@theqrl/mldsa87 2.0.0 → 2.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +9 -1
  2. package/dist/cjs/mldsa87.d.cts +319 -0
  3. package/dist/cjs/mldsa87.js +76 -28
  4. package/dist/mjs/mldsa87.d.mts +319 -0
  5. package/dist/mjs/mldsa87.js +76 -28
  6. package/package.json +9 -3
  7. package/src/index.d.ts +115 -0
package/README.md CHANGED
@@ -74,7 +74,7 @@ Context is a required `Uint8Array` and can be 0-255 bytes. Use an empty `Uint8Ar
74
74
 
75
75
  Generate a keypair from a seed.
76
76
 
77
- - `seed`: `Uint8Array(32)` or `null` for random
77
+ - `seed`: `Uint8Array(32)`, `null`, or `undefined` for random
78
78
  - `pk`: `Uint8Array(2592)` - output buffer for public key
79
79
  - `sk`: `Uint8Array(4896)` - output buffer for secret key
80
80
  - Returns: The seed used (useful when `seed` is `null`)
@@ -125,10 +125,17 @@ Verify a detached signature.
125
125
 
126
126
  Zero out sensitive data (best-effort, see security notes).
127
127
 
128
+ - `buffer`: `Uint8Array` - the buffer to zero
129
+ - Throws: `TypeError` if buffer is not a `Uint8Array`
130
+
128
131
  #### `isZero(buffer)`
129
132
 
130
133
  Check if buffer is all zeros (constant-time).
131
134
 
135
+ - `buffer`: `Uint8Array` - the buffer to check
136
+ - Returns: `true` if all bytes are zero
137
+ - Throws: `TypeError` if buffer is not a `Uint8Array`
138
+
132
139
  ## Interoperability
133
140
 
134
141
  Both this library and go-qrllib process ML-DSA-87 seeds identically. Raw seeds produce matching keys:
@@ -157,6 +164,7 @@ See [SECURITY.md](../../SECURITY.md) for important information about:
157
164
 
158
165
  - JavaScript memory security limitations
159
166
  - Constant-time verification
167
+ - **Signing timing variability** — signing is not constant-time due to the algorithm's rejection sampling loop; see SECURITY.md for measured impact and deployment mitigations
160
168
  - Secure key handling recommendations
161
169
 
162
170
  ## Requirements
package/dist/cjs/mldsa87.d.cts ADDED
@@ -0,0 +1,319 @@
1
+ /**
2
+ * TypeScript definitions for @theqrl/mldsa87
3
+ * ML-DSA-87 (FIPS 204) post-quantum digital signature scheme
4
+ */
5
+
6
+ // Constants
7
+ export const Shake128Rate: number;
8
+ export const Shake256Rate: number;
9
+ export const Stream128BlockBytes: number;
10
+ export const Stream256BlockBytes: number;
11
+ export const SeedBytes: number;
12
+ export const CRHBytes: number;
13
+ export const TRBytes: number;
14
+ export const RNDBytes: number;
15
+ export const N: number;
16
+ export const Q: number;
17
+ export const QInv: number;
18
+ export const D: number;
19
+ export const K: number;
20
+ export const L: number;
21
+ export const ETA: number;
22
+ export const TAU: number;
23
+ export const BETA: number;
24
+ export const GAMMA1: number;
25
+ export const GAMMA2: number;
26
+ export const OMEGA: number;
27
+ export const CTILDEBytes: number;
28
+ export const PolyT1PackedBytes: number;
29
+ export const PolyT0PackedBytes: number;
30
+ export const PolyETAPackedBytes: number;
31
+ export const PolyZPackedBytes: number;
32
+ export const PolyVecHPackedBytes: number;
33
+ export const PolyW1PackedBytes: number;
34
+ export const CryptoPublicKeyBytes: number;
35
+ export const CryptoSecretKeyBytes: number;
36
+ export const CryptoBytes: number;
37
+ export const PolyUniformNBlocks: number;
38
+ export const PolyUniformETANBlocks: number;
39
+ export const PolyUniformGamma1NBlocks: number;
40
+ export const zetas: readonly number[];
41
+
42
+ // Core signing functions
43
+
44
+ /**
45
+ * Generate an ML-DSA-87 key pair
46
+ * @param seed - Optional 32-byte seed for deterministic key generation (null for random)
47
+ * @param pk - Output buffer for public key (must be CryptoPublicKeyBytes length)
48
+ * @param sk - Output buffer for secret key (must be CryptoSecretKeyBytes length)
49
+ * @returns The seed used for key generation
50
+ * @throws Error if pk/sk buffers are wrong size or null
51
+ */
52
+ export function cryptoSignKeypair(
53
+ seed: Uint8Array | null,
54
+ pk: Uint8Array,
55
+ sk: Uint8Array
56
+ ): Uint8Array;
57
+
58
+ /**
59
+ * Create a signature for a message
60
+ * @param sig - Output buffer for signature (must be CryptoBytes length minimum)
61
+ * @param m - Message to sign (hex string or Uint8Array; strings are parsed as hex only)
62
+ * @param sk - Secret key
63
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
64
+ * @param ctx - Context string (max 255 bytes)
65
+ * @returns 0 on success
66
+ * @throws Error if sk is wrong size or context too long
67
+ */
68
+ export function cryptoSignSignature(
69
+ sig: Uint8Array,
70
+ m: Uint8Array | string,
71
+ sk: Uint8Array,
72
+ randomizedSigning: boolean,
73
+ ctx: Uint8Array
74
+ ): number;
75
+
76
+ /**
77
+ * Sign a message, returning signature concatenated with message
78
+ * @param msg - Message to sign
79
+ * @param sk - Secret key
80
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
81
+ * @param ctx - Context string (max 255 bytes)
82
+ * @returns Signed message (signature || message)
83
+ * @throws Error if signing fails
84
+ */
85
+ export function cryptoSign(
86
+ msg: Uint8Array | string,
87
+ sk: Uint8Array,
88
+ randomizedSigning: boolean,
89
+ ctx: Uint8Array
90
+ ): Uint8Array;
91
+
92
+ /**
93
+ * Verify a signature
94
+ * @param sig - Signature to verify
95
+ * @param m - Message that was signed (hex string or Uint8Array; strings are parsed as hex only)
96
+ * @param pk - Public key
97
+ * @param ctx - Context string (max 255 bytes)
98
+ * @returns true if signature is valid, false otherwise
99
+ */
100
+ export function cryptoSignVerify(
101
+ sig: Uint8Array,
102
+ m: Uint8Array | string,
103
+ pk: Uint8Array,
104
+ ctx: Uint8Array
105
+ ): boolean;
106
+
107
+ /**
108
+ * Open a signed message (verify and extract message)
109
+ * @param sm - Signed message (signature || message)
110
+ * @param pk - Public key
111
+ * @param ctx - Context string (max 255 bytes)
112
+ * @returns Message if valid, undefined if verification fails
113
+ */
114
+ export function cryptoSignOpen(
115
+ sm: Uint8Array,
116
+ pk: Uint8Array,
117
+ ctx: Uint8Array
118
+ ): Uint8Array | undefined;
119
+
120
+ // Utility functions
121
+
122
+ /**
123
+ * Zero out a buffer (best-effort, see SECURITY.md for limitations)
124
+ * @param buffer - Buffer to zero
125
+ * @throws TypeError if buffer is not Uint8Array
126
+ */
127
+ export function zeroize(buffer: Uint8Array): void;
128
+
129
+ /**
130
+ * Check if buffer is all zeros using constant-time comparison
131
+ * @param buffer - Buffer to check
132
+ * @returns true if all bytes are zero
133
+ * @throws TypeError if buffer is not Uint8Array
134
+ */
135
+ export function isZero(buffer: Uint8Array): boolean;
136
+
137
+ // Internal classes (exported but primarily for internal use)
138
+
139
+ export class Poly {
140
+ coeffs: Int32Array;
141
+ constructor();
142
+ copy(poly: Poly): void;
143
+ }
144
+
145
+ export class PolyVecK {
146
+ vec: Poly[];
147
+ constructor();
148
+ }
149
+
150
+ export class PolyVecL {
151
+ vec: Poly[];
152
+ constructor();
153
+ copy(polyVecL: PolyVecL): void;
154
+ }
155
+
156
+ export class KeccakState {
157
+ constructor();
158
+ }
159
+
160
+ // Internal functions (exported but primarily for internal use)
161
+ export function polyNTT(a: Poly): void;
162
+ export function polyInvNTTToMont(a: Poly): void;
163
+ export function polyChallenge(c: Poly, seed: Uint8Array): void;
164
+ export function ntt(a: Int32Array): void;
165
+ export function invNTTToMont(a: Int32Array): void;
166
+ export function montgomeryReduce(a: bigint): bigint;
167
+ export function reduce32(a: number): number;
168
+ export function cAddQ(a: number): number;
169
+ export function decompose(a0: Int32Array, i: number, a: number): number;
170
+ export function power2round(a0: Int32Array, i: number, a: number): number;
171
+ export function makeHint(a0: number, a1: number): number;
172
+ export function useHint(a: number, hint: number): number;
173
+ export function packPk(pk: Uint8Array, rho: Uint8Array, t1: PolyVecK): void;
174
+ export function packSk(
175
+ sk: Uint8Array,
176
+ rho: Uint8Array,
177
+ tr: Uint8Array,
178
+ key: Uint8Array,
179
+ t0: PolyVecK,
180
+ s1: PolyVecL,
181
+ s2: PolyVecK
182
+ ): void;
183
+ export function packSig(
184
+ sig: Uint8Array,
185
+ c: Uint8Array,
186
+ z: PolyVecL,
187
+ h: PolyVecK
188
+ ): void;
189
+ export function unpackPk(rho: Uint8Array, t1: PolyVecK, pk: Uint8Array): void;
190
+ export function unpackSk(
191
+ rho: Uint8Array,
192
+ tr: Uint8Array,
193
+ key: Uint8Array,
194
+ t0: PolyVecK,
195
+ s1: PolyVecL,
196
+ s2: PolyVecK,
197
+ sk: Uint8Array
198
+ ): void;
199
+ export function unpackSig(
200
+ c: Uint8Array,
201
+ z: PolyVecL,
202
+ h: PolyVecK,
203
+ sig: Uint8Array
204
+ ): number;
205
+
206
+ // FIPS 202 SHAKE primitives (low-level XOF interface, primarily internal)
207
+ export function shake128Init(state: KeccakState): void;
208
+ export function shake128Absorb(state: KeccakState, input: Uint8Array): void;
209
+ export function shake128Finalize(state: KeccakState): void;
210
+ export function shake128SqueezeBlocks(
211
+ out: Uint8Array,
212
+ outputOffset: number,
213
+ nBlocks: number,
214
+ state: KeccakState
215
+ ): void;
216
+ export function shake256Init(state: KeccakState): void;
217
+ export function shake256Absorb(state: KeccakState, input: Uint8Array): void;
218
+ export function shake256Finalize(state: KeccakState): void;
219
+ export function shake256SqueezeBlocks(
220
+ out: Uint8Array,
221
+ outputOffset: number,
222
+ nBlocks: number,
223
+ state: KeccakState
224
+ ): void;
225
+
226
+ // ML-DSA-specific stream initializers
227
+ export function mldsaShake128StreamInit(
228
+ state: KeccakState,
229
+ seed: Uint8Array,
230
+ nonce: number
231
+ ): void;
232
+ export function mldsaShake256StreamInit(
233
+ state: KeccakState,
234
+ seed: Uint8Array,
235
+ nonce: number
236
+ ): void;
237
+
238
+ // Polynomial operations (internal)
239
+ export function polyReduce(a: Poly): void;
240
+ export function polyCAddQ(a: Poly): void;
241
+ export function polyAdd(c: Poly, a: Poly, b: Poly): void;
242
+ export function polySub(c: Poly, a: Poly, b: Poly): void;
243
+ export function polyShiftL(a: Poly): void;
244
+ export function polyPointWiseMontgomery(c: Poly, a: Poly, b: Poly): void;
245
+ export function polyPower2round(a1: Poly, a0: Poly, a: Poly): void;
246
+ export function polyDecompose(a1: Poly, a0: Poly, a: Poly): void;
247
+ export function polyMakeHint(h: Poly, a0: Poly, a1: Poly): number;
248
+ export function polyUseHint(b: Poly, a: Poly, h: Poly): void;
249
+ export function polyChkNorm(a: Poly, b: number): number;
250
+ export function rejUniform(
251
+ a: Int32Array,
252
+ aOffset: number,
253
+ len: number,
254
+ buf: Uint8Array,
255
+ bufLen: number
256
+ ): number;
257
+ export function polyUniform(a: Poly, seed: Uint8Array, nonce: number): void;
258
+ export function rejEta(
259
+ a: Int32Array,
260
+ aOffset: number,
261
+ len: number,
262
+ buf: Uint8Array,
263
+ bufLen: number
264
+ ): number;
265
+ export function polyUniformEta(a: Poly, seed: Uint8Array, nonce: number): void;
266
+ export function polyZUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
267
+ export function polyUniformGamma1(a: Poly, seed: Uint8Array, nonce: number): void;
268
+ export function polyEtaPack(r: Uint8Array, rOffset: number, a: Poly): void;
269
+ export function polyEtaUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
270
+ export function polyT1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
271
+ export function polyT1Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
272
+ export function polyT0Pack(r: Uint8Array, rOffset: number, a: Poly): void;
273
+ export function polyT0Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
274
+ export function polyZPack(r: Uint8Array, rOffset: number, a: Poly): void;
275
+ export function polyW1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
276
+
277
+ // Polynomial vector operations (internal)
278
+ export function polyVecMatrixExpand(mat: PolyVecL[], rho: Uint8Array): void;
279
+ export function polyVecMatrixPointWiseMontgomery(
280
+ t: PolyVecK,
281
+ mat: PolyVecL[],
282
+ v: PolyVecL
283
+ ): void;
284
+ export function polyVecLUniformEta(v: PolyVecL, seed: Uint8Array, nonce: number): void;
285
+ export function polyVecLUniformGamma1(v: PolyVecL, seed: Uint8Array, nonce: number): void;
286
+ export function polyVecLReduce(v: PolyVecL): void;
287
+ export function polyVecLAdd(w: PolyVecL, u: PolyVecL, v: PolyVecL): void;
288
+ export function polyVecLNTT(v: PolyVecL): void;
289
+ export function polyVecLInvNTTToMont(v: PolyVecL): void;
290
+ export function polyVecLPointWisePolyMontgomery(
291
+ r: PolyVecL,
292
+ a: Poly,
293
+ v: PolyVecL
294
+ ): void;
295
+ export function polyVecLPointWiseAccMontgomery(
296
+ w: Poly,
297
+ u: PolyVecL,
298
+ v: PolyVecL
299
+ ): void;
300
+ export function polyVecLChkNorm(v: PolyVecL, bound: number): number;
301
+ export function polyVecKUniformEta(v: PolyVecK, seed: Uint8Array, nonce: number): void;
302
+ export function polyVecKReduce(v: PolyVecK): void;
303
+ export function polyVecKCAddQ(v: PolyVecK): void;
304
+ export function polyVecKAdd(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
305
+ export function polyVecKSub(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
306
+ export function polyVecKShiftL(v: PolyVecK): void;
307
+ export function polyVecKNTT(v: PolyVecK): void;
308
+ export function polyVecKInvNTTToMont(v: PolyVecK): void;
309
+ export function polyVecKPointWisePolyMontgomery(
310
+ r: PolyVecK,
311
+ a: Poly,
312
+ v: PolyVecK
313
+ ): void;
314
+ export function polyVecKChkNorm(v: PolyVecK, bound: number): number;
315
+ export function polyVecKPower2round(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
316
+ export function polyVecKDecompose(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
317
+ export function polyVecKMakeHint(h: PolyVecK, v0: PolyVecK, v1: PolyVecK): number;
318
+ export function polyVecKUseHint(w: PolyVecK, u: PolyVecK, h: PolyVecK): void;
319
+ export function polyVecKPackW1(r: Uint8Array, w1: PolyVecK): void;
package/dist/cjs/mldsa87.js CHANGED
@@ -539,12 +539,16 @@ function montgomeryReduce(a) {
539
539
  return t;
540
540
  }
541
541
 
542
+ // Partial reduction modulo Q. Input must satisfy |a| < 2^31 - 2^22.
543
+ // Output is in (-Q, Q). Mirrors the reference C implementation.
542
544
  function reduce32(a) {
543
545
  let t = (a + (1 << 22)) >> 23;
544
546
  t = a - t * Q;
545
547
  return t;
546
548
  }
547
549
 
550
+ // Conditional add Q: if a is negative, add Q. Input must satisfy -Q < a < 2^31.
551
+ // Output is in [0, Q). Mirrors the reference C implementation.
548
552
  function cAddQ(a) {
549
553
  let ar = a;
550
554
  ar += (ar >> 31) & Q;
@@ -706,10 +710,7 @@ function polyChkNorm(a, b) {
706
710
  }
707
711
 
708
712
  for (let i = 0; i < N; i++) {
709
- let t = a.coeffs[i] >> 31;
710
- t = a.coeffs[i] - (t & (2 * a.coeffs[i]));
711
-
712
- if (t >= b) {
713
+ if (Math.abs(a.coeffs[i]) >= b) {
713
714
  return 1;
714
715
  }
715
716
  }
@@ -1250,6 +1251,9 @@ function packPk(pkp, rho, t1) {
1250
1251
  }
1251
1252
 
1252
1253
  function unpackPk(rhop, t1, pk) {
1254
+ if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
1255
+ throw new Error(`pk must be a Uint8Array of ${CryptoPublicKeyBytes} bytes`);
1256
+ }
1253
1257
  const rho = rhop;
1254
1258
  for (let i = 0; i < SeedBytes; ++i) {
1255
1259
  rho[i] = pk[i];
@@ -1294,6 +1298,9 @@ function packSk(skp, rho, tr, key, t0, s1, s2) {
1294
1298
  }
1295
1299
 
1296
1300
  function unpackSk(rhoP, trP, keyP, t0, s1, s2, sk) {
1301
+ if (!(sk instanceof Uint8Array) || sk.length !== CryptoSecretKeyBytes) {
1302
+ throw new Error(`sk must be a Uint8Array of ${CryptoSecretKeyBytes} bytes`);
1303
+ }
1297
1304
  let skOffset = 0;
1298
1305
  const rho = rhoP;
1299
1306
  const tr = trP;
@@ -1349,6 +1356,12 @@ function packSig(sigP, ctilde, z, h) {
1349
1356
  for (let i = 0; i < K; ++i) {
1350
1357
  for (let j = 0; j < N; ++j) {
1351
1358
  if (h.vec[i].coeffs[j] !== 0) {
1359
+ if (h.vec[i].coeffs[j] !== 1) {
1360
+ throw new Error('hint coefficients must be binary (0 or 1)');
1361
+ }
1362
+ if (k >= OMEGA) {
1363
+ throw new Error(`hint count exceeds OMEGA (${OMEGA})`);
1364
+ }
1352
1365
  sig[sigOffset + k++] = j;
1353
1366
  }
1354
1367
  }
@@ -1357,7 +1370,12 @@ function packSig(sigP, ctilde, z, h) {
1357
1370
  }
1358
1371
  }
1359
1372
 
1373
+ // Returns 0 on success, 1 on failure. On failure, output buffers (c, z, h)
1374
+ // may contain partial data and must not be used.
1360
1375
  function unpackSig(cP, z, hP, sig) {
1376
+ if (!(sig instanceof Uint8Array) || sig.length !== CryptoBytes) {
1377
+ throw new Error(`sig must be a Uint8Array of ${CryptoBytes} bytes`);
1378
+ }
1361
1379
  let sigOffset = 0;
1362
1380
  const c = cP; // ctilde
1363
1381
  const h = hP;
@@ -1452,6 +1470,8 @@ function randomBytes(size) {
1452
1470
  *
1453
1471
  * @param {Uint8Array} buffer - The buffer to zero
1454
1472
  * @returns {void}
1473
+ * @throws {TypeError} If buffer is not a Uint8Array
1474
+ * @throws {Error} If zeroization verification fails
1455
1475
  */
1456
1476
  function zeroize(buffer) {
1457
1477
  if (!(buffer instanceof Uint8Array)) {
@@ -1474,6 +1494,7 @@ function zeroize(buffer) {
1474
1494
  *
1475
1495
  * @param {Uint8Array} buffer - The buffer to check
1476
1496
  * @returns {boolean} True if all bytes are zero
1497
+ * @throws {TypeError} If buffer is not a Uint8Array
1477
1498
  */
1478
1499
  function isZero(buffer) {
1479
1500
  if (!(buffer instanceof Uint8Array)) {
@@ -1489,16 +1510,12 @@ function isZero(buffer) {
1489
1510
  /**
1490
1511
  * Convert hex string to Uint8Array with strict validation.
1491
1512
  *
1492
- * NOTE: This function accepts multiple hex formats (with/without 0x prefix,
1493
- * leading/trailing whitespace). While user-friendly, this flexibility could
1494
- * mask input errors. Applications requiring strict format validation should
1495
- * validate hex format before calling cryptographic functions, e.g.:
1496
- * - Reject strings with 0x prefix if raw hex is expected
1497
- * - Reject strings with whitespace
1498
- * - Enforce consistent casing (lowercase/uppercase)
1513
+ * Accepts an optional 0x/0X prefix. Leading/trailing whitespace is rejected.
1514
+ * Empty strings and whitespace-only strings are rejected.
1499
1515
  *
1500
- * @param {string} hex - Hex string (optional 0x prefix, even length).
1516
+ * @param {string} hex - Hex string (optional 0x prefix, even length, no whitespace).
1501
1517
  * @returns {Uint8Array} Decoded bytes.
1518
+ * @throws {Error} If input is not a valid hex string
1502
1519
  * @private
1503
1520
  */
1504
1521
  function hexToBytes(hex) {
@@ -1507,11 +1524,16 @@ function hexToBytes(hex) {
1507
1524
  throw new Error('message must be a hex string');
1508
1525
  }
1509
1526
  /* c8 ignore stop */
1510
- let clean = hex.trim();
1511
- // Accepts both "0x..." and raw hex formats for convenience
1527
+ if (hex !== hex.trim()) {
1528
+ throw new Error('hex string must not have leading or trailing whitespace');
1529
+ }
1530
+ let clean = hex;
1512
1531
  if (clean.startsWith('0x') || clean.startsWith('0X')) {
1513
1532
  clean = clean.slice(2);
1514
1533
  }
1534
+ if (clean.length === 0) {
1535
+ throw new Error('hex string must not be empty');
1536
+ }
1515
1537
  if (clean.length % 2 !== 0) {
1516
1538
  throw new Error('hex string must have an even length');
1517
1539
  }
@@ -1521,6 +1543,14 @@ function hexToBytes(hex) {
1521
1543
  return hexToBytes$1(clean);
1522
1544
  }
1523
1545
 
1546
+ /**
1547
+ * Convert a message to Uint8Array.
1548
+ *
1549
+ * @param {string|Uint8Array} message - Message as hex string (optional 0x prefix) or Uint8Array.
1550
+ * @returns {Uint8Array} Message bytes.
1551
+ * @throws {Error} If message is not a Uint8Array or valid hex string
1552
+ * @private
1553
+ */
1524
1554
  function messageToBytes(message) {
1525
1555
  if (typeof message === 'string') {
1526
1556
  return hexToBytes(message);
@@ -1537,8 +1567,8 @@ function messageToBytes(message) {
1537
1567
  * Key generation follows FIPS 204, using domain separator [K, L] during
1538
1568
  * seed expansion to ensure algorithm binding.
1539
1569
  *
1540
- * @param {Uint8Array|null} passedSeed - Optional 32-byte seed for deterministic key generation.
1541
- * Pass null for random key generation.
1570
+ * @param {Uint8Array|null} [passedSeed=null] - Optional 32-byte seed for deterministic key generation.
1571
+ * Pass null or undefined for random key generation.
1542
1572
  * @param {Uint8Array} pk - Output buffer for public key (must be CryptoPublicKeyBytes = 2592 bytes)
1543
1573
  * @param {Uint8Array} sk - Output buffer for secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1544
1574
  * @returns {Uint8Array} The seed used for key generation (useful when passedSeed is null)
@@ -1630,7 +1660,7 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1630
1660
  }
1631
1661
 
1632
1662
  /**
1633
- * Create a detached signature for a message with optional context.
1663
+ * Create a detached signature for a message with context.
1634
1664
  *
1635
1665
  * Uses the ML-DSA-87 (FIPS 204) signing algorithm with rejection sampling.
1636
1666
  * The context parameter provides domain separation as required by FIPS 204.
@@ -1640,9 +1670,16 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1640
1670
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1641
1671
  * @param {boolean} randomizedSigning - If true, use random nonce for hedged signing.
1642
1672
  * If false, use deterministic nonce derived from message and key.
1643
- * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
1673
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes).
1674
+ * Pass an empty Uint8Array for no context.
1644
1675
  * @returns {number} 0 on success
1645
- * @throws {Error} If ctx is missing, sk is wrong size, or context exceeds 255 bytes
1676
+ * @throws {TypeError} If sig is not a Uint8Array or is smaller than CryptoBytes
1677
+ * @throws {TypeError} If sk is not a Uint8Array
1678
+ * @throws {TypeError} If ctx is not a Uint8Array
1679
+ * @throws {TypeError} If randomizedSigning is not a boolean
1680
+ * @throws {Error} If ctx exceeds 255 bytes
1681
+ * @throws {Error} If sk length does not equal CryptoSecretKeyBytes
1682
+ * @throws {Error} If message is not a Uint8Array or valid hex string
1646
1683
  *
1647
1684
  * @example
1648
1685
  * const sig = new Uint8Array(CryptoBytes);
@@ -1650,13 +1687,19 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1650
1687
  * cryptoSignSignature(sig, message, sk, false, ctx);
1651
1688
  */
1652
1689
  function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1653
- if (!sig || sig.length < CryptoBytes) {
1654
- throw new Error(`sig must be at least ${CryptoBytes} bytes`);
1690
+ if (!(sig instanceof Uint8Array) || sig.length < CryptoBytes) {
1691
+ throw new TypeError(`sig must be at least ${CryptoBytes} bytes and a Uint8Array`);
1692
+ }
1693
+ if (!(sk instanceof Uint8Array)) {
1694
+ throw new TypeError('sk must be a Uint8Array');
1655
1695
  }
1656
1696
  if (!(ctx instanceof Uint8Array)) {
1657
1697
  throw new TypeError('ctx is required and must be a Uint8Array');
1658
1698
  }
1659
1699
  if (ctx.length > 255) throw new Error(`invalid context length: ${ctx.length} (max 255)`);
1700
+ if (typeof randomizedSigning !== 'boolean') {
1701
+ throw new TypeError('randomizedSigning must be a boolean');
1702
+ }
1660
1703
  if (sk.length !== CryptoSecretKeyBytes) {
1661
1704
  throw new Error(`invalid sk length ${sk.length} | Expected length ${CryptoSecretKeyBytes}`);
1662
1705
  }
@@ -1696,6 +1739,7 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1696
1739
  // rhoPrime = SHAKE256(key || rnd || mu)
1697
1740
  const rnd = randomizedSigning ? randomBytes(RNDBytes) : new Uint8Array(RNDBytes);
1698
1741
  rhoPrime = shake256.create({}).update(key).update(rnd).update(mu).xof(CRHBytes);
1742
+ zeroize(rnd);
1699
1743
 
1700
1744
  polyVecMatrixExpand(mat, rho);
1701
1745
  polyVecLNTT(s1);
@@ -1782,9 +1826,11 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1782
1826
  * @param {string|Uint8Array} msg - Message to sign (hex string, optional 0x prefix, or Uint8Array)
1783
1827
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1784
1828
  * @param {boolean} randomizedSigning - If true, use random nonce; if false, deterministic
1785
- * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
1829
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes).
1786
1830
  * @returns {Uint8Array} Signed message (CryptoBytes + msg.length bytes)
1787
- * @throws {Error} If signing fails
1831
+ * @throws {TypeError} If ctx is not a Uint8Array
1832
+ * @throws {TypeError} If sk or randomizedSigning fail type validation (see cryptoSignSignature)
1833
+ * @throws {Error} If signing fails or message/sk/ctx are invalid
1788
1834
  *
1789
1835
  * @example
1790
1836
  * const signedMsg = cryptoSign(message, sk, false, ctx);
@@ -1812,7 +1858,7 @@ function cryptoSign(msg, sk, randomizedSigning, ctx) {
1812
1858
  }
1813
1859
 
1814
1860
  /**
1815
- * Verify a detached signature with optional context.
1861
+ * Verify a detached signature with context.
1816
1862
  *
1817
1863
  * Performs constant-time verification to prevent timing side-channel attacks.
1818
1864
  * The context must match the one used during signing.
@@ -1820,8 +1866,9 @@ function cryptoSign(msg, sk, randomizedSigning, ctx) {
1820
1866
  * @param {Uint8Array} sig - Signature to verify (must be CryptoBytes = 4627 bytes)
1821
1867
  * @param {string|Uint8Array} m - Message that was signed (hex string, optional 0x prefix, or Uint8Array)
1822
1868
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
1823
- * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
1869
+ * @param {Uint8Array} ctx - Context string used during signing (required, max 255 bytes).
1824
1870
  * @returns {boolean} true if signature is valid, false otherwise
1871
+ * @throws {TypeError} If ctx is not a Uint8Array
1825
1872
  *
1826
1873
  * @example
1827
1874
  * const isValid = cryptoSignVerify(signature, message, pk, ctx);
@@ -1847,10 +1894,10 @@ function cryptoSignVerify(sig, m, pk, ctx) {
1847
1894
  const w1 = new PolyVecK();
1848
1895
  const h = new PolyVecK();
1849
1896
 
1850
- if (sig.length !== CryptoBytes) {
1897
+ if (!(sig instanceof Uint8Array) || sig.length !== CryptoBytes) {
1851
1898
  return false;
1852
1899
  }
1853
- if (pk.length !== CryptoPublicKeyBytes) {
1900
+ if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
1854
1901
  return false;
1855
1902
  }
1856
1903
 
@@ -1920,8 +1967,9 @@ function cryptoSignVerify(sig, m, pk, ctx) {
1920
1967
  *
1921
1968
  * @param {Uint8Array} sm - Signed message (signature || message)
1922
1969
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
1923
- * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
1970
+ * @param {Uint8Array} ctx - Context string used during signing (required, max 255 bytes).
1924
1971
  * @returns {Uint8Array|undefined} The original message if valid, undefined if verification fails
1972
+ * @throws {TypeError} If ctx is not a Uint8Array
1925
1973
  *
1926
1974
  * @example
1927
1975
  * const message = cryptoSignOpen(signedMsg, pk, ctx);
package/dist/mjs/mldsa87.d.mts ADDED
@@ -0,0 +1,319 @@
1
+ /**
2
+ * TypeScript definitions for @theqrl/mldsa87
3
+ * ML-DSA-87 (FIPS 204) post-quantum digital signature scheme
4
+ */
5
+
6
+ // Constants
7
+ export const Shake128Rate: number;
8
+ export const Shake256Rate: number;
9
+ export const Stream128BlockBytes: number;
10
+ export const Stream256BlockBytes: number;
11
+ export const SeedBytes: number;
12
+ export const CRHBytes: number;
13
+ export const TRBytes: number;
14
+ export const RNDBytes: number;
15
+ export const N: number;
16
+ export const Q: number;
17
+ export const QInv: number;
18
+ export const D: number;
19
+ export const K: number;
20
+ export const L: number;
21
+ export const ETA: number;
22
+ export const TAU: number;
23
+ export const BETA: number;
24
+ export const GAMMA1: number;
25
+ export const GAMMA2: number;
26
+ export const OMEGA: number;
27
+ export const CTILDEBytes: number;
28
+ export const PolyT1PackedBytes: number;
29
+ export const PolyT0PackedBytes: number;
30
+ export const PolyETAPackedBytes: number;
31
+ export const PolyZPackedBytes: number;
32
+ export const PolyVecHPackedBytes: number;
33
+ export const PolyW1PackedBytes: number;
34
+ export const CryptoPublicKeyBytes: number;
35
+ export const CryptoSecretKeyBytes: number;
36
+ export const CryptoBytes: number;
37
+ export const PolyUniformNBlocks: number;
38
+ export const PolyUniformETANBlocks: number;
39
+ export const PolyUniformGamma1NBlocks: number;
40
+ export const zetas: readonly number[];
41
+
42
+ // Core signing functions
43
+
44
+ /**
45
+ * Generate an ML-DSA-87 key pair
46
+ * @param seed - Optional 32-byte seed for deterministic key generation (null for random)
47
+ * @param pk - Output buffer for public key (must be CryptoPublicKeyBytes length)
48
+ * @param sk - Output buffer for secret key (must be CryptoSecretKeyBytes length)
49
+ * @returns The seed used for key generation
50
+ * @throws Error if pk/sk buffers are wrong size or null
51
+ */
52
+ export function cryptoSignKeypair(
53
+ seed: Uint8Array | null,
54
+ pk: Uint8Array,
55
+ sk: Uint8Array
56
+ ): Uint8Array;
57
+
58
+ /**
59
+ * Create a signature for a message
60
+ * @param sig - Output buffer for signature (must be CryptoBytes length minimum)
61
+ * @param m - Message to sign (hex string or Uint8Array; strings are parsed as hex only)
62
+ * @param sk - Secret key
63
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
64
+ * @param ctx - Context string (max 255 bytes)
65
+ * @returns 0 on success
66
+ * @throws Error if sk is wrong size or context too long
67
+ */
68
+ export function cryptoSignSignature(
69
+ sig: Uint8Array,
70
+ m: Uint8Array | string,
71
+ sk: Uint8Array,
72
+ randomizedSigning: boolean,
73
+ ctx: Uint8Array
74
+ ): number;
75
+
76
+ /**
77
+ * Sign a message, returning signature concatenated with message
78
+ * @param msg - Message to sign
79
+ * @param sk - Secret key
80
+ * @param randomizedSigning - If true, use random nonce; if false, deterministic
81
+ * @param ctx - Context string (max 255 bytes)
82
+ * @returns Signed message (signature || message)
83
+ * @throws Error if signing fails
84
+ */
85
+ export function cryptoSign(
86
+ msg: Uint8Array | string,
87
+ sk: Uint8Array,
88
+ randomizedSigning: boolean,
89
+ ctx: Uint8Array
90
+ ): Uint8Array;
91
+
92
+ /**
93
+ * Verify a signature
94
+ * @param sig - Signature to verify
95
+ * @param m - Message that was signed (hex string or Uint8Array; strings are parsed as hex only)
96
+ * @param pk - Public key
97
+ * @param ctx - Context string (max 255 bytes)
98
+ * @returns true if signature is valid, false otherwise
99
+ */
100
+ export function cryptoSignVerify(
101
+ sig: Uint8Array,
102
+ m: Uint8Array | string,
103
+ pk: Uint8Array,
104
+ ctx: Uint8Array
105
+ ): boolean;
106
+
107
+ /**
108
+ * Open a signed message (verify and extract message)
109
+ * @param sm - Signed message (signature || message)
110
+ * @param pk - Public key
111
+ * @param ctx - Context string (max 255 bytes)
112
+ * @returns Message if valid, undefined if verification fails
113
+ */
114
+ export function cryptoSignOpen(
115
+ sm: Uint8Array,
116
+ pk: Uint8Array,
117
+ ctx: Uint8Array
118
+ ): Uint8Array | undefined;
119
+
120
+ // Utility functions
121
+
122
+ /**
123
+ * Zero out a buffer (best-effort, see SECURITY.md for limitations)
124
+ * @param buffer - Buffer to zero
125
+ * @throws TypeError if buffer is not Uint8Array
126
+ */
127
+ export function zeroize(buffer: Uint8Array): void;
128
+
129
+ /**
130
+ * Check if buffer is all zeros using constant-time comparison
131
+ * @param buffer - Buffer to check
132
+ * @returns true if all bytes are zero
133
+ * @throws TypeError if buffer is not Uint8Array
134
+ */
135
+ export function isZero(buffer: Uint8Array): boolean;
136
+
137
+ // Internal classes (exported but primarily for internal use)
138
+
139
+ export class Poly {
140
+ coeffs: Int32Array;
141
+ constructor();
142
+ copy(poly: Poly): void;
143
+ }
144
+
145
+ export class PolyVecK {
146
+ vec: Poly[];
147
+ constructor();
148
+ }
149
+
150
+ export class PolyVecL {
151
+ vec: Poly[];
152
+ constructor();
153
+ copy(polyVecL: PolyVecL): void;
154
+ }
155
+
156
+ export class KeccakState {
157
+ constructor();
158
+ }
159
+
160
+ // Internal functions (exported but primarily for internal use)
161
+ export function polyNTT(a: Poly): void;
162
+ export function polyInvNTTToMont(a: Poly): void;
163
+ export function polyChallenge(c: Poly, seed: Uint8Array): void;
164
+ export function ntt(a: Int32Array): void;
165
+ export function invNTTToMont(a: Int32Array): void;
166
+ export function montgomeryReduce(a: bigint): bigint;
167
+ export function reduce32(a: number): number;
168
+ export function cAddQ(a: number): number;
169
+ export function decompose(a0: Int32Array, i: number, a: number): number;
170
+ export function power2round(a0: Int32Array, i: number, a: number): number;
171
+ export function makeHint(a0: number, a1: number): number;
172
+ export function useHint(a: number, hint: number): number;
173
+ export function packPk(pk: Uint8Array, rho: Uint8Array, t1: PolyVecK): void;
174
+ export function packSk(
175
+ sk: Uint8Array,
176
+ rho: Uint8Array,
177
+ tr: Uint8Array,
178
+ key: Uint8Array,
179
+ t0: PolyVecK,
180
+ s1: PolyVecL,
181
+ s2: PolyVecK
182
+ ): void;
183
+ export function packSig(
184
+ sig: Uint8Array,
185
+ c: Uint8Array,
186
+ z: PolyVecL,
187
+ h: PolyVecK
188
+ ): void;
189
+ export function unpackPk(rho: Uint8Array, t1: PolyVecK, pk: Uint8Array): void;
190
+ export function unpackSk(
191
+ rho: Uint8Array,
192
+ tr: Uint8Array,
193
+ key: Uint8Array,
194
+ t0: PolyVecK,
195
+ s1: PolyVecL,
196
+ s2: PolyVecK,
197
+ sk: Uint8Array
198
+ ): void;
199
+ export function unpackSig(
200
+ c: Uint8Array,
201
+ z: PolyVecL,
202
+ h: PolyVecK,
203
+ sig: Uint8Array
204
+ ): number;
205
+
206
+ // FIPS 202 SHAKE primitives (low-level XOF interface, primarily internal)
207
+ export function shake128Init(state: KeccakState): void;
208
+ export function shake128Absorb(state: KeccakState, input: Uint8Array): void;
209
+ export function shake128Finalize(state: KeccakState): void;
210
+ export function shake128SqueezeBlocks(
211
+ out: Uint8Array,
212
+ outputOffset: number,
213
+ nBlocks: number,
214
+ state: KeccakState
215
+ ): void;
216
+ export function shake256Init(state: KeccakState): void;
217
+ export function shake256Absorb(state: KeccakState, input: Uint8Array): void;
218
+ export function shake256Finalize(state: KeccakState): void;
219
+ export function shake256SqueezeBlocks(
220
+ out: Uint8Array,
221
+ outputOffset: number,
222
+ nBlocks: number,
223
+ state: KeccakState
224
+ ): void;
225
+
226
+ // ML-DSA-specific stream initializers
227
+ export function mldsaShake128StreamInit(
228
+ state: KeccakState,
229
+ seed: Uint8Array,
230
+ nonce: number
231
+ ): void;
232
+ export function mldsaShake256StreamInit(
233
+ state: KeccakState,
234
+ seed: Uint8Array,
235
+ nonce: number
236
+ ): void;
237
+
238
+ // Polynomial operations (internal)
239
+ export function polyReduce(a: Poly): void;
240
+ export function polyCAddQ(a: Poly): void;
241
+ export function polyAdd(c: Poly, a: Poly, b: Poly): void;
242
+ export function polySub(c: Poly, a: Poly, b: Poly): void;
243
+ export function polyShiftL(a: Poly): void;
244
+ export function polyPointWiseMontgomery(c: Poly, a: Poly, b: Poly): void;
245
+ export function polyPower2round(a1: Poly, a0: Poly, a: Poly): void;
246
+ export function polyDecompose(a1: Poly, a0: Poly, a: Poly): void;
247
+ export function polyMakeHint(h: Poly, a0: Poly, a1: Poly): number;
248
+ export function polyUseHint(b: Poly, a: Poly, h: Poly): void;
249
+ export function polyChkNorm(a: Poly, b: number): number;
250
+ export function rejUniform(
251
+ a: Int32Array,
252
+ aOffset: number,
253
+ len: number,
254
+ buf: Uint8Array,
255
+ bufLen: number
256
+ ): number;
257
+ export function polyUniform(a: Poly, seed: Uint8Array, nonce: number): void;
258
+ export function rejEta(
259
+ a: Int32Array,
260
+ aOffset: number,
261
+ len: number,
262
+ buf: Uint8Array,
263
+ bufLen: number
264
+ ): number;
265
+ export function polyUniformEta(a: Poly, seed: Uint8Array, nonce: number): void;
266
+ export function polyZUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
267
+ export function polyUniformGamma1(a: Poly, seed: Uint8Array, nonce: number): void;
268
+ export function polyEtaPack(r: Uint8Array, rOffset: number, a: Poly): void;
269
+ export function polyEtaUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
270
+ export function polyT1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
271
+ export function polyT1Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
272
+ export function polyT0Pack(r: Uint8Array, rOffset: number, a: Poly): void;
273
+ export function polyT0Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
274
+ export function polyZPack(r: Uint8Array, rOffset: number, a: Poly): void;
275
+ export function polyW1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
276
+
277
+ // Polynomial vector operations (internal)
278
+ export function polyVecMatrixExpand(mat: PolyVecL[], rho: Uint8Array): void;
279
+ export function polyVecMatrixPointWiseMontgomery(
280
+ t: PolyVecK,
281
+ mat: PolyVecL[],
282
+ v: PolyVecL
283
+ ): void;
284
+ export function polyVecLUniformEta(v: PolyVecL, seed: Uint8Array, nonce: number): void;
285
+ export function polyVecLUniformGamma1(v: PolyVecL, seed: Uint8Array, nonce: number): void;
286
+ export function polyVecLReduce(v: PolyVecL): void;
287
+ export function polyVecLAdd(w: PolyVecL, u: PolyVecL, v: PolyVecL): void;
288
+ export function polyVecLNTT(v: PolyVecL): void;
289
+ export function polyVecLInvNTTToMont(v: PolyVecL): void;
290
+ export function polyVecLPointWisePolyMontgomery(
291
+ r: PolyVecL,
292
+ a: Poly,
293
+ v: PolyVecL
294
+ ): void;
295
+ export function polyVecLPointWiseAccMontgomery(
296
+ w: Poly,
297
+ u: PolyVecL,
298
+ v: PolyVecL
299
+ ): void;
300
+ export function polyVecLChkNorm(v: PolyVecL, bound: number): number;
301
+ export function polyVecKUniformEta(v: PolyVecK, seed: Uint8Array, nonce: number): void;
302
+ export function polyVecKReduce(v: PolyVecK): void;
303
+ export function polyVecKCAddQ(v: PolyVecK): void;
304
+ export function polyVecKAdd(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
305
+ export function polyVecKSub(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
306
+ export function polyVecKShiftL(v: PolyVecK): void;
307
+ export function polyVecKNTT(v: PolyVecK): void;
308
+ export function polyVecKInvNTTToMont(v: PolyVecK): void;
309
+ export function polyVecKPointWisePolyMontgomery(
310
+ r: PolyVecK,
311
+ a: Poly,
312
+ v: PolyVecK
313
+ ): void;
314
+ export function polyVecKChkNorm(v: PolyVecK, bound: number): number;
315
+ export function polyVecKPower2round(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
316
+ export function polyVecKDecompose(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
317
+ export function polyVecKMakeHint(h: PolyVecK, v0: PolyVecK, v1: PolyVecK): number;
318
+ export function polyVecKUseHint(w: PolyVecK, u: PolyVecK, h: PolyVecK): void;
319
+ export function polyVecKPackW1(r: Uint8Array, w1: PolyVecK): void;
package/dist/mjs/mldsa87.js CHANGED
@@ -160,12 +160,16 @@ function montgomeryReduce(a) {
160
160
  return t;
161
161
  }
162
162
 
163
+ // Partial reduction modulo Q. Input must satisfy |a| < 2^31 - 2^22.
164
+ // Output is in (-Q, Q). Mirrors the reference C implementation.
163
165
  function reduce32(a) {
164
166
  let t = (a + (1 << 22)) >> 23;
165
167
  t = a - t * Q;
166
168
  return t;
167
169
  }
168
170
 
171
+ // Conditional add Q: if a is negative, add Q. Input must satisfy -Q < a < 2^31.
172
+ // Output is in [0, Q). Mirrors the reference C implementation.
169
173
  function cAddQ(a) {
170
174
  let ar = a;
171
175
  ar += (ar >> 31) & Q;
@@ -327,10 +331,7 @@ function polyChkNorm(a, b) {
327
331
  }
328
332
 
329
333
  for (let i = 0; i < N; i++) {
330
- let t = a.coeffs[i] >> 31;
331
- t = a.coeffs[i] - (t & (2 * a.coeffs[i]));
332
-
333
- if (t >= b) {
334
+ if (Math.abs(a.coeffs[i]) >= b) {
334
335
  return 1;
335
336
  }
336
337
  }
@@ -871,6 +872,9 @@ function packPk(pkp, rho, t1) {
871
872
  }
872
873
 
873
874
  function unpackPk(rhop, t1, pk) {
875
+ if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
876
+ throw new Error(`pk must be a Uint8Array of ${CryptoPublicKeyBytes} bytes`);
877
+ }
874
878
  const rho = rhop;
875
879
  for (let i = 0; i < SeedBytes; ++i) {
876
880
  rho[i] = pk[i];
@@ -915,6 +919,9 @@ function packSk(skp, rho, tr, key, t0, s1, s2) {
915
919
  }
916
920
 
917
921
  function unpackSk(rhoP, trP, keyP, t0, s1, s2, sk) {
922
+ if (!(sk instanceof Uint8Array) || sk.length !== CryptoSecretKeyBytes) {
923
+ throw new Error(`sk must be a Uint8Array of ${CryptoSecretKeyBytes} bytes`);
924
+ }
918
925
  let skOffset = 0;
919
926
  const rho = rhoP;
920
927
  const tr = trP;
@@ -970,6 +977,12 @@ function packSig(sigP, ctilde, z, h) {
970
977
  for (let i = 0; i < K; ++i) {
971
978
  for (let j = 0; j < N; ++j) {
972
979
  if (h.vec[i].coeffs[j] !== 0) {
980
+ if (h.vec[i].coeffs[j] !== 1) {
981
+ throw new Error('hint coefficients must be binary (0 or 1)');
982
+ }
983
+ if (k >= OMEGA) {
984
+ throw new Error(`hint count exceeds OMEGA (${OMEGA})`);
985
+ }
973
986
  sig[sigOffset + k++] = j;
974
987
  }
975
988
  }
@@ -978,7 +991,12 @@ function packSig(sigP, ctilde, z, h) {
978
991
  }
979
992
  }
980
993
 
994
+ // Returns 0 on success, 1 on failure. On failure, output buffers (c, z, h)
995
+ // may contain partial data and must not be used.
981
996
  function unpackSig(cP, z, hP, sig) {
997
+ if (!(sig instanceof Uint8Array) || sig.length !== CryptoBytes) {
998
+ throw new Error(`sig must be a Uint8Array of ${CryptoBytes} bytes`);
999
+ }
982
1000
  let sigOffset = 0;
983
1001
  const c = cP; // ctilde
984
1002
  const h = hP;
@@ -1073,6 +1091,8 @@ function randomBytes(size) {
1073
1091
  *
1074
1092
  * @param {Uint8Array} buffer - The buffer to zero
1075
1093
  * @returns {void}
1094
+ * @throws {TypeError} If buffer is not a Uint8Array
1095
+ * @throws {Error} If zeroization verification fails
1076
1096
  */
1077
1097
  function zeroize(buffer) {
1078
1098
  if (!(buffer instanceof Uint8Array)) {
@@ -1095,6 +1115,7 @@ function zeroize(buffer) {
1095
1115
  *
1096
1116
  * @param {Uint8Array} buffer - The buffer to check
1097
1117
  * @returns {boolean} True if all bytes are zero
1118
+ * @throws {TypeError} If buffer is not a Uint8Array
1098
1119
  */
1099
1120
  function isZero(buffer) {
1100
1121
  if (!(buffer instanceof Uint8Array)) {
@@ -1110,16 +1131,12 @@ function isZero(buffer) {
1110
1131
  /**
1111
1132
  * Convert hex string to Uint8Array with strict validation.
1112
1133
  *
1113
- * NOTE: This function accepts multiple hex formats (with/without 0x prefix,
1114
- * leading/trailing whitespace). While user-friendly, this flexibility could
1115
- * mask input errors. Applications requiring strict format validation should
1116
- * validate hex format before calling cryptographic functions, e.g.:
1117
- * - Reject strings with 0x prefix if raw hex is expected
1118
- * - Reject strings with whitespace
1119
- * - Enforce consistent casing (lowercase/uppercase)
1134
+ * Accepts an optional 0x/0X prefix. Leading/trailing whitespace is rejected.
1135
+ * Empty strings and whitespace-only strings are rejected.
1120
1136
  *
1121
- * @param {string} hex - Hex string (optional 0x prefix, even length).
1137
+ * @param {string} hex - Hex string (optional 0x prefix, even length, no whitespace).
1122
1138
  * @returns {Uint8Array} Decoded bytes.
1139
+ * @throws {Error} If input is not a valid hex string
1123
1140
  * @private
1124
1141
  */
1125
1142
  function hexToBytes(hex) {
@@ -1128,11 +1145,16 @@ function hexToBytes(hex) {
1128
1145
  throw new Error('message must be a hex string');
1129
1146
  }
1130
1147
  /* c8 ignore stop */
1131
- let clean = hex.trim();
1132
- // Accepts both "0x..." and raw hex formats for convenience
1148
+ if (hex !== hex.trim()) {
1149
+ throw new Error('hex string must not have leading or trailing whitespace');
1150
+ }
1151
+ let clean = hex;
1133
1152
  if (clean.startsWith('0x') || clean.startsWith('0X')) {
1134
1153
  clean = clean.slice(2);
1135
1154
  }
1155
+ if (clean.length === 0) {
1156
+ throw new Error('hex string must not be empty');
1157
+ }
1136
1158
  if (clean.length % 2 !== 0) {
1137
1159
  throw new Error('hex string must have an even length');
1138
1160
  }
@@ -1142,6 +1164,14 @@ function hexToBytes(hex) {
1142
1164
  return hexToBytes$1(clean);
1143
1165
  }
1144
1166
 
1167
+ /**
1168
+ * Convert a message to Uint8Array.
1169
+ *
1170
+ * @param {string|Uint8Array} message - Message as hex string (optional 0x prefix) or Uint8Array.
1171
+ * @returns {Uint8Array} Message bytes.
1172
+ * @throws {Error} If message is not a Uint8Array or valid hex string
1173
+ * @private
1174
+ */
1145
1175
  function messageToBytes(message) {
1146
1176
  if (typeof message === 'string') {
1147
1177
  return hexToBytes(message);
@@ -1158,8 +1188,8 @@ function messageToBytes(message) {
1158
1188
  * Key generation follows FIPS 204, using domain separator [K, L] during
1159
1189
  * seed expansion to ensure algorithm binding.
1160
1190
  *
1161
- * @param {Uint8Array|null} passedSeed - Optional 32-byte seed for deterministic key generation.
1162
- * Pass null for random key generation.
1191
+ * @param {Uint8Array|null} [passedSeed=null] - Optional 32-byte seed for deterministic key generation.
1192
+ * Pass null or undefined for random key generation.
1163
1193
  * @param {Uint8Array} pk - Output buffer for public key (must be CryptoPublicKeyBytes = 2592 bytes)
1164
1194
  * @param {Uint8Array} sk - Output buffer for secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1165
1195
  * @returns {Uint8Array} The seed used for key generation (useful when passedSeed is null)
@@ -1251,7 +1281,7 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1251
1281
  }
1252
1282
 
1253
1283
  /**
1254
- * Create a detached signature for a message with optional context.
1284
+ * Create a detached signature for a message with context.
1255
1285
  *
1256
1286
  * Uses the ML-DSA-87 (FIPS 204) signing algorithm with rejection sampling.
1257
1287
  * The context parameter provides domain separation as required by FIPS 204.
@@ -1261,9 +1291,16 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1261
1291
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1262
1292
  * @param {boolean} randomizedSigning - If true, use random nonce for hedged signing.
1263
1293
  * If false, use deterministic nonce derived from message and key.
1264
- * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
1294
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes).
1295
+ * Pass an empty Uint8Array for no context.
1265
1296
  * @returns {number} 0 on success
1266
- * @throws {Error} If ctx is missing, sk is wrong size, or context exceeds 255 bytes
1297
+ * @throws {TypeError} If sig is not a Uint8Array or is smaller than CryptoBytes
1298
+ * @throws {TypeError} If sk is not a Uint8Array
1299
+ * @throws {TypeError} If ctx is not a Uint8Array
1300
+ * @throws {TypeError} If randomizedSigning is not a boolean
1301
+ * @throws {Error} If ctx exceeds 255 bytes
1302
+ * @throws {Error} If sk length does not equal CryptoSecretKeyBytes
1303
+ * @throws {Error} If message is not a Uint8Array or valid hex string
1267
1304
  *
1268
1305
  * @example
1269
1306
  * const sig = new Uint8Array(CryptoBytes);
@@ -1271,13 +1308,19 @@ function cryptoSignKeypair(passedSeed, pk, sk) {
1271
1308
  * cryptoSignSignature(sig, message, sk, false, ctx);
1272
1309
  */
1273
1310
  function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1274
- if (!sig || sig.length < CryptoBytes) {
1275
- throw new Error(`sig must be at least ${CryptoBytes} bytes`);
1311
+ if (!(sig instanceof Uint8Array) || sig.length < CryptoBytes) {
1312
+ throw new TypeError(`sig must be at least ${CryptoBytes} bytes and a Uint8Array`);
1313
+ }
1314
+ if (!(sk instanceof Uint8Array)) {
1315
+ throw new TypeError('sk must be a Uint8Array');
1276
1316
  }
1277
1317
  if (!(ctx instanceof Uint8Array)) {
1278
1318
  throw new TypeError('ctx is required and must be a Uint8Array');
1279
1319
  }
1280
1320
  if (ctx.length > 255) throw new Error(`invalid context length: ${ctx.length} (max 255)`);
1321
+ if (typeof randomizedSigning !== 'boolean') {
1322
+ throw new TypeError('randomizedSigning must be a boolean');
1323
+ }
1281
1324
  if (sk.length !== CryptoSecretKeyBytes) {
1282
1325
  throw new Error(`invalid sk length ${sk.length} | Expected length ${CryptoSecretKeyBytes}`);
1283
1326
  }
@@ -1317,6 +1360,7 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1317
1360
  // rhoPrime = SHAKE256(key || rnd || mu)
1318
1361
  const rnd = randomizedSigning ? randomBytes(RNDBytes) : new Uint8Array(RNDBytes);
1319
1362
  rhoPrime = shake256.create({}).update(key).update(rnd).update(mu).xof(CRHBytes);
1363
+ zeroize(rnd);
1320
1364
 
1321
1365
  polyVecMatrixExpand(mat, rho);
1322
1366
  polyVecLNTT(s1);
@@ -1403,9 +1447,11 @@ function cryptoSignSignature(sig, m, sk, randomizedSigning, ctx) {
1403
1447
  * @param {string|Uint8Array} msg - Message to sign (hex string, optional 0x prefix, or Uint8Array)
1404
1448
  * @param {Uint8Array} sk - Secret key (must be CryptoSecretKeyBytes = 4896 bytes)
1405
1449
  * @param {boolean} randomizedSigning - If true, use random nonce; if false, deterministic
1406
- * @param {Uint8Array} ctx - Context string for domain separation (max 255 bytes).
1450
+ * @param {Uint8Array} ctx - Context string for domain separation (required, max 255 bytes).
1407
1451
  * @returns {Uint8Array} Signed message (CryptoBytes + msg.length bytes)
1408
- * @throws {Error} If signing fails
1452
+ * @throws {TypeError} If ctx is not a Uint8Array
1453
+ * @throws {TypeError} If sk or randomizedSigning fail type validation (see cryptoSignSignature)
1454
+ * @throws {Error} If signing fails or message/sk/ctx are invalid
1409
1455
  *
1410
1456
  * @example
1411
1457
  * const signedMsg = cryptoSign(message, sk, false, ctx);
@@ -1433,7 +1479,7 @@ function cryptoSign(msg, sk, randomizedSigning, ctx) {
1433
1479
  }
1434
1480
 
1435
1481
  /**
1436
- * Verify a detached signature with optional context.
1482
+ * Verify a detached signature with context.
1437
1483
  *
1438
1484
  * Performs constant-time verification to prevent timing side-channel attacks.
1439
1485
  * The context must match the one used during signing.
@@ -1441,8 +1487,9 @@ function cryptoSign(msg, sk, randomizedSigning, ctx) {
1441
1487
  * @param {Uint8Array} sig - Signature to verify (must be CryptoBytes = 4627 bytes)
1442
1488
  * @param {string|Uint8Array} m - Message that was signed (hex string, optional 0x prefix, or Uint8Array)
1443
1489
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
1444
- * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
1490
+ * @param {Uint8Array} ctx - Context string used during signing (required, max 255 bytes).
1445
1491
  * @returns {boolean} true if signature is valid, false otherwise
1492
+ * @throws {TypeError} If ctx is not a Uint8Array
1446
1493
  *
1447
1494
  * @example
1448
1495
  * const isValid = cryptoSignVerify(signature, message, pk, ctx);
@@ -1468,10 +1515,10 @@ function cryptoSignVerify(sig, m, pk, ctx) {
1468
1515
  const w1 = new PolyVecK();
1469
1516
  const h = new PolyVecK();
1470
1517
 
1471
- if (sig.length !== CryptoBytes) {
1518
+ if (!(sig instanceof Uint8Array) || sig.length !== CryptoBytes) {
1472
1519
  return false;
1473
1520
  }
1474
- if (pk.length !== CryptoPublicKeyBytes) {
1521
+ if (!(pk instanceof Uint8Array) || pk.length !== CryptoPublicKeyBytes) {
1475
1522
  return false;
1476
1523
  }
1477
1524
 
@@ -1541,8 +1588,9 @@ function cryptoSignVerify(sig, m, pk, ctx) {
1541
1588
  *
1542
1589
  * @param {Uint8Array} sm - Signed message (signature || message)
1543
1590
  * @param {Uint8Array} pk - Public key (must be CryptoPublicKeyBytes = 2592 bytes)
1544
- * @param {Uint8Array} ctx - Context string used during signing (max 255 bytes).
1591
+ * @param {Uint8Array} ctx - Context string used during signing (required, max 255 bytes).
1545
1592
  * @returns {Uint8Array|undefined} The original message if valid, undefined if verification fails
1593
+ * @throws {TypeError} If ctx is not a Uint8Array
1546
1594
  *
1547
1595
  * @example
1548
1596
  * const message = cryptoSignOpen(signedMsg, pk, ctx);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@theqrl/mldsa87",
3
- "version": "2.0.0",
3
+ "version": "2.0.4",
4
4
  "description": "ML-DSA-87 cryptography",
5
5
  "keywords": [
6
6
  "ml-dsa",
@@ -44,8 +44,14 @@
44
44
  },
45
45
  "exports": {
46
46
  ".": {
47
- "import": "./dist/mjs/mldsa87.js",
48
- "require": "./dist/cjs/mldsa87.js"
47
+ "import": {
48
+ "types": "./dist/mjs/mldsa87.d.mts",
49
+ "default": "./dist/mjs/mldsa87.js"
50
+ },
51
+ "require": {
52
+ "types": "./dist/cjs/mldsa87.d.cts",
53
+ "default": "./dist/cjs/mldsa87.js"
54
+ }
49
55
  }
50
56
  },
51
57
  "type": "module",
package/src/index.d.ts CHANGED
@@ -202,3 +202,118 @@ export function unpackSig(
202
202
  h: PolyVecK,
203
203
  sig: Uint8Array
204
204
  ): number;
205
+
206
+ // FIPS 202 SHAKE primitives (low-level XOF interface, primarily internal)
207
+ export function shake128Init(state: KeccakState): void;
208
+ export function shake128Absorb(state: KeccakState, input: Uint8Array): void;
209
+ export function shake128Finalize(state: KeccakState): void;
210
+ export function shake128SqueezeBlocks(
211
+ out: Uint8Array,
212
+ outputOffset: number,
213
+ nBlocks: number,
214
+ state: KeccakState
215
+ ): void;
216
+ export function shake256Init(state: KeccakState): void;
217
+ export function shake256Absorb(state: KeccakState, input: Uint8Array): void;
218
+ export function shake256Finalize(state: KeccakState): void;
219
+ export function shake256SqueezeBlocks(
220
+ out: Uint8Array,
221
+ outputOffset: number,
222
+ nBlocks: number,
223
+ state: KeccakState
224
+ ): void;
225
+
226
+ // ML-DSA-specific stream initializers
227
+ export function mldsaShake128StreamInit(
228
+ state: KeccakState,
229
+ seed: Uint8Array,
230
+ nonce: number
231
+ ): void;
232
+ export function mldsaShake256StreamInit(
233
+ state: KeccakState,
234
+ seed: Uint8Array,
235
+ nonce: number
236
+ ): void;
237
+
238
+ // Polynomial operations (internal)
239
+ export function polyReduce(a: Poly): void;
240
+ export function polyCAddQ(a: Poly): void;
241
+ export function polyAdd(c: Poly, a: Poly, b: Poly): void;
242
+ export function polySub(c: Poly, a: Poly, b: Poly): void;
243
+ export function polyShiftL(a: Poly): void;
244
+ export function polyPointWiseMontgomery(c: Poly, a: Poly, b: Poly): void;
245
+ export function polyPower2round(a1: Poly, a0: Poly, a: Poly): void;
246
+ export function polyDecompose(a1: Poly, a0: Poly, a: Poly): void;
247
+ export function polyMakeHint(h: Poly, a0: Poly, a1: Poly): number;
248
+ export function polyUseHint(b: Poly, a: Poly, h: Poly): void;
249
+ export function polyChkNorm(a: Poly, b: number): number;
250
+ export function rejUniform(
251
+ a: Int32Array,
252
+ aOffset: number,
253
+ len: number,
254
+ buf: Uint8Array,
255
+ bufLen: number
256
+ ): number;
257
+ export function polyUniform(a: Poly, seed: Uint8Array, nonce: number): void;
258
+ export function rejEta(
259
+ a: Int32Array,
260
+ aOffset: number,
261
+ len: number,
262
+ buf: Uint8Array,
263
+ bufLen: number
264
+ ): number;
265
+ export function polyUniformEta(a: Poly, seed: Uint8Array, nonce: number): void;
266
+ export function polyZUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
267
+ export function polyUniformGamma1(a: Poly, seed: Uint8Array, nonce: number): void;
268
+ export function polyEtaPack(r: Uint8Array, rOffset: number, a: Poly): void;
269
+ export function polyEtaUnpack(r: Poly, a: Uint8Array, aOffset: number): void;
270
+ export function polyT1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
271
+ export function polyT1Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
272
+ export function polyT0Pack(r: Uint8Array, rOffset: number, a: Poly): void;
273
+ export function polyT0Unpack(r: Poly, a: Uint8Array, aOffset: number): void;
274
+ export function polyZPack(r: Uint8Array, rOffset: number, a: Poly): void;
275
+ export function polyW1Pack(r: Uint8Array, rOffset: number, a: Poly): void;
276
+
277
+ // Polynomial vector operations (internal)
278
+ export function polyVecMatrixExpand(mat: PolyVecL[], rho: Uint8Array): void;
279
+ export function polyVecMatrixPointWiseMontgomery(
280
+ t: PolyVecK,
281
+ mat: PolyVecL[],
282
+ v: PolyVecL
283
+ ): void;
284
+ export function polyVecLUniformEta(v: PolyVecL, seed: Uint8Array, nonce: number): void;
285
+ export function polyVecLUniformGamma1(v: PolyVecL, seed: Uint8Array, nonce: number): void;
286
+ export function polyVecLReduce(v: PolyVecL): void;
287
+ export function polyVecLAdd(w: PolyVecL, u: PolyVecL, v: PolyVecL): void;
288
+ export function polyVecLNTT(v: PolyVecL): void;
289
+ export function polyVecLInvNTTToMont(v: PolyVecL): void;
290
+ export function polyVecLPointWisePolyMontgomery(
291
+ r: PolyVecL,
292
+ a: Poly,
293
+ v: PolyVecL
294
+ ): void;
295
+ export function polyVecLPointWiseAccMontgomery(
296
+ w: Poly,
297
+ u: PolyVecL,
298
+ v: PolyVecL
299
+ ): void;
300
+ export function polyVecLChkNorm(v: PolyVecL, bound: number): number;
301
+ export function polyVecKUniformEta(v: PolyVecK, seed: Uint8Array, nonce: number): void;
302
+ export function polyVecKReduce(v: PolyVecK): void;
303
+ export function polyVecKCAddQ(v: PolyVecK): void;
304
+ export function polyVecKAdd(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
305
+ export function polyVecKSub(w: PolyVecK, u: PolyVecK, v: PolyVecK): void;
306
+ export function polyVecKShiftL(v: PolyVecK): void;
307
+ export function polyVecKNTT(v: PolyVecK): void;
308
+ export function polyVecKInvNTTToMont(v: PolyVecK): void;
309
+ export function polyVecKPointWisePolyMontgomery(
310
+ r: PolyVecK,
311
+ a: Poly,
312
+ v: PolyVecK
313
+ ): void;
314
+ export function polyVecKChkNorm(v: PolyVecK, bound: number): number;
315
+ export function polyVecKPower2round(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
316
+ export function polyVecKDecompose(v1: PolyVecK, v0: PolyVecK, v: PolyVecK): void;
317
+ export function polyVecKMakeHint(h: PolyVecK, v0: PolyVecK, v1: PolyVecK): number;
318
+ export function polyVecKUseHint(w: PolyVecK, u: PolyVecK, h: PolyVecK): void;
319
+ export function polyVecKPackW1(r: Uint8Array, w1: PolyVecK): void;