npm - @theqrl/dilithium5 - Versions diffs - 1.1.5 → 1.2.0 - Mend

@theqrl/dilithium5 1.1.5 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +5 -2
package/dist/cjs/dilithium5.d.cts +59 -1
package/dist/cjs/dilithium5.js +83 -1
package/dist/mjs/dilithium5.d.mts +59 -1
package/dist/mjs/dilithium5.js +81 -2
package/package.json +1 -1
package/src/index.d.ts +59 -1

package/README.md CHANGED Viewed

@@ -26,9 +26,12 @@ const pk = new Uint8Array(CryptoPublicKeyBytes);  // 2592 bytes
 const sk = new Uint8Array(CryptoSecretKeyBytes);  // 4896 bytes
 cryptoSignKeypair(null, pk, sk);  // null = random seed
-// Sign a message
+// Sign a message (hedged by default — recommended per TOB-QRLLIB-6).
+// Pass `false` only when deterministic signatures are themselves a
+// protocol requirement (e.g. KAT vector reproduction); for that case
+// use `cryptoSignDeterministic`.
 const message = new TextEncoder().encode('Hello, quantum world!');
-const signedMessage = cryptoSign(message, sk, false);  // false = deterministic
+const signedMessage = cryptoSign(message, sk, true);  // true = hedged (recommended)
 // Verify and extract
 const extracted = cryptoSignOpen(signedMessage, pk);

package/dist/cjs/dilithium5.d.cts CHANGED Viewed

@@ -83,6 +83,31 @@ export function cryptoSign(
   randomizedSigning: boolean
 ): Uint8Array;
+/**
+ * Create a deterministic Dilithium5 detached signature
+ * (`randomizedSigning = false` wrapper for `cryptoSignSignature`).
+ *
+ * **Use only when the deterministic property is itself a requirement**.
+ * For general-purpose signing prefer `cryptoSignSignature` with
+ * `randomizedSigning = true` (hedged — TOB-QRLLIB-6).
+ */
+export function cryptoSignSignatureDeterministic(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  sk: Uint8Array
+): number;
+/**
+ * Attached-form deterministic Dilithium5 signing
+ * (`randomizedSigning = false` wrapper for `cryptoSign`).
+ * Same recommendation as `cryptoSignSignatureDeterministic`.
+ * (TOB-QRLLIB-6.)
+ */
+export function cryptoSignDeterministic(
+  msg: Uint8Array | string,
+  sk: Uint8Array
+): Uint8Array;
 /**
  * Verify a signature
  * @param sig - Signature to verify
@@ -100,13 +125,46 @@ export function cryptoSignVerify(
  * Open a signed message (verify and extract message)
  * @param sm - Signed message (signature || message)
  * @param pk - Public key
- * @returns Message if valid, undefined if verification fails
+ * @returns Message if valid, undefined if verification fails (or if
+ *   sm is null / undefined / non-Uint8Array / shorter than
+ *   CryptoBytes — see `cryptoSignOpenWithReason` for distinct
+ *   failure-mode reporting)
  */
 export function cryptoSignOpen(
   sm: Uint8Array,
   pk: Uint8Array
 ): Uint8Array | undefined;
+/**
+ * Failure-mode discriminator returned by `cryptoSignOpenWithReason`.
+ * (TOB-QRLLIB-14: distinct failure modes for Open.)
+ */
+export type CryptoSignOpenReason =
+  | 'invalid-sm-type'
+  | 'invalid-sm-length'
+  | 'invalid-pk'
+  | 'verification-failed';
+/**
+ * Open a signed message with a typed failure-mode report.
+ * (TOB-QRLLIB-14.) Behavioural twin of `cryptoSignOpen` that
+ * distinguishes API-shape problems (input wrong type / length /
+ * shape) from genuine verification failures.
+ *
+ * `cryptoSignOpen` is kept unchanged and continues to return
+ * `undefined` for any failure mode. Use this variant when you need
+ * to log or route on specific failure modes.
+ *
+ * @param sm - Signed message (signature || message)
+ * @param pk - Public key
+ */
+export function cryptoSignOpenWithReason(
+  sm: Uint8Array,
+  pk: Uint8Array
+):
+  | { ok: true; message: Uint8Array }
+  | { ok: false; reason: CryptoSignOpenReason };
 // Utility functions
 /**

package/dist/cjs/dilithium5.js CHANGED Viewed

@@ -1800,6 +1800,31 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning) {
   }
 }
+/**
+ * Create a **deterministic** Dilithium5 detached signature
+ * (`randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode so callers
+ * who *need* byte-identical signatures for the same `(sk, message)`
+ * — KAT vector reproduction, deterministic-test fixtures, RANDAO-style
+ * protocols — get a clearly-named entry point rather than passing a
+ * bare boolean.
+ *
+ * **Use only when the deterministic property is itself a requirement.**
+ * For general-purpose signing prefer [cryptoSignSignature] with
+ * `randomizedSigning = true` (hedged signing — TOB-QRLLIB-6 audit
+ * recommendation for parity with the lattice-scheme guidance applied
+ * to the Go and Rust ports).
+ *
+ * @param {Uint8Array} sig - Output buffer for signature (must be at least CryptoBytes bytes)
+ * @param {string|Uint8Array} m - Message to sign
+ * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes bytes)
+ * @returns {number} 0 on success
+ */
+function cryptoSignSignatureDeterministic(sig, m, sk) {
+  return cryptoSignSignature(sig, m, sk, /* randomizedSigning */ false);
+}
 /**
  * Sign a message, returning signature concatenated with message.
  *
@@ -1835,6 +1860,24 @@ function cryptoSign(msg, sk, randomizedSigning) {
   return sm;
 }
+/**
+ * Attached-form **deterministic** Dilithium5 signing
+ * (`randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode for the
+ * attached `signature || message` form. Same recommendation as
+ * [cryptoSignSignatureDeterministic]: use only when determinism is a
+ * protocol requirement; for general-purpose signing prefer
+ * [cryptoSign] with `randomizedSigning = true` (hedged — TOB-QRLLIB-6).
+ *
+ * @param {string|Uint8Array} msg - Message to sign
+ * @param {Uint8Array} sk - Secret key
+ * @returns {Uint8Array} Signed message (signature || message)
+ */
+function cryptoSignDeterministic(msg, sk) {
+  return cryptoSign(msg, sk, /* randomizedSigning */ false);
+}
 /**
  * Verify a detached signature.
  *
@@ -1943,7 +1986,12 @@ function cryptoSignVerify(sig, m, pk) {
  * }
  */
 function cryptoSignOpen(sm, pk) {
-  if (sm.length < CryptoBytes) {
+  // Type-guard `sm` so callers passing `null` / `undefined` / non-Uint8Array
+  // get a clean `undefined` return rather than a `Cannot read properties of
+  // null (reading 'length')` thrown deep in the call chain. Mirrors the
+  // existing `pk` / `sig` instanceof checks in `cryptoSignVerify`.
+  // (TOB-QRLLIB-11.)
+  if (!(sm instanceof Uint8Array) || sm.length < CryptoBytes) {
     return undefined;
   }
@@ -1956,6 +2004,37 @@ function cryptoSignOpen(sm, pk) {
   return msg;
 }
+/**
+ * Open a signed message with a typed failure-mode report.
+ *
+ * Behavioural twin of [cryptoSignOpen], but returns a discriminated
+ * union so callers can distinguish between API-shape problems (input
+ * was the wrong type / length / shape) and genuine cryptographic
+ * verification failures. See the ML-DSA-87 sibling for the rationale
+ * (TOB-QRLLIB-14).
+ *
+ * @param {Uint8Array} sm Signed message (signature || message).
+ * @param {Uint8Array} pk Public key.
+ * @returns {{ok: true, message: Uint8Array} | {ok: false, reason: 'invalid-sm-type'|'invalid-sm-length'|'invalid-pk'|'verification-failed'}}
+ */
+function cryptoSignOpenWithReason(sm, pk) {
+  if (!(sm instanceof Uint8Array)) {
+    return { ok: false, reason: 'invalid-sm-type' };
+  }
+  if (sm.length < CryptoBytes) {
+    return { ok: false, reason: 'invalid-sm-length' };
+  }
+  if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
+    return { ok: false, reason: 'invalid-pk' };
+  }
+  const sig = sm.slice(0, CryptoBytes);
+  const msg = sm.slice(CryptoBytes);
+  if (!cryptoSignVerify(sig, msg, pk)) {
+    return { ok: false, reason: 'verification-failed' };
+  }
+  return { ok: true, message: msg };
+}
 exports.BETA = BETA;
 exports.CRHBytes = CRHBytes;
 exports.CryptoBytes = CryptoBytes;
@@ -1993,9 +2072,12 @@ exports.TAU = TAU;
 exports.TRBytes = TRBytes;
 exports.cAddQ = cAddQ;
 exports.cryptoSign = cryptoSign;
+exports.cryptoSignDeterministic = cryptoSignDeterministic;
 exports.cryptoSignKeypair = cryptoSignKeypair;
 exports.cryptoSignOpen = cryptoSignOpen;
+exports.cryptoSignOpenWithReason = cryptoSignOpenWithReason;
 exports.cryptoSignSignature = cryptoSignSignature;
+exports.cryptoSignSignatureDeterministic = cryptoSignSignatureDeterministic;
 exports.cryptoSignVerify = cryptoSignVerify;
 exports.decompose = decompose;
 exports.dilithiumShake128StreamInit = dilithiumShake128StreamInit;

package/dist/mjs/dilithium5.d.mts CHANGED Viewed

@@ -83,6 +83,31 @@ export function cryptoSign(
   randomizedSigning: boolean
 ): Uint8Array;
+/**
+ * Create a deterministic Dilithium5 detached signature
+ * (`randomizedSigning = false` wrapper for `cryptoSignSignature`).
+ *
+ * **Use only when the deterministic property is itself a requirement**.
+ * For general-purpose signing prefer `cryptoSignSignature` with
+ * `randomizedSigning = true` (hedged — TOB-QRLLIB-6).
+ */
+export function cryptoSignSignatureDeterministic(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  sk: Uint8Array
+): number;
+/**
+ * Attached-form deterministic Dilithium5 signing
+ * (`randomizedSigning = false` wrapper for `cryptoSign`).
+ * Same recommendation as `cryptoSignSignatureDeterministic`.
+ * (TOB-QRLLIB-6.)
+ */
+export function cryptoSignDeterministic(
+  msg: Uint8Array | string,
+  sk: Uint8Array
+): Uint8Array;
 /**
  * Verify a signature
  * @param sig - Signature to verify
@@ -100,13 +125,46 @@ export function cryptoSignVerify(
  * Open a signed message (verify and extract message)
  * @param sm - Signed message (signature || message)
  * @param pk - Public key
- * @returns Message if valid, undefined if verification fails
+ * @returns Message if valid, undefined if verification fails (or if
+ *   sm is null / undefined / non-Uint8Array / shorter than
+ *   CryptoBytes — see `cryptoSignOpenWithReason` for distinct
+ *   failure-mode reporting)
  */
 export function cryptoSignOpen(
   sm: Uint8Array,
   pk: Uint8Array
 ): Uint8Array | undefined;
+/**
+ * Failure-mode discriminator returned by `cryptoSignOpenWithReason`.
+ * (TOB-QRLLIB-14: distinct failure modes for Open.)
+ */
+export type CryptoSignOpenReason =
+  | 'invalid-sm-type'
+  | 'invalid-sm-length'
+  | 'invalid-pk'
+  | 'verification-failed';
+/**
+ * Open a signed message with a typed failure-mode report.
+ * (TOB-QRLLIB-14.) Behavioural twin of `cryptoSignOpen` that
+ * distinguishes API-shape problems (input wrong type / length /
+ * shape) from genuine verification failures.
+ *
+ * `cryptoSignOpen` is kept unchanged and continues to return
+ * `undefined` for any failure mode. Use this variant when you need
+ * to log or route on specific failure modes.
+ *
+ * @param sm - Signed message (signature || message)
+ * @param pk - Public key
+ */
+export function cryptoSignOpenWithReason(
+  sm: Uint8Array,
+  pk: Uint8Array
+):
+  | { ok: true; message: Uint8Array }
+  | { ok: false; reason: CryptoSignOpenReason };
 // Utility functions
 /**

package/dist/mjs/dilithium5.js CHANGED Viewed

@@ -1421,6 +1421,31 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning) {
   }
 }
+/**
+ * Create a **deterministic** Dilithium5 detached signature
+ * (`randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode so callers
+ * who *need* byte-identical signatures for the same `(sk, message)`
+ * — KAT vector reproduction, deterministic-test fixtures, RANDAO-style
+ * protocols — get a clearly-named entry point rather than passing a
+ * bare boolean.
+ *
+ * **Use only when the deterministic property is itself a requirement.**
+ * For general-purpose signing prefer [cryptoSignSignature] with
+ * `randomizedSigning = true` (hedged signing — TOB-QRLLIB-6 audit
+ * recommendation for parity with the lattice-scheme guidance applied
+ * to the Go and Rust ports).
+ *
+ * @param {Uint8Array} sig - Output buffer for signature (must be at least CryptoBytes bytes)
+ * @param {string|Uint8Array} m - Message to sign
+ * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes bytes)
+ * @returns {number} 0 on success
+ */
+function cryptoSignSignatureDeterministic(sig, m, sk) {
+  return cryptoSignSignature(sig, m, sk, /* randomizedSigning */ false);
+}
 /**
  * Sign a message, returning signature concatenated with message.
  *
@@ -1456,6 +1481,24 @@ function cryptoSign(msg, sk, randomizedSigning) {
   return sm;
 }
+/**
+ * Attached-form **deterministic** Dilithium5 signing
+ * (`randomizedSigning = false`).
+ *
+ * Convenience wrapper that hard-wires the deterministic mode for the
+ * attached `signature || message` form. Same recommendation as
+ * [cryptoSignSignatureDeterministic]: use only when determinism is a
+ * protocol requirement; for general-purpose signing prefer
+ * [cryptoSign] with `randomizedSigning = true` (hedged — TOB-QRLLIB-6).
+ *
+ * @param {string|Uint8Array} msg - Message to sign
+ * @param {Uint8Array} sk - Secret key
+ * @returns {Uint8Array} Signed message (signature || message)
+ */
+function cryptoSignDeterministic(msg, sk) {
+  return cryptoSign(msg, sk, /* randomizedSigning */ false);
+}
 /**
  * Verify a detached signature.
  *
@@ -1564,7 +1607,12 @@ function cryptoSignVerify(sig, m, pk) {
  * }
  */
 function cryptoSignOpen(sm, pk) {
-  if (sm.length < CryptoBytes) {
+  // Type-guard `sm` so callers passing `null` / `undefined` / non-Uint8Array
+  // get a clean `undefined` return rather than a `Cannot read properties of
+  // null (reading 'length')` thrown deep in the call chain. Mirrors the
+  // existing `pk` / `sig` instanceof checks in `cryptoSignVerify`.
+  // (TOB-QRLLIB-11.)
+  if (!(sm instanceof Uint8Array) || sm.length < CryptoBytes) {
     return undefined;
   }
@@ -1577,4 +1625,35 @@ function cryptoSignOpen(sm, pk) {
   return msg;
 }
-export { BETA, CRHBytes, CryptoBytes, CryptoPublicKeyBytes, CryptoSecretKeyBytes, D, ETA, GAMMA1, GAMMA2, K, KeccakState, L, N, OMEGA, Poly, PolyETAPackedBytes, PolyT0PackedBytes, PolyT1PackedBytes, PolyUniformETANBlocks, PolyUniformGamma1NBlocks, PolyUniformNBlocks, PolyVecHPackedBytes, PolyVecK, PolyVecL, PolyW1PackedBytes, PolyZPackedBytes, Q, QInv, SeedBytes, Shake128Rate, Shake256Rate, Stream128BlockBytes, Stream256BlockBytes, TAU, TRBytes, cAddQ, cryptoSign, cryptoSignKeypair, cryptoSignOpen, cryptoSignSignature, cryptoSignVerify, decompose, dilithiumShake128StreamInit, dilithiumShake256StreamInit, invNTTToMont, isZero, makeHint, montgomeryReduce, ntt, packPk, packSig, packSk, polyAdd, polyCAddQ, polyChallenge, polyChkNorm, polyDecompose, polyEtaPack, polyEtaUnpack, polyInvNTTToMont, polyMakeHint, polyNTT, polyPointWiseMontgomery, polyPower2round, polyReduce, polyShiftL, polySub, polyT0Pack, polyT0Unpack, polyT1Pack, polyT1Unpack, polyUniform, polyUniformEta, polyUniformGamma1, polyUseHint, polyVecKAdd, polyVecKCAddQ, polyVecKChkNorm, polyVecKDecompose, polyVecKInvNTTToMont, polyVecKMakeHint, polyVecKNTT, polyVecKPackW1, polyVecKPointWisePolyMontgomery, polyVecKPower2round, polyVecKReduce, polyVecKShiftL, polyVecKSub, polyVecKUniformEta, polyVecKUseHint, polyVecLAdd, polyVecLChkNorm, polyVecLInvNTTToMont, polyVecLNTT, polyVecLPointWiseAccMontgomery, polyVecLPointWisePolyMontgomery, polyVecLReduce, polyVecLUniformEta, polyVecLUniformGamma1, polyVecMatrixExpand, polyVecMatrixPointWiseMontgomery, polyW1Pack, polyZPack, polyZUnpack, power2round, reduce32, rejEta, rejUniform, shake128Absorb, shake128Finalize, shake128Init, shake128SqueezeBlocks, shake256Absorb, shake256Finalize, shake256Init, shake256SqueezeBlocks, unpackPk, unpackSig, unpackSk, useHint, zeroize, zetas };
+/**
+ * Open a signed message with a typed failure-mode report.
+ *
+ * Behavioural twin of [cryptoSignOpen], but returns a discriminated
+ * union so callers can distinguish between API-shape problems (input
+ * was the wrong type / length / shape) and genuine cryptographic
+ * verification failures. See the ML-DSA-87 sibling for the rationale
+ * (TOB-QRLLIB-14).
+ *
+ * @param {Uint8Array} sm Signed message (signature || message).
+ * @param {Uint8Array} pk Public key.
+ * @returns {{ok: true, message: Uint8Array} | {ok: false, reason: 'invalid-sm-type'|'invalid-sm-length'|'invalid-pk'|'verification-failed'}}
+ */
+function cryptoSignOpenWithReason(sm, pk) {
+  if (!(sm instanceof Uint8Array)) {
+    return { ok: false, reason: 'invalid-sm-type' };
+  }
+  if (sm.length < CryptoBytes) {
+    return { ok: false, reason: 'invalid-sm-length' };
+  }
+  if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
+    return { ok: false, reason: 'invalid-pk' };
+  }
+  const sig = sm.slice(0, CryptoBytes);
+  const msg = sm.slice(CryptoBytes);
+  if (!cryptoSignVerify(sig, msg, pk)) {
+    return { ok: false, reason: 'verification-failed' };
+  }
+  return { ok: true, message: msg };
+}
+export { BETA, CRHBytes, CryptoBytes, CryptoPublicKeyBytes, CryptoSecretKeyBytes, D, ETA, GAMMA1, GAMMA2, K, KeccakState, L, N, OMEGA, Poly, PolyETAPackedBytes, PolyT0PackedBytes, PolyT1PackedBytes, PolyUniformETANBlocks, PolyUniformGamma1NBlocks, PolyUniformNBlocks, PolyVecHPackedBytes, PolyVecK, PolyVecL, PolyW1PackedBytes, PolyZPackedBytes, Q, QInv, SeedBytes, Shake128Rate, Shake256Rate, Stream128BlockBytes, Stream256BlockBytes, TAU, TRBytes, cAddQ, cryptoSign, cryptoSignDeterministic, cryptoSignKeypair, cryptoSignOpen, cryptoSignOpenWithReason, cryptoSignSignature, cryptoSignSignatureDeterministic, cryptoSignVerify, decompose, dilithiumShake128StreamInit, dilithiumShake256StreamInit, invNTTToMont, isZero, makeHint, montgomeryReduce, ntt, packPk, packSig, packSk, polyAdd, polyCAddQ, polyChallenge, polyChkNorm, polyDecompose, polyEtaPack, polyEtaUnpack, polyInvNTTToMont, polyMakeHint, polyNTT, polyPointWiseMontgomery, polyPower2round, polyReduce, polyShiftL, polySub, polyT0Pack, polyT0Unpack, polyT1Pack, polyT1Unpack, polyUniform, polyUniformEta, polyUniformGamma1, polyUseHint, polyVecKAdd, polyVecKCAddQ, polyVecKChkNorm, polyVecKDecompose, polyVecKInvNTTToMont, polyVecKMakeHint, polyVecKNTT, polyVecKPackW1, polyVecKPointWisePolyMontgomery, polyVecKPower2round, polyVecKReduce, polyVecKShiftL, polyVecKSub, polyVecKUniformEta, polyVecKUseHint, polyVecLAdd, polyVecLChkNorm, polyVecLInvNTTToMont, polyVecLNTT, polyVecLPointWiseAccMontgomery, polyVecLPointWisePolyMontgomery, polyVecLReduce, polyVecLUniformEta, polyVecLUniformGamma1, polyVecMatrixExpand, polyVecMatrixPointWiseMontgomery, polyW1Pack, polyZPack, polyZUnpack, power2round, reduce32, rejEta, rejUniform, shake128Absorb, shake128Finalize, shake128Init, shake128SqueezeBlocks, shake256Absorb, shake256Finalize, shake256Init, shake256SqueezeBlocks, unpackPk, unpackSig, unpackSk, useHint, zeroize, zetas };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@theqrl/dilithium5",
-  "version": "1.1.5",
+  "version": "1.2.0",
   "description": "Dilithium-5 cryptography",
   "keywords": [
     "dilithium",

package/src/index.d.ts CHANGED Viewed

@@ -83,6 +83,31 @@ export function cryptoSign(
   randomizedSigning: boolean
 ): Uint8Array;
+/**
+ * Create a deterministic Dilithium5 detached signature
+ * (`randomizedSigning = false` wrapper for `cryptoSignSignature`).
+ *
+ * **Use only when the deterministic property is itself a requirement**.
+ * For general-purpose signing prefer `cryptoSignSignature` with
+ * `randomizedSigning = true` (hedged — TOB-QRLLIB-6).
+ */
+export function cryptoSignSignatureDeterministic(
+  sig: Uint8Array,
+  m: Uint8Array | string,
+  sk: Uint8Array
+): number;
+/**
+ * Attached-form deterministic Dilithium5 signing
+ * (`randomizedSigning = false` wrapper for `cryptoSign`).
+ * Same recommendation as `cryptoSignSignatureDeterministic`.
+ * (TOB-QRLLIB-6.)
+ */
+export function cryptoSignDeterministic(
+  msg: Uint8Array | string,
+  sk: Uint8Array
+): Uint8Array;
 /**
  * Verify a signature
  * @param sig - Signature to verify
@@ -100,13 +125,46 @@ export function cryptoSignVerify(
  * Open a signed message (verify and extract message)
  * @param sm - Signed message (signature || message)
  * @param pk - Public key
- * @returns Message if valid, undefined if verification fails
+ * @returns Message if valid, undefined if verification fails (or if
+ *   sm is null / undefined / non-Uint8Array / shorter than
+ *   CryptoBytes — see `cryptoSignOpenWithReason` for distinct
+ *   failure-mode reporting)
  */
 export function cryptoSignOpen(
   sm: Uint8Array,
   pk: Uint8Array
 ): Uint8Array | undefined;
+/**
+ * Failure-mode discriminator returned by `cryptoSignOpenWithReason`.
+ * (TOB-QRLLIB-14: distinct failure modes for Open.)
+ */
+export type CryptoSignOpenReason =
+  | 'invalid-sm-type'
+  | 'invalid-sm-length'
+  | 'invalid-pk'
+  | 'verification-failed';
+/**
+ * Open a signed message with a typed failure-mode report.
+ * (TOB-QRLLIB-14.) Behavioural twin of `cryptoSignOpen` that
+ * distinguishes API-shape problems (input wrong type / length /
+ * shape) from genuine verification failures.
+ *
+ * `cryptoSignOpen` is kept unchanged and continues to return
+ * `undefined` for any failure mode. Use this variant when you need
+ * to log or route on specific failure modes.
+ *
+ * @param sm - Signed message (signature || message)
+ * @param pk - Public key
+ */
+export function cryptoSignOpenWithReason(
+  sm: Uint8Array,
+  pk: Uint8Array
+):
+  | { ok: true; message: Uint8Array }
+  | { ok: false; reason: CryptoSignOpenReason };
 // Utility functions
 /**