@protontech/openpgp 6.0.0 → 6.0.1

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0 - 2024-11-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.1 - 2024-11-25 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1047,6 +1047,11 @@ var enums = {
     ed25519: 27,
     /** Ed448 (Sign only) */
     ed448: 28,
+    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
+    pqc_mlkem_x25519: 105,
+    /** Post-quantum ML-DSA-64 + Ed25519 (Sign only) */
+    pqc_mldsa_ed25519: 107,
+
     /** Persistent symmetric keys: encryption algorithm */
     aead: 100,
     /** Persistent symmetric keys: authentication algorithm */
@@ -1682,7 +1687,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0',
+  versionString: 'OpenPGP.js 6.0.1',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -3823,7 +3828,7 @@ function applySbox(sbox2, s0, s1, s2, s3) {
     return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
         (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
 }
-function encrypt$6(xk, s0, s1, s2, s3) {
+function encrypt$7(xk, s0, s1, s2, s3) {
     const { sbox2, T01, T23 } = tableEncoding;
     let k = 0;
     (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
@@ -3843,7 +3848,7 @@ function encrypt$6(xk, s0, s1, s2, s3) {
     return { s0: t0, s1: t1, s2: t2, s3: t3 };
 }
 // Can't be merged with encrypt: arg positions for apply0123 / applySbox are different
-function decrypt$6(xk, s0, s1, s2, s3) {
+function decrypt$7(xk, s0, s1, s2, s3) {
     const { sbox2, T01, T23 } = tableDecoding;
     let k = 0;
     (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
@@ -3881,7 +3886,7 @@ function ctrCounter(xk, nonce, src, dst) {
     const ctr = nonce;
     const c32 = u32$1(ctr);
     // Fill block (empty, ctr=0)
-    let { s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]);
     const src32 = u32$1(src);
     const dst32 = u32$1(dst);
     // process blocks
@@ -3897,7 +3902,7 @@ function ctrCounter(xk, nonce, src, dst) {
             ctr[i] = carry & 0xff;
             carry >>>= 8;
         }
-        ({ s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]));
+        ({ s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]));
     }
     // leftovers (less than block)
     // It's possible to handle > u32 fast, but is it worth it?
@@ -3927,7 +3932,7 @@ function ctr32(xk, isLE, nonce, src, dst) {
     const srcLen = src.length;
     // Fill block (empty, ctr=0)
     let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
-    let { s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]);
     // process blocks
     for (let i = 0; i + 4 <= src32.length; i += 4) {
         dst32[i + 0] = src32[i + 0] ^ s0;
@@ -3936,7 +3941,7 @@ function ctr32(xk, isLE, nonce, src, dst) {
         dst32[i + 3] = src32[i + 3] ^ s3;
         ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
         view.setUint32(ctrPos, ctrNum, isLE);
-        ({ s0, s1, s2, s3 } = encrypt$6(xk, c32[0], c32[1], c32[2], c32[3]));
+        ({ s0, s1, s2, s3 } = encrypt$7(xk, c32[0], c32[1], c32[2], c32[3]));
     }
     // leftovers (less than a block)
     const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
@@ -4048,13 +4053,13 @@ const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv,
             let i = 0;
             for (; i + 4 <= b.length;) {
                 (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
-                ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+                ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
                 (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
             }
             if (pcks5) {
                 const tmp32 = padPCKS(plaintext.subarray(i * 4));
                 (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
-                ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+                ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
                 (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
             }
             clean(...toClean);
@@ -4079,7 +4084,7 @@ const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv,
                 // prettier-ignore
                 const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
                 (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
-                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt$6(xk, s0, s1, s2, s3);
+                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt$7(xk, s0, s1, s2, s3);
                 (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
             }
             clean(...toClean);
@@ -4112,7 +4117,7 @@ const cfb$1 = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cfb(key, i
         // prettier-ignore
         let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
         for (let i = 0; i + 4 <= src32.length;) {
-            const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt$6(xk, s0, s1, s2, s3);
+            const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt$7(xk, s0, s1, s2, s3);
             dst32[i + 0] = src32[i + 0] ^ e0;
             dst32[i + 1] = src32[i + 1] ^ e1;
             dst32[i + 2] = src32[i + 2] ^ e2;
@@ -4122,7 +4127,7 @@ const cfb$1 = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cfb(key, i
         // leftovers (less than block)
         const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
         if (start < srcLen) {
-            ({ s0, s1, s2, s3 } = encrypt$6(xk, s0, s1, s2, s3));
+            ({ s0, s1, s2, s3 } = encrypt$7(xk, s0, s1, s2, s3));
             const buf = u8$1(new Uint32Array([s0, s1, s2, s3]));
             for (let i = start, pos = 0; i < srcLen; i++, pos++)
                 dst[i] = src[i] ^ buf[pos];
@@ -4243,7 +4248,7 @@ function encryptBlock(xk, block) {
     if (!isBytes32(xk))
         throw new Error('_encryptBlock accepts result of expandKeyLE');
     const b32 = u32$1(block);
-    let { s0, s1, s2, s3 } = encrypt$6(xk, b32[0], b32[1], b32[2], b32[3]);
+    let { s0, s1, s2, s3 } = encrypt$7(xk, b32[0], b32[1], b32[2], b32[3]);
     (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
     return block;
 }
@@ -4252,7 +4257,7 @@ function decryptBlock(xk, block) {
     if (!isBytes32(xk))
         throw new Error('_decryptBlock accepts result of expandKeyLE');
     const b32 = u32$1(block);
-    let { s0, s1, s2, s3 } = decrypt$6(xk, b32[0], b32[1], b32[2], b32[3]);
+    let { s0, s1, s2, s3 } = decrypt$7(xk, b32[0], b32[1], b32[2], b32[3]);
     (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);
     return block;
 }
@@ -4293,7 +4298,7 @@ const AESW = {
             let a0 = o32[0], a1 = o32[1]; // A
             for (let j = 0, ctr = 1; j < 6; j++) {
                 for (let pos = 2; pos < o32.length; pos += 2, ctr++) {
-                    const { s0, s1, s2, s3 } = encrypt$6(xk, a0, a1, o32[pos], o32[pos + 1]);
+                    const { s0, s1, s2, s3 } = encrypt$7(xk, a0, a1, o32[pos], o32[pos + 1]);
                     // A = MSB(64, B) ^ t where t = (n*j)+i
                     (a0 = s0), (a1 = s1 ^ byteSwap(ctr)), (o32[pos] = s2), (o32[pos + 1] = s3);
                 }
@@ -4316,7 +4321,7 @@ const AESW = {
             for (let j = 0, ctr = chunks * 6; j < 6; j++) {
                 for (let pos = chunks * 2; pos >= 1; pos -= 2, ctr--) {
                     a1 ^= byteSwap(ctr);
-                    const { s0, s1, s2, s3 } = decrypt$6(xk, a0, a1, o32[pos], o32[pos + 1]);
+                    const { s0, s1, s2, s3 } = decrypt$7(xk, a0, a1, o32[pos], o32[pos + 1]);
                     (a0 = s0), (a1 = s1), (o32[pos] = s2), (o32[pos + 1] = s3);
                 }
             }
@@ -4363,8 +4368,8 @@ const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({
 const unsafe = {
     expandKeyLE,
     expandKeyDecLE,
-    encrypt: encrypt$6,
-    decrypt: decrypt$6,
+    encrypt: encrypt$7,
+    decrypt: decrypt$7,
     encryptBlock,
     decryptBlock,
     ctrCounter,
@@ -4398,7 +4403,7 @@ const nodeAlgos = {
  * @param {Object} config - full configuration, defaults to openpgp.config
  * @returns MaybeStream<Uint8Array>
  */
-async function encrypt$5(algo, key, plaintext, iv, config) {
+async function encrypt$6(algo, key, plaintext, iv, config) {
   const algoName = enums.read(enums.symmetric, algo);
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt$1(algo, key, plaintext, iv);
@@ -4441,7 +4446,7 @@ async function encrypt$5(algo, key, plaintext, iv, config) {
  * @param {Uint8Array} iv
  * @returns MaybeStream<Uint8Array>
  */
-async function decrypt$5(algo, key, ciphertext, iv) {
+async function decrypt$6(algo, key, ciphertext, iv) {
   const algoName = enums.read(enums.symmetric, algo);
   if (nodeCrypto$a && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt$1(algo, key, ciphertext, iv);
@@ -4716,8 +4721,8 @@ function nodeDecrypt$1(algo, key, ct, iv) {
 
 var cfb = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$5,
-  encrypt: encrypt$5
+  decrypt: decrypt$6,
+  encrypt: encrypt$6
 });
 
 /**
@@ -6095,7 +6100,7 @@ const _1n$3 = BigInt(1);
  * @returns {Promise<Uint8Array>} RSA Signature.
  * @async
  */
-async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
+async function sign$a(hashAlgo, data, n, e, d, p, q, u, hashed) {
   if (hash.getHashByteLength(hashAlgo) >= n.length) {
     // Throw here instead of `emsaEncode` below, to provide a clearer and consistent error
     // e.g. if a 512-bit RSA key is used with a SHA-512 digest.
@@ -6129,7 +6134,7 @@ async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$8(hashAlgo, data, s, n, e, hashed) {
+async function verify$b(hashAlgo, data, s, n, e, hashed) {
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6152,7 +6157,7 @@ async function verify$8(hashAlgo, data, s, n, e, hashed) {
  * @returns {Promise<Uint8Array>} RSA Ciphertext.
  * @async
  */
-async function encrypt$4(data, n, e) {
+async function encrypt$5(data, n, e) {
   if (util.getNodeCrypto()) {
     return nodeEncrypt(data, n, e);
   }
@@ -6174,7 +6179,7 @@ async function encrypt$4(data, n, e) {
  * @throws {Error} on decryption error, unless `randomPayload` is given
  * @async
  */
-async function decrypt$4(data, n, e, d, p, q, u, randomPayload) {
+async function decrypt$5(data, n, e, d, p, q, u, randomPayload) {
   // Node v18.19.1, 20.11.1 and 21.6.2 have disabled support for PKCS#1 decryption,
   // and we want to avoid checking the error type to decide if the random payload
   // should indeed be returned.
@@ -6201,7 +6206,7 @@ async function decrypt$4(data, n, e, d, p, q, u, randomPayload) {
  *                                  RSA private prime p, RSA private prime q, u = p ** -1 mod q
  * @async
  */
-async function generate$5(bits, e) {
+async function generate$b(bits, e) {
   e = BigInt(e);
 
   // Native RSA keygen using Web Crypto
@@ -6281,7 +6286,7 @@ async function generate$5(bits, e) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$8(n, e, d, p, q, u) {
+async function validateParams$e(n, e, d, p, q, u) {
   n = uint8ArrayToBigInt(n);
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
@@ -6511,12 +6516,12 @@ function jwkToPrivate(jwk, e) {
 
 var rsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$4,
-  encrypt: encrypt$4,
-  generate: generate$5,
-  sign: sign$7,
-  validateParams: validateParams$8,
-  verify: verify$8
+  decrypt: decrypt$5,
+  encrypt: encrypt$5,
+  generate: generate$b,
+  sign: sign$a,
+  validateParams: validateParams$e,
+  verify: verify$b
 });
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6549,7 +6554,7 @@ const _1n$2 = BigInt(1);
  * @returns {Promise<{ c1: Uint8Array, c2: Uint8Array }>}
  * @async
  */
-async function encrypt$3(data, p, g, y) {
+async function encrypt$4(data, p, g, y) {
   p = uint8ArrayToBigInt(p);
   g = uint8ArrayToBigInt(g);
   y = uint8ArrayToBigInt(y);
@@ -6578,7 +6583,7 @@ async function encrypt$3(data, p, g, y) {
  * @throws {Error} on decryption error, unless `randomPayload` is given
  * @async
  */
-async function decrypt$3(c1, c2, p, x, randomPayload) {
+async function decrypt$4(c1, c2, p, x, randomPayload) {
   c1 = uint8ArrayToBigInt(c1);
   c2 = uint8ArrayToBigInt(c2);
   p = uint8ArrayToBigInt(p);
@@ -6597,7 +6602,7 @@ async function decrypt$3(c1, c2, p, x, randomPayload) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$7(p, g, y, x) {
+async function validateParams$d(p, g, y, x) {
   p = uint8ArrayToBigInt(p);
   g = uint8ArrayToBigInt(g);
   y = uint8ArrayToBigInt(y);
@@ -6658,9 +6663,9 @@ async function validateParams$7(p, g, y, x) {
 
 var elgamal = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$3,
-  encrypt: encrypt$3,
-  validateParams: validateParams$7
+  decrypt: decrypt$4,
+  encrypt: encrypt$4,
+  validateParams: validateParams$d
 });
 
 // declare const globalThis: Record<string, any> | undefined;
@@ -9141,7 +9146,7 @@ function finishVerification(publicKey, r, SB, hashed) {
     const RkA = ExtendedPoint.fromAffine(r).add(kA);
     return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
 }
-async function verify$7(sig, message, publicKey) {
+async function verify$a(sig, message, publicKey) {
     const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
     const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
     return finishVerification(pub, r, SB, hashed);
@@ -9240,7 +9245,7 @@ Object.defineProperties(utils, {
  * @param {module:enums.publicKey} algo - Algorithm identifier
  * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
  */
-async function generate$4(algo) {
+async function generate$a(algo) {
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
@@ -9287,7 +9292,7 @@ async function generate$4(algo) {
  * }>} Signature of the message
  * @async
  */
-async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
     // Enforce digest sizes:
     // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
@@ -9337,7 +9342,7 @@ async function sign$6(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$2(algo))) {
     // Enforce digest sizes:
     // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
@@ -9356,7 +9361,7 @@ async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
         if (err.name !== 'NotSupportedError') {
           throw err;
         }
-        return verify$7(RS, hashed, publicKey);
+        return verify$a(RS, hashed, publicKey);
       }
 
     case enums.publicKey.ed448: {
@@ -9376,7 +9381,7 @@ async function verify$6(algo, hashAlgo, { RS }, m, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$6(algo, A, seed) {
+async function validateParams$c(algo, A, seed) {
   switch (algo) {
     case enums.publicKey.ed25519: {
       /**
@@ -9453,12 +9458,12 @@ const privateKeyToJWK = (algo, publicKey, privateKey) => {
 
 var eddsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  generate: generate$4,
+  generate: generate$a,
   getPayloadSize: getPayloadSize$1,
   getPreferredHashAlgo: getPreferredHashAlgo$2,
-  sign: sign$6,
-  validateParams: validateParams$6,
-  verify: verify$6
+  sign: sign$9,
+  validateParams: validateParams$c,
+  verify: verify$9
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9589,7 +9594,7 @@ const HKDF_INFO = {
  * @param {module:enums.publicKey} algo - Algorithm identifier
  * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
  */
-async function generate$3(algo) {
+async function generate$9(algo) {
   switch (algo) {
     case enums.publicKey.x25519: {
       // k stays in little-endian, unlike legacy ECDH over curve25519
@@ -9617,7 +9622,7 @@ async function generate$3(algo) {
 * @returns {Promise<Boolean>} Whether params are valid.
 * @async
 */
-async function validateParams$5(algo, A, k) {
+async function validateParams$b(algo, A, k) {
   switch (algo) {
     case enums.publicKey.x25519: {
       /**
@@ -9654,7 +9659,7 @@ async function validateParams$5(algo, A, k) {
  * }>} ephemeral public key (K_A) and encrypted key
  * @async
  */
-async function encrypt$2(algo, data, recipientA) {
+async function encrypt$3(algo, data, recipientA) {
   const { ephemeralPublicKey, sharedSecret } = await generateEphemeralEncryptionMaterial(algo, recipientA);
   const hkdfInput = util.concatUint8Array([
     ephemeralPublicKey,
@@ -9693,7 +9698,7 @@ async function encrypt$2(algo, data, recipientA) {
  * @returns {Promise<Uint8Array>} decrypted session key data
  * @async
  */
-async function decrypt$2(algo, ephemeralPublicKey, wrappedKey, A, k) {
+async function decrypt$3(algo, ephemeralPublicKey, wrappedKey, A, k) {
   const sharedSecret = await recomputeSharedSecret(algo, ephemeralPublicKey, A, k);
   const hkdfInput = util.concatUint8Array([
     ephemeralPublicKey,
@@ -9794,13 +9799,13 @@ function assertNonZeroArray(sharedSecret) {
 
 var ecdh_x = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$2,
-  encrypt: encrypt$2,
-  generate: generate$3,
+  decrypt: decrypt$3,
+  encrypt: encrypt$3,
+  generate: generate$9,
   generateEphemeralEncryptionMaterial: generateEphemeralEncryptionMaterial,
   getPayloadSize: getPayloadSize,
   recomputeSharedSecret: recomputeSharedSecret,
-  validateParams: validateParams$5
+  validateParams: validateParams$b
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9976,7 +9981,7 @@ class CurveWithOID {
         return nodeGenKeyPair(this.name);
       case 'curve25519Legacy': {
         // the private key must be stored in big endian and already clamped: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.5.5.6.1.1-3
-        const { k, A } = await generate$3(enums.publicKey.x25519);
+        const { k, A } = await generate$9(enums.publicKey.x25519);
         const privateKey = k.slice().reverse();
         privateKey[0] = (privateKey[0] & 127) | 64;
         privateKey[31] &= 248;
@@ -9984,7 +9989,7 @@ class CurveWithOID {
         return { publicKey, privateKey };
       }
       case 'ed25519Legacy': {
-        const { seed: privateKey, A } = await generate$4(enums.publicKey.ed25519);
+        const { seed: privateKey, A } = await generate$a(enums.publicKey.ed25519);
         const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), A]);
         return { publicKey, privateKey };
       }
@@ -9994,7 +9999,7 @@ class CurveWithOID {
   }
 }
 
-async function generate$2(curveName) {
+async function generate$8(curveName) {
   const curve = new CurveWithOID(curveName);
   const { oid, hash, cipher } = curve;
   const keyPair = await curve.genKeyPair();
@@ -10212,7 +10217,7 @@ const nodeCrypto$2 = util.getNodeCrypto();
  * }>} Signature of the message
  * @async
  */
-async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$8(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (message && !util.isStream(message)) {
@@ -10259,7 +10264,7 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$5(oid, hashAlgo, signature, message, publicKey, hashed) {
+async function verify$8(oid, hashAlgo, signature, message, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   // See https://github.com/openpgpjs/openpgpjs/pull/948.
@@ -10310,7 +10315,7 @@ async function verify$5(oid, hashAlgo, signature, message, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$4(oid, Q, d) {
+async function validateParams$a(oid, Q, d) {
   const curve = new CurveWithOID(oid);
   // Reject curves x25519 and ed25519
   if (curve.keyType !== enums.publicKey.ecdsa) {
@@ -10326,9 +10331,9 @@ async function validateParams$4(oid, Q, d) {
       const hashAlgo = enums.hash.sha256;
       const hashed = await hash.digest(hashAlgo, message);
       try {
-        const signature = await sign$5(oid, hashAlgo, message, Q, d, hashed);
+        const signature = await sign$8(oid, hashAlgo, message, Q, d, hashed);
         // eslint-disable-next-line @typescript-eslint/return-await
-        return await verify$5(oid, hashAlgo, signature, message, Q, hashed);
+        return await verify$8(oid, hashAlgo, signature, message, Q, hashed);
       } catch (err) {
         return false;
       }
@@ -10459,9 +10464,9 @@ async function nodeVerify(curve, hashAlgo, { r, s }, message, publicKey) {
 
 var ecdsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$5,
-  validateParams: validateParams$4,
-  verify: verify$5
+  sign: sign$8,
+  validateParams: validateParams$a,
+  verify: verify$8
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -10496,7 +10501,7 @@ var ecdsa = /*#__PURE__*/Object.freeze({
  * }>} Signature of the message
  * @async
  */
-async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
@@ -10505,7 +10510,7 @@ async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
     // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
-  const { RS: signature } = await sign$6(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
+  const { RS: signature } = await sign$9(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -10525,7 +10530,7 @@ async function sign$4(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+async function verify$7(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
@@ -10535,7 +10540,7 @@ async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const RS = util.concatUint8Array([r, s]);
-  return verify$6(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
+  return verify$9(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
 }
 /**
  * Validate legacy EdDSA parameters
@@ -10545,7 +10550,7 @@ async function verify$4(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$3(oid, Q, k) {
+async function validateParams$9(oid, Q, k) {
   // Check whether the given curve is supported
   if (oid.getName() !== enums.curve.ed25519Legacy) {
     return false;
@@ -10563,9 +10568,9 @@ async function validateParams$3(oid, Q, k) {
 
 var eddsa_legacy = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$4,
-  validateParams: validateParams$3,
-  verify: verify$4
+  sign: sign$7,
+  validateParams: validateParams$9,
+  verify: verify$7
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -10660,7 +10665,7 @@ const nodeCrypto$1 = util.getNodeCrypto();
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$2(oid, Q, d) {
+async function validateParams$8(oid, Q, d) {
   return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
 }
 
@@ -10743,7 +10748,7 @@ async function genPublicEphemeralKey(curve, Q) {
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
  * @async
  */
-async function encrypt$1(oid, kdfParams, data, Q, fingerprint) {
+async function encrypt$2(oid, kdfParams, data, Q, fingerprint) {
   const m = encode(data);
 
   const curve = new CurveWithOID(oid);
@@ -10808,7 +10813,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @returns {Promise<Uint8Array>} Value derived from session key.
  * @async
  */
-async function decrypt$1(oid, kdfParams, V, C, Q, d, fingerprint) {
+async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, Q);
   checkPublicPointEnconding(curve, V);
@@ -10982,9 +10987,9 @@ async function nodePublicEphemeralKey(curve, Q) {
 
 var ecdh = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  decrypt: decrypt$1,
-  encrypt: encrypt$1,
-  validateParams: validateParams$2
+  decrypt: decrypt$2,
+  encrypt: encrypt$2,
+  validateParams: validateParams$8
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -11012,7 +11017,7 @@ var elliptic = /*#__PURE__*/Object.freeze({
   ecdsa: ecdsa,
   eddsa: eddsa,
   eddsaLegacy: eddsa_legacy,
-  generate: generate$2,
+  generate: generate$8,
   getPreferredHashAlgo: getPreferredHashAlgo$1
 });
 
@@ -11054,7 +11059,7 @@ const _1n = BigInt(1);
  * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
  * @async
  */
-async function sign$3(hashAlgo, hashed, g, p, q, x) {
+async function sign$6(hashAlgo, hashed, g, p, q, x) {
   const _0n = BigInt(0);
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
@@ -11112,7 +11117,7 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @returns {boolean}
  * @async
  */
-async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+async function verify$6(hashAlgo, r, s, hashed, g, p, q, y) {
   r = uint8ArrayToBigInt(r);
   s = uint8ArrayToBigInt(s);
 
@@ -11153,7 +11158,7 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$1(p, q, g, y, x) {
+async function validateParams$7(p, q, g, y, x) {
   p = uint8ArrayToBigInt(p);
   q = uint8ArrayToBigInt(q);
   g = uint8ArrayToBigInt(g);
@@ -11206,9 +11211,9 @@ async function validateParams$1(p, q, g, y, x) {
 
 var dsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$3,
-  validateParams: validateParams$1,
-  verify: verify$3
+  sign: sign$6,
+  validateParams: validateParams$7,
+  verify: verify$6
 });
 
 const supportedHashAlgos = new Set([enums.hash.sha1, enums.hash.sha256, enums.hash.sha512]);
@@ -11216,7 +11221,7 @@ const supportedHashAlgos = new Set([enums.hash.sha1, enums.hash.sha256, enums.ha
 const webCrypto = util.getWebCrypto();
 const nodeCrypto = util.getNodeCrypto();
 
-async function generate$1(hashAlgo) {
+async function generate$7(hashAlgo) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11235,7 +11240,7 @@ async function generate$1(hashAlgo) {
   return new Uint8Array(exportedKey);
 }
 
-async function sign$2(hashAlgo, key, data) {
+async function sign$5(hashAlgo, key, data) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11256,7 +11261,7 @@ async function sign$2(hashAlgo, key, data) {
   return new Uint8Array(mac);
 }
 
-async function verify$2(hashAlgo, key, mac, data) {
+async function verify$5(hashAlgo, key, mac, data) {
   if (!supportedHashAlgos.has(hashAlgo)) {
     throw new Error('Unsupported hash algorithm.');
   }
@@ -11277,12 +11282,390 @@ async function verify$2(hashAlgo, key, mac, data) {
 }
 
 var hmac = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$7,
+  sign: sign$5,
+  verify: verify$5
+});
+
+async function generate$6(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { A, k } = await generate$9(enums.publicKey.x25519);
+      return {
+        eccPublicKey: A,
+        eccSecretKey: k
+      };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function encaps$1(eccAlgo, eccRecipientPublicKey) {
+  switch (eccAlgo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ephemeralPublicKey: eccCipherText, sharedSecret: eccSharedSecret } = await generateEphemeralEncryptionMaterial(enums.publicKey.x25519, eccRecipientPublicKey);
+      const eccKeyShare = await hash.sha3_256(util.concatUint8Array([
+        eccSharedSecret,
+        eccCipherText,
+        eccRecipientPublicKey
+      ]));
+      return {
+        eccCipherText,
+        eccKeyShare
+      };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function decaps$1(eccAlgo, eccCipherText, eccSecretKey, eccPublicKey) {
+  switch (eccAlgo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccSharedSecret = await recomputeSharedSecret(enums.publicKey.x25519, eccCipherText, eccPublicKey, eccSecretKey);
+      const eccKeyShare = await hash.sha3_256(util.concatUint8Array([
+        eccSharedSecret,
+        eccCipherText,
+        eccPublicKey
+      ]));
+      return eccKeyShare;
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function validateParams$6(algo, eccPublicKey, eccSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519:
+      return validateParams$b(enums.publicKey.x25519, eccPublicKey, eccSecretKey);
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function generate$5(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const mlkemSeed = getRandomBytes(64);
+      const { mlkemSecretKey, mlkemPublicKey } = await expandSecretSeed$1(algo, mlkemSeed);
+
+      return { mlkemSeed, mlkemSecretKey, mlkemPublicKey };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+/**
+ * Expand ML-KEM secret seed and retrieve the secret and public key material
+ * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {Uint8Array} seed - secret seed to expand
+ * @returns {Promise<{ mlkemPublicKey: Uint8Array, mlkemSecretKey: Uint8Array }>}
+ */
+async function expandSecretSeed$1(algo, seed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const { publicKey: encapsulationKey, secretKey: decapsulationKey } = ml_kem768.keygen(seed);
+
+      return { mlkemPublicKey: encapsulationKey, mlkemSecretKey: decapsulationKey };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function encaps(algo, mlkemRecipientPublicKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const { cipherText: mlkemCipherText, sharedSecret: mlkemKeyShare } = ml_kem768.encapsulate(mlkemRecipientPublicKey);
+
+      return { mlkemCipherText, mlkemKeyShare };
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function decaps(algo, mlkemCipherText, mlkemSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { ml_kem768 } = await import('./noble_post_quantum.mjs');
+      const mlkemKeyShare = ml_kem768.decapsulate(mlkemCipherText, mlkemSecretKey);
+
+      return mlkemKeyShare;
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function validateParams$5(algo, mlkemPublicKey, mlkemSeed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { mlkemPublicKey: expectedPublicKey } = await expandSecretSeed$1(algo, mlkemSeed);
+      return util.equalsUint8Array(mlkemPublicKey, expectedPublicKey);
+    }
+    default:
+      throw new Error('Unsupported KEM algorithm');
+  }
+}
+
+async function generate$4(algo) {
+  const { eccPublicKey, eccSecretKey } = await generate$6(algo);
+  const { mlkemPublicKey, mlkemSeed, mlkemSecretKey } = await generate$5(algo);
+
+  return { eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed, mlkemSecretKey };
+}
+
+async function encrypt$1(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
+  const { eccKeyShare, eccCipherText } = await encaps$1(algo, eccPublicKey);
+  const { mlkemKeyShare, mlkemCipherText } = await encaps(algo, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const wrappedKey = await wrap(enums.symmetric.aes256, kek, sessioneKeyData); // C
+  return { eccCipherText, mlkemCipherText, wrappedKey };
+}
+
+async function decrypt$1(algo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, encryptedSessionKeyData) {
+  const eccKeyShare = await decaps$1(algo, eccCipherText, eccSecretKey, eccPublicKey);
+  const mlkemKeyShare = await decaps(algo, mlkemCipherText, mlkemSecretKey);
+  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const sessionKey = await unwrap(enums.symmetric.aes256, kek, encryptedSessionKeyData);
+  return sessionKey;
+}
+
+async function multiKeyCombine(algo, ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey) {
+  // LAMPS-aligned and NIST compatible combiner, proposed in: https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
+  // 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
+  //     where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId" for OpenPGP
+  const encData = util.concatUint8Array([
+    mlkemKeyShare,
+    ecdhKeyShare,
+    ecdhCipherText,
+    ecdhPublicKey,
+    // domSep
+    mlkemCipherText,
+    mlkemPublicKey,
+    new Uint8Array([algo])
+  ]);
+
+  const kek = await hash.digest(enums.hash.sha3_256, encData);
+  return kek;
+}
+
+async function validateParams$4(algo, eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed) {
+  const eccValidationPromise = validateParams$6(algo, eccPublicKey, eccSecretKey);
+  const mlkemValidationPromise = validateParams$5(algo, mlkemPublicKey, mlkemSeed);
+  const valid = await eccValidationPromise && await mlkemValidationPromise;
+  return valid;
+}
+
+var index$1 = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  decrypt: decrypt$1,
+  encrypt: encrypt$1,
+  generate: generate$4,
+  mlkemExpandSecretSeed: expandSecretSeed$1,
+  validateParams: validateParams$4
+});
+
+async function generate$3(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const mldsaSeed = getRandomBytes(32);
+      const { mldsaSecretKey, mldsaPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+
+      return { mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+/**
+ * Expand ML-DSA secret seed and retrieve the secret and public key material
+ * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {Uint8Array} seed - secret seed to expand
+ * @returns {Promise<{ mldsaPublicKey: Uint8Array, mldsaSecretKey: Uint8Array }>}
+ */
+async function expandSecretSeed(algo, seed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      const { secretKey: mldsaSecretKey, publicKey: mldsaPublicKey } = ml_dsa65.keygen(seed);
+
+      return { mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$4(algo, mldsaSecretKey, dataDigest) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      const mldsaSignature = ml_dsa65.sign(mldsaSecretKey, dataDigest);
+      return { mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$4(algo, mldsaPublicKey, dataDigest, mldsaSignature) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('./noble_post_quantum.mjs');
+      return ml_dsa65.verify(mldsaPublicKey, dataDigest, mldsaSignature);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$3(algo, mldsaPublicKey, mldsaSeed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { mldsaPublicKey: expectedPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+      return util.equalsUint8Array(mldsaPublicKey, expectedPublicKey);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function generate$2(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { A, seed } = await generate$a(enums.publicKey.ed25519);
+      return {
+        eccPublicKey: A,
+        eccSecretKey: seed
+      };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { RS: eccSignature } = await sign$9(enums.publicKey.ed25519, hashAlgo, null, eccPublicKey, eccSecretKey, dataDigest);
+
+      return { eccSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return verify$9(enums.publicKey.ed25519, hashAlgo, { RS: eccSignature }, null, eccPublicKey, dataDigest);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$2(algo, eccPublicKey, eccSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return validateParams$c(enums.publicKey.ed25519, eccPublicKey, eccSecretKey);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function generate$1(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSecretKey, eccPublicKey } = await generate$2(algo);
+      const { mldsaSeed, mldsaSecretKey, mldsaPublicKey } = await generate$3(algo);
+      return { eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSignature } = await sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
+      const { mldsaSignature } = await sign$4(signatureAlgo, mldsaSecretKey, dataDigest);
+
+      return { eccSignature, mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccVerifiedPromise = verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
+      const mldsaVerifiedPromise = verify$4(signatureAlgo, mldsaPublicKey, dataDigest, mldsaSignature);
+      const verified = await eccVerifiedPromise && await mldsaVerifiedPromise;
+      return verified;
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+function getRequiredHashAlgo(signatureAlgo) {
+  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return enums.hash.sha3_256;
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+async function validateParams$1(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed) {
+  const eccValidationPromise = validateParams$2(algo, eccPublicKey, eccSecretKey);
+  const mldsaValidationPromise = validateParams$3(algo, mldsaPublicKey, mldsaSeed);
+  const valid = await eccValidationPromise && await mldsaValidationPromise;
+  return valid;
+}
+
+var index = /*#__PURE__*/Object.freeze({
   __proto__: null,
   generate: generate$1,
+  getRequiredHashAlgo: getRequiredHashAlgo,
+  mldsaExpandSecretSeed: expandSecretSeed,
   sign: sign$2,
+  validateParams: validateParams$1,
   verify: verify$2
 });
 
+var postQuantum = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  kem: index$1,
+  signature: index
+});
+
 /**
  * @fileoverview Asymmetric cryptography functions
  * @module crypto/public_key
@@ -11299,7 +11682,9 @@ var publicKey = {
   /** @see module:crypto/public_key/dsa */
   dsa: dsa,
   /** @see module:crypto/public_key/hmac */
-  hmac: hmac
+  hmac: hmac,
+  /** @see module:crypto/public_key/post_quantum */
+  postQuantum
 };
 
 class ShortByteString {
@@ -11398,6 +11783,12 @@ function parseSignatureParams(algo, signature) {
       const mac = new ShortByteString(); read += mac.read(signature.subarray(read));
       return { read, signatureParams: { mac } };
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccSignatureSize = 2 * publicKey.elliptic.eddsa.getPayloadSize(enums.publicKey.ed25519);
+      const eccSignature = util.readExactSubarray(signature, read, read + eccSignatureSize); read += eccSignature.length;
+      const mldsaSignature = util.readExactSubarray(signature, read, read + 3309); read += mldsaSignature.length;
+      return { read, signatureParams: { eccSignature, mldsaSignature } };
+    }
     default:
       throw new UnsupportedError('Unknown signature algorithm.');
   }
@@ -11462,6 +11853,10 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       const { keyMaterial } = privateParams;
       return publicKey.hmac.verify(algo.getValue(), keyMaterial, signature.mac.data, hashed);
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccPublicKey, mldsaPublicKey } = publicParams;
+      return publicKey.postQuantum.signature.verify(algo, hashAlgo, eccPublicKey, mldsaPublicKey, hashed, signature);
+    }
     default:
       throw new Error('Unknown signature algorithm.');
   }
@@ -11523,6 +11918,11 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const mac = await publicKey.hmac.sign(algo.getValue(), keyMaterial, hashed);
       return { mac: new ShortByteString(mac) };
     }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccPublicKey } = publicKeyParams;
+      const { eccSecretKey, mldsaSecretKey } = privateKeyParams;
+      return publicKey.postQuantum.signature.sign(algo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, hashed);
+    }
     default:
       throw new Error('Unknown signature algorithm.');
   }
@@ -11862,6 +12262,12 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
       const c = await modeInstance.encrypt(data, iv, new Uint8Array());
       return { aeadMode: new AEADEnum(aeadMode), iv, c: new ShortByteString(c) };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccPublicKey, mlkemPublicKey } = publicParams;
+      const { eccCipherText, mlkemCipherText, wrappedKey } = await publicKey.postQuantum.kem.encrypt(keyAlgo, eccPublicKey, mlkemPublicKey, data);
+      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+      return { eccCipherText, mlkemCipherText, C };
+    }
     default:
       return [];
   }
@@ -11881,8 +12287,8 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
  * @throws {Error} on sensitive decryption error, unless `randomPayload` is given
  * @async
  */
-async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint, randomPayload) {
-  switch (algo) {
+async function publicKeyDecrypt(keyAlgo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint, randomPayload) {
+  switch (keyAlgo) {
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaEncrypt: {
       const { c } = sessionKeyParams;
@@ -11912,7 +12318,7 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
         throw new Error('AES session key expected');
       }
       return publicKey.elliptic.ecdhX.decrypt(
-        algo, ephemeralPublicKey, C.wrappedKey, A, k);
+        keyAlgo, ephemeralPublicKey, C.wrappedKey, A, k);
     }
     case enums.publicKey.aead: {
       const { cipher: algo } = publicKeyParams;
@@ -11925,6 +12331,12 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
       const modeInstance = await mode(algoValue, keyMaterial);
       return modeInstance.decrypt(c.data, iv, new Uint8Array());
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccSecretKey, mlkemSecretKey } = privateKeyParams;
+      const { eccPublicKey, mlkemPublicKey } = publicKeyParams;
+      const { eccCipherText, mlkemCipherText, C } = sessionKeyParams;
+      return publicKey.postQuantum.kem.decrypt(keyAlgo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, C.wrappedKey);
+    }
     default:
       throw new Error('Unknown public key encryption algorithm.');
   }
@@ -11996,6 +12408,16 @@ function parsePublicKeyParams(algo, bytes) {
       const digest = bytes.subarray(read, read + digestLength); read += digestLength;
       return { read: read, publicParams: { cipher: algo, digest } };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccPublicKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccPublicKey.length;
+      const mlkemPublicKey = util.readExactSubarray(bytes, read, read + 1184); read += mlkemPublicKey.length;
+      return { read, publicParams: { eccPublicKey, mlkemPublicKey } };
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccPublicKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.ed25519)); read += eccPublicKey.length;
+      const mldsaPublicKey = util.readExactSubarray(bytes, read, read + 1952); read += mldsaPublicKey.length;
+      return { read, publicParams: { eccPublicKey, mldsaPublicKey } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -12008,7 +12430,7 @@ function parsePublicKeyParams(algo, bytes) {
  * @param {Object} publicParams - (ECC and symmetric only) public params, needed to format some private params
  * @returns {{ read: Number, privateParams: Object }} Number of read bytes plus the key parameters referenced by name.
  */
-function parsePrivateKeyParams(algo, bytes, publicParams) {
+async function parsePrivateKeyParams(algo, bytes, publicParams) {
   let read = 0;
   switch (algo) {
     case enums.publicKey.rsaEncrypt:
@@ -12067,6 +12489,18 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
       const keyMaterial = bytes.subarray(read, read + keySize); read += keySize;
       return { read, privateParams: { hashSeed, keyMaterial } };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccSecretKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccSecretKey.length;
+      const mlkemSeed = util.readExactSubarray(bytes, read, read + 64); read += mlkemSeed.length;
+      const { mlkemSecretKey } = await publicKey.postQuantum.kem.mlkemExpandSecretSeed(algo, mlkemSeed);
+      return { read, privateParams: { eccSecretKey, mlkemSecretKey, mlkemSeed } };
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccSecretKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.ed25519)); read += eccSecretKey.length;
+      const mldsaSeed = util.readExactSubarray(bytes, read, read + 32); read += mldsaSeed.length;
+      const { mldsaSecretKey } = await publicKey.postQuantum.signature.mldsaExpandSecretSeed(algo, mldsaSeed);
+      return { read, privateParams: { eccSecretKey, mldsaSecretKey, mldsaSeed } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -12130,6 +12564,12 @@ function parseEncSessionKeyParams(algo, bytes) {
 
       return { aeadMode, iv, c };
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const eccCipherText = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.x25519)); read += eccCipherText.length;
+      const mlkemCipherText = util.readExactSubarray(bytes, read, read + 1088); read += mlkemCipherText.length;
+      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+      return { eccCipherText, mlkemCipherText, C }; // eccCipherText || mlkemCipherText || len(C) || C
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -12149,9 +12589,21 @@ function serializeParams(algo, params) {
     enums.publicKey.ed448,
     enums.publicKey.x448,
     enums.publicKey.aead,
-    enums.publicKey.hmac
+    enums.publicKey.hmac,
+    enums.publicKey.pqc_mlkem_x25519,
+    enums.publicKey.pqc_mldsa_ed25519
   ]);
+
+  const excludedFields = {
+    [enums.publicKey.pqc_mlkem_x25519]: new Set(['mlkemSecretKey']), // only `mlkemSeed` is serialized
+    [enums.publicKey.pqc_mldsa_ed25519]: new Set(['mldsaSecretKey']) // only `mldsaSeed` is serialized
+  };
+
   const orderedParams = Object.keys(params).map(name => {
+    if (excludedFields[algo]?.has(name)) {
+      return new Uint8Array();
+    }
+
     const param = params[name];
     if (!util.isUint8Array(param)) return param.write();
     return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
@@ -12216,6 +12668,16 @@ async function generateParams(algo, bits, oid, symmetric) {
       const keyMaterial = generateSessionKey$1(symmetric);
       return createSymmetricParams(keyMaterial, new SymAlgoEnum(symmetric));
     }
+    case enums.publicKey.pqc_mlkem_x25519:
+      return publicKey.postQuantum.kem.generate(algo).then(({ eccSecretKey, eccPublicKey, mlkemSeed, mlkemSecretKey, mlkemPublicKey }) => ({
+        privateParams: { eccSecretKey, mlkemSeed, mlkemSecretKey },
+        publicParams: { eccPublicKey, mlkemPublicKey }
+      }));
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return publicKey.postQuantum.signature.generate(algo).then(({ eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey }) => ({
+        privateParams: { eccSecretKey, mldsaSeed, mldsaSecretKey },
+        publicParams: { eccPublicKey, mldsaPublicKey }
+      }));
     case enums.publicKey.dsa:
     case enums.publicKey.elgamal:
       throw new Error('Unsupported algorithm for key generation.');
@@ -12307,6 +12769,16 @@ async function validateParams(algo, publicParams, privateParams) {
       return keySize === keyMaterial.length &&
         util.equalsUint8Array(digest, await hash.sha256(hashSeed));
     }
+    case enums.publicKey.pqc_mlkem_x25519: {
+      const { eccSecretKey, mlkemSeed } = privateParams;
+      const { eccPublicKey, mlkemPublicKey } = publicParams;
+      return publicKey.postQuantum.kem.validateParams(algo, eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed);
+    }
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSecretKey, mldsaSeed } = privateParams;
+      const { eccPublicKey, mldsaPublicKey } = publicParams;
+      return publicKey.postQuantum.signature.validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed);
+    }
     default:
       throw new Error('Unknown public key algorithm.');
   }
@@ -15943,6 +16415,12 @@ class AEADEncryptedDataPacket {
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
+const algosWithV3CleartextSessionKeyAlgorithm = new Set([
+  enums.publicKey.x25519,
+  enums.publicKey.x448,
+  enums.publicKey.pqc_mlkem_x25519
+]);
+
 /**
  * Public-Key Encrypted Session Key Packets (Tag 1)
  *
@@ -16050,7 +16528,7 @@ class PublicKeyEncryptedSessionKeyPacket {
     }
     this.publicKeyAlgorithm = bytes[offset++];
     this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));
-    if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {
+    if (algosWithV3CleartextSessionKeyAlgorithm.has(this.publicKeyAlgorithm)) {
       if (this.version === 3) {
         this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
       } else if (this.encrypted.C.algorithm !== null) {
@@ -16133,7 +16611,7 @@ class PublicKeyEncryptedSessionKeyPacket {
 
     if (this.version === 3) {
       // v3 Montgomery curves have cleartext cipher algo
-      const hasEncryptedAlgo = this.publicKeyAlgorithm !== enums.publicKey.x25519 && this.publicKeyAlgorithm !== enums.publicKey.x448;
+      const hasEncryptedAlgo = !algosWithV3CleartextSessionKeyAlgorithm.has(this.publicKeyAlgorithm);
       this.sessionKeyAlgorithm = hasEncryptedAlgo ? sessionKeyAlgorithm : this.sessionKeyAlgorithm;
 
       if (sessionKey.length !== mod.getCipherParams(this.sessionKeyAlgorithm).keySize) {
@@ -16160,6 +16638,7 @@ function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
       ]);
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519:
       return sessionKeyData;
     default:
       throw new Error('Unsupported public key algorithm');
@@ -16208,6 +16687,7 @@ function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
     }
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519:
       return {
         sessionKeyAlgorithm: null,
         sessionKey: decryptedData
@@ -16573,6 +17053,14 @@ class PublicKeyPacket {
       ) {
         throw new Error('Legacy curve25519 cannot be used with v6 keys');
       }
+      // The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys.
+      // The composite ML-KEM + ECDH schemes MUST be used only with v6 keys.
+      if (this.version !== 6 && (
+        this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
+        this.algorithm === enums.publicKey.pqc_mlkem_x25519
+      )) {
+        throw new Error('Unexpected key version: ML-DSA and ML-KEM algorithms can only be used with v6 keys');
+      }
       this.publicParams = publicParams;
       pos += read;
 
@@ -17256,7 +17744,7 @@ class SecretKeyPacket extends PublicKeyPacket {
         }
       }
       try {
-        const { read, privateParams } = mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
+        const { read, privateParams } = await mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
         if (read < cleartext.length) {
           throw new Error('Error reading MPIs');
         }
@@ -17514,7 +18002,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     }
 
     try {
-      const { privateParams } = mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
+      const { privateParams } = await mod.parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);
       this.privateParams = privateParams;
     } catch (err) {
       throw new Error('Error reading MPIs');
@@ -17567,6 +18055,12 @@ class SecretKeyPacket extends PublicKeyPacket {
     )) {
       throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);
     }
+    if (this.version !== 6 && (
+      this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
+      this.algorithm === enums.publicKey.pqc_mlkem_x25519
+    )) {
+      throw new Error(`Cannot generate v${this.version} keys of type 'pqc'. Generate a v6 key instead`);
+    }
     const { privateParams, publicParams } = await mod.generateParams(this.algorithm, bits, curve, symmetric);
     this.privateParams = privateParams;
     this.publicParams = publicParams;
@@ -18069,6 +18563,12 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @async
  */
 async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
+  if (signingKeyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+    // For PQC, the returned hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    return mod.publicKey.postQuantum.signature.getRequiredHashAlgo(signingKeyPacket.algorithm);
+  }
+
   /**
    * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
    * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
@@ -18355,6 +18855,13 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
   }
 
   switch (options.type) {
+    case 'pqc':
+      if (options.sign) {
+        options.algorithm = enums.publicKey.pqc_mldsa_ed25519;
+      } else {
+        options.algorithm = enums.publicKey.pqc_mlkem_x25519;
+      }
+      break;
     case 'ecc': // NB: this case also handles legacy eddsa and x25519 keys, based on `options.curve`
       try {
         options.curve = enums.write(enums.curve, options.curve);
@@ -18413,6 +18920,7 @@ function validateSigningKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448:
     case enums.publicKey.hmac:
+    case enums.publicKey.pqc_mldsa_ed25519:
       if (!signature.keyFlags && !config.allowMissingKeyFlags) {
         throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
       }
@@ -18432,6 +18940,7 @@ function validateEncryptionKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
     case enums.publicKey.aead:
+    case enums.publicKey.pqc_mlkem_x25519:
       if (!signature.keyFlags && !config.allowMissingKeyFlags) {
         throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');
       }
@@ -18454,7 +18963,8 @@ function validateDecryptionKeyPacket(keyPacket, signature, config) {
     case enums.publicKey.elgamal:
     case enums.publicKey.ecdh:
     case enums.publicKey.x25519:
-    case enums.publicKey.x448: {
+    case enums.publicKey.x448:
+    case enums.publicKey.pqc_mlkem_x25519: {
       const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;
       if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) {
         // This is only relevant for RSA keys, all other signing algorithms cannot decrypt
@@ -20267,10 +20777,9 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       });
     }
     signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
-      // prefer fast asm.js implementations (SHA-256)
-      enums.hash.sha256,
       enums.hash.sha512,
-      ...(secretKeyPacket.version === 6 ? [enums.hash.sha3_256, enums.hash.sha3_512] : [])
+      enums.hash.sha256,
+      ...(secretKeyPacket.version === 6 ? [enums.hash.sha3_512, enums.hash.sha3_256] : [])
     ], config.preferredHashAlgorithm);
     signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
       enums.compression.uncompressed,
@@ -22026,6 +22535,7 @@ async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verifi
         result.data,
         fromAsync(async () => {
           await util.anyPromise(result.signatures.map(sig => sig.verified));
+          return format === 'binary' ? new Uint8Array() : '';
         })
       ]);
     }
@@ -22157,6 +22667,7 @@ async function verify({ message, verificationKeys, expectSigned = false, format
         result.data,
         fromAsync(async () => {
           await util.anyPromise(result.signatures.map(sig => sig.verified));
+          return format === 'binary' ? new Uint8Array() : '';
         })
       ]);
     }