@theqrl/mldsa87 1.1.0 → 2.0.0

package/README.md

@@ -26,12 +26,13 @@ const pk = new Uint8Array(CryptoPublicKeyBytes);  // 2592 bytes
 const sk = new Uint8Array(CryptoSecretKeyBytes);  // 4896 bytes
 cryptoSignKeypair(null, pk, sk);  // null = random seed
 
-// Sign a message (uses default "ZOND" context)
+// Sign a message
 const message = new TextEncoder().encode('Hello, quantum world!');
-const signedMessage = cryptoSign(message, sk, false);  // false = deterministic
+const ctx = new Uint8Array([0x5a, 0x4f, 0x4e, 0x44]);  // "ZOND"
+const signedMessage = cryptoSign(message, sk, false, ctx);  // false = deterministic
 
-// Verify and extract
-const extracted = cryptoSignOpen(signedMessage, pk);
+// Verify and extract (context must match)
+const extracted = cryptoSignOpen(signedMessage, pk, ctx);
 if (extracted === undefined) {
   throw new Error('Invalid signature');
 }
@@ -40,20 +41,21 @@ console.log(new TextDecoder().decode(extracted));  // "Hello, quantum world!"
 
 ## Context Parameter
 
-ML-DSA-87 supports a context parameter for domain separation (FIPS 204 feature). This allows the same keypair to be used safely across different applications.
+ML-DSA-87 requires a context parameter for domain separation (FIPS 204 feature). This allows the same keypair to be used safely across different applications.
 
 ```javascript
-// With custom context
+// With application-specific context
 const ctx = new TextEncoder().encode('my-app-v1');
 const signed = cryptoSign(message, sk, false, ctx);
 const extracted = cryptoSignOpen(signed, pk, ctx);
 
 // Context must match for verification
-cryptoSignOpen(signed, pk);  // undefined - wrong context (default "ZOND")
-cryptoSignOpen(signed, pk, ctx);  // message - correct context
+const wrongCtx = new Uint8Array(0);
+cryptoSignOpen(signed, pk, wrongCtx);  // undefined - wrong context
+cryptoSignOpen(signed, pk, ctx);       // message - correct context
 ```
 
-The default context is `"ZOND"` (for QRL Zond network compatibility). Context can be 0-255 bytes.
+Context is a required `Uint8Array` and can be 0-255 bytes. Use an empty `Uint8Array(0)` if no domain separation is needed.
 
 ## API
 
@@ -77,26 +79,26 @@ Generate a keypair from a seed.
 - `sk`: `Uint8Array(4896)` - output buffer for secret key
 - Returns: The seed used (useful when `seed` is `null`)
 
-#### `cryptoSign(message, sk, randomized, context?)`
+#### `cryptoSign(message, sk, randomized, context)`
 
 Sign a message (combined mode: returns signature || message).
 
 - `message`: `Uint8Array` or `string` - message bytes; if `string`, it must be hex only (optional `0x`, even length). Plain-text strings are not accepted.
 - `sk`: `Uint8Array(4896)` - secret key
 - `randomized`: `boolean` - `true` for hedged signing, `false` for deterministic
-- `context`: `Uint8Array` (optional) - context string, 0-255 bytes. Default: `"ZOND"`
+- `context`: `Uint8Array` - context string for domain separation, 0-255 bytes
 - Returns: `Uint8Array` containing signature + message
 
-#### `cryptoSignOpen(signedMessage, pk, context?)`
+#### `cryptoSignOpen(signedMessage, pk, context)`
 
 Verify and extract message from signed message.
 
 - `signedMessage`: `Uint8Array` - output from `cryptoSign()`
 - `pk`: `Uint8Array(2592)` - public key
-- `context`: `Uint8Array` (optional) - must match signing context
+- `context`: `Uint8Array` - must match signing context
 - Returns: Original message if valid, `undefined` if verification fails
 
-#### `cryptoSignSignature(sig, message, sk, randomized, context?)`
+#### `cryptoSignSignature(sig, message, sk, randomized, context)`
 
 Create a detached signature.
 
@@ -104,17 +106,17 @@ Create a detached signature.
 - `message`: `Uint8Array` or `string` - message bytes; if `string`, it must be hex only (optional `0x`, even length). Plain-text strings are not accepted.
 - `sk`: `Uint8Array(4896)` - secret key
 - `randomized`: `boolean` - `true` for hedged, `false` for deterministic
-- `context`: `Uint8Array` (optional) - context string, 0-255 bytes
+- `context`: `Uint8Array` - context string for domain separation, 0-255 bytes
 - Returns: `0` on success
 
-#### `cryptoSignVerify(sig, message, pk, context?)`
+#### `cryptoSignVerify(sig, message, pk, context)`
 
 Verify a detached signature.
 
 - `sig`: `Uint8Array(4627)` - signature to verify
 - `message`: `Uint8Array` or `string` - original message bytes; if `string`, it must be hex only (optional `0x`, even length). Plain-text strings are not accepted.
 - `pk`: `Uint8Array(2592)` - public key
-- `context`: `Uint8Array` (optional) - must match signing context
+- `context`: `Uint8Array` - must match signing context
 - Returns: `true` if valid, `false` otherwise
 
 **Note:** To sign or verify plain text, convert it to bytes (e.g., `new TextEncoder().encode('Hello')`). String inputs are interpreted as hex only.

package/dist/cjs/mldsa87.js

@@ -1,8 +1,5 @@
 'use strict';
 
-var sha3_js = require('@noble/hashes/sha3.js');
-var utils_js = require('@noble/hashes/utils.js');
-
 const Shake128Rate = 168;
 const Shake256Rate = 136;
 const Stream128BlockBytes = Shake128Rate;
@@ -67,6 +64,386 @@ const zetas = [
   -1362209, 3937738, 1400424, -846154, 1976782,
 ];
 
+/**
+ * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
+ * @todo re-check https://issues.chromium.org/issues/42212588
+ * @module
+ */
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+    if (le)
+        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
+    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+    const len = lst.length;
+    let Ah = new Uint32Array(len);
+    let Al = new Uint32Array(len);
+    for (let i = 0; i < len; i++) {
+        const { h, l } = fromBig(lst[i], le);
+        [Ah[i], Al[i]] = [h, l];
+    }
+    return [Ah, Al];
+}
+// Left rotate for Shift in [1, 32)
+const rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
+const rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
+// Left rotate for Shift in (32, 64), NOTE: 32 is special case.
+const rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
+const rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
+
+/**
+ * Utilities for hex, bytes, CSPRNG.
+ * @module
+ */
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+/** Asserts something is positive integer. */
+function anumber(n, title = '') {
+    if (!Number.isSafeInteger(n) || n < 0) {
+        const prefix = title && `"${title}" `;
+        throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+    }
+}
+/** Asserts something is Uint8Array. */
+function abytes(value, length, title = '') {
+    const bytes = isBytes(value);
+    const len = value?.length;
+    const needsLen = length !== undefined;
+    if (!bytes || (needsLen)) {
+        const prefix = title && `"${title}" `;
+        const ofLen = '';
+        const got = bytes ? `length=${len}` : `type=${typeof value}`;
+        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+    }
+    return value;
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+    abytes(out, undefined, 'digestInto() output');
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error('"digestInto() output" expected to be of length >=' + min);
+    }
+}
+/** Cast u8 / u16 / u32 to u32. */
+function u32(arr) {
+    return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
+/** The byte swap operation for uint32 */
+function byteSwap(word) {
+    return (((word << 24) & 0xff000000) |
+        ((word << 8) & 0xff0000) |
+        ((word >>> 8) & 0xff00) |
+        ((word >>> 24) & 0xff));
+}
+/** In place byte swap for Uint32Array */
+function byteSwap32(arr) {
+    for (let i = 0; i < arr.length; i++) {
+        arr[i] = byteSwap(arr[i]);
+    }
+    return arr;
+}
+const swap32IfBE = isLE
+    ? (u) => u
+    : byteSwap32;
+// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex
+const hasHexBuiltin = /* @__PURE__ */ (() => 
+// @ts-ignore
+typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')();
+// We use optimized technique to convert hex string to byte array
+const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+    if (ch >= asciis._0 && ch <= asciis._9)
+        return ch - asciis._0; // '2' => 50-48
+    if (ch >= asciis.A && ch <= asciis.F)
+        return ch - (asciis.A - 10); // 'B' => 66-(65-10)
+    if (ch >= asciis.a && ch <= asciis.f)
+        return ch - (asciis.a - 10); // 'b' => 98-(97-10)
+    return;
+}
+/**
+ * Convert hex string to byte array. Uses built-in function, when available.
+ * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+ */
+function hexToBytes$1(hex) {
+    if (typeof hex !== 'string')
+        throw new Error('hex string expected, got ' + typeof hex);
+    // @ts-ignore
+    if (hasHexBuiltin)
+        return Uint8Array.fromHex(hex);
+    const hl = hex.length;
+    const al = hl / 2;
+    if (hl % 2)
+        throw new Error('hex string expected, got unpadded hex of length ' + hl);
+    const array = new Uint8Array(al);
+    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+        const n1 = asciiToBase16(hex.charCodeAt(hi));
+        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+        if (n1 === undefined || n2 === undefined) {
+            const char = hex[hi] + hex[hi + 1];
+            throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+        }
+        array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
+    }
+    return array;
+}
+/** Creates function with outputLen, blockLen, create properties from a class constructor. */
+function createHasher(hashCons, info = {}) {
+    const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+    const tmp = hashCons(undefined);
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (opts) => hashCons(opts);
+    Object.assign(hashC, info);
+    return Object.freeze(hashC);
+}
+/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+const oidNist = (suffix) => ({
+    oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),
+});
+
+/**
+ * SHA3 (keccak) hash function, based on a new "Sponge function" design.
+ * Different from older hashes, the internal state is bigger than output size.
+ *
+ * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf),
+ * [Website](https://keccak.team/keccak.html),
+ * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub).
+ *
+ * Check out `sha3-addons` module for cSHAKE, k12, and others.
+ * @module
+ */
+// No __PURE__ annotations in sha3 header:
+// EVERYTHING is in fact used on every export.
+// Various per round constants calculations
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const _7n = BigInt(7);
+const _256n = BigInt(256);
+const _0x71n = BigInt(0x71);
+const SHA3_PI = [];
+const SHA3_ROTL = [];
+const _SHA3_IOTA = []; // no pure annotation: var is always used
+for (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {
+    // Pi
+    [x, y] = [y, (2 * x + 3 * y) % 5];
+    SHA3_PI.push(2 * (5 * y + x));
+    // Rotational
+    SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);
+    // Iota
+    let t = _0n;
+    for (let j = 0; j < 7; j++) {
+        R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;
+        if (R & _2n)
+            t ^= _1n << ((_1n << BigInt(j)) - _1n);
+    }
+    _SHA3_IOTA.push(t);
+}
+const IOTAS = split(_SHA3_IOTA, true);
+const SHA3_IOTA_H = IOTAS[0];
+const SHA3_IOTA_L = IOTAS[1];
+// Left rotation (without 0, 32, 64)
+const rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));
+const rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));
+/** `keccakf1600` internal function, additionally allows to adjust round count. */
+function keccakP(s, rounds = 24) {
+    const B = new Uint32Array(5 * 2);
+    // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)
+    for (let round = 24 - rounds; round < 24; round++) {
+        // Theta θ
+        for (let x = 0; x < 10; x++)
+            B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
+        for (let x = 0; x < 10; x += 2) {
+            const idx1 = (x + 8) % 10;
+            const idx0 = (x + 2) % 10;
+            const B0 = B[idx0];
+            const B1 = B[idx0 + 1];
+            const Th = rotlH(B0, B1, 1) ^ B[idx1];
+            const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
+            for (let y = 0; y < 50; y += 10) {
+                s[x + y] ^= Th;
+                s[x + y + 1] ^= Tl;
+            }
+        }
+        // Rho (ρ) and Pi (π)
+        let curH = s[2];
+        let curL = s[3];
+        for (let t = 0; t < 24; t++) {
+            const shift = SHA3_ROTL[t];
+            const Th = rotlH(curH, curL, shift);
+            const Tl = rotlL(curH, curL, shift);
+            const PI = SHA3_PI[t];
+            curH = s[PI];
+            curL = s[PI + 1];
+            s[PI] = Th;
+            s[PI + 1] = Tl;
+        }
+        // Chi (χ)
+        for (let y = 0; y < 50; y += 10) {
+            for (let x = 0; x < 10; x++)
+                B[x] = s[y + x];
+            for (let x = 0; x < 10; x++)
+                s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
+        }
+        // Iota (ι)
+        s[0] ^= SHA3_IOTA_H[round];
+        s[1] ^= SHA3_IOTA_L[round];
+    }
+    clean(B);
+}
+/** Keccak sponge function. */
+class Keccak {
+    state;
+    pos = 0;
+    posOut = 0;
+    finished = false;
+    state32;
+    destroyed = false;
+    blockLen;
+    suffix;
+    outputLen;
+    enableXOF = false;
+    rounds;
+    // NOTE: we accept arguments in bytes instead of bits here.
+    constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
+        this.blockLen = blockLen;
+        this.suffix = suffix;
+        this.outputLen = outputLen;
+        this.enableXOF = enableXOF;
+        this.rounds = rounds;
+        // Can be passed from user as dkLen
+        anumber(outputLen, 'outputLen');
+        // 1600 = 5x5 matrix of 64bit.  1600 bits === 200 bytes
+        // 0 < blockLen < 200
+        if (!(0 < blockLen && blockLen < 200))
+            throw new Error('only keccak-f1600 function is supported');
+        this.state = new Uint8Array(200);
+        this.state32 = u32(this.state);
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    keccak() {
+        swap32IfBE(this.state32);
+        keccakP(this.state32, this.rounds);
+        swap32IfBE(this.state32);
+        this.posOut = 0;
+        this.pos = 0;
+    }
+    update(data) {
+        aexists(this);
+        abytes(data);
+        const { blockLen, state } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            for (let i = 0; i < take; i++)
+                state[this.pos++] ^= data[pos++];
+            if (this.pos === blockLen)
+                this.keccak();
+        }
+        return this;
+    }
+    finish() {
+        if (this.finished)
+            return;
+        this.finished = true;
+        const { state, suffix, pos, blockLen } = this;
+        // Do the padding
+        state[pos] ^= suffix;
+        if ((suffix & 0x80) !== 0 && pos === blockLen - 1)
+            this.keccak();
+        state[blockLen - 1] ^= 0x80;
+        this.keccak();
+    }
+    writeInto(out) {
+        aexists(this, false);
+        abytes(out);
+        this.finish();
+        const bufferOut = this.state;
+        const { blockLen } = this;
+        for (let pos = 0, len = out.length; pos < len;) {
+            if (this.posOut >= blockLen)
+                this.keccak();
+            const take = Math.min(blockLen - this.posOut, len - pos);
+            out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
+            this.posOut += take;
+            pos += take;
+        }
+        return out;
+    }
+    xofInto(out) {
+        // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF
+        if (!this.enableXOF)
+            throw new Error('XOF is not possible for this instance');
+        return this.writeInto(out);
+    }
+    xof(bytes) {
+        anumber(bytes);
+        return this.xofInto(new Uint8Array(bytes));
+    }
+    digestInto(out) {
+        aoutput(out, this);
+        if (this.finished)
+            throw new Error('digest() was already called');
+        this.writeInto(out);
+        this.destroy();
+        return out;
+    }
+    digest() {
+        return this.digestInto(new Uint8Array(this.outputLen));
+    }
+    destroy() {
+        this.destroyed = true;
+        clean(this.state);
+    }
+    _cloneInto(to) {
+        const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
+        to ||= new Keccak(blockLen, suffix, outputLen, enableXOF, rounds);
+        to.state32.set(this.state32);
+        to.pos = this.pos;
+        to.posOut = this.posOut;
+        to.finished = this.finished;
+        to.rounds = rounds;
+        // Suffix can change in cSHAKE
+        to.suffix = suffix;
+        to.outputLen = outputLen;
+        to.enableXOF = enableXOF;
+        to.destroyed = this.destroyed;
+        return to;
+    }
+}
+const genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true), info);
+/** SHAKE128 XOF with 128-bit security. */
+const shake128 = 
+/* @__PURE__ */
+genShake(0x1f, 168, 16, /* @__PURE__ */ oidNist(0x0b));
+/** SHAKE256 XOF with 256-bit security. */
+const shake256 = 
+/* @__PURE__ */
+genShake(0x1f, 136, 32, /* @__PURE__ */ oidNist(0x0c));
+
 /**
  * FIPS 202 SHAKE functions using @noble/hashes
  * Provides streaming XOF (extendable output function) interface
@@ -87,7 +464,7 @@ class KeccakState {
 // SHAKE-128 functions
 
 function shake128Init(state) {
-  state.hasher = sha3_js.shake128.create({});
+  state.hasher = shake128.create({});
   state.finalized = false;
 }
 
@@ -109,7 +486,7 @@ function shake128SqueezeBlocks(out, outputOffset, nBlocks, state) {
 // SHAKE-256 functions
 
 function shake256Init(state) {
-  state.hasher = sha3_js.shake256.create({});
+  state.hasher = shake256.create({});
   state.finalized = false;
 }
 
@@ -176,7 +553,7 @@ function cAddQ(a) {
 
 function ntt(a) {
   let k = 0;
-  let j = 0;
+  let j;
 
   for (let len = 128; len > 0; len >>= 1) {
     for (let start = 0; start < N; start = j + len) {
@@ -192,7 +569,7 @@ function ntt(a) {
 
 function invNTTToMont(a) {
   const f = 41978n; // mont^2/256
-  let j = 0;
+  let j;
   let k = 256;
 
   for (let len = 1; len < N; len <<= 1) {
@@ -1109,13 +1486,6 @@ function isZero(buffer) {
   return acc === 0;
 }
 
-/**
- * Default signing context ("ZOND" in ASCII).
- * Used for domain separation per FIPS 204.
- * @constant {Uint8Array}
- */
-const DEFAULT_CTX = new Uint8Array([0x5a, 0x4f, 0x4e, 0x44]); // "ZOND"
-
 /**
  * Convert hex string to Uint8Array with strict validation.
  *
@@ -1148,7 +1518,7 @@ function hexToBytes(hex) {
   if (!/^[0-9a-fA-F]*$/.test(clean)) {
     throw new Error('hex string contains non-hex characters');
   }
-  return utils_js.hexToBytes(clean);
+  return hexToBytes$1(clean);
 }
 
 function messageToBytes(message) {
@@ -1189,9 +1559,9 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
     }
   } catch (e) {
     if (e instanceof TypeError) {
-      throw new Error(`pk/sk cannot be null`);
+      throw new Error(`pk/sk cannot be null`, { cause: e });
     } else {
-      throw new Error(`${e.message}`);
+      throw new Error(`${e.message}`, { cause: e });
     }
   }
 
@@ -1213,7 +1583,7 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
 
   const outputLength = 2 * SeedBytes + CRHBytes;
   const domainSep = new Uint8Array([K, L]);
-  const seedBuf = sha3_js.shake256.create({}).update(seed).update(domainSep).xof(outputLength);
+  const seedBuf = shake256.create({}).update(seed).update(domainSep).xof(outputLength);
   const rho = seedBuf.slice(0, SeedBytes);
   const rhoPrime = seedBuf.slice(SeedBytes, SeedBytes + CRHBytes);
   const key = seedBuf.slice(SeedBytes + CRHBytes);
@@ -1244,7 +1614,7 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
     packPk(pk, rho, t1);
 
     // Compute tr = SHAKE256(pk) (64 bytes) and write secret key
-    const tr = sha3_js.shake256.create({}).update(pk).xof(TRBytes);
+    const tr = shake256.create({}).update(pk).xof(TRBytes);
     packSk(sk, rho, tr, key, t0, s1, s2);
 
     return seed;
@@ -1270,21 +1640,22 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
  * @param {boolean} randomizedSigning - If true, use random nonce for hedged signing.
  *   If false, use deterministic nonce derived from message and key.
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string for domain separation (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
  * @returns {number} 0 on success
- * @throws {Error} If sk is wrong size or context exceeds 255 bytes
+ * @throws {Error} If ctx is missing, sk is wrong size, or context exceeds 255 bytes
  *
  * @example
  * const sig = new Uint8Array(CryptoBytes);
- * cryptoSignSignature(sig, message, sk, false);
- * // Or with custom context:
- * cryptoSignSignature(sig, message, sk, false, new Uint8Array([0x01, 0x02]));
+ * const ctx = new Uint8Array([0x01, 0x02]);
+ * cryptoSignSignature(sig, message, sk, false, ctx);
  */
-function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
+function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
   if (!sig || sig.length < CryptoBytes) {
     throw new Error(`sig must be at least ${CryptoBytes} bytes`);
   }
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (ctx.length > 255) throw new Error(`invalid context length: ${ctx.length} (max 255)`);
   if (sk.length !== CryptoSecretKeyBytes) {
     throw new Error(`invalid sk length ${sk.length} | Expected length ${CryptoSecretKeyBytes}`);
@@ -1320,11 +1691,11 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
     const mBytes = messageToBytes(m);
 
     // mu = SHAKE256(tr || pre || m)
-    const mu = sha3_js.shake256.create({}).update(tr).update(pre).update(mBytes).xof(CRHBytes);
+    const mu = shake256.create({}).update(tr).update(pre).update(mBytes).xof(CRHBytes);
 
     // rhoPrime = SHAKE256(key || rnd || mu)
     const rnd = randomizedSigning ? randomBytes(RNDBytes) : new Uint8Array(RNDBytes);
-    rhoPrime = sha3_js.shake256.create({}).update(key).update(rnd).update(mu).xof(CRHBytes);
+    rhoPrime = shake256.create({}).update(key).update(rnd).update(mu).xof(CRHBytes);
 
     polyVecMatrixExpand(mat, rho);
     polyVecLNTT(s1);
@@ -1346,7 +1717,7 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
       polyVecKPackW1(sig, w1);
 
       // ctilde = SHAKE256(mu || w1_packed) (64 bytes)
-      const ctilde = sha3_js.shake256
+      const ctilde = shake256
         .create({})
         .update(mu)
         .update(sig.slice(0, K * PolyW1PackedBytes))
@@ -1411,16 +1782,18 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
  * @param {string|Uint8Array} msg - Message to sign (hex string, optional 0x prefix, or Uint8Array)
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
  * @param {boolean} randomizedSigning - If true, use random nonce; if false, deterministic
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string for domain separation (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
  * @returns {Uint8Array} Signed message (CryptoBytes + msg.length bytes)
  * @throws {Error} If signing fails
  *
  * @example
- * const signedMsg = cryptoSign(message, sk, false);
+ * const signedMsg = cryptoSign(message, sk, false, ctx);
  * // signedMsg contains: signature (4627 bytes) || message
  */
-function cryptoSign(msg, sk, randomizedSigning, ctx = DEFAULT_CTX) {
+function cryptoSign(msg, sk, randomizedSigning, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   const msgBytes = messageToBytes(msg);
 
   const sm = new Uint8Array(CryptoBytes + msgBytes.length);
@@ -1447,17 +1820,19 @@ function cryptoSign(msg, sk, randomizedSigning, ctx = DEFAULT_CTX) {
  * @param {Uint8Array} sig - Signature to verify (must be CryptoBytes = 4627 bytes)
  * @param {string|Uint8Array} m - Message that was signed (hex string, optional 0x prefix, or Uint8Array)
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string used during signing (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
  * @returns {boolean} true if signature is valid, false otherwise
  *
  * @example
- * const isValid = cryptoSignVerify(signature, message, pk);
+ * const isValid = cryptoSignVerify(signature, message, pk, ctx);
  * if (!isValid) {
  *   throw new Error('Invalid signature');
  * }
  */
-function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
+function cryptoSignVerify(sig, m, pk, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (ctx.length > 255) return false;
   let i;
   const buf = new Uint8Array(K * PolyW1PackedBytes);
@@ -1488,7 +1863,7 @@ function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
   }
 
   /* Compute mu = SHAKE256(tr || pre || m) with tr = SHAKE256(pk) */
-  const tr = sha3_js.shake256.create({}).update(pk).xof(TRBytes);
+  const tr = shake256.create({}).update(pk).xof(TRBytes);
 
   const pre = new Uint8Array(2 + ctx.length);
   pre[0] = 0;
@@ -1501,7 +1876,7 @@ function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
   } catch {
     return false;
   }
-  const muFull = sha3_js.shake256.create({}).update(tr).update(pre).update(mBytes).xof(CRHBytes);
+  const muFull = shake256.create({}).update(tr).update(pre).update(mBytes).xof(CRHBytes);
   mu.set(muFull);
 
   /* Matrix-vector multiplication; compute Az - c2^dt1 */
@@ -1526,7 +1901,7 @@ function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
   polyVecKPackW1(buf, w1);
 
   /* Call random oracle and verify challenge */
-  const c2Hash = sha3_js.shake256.create({}).update(mu).update(buf).xof(CTILDEBytes);
+  const c2Hash = shake256.create({}).update(mu).update(buf).xof(CTILDEBytes);
   c2.set(c2Hash);
 
   // Constant-time comparison to prevent timing attacks
@@ -1545,17 +1920,19 @@ function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
  *
  * @param {Uint8Array} sm - Signed message (signature || message)
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string used during signing (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
  * @returns {Uint8Array|undefined} The original message if valid, undefined if verification fails
  *
  * @example
- * const message = cryptoSignOpen(signedMsg, pk);
+ * const message = cryptoSignOpen(signedMsg, pk, ctx);
  * if (message === undefined) {
  *   throw new Error('Invalid signature');
  * }
  */
-function cryptoSignOpen(sm, pk, ctx = DEFAULT_CTX) {
+function cryptoSignOpen(sm, pk, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (sm.length < CryptoBytes) {
     return undefined;
   }

package/dist/mjs/mldsa87.js

@@ -174,7 +174,7 @@ function cAddQ(a) {
 
 function ntt(a) {
   let k = 0;
-  let j = 0;
+  let j;
 
   for (let len = 128; len > 0; len >>= 1) {
     for (let start = 0; start < N; start = j + len) {
@@ -190,7 +190,7 @@ function ntt(a) {
 
 function invNTTToMont(a) {
   const f = 41978n; // mont^2/256
-  let j = 0;
+  let j;
   let k = 256;
 
   for (let len = 1; len < N; len <<= 1) {
@@ -1107,13 +1107,6 @@ function isZero(buffer) {
   return acc === 0;
 }
 
-/**
- * Default signing context ("ZOND" in ASCII).
- * Used for domain separation per FIPS 204.
- * @constant {Uint8Array}
- */
-const DEFAULT_CTX = new Uint8Array([0x5a, 0x4f, 0x4e, 0x44]); // "ZOND"
-
 /**
  * Convert hex string to Uint8Array with strict validation.
  *
@@ -1187,9 +1180,9 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
     }
   } catch (e) {
     if (e instanceof TypeError) {
-      throw new Error(`pk/sk cannot be null`);
+      throw new Error(`pk/sk cannot be null`, { cause: e });
     } else {
-      throw new Error(`${e.message}`);
+      throw new Error(`${e.message}`, { cause: e });
     }
   }
 
@@ -1268,21 +1261,22 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
  * @param {boolean} randomizedSigning - If true, use random nonce for hedged signing.
  *   If false, use deterministic nonce derived from message and key.
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string for domain separation (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
  * @returns {number} 0 on success
- * @throws {Error} If sk is wrong size or context exceeds 255 bytes
+ * @throws {Error} If ctx is missing, sk is wrong size, or context exceeds 255 bytes
  *
  * @example
  * const sig = new Uint8Array(CryptoBytes);
- * cryptoSignSignature(sig, message, sk, false);
- * // Or with custom context:
- * cryptoSignSignature(sig, message, sk, false, new Uint8Array([0x01, 0x02]));
+ * const ctx = new Uint8Array([0x01, 0x02]);
+ * cryptoSignSignature(sig, message, sk, false, ctx);
  */
-function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
+function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
   if (!sig || sig.length < CryptoBytes) {
     throw new Error(`sig must be at least ${CryptoBytes} bytes`);
   }
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (ctx.length > 255) throw new Error(`invalid context length: ${ctx.length} (max 255)`);
   if (sk.length !== CryptoSecretKeyBytes) {
     throw new Error(`invalid sk length ${sk.length} | Expected length ${CryptoSecretKeyBytes}`);
@@ -1409,16 +1403,18 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx = DEFAULT_CTX) {
  * @param {string|Uint8Array} msg - Message to sign (hex string, optional 0x prefix, or Uint8Array)
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
  * @param {boolean} randomizedSigning - If true, use random nonce; if false, deterministic
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string for domain separation (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
  * @returns {Uint8Array} Signed message (CryptoBytes + msg.length bytes)
  * @throws {Error} If signing fails
  *
  * @example
- * const signedMsg = cryptoSign(message, sk, false);
+ * const signedMsg = cryptoSign(message, sk, false, ctx);
  * // signedMsg contains: signature (4627 bytes) || message
  */
-function cryptoSign(msg, sk, randomizedSigning, ctx = DEFAULT_CTX) {
+function cryptoSign(msg, sk, randomizedSigning, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   const msgBytes = messageToBytes(msg);
 
   const sm = new Uint8Array(CryptoBytes + msgBytes.length);
@@ -1445,17 +1441,19 @@ function cryptoSign(msg, sk, randomizedSigning, ctx = DEFAULT_CTX) {
  * @param {Uint8Array} sig - Signature to verify (must be CryptoBytes = 4627 bytes)
  * @param {string|Uint8Array} m - Message that was signed (hex string, optional 0x prefix, or Uint8Array)
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string used during signing (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
  * @returns {boolean} true if signature is valid, false otherwise
  *
  * @example
- * const isValid = cryptoSignVerify(signature, message, pk);
+ * const isValid = cryptoSignVerify(signature, message, pk, ctx);
  * if (!isValid) {
  *   throw new Error('Invalid signature');
  * }
  */
-function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
+function cryptoSignVerify(sig, m, pk, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (ctx.length > 255) return false;
   let i;
   const buf = new Uint8Array(K * PolyW1PackedBytes);
@@ -1543,17 +1541,19 @@ function cryptoSignVerify(sig, m, pk, ctx = DEFAULT_CTX) {
  *
  * @param {Uint8Array} sm - Signed message (signature || message)
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
- * @param {Uint8Array} [ctx=DEFAULT_CTX] - Context string used during signing (max 255 bytes).
- *   Defaults to "ZOND" for QRL compatibility.
+ * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
  * @returns {Uint8Array|undefined} The original message if valid, undefined if verification fails
  *
  * @example
- * const message = cryptoSignOpen(signedMsg, pk);
+ * const message = cryptoSignOpen(signedMsg, pk, ctx);
  * if (message === undefined) {
  *   throw new Error('Invalid signature');
  * }
  */
-function cryptoSignOpen(sm, pk, ctx = DEFAULT_CTX) {
+function cryptoSignOpen(sm, pk, ctx) {
+  if (!(ctx instanceof Uint8Array)) {
+    throw new TypeError('ctx is required and must be a Uint8Array');
+  }
   if (sm.length < CryptoBytes) {
     return undefined;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@theqrl/mldsa87",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "description": "ML-DSA-87 cryptography",
   "keywords": [
     "ml-dsa",
@@ -33,7 +33,7 @@
   "scripts": {
     "test": "../../node_modules/mocha/bin/mocha.js --require ../../scripts/node-test-setup.cjs --timeout 10000",
     "test:browser": "playwright test",
-    "build": "rollup src/index.js --file ./dist/cjs/mldsa87.js --format cjs && rollup src/index.js --file ./dist/mjs/mldsa87.js --format esm && ./fixup",
+    "build": "rollup -c && ./fixup",
     "lint-check": "eslint 'src/**/*.js' 'test/**/*.js'",
     "lint": "eslint --fix 'src/**/*.js' 'test/**/*.js'",
     "coverage": "c8 npm run test",
@@ -53,19 +53,39 @@
     "node": ">=20.19.0"
   },
   "devDependencies": {
-    "@eslint/js": "^10.0.1",
-    "c8": "^10.1.3",
-    "chai": "^6.2.2",
-    "eslint": "^10.0.0",
-    "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-import-x": "^4.15.0",
-    "eslint-plugin-prettier": "^5.5.4",
-    "globals": "^17.3.0",
-    "mocha": "^11.7.5",
-    "prettier": "^3.8.1",
-    "rollup": "^4.57.1"
+    "@eslint/js": "10.0.1",
+    "@rollup/plugin-node-resolve": "16.0.3",
+    "c8": "11.0.0",
+    "chai": "6.2.2",
+    "eslint": "10.0.3",
+    "eslint-config-prettier": "10.1.8",
+    "eslint-plugin-import-x": "4.16.2",
+    "eslint-plugin-prettier": "5.5.5",
+    "globals": "17.4.0",
+    "minimatch": "10.2.4",
+    "mocha": "11.7.5",
+    "prettier": "3.8.1",
+    "rollup": "4.59.0",
+    "serialize-javascript": "7.0.4",
+    "tar": "7.5.11"
   },
   "dependencies": {
-    "@noble/hashes": "^2.0.1"
+    "@noble/hashes": "2.0.1"
+  },
+  "overrides": {
+    "diff": "8.0.3",
+    "minimatch": "10.2.4"
+  },
+  "c8": {
+    "include": [
+      "src/**"
+    ],
+    "exclude": [
+      "**/dist/**",
+      "**/test/**",
+      "**/browser-tests/**",
+      "**/*.d.ts"
+    ],
+    "all": true
   }
 }

package/src/index.d.ts

@@ -56,12 +56,12 @@ export function cryptoSignKeypair(
 ): Uint8Array;
 
 /**
- * Create a signature for a message with optional context
+ * Create a signature for a message
  * @param sig - Output buffer for signature (must be CryptoBytes length minimum)
  * @param m - Message to sign (hex string or Uint8Array; strings are parsed as hex only)
  * @param sk - Secret key
  * @param randomizedSigning - If true, use random nonce; if false, deterministic
- * @param ctx - Optional context string (max 255 bytes, defaults to "ZOND")
+ * @param ctx - Context string (max 255 bytes)
  * @returns 0 on success
  * @throws Error if sk is wrong size or context too long
  */
@@ -70,7 +70,7 @@ export function cryptoSignSignature(
   m: Uint8Array | string,
   sk: Uint8Array,
   randomizedSigning: boolean,
-  ctx?: Uint8Array
+  ctx: Uint8Array
 ): number;
 
 /**
@@ -78,7 +78,7 @@ export function cryptoSignSignature(
  * @param msg - Message to sign
  * @param sk - Secret key
  * @param randomizedSigning - If true, use random nonce; if false, deterministic
- * @param ctx - Optional context string (max 255 bytes, defaults to "ZOND")
+ * @param ctx - Context string (max 255 bytes)
  * @returns Signed message (signature || message)
  * @throws Error if signing fails
  */
@@ -86,35 +86,35 @@ export function cryptoSign(
   msg: Uint8Array | string,
   sk: Uint8Array,
   randomizedSigning: boolean,
-  ctx?: Uint8Array
+  ctx: Uint8Array
 ): Uint8Array;
 
 /**
- * Verify a signature with optional context
+ * Verify a signature
  * @param sig - Signature to verify
  * @param m - Message that was signed (hex string or Uint8Array; strings are parsed as hex only)
  * @param pk - Public key
- * @param ctx - Optional context string (max 255 bytes, defaults to "ZOND")
+ * @param ctx - Context string (max 255 bytes)
  * @returns true if signature is valid, false otherwise
  */
 export function cryptoSignVerify(
   sig: Uint8Array,
   m: Uint8Array | string,
   pk: Uint8Array,
-  ctx?: Uint8Array
+  ctx: Uint8Array
 ): boolean;
 
 /**
  * Open a signed message (verify and extract message)
  * @param sm - Signed message (signature || message)
  * @param pk - Public key
- * @param ctx - Optional context string (max 255 bytes, defaults to "ZOND")
+ * @param ctx - Context string (max 255 bytes)
  * @returns Message if valid, undefined if verification fails
  */
 export function cryptoSignOpen(
   sm: Uint8Array,
   pk: Uint8Array,
-  ctx?: Uint8Array
+  ctx: Uint8Array
 ): Uint8Array | undefined;
 
 // Utility functions