leviathan-crypto 1.3.1 → 2.0.0

package/dist/kyber/kem.js

@@ -0,0 +1,160 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/kyber/kem.ts
+//
+// ML-KEM KEM layer — Fujisaki-Okamoto transform.
+// FIPS 203 Algorithms 15, 16, 17 (ML-KEM internal).
+import { indcpaKeypairDerand, indcpaEncrypt, indcpaDecrypt, sha3_256Hash, sha3_512Hash, shake256Hash, } from './indcpa.js';
+import { wipe } from '../utils.js';
+/**
+ * ML-KEM.KeyGen_internal (FIPS 203 Algorithm 15).
+ *
+ * dk = skCpa || ek || H(ek) || z
+ */
+export function kemKeypairDerand(kx, sx, params, d, z) {
+    // indcpaKeypairDerand handles its own sigma wipe
+    const { ekCpa, skCpa } = indcpaKeypairDerand(kx, sx, params, d);
+    const h = sha3_256Hash(sx, ekCpa);
+    try {
+        const dk = new Uint8Array(params.dkBytes);
+        dk.set(skCpa, 0);
+        dk.set(ekCpa, params.skCpaBytes);
+        dk.set(h, params.skCpaBytes + params.ekBytes);
+        dk.set(z, params.skCpaBytes + params.ekBytes + 32);
+        return {
+            encapsulationKey: ekCpa,
+            decapsulationKey: dk,
+        };
+    }
+    finally {
+        wipe(skCpa);
+        wipe(h);
+    }
+}
+/**
+ * ML-KEM.Encaps_internal (FIPS 203 Algorithm 16).
+ *
+ * (K, r) = G(m || H(ek)), c = K-PKE.Encrypt(ek, m, r)
+ */
+export function kemEncapsulateDerand(kx, sx, params, ek, m) {
+    const h = sha3_256Hash(sx, ek);
+    let gInput;
+    let gOut;
+    let r;
+    try {
+        gInput = new Uint8Array(64);
+        gInput.set(m, 0);
+        gInput.set(h, 32);
+        gOut = sha3_512Hash(sx, gInput);
+        const K = gOut.slice(0, 32);
+        r = gOut.slice(32, 64);
+        const c = indcpaEncrypt(kx, sx, params, ek, m, r);
+        return { ciphertext: c, sharedSecret: K };
+    }
+    finally {
+        if (gInput)
+            wipe(gInput);
+        if (gOut)
+            wipe(gOut);
+        if (r)
+            wipe(r);
+    }
+}
+/**
+ * ML-KEM.Decaps_internal (FIPS 203 Algorithm 17).
+ *
+ * Constant-time: uses ct_verify and ct_cmov from kyber WASM.
+ * MUST NOT branch on secret data in JS — all comparison via WASM primitives.
+ */
+export function kemDecapsulate(kx, sx, params, dk, c) {
+    const { skCpaBytes, ekBytes, ctBytes } = params;
+    // Parse dk: skCpa || ek || H(ek) || z
+    const skCpa = dk.slice(0, skCpaBytes);
+    const ek = dk.slice(skCpaBytes, skCpaBytes + ekBytes);
+    const h = dk.slice(skCpaBytes + ekBytes, skCpaBytes + ekBytes + 32);
+    const z = dk.slice(skCpaBytes + ekBytes + 32, skCpaBytes + ekBytes + 64);
+    let mPrime;
+    let gInput;
+    let gOut;
+    let kPrime;
+    let rPrime;
+    let jInput;
+    let kBar;
+    let cPrime;
+    try {
+        // Decrypt
+        mPrime = indcpaDecrypt(kx, params, skCpa, c);
+        // G(m' || H(ek)) → (K', r')
+        gInput = new Uint8Array(64);
+        gInput.set(mPrime, 0);
+        gInput.set(h, 32);
+        gOut = sha3_512Hash(sx, gInput);
+        kPrime = gOut.slice(0, 32);
+        rPrime = gOut.slice(32, 64);
+        // J(z || c) → K̄  [implicit rejection value]
+        jInput = new Uint8Array(32 + ctBytes);
+        jInput.set(z, 0);
+        jInput.set(c, 32);
+        kBar = shake256Hash(sx, jInput, 32);
+        // Re-encrypt c' = K-PKE.Encrypt(ek, m', r') — indcpaEncrypt handles its own prfInput wipe
+        cPrime = indcpaEncrypt(kx, sx, params, ek, mPrime, rPrime);
+        // Constant-time comparison and conditional select via kyber WASM
+        const kyberMem = new Uint8Array(kx.memory.buffer);
+        const ctOff = kx.getCtOffset();
+        const ctPrimeOff = kx.getCtPrimeOffset();
+        // Write c and c' into named kyber memory regions
+        kyberMem.set(c, ctOff);
+        kyberMem.set(cPrime, ctPrimeOff);
+        // Write K' and K̄ into poly slots (512B each, 32B needed)
+        const kPrimeOff = kx.getPolySlot0();
+        const kBarOff = kx.getPolySlot1();
+        kyberMem.set(kPrime, kPrimeOff);
+        kyberMem.set(kBar, kBarOff);
+        // fail = 0 if c == c', non-zero if different
+        const fail = kx.ct_verify(ctOff, ctPrimeOff, ctBytes);
+        // If fail != 0 (mismatch): K' ← K̄
+        kx.ct_cmov(kPrimeOff, kBarOff, 32, fail);
+        return kyberMem.slice(kPrimeOff, kPrimeOff + 32);
+    }
+    finally {
+        if (mPrime)
+            wipe(mPrime);
+        if (gInput)
+            wipe(gInput);
+        if (gOut)
+            wipe(gOut);
+        if (kPrime)
+            wipe(kPrime);
+        if (rPrime)
+            wipe(rPrime);
+        if (jInput)
+            wipe(jInput);
+        if (kBar)
+            wipe(kBar);
+        if (cPrime)
+            wipe(cPrime);
+        wipe(skCpa);
+        wipe(ek);
+        wipe(h);
+        wipe(z);
+    }
+}

package/dist/kyber/params.d.ts

@@ -0,0 +1,14 @@
+export interface KyberParams {
+    k: number;
+    eta1: number;
+    eta2: number;
+    du: number;
+    dv: number;
+    ekBytes: number;
+    dkBytes: number;
+    ctBytes: number;
+    skCpaBytes: number;
+}
+export declare const MLKEM512: KyberParams;
+export declare const MLKEM768: KyberParams;
+export declare const MLKEM1024: KyberParams;

package/dist/kyber/params.js

@@ -0,0 +1,37 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/kyber/params.ts
+//
+// ML-KEM (FIPS 203) parameter set configurations.
+// FIPS 203 Table 2 — Parameter sets for ML-KEM.
+export const MLKEM512 = {
+    k: 2, eta1: 3, eta2: 2, du: 10, dv: 4,
+    ekBytes: 800, dkBytes: 1632, ctBytes: 768, skCpaBytes: 768,
+};
+export const MLKEM768 = {
+    k: 3, eta1: 2, eta2: 2, du: 10, dv: 4,
+    ekBytes: 1184, dkBytes: 2400, ctBytes: 1088, skCpaBytes: 1152,
+};
+export const MLKEM1024 = {
+    k: 4, eta1: 2, eta2: 2, du: 11, dv: 5,
+    ekBytes: 1568, dkBytes: 3168, ctBytes: 1568, skCpaBytes: 1536,
+};

package/dist/kyber/suite.d.ts

@@ -0,0 +1,13 @@
+import type { CipherSuite } from '../stream/types.js';
+import type { KyberKeyPair, KyberEncapsulation } from './types.js';
+import type { KyberParams } from './params.js';
+interface MlKemLike {
+    readonly params: KyberParams;
+    encapsulate(ek: Uint8Array): KyberEncapsulation;
+    decapsulate(dk: Uint8Array, c: Uint8Array): Uint8Array;
+    keygen(): KyberKeyPair;
+}
+export declare function KyberSuite(kem: MlKemLike, inner: CipherSuite): CipherSuite & {
+    keygen(): KyberKeyPair;
+};
+export {};

package/dist/kyber/suite.js

@@ -0,0 +1,93 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/kyber/suite.ts
+//
+// KyberSuite — wraps a MlKemBase + inner CipherSuite into a unified CipherSuite.
+// Provides hybrid KEM + symmetric AEAD for use with SealStream / OpenStream / Seal.
+import { concat } from '../utils.js';
+import { HKDF_SHA256 } from '../sha2/index.js';
+// KEM selector per parameter set (bits 4-5 of formatEnum)
+const KEM_NIBBLE = {
+    2: 0x10, // ML-KEM-512  (k=2)
+    3: 0x20, // ML-KEM-768  (k=3)
+    4: 0x30, // ML-KEM-1024 (k=4)
+};
+const KEM_LABEL = {
+    2: 'mlkem512',
+    3: 'mlkem768',
+    4: 'mlkem1024',
+};
+export function KyberSuite(kem, inner) {
+    const p = kem.params;
+    const kemNibble = KEM_NIBBLE[p.k];
+    if (!kemNibble)
+        throw new Error(`unsupported ML-KEM k=${p.k}`);
+    const kemLabel = KEM_LABEL[p.k];
+    const infoBytes = new TextEncoder().encode(inner.hkdfInfo);
+    return {
+        formatEnum: kemNibble | inner.formatEnum,
+        formatName: `${kemLabel}+${inner.formatName}`,
+        hkdfInfo: inner.hkdfInfo,
+        keySize: p.ekBytes,
+        decKeySize: p.dkBytes,
+        kemCtSize: p.ctBytes,
+        tagSize: inner.tagSize,
+        padded: inner.padded,
+        wasmModules: [...inner.wasmModules, 'kyber', 'sha3'],
+        deriveKeys(key, nonce, kemCt) {
+            let sharedSecret;
+            let outKemCt;
+            let ctForInfo;
+            if (kemCt === undefined) {
+                // encrypt path: key = ek — encapsulate to produce shared secret + ct
+                const result = kem.encapsulate(key);
+                sharedSecret = result.sharedSecret;
+                outKemCt = result.ciphertext;
+                ctForInfo = outKemCt;
+            }
+            else {
+                // decrypt path: key = dk — decapsulate to recover shared secret
+                sharedSecret = kem.decapsulate(key, kemCt);
+                ctForInfo = kemCt;
+            }
+            // Bind kemCt into HKDF info for defense in depth (KEM ciphertext binding)
+            const info = concat(infoBytes, ctForInfo);
+            const hkdf = new HKDF_SHA256();
+            const derived = hkdf.derive(sharedSecret, nonce, info, inner.keySize);
+            hkdf.dispose();
+            sharedSecret.fill(0);
+            // Delegate actual per-cipher key derivation to the inner suite
+            const innerKeys = inner.deriveKeys(derived, nonce);
+            derived.fill(0);
+            return outKemCt
+                ? { bytes: innerKeys.bytes, kemCiphertext: outKemCt }
+                : innerKeys;
+        },
+        sealChunk: inner.sealChunk.bind(inner),
+        openChunk: inner.openChunk.bind(inner),
+        wipeKeys: inner.wipeKeys.bind(inner),
+        createPoolWorker: inner.createPoolWorker.bind(inner),
+        keygen() {
+            return kem.keygen();
+        },
+    };
+}

package/dist/kyber/types.d.ts

@@ -0,0 +1,98 @@
+export interface KyberExports {
+    memory: WebAssembly.Memory;
+    getModuleId: () => number;
+    getMemoryPages: () => number;
+    getPolySlotBase: () => number;
+    getPolySlotSize: () => number;
+    getPolySlot0: () => number;
+    getPolySlot1: () => number;
+    getPolySlot2: () => number;
+    getPolySlot3: () => number;
+    getPolySlot4: () => number;
+    getPolySlot5: () => number;
+    getPolySlot6: () => number;
+    getPolySlot7: () => number;
+    getPolySlot8: () => number;
+    getPolySlot9: () => number;
+    getPolyvecSlotBase: () => number;
+    getPolyvecSlotSize: () => number;
+    getPolyvecSlot0: () => number;
+    getPolyvecSlot1: () => number;
+    getPolyvecSlot2: () => number;
+    getPolyvecSlot3: () => number;
+    getPolyvecSlot4: () => number;
+    getPolyvecSlot5: () => number;
+    getPolyvecSlot6: () => number;
+    getPolyvecSlot7: () => number;
+    getSeedOffset: () => number;
+    getMsgOffset: () => number;
+    getPkOffset: () => number;
+    getSkOffset: () => number;
+    getCtOffset: () => number;
+    getCtPrimeOffset: () => number;
+    getXofPrfOffset: () => number;
+    wipeBuffers: () => void;
+    montgomery_reduce: (a: number) => number;
+    barrett_reduce: (a: number) => number;
+    fqmul: (a: number, b: number) => number;
+    getZetasOffset: () => number;
+    getZeta: (i: number) => number;
+    ntt: (polyOffset: number) => void;
+    invntt: (polyOffset: number) => void;
+    basemul: (rOffset: number, aOffset: number, bOffset: number, zetaIdx: number) => void;
+    poly_tobytes: (rOffset: number, polyOffset: number) => void;
+    poly_frombytes: (polyOffset: number, aOffset: number) => void;
+    poly_compress: (rOffset: number, polyOffset: number, dv: number) => void;
+    poly_decompress: (polyOffset: number, aOffset: number, dv: number) => void;
+    poly_frommsg: (polyOffset: number, msgOffset: number) => void;
+    poly_tomsg: (msgOffset: number, polyOffset: number) => void;
+    poly_add: (rOffset: number, aOffset: number, bOffset: number) => void;
+    poly_sub: (rOffset: number, aOffset: number, bOffset: number) => void;
+    poly_reduce: (polyOffset: number) => void;
+    poly_tomont: (polyOffset: number) => void;
+    poly_ntt: (polyOffset: number) => void;
+    poly_invntt: (polyOffset: number) => void;
+    poly_basemul_montgomery: (rOffset: number, aOffset: number, bOffset: number) => void;
+    poly_getnoise: (polyOffset: number, bufOffset: number, eta: number) => void;
+    polyvec_tobytes: (rOffset: number, pvOffset: number, k: number) => void;
+    polyvec_frombytes: (pvOffset: number, aOffset: number, k: number) => void;
+    polyvec_compress: (rOffset: number, pvOffset: number, k: number, du: number) => void;
+    polyvec_decompress: (pvOffset: number, aOffset: number, k: number, du: number) => void;
+    polyvec_ntt: (pvOffset: number, k: number) => void;
+    polyvec_invntt: (pvOffset: number, k: number) => void;
+    polyvec_reduce: (pvOffset: number, k: number) => void;
+    polyvec_add: (rOffset: number, aOffset: number, bOffset: number, k: number) => void;
+    polyvec_basemul_acc_montgomery: (rOffset: number, aOffset: number, bOffset: number, k: number) => void;
+    rej_uniform: (polyOffset: number, ctrStart: number, bufOffset: number, buflen: number) => number;
+    ct_verify: (aOffset: number, bOffset: number, len: number) => number;
+    ct_cmov: (rOffset: number, xOffset: number, len: number, b: number) => void;
+}
+export interface Sha3Exports {
+    memory: WebAssembly.Memory;
+    getInputOffset: () => number;
+    getOutOffset: () => number;
+    getStateOffset: () => number;
+    sha3_224Init: () => void;
+    sha3_256Init: () => void;
+    sha3_384Init: () => void;
+    sha3_512Init: () => void;
+    shake128Init: () => void;
+    shake256Init: () => void;
+    keccakAbsorb: (len: number) => void;
+    sha3_224Final: () => void;
+    sha3_256Final: () => void;
+    sha3_384Final: () => void;
+    sha3_512Final: () => void;
+    shakeFinal: (outLen: number) => void;
+    shakePad: () => void;
+    shakeSqueezeBlock: () => void;
+    wipeBuffers: () => void;
+}
+export interface KyberKeyPair {
+    encapsulationKey: Uint8Array;
+    decapsulationKey: Uint8Array;
+}
+export interface KyberEncapsulation {
+    ciphertext: Uint8Array;
+    sharedSecret: Uint8Array;
+}

package/dist/kyber/types.js

@@ -0,0 +1,25 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/kyber/types.ts
+//
+// ML-KEM type definitions: WASM export interfaces and KEM API types.
+export {};

package/dist/kyber/validate.d.ts

@@ -0,0 +1,19 @@
+import type { KyberExports, Sha3Exports } from './types.js';
+import type { KyberParams } from './params.js';
+/**
+ * Encapsulation key check — FIPS 203 §7.2 (EncapsulationKeyCheck).
+ *
+ * 1. Length check: ek.length == params.ekBytes
+ * 2. ByteDecode₁₂ → ByteEncode₁₂ round-trip check on the polyvec portion.
+ *    Any coefficient ≥ q stored modulo 2^12 survives frombytes, but tobytes
+ *    re-encodes it differently — so the round-trip fails iff any coeff was ≥ q.
+ */
+export declare function checkEncapsulationKey(kx: KyberExports, params: KyberParams, ek: Uint8Array): boolean;
+/**
+ * Decapsulation key check — FIPS 203 §7.3 (DecapsulationKeyCheck).
+ *
+ * 1. Length check: dk.length == params.dkBytes
+ * 2. Extract embedded ek and H(ek), verify SHA3-256(ek) matches stored H
+ * 3. Also run checkEncapsulationKey on the embedded ek
+ */
+export declare function checkDecapsulationKey(kx: KyberExports, sx: Sha3Exports, params: KyberParams, dk: Uint8Array): boolean;

package/dist/kyber/validate.js

@@ -0,0 +1,68 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/kyber/validate.ts
+//
+// ML-KEM key validation — FIPS 203 §7.2 and §7.3.
+import { sha3_256Hash } from './indcpa.js';
+import { constantTimeEqual } from '../utils.js';
+/**
+ * Encapsulation key check — FIPS 203 §7.2 (EncapsulationKeyCheck).
+ *
+ * 1. Length check: ek.length == params.ekBytes
+ * 2. ByteDecode₁₂ → ByteEncode₁₂ round-trip check on the polyvec portion.
+ *    Any coefficient ≥ q stored modulo 2^12 survives frombytes, but tobytes
+ *    re-encodes it differently — so the round-trip fails iff any coeff was ≥ q.
+ */
+export function checkEncapsulationKey(kx, params, ek) {
+    if (ek.length !== params.ekBytes)
+        return false;
+    const { k } = params;
+    const kyberMem = new Uint8Array(kx.memory.buffer);
+    const pkOff = kx.getPkOffset();
+    const skOff = kx.getSkOffset();
+    const pvecOff = kx.getPolyvecSlot0();
+    // Write the polyvec portion of ek into PK buffer, decode, re-encode
+    kyberMem.set(ek.subarray(0, k * 384), pkOff);
+    kx.polyvec_frombytes(pvecOff, pkOff, k);
+    kx.polyvec_tobytes(skOff, pvecOff, k);
+    // orig is at pkOff (written above); reEnc is at skOff (polyvec_tobytes output)
+    const mismatch = kx.ct_verify(pkOff, skOff, k * 384);
+    return mismatch === 0;
+}
+/**
+ * Decapsulation key check — FIPS 203 §7.3 (DecapsulationKeyCheck).
+ *
+ * 1. Length check: dk.length == params.dkBytes
+ * 2. Extract embedded ek and H(ek), verify SHA3-256(ek) matches stored H
+ * 3. Also run checkEncapsulationKey on the embedded ek
+ */
+export function checkDecapsulationKey(kx, sx, params, dk) {
+    if (dk.length !== params.dkBytes)
+        return false;
+    const { skCpaBytes, ekBytes } = params;
+    const ek = dk.slice(skCpaBytes, skCpaBytes + ekBytes);
+    const h = dk.slice(skCpaBytes + ekBytes, skCpaBytes + ekBytes + 32);
+    const hComputed = sha3_256Hash(sx, ek);
+    if (!constantTimeEqual(hComputed, h))
+        return false;
+    return checkEncapsulationKey(kx, params, ek);
+}

package/dist/loader.d.ts

@@ -1,4 +1,19 @@
-import type { Module } from './init.js';
-export declare function loadEmbedded(thunk: () => Promise<string>): Promise<WebAssembly.Instance>;
-export declare function loadStreaming(_mod: Module, baseUrl: URL | string, filename: string): Promise<WebAssembly.Instance>;
-export declare function loadManual(binary: Uint8Array | ArrayBuffer): Promise<WebAssembly.Instance>;
+import type { WasmSource } from './wasm-source.js';
+/**
+ * Decode a gzip+base64 embedded WASM string to raw bytes.
+ * Guards against missing DecompressionStream (Node <18, non-browser runtimes).
+ * Exported for pool worker launchers that decode blobs before spawning threads.
+ */
+export declare function decodeWasm(b64: string): Promise<Uint8Array>;
+/**
+ * Compile a WASM source to a Module without instantiating.
+ * Used by pool infrastructure to send compiled modules to workers.
+ */
+export declare function compileWasm(source: WasmSource): Promise<WebAssembly.Module>;
+/**
+ * Load a WASM module from any accepted source type.
+ * The loading strategy is inferred from the argument type — no mode string.
+ *
+ * Throws `TypeError` for null, numeric, or unrecognised inputs.
+ */
+export declare function loadWasm(source: WasmSource): Promise<WebAssembly.Instance>;