(algo, mlkemPublicKey, mlkemSeed);
+  const valid = await eccValidationPromise && await mlkemValidationPromise;
+  return valid;
+}
+
+var index$1 = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  decrypt: decrypt$1,
+  encrypt: encrypt$1,
+  generate: generate$4,
+  mlkemExpandSecretSeed: expandSecretSeed$1,
+  validateParams: validateParams$4
+});
+
+async function generate$3(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const mldsaSeed = getRandomBytes(32);
+      const { mldsaSecretKey, mldsaPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+
+      return { mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+/**
+ * Expand ML-DSA secret seed and retrieve the secret and public key material
+ * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {Uint8Array} seed - secret seed to expand
+ * @returns {Promise<{ mldsaPublicKey: Uint8Array, mldsaSecretKey: Uint8Array }>}
+ */
+async function expandSecretSeed(algo, seed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      const { secretKey: mldsaSecretKey, publicKey: mldsaPublicKey } = ml_dsa65.keygen(seed);
+
+      return { mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$4(algo, mldsaSecretKey, dataDigest) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      const mldsaSignature = ml_dsa65.sign(mldsaSecretKey, dataDigest);
+      return { mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$4(algo, mldsaPublicKey, dataDigest, mldsaSignature) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      return ml_dsa65.verify(mldsaPublicKey, dataDigest, mldsaSignature);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$3(algo, mldsaPublicKey, mldsaSeed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { mldsaPublicKey: expectedPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+      return util.equalsUint8Array(mldsaPublicKey, expectedPublicKey);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function generate$2(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { A, seed } = await generate$a(enums.publicKey.ed25519);
+      return {
+        eccPublicKey: A,
+        eccSecretKey: seed
+      };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { RS: eccSignature } = await sign$9(enums.publicKey.ed25519, hashAlgo, null, eccPublicKey, eccSecretKey, dataDigest);
+
+      return { eccSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return verify$9(enums.publicKey.ed25519, hashAlgo, { RS: eccSignature }, null, eccPublicKey, dataDigest);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$2(algo, eccPublicKey, eccSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return validateParams$c(enums.publicKey.ed25519, eccPublicKey, eccSecretKey);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function generate$1(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSecretKey, eccPublicKey } = await generate$2(algo);
+      const { mldsaSeed, mldsaSecretKey, mldsaPublicKey } = await generate$3(algo);
+      return { eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSignature } = await sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
+      const { mldsaSignature } = await sign$4(signatureAlgo, mldsaSecretKey, dataDigest);
+
+      return { eccSignature, mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccVerifiedPromise = verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
+      const mldsaVerifiedPromise = verify$4(signatureAlgo, mldsaPublicKey, dataDigest, mldsaSignature);
+      const verified = await eccVerifiedPromise && await mldsaVerifiedPromise;
+      return verified;
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+function getRequiredHashAlgo(signatureAlgo) {
+  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return enums.hash.sha3_256;
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$1(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed) {
+  const eccValidationPromise = validateParams$2(algo, eccPublicKey, eccSecretKey);
+  const mldsaValidationPromise = validateParams$3(algo, mldsaPublicKey, mldsaSeed);
+  const valid = await eccValidationPromise && await mldsaValidationPromise;
+  return valid;
+}
+
+var index = /*#__PURE__*/Object.freeze({
   __proto__: null,
   generate: generate$1,
+  getRequiredHashAlgo: getRequiredHashAlgo,
+  mldsaExpandSecretSeed: expandSecretSeed,
   sign: sign$2,
+  validateParams: validateParams$1,
   verify: verify$2
 });
 
+var postQuantum = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  kem: index$1,
+  signature: index
+});
+
 /**
  * @fileoverview Asymmetric cryptography functions
  * @module crypto/public_key
@@ -11258,7 +11682,9 @@ var publicKey = {
   /** @see module:crypto/public_key/dsa */
   dsa: dsa,
   /** @see module:crypto/public_key/hmac */
-  hmac: hmac
+  hmac: hmac,
+  /** @see module:crypto/public_key/post_quantum */
+  postQuantum
 };
 
 class ShortByteString {
@@ -11326,6 +11752,8 @@ function parseSignatureParams(algo, signature) {
     case enums.publicKey.dsa:
     case enums.publicKey.ecdsa:
     {
+      // If the signature payload sizes are unexpected, we will throw on verification,
+      // where we also have access to the OID curve from the key.
       const r = util.readMPI(signature.subarray(read)); read += r.length + 2;
       const s = util.readMPI(signature.subarray(read)); read += s.length + 2;
       return { read, signatureParams: { r, s } };
@@ -11334,12 +11762,11 @@ function parseSignatureParams(algo, signature) {
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
     case enums.publicKey.eddsaLegacy: {
-      // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
-      // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
-      let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
-      r = util.leftPad(r, 32);
-      let s = util.readMPI(signature.subarray(read)); read += s.length + 2;
-      s = util.leftPad(s, 32);
+      // Only Curve25519Legacy is supported (no Curve448Legacy), but the relevant checks are done on key parsing and signature
+      // verification: if the signature payload sizes are unexpected, we will throw on verification,
+      // where we also have access to the OID curve from the key.
+      const r = util.readMPI(signature.subarray(read)); read += r.length + 2;
+      const s = util.readMPI(signature.subarray(read)); read += s.length + 2;
       return { read, signatureParams: { r, s } };
     }
     // Algorithm-Specific Fields for Ed25519 signatures:
@@ -11356,6 +11783,12 @@ function parseSignatureParams(algo, signature) {
       const mac = new ShortByteString(); read += mac.read(signature.subarray(read));
       return { read, signatureParams: { mac } };
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccSignatureSize = 2 * publicKey.elliptic.eddsa.getPayloadSize(enums.publicKey.ed25519);
+      const eccSignature = util.readExactSubarray(signature, read, read + eccSignatureSize); read += eccSignature.length;
+      const mldsaSignature = util.readExactSubarray(signature, read, read + 3309); read += mldsaSignature.length;
+      return { read, signatureParams: { eccSignature, mldsaSignature } };
+    }
     default:
       throw new UnsupportedError('Unknown signature algorithm.');
   }
@@ -11400,8 +11833,12 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicParams;
-      // signature already padded on parsing
-      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+      const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
+      // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
+      // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
+      const r = util.leftPad(signature.r, curveSize);
+      const s = util.leftPad(signature.s, curveSize);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
@@ -11416,6 +11853,10 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       const { keyMaterial } = privateParams;
       return publicKey.hmac.verify(algo.getValue(), keyMaterial, signature.mac.data, hashed);
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccPublicKey, mldsaPublicKey } = publicParams;
+      return publicKey.postQuantum.signature.verify(algo, hashAlgo, eccPublicKey, mldsaPublicKey, hashed, signature);
+    }
     default:
       throw new Error('Unknown signature algorithm.');
   }
@@ -11477,6 +11918,11 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const mac = await publicKey.hmac.sign(algo.getValue(), keyMaterial, hashed);
       return { mac: new ShortByteString(mac) };
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccPublicKey } = publicKeyParams;
+      const { eccSecretKey, mldsaSecretKey } = privateKeyParams;
+      return publicKey.postQuantum.signature.sign(algo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, hashed);
+    }
     default:
       throw new Error('Unknown signature algorithm.');
   }
@@ -11816,6 +12262,12 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
       const c = await modeInstance.encrypt(data, iv, new Uint8Array());
       return { aeadMode: new AEADEnum(aeadMode), iv, c: new ShortByteString(c) };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccPublicKey, mlkemPublicKey } = publicParams;
+      const { eccCipherText, mlkemCipherText, wrappedKey } = await publicKey.postQuantum.kem.encrypt(keyAlgo, eccPublicKey, mlkemPublicKey, data);
+      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+      return { eccCipherText, mlkemCipherText, C };
+    }
     default:
       return [];
   }
@@ -11835,8 +12287,8 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
  * @throws {Error} on sensitive decryption error, unless `randomPayload` is given
  * @async
  */
-async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint, randomPayload) {
-  switch (algo) {
+async function publicKeyDecrypt(keyAlgo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint, randomPayload) {
+  switch (keyAlgo) {
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaEncrypt: {
       const { c } = sessionKeyParams;
@@ -11866,7 +12318,7 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
         throw new Error('AES session key expected');
       }
       return publicKey.elliptic.ecdhX.decrypt(
-        algo, ephemeralPublicKey, C.wrappedKey, A, k);
+        keyAlgo, ephemeralPublicKey, C.wrappedKey, A, k);
     }
     case enums.publicKey.aead: {
       const { cipher: algo } = publicKeyParams;
@@ -11879,6 +12331,12 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
       const modeInstance = await mode(algoValue, keyMaterial);
       return modeInstance.decrypt(c.data, iv, new Uint8Array());
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccSecretKey, mlkemSecretKey } = privateKeyParams;
+      const { eccPublicKey, mlkemPublicKey } = publicKeyParams;
+      const { eccCipherText, mlkemCipherText, C } = sessionKeyParams;
+      return publicKey.postQuantum.kem.decrypt(keyAlgo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, C.wrappedKey);
+    }
     default:
       throw new Error('Unknown public key encryption algorithm.');
   }
@@ -11950,6 +12408,16 @@ function parsePublicKeyParams(algo, bytes) {
       const digest = bytes.subarray(read, read + digestLength); read += digestLength;
       return { read: read, publicParams: { cipher: algo, digest } };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccPublicKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccPublicKey.length;
+      const mlkemPublicKey = util.readExactSubarray(bytes, read, read + 1184); read += mlkemPublicKey.length;
+      return { read, publicParams: { eccPublicKey, mlkemPublicKey } };
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccPublicKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.ed25519)); read += eccPublicKey.length;
+      const mldsaPublicKey = util.readExactSubarray(bytes, read, read + 1952); read += mldsaPublicKey.length;
+      return { read, publicParams: { eccPublicKey, mldsaPublicKey } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -11962,7 +12430,7 @@ function parsePublicKeyParams(algo, bytes) {
  * @param {Object} publicParams - (ECC and symmetric only) public params, needed to format some private params
  * @returns {{ read: Number, privateParams: Object }} Number of read bytes plus the key parameters referenced by name.
  */
-function parsePrivateKeyParams(algo, bytes, publicParams) {
+async function parsePrivateKeyParams(algo, bytes, publicParams) {
   let read = 0;
   switch (algo) {
     case enums.publicKey.rsaEncrypt:
@@ -12021,6 +12489,18 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
       const keyMaterial = bytes.subarray(read, read + keySize); read += keySize;
       return { read, privateParams: { hashSeed, keyMaterial } };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccSecretKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccSecretKey.length;
+      const mlkemSeed = util.readExactSubarray(bytes, read, read + 64); read += mlkemSeed.length;
+      const { mlkemSecretKey } = await publicKey.postQuantum.kem.mlkemExpandSecretSeed(algo, mlkemSeed);
+      return { read, privateParams: { eccSecretKey, mlkemSecretKey, mlkemSeed } };
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccSecretKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.ed25519)); read += eccSecretKey.length;
+      const mldsaSeed = util.readExactSubarray(bytes, read, read + 32); read += mldsaSeed.length;
+      const { mldsaSecretKey } = await publicKey.postQuantum.signature.mldsaExpandSecretSeed(algo, mldsaSeed);
+      return { read, privateParams: { eccSecretKey, mldsaSecretKey, mldsaSeed } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -12084,6 +12564,12 @@ function parseEncSessionKeyParams(algo, bytes) {
 
       return { aeadMode, iv, c };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccCipherText = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccCipherText.length;
+      const mlkemCipherText = util.readExactSubarray(bytes, read, read + 1088); read += mlkemCipherText.length;
+      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+      return { eccCipherText, mlkemCipherText, C }; // eccCipherText || mlkemCipherText || len(C) || C
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -12103,9 +12589,21 @@ function serializeParams(algo, params) {
     enums.publicKey.ed448,
     enums.publicKey.x448,
     enums.publicKey.aead,
-    enums.publicKey.hmac
+    enums.publicKey.hmac,
+    enums.publicKey.pqc_mlkem_x25519,
+    enums.publicKey.pqc_mldsa_ed25519
   ]);
+
+  const excludedFields = {
+    [enums.publicKey.pqc_mlkem_x25519]: new Set(['mlkemSecretKey']), // only `mlkemSeed` is serialized
+    [enums.publicKey.pqc_mldsa_ed25519]: new Set(['mldsaSecretKey']) // only `mldsaSeed` is serialized
+  };
+
   const orderedParams = Object.keys(params).map(name => {
+    if (excludedFields[algo]?.has(name)) {
+      return new Uint8Array();
+    }
+
     const param = params[name];
     if (!util.isUint8Array(param)) return param.write();
     return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
@@ -12170,6 +12668,16 @@ async function generateParams(algo, bits, oid, symmetric) {
       const keyMaterial = generateSessionKey$1(symmetric);
       return createSymmetricParams(keyMaterial, new SymAlgoEnum(symmetric));
     }
+    case enums.publicKey.pqc_mlkem_x25519:
+      return publicKey.postQuantum.kem.generate(algo).then(({ eccSecretKey, eccPublicKey, mlkemSeed, mlkemSecretKey, mlkemPublicKey }) => ({
+        privateParams: { eccSecretKey, mlkemSeed, mlkemSecretKey },
+        publicParams: { eccPublicKey, mlkemPublicKey }
+      }));
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return publicKey.postQuantum.signature.generate(algo).then(({ eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey }) => ({
+        privateParams: { eccSecretKey, mldsaSeed, mldsaSecretKey },
+        publicParams: { eccPublicKey, mldsaPublicKey }
+      }));
     case enums.publicKey.dsa:
     case enums.publicKey.elgamal:
       throw new Error('Unsupported algorithm for key generation.');
@@ -12261,6 +12769,16 @@ async function validateParams(algo, publicParams, privateParams) {
       return keySize === keyMaterial.length &&
         util.equalsUint8Array(digest, await hash.sha256(hashSeed));
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccSecretKey, mlkemSeed } = privateParams;
+      const { eccPublicKey, mlkemPublicKey } = publicParams;
+      return publicKey.postQuantum.kem.validateParams(algo, eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed);
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSecretKey, mldsaSeed } = privateParams;
+      const { eccPublicKey, mldsaPublicKey } = publicParams;
+      return publicKey.postQuantum.signature.validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed);
+    }
     default:
       throw new Error('Unknown public key algorithm.');
   }
@@ -13666,849 +14184,6 @@ try {
 }
 catch (e) { }
 
-/*
-node-bzip - a pure-javascript Node.JS module for decoding bzip2 data
-
-Copyright (C) 2012 Eli Skeggs
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, see
-http://www.gnu.org/licenses/lgpl-2.1.html
-
-Adapted from bzip2.js, copyright 2011 antimatter15 (antimatter15@gmail.com).
-
-Based on micro-bunzip by Rob Landley (rob@landley.net).
-
-Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
-which also acknowledges contributions by Mike Burrows, David Wheeler,
-Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
-Robert Sedgewick, and Jon L. Bentley.
-*/
-
-var BITMASK = [0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF];
-
-// offset in bytes
-var BitReader$1 = function(stream) {
-  this.stream = stream;
-  this.bitOffset = 0;
-  this.curByte = 0;
-  this.hasByte = false;
-};
-
-BitReader$1.prototype._ensureByte = function() {
-  if (!this.hasByte) {
-    this.curByte = this.stream.readByte();
-    this.hasByte = true;
-  }
-};
-
-// reads bits from the buffer
-BitReader$1.prototype.read = function(bits) {
-  var result = 0;
-  while (bits > 0) {
-    this._ensureByte();
-    var remaining = 8 - this.bitOffset;
-    // if we're in a byte
-    if (bits >= remaining) {
-      result <<= remaining;
-      result |= BITMASK[remaining] & this.curByte;
-      this.hasByte = false;
-      this.bitOffset = 0;
-      bits -= remaining;
-    } else {
-      result <<= bits;
-      var shift = remaining - bits;
-      result |= (this.curByte & (BITMASK[bits] << shift)) >> shift;
-      this.bitOffset += bits;
-      bits = 0;
-    }
-  }
-  return result;
-};
-
-// seek to an arbitrary point in the buffer (expressed in bits)
-BitReader$1.prototype.seek = function(pos) {
-  var n_bit = pos % 8;
-  var n_byte = (pos - n_bit) / 8;
-  this.bitOffset = n_bit;
-  this.stream.seek(n_byte);
-  this.hasByte = false;
-};
-
-// reads 6 bytes worth of data using the read method
-BitReader$1.prototype.pi = function() {
-  var buf = new Uint8Array(6), i;
-  for (i = 0; i < buf.length; i++) {
-    buf[i] = this.read(8);
-  }
-  return bufToHex(buf);
-};
-
-function bufToHex(buf) {
-  return Array.prototype.map.call(buf, x => ('00' + x.toString(16)).slice(-2)).join('');
-}
-
-var bitreader = BitReader$1;
-
-/* very simple input/output stream interface */
-
-var Stream$1 = function() {
-};
-
-// input streams //////////////
-/** Returns the next byte, or -1 for EOF. */
-Stream$1.prototype.readByte = function() {
-  throw new Error("abstract method readByte() not implemented");
-};
-/** Attempts to fill the buffer; returns number of bytes read, or
- *  -1 for EOF. */
-Stream$1.prototype.read = function(buffer, bufOffset, length) {
-  var bytesRead = 0;
-  while (bytesRead < length) {
-    var c = this.readByte();
-    if (c < 0) { // EOF
-      return (bytesRead===0) ? -1 : bytesRead;
-    }
-    buffer[bufOffset++] = c;
-    bytesRead++;
-  }
-  return bytesRead;
-};
-Stream$1.prototype.seek = function(new_pos) {
-  throw new Error("abstract method seek() not implemented");
-};
-
-// output streams ///////////
-Stream$1.prototype.writeByte = function(_byte) {
-  throw new Error("abstract method readByte() not implemented");
-};
-Stream$1.prototype.write = function(buffer, bufOffset, length) {
-  var i;
-  for (i=0; i<length; i++) {
-    this.writeByte(buffer[bufOffset++]);
-  }
-  return length;
-};
-Stream$1.prototype.flush = function() {
-};
-
-var stream = Stream$1;
-
-/* CRC32, used in Bzip2 implementation.
- * This is a port of CRC32.java from the jbzip2 implementation at
- *   https://code.google.com/p/jbzip2
- * which is:
- *   Copyright (c) 2011 Matthew Francis
- *
- *   Permission is hereby granted, free of charge, to any person
- *   obtaining a copy of this software and associated documentation
- *   files (the "Software"), to deal in the Software without
- *   restriction, including without limitation the rights to use,
- *   copy, modify, merge, publish, distribute, sublicense, and/or sell
- *   copies of the Software, and to permit persons to whom the
- *   Software is furnished to do so, subject to the following
- *   conditions:
- *
- *   The above copyright notice and this permission notice shall be
- *   included in all copies or substantial portions of the Software.
- *
- *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- *   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- *   OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- *   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- *   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- *   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- *   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- *   OTHER DEALINGS IN THE SOFTWARE.
- * This JavaScript implementation is:
- *   Copyright (c) 2013 C. Scott Ananian
- * with the same licensing terms as Matthew Francis' original implementation.
- */
-
-var crc32 = (function() {
-
-  /**
-   * A static CRC lookup table
-   */
-  var crc32Lookup = new Uint32Array([
-    0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b, 0x1a864db2, 0x1e475005,
-    0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd,
-    0x4c11db70, 0x48d0c6c7, 0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75,
-    0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, 0x709f7b7a, 0x745e66cd,
-    0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5,
-    0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d,
-    0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, 0xceb42022, 0xca753d95,
-    0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1, 0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d,
-    0x34867077, 0x30476dc0, 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072,
-    0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca,
-    0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02,
-    0x5e9f46bf, 0x5a5e5b08, 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba,
-    0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc, 0xb6238b25, 0xb2e29692,
-    0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a,
-    0xe0b41de7, 0xe4750050, 0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
-    0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34, 0xdc3abded, 0xd8fba05a,
-    0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb,
-    0x4f040d56, 0x4bc510e1, 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
-    0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, 0x3f9b762c, 0x3b5a6b9b,
-    0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623,
-    0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b,
-    0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, 0xcda1f604, 0xc960ebb3,
-    0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7, 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b,
-    0x9b3660c6, 0x9ff77d71, 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3,
-    0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c,
-    0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24,
-    0x119b4be9, 0x155a565e, 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec,
-    0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a, 0x2d15ebe3, 0x29d4f654,
-    0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, 0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c,
-    0xe3a1cbc1, 0xe760d676, 0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
-    0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, 0x933eb0bb, 0x97ffad0c,
-    0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4
-  ]);
-
-  var CRC32 = function() {
-    /**
-     * The current CRC
-     */
-    var crc = 0xffffffff;
-
-    /**
-     * @return The current CRC
-     */
-    this.getCRC = function() {
-      return (~crc) >>> 0; // return an unsigned value
-    };
-
-    /**
-     * Update the CRC with a single byte
-     * @param value The value to update the CRC with
-     */
-    this.updateCRC = function(value) {
-      crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
-    };
-
-    /**
-     * Update the CRC with a sequence of identical bytes
-     * @param value The value to update the CRC with
-     * @param count The number of bytes
-     */
-    this.updateCRCRun = function(value, count) {
-      while (count-- > 0) {
-        crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
-      }
-    };
-  };
-  return CRC32;
-})();
-
-/*
-seek-bzip - a pure-javascript module for seeking within bzip2 data
-
-Copyright (C) 2013 C. Scott Ananian
-Copyright (C) 2012 Eli Skeggs
-Copyright (C) 2011 Kevin Kwok
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, see
-http://www.gnu.org/licenses/lgpl-2.1.html
-
-Adapted from node-bzip, copyright 2012 Eli Skeggs.
-Adapted from bzip2.js, copyright 2011 Kevin Kwok (antimatter15@gmail.com).
-
-Based on micro-bunzip by Rob Landley (rob@landley.net).
-
-Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
-which also acknowledges contributions by Mike Burrows, David Wheeler,
-Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
-Robert Sedgewick, and Jon L. Bentley.
-*/
-
-var BitReader = bitreader;
-var Stream = stream;
-var CRC32 = crc32;
-
-var MAX_HUFCODE_BITS = 20;
-var MAX_SYMBOLS = 258;
-var SYMBOL_RUNA = 0;
-var SYMBOL_RUNB = 1;
-var MIN_GROUPS = 2;
-var MAX_GROUPS = 6;
-var GROUP_SIZE = 50;
-
-var WHOLEPI = "314159265359";
-var SQRTPI = "177245385090";
-
-var mtf = function(array, index) {
-  var src = array[index], i;
-  for (i = index; i > 0; i--) {
-    array[i] = array[i-1];
-  }
-  array[0] = src;
-  return src;
-};
-
-var Err = {
-  OK: 0,
-  LAST_BLOCK: -1,
-  NOT_BZIP_DATA: -2,
-  UNEXPECTED_INPUT_EOF: -3,
-  UNEXPECTED_OUTPUT_EOF: -4,
-  DATA_ERROR: -5,
-  OUT_OF_MEMORY: -6,
-  OBSOLETE_INPUT: -7,
-  END_OF_BLOCK: -8
-};
-var ErrorMessages = {};
-ErrorMessages[Err.LAST_BLOCK] =            "Bad file checksum";
-ErrorMessages[Err.NOT_BZIP_DATA] =         "Not bzip data";
-ErrorMessages[Err.UNEXPECTED_INPUT_EOF] =  "Unexpected input EOF";
-ErrorMessages[Err.UNEXPECTED_OUTPUT_EOF] = "Unexpected output EOF";
-ErrorMessages[Err.DATA_ERROR] =            "Data error";
-ErrorMessages[Err.OUT_OF_MEMORY] =         "Out of memory";
-ErrorMessages[Err.OBSOLETE_INPUT] = "Obsolete (pre 0.9.5) bzip format not supported.";
-
-var _throw = function(status, optDetail) {
-  var msg = ErrorMessages[status] || 'unknown error';
-  if (optDetail) { msg += ': '+optDetail; }
-  var e = new TypeError(msg);
-  e.errorCode = status;
-  throw e;
-};
-
-var Bunzip = function(inputStream, outputStream) {
-  this.writePos = this.writeCurrent = this.writeCount = 0;
-
-  this._start_bunzip(inputStream, outputStream);
-};
-Bunzip.prototype._init_block = function() {
-  var moreBlocks = this._get_next_block();
-  if ( !moreBlocks ) {
-    this.writeCount = -1;
-    return false; /* no more blocks */
-  }
-  this.blockCRC = new CRC32();
-  return true;
-};
-/* XXX micro-bunzip uses (inputStream, inputBuffer, len) as arguments */
-Bunzip.prototype._start_bunzip = function(inputStream, outputStream) {
-  /* Ensure that file starts with "BZh['1'-'9']." */
-  var buf = new Uint8Array(4);
-  if (inputStream.read(buf, 0, 4) !== 4 ||
-      String.fromCharCode(buf[0], buf[1], buf[2]) !== 'BZh')
-    _throw(Err.NOT_BZIP_DATA, 'bad magic');
-
-  var level = buf[3] - 0x30;
-  if (level < 1 || level > 9)
-    _throw(Err.NOT_BZIP_DATA, 'level out of range');
-
-  this.reader = new BitReader(inputStream);
-
-  /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
-     uncompressed data.  Allocate intermediate buffer for block. */
-  this.dbufSize = 100000 * level;
-  this.nextoutput = 0;
-  this.outputStream = outputStream;
-  this.streamCRC = 0;
-};
-Bunzip.prototype._get_next_block = function() {
-  var i, j, k;
-  var reader = this.reader;
-  // this is get_next_block() function from micro-bunzip:
-  /* Read in header signature and CRC, then validate signature.
-     (last block signature means CRC is for whole file, return now) */
-  var h = reader.pi();
-  if (h === SQRTPI) { // last block
-    return false; /* no more blocks */
-  }
-  if (h !== WHOLEPI)
-    _throw(Err.NOT_BZIP_DATA);
-  this.targetBlockCRC = reader.read(32) >>> 0; // (convert to unsigned)
-  this.streamCRC = (this.targetBlockCRC ^
-                    ((this.streamCRC << 1) | (this.streamCRC>>>31))) >>> 0;
-  /* We can add support for blockRandomised if anybody complains.  There was
-     some code for this in busybox 1.0.0-pre3, but nobody ever noticed that
-     it didn't actually work. */
-  if (reader.read(1))
-    _throw(Err.OBSOLETE_INPUT);
-  var origPointer = reader.read(24);
-  if (origPointer > this.dbufSize)
-    _throw(Err.DATA_ERROR, 'initial position out of bounds');
-  /* mapping table: if some byte values are never used (encoding things
-     like ascii text), the compression code removes the gaps to have fewer
-     symbols to deal with, and writes a sparse bitfield indicating which
-     values were present.  We make a translation table to convert the symbols
-     back to the corresponding bytes. */
-  var t = reader.read(16);
-  var symToByte = new Uint8Array(256), symTotal = 0;
-  for (i = 0; i < 16; i++) {
-    if (t & (1 << (0xF - i))) {
-      var o = i * 16;
-      k = reader.read(16);
-      for (j = 0; j < 16; j++)
-        if (k & (1 << (0xF - j)))
-          symToByte[symTotal++] = o + j;
-    }
-  }
-
-  /* How many different huffman coding groups does this block use? */
-  var groupCount = reader.read(3);
-  if (groupCount < MIN_GROUPS || groupCount > MAX_GROUPS)
-    _throw(Err.DATA_ERROR);
-  /* nSelectors: Every GROUP_SIZE many symbols we select a new huffman coding
-     group.  Read in the group selector list, which is stored as MTF encoded
-     bit runs.  (MTF=Move To Front, as each value is used it's moved to the
-     start of the list.) */
-  var nSelectors = reader.read(15);
-  if (nSelectors === 0)
-    _throw(Err.DATA_ERROR);
-
-  var mtfSymbol = new Uint8Array(256);
-  for (i = 0; i < groupCount; i++)
-    mtfSymbol[i] = i;
-
-  var selectors = new Uint8Array(nSelectors); // was 32768...
-
-  for (i = 0; i < nSelectors; i++) {
-    /* Get next value */
-    for (j = 0; reader.read(1); j++)
-      if (j >= groupCount) _throw(Err.DATA_ERROR);
-    /* Decode MTF to get the next selector */
-    selectors[i] = mtf(mtfSymbol, j);
-  }
-
-  /* Read the huffman coding tables for each group, which code for symTotal
-     literal symbols, plus two run symbols (RUNA, RUNB) */
-  var symCount = symTotal + 2;
-  var groups = [], hufGroup;
-  for (j = 0; j < groupCount; j++) {
-    var length = new Uint8Array(symCount), temp = new Uint16Array(MAX_HUFCODE_BITS + 1);
-    /* Read huffman code lengths for each symbol.  They're stored in
-       a way similar to mtf; record a starting value for the first symbol,
-       and an offset from the previous value for everys symbol after that. */
-    t = reader.read(5); // lengths
-    for (i = 0; i < symCount; i++) {
-      for (;;) {
-        if (t < 1 || t > MAX_HUFCODE_BITS) _throw(Err.DATA_ERROR);
-        /* If first bit is 0, stop.  Else second bit indicates whether
-           to increment or decrement the value. */
-        if(!reader.read(1))
-          break;
-        if(!reader.read(1))
-          t++;
-        else
-          t--;
-      }
-      length[i] = t;
-    }
-
-    /* Find largest and smallest lengths in this group */
-    var minLen,  maxLen;
-    minLen = maxLen = length[0];
-    for (i = 1; i < symCount; i++) {
-      if (length[i] > maxLen)
-        maxLen = length[i];
-      else if (length[i] < minLen)
-        minLen = length[i];
-    }
-
-    /* Calculate permute[], base[], and limit[] tables from length[].
-     *
-     * permute[] is the lookup table for converting huffman coded symbols
-     * into decoded symbols.  base[] is the amount to subtract from the
-     * value of a huffman symbol of a given length when using permute[].
-     *
-     * limit[] indicates the largest numerical value a symbol with a given
-     * number of bits can have.  This is how the huffman codes can vary in
-     * length: each code with a value>limit[length] needs another bit.
-     */
-    hufGroup = {};
-    groups.push(hufGroup);
-    hufGroup.permute = new Uint16Array(MAX_SYMBOLS);
-    hufGroup.limit = new Uint32Array(MAX_HUFCODE_BITS + 2);
-    hufGroup.base = new Uint32Array(MAX_HUFCODE_BITS + 1);
-    hufGroup.minLen = minLen;
-    hufGroup.maxLen = maxLen;
-    /* Calculate permute[].  Concurently, initialize temp[] and limit[]. */
-    var pp = 0;
-    for (i = minLen; i <= maxLen; i++) {
-      temp[i] = hufGroup.limit[i] = 0;
-      for (t = 0; t < symCount; t++)
-        if (length[t] === i)
-          hufGroup.permute[pp++] = t;
-    }
-    /* Count symbols coded for at each bit length */
-    for (i = 0; i < symCount; i++)
-      temp[length[i]]++;
-    /* Calculate limit[] (the largest symbol-coding value at each bit
-     * length, which is (previous limit<<1)+symbols at this level), and
-     * base[] (number of symbols to ignore at each bit length, which is
-     * limit minus the cumulative count of symbols coded for already). */
-    pp = t = 0;
-    for (i = minLen; i < maxLen; i++) {
-      pp += temp[i];
-      /* We read the largest possible symbol size and then unget bits
-         after determining how many we need, and those extra bits could
-         be set to anything.  (They're noise from future symbols.)  At
-         each level we're really only interested in the first few bits,
-         so here we set all the trailing to-be-ignored bits to 1 so they
-         don't affect the value>limit[length] comparison. */
-      hufGroup.limit[i] = pp - 1;
-      pp <<= 1;
-      t += temp[i];
-      hufGroup.base[i + 1] = pp - t;
-    }
-    hufGroup.limit[maxLen + 1] = Number.MAX_VALUE; /* Sentinal value for reading next sym. */
-    hufGroup.limit[maxLen] = pp + temp[maxLen] - 1;
-    hufGroup.base[minLen] = 0;
-  }
-  /* We've finished reading and digesting the block header.  Now read this
-     block's huffman coded symbols from the file and undo the huffman coding
-     and run length encoding, saving the result into dbuf[dbufCount++]=uc */
-
-  /* Initialize symbol occurrence counters and symbol Move To Front table */
-  var byteCount = new Uint32Array(256);
-  for (i = 0; i < 256; i++)
-    mtfSymbol[i] = i;
-  /* Loop through compressed symbols. */
-  var runPos = 0, dbufCount = 0, selector = 0, uc;
-  var dbuf = this.dbuf = new Uint32Array(this.dbufSize);
-  symCount = 0;
-  for (;;) {
-    /* Determine which huffman coding group to use. */
-    if (!(symCount--)) {
-      symCount = GROUP_SIZE - 1;
-      if (selector >= nSelectors) { _throw(Err.DATA_ERROR); }
-      hufGroup = groups[selectors[selector++]];
-    }
-    /* Read next huffman-coded symbol. */
-    i = hufGroup.minLen;
-    j = reader.read(i);
-    for (;;i++) {
-      if (i > hufGroup.maxLen) { _throw(Err.DATA_ERROR); }
-      if (j <= hufGroup.limit[i])
-        break;
-      j = (j << 1) | reader.read(1);
-    }
-    /* Huffman decode value to get nextSym (with bounds checking) */
-    j -= hufGroup.base[i];
-    if (j < 0 || j >= MAX_SYMBOLS) { _throw(Err.DATA_ERROR); }
-    var nextSym = hufGroup.permute[j];
-    /* We have now decoded the symbol, which indicates either a new literal
-       byte, or a repeated run of the most recent literal byte.  First,
-       check if nextSym indicates a repeated run, and if so loop collecting
-       how many times to repeat the last literal. */
-    if (nextSym === SYMBOL_RUNA || nextSym === SYMBOL_RUNB) {
-      /* If this is the start of a new run, zero out counter */
-      if (!runPos){
-        runPos = 1;
-        t = 0;
-      }
-      /* Neat trick that saves 1 symbol: instead of or-ing 0 or 1 at
-         each bit position, add 1 or 2 instead.  For example,
-         1011 is 1<<0 + 1<<1 + 2<<2.  1010 is 2<<0 + 2<<1 + 1<<2.
-         You can make any bit pattern that way using 1 less symbol than
-         the basic or 0/1 method (except all bits 0, which would use no
-         symbols, but a run of length 0 doesn't mean anything in this
-         context).  Thus space is saved. */
-      if (nextSym === SYMBOL_RUNA)
-        t += runPos;
-      else
-        t += 2 * runPos;
-      runPos <<= 1;
-      continue;
-    }
-    /* When we hit the first non-run symbol after a run, we now know
-       how many times to repeat the last literal, so append that many
-       copies to our buffer of decoded symbols (dbuf) now.  (The last
-       literal used is the one at the head of the mtfSymbol array.) */
-    if (runPos){
-      runPos = 0;
-      if (dbufCount + t > this.dbufSize) { _throw(Err.DATA_ERROR); }
-      uc = symToByte[mtfSymbol[0]];
-      byteCount[uc] += t;
-      while (t--)
-        dbuf[dbufCount++] = uc;
-    }
-    /* Is this the terminating symbol? */
-    if (nextSym > symTotal)
-      break;
-    /* At this point, nextSym indicates a new literal character.  Subtract
-       one to get the position in the MTF array at which this literal is
-       currently to be found.  (Note that the result can't be -1 or 0,
-       because 0 and 1 are RUNA and RUNB.  But another instance of the
-       first symbol in the mtf array, position 0, would have been handled
-       as part of a run above.  Therefore 1 unused mtf position minus
-       2 non-literal nextSym values equals -1.) */
-    if (dbufCount >= this.dbufSize) { _throw(Err.DATA_ERROR); }
-    i = nextSym - 1;
-    uc = mtf(mtfSymbol, i);
-    uc = symToByte[uc];
-    /* We have our literal byte.  Save it into dbuf. */
-    byteCount[uc]++;
-    dbuf[dbufCount++] = uc;
-  }
-  /* At this point, we've read all the huffman-coded symbols (and repeated
-     runs) for this block from the input stream, and decoded them into the
-     intermediate buffer.  There are dbufCount many decoded bytes in dbuf[].
-     Now undo the Burrows-Wheeler transform on dbuf.
-     See http://dogma.net/markn/articles/bwt/bwt.htm
-  */
-  if (origPointer < 0 || origPointer >= dbufCount) { _throw(Err.DATA_ERROR); }
-  /* Turn byteCount into cumulative occurrence counts of 0 to n-1. */
-  j = 0;
-  for (i = 0; i < 256; i++) {
-    k = j + byteCount[i];
-    byteCount[i] = j;
-    j = k;
-  }
-  /* Figure out what order dbuf would be in if we sorted it. */
-  for (i = 0; i < dbufCount; i++) {
-    uc = dbuf[i] & 0xff;
-    dbuf[byteCount[uc]] |= (i << 8);
-    byteCount[uc]++;
-  }
-  /* Decode first byte by hand to initialize "previous" byte.  Note that it
-     doesn't get output, and if the first three characters are identical
-     it doesn't qualify as a run (hence writeRunCountdown=5). */
-  var pos = 0, current = 0, run = 0;
-  if (dbufCount) {
-    pos = dbuf[origPointer];
-    current = (pos & 0xff);
-    pos >>= 8;
-    run = -1;
-  }
-  this.writePos = pos;
-  this.writeCurrent = current;
-  this.writeCount = dbufCount;
-  this.writeRun = run;
-
-  return true; /* more blocks to come */
-};
-/* Undo burrows-wheeler transform on intermediate buffer to produce output.
-   If start_bunzip was initialized with out_fd=-1, then up to len bytes of
-   data are written to outbuf.  Return value is number of bytes written or
-   error (all errors are negative numbers).  If out_fd!=-1, outbuf and len
-   are ignored, data is written to out_fd and return is RETVAL_OK or error.
-*/
-Bunzip.prototype._read_bunzip = function(outputBuffer, len) {
-    var copies, previous, outbyte;
-    /* james@jamestaylor.org: writeCount goes to -1 when the buffer is fully
-       decoded, which results in this returning RETVAL_LAST_BLOCK, also
-       equal to -1... Confusing, I'm returning 0 here to indicate no
-       bytes written into the buffer */
-  if (this.writeCount < 0) { return 0; }
-  var dbuf = this.dbuf, pos = this.writePos, current = this.writeCurrent;
-  var dbufCount = this.writeCount; this.outputsize;
-  var run = this.writeRun;
-
-  while (dbufCount) {
-    dbufCount--;
-    previous = current;
-    pos = dbuf[pos];
-    current = pos & 0xff;
-    pos >>= 8;
-    if (run++ === 3){
-      copies = current;
-      outbyte = previous;
-      current = -1;
-    } else {
-      copies = 1;
-      outbyte = current;
-    }
-    this.blockCRC.updateCRCRun(outbyte, copies);
-    while (copies--) {
-      this.outputStream.writeByte(outbyte);
-      this.nextoutput++;
-    }
-    if (current != previous)
-      run = 0;
-  }
-  this.writeCount = dbufCount;
-  // check CRC
-  if (this.blockCRC.getCRC() !== this.targetBlockCRC) {
-    _throw(Err.DATA_ERROR, "Bad block CRC "+
-           "(got "+this.blockCRC.getCRC().toString(16)+
-           " expected "+this.targetBlockCRC.toString(16)+")");
-  }
-  return this.nextoutput;
-};
-
-var coerceInputStream = function(input) {
-  if ('readByte' in input) { return input; }
-  var inputStream = new Stream();
-  inputStream.pos = 0;
-  inputStream.readByte = function() { return input[this.pos++]; };
-  inputStream.seek = function(pos) { this.pos = pos; };
-  inputStream.eof = function() { return this.pos >= input.length; };
-  return inputStream;
-};
-var coerceOutputStream = function(output) {
-  var outputStream = new Stream();
-  var resizeOk = true;
-  if (output) {
-    if (typeof(output)==='number') {
-      outputStream.buffer = new Uint8Array(output);
-      resizeOk = false;
-    } else if ('writeByte' in output) {
-      return output;
-    } else {
-      outputStream.buffer = output;
-      resizeOk = false;
-    }
-  } else {
-    outputStream.buffer = new Uint8Array(16384);
-  }
-  outputStream.pos = 0;
-  outputStream.writeByte = function(_byte) {
-    if (resizeOk && this.pos >= this.buffer.length) {
-      var newBuffer = new Uint8Array(this.buffer.length*2);
-      newBuffer.set(this.buffer);
-      this.buffer = newBuffer;
-    }
-    this.buffer[this.pos++] = _byte;
-  };
-  outputStream.getBuffer = function() {
-    // trim buffer
-    if (this.pos !== this.buffer.length) {
-      if (!resizeOk)
-        throw new TypeError('outputsize does not match decoded input');
-      var newBuffer = new Uint8Array(this.pos);
-      newBuffer.set(this.buffer.subarray(0, this.pos));
-      this.buffer = newBuffer;
-    }
-    return this.buffer;
-  };
-  outputStream._coerced = true;
-  return outputStream;
-};
-
-/* Static helper functions */
-// 'input' can be a stream or a buffer
-// 'output' can be a stream or a buffer or a number (buffer size)
-const decode = function(input, output, multistream) {
-  // make a stream from a buffer, if necessary
-  var inputStream = coerceInputStream(input);
-  var outputStream = coerceOutputStream(output);
-
-  var bz = new Bunzip(inputStream, outputStream);
-  while (true) {
-    if ('eof' in inputStream && inputStream.eof()) break;
-    if (bz._init_block()) {
-      bz._read_bunzip();
-    } else {
-      var targetStreamCRC = bz.reader.read(32) >>> 0; // (convert to unsigned)
-      if (targetStreamCRC !== bz.streamCRC) {
-        _throw(Err.DATA_ERROR, "Bad stream CRC "+
-               "(got "+bz.streamCRC.toString(16)+
-               " expected "+targetStreamCRC.toString(16)+")");
-      }
-      if (multistream &&
-          'eof' in inputStream &&
-          !inputStream.eof()) {
-        // note that start_bunzip will also resync the bit reader to next byte
-        bz._start_bunzip(inputStream, outputStream);
-      } else break;
-    }
-  }
-  if ('getBuffer' in outputStream)
-    return outputStream.getBuffer();
-};
-const decodeBlock = function(input, pos, output) {
-  // make a stream from a buffer, if necessary
-  var inputStream = coerceInputStream(input);
-  var outputStream = coerceOutputStream(output);
-  var bz = new Bunzip(inputStream, outputStream);
-  bz.reader.seek(pos);
-  /* Fill the decode buffer for the block */
-  var moreBlocks = bz._get_next_block();
-  if (moreBlocks) {
-    /* Init the CRC for writing */
-    bz.blockCRC = new CRC32();
-
-    /* Zero this so the current byte from before the seek is not written */
-    bz.writeCopies = 0;
-
-    /* Decompress the block and write to stdout */
-    bz._read_bunzip();
-    // XXX keep writing?
-  }
-  if ('getBuffer' in outputStream)
-    return outputStream.getBuffer();
-};
-/* Reads bzip2 file from stream or buffer `input`, and invoke
- * `callback(position, size)` once for each bzip2 block,
- * where position gives the starting position (in *bits*)
- * and size gives uncompressed size of the block (in *bytes*). */
-const table = function(input, callback, multistream) {
-  // make a stream from a buffer, if necessary
-  var inputStream = new Stream();
-  inputStream.delegate = coerceInputStream(input);
-  inputStream.pos = 0;
-  inputStream.readByte = function() {
-    this.pos++;
-    return this.delegate.readByte();
-  };
-  if (inputStream.delegate.eof) {
-    inputStream.eof = inputStream.delegate.eof.bind(inputStream.delegate);
-  }
-  var outputStream = new Stream();
-  outputStream.pos = 0;
-  outputStream.writeByte = function() { this.pos++; };
-
-  var bz = new Bunzip(inputStream, outputStream);
-  var blockSize = bz.dbufSize;
-  while (true) {
-    if ('eof' in inputStream && inputStream.eof()) break;
-
-    var position = inputStream.pos*8 + bz.reader.bitOffset;
-    if (bz.reader.hasByte) { position -= 8; }
-
-    if (bz._init_block()) {
-      var start = outputStream.pos;
-      bz._read_bunzip();
-      callback(position, outputStream.pos - start);
-    } else {
-      bz.reader.read(32); // (but we ignore the crc)
-      if (multistream &&
-          'eof' in inputStream &&
-          !inputStream.eof()) {
-        // note that start_bunzip will also resync the bit reader to next byte
-        bz._start_bunzip(inputStream, outputStream);
-        console.assert(bz.dbufSize === blockSize,
-                       "shouldn't change block size within multistream file");
-      } else break;
-    }
-  }
-};
-
-var lib = {
-  Bunzip,
-  Stream,
-  Err,
-  decode,
-  decodeBlock,
-  table
-};
-
 // GPG4Browsers - An OpenPGP implementation in javascript
 // Copyright (C) 2011 Recurity Labs GmbH
 //
@@ -16161,12 +15836,12 @@ class CompressedDataPacket {
    */
   async decompress(config$1 = config) {
     const compressionName = enums.read(enums.compression, this.algorithm);
-    const decompressionFn = decompress_fns[compressionName];
+    const decompressionFn = decompress_fns[compressionName]; // bzip decompression is async
     if (!decompressionFn) {
       throw new Error(`${compressionName} decompression not supported`);
     }
 
-    this.packets = await PacketList.fromBinary(decompressionFn(this.compressed), allowedPackets$5, config$1);
+    this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets$5, config$1);
   }
 
   /**
@@ -16253,9 +15928,10 @@ function zlib(compressionStreamInstantiator, ZlibStreamedConstructor) {
   };
 }
 
-function bzip2(func) {
-  return function(data) {
-    return fromAsync(async () => func(await readToEnd(data)));
+function bzip2Decompress() {
+  return async function(data) {
+    const { decode: bunzipDecode } = await import('./seek-bzip.mjs').then(function (n) { return n.i; });
+    return fromAsync(async () => bunzipDecode(await readToEnd(data)));
   };
 }
 
@@ -16280,7 +15956,7 @@ const decompress_fns = {
   uncompressed: data => data,
   zip: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate-raw').decompressor, Inflate),
   zlib: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate').decompressor, Unzlib),
-  bzip2: /*#__PURE__*/ bzip2(lib.decode)
+  bzip2: /*#__PURE__*/ bzip2Decompress() // NB: async due to dynamic lib import
 };
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -16400,6 +16076,16 @@ class SymEncryptedIntegrityProtectedDataPacket {
    * @async
    */
   async encrypt(sessionKeyAlgorithm, key, config$1 = config) {
+    // We check that the session key size matches the one expected by the symmetric algorithm.
+    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,
+    // but we want to ensure that the input key isn't e.g. too short.
+    // The check is done here, instead of on encrypted session key (ESK) encryption, because v6 ESK packets do not store the session key algorithm,
+    // which is instead included in the SEIPDv2 data.
+    const { blockSize, keySize } = mod.getCipherParams(sessionKeyAlgorithm);
+    if (key.length !== keySize) {
+      throw new Error('Unexpected session key size');
+    }
+
     let bytes = this.packets.write();
     if (isArrayStream(bytes)) bytes = await readToEnd(bytes);
 
@@ -16410,8 +16096,6 @@ class SymEncryptedIntegrityProtectedDataPacket {
       this.chunkSizeByte = config$1.aeadChunkSizeByte;
       this.encrypted = await runAEAD(this, 'encrypt', key, bytes);
     } else {
-      const { blockSize } = mod.getCipherParams(sessionKeyAlgorithm);
-
       const prefix = await mod.getPrefixRandom(sessionKeyAlgorithm);
       const mdc = new Uint8Array([0xD3, 0x14]); // modification detection code packet
 
@@ -16434,11 +16118,24 @@ class SymEncryptedIntegrityProtectedDataPacket {
    * @async
    */
   async decrypt(sessionKeyAlgorithm, key, config$1 = config) {
+    // We check that the session key size matches the one expected by the symmetric algorithm.
+    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,
+    // but we want to ensure that the input key isn't e.g. too short.
+    // The check is done here, instead of on encrypted session key (ESK) decryption, because v6 ESK packets do not store the session key algorithm,
+    // which is instead included in the SEIPDv2 data.
+    if (key.length !== mod.getCipherParams(sessionKeyAlgorithm).keySize) {
+      throw new Error('Unexpected session key size');
+    }
+
     let encrypted = clone(this.encrypted);
     if (isArrayStream(encrypted)) encrypted = await readToEnd(encrypted);
 
     let packetbytes;
     if (this.version === 2) {
+      if (this.cipherAlgorithm !== sessionKeyAlgorithm) {
+        // sanity check
+        throw new Error('Unexpected session key algorithm');
+      }
       packetbytes = await runAEAD(this, 'decrypt', key, encrypted);
     } else {
       const { blockSize } = mod.getCipherParams(sessionKeyAlgorithm);
@@ -16718,6 +16415,12 @@ class AEADEncryptedDataPacket {
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
+const algosWithV3CleartextSessionKeyAlgorithm = new Set([
+  enums.publicKey.x25519,
+  enums.publicKey.x448,
+  enums.publicKey.pqc_mlkem_x25519
+]);
+
 /**
  * Public-Key Encrypted Session Key Packets (Tag 1)
  *
@@ -16825,7 +16528,7 @@ class PublicKeyEncryptedSessionKeyPacket {
     }
     this.publicKeyAlgorithm = bytes[offset++];
     this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));
-    if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {
+    if (algosWithV3CleartextSessionKeyAlgorithm.has(this.publicKeyAlgorithm)) {
       if (this.version === 3) {
         this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
       } else if (this.encrypted.C.algorithm !== null) {
@@ -16906,11 +16609,14 @@ class PublicKeyEncryptedSessionKeyPacket {
 
     const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
 
-    // v3 Montgomery curves have cleartext cipher algo
-    if (this.version === 3 && (
-      this.publicKeyAlgorithm !== enums.publicKey.x25519 && this.publicKeyAlgorithm !== enums.publicKey.x448)
-    ) {
-      this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+    if (this.version === 3) {
+      // v3 Montgomery curves have cleartext cipher algo
+      const hasEncryptedAlgo = !algosWithV3CleartextSessionKeyAlgorithm.has(this.publicKeyAlgorithm);
+      this.sessionKeyAlgorithm = hasEncryptedAlgo ? sessionKeyAlgorithm : this.sessionKeyAlgorithm;
+
+      if (sessionKey.length !== mod.getCipherParams(this.sessionKeyAlgorithm).keySize) {
+        throw new Error('Unexpected session key size');
+      }
     }
     this.sessionKey = sessionKey;
   }
@@ -16932,6 +16638,7 @@ function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
       ]);
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519:
       return sessionKeyData;
     default:
       throw new Error('Unsupported public key algorithm');
@@ -16980,6 +16687,7 @@ function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
     }
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519:
       return {
         sessionKeyAlgorithm: null,
         sessionKey: decryptedData
@@ -17040,7 +16748,7 @@ class SymEncryptedSessionKeyPacket {
      * Algorithm to encrypt the message with
      * @type {enums.symmetric}
      */
-    this.sessionKeyAlgorithm = enums.symmetric.aes256;
+    this.sessionKeyAlgorithm = null;
     /**
      * AEAD mode to encrypt the session key with (if AEAD protection is enabled)
      * @type {enums.aead}
@@ -17161,7 +16869,11 @@ class SymEncryptedSessionKeyPacket {
 
       this.sessionKeyAlgorithm = enums.write(enums.symmetric, decrypted[0]);
       this.sessionKey = decrypted.subarray(1, decrypted.length);
+      if (this.sessionKey.length !== mod.getCipherParams(this.sessionKeyAlgorithm).keySize) {
+        throw new Error('Unexpected session key size');
+      }
     } else {
+      // session key size is checked as part of SEIPDv2 decryption, where we know the expected symmetric algo
       this.sessionKey = key;
     }
   }
@@ -17341,6 +17053,14 @@ class PublicKeyPacket {
       ) {
         throw new Error('Legacy curve25519 cannot be used with v6 keys');
       }
+      // The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys.
+      // The composite ML-KEM + ECDH schemes MUST be used only with v6 keys.
+      if (this.version !== 6 && (
+        this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
+        this.algorithm === enums.publicKey.pqc_mlkem_x25519
+      )) {
+        throw new Error('Unexpected key version: ML-DSA and ML-KEM algorithms can only be used with v6 keys');
+      }
       this.publicParams = publicParams;
       pos += read;
 
@@ -18024,7 +17744,7 @@ class SecretKeyPacket extends PublicKeyPacket {
         }
       }
       try {
-        const { read, privateParams } = mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
+        const { read, privateParams } = await mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
         if (read < cleartext.length) {
           throw new Error('Error reading MPIs');
         }
@@ -18282,7 +18002,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     }
 
     try {
-      const { privateParams } = mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
+      const { privateParams } = await mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
       this.privateParams = privateParams;
     } catch (err) {
       throw new Error('Error reading MPIs');
@@ -18335,6 +18055,12 @@ class SecretKeyPacket extends PublicKeyPacket {
     )) {
       throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);
     }
+    if (this.version !== 6 && (
+      this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
+      this.algorithm === enums.publicKey.pqc_mlkem_x25519
+    )) {
+      throw new Error(`Cannot generate v${this.version} keys of type 'pqc'. Generate a v6 key instead`);
+    }
     const { privateParams, publicParams } = await mod.generateParams(this.algorithm, bits, curve, symmetric);
     this.privateParams = privateParams;
     this.publicParams = publicParams;
@@ -18810,7 +18536,7 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
   const signatureProperties = { signatureType: enums.signature.subkeyBinding };
   if (options.sign) {
     signatureProperties.keyFlags = [enums.keyFlags.signData];
-    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, [], subkey, {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
@@ -18822,41 +18548,101 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
     signatureProperties.keyExpirationTime = options.keyExpirationTime;
     signatureProperties.keyNeverExpires = false;
   }
-  const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
+  const subkeySignaturePacket = await createSignaturePacket(dataToSign, [], primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
   return subkeySignaturePacket;
 }
 
 /**
- * Returns the preferred signature hash algorithm of a key
- * @param {Key} [key] - The key to get preferences from
- * @param {SecretKeyPacket|SecretSubkeyPacket} keyPacket - key packet used for signing
+ * Returns the preferred signature hash algorithm for a set of keys.
+ * @param {Array<Key>} [targetKeys] - The keys to get preferences from
+ * @param {SecretKeyPacket|SecretSubkeyPacket} signingKeyPacket - key packet used for signing
  * @param {Date} [date] - Use the given date for verification instead of the current time
- * @param {Object} [userID] - User ID
+ * @param {Object} [targetUserID] - User IDs corresponding to `targetKeys` to get preferences from
  * @param {Object} config - full configuration
  * @returns {Promise<enums.hash>}
  * @async
  */
-async function getPreferredHashAlgo(key, keyPacket, date = new Date(), userID = {}, config) {
-  let hashAlgo = config.preferredHashAlgorithm;
-  let prefAlgo = hashAlgo;
-  if (key) {
-    const selfCertification = await key.getPrimarySelfSignature(date, userID, config);
-    if (selfCertification.preferredHashAlgorithms) {
-      [prefAlgo] = selfCertification.preferredHashAlgorithms;
-      hashAlgo = mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
-        prefAlgo : hashAlgo;
+async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
+  if (signingKeyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+    // For PQC, the returned hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    return mod.publicKey.postQuantum.signature.getRequiredHashAlgo(signingKeyPacket.algorithm);
+  }
+
+  /**
+   * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
+   * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
+   * if no keys are available, `preferredSenderAlgo` is returned.
+   * For ECC signing key, the curve preferred hash is taken into account as well (see logic below).
+   */
+  const defaultAlgo = enums.hash.sha256; // MUST implement
+  const preferredSenderAlgo = config.preferredHashAlgorithm;
+
+  const supportedAlgosPerTarget = await Promise.all(targetKeys.map(async (key, i) => {
+    const selfCertification = await key.getPrimarySelfSignature(date, targetUserIDs[i], config);
+    const targetPrefs = selfCertification.preferredHashAlgorithms;
+    return targetPrefs;
+  }));
+  const supportedAlgosMap = new Map(); // use Map over object to preserve numeric keys
+  for (const supportedAlgos of supportedAlgosPerTarget) {
+    for (const hashAlgo of supportedAlgos) {
+      try {
+        // ensure that `hashAlgo` is recognized/implemented by us, otherwise e.g. `getHashByteLength` will throw later on
+        const supportedAlgo = enums.write(enums.hash, hashAlgo);
+        supportedAlgosMap.set(
+          supportedAlgo,
+          supportedAlgosMap.has(supportedAlgo) ? supportedAlgosMap.get(supportedAlgo) + 1 : 1
+        );
+      } catch {}
     }
   }
-  switch (keyPacket.algorithm) {
-    case enums.publicKey.ecdsa:
-    case enums.publicKey.eddsaLegacy:
-    case enums.publicKey.ed25519:
-    case enums.publicKey.ed448:
-      prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
+  const isSupportedHashAlgo = hashAlgo => targetKeys.length === 0 || supportedAlgosMap.get(hashAlgo) === targetKeys.length || hashAlgo === defaultAlgo;
+  const getStrongestSupportedHashAlgo = () => {
+    if (supportedAlgosMap.size === 0) {
+      return defaultAlgo;
+    }
+    const sortedHashAlgos = Array.from(supportedAlgosMap.keys())
+      .filter(hashAlgo => isSupportedHashAlgo(hashAlgo))
+      .sort((algoA, algoB) => mod.hash.getHashByteLength(algoA) - mod.hash.getHashByteLength(algoB));
+    const strongestHashAlgo = sortedHashAlgos[0];
+    // defaultAlgo is always implicilty supported, and might be stronger than the rest
+    return mod.hash.getHashByteLength(strongestHashAlgo) >= mod.hash.getHashByteLength(defaultAlgo) ? strongestHashAlgo : defaultAlgo;
+  };
+
+  const eccAlgos = new Set([
+    enums.publicKey.ecdsa,
+    enums.publicKey.eddsaLegacy,
+    enums.publicKey.ed25519,
+    enums.publicKey.ed448
+  ]);
+
+  if (eccAlgos.has(signingKeyPacket.algorithm)) {
+    // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:
+    // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5
+    // - EdDSALegacy: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+    // Hence, we return the `preferredHashAlgo` as long as it's supported and strong enough;
+    // Otherwise, we look at the strongest supported algo, and ultimately fallback to the curve
+    // preferred algo, even if not supported by all targets.
+    const preferredCurveAlgo = mod.getPreferredCurveHashAlgo(signingKeyPacket.algorithm, signingKeyPacket.publicParams.oid);
+
+    const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo);
+    const preferredSenderAlgoStrongerThanCurveAlgo = mod.hash.getHashByteLength(preferredSenderAlgo) >= mod.hash.getHashByteLength(preferredCurveAlgo);
+
+    if (preferredSenderAlgoIsSupported && preferredSenderAlgoStrongerThanCurveAlgo) {
+      return preferredSenderAlgo;
+    } else {
+      const strongestSupportedAlgo = getStrongestSupportedHashAlgo();
+      return mod.hash.getHashByteLength(strongestSupportedAlgo) >= mod.hash.getHashByteLength(preferredCurveAlgo) ?
+        strongestSupportedAlgo :
+        preferredCurveAlgo;
+    }
   }
 
-  return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
-    prefAlgo : hashAlgo;
+  // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,
+  // since it was manually set by the sender.
+  return isSupportedHashAlgo(preferredSenderAlgo) ? preferredSenderAlgo : getStrongestSupportedHashAlgo();
 }
 
 /**
@@ -18927,7 +18713,7 @@ async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [
 /**
  * Create signature packet
  * @param {Object} dataToSign - Contains packets to be signed
- * @param {PrivateKey} privateKey - key to get preferences from
+ * @param {Array<Key>} recipientKeys - keys to get preferences from
  * @param  {SecretKeyPacket|
  *          SecretSubkeyPacket}              signingKeyPacket secret key packet for signing
  * @param {Object} [signatureProperties] - Properties to write on the signature packet before signing
@@ -18938,7 +18724,7 @@ async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [
  * @param {Object} config - full configuration
  * @returns {Promise<SignaturePacket>} Signature packet.
  */
-async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, signatureProperties, date, userID, notations = [], detached = false, config) {
+async function createSignaturePacket(dataToSign, recipientKeys, signingKeyPacket, signatureProperties, date, recipientUserIDs, notations = [], detached = false, config) {
   if (signingKeyPacket.isDummy()) {
     throw new Error('Cannot sign with a gnu-dummy key.');
   }
@@ -18948,7 +18734,7 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   const signaturePacket = new SignaturePacket();
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-  signaturePacket.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKeyPacket, date, userID, config);
+  signaturePacket.hashAlgorithm = await getPreferredHashAlgo(recipientKeys, signingKeyPacket, date, recipientUserIDs, config);
   signaturePacket.rawNotations = [...notations];
   await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);
   return signaturePacket;
@@ -19069,6 +18855,13 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
   }
 
   switch (options.type) {
+    case 'pqc':
+      if (options.sign) {
+        options.algorithm = enums.publicKey.pqc_mldsa_ed25519;
+      } else {
+        options.algorithm = enums.publicKey.pqc_mlkem_x25519;
+      }
+      break;
     case 'ecc': // NB: this case also handles legacy eddsa and x25519 keys, based on `options.curve`
       try {
         options.curve = enums.write(enums.curve, options.curve);
@@ -19127,6 +18920,7 @@ function validateSigningKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448:
     case enums.publicKey.hmac:
+    case enums.publicKey.pqc_mldsa_ed25519:
       if (!signature.keyFlags && !config.allowMissingKeyFlags) {
         throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
       }
@@ -19146,6 +18940,7 @@ function validateEncryptionKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
     case enums.publicKey.aead:
+    case enums.publicKey.pqc_mlkem_x25519:
       if (!signature.keyFlags && !config.allowMissingKeyFlags) {
         throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
       }
@@ -19168,7 +18963,8 @@ function validateDecryptionKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.elgamal:
     case enums.publicKey.ecdh:
     case enums.publicKey.x25519:
-    case enums.publicKey.x448: {
+    case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519: {
       const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;
       if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) {
         // This is only relevant for RSA keys, all other signing algorithms cannot decrypt
@@ -19285,7 +19081,7 @@ class User {
         throw new Error("The user's own key can only be used for self-certifications");
       }
       const signingKey = await privateKey.getSigningKey(undefined, date, undefined, config);
-      return createSignaturePacket(dataToSign, privateKey, signingKey.keyPacket, {
+      return createSignaturePacket(dataToSign, [privateKey], signingKey.keyPacket, {
         // Most OpenPGP implementations use generic certification (0x10)
         signatureType: enums.signature.certGeneric,
         keyFlags: [enums.keyFlags.certifyKeys | enums.keyFlags.signData]
@@ -19473,7 +19269,7 @@ class User {
       key: primaryKey
     };
     const user = new User(dataToSign.userID || dataToSign.userAttribute, this.mainKey);
-    user.revocationSignatures.push(await createSignaturePacket(dataToSign, null, primaryKey, {
+    user.revocationSignatures.push(await createSignaturePacket(dataToSign, [], primaryKey, {
       signatureType: enums.signature.certRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -19666,7 +19462,7 @@ class Subkey {
   ) {
     const dataToSign = { key: primaryKey, bind: this.keyPacket };
     const subkey = new Subkey(this.keyPacket, this.mainKey);
-    subkey.revocationSignatures.push(await createSignaturePacket(dataToSign, null, primaryKey, {
+    subkey.revocationSignatures.push(await createSignaturePacket(dataToSign, [], primaryKey, {
       signatureType: enums.signature.subkeyRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -20699,7 +20495,7 @@ class PrivateKey extends PublicKey {
     }
     const dataToSign = { key: this.keyPacket };
     const key = this.clone();
-    key.revocationSignatures.push(await createSignaturePacket(dataToSign, null, this.keyPacket, {
+    key.revocationSignatures.push(await createSignaturePacket(dataToSign, [], this.keyPacket, {
       signatureType: enums.signature.keyRevocation,
       reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
       reasonForRevocationString
@@ -20981,10 +20777,9 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       });
     }
     signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
-      // prefer fast asm.js implementations (SHA-256)
-      enums.hash.sha256,
       enums.hash.sha512,
-      ...(secretKeyPacket.version === 6 ? [enums.hash.sha3_256, enums.hash.sha3_512] : [])
+      enums.hash.sha256,
+      ...(secretKeyPacket.version === 6 ? [enums.hash.sha3_512, enums.hash.sha3_256] : [])
     ], config.preferredHashAlgorithm);
     signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
       enums.compression.uncompressed,
@@ -21012,7 +20807,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
     const signatureProperties = getKeySignatureProperties();
     signatureProperties.signatureType = enums.signature.key;
 
-    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
+    const signaturePacket = await createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
     packetlist.push(signaturePacket);
   }
 
@@ -21028,7 +20823,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       signatureProperties.isPrimaryUserID = true;
     }
 
-    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
+    const signaturePacket = await createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
     return { userIDPacket, signaturePacket };
   })).then(list => {
@@ -21052,7 +20847,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
   // Add revocation signature packet for creating a revocation certificate.
   // This packet should be removed before returning the key.
   const dataToSign = { key: secretKeyPacket };
-  packetlist.push(await createSignaturePacket(dataToSign, null, secretKeyPacket, {
+  packetlist.push(await createSignaturePacket(dataToSign, [], secretKeyPacket, {
     signatureType: enums.signature.keyRevocation,
     reasonForRevocationFlag: enums.reasonForRevocation.noReason,
     reasonForRevocationString: ''
@@ -21727,16 +21522,18 @@ class Message {
   /**
    * Sign the message (the literal data packet of the message)
    * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature to add to the message
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
    * @param {Date} [date] - Override the creation time of the signature
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<Message>} New message with signed content.
    * @async
    */
-  async sign(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async sign(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config$1 = config) {
     const packetlist = new PacketList();
 
     const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
@@ -21744,7 +21541,7 @@ class Message {
       throw new Error('No literal data packet to sign.');
     }
 
-    const signaturePackets = await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, notations, false, config$1); // this returns the existing signature packets as well
+    const signaturePackets = await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, false, config$1); // this returns the existing signature packets as well
     const onePassSignaturePackets = signaturePackets.map(
       (signaturePacket, i) => OnePassSignaturePacket.fromSignaturePacket(signaturePacket, i === 0))
       .reverse(); // innermost OPS refers to the first signature packet
@@ -21780,21 +21577,23 @@ class Message {
   /**
    * Create a detached signature for the message (the literal data packet of the message)
    * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
    * @param {Date} [date] - Override the creation time of the signature
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<Signature>} New detached signature of message content.
    * @async
    */
-  async signDetached(signingKeys = [], signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async signDetached(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], recipientKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
     const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
     if (!literalDataPacket) {
       throw new Error('No literal data packet to sign.');
     }
-    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, signature, signingKeyIDs, date, userIDs, notations, true, config$1));
+    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, recipientKeyIDs, date, userIDs, notations, true, config$1));
   }
 
   /**
@@ -21929,10 +21728,12 @@ class Message {
  * Create signature packets for the message
  * @param {LiteralDataPacket} literalDataPacket - the literal data packet to sign
  * @param {Array<PrivateKey>} [signingKeys] - private keys with decrypted secret key data for signing
+ * @param {Array<Key>} [recipientKeys] - recipient keys to get the signing preferences from
  * @param {Signature} [signature] - Any existing detached signature to append
  * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
  * @param {Date} [date] - Override the creationtime of the signature
- * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+ * @param {Array<UserID>} [signingUserIDs] - User IDs to sign to, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+ * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
  * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
  * @param {Array} [signatureSalts] - A list of signature salts matching the number of signingKeys that should be used for v6 signatures
  * @param {Boolean} [detached] - Whether to create detached signature packets
@@ -21941,7 +21742,7 @@ class Message {
  * @async
  * @private
  */
-async function createSignaturePackets(literalDataPacket, signingKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], detached = false, config$1 = config) {
+async function createSignaturePackets(literalDataPacket, signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], detached = false, config$1 = config) {
   const packetlist = new PacketList();
 
   // If data packet was created from Uint8Array, use binary, otherwise use text
@@ -21949,12 +21750,12 @@ async function createSignaturePackets(literalDataPacket, signingKeys, signature
     enums.signature.binary : enums.signature.text;
 
   await Promise.all(signingKeys.map(async (primaryKey, i) => {
-    const userID = userIDs[i];
+    const signingUserID = signingUserIDs[i];
     if (!primaryKey.isPrivate()) {
       throw new Error('Need private key for signing');
     }
-    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, userID, config$1);
-    return createSignaturePacket(literalDataPacket, primaryKey, signingKey.keyPacket, { signatureType }, date, userID, notations, detached, config$1);
+    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, signingUserID, config$1);
+    return createSignaturePacket(literalDataPacket, recipientKeys.length ? recipientKeys : [primaryKey], signingKey.keyPacket, { signatureType }, date, recipientUserIDs, notations, detached, config$1);
   })).then(signatureList => {
     packetlist.push(...signatureList);
   });
@@ -22204,20 +22005,22 @@ class CleartextMessage {
 
   /**
    * Sign the cleartext message
-   * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
    * @param {Date} [date] - The creation time of the signature that should be created
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [signingKeyIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<CleartextMessage>} New cleartext message with signed content.
    * @async
    */
-  async sign(privateKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config$1 = config) {
+  async sign(signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config$1 = config) {
     const literalDataPacket = new LiteralDataPacket();
     literalDataPacket.setText(this.text);
-    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIDs, date, userIDs, notations, true, config$1));
+    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, true, config$1));
     return new CleartextMessage(this.text, newSignature);
   }
 
@@ -22653,7 +22456,7 @@ async function encrypt({ message, encryptionKeys, signingKeys, passwords, sessio
 
   try {
     if (signingKeys.length || signature) { // sign the message only if signing keys or signature is specified
-      message = await message.sign(signingKeys, signature, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      message = await message.sign(signingKeys, encryptionKeys, signature, signingKeyIDs, date, signingUserIDs, encryptionKeyIDs, signatureNotations, config$1);
     }
     message = message.compress(
       await getPreferredCompressionAlgo(encryptionKeys, date, encryptionUserIDs, config$1),
@@ -22732,6 +22535,7 @@ async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verifi
         result.data,
         fromAsync(async () => {
           await util.anyPromise(result.signatures.map(sig => sig.verified));
+          return format === 'binary' ? new Uint8Array() : '';
         })
       ]);
     }
@@ -22755,21 +22559,23 @@ async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verifi
  * @param {Object} options
  * @param {CleartextMessage|Message} options.message - (cleartext) message to be signed
  * @param {PrivateKey|PrivateKey[]} options.signingKeys - Array of keys or single key with decrypted secret key data to sign cleartext
+ * @param {Key|Key[]} options.recipientKeys - Array of keys or single to get the signing preferences from
  * @param {'armored'|'binary'|'object'} [options.format='armored'] - Format of the returned message
  * @param {Boolean} [options.detached=false] - If the return value should contain a detached signature
  * @param {KeyID|KeyID[]} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]
  * @param {Date} [options.date=current date] - Override the creation date of the signature
  * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
+ * @param {Object|Object[]} [options.recipientUserIDs=primary user IDs] - Array of user IDs to get the signing preferences from, one per key in `recipientKeys`
  * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]`
  * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
  * @returns {Promise<MaybeStream<String|Uint8Array>>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false).
  * @async
  * @static
  */
-async function sign({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function sign({ message, signingKeys, recipientKeys = [], format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); checkOutputMessageFormat(format);
-  signingKeys = toArray(signingKeys); signingKeyIDs = toArray(signingKeyIDs); signingUserIDs = toArray(signingUserIDs); signatureNotations = toArray(signatureNotations);
+  signingKeys = toArray(signingKeys); signingKeyIDs = toArray(signingKeyIDs); signingUserIDs = toArray(signingUserIDs); recipientKeys = toArray(recipientKeys); recipientUserIDs = toArray(recipientUserIDs); signatureNotations = toArray(signatureNotations);
 
   if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.sign, pass `signingKeys` instead');
   if (rest.armor !== undefined) throw new Error('The `armor` option has been removed from openpgp.sign, pass `format` instead.');
@@ -22785,9 +22591,9 @@ async function sign({ message, signingKeys, format = 'armored', detached = false
   try {
     let signature;
     if (detached) {
-      signature = await message.signDetached(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      signature = await message.signDetached(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config$1);
     } else {
-      signature = await message.sign(signingKeys, undefined, signingKeyIDs, date, signingUserIDs, signatureNotations, config$1);
+      signature = await message.sign(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config$1);
     }
     if (format === 'object') return signature;
 
@@ -22861,6 +22667,7 @@ async function verify({ message, verificationKeys, expectSigned = false, format
         result.data,
         fromAsync(async () => {
           await util.anyPromise(result.signatures.map(sig => sig.verified));
+          return format === 'binary' ? new Uint8Array() : '';
         })
       ]);
     }