leviathan-crypto 2.0.1 → 3.0.0

package/dist/fortuna.js

@@ -21,31 +21,29 @@
 //
 // src/ts/fortuna.ts
 //
-// Fortuna CSPRNG — Ferguson & Schneier, Practical Cryptography (2003), Chapter 9.
-// Backed by WASM Serpent-256 ECB (generator) and WASM SHA-256 (accumulator pools).
-// Requires init({ serpent: ..., sha2: ... }) before Fortuna.create().
-import { isInitialized } from './init.js';
-import { Serpent } from './serpent/index.js';
-import { SHA256 } from './sha2/index.js';
+// Fortuna CSPRNG, Ferguson & Schneier, Practical Cryptography (2003), Chapter 9.
+// Backed by a pluggable Generator (cipher PRF) and HashFn (accumulator hash).
+// Requires init() for the modules used by the chosen generator and hash pair.
+import { isInitialized, getInstance } from './init.js';
 import { wipe, utf8ToBytes, concat } from './utils.js';
 const isBrowser = typeof window !== 'undefined';
 const isNode = typeof process !== 'undefined' && typeof process.pid === 'number';
 /**
- * Fortuna CSPRNG — spec §9.3–§9.5
+ * Fortuna CSPRNG, spec §9.3-§9.5
  *
- * Use `Fortuna.create()` to instantiate. Direct construction is not allowed.
+ * Use `Fortuna.create({ generator, hash })` to instantiate. Direct construction is not allowed.
  */
 export class Fortuna {
     // ── Constants ──────────────────────────────────────────────────────────
     static NUM_POOLS = 32;
-    static RESEED_LIMIT = 64; // bits — pool 0 threshold (spec §9.5)
-    static MS_PER_RESEED = 100; // ms — minimum reseed interval (spec §9.5)
-    static NODE_STATS_INTERVAL = 1000; // ms — OS stats collector interval
-    static CRYPTO_INTERVAL = 3000; // ms — crypto.randomBytes interval
+    static RESEED_LIMIT = 64; // bits, pool 0 threshold (spec §9.5)
+    static MS_PER_RESEED = 100; // ms, minimum reseed interval (spec §9.5)
+    static NODE_STATS_INTERVAL = 1000; // ms, OS stats collector interval
+    static CRYPTO_INTERVAL = 3000; // ms, crypto.randomBytes interval
     // ── State ─────────────────────────────────────────────────────────────
-    serpent;
-    sha;
-    poolHash; // 32 running SHA-256 chain hashes (32 bytes each)
+    gen;
+    hash;
+    poolHash; // 32 running hash chain values
     poolEntropy;
     genKey;
     genCnt;
@@ -62,25 +60,33 @@ export class Fortuna {
     timers = [];
     // ── Static factory ────────────────────────────────────────────────────
     static async create(opts) {
-        if (!isInitialized('serpent'))
-            throw new Error('leviathan-crypto: call init({ serpent: ..., sha2: ... }) before using Fortuna');
-        if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: call init({ serpent: ..., sha2: ... }) before using Fortuna');
-        const f = new Fortuna(opts?.msPerReseed ?? Fortuna.MS_PER_RESEED);
-        f.initialize(opts?.entropy);
-        // Force the first reseed — pool[0] is saturated by initialize(),
+        if (!opts || !opts.generator || !opts.hash)
+            throw new TypeError('leviathan-crypto: Fortuna.create() requires { generator, hash }');
+        if (opts.hash.outputSize !== opts.generator.keySize)
+            throw new RangeError(`leviathan-crypto: Fortuna requires hash.outputSize (${opts.hash.outputSize}) `
+                + `to match generator.keySize (${opts.generator.keySize})`);
+        const required = new Set([...opts.generator.wasmModules, ...opts.hash.wasmModules]);
+        for (const mod of required) {
+            if (!isInitialized(mod)) {
+                const args = [...required].map(m => `${m}: ...`).join(', ');
+                throw new Error(`leviathan-crypto: call init({ ${args} }) before using Fortuna`);
+            }
+        }
+        const f = new Fortuna(opts.generator, opts.hash, opts.msPerReseed ?? Fortuna.MS_PER_RESEED);
+        f.initialize(opts.entropy);
+        // Force the first reseed, pool[0] is saturated by initialize(),
         // so this call triggers an immediate reseed and guarantees get() never
         // returns undefined. The byte is discarded.
         f.get(1);
         return f;
     }
-    constructor(msPerReseed) {
-        this.serpent = new Serpent();
-        this.sha = new SHA256();
+    constructor(gen, hash, msPerReseed) {
+        this.gen = gen;
+        this.hash = hash;
         this.poolHash = [];
         this.poolEntropy = [];
-        this.genKey = new Uint8Array(32);
-        this.genCnt = new Uint8Array(16);
+        this.genKey = new Uint8Array(gen.keySize);
+        this.genCnt = new Uint8Array(gen.counterSize);
         this.reseedCnt = 0;
         this.lastReseed = 0;
         this.entropyLevel = 0;
@@ -90,36 +96,42 @@ export class Fortuna {
         this.msPerReseed = msPerReseed;
         this.robin = { kbd: 0, mouse: 0, scroll: 0, touch: 0, motion: 0, time: 0, rnd: 0, dom: 0 };
         for (let i = 0; i < Fortuna.NUM_POOLS; i++) {
-            this.poolHash.push(new Uint8Array(32)); // zero-initialized chain value
+            this.poolHash.push(new Uint8Array(hash.outputSize)); // zero-initialized chain value
             this.poolEntropy.push(0);
         }
     }
     // ── Public API ────────────────────────────────────────────────────────
-    /** Get n random bytes. Always returns Uint8Array — instance is guaranteed seeded after create(). */
+    /** Get n random bytes. Always returns Uint8Array, instance is guaranteed seeded after create(). */
     get(length) {
         if (this.disposed)
             throw new Error('Fortuna instance has been disposed');
-        // Capture hrtime jitter at call time (Node.js) — spec §9.5
+        // Capture hrtime jitter at call time (Node.js), spec §9.5
         if (isNode)
             this.captureHrtime();
-        // Check reseed trigger — spec §9.5
+        // Check reseed trigger, spec §9.5
         if (this.poolEntropy[0] >= Fortuna.RESEED_LIMIT &&
             Date.now() >= this.lastReseed + this.msPerReseed) {
             this.reseedCnt = (this.reseedCnt + 1) >>> 0; // u32 wrap
             let seed = new Uint8Array(0);
             let strength = 0;
             for (let i = 0; i < Fortuna.NUM_POOLS; i++) {
-                if ((this.reseedCnt & (1 << i)) !== 0) {
+                // Practical Cryptography (Ferguson & Schneier, 2003) §9.5.5:
+                // pool P_i is used in reseed r iff 2^i divides r.
+                if ((this.reseedCnt & ((1 << i) - 1)) === 0) {
                     // Pool digest = current chain hash
                     seed = concat(seed, this.poolHash[i]);
                     strength += this.poolEntropy[i];
-                    // Reset pool
-                    this.poolHash[i] = new Uint8Array(32);
+                    // Reset pool, wipe old chain hash before dropping the reference.
+                    const old = this.poolHash[i];
+                    this.poolHash[i] = new Uint8Array(this.hash.outputSize);
+                    wipe(old);
                     this.poolEntropy[i] = 0;
                 }
             }
             this.entropyLevel -= strength;
             this.reseed(seed);
+            // seed is built from concatenated pool-hash copies; wipe the temp.
+            wipe(seed);
         }
         return this.pseudoRandomData(length);
     }
@@ -140,64 +152,130 @@ export class Fortuna {
     stop() {
         if (this.disposed)
             throw new Error('Fortuna instance has been disposed');
+        // Mark disposed first so partially-disposed reentry throws cleanly.
+        this.disposed = true;
         this.stopCollectors();
         wipe(this.genKey);
         wipe(this.genCnt);
+        // Wipe the 32 pool-hash chain values so residual entropy-bearing
+        // bytes do not outlive the instance.
+        for (const p of this.poolHash)
+            wipe(p);
         this.reseedCnt = 0;
-        this.disposed = true;
+        // Best-effort wipe of WASM scratch; surface the first error.
+        const required = new Set([...this.gen.wasmModules, ...this.hash.wasmModules]);
+        let err;
+        for (const mod of required) {
+            try {
+                getInstance(mod).exports.wipeBuffers();
+            }
+            catch (e) {
+                err ??= e;
+            }
+        }
+        if (err)
+            throw err;
     }
     // ── Test-only accessors ───────────────────────────────────────────────
-    /** @internal — exposed for testing key replacement */
+    /** @internal, exposed for testing key replacement */
     _getGenKey() {
         return this.genKey;
     }
-    /** @internal — exposed for testing pool state */
+    /** @internal, exposed for testing pool state */
     _getPoolEntropy() {
         return this.poolEntropy;
     }
-    /** @internal — exposed for testing reseed count */
+    /** @internal, exposed for testing reseed count */
     _getReseedCnt() {
         return this.reseedCnt;
     }
-    // ── Generator (spec §9.4) ─────────────────────────────────────────────
-    /** Generate n blocks of 16 bytes each. — spec §9.4 */
-    generateBlocks(n) {
-        const out = new Uint8Array(n * 16);
-        for (let i = 0; i < n; i++) {
-            // Encrypt genCnt with Serpent-256 ECB
-            this.serpent.loadKey(this.genKey);
-            out.set(this.serpent.encryptBlock(this.genCnt), i * 16);
-            this.incrementCounter();
+    /** @internal, exposed for testing pool-hash backing arrays */
+    _getPoolHash() {
+        return this.poolHash;
+    }
+    /**
+     * @internal, test-only deterministic factory. Seeds pool[0] with the provided
+     * entropy and triggers one reseed directly, bypassing all OS entropy collection
+     * and the hrtime jitter capture in get(). This makes KAT vectors reproducible
+     * across runs. Not suitable for production use.
+     */
+    static async _createDeterministicForTesting(opts) {
+        if (!opts || !opts.generator || !opts.hash)
+            throw new TypeError('Fortuna._createDeterministicForTesting() requires { generator, hash, entropy }');
+        if (opts.hash.outputSize !== opts.generator.keySize)
+            throw new RangeError(`leviathan-crypto: Fortuna requires hash.outputSize (${opts.hash.outputSize}) `
+                + `to match generator.keySize (${opts.generator.keySize})`);
+        const required = new Set([...opts.generator.wasmModules, ...opts.hash.wasmModules]);
+        for (const mod of required) {
+            if (!isInitialized(mod)) {
+                const args = [...required].map(m => `${m}: ...`).join(', ');
+                throw new Error(`leviathan-crypto: call init({ ${args} }) before using Fortuna`);
+            }
         }
-        return out;
+        const f = new Fortuna(opts.generator, opts.hash, 0);
+        // Seed pool[0] with the provided entropy, no OS collection.
+        f.addRandomEvent(opts.entropy, 0, opts.entropy.length * 8);
+        // Manually trigger reseed #1 without calling get(), get() calls captureHrtime()
+        // in Node.js which adds non-deterministic data before the reseed fires.
+        f.reseedFromPool0();
+        return f;
     }
-    /** Get length pseudo-random bytes. — spec §9.4 */
+    // ── Generator (spec §9.4) ─────────────────────────────────────────────
+    /** Get length pseudo-random bytes., spec §9.4 */
     pseudoRandomData(length) {
-        // Generate ceil(length/16) blocks — spec §9.4
-        const blocks = Math.ceil(length / 16);
-        const raw = this.generateBlocks(blocks);
-        const output = raw.slice(0, length);
-        // Key replacement — mandatory forward secrecy (spec §9.4)
-        this.genKey = this.generateBlocks(2);
-        return output;
+        const blocks = Math.ceil(length / this.gen.blockSize);
+        const out = this.gen.generate(this.genKey, this.genCnt, length);
+        // External counter advance, generator is stateless and does not mutate caller's counter
+        for (let i = 0; i < blocks; i++)
+            this.incrementCounter();
+        // Key replacement, mandatory forward secrecy (spec §9.4).
+        // Wipe the prior key BEFORE dropping its reference so no key bytes are
+        // reachable after key replacement; anyone holding a Uint8Array view to
+        // the old key now observes zero.
+        const newKey = this.gen.generate(this.genKey, this.genCnt, this.gen.keySize);
+        for (let i = 0; i < Math.ceil(this.gen.keySize / this.gen.blockSize); i++)
+            this.incrementCounter();
+        wipe(this.genKey);
+        this.genKey = newKey;
+        return out;
     }
-    /** Reseed the generator — spec §9.4 */
+    /** Reseed the generator, spec §9.4 */
     reseed(seed) {
-        // genKey = SHA256(genKey ‖ seed)
-        this.genKey = this.sha.hash(concat(this.genKey, seed));
-        // Increment counter — makes it nonzero on first reseed, marking generator as seeded
+        // genKey = hash(genKey ‖ seed). Wipe both the hash input and the
+        // prior key before dropping references.
+        const combined = concat(this.genKey, seed);
+        const newKey = this.hash.digest(combined);
+        wipe(combined);
+        wipe(this.genKey);
+        this.genKey = newKey;
+        // Increment counter, makes it nonzero on first reseed, marking generator as seeded
         this.incrementCounter();
         this.lastReseed = Date.now();
     }
-    /** Increment 16-byte little-endian counter. — spec §9.4 */
+    /** Drain pool 0 into a fresh seed and reseed. Used by the deterministic
+     *  test factory; production reseeds in get() walk the §9.5.5 schedule
+     *  across all pools, not just pool 0. Caller is responsible for any
+     *  entropy-threshold check. */
+    reseedFromPool0() {
+        this.reseedCnt = (this.reseedCnt + 1) >>> 0;
+        const seed = this.poolHash[0].slice();
+        const old = this.poolHash[0];
+        this.poolHash[0] = new Uint8Array(this.hash.outputSize);
+        wipe(old);
+        this.entropyLevel -= this.poolEntropy[0];
+        this.poolEntropy[0] = 0;
+        this.reseed(seed);
+        wipe(seed);
+    }
+    /** Increment little-endian counter., spec §9.4 */
     incrementCounter() {
-        for (let i = 0; i < 16; i++) {
+        for (let i = 0; i < this.genCnt.length; i++) {
             if (++this.genCnt[i] !== 0)
                 break;
         }
     }
     // ── Accumulator (spec §9.5) ───────────────────────────────────────────
-    /** Add an event to a pool via hash chaining: poolHash[i] = SHA256(poolHash[i] ‖ eventId ‖ data). */
+    /** Add an event to a pool via hash chaining: poolHash[i] = hash(poolHash[i] ‖ eventId ‖ data). */
     addRandomEvent(data, poolIdx, entropyBits) {
         // Encode eventId as 4 bytes little-endian
         const id = new Uint8Array(4);
@@ -206,14 +284,19 @@ export class Fortuna {
         id[2] = (this.eventId >>> 16) & 0xff;
         id[3] = (this.eventId >>> 24) & 0xff;
         this.eventId = (this.eventId + 1) >>> 0; // u32 wrap
-        // Chain: poolHash[i] = SHA256(poolHash[i] ‖ id ‖ data)
-        this.poolHash[poolIdx] = this.sha.hash(concat(this.poolHash[poolIdx], id, data));
+        // Chain: poolHash[i] = hash(poolHash[i] ‖ id ‖ data).
+        // Wipe the chain input and the prior chain value before dropping refs.
+        const combined = concat(this.poolHash[poolIdx], id, data);
+        const newChain = this.hash.digest(combined);
+        wipe(combined);
+        wipe(this.poolHash[poolIdx]);
+        this.poolHash[poolIdx] = newChain;
         this.poolEntropy[poolIdx] += entropyBits;
         this.entropyLevel += entropyBits;
     }
     // ── Initialization ────────────────────────────────────────────────────
     initialize(entropy) {
-        // Initial seeding — crypto random per pool (spec §9.5)
+        // Initial seeding, crypto random per pool (spec §9.5)
         for (let i = 0; i < Fortuna.NUM_POOLS * 4; i++) {
             this.collectorCryptoRandom();
         }
@@ -226,6 +309,13 @@ export class Fortuna {
             this.addRandomEvent(entropy, this.robin.rnd, entropy.length * 8);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
         }
+        // F-2 invariant: fail loudly if no OS entropy source delivered anything.
+        // The try/catch in collectorCryptoRandom is preserved to protect against
+        // platforms where crypto.getRandomValues itself throws (non-standard
+        // runtimes). This post-init check covers all silent-failure paths uniformly.
+        if (this.poolEntropy[0] < Fortuna.RESEED_LIMIT)
+            throw new Error('leviathan-crypto: Fortuna initialization could not gather sufficient entropy. '
+                + 'No working crypto.getRandomValues in this environment.');
         this.startCollectors();
     }
     // ── Collectors ────────────────────────────────────────────────────────
@@ -255,7 +345,7 @@ export class Fortuna {
             // OS stats timer
             this.timers.push(setInterval(() => this.collectNodeStats(), Fortuna.NODE_STATS_INTERVAL));
         }
-        // Crypto timer — both environments
+        // Crypto timer, both environments
         this.timers.push(setInterval(() => this.collectorCryptoRandom(), Fortuna.CRYPTO_INTERVAL));
         this.active = true;
     }
@@ -358,25 +448,18 @@ export class Fortuna {
     }
     collectorDom() {
         if (typeof document !== 'undefined' && document.documentElement) {
-            this.addRandomEvent(this.sha.hash(utf8ToBytes(document.documentElement.innerHTML)), this.robin.dom, 2);
+            this.addRandomEvent(this.hash.digest(utf8ToBytes(document.documentElement.innerHTML)), this.robin.dom, 2);
             this.robin.dom = (this.robin.dom + 1) % Fortuna.NUM_POOLS;
         }
     }
     collectorCryptoRandom() {
         try {
+            // Web Crypto is the only secure source. No node:crypto fallback: an absent
+            // source must fail loud via the init invariant below, never be polyfilled.
+            if (typeof globalThis.crypto === 'undefined' || typeof globalThis.crypto.getRandomValues !== 'function')
+                return;
             const rnd = new Uint8Array(128);
-            if (typeof globalThis.crypto !== 'undefined' && typeof globalThis.crypto.getRandomValues === 'function') {
-                globalThis.crypto.getRandomValues(rnd);
-            }
-            else if (isNode) {
-                // eslint-disable-next-line @typescript-eslint/no-require-imports
-                const nodeCrypto = require('node:crypto');
-                const buf = nodeCrypto.randomBytes(128);
-                rnd.set(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength));
-            }
-            else {
-                return; // no crypto source available
-            }
+            globalThis.crypto.getRandomValues(rnd);
             this.addRandomEvent(rnd, this.robin.rnd, 1024);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
         }
@@ -395,14 +478,14 @@ export class Fortuna {
     }
     collectNodeStats() {
         try {
-            // hrtime — nanosecond scheduling jitter
+            // hrtime, nanosecond scheduling jitter
             const hr = process.hrtime.bigint();
             const hrBytes = new Uint8Array(8);
             for (let i = 0; i < 8; i++)
                 hrBytes[i] = Number((hr >> BigInt(i * 8)) & 0xffn);
             this.addRandomEvent(hrBytes, this.robin.time, 8);
             this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
-            // cpuUsage — user + system CPU microseconds
+            // cpuUsage, user + system CPU microseconds
             const cpu = process.cpuUsage();
             const cpuBytes = new Uint8Array(8);
             cpuBytes[0] = cpu.user & 0xff;
@@ -415,7 +498,7 @@ export class Fortuna {
             cpuBytes[7] = (cpu.system >>> 24) & 0xff;
             this.addRandomEvent(cpuBytes, this.robin.rnd, 2);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
-            // memoryUsage — heapUsed changes constantly
+            // memoryUsage, heapUsed changes constantly
             const mem = process.memoryUsage();
             const memVal = mem.heapUsed;
             const memBytes = new Uint8Array(4);
@@ -425,22 +508,6 @@ export class Fortuna {
             memBytes[3] = (memVal >>> 24) & 0xff;
             this.addRandomEvent(memBytes, this.robin.rnd, 1);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
-            // loadavg — slow-changing but real system state
-            // eslint-disable-next-line @typescript-eslint/no-require-imports
-            const os = require('node:os');
-            const la = os.loadavg();
-            const laStr = la.map((n) => Math.round(n * 1000).toString()).join('');
-            this.addRandomEvent(utf8ToBytes(laStr), this.robin.time, 1);
-            this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
-            // freemem — changes with allocation activity
-            const fm = os.freemem();
-            const fmBytes = new Uint8Array(4);
-            fmBytes[0] = fm & 0xff;
-            fmBytes[1] = (fm >>> 8) & 0xff;
-            fmBytes[2] = (fm >>> 16) & 0xff;
-            fmBytes[3] = (fm >>> 24) & 0xff;
-            this.addRandomEvent(fmBytes, this.robin.rnd, 1);
-            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
         }
         catch { /* Node APIs may not be available */ }
     }

package/dist/index.d.ts

@@ -1,5 +1,11 @@
 import type { Module } from './init.js';
 import type { WasmSource } from './wasm-source.js';
+/**
+ * Top-level init() input. Accepts the canonical module keys plus the
+ * `ed25519` and `x25519` aliases; both aliases resolve to the underlying
+ * `curve25519` WASM module and are de-duped if given identical sources.
+ */
+export type InitInput = Partial<Record<Module | 'ed25519' | 'x25519', WasmSource>>;
 /**
  * Load one or more WASM modules. Each key is a module name; the value is the
  * WasmSource to load it from (embedded blob, URL, ArrayBuffer, etc.).
@@ -10,20 +16,45 @@ import type { WasmSource } from './wasm-source.js';
  * import { sha2Wasm }    from 'leviathan-crypto/sha2/embedded';
  * await init({ serpent: serpentWasm, sha2: sha2Wasm });
  * ```
+ *
+ * `ed25519` and `x25519` are aliases for the underlying `curve25519`
+ * module. `init({ ed25519: src })` and `init({ x25519: src })` both work,
+ * and `init({ ed25519: src, x25519: src })` is accepted (single underlying
+ * init). Two different sources for the same underlying module is rejected.
  */
-export declare function init(sources: Partial<Record<Module, WasmSource>>): Promise<void>;
+export declare function init(sources: InitInput): Promise<void>;
 export type { Module, WasmSource };
-export { isInitialized, _resetForTesting } from './init.js';
-export { AuthenticationError } from './errors.js';
-export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, _serpentReady } from './serpent/index.js';
-export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, _chachaReady } from './chacha20/index.js';
-export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, _sha2Ready } from './sha2/index.js';
-export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, _sha3Ready } from './sha3/index.js';
+export { isInitialized } from './init.js';
+export { AuthenticationError, SigningError, KeyAgreementError, MerkleCodecError, MerkleLogError } from './errors.js';
+export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator } from './chacha20/index.js';
+export { sha2Init, SHA256, SHA224, SHA384, SHA512, SHA512_224, SHA512_256, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHA3_256Stream, SHA3_512Stream, SHAKE128, SHAKE256, SHAKE128Stream, SHAKE256Stream, SHA3_256Hash, CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from './sha3/index.js';
 export { keccakInit } from './keccak/index.js';
-export { kyberInit, MlKem512, MlKem768, MlKem1024, MlKemBase, KyberSuite, _kyberReady } from './kyber/index.js';
-export type { KyberKeyPair, KyberEncapsulation, KyberParams } from './kyber/index.js';
+export { mlkemInit, MlKem512, MlKem768, MlKem1024, MlKemBase, MlKemSuite } from './mlkem/index.js';
+export { aesInit, AES, AESCbc, AESCtr, AESGCM, AESGCMSIV, AESGenerator, AESGCMSIVCipher } from './aes/index.js';
+export { mldsaInit, MlDsa44, MlDsa65, MlDsa87, MlDsaBase, MLDSA44, MLDSA65, MLDSA87 } from './mldsa/index.js';
+export { slhdsaInit, SlhDsaBase, SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from './slhdsa/index.js';
+export { blake3Init, BLAKE3, BLAKE3KeyedHash, BLAKE3DeriveKey, BLAKE3Stream, BLAKE3KeyedHashStream, BLAKE3DeriveKeyStream, BLAKE3OutputReader, BLAKE3Hash, } from './blake3/index.js';
+export { ecdsaP256Init, EcdsaP256, pointDecompress, encodeEcPrivateKey, decodeEcPrivateKey, } from './ecdsa/index.js';
+export type { EcdsaP256KeyPair } from './ecdsa/index.js';
+export { ecdsaSignatureToDer, ecdsaSignatureFromDer } from './ecdsa/der.js';
+export { ed25519Init, Ed25519 } from './ed25519/index.js';
+export type { Ed25519KeyPair } from './ed25519/index.js';
+export { x25519Init, X25519 } from './x25519/index.js';
+export type { X25519KeyPair } from './x25519/index.js';
+export type { MlKemKeyPair, MlKemEncapsulation, MlKemParams } from './mlkem/index.js';
+export type { MlDsaKeyPair, MlDsaParams, PreHashAlgorithm } from './mldsa/index.js';
+export type { SlhDsaKeyPair, SlhDsaParams } from './slhdsa/index.js';
 export { SealStream, OpenStream, Seal, SealStreamPool, FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX } from './stream/index.js';
 export type { CipherSuite, DerivedKeys, SealStreamOpts, PoolOpts } from './stream/index.js';
+export { MemoryStorage, Sha256Hasher, Sha256Tree, Blake3Hasher, Blake3Tree, splitPoint, verifyInclusionProof, verifyConsistencyProof, buildInclusionProof, buildConsistencyProof, serializeCheckpointBody, parseCheckpointBody, emitSignedNote, parseSignedNote, deriveKeyId, suiteFormatEnumToAlgoByte, lookupAlgoEntryByFormatEnum, lookupAlgoEntryByByte, buildCosigSignedMessage, buildCosignedMessage, emitCosigSignaturePayload, parseCosigSignaturePayload, ALGO_BYTE_ED25519_NOTE, ALGO_BYTE_ED25519_COSIG, ALGO_BYTE_MLDSA44_COSIG, SignedLog, MerkleVerifier, MerkleLog, } from './merkle/index.js';
+export type { Hasher, MerkleTree, MerkleStorage, VerifyInclusionInput, VerifyConsistencyInput, BuildInclusionInput, BuildConsistencyInput, GetNode, Checkpoint, SignatureLine, SignedNote, SignedTreeHead, AlgoEntry, MessageConstruction, SignaturePayload, CosignedMessageInput, SignedLogOpts, MerkleVerifierOpts, MerkleLogCreateOpts, MerkleLogGenerateOpts, } from './merkle/index.js';
+export { Sign, SignStream, VerifyStream } from './sign/index.js';
+export type { SignatureSuite, StreamableSignatureSuite, PrehashAlgorithm, } from './sign/index.js';
+export { Ed25519Suite, Ed25519PreHashSuite, EcdsaP256Suite, MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './sign/index.js';
 export { Fortuna } from './fortuna.js';
-export type { Hash, KeyedHash, Blockcipher, Streamcipher, AEAD } from './types.js';
-export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CT_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';
+export type { Hash, KeyedHash, Blockcipher, Streamcipher, AEAD, Generator, HashFn } from './types.js';
+export { KDFChain, ratchetInit, kemRatchetEncap, kemRatchetDecap, ratchetReady, SkippedKeyStore, RatchetKeypair, } from './ratchet/index.js';
+export type { RatchetInitResult, KemEncapResult, KemDecapResult, MlKemLike, RatchetMessageHeader, ResolveHandle, SkippedKeyStoreOpts, } from './ratchet/index.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CTE_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';

package/dist/index.js

@@ -19,21 +19,35 @@
 //   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
 //                           ▀█████▀▀
 //
-// Root barrel — re-exports everything
+// Root barrel, re-exports everything
 import { serpentInit } from './serpent/index.js';
 import { chacha20Init } from './chacha20/index.js';
 import { sha2Init } from './sha2/index.js';
 import { sha3Init } from './sha3/index.js';
 import { keccakInit } from './keccak/index.js';
-import { kyberInit } from './kyber/index.js';
+import { mlkemInit } from './mlkem/index.js';
+import { aesInit } from './aes/index.js';
+import { mldsaInit } from './mldsa/index.js';
+import { slhdsaInit } from './slhdsa/index.js';
+import { blake3Init } from './blake3/index.js';
+import { ecdsaP256Init } from './ecdsa/index.js';
+import { initModule } from './init.js';
 import { hasSIMD } from './utils.js';
+// curve25519 backs ed25519 + x25519. Public surface is the
+// per-primitive alias; 'curve25519' key accepted for Module symmetry.
 const _dispatchers = {
     serpent: serpentInit,
     chacha20: chacha20Init,
     sha2: sha2Init,
     sha3: sha3Init,
     keccak: keccakInit,
-    kyber: kyberInit,
+    mlkem: mlkemInit,
+    aes: aesInit,
+    mldsa: mldsaInit,
+    slhdsa: slhdsaInit,
+    blake3: blake3Init,
+    curve25519: (source) => initModule('curve25519', source),
+    p256: ecdsaP256Init,
 };
 /**
  * Load one or more WASM modules. Each key is a module name; the value is the
@@ -45,29 +59,60 @@ const _dispatchers = {
  * import { sha2Wasm }    from 'leviathan-crypto/sha2/embedded';
  * await init({ serpent: serpentWasm, sha2: sha2Wasm });
  * ```
+ *
+ * `ed25519` and `x25519` are aliases for the underlying `curve25519`
+ * module. `init({ ed25519: src })` and `init({ x25519: src })` both work,
+ * and `init({ ed25519: src, x25519: src })` is accepted (single underlying
+ * init). Two different sources for the same underlying module is rejected.
  */
 export async function init(sources) {
     const entries = Object.entries(sources);
-    // SIMD preflight — serpent, chacha20, and kyber modules contain SIMD instructions
-    if (('serpent' in sources || 'chacha20' in sources || 'kyber' in sources) && !hasSIMD())
-        throw new Error('leviathan-crypto: serpent, chacha20, and kyber require WebAssembly SIMD — '
-            + 'this runtime does not support it');
-    for (const [mod, src] of entries) {
-        if (!Object.hasOwn(_dispatchers, mod))
-            throw new Error(`leviathan-crypto: unknown module "${mod}" — expected one of: ${Object.keys(_dispatchers).join(', ')}`);
+    const resolved = new Map();
+    for (const [key, src] of entries) {
         if (src == null)
-            throw new TypeError(`leviathan-crypto: source for "${mod}" is null or undefined`);
+            throw new TypeError(`leviathan-crypto: source for "${key}" is null or undefined`);
+        const target = (key === 'ed25519' || key === 'x25519') ? 'curve25519' : key;
+        if (!Object.hasOwn(_dispatchers, target))
+            throw new Error(`leviathan-crypto: unknown module "${key}", expected one of: `
+                + `${Object.keys(_dispatchers).join(', ')}, ed25519, x25519`);
+        const prior = resolved.get(target);
+        if (prior !== undefined) {
+            if (prior !== src)
+                throw new Error('leviathan-crypto: init() called with different sources for "ed25519" and "x25519" '
+                    + '(both alias to curve25519, sources must be identical)');
+            continue;
+        }
+        resolved.set(target, src);
     }
-    await Promise.all(entries.map(([mod, src]) => _dispatchers[mod](src)));
+    // SIMD preflight for modules that contain v128 instructions
+    // (see scripts/lib/modules.ts).
+    if ((resolved.has('serpent') || resolved.has('chacha20') || resolved.has('mlkem')
+        || resolved.has('aes') || resolved.has('mldsa') || resolved.has('blake3'))
+        && !hasSIMD())
+        throw new Error('leviathan-crypto: serpent, chacha20, mlkem, aes, mldsa, and blake3 require WebAssembly SIMD, '
+            + 'this runtime does not support it');
+    await Promise.all(Array.from(resolved.entries()).map(([mod, src]) => _dispatchers[mod](src)));
 }
-export { isInitialized, _resetForTesting } from './init.js';
-export { AuthenticationError } from './errors.js';
-export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, _serpentReady } from './serpent/index.js';
-export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, _chachaReady } from './chacha20/index.js';
-export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, _sha2Ready } from './sha2/index.js';
-export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, _sha3Ready } from './sha3/index.js';
+export { isInitialized } from './init.js';
+export { AuthenticationError, SigningError, KeyAgreementError, MerkleCodecError, MerkleLogError } from './errors.js';
+export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator } from './chacha20/index.js';
+export { sha2Init, SHA256, SHA224, SHA384, SHA512, SHA512_224, SHA512_256, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHA3_256Stream, SHA3_512Stream, SHAKE128, SHAKE256, SHAKE128Stream, SHAKE256Stream, SHA3_256Hash, CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from './sha3/index.js';
 export { keccakInit } from './keccak/index.js';
-export { kyberInit, MlKem512, MlKem768, MlKem1024, MlKemBase, KyberSuite, _kyberReady } from './kyber/index.js';
+export { mlkemInit, MlKem512, MlKem768, MlKem1024, MlKemBase, MlKemSuite } from './mlkem/index.js';
+export { aesInit, AES, AESCbc, AESCtr, AESGCM, AESGCMSIV, AESGenerator, AESGCMSIVCipher } from './aes/index.js';
+export { mldsaInit, MlDsa44, MlDsa65, MlDsa87, MlDsaBase, MLDSA44, MLDSA65, MLDSA87 } from './mldsa/index.js';
+export { slhdsaInit, SlhDsaBase, SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from './slhdsa/index.js';
+export { blake3Init, BLAKE3, BLAKE3KeyedHash, BLAKE3DeriveKey, BLAKE3Stream, BLAKE3KeyedHashStream, BLAKE3DeriveKeyStream, BLAKE3OutputReader, BLAKE3Hash, } from './blake3/index.js';
+export { ecdsaP256Init, EcdsaP256, pointDecompress, encodeEcPrivateKey, decodeEcPrivateKey, } from './ecdsa/index.js';
+export { ecdsaSignatureToDer, ecdsaSignatureFromDer } from './ecdsa/der.js';
+export { ed25519Init, Ed25519 } from './ed25519/index.js';
+export { x25519Init, X25519 } from './x25519/index.js';
 export { SealStream, OpenStream, Seal, SealStreamPool, FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX } from './stream/index.js';
+export { MemoryStorage, Sha256Hasher, Sha256Tree, Blake3Hasher, Blake3Tree, splitPoint, verifyInclusionProof, verifyConsistencyProof, buildInclusionProof, buildConsistencyProof, serializeCheckpointBody, parseCheckpointBody, emitSignedNote, parseSignedNote, deriveKeyId, suiteFormatEnumToAlgoByte, lookupAlgoEntryByFormatEnum, lookupAlgoEntryByByte, buildCosigSignedMessage, buildCosignedMessage, emitCosigSignaturePayload, parseCosigSignaturePayload, ALGO_BYTE_ED25519_NOTE, ALGO_BYTE_ED25519_COSIG, ALGO_BYTE_MLDSA44_COSIG, SignedLog, MerkleVerifier, MerkleLog, } from './merkle/index.js';
+export { Sign, SignStream, VerifyStream } from './sign/index.js';
+export { Ed25519Suite, Ed25519PreHashSuite, EcdsaP256Suite, MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './sign/index.js';
 export { Fortuna } from './fortuna.js';
-export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CT_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';
+export { KDFChain, ratchetInit, kemRatchetEncap, kemRatchetDecap, ratchetReady, SkippedKeyStore, RatchetKeypair, } from './ratchet/index.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CTE_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';

package/dist/init.d.ts

@@ -1,7 +1,5 @@
 import type { WasmSource } from './wasm-source.js';
-export type Module = 'serpent' | 'chacha20' | 'sha2' | 'sha3' | 'keccak' | 'kyber';
+export type Module = 'serpent' | 'chacha20' | 'sha2' | 'sha3' | 'keccak' | 'mlkem' | 'aes' | 'mldsa' | 'slhdsa' | 'blake3' | 'curve25519' | 'p256';
 export declare function initModule(mod: Module, source: WasmSource): Promise<void>;
 export declare function getInstance(mod: Module): WebAssembly.Instance;
 export declare function isInitialized(mod: Module): boolean;
-/** Reset all cached instances — for testing only */
-export declare function _resetForTesting(): void;