npm - leviathan-crypto - Versions diffs - 2.0.1 → 3.0.0 - Mend

leviathan-crypto 2.0.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/CLAUDE.md +88 -281
package/LICENSE +4 -0
package/README.md +275 -87
package/dist/aes/aes-cbc.d.ts +40 -0
package/dist/aes/aes-cbc.js +158 -0
package/dist/aes/aes-ctr.d.ts +50 -0
package/dist/aes/aes-ctr.js +141 -0
package/dist/aes/aes-gcm-siv.d.ts +67 -0
package/dist/aes/aes-gcm-siv.js +217 -0
package/dist/aes/aes-gcm.d.ts +61 -0
package/dist/aes/aes-gcm.js +226 -0
package/dist/aes/cipher-suite.d.ts +21 -0
package/dist/aes/cipher-suite.js +179 -0
package/dist/aes/embedded.d.ts +1 -0
package/dist/aes/embedded.js +26 -0
package/dist/aes/generator.d.ts +14 -0
package/dist/aes/generator.js +103 -0
package/dist/aes/index.d.ts +58 -0
package/dist/aes/index.js +125 -0
package/dist/aes/ops.d.ts +60 -0
package/dist/aes/ops.js +164 -0
package/dist/aes/pool-worker.d.ts +1 -0
package/dist/aes/pool-worker.js +92 -0
package/dist/aes/types.d.ts +1 -0
package/dist/aes/types.js +23 -0
package/dist/aes.wasm +0 -0
package/dist/blake3/embedded.d.ts +1 -0
package/dist/blake3/embedded.js +26 -0
package/dist/blake3/index.d.ts +143 -0
package/dist/blake3/index.js +620 -0
package/dist/blake3/types.d.ts +102 -0
package/dist/blake3/types.js +31 -0
package/dist/blake3/validate.d.ts +29 -0
package/dist/blake3/validate.js +80 -0
package/dist/blake3.wasm +0 -0
package/dist/chacha20/cipher-suite.d.ts +10 -0
package/dist/chacha20/cipher-suite.js +98 -13
package/dist/chacha20/generator.d.ts +12 -0
package/dist/chacha20/generator.js +91 -0
package/dist/chacha20/index.d.ts +100 -3
package/dist/chacha20/index.js +169 -35
package/dist/chacha20/ops.d.ts +57 -6
package/dist/chacha20/ops.js +107 -27
package/dist/chacha20/pool-worker.js +14 -0
package/dist/chacha20/types.d.ts +1 -32
package/dist/cte-wasm.d.ts +1 -0
package/dist/cte-wasm.js +3 -0
package/dist/cte.wasm +0 -0
package/dist/curve25519.wasm +0 -0
package/dist/ecdsa/der.d.ts +23 -0
package/dist/ecdsa/der.js +192 -0
package/dist/ecdsa/ecprivatekey-der.d.ts +32 -0
package/dist/ecdsa/ecprivatekey-der.js +230 -0
package/dist/ecdsa/embedded.d.ts +1 -0
package/dist/ecdsa/embedded.js +25 -0
package/dist/ecdsa/index.d.ts +124 -0
package/dist/ecdsa/index.js +366 -0
package/dist/ecdsa/types.d.ts +31 -0
package/dist/ecdsa/types.js +28 -0
package/dist/ecdsa/validate.d.ts +18 -0
package/dist/ecdsa/validate.js +92 -0
package/dist/ed25519/embedded.d.ts +1 -0
package/dist/ed25519/embedded.js +31 -0
package/dist/ed25519/index.d.ts +70 -0
package/dist/ed25519/index.js +308 -0
package/dist/ed25519/types.d.ts +27 -0
package/dist/ed25519/types.js +27 -0
package/dist/ed25519/validate.d.ts +7 -0
package/dist/ed25519/validate.js +77 -0
package/dist/embedded/aes-pool-worker.d.ts +1 -0
package/dist/embedded/aes-pool-worker.js +5 -0
package/dist/embedded/aes.d.ts +1 -0
package/dist/embedded/aes.js +3 -0
package/dist/embedded/blake3.d.ts +1 -0
package/dist/embedded/blake3.js +3 -0
package/dist/embedded/chacha20-pool-worker.d.ts +1 -0
package/dist/embedded/chacha20-pool-worker.js +5 -0
package/dist/embedded/chacha20.d.ts +1 -1
package/dist/embedded/chacha20.js +2 -2
package/dist/embedded/curve25519.d.ts +1 -0
package/dist/embedded/curve25519.js +3 -0
package/dist/embedded/mldsa.d.ts +1 -0
package/dist/embedded/mldsa.js +3 -0
package/dist/embedded/mlkem.d.ts +1 -0
package/dist/embedded/mlkem.js +3 -0
package/dist/embedded/p256.d.ts +1 -0
package/dist/embedded/p256.js +3 -0
package/dist/embedded/serpent-pool-worker.d.ts +1 -0
package/dist/embedded/serpent-pool-worker.js +5 -0
package/dist/embedded/serpent.d.ts +1 -1
package/dist/embedded/serpent.js +2 -2
package/dist/embedded/sha2.d.ts +1 -1
package/dist/embedded/sha2.js +2 -2
package/dist/embedded/sha3.d.ts +1 -1
package/dist/embedded/sha3.js +2 -2
package/dist/embedded/slhdsa.d.ts +1 -0
package/dist/embedded/slhdsa.js +3 -0
package/dist/errors.d.ts +92 -1
package/dist/errors.js +111 -1
package/dist/fortuna.d.ts +18 -12
package/dist/fortuna.js +166 -99
package/dist/index.d.ts +42 -11
package/dist/index.js +65 -20
package/dist/init.d.ts +1 -3
package/dist/init.js +73 -7
package/dist/keccak/embedded.js +1 -1
package/dist/keccak/index.d.ts +2 -0
package/dist/keccak/index.js +4 -2
package/dist/loader.d.ts +1 -19
package/dist/loader.js +26 -32
package/dist/merkle/blake3-tree.d.ts +35 -0
package/dist/merkle/blake3-tree.js +187 -0
package/dist/merkle/checkpoint.d.ts +58 -0
package/dist/merkle/checkpoint.js +217 -0
package/dist/merkle/index.d.ts +19 -0
package/dist/merkle/index.js +37 -0
package/dist/merkle/merkle-log.d.ts +130 -0
package/dist/merkle/merkle-log.js +207 -0
package/dist/merkle/merkle-verifier.d.ts +126 -0
package/dist/merkle/merkle-verifier.js +296 -0
package/dist/merkle/proof.d.ts +70 -0
package/dist/merkle/proof.js +300 -0
package/dist/merkle/sha256-tree.d.ts +33 -0
package/dist/merkle/sha256-tree.js +145 -0
package/dist/merkle/signed-log.d.ts +156 -0
package/dist/merkle/signed-log.js +356 -0
package/dist/merkle/signed-note.d.ts +309 -0
package/dist/merkle/signed-note.js +648 -0
package/dist/merkle/sth.d.ts +31 -0
package/dist/merkle/sth.js +31 -0
package/dist/merkle/storage.d.ts +40 -0
package/dist/merkle/storage.js +71 -0
package/dist/merkle/tree.d.ts +68 -0
package/dist/merkle/tree.js +94 -0
package/dist/mldsa/embedded.d.ts +1 -0
package/dist/{kyber → mldsa}/embedded.js +5 -5
package/dist/mldsa/expand.d.ts +53 -0
package/dist/mldsa/expand.js +188 -0
package/dist/mldsa/format.d.ts +16 -0
package/dist/mldsa/format.js +68 -0
package/dist/mldsa/hashvariant.d.ts +32 -0
package/dist/mldsa/hashvariant.js +248 -0
package/dist/mldsa/index.d.ts +142 -0
package/dist/mldsa/index.js +463 -0
package/dist/mldsa/keygen.d.ts +16 -0
package/dist/mldsa/keygen.js +232 -0
package/dist/mldsa/params.d.ts +21 -0
package/dist/mldsa/params.js +55 -0
package/dist/mldsa/sha3-helpers.d.ts +30 -0
package/dist/mldsa/sha3-helpers.js +124 -0
package/dist/mldsa/sign.d.ts +36 -0
package/dist/mldsa/sign.js +380 -0
package/dist/mldsa/types.d.ts +91 -0
package/dist/mldsa/types.js +25 -0
package/dist/mldsa/validate.d.ts +55 -0
package/dist/mldsa/validate.js +125 -0
package/dist/mldsa/verify.d.ts +29 -0
package/dist/mldsa/verify.js +269 -0
package/dist/mldsa.wasm +0 -0
package/dist/mlkem/embedded.d.ts +1 -0
package/dist/mlkem/embedded.js +27 -0
package/dist/mlkem/indcpa.d.ts +49 -0
package/dist/{kyber → mlkem}/indcpa.js +48 -48
package/dist/mlkem/index.d.ts +37 -0
package/dist/{kyber → mlkem}/index.js +41 -31
package/dist/mlkem/kem.d.ts +21 -0
package/dist/{kyber → mlkem}/kem.js +48 -13
package/dist/{kyber → mlkem}/params.d.ts +4 -4
package/dist/{kyber → mlkem}/params.js +2 -2
package/dist/mlkem/suite.d.ts +12 -0
package/dist/{kyber → mlkem}/suite.js +17 -12
package/dist/{kyber → mlkem}/types.d.ts +4 -3
package/dist/{kyber → mlkem}/types.js +1 -1
package/dist/mlkem/validate.d.ts +23 -0
package/dist/{kyber → mlkem}/validate.js +24 -20
package/dist/{kyber.wasm → mlkem.wasm} +0 -0
package/dist/p256.wasm +0 -0
package/dist/ratchet/index.d.ts +8 -0
package/dist/ratchet/index.js +38 -0
package/dist/ratchet/kdf-chain.d.ts +13 -0
package/dist/ratchet/kdf-chain.js +85 -0
package/dist/ratchet/ratchet-keypair.d.ts +9 -0
package/dist/ratchet/ratchet-keypair.js +61 -0
package/dist/ratchet/root-kdf.d.ts +4 -0
package/dist/ratchet/root-kdf.js +124 -0
package/dist/ratchet/skipped-key-store.d.ts +14 -0
package/dist/ratchet/skipped-key-store.js +154 -0
package/dist/ratchet/types.d.ts +36 -0
package/dist/ratchet/types.js +26 -0
package/dist/serpent/cipher-suite.d.ts +10 -0
package/dist/serpent/cipher-suite.js +144 -56
package/dist/serpent/generator.d.ts +12 -0
package/dist/serpent/generator.js +97 -0
package/dist/serpent/index.d.ts +62 -1
package/dist/serpent/index.js +97 -21
package/dist/serpent/pool-worker.js +28 -102
package/dist/serpent/serpent-cbc.d.ts +16 -6
package/dist/serpent/serpent-cbc.js +58 -37
package/dist/serpent/shared-ops.d.ts +63 -0
package/dist/serpent/shared-ops.js +178 -0
package/dist/serpent/types.d.ts +1 -5
package/dist/serpent.wasm +0 -0
package/dist/sha2/hash.d.ts +2 -0
package/dist/sha2/hash.js +53 -0
package/dist/sha2/hkdf.js +5 -5
package/dist/sha2/index.d.ts +22 -1
package/dist/sha2/index.js +80 -11
package/dist/sha2/types.d.ts +41 -2
package/dist/sha2.wasm +0 -0
package/dist/sha3/hash.d.ts +2 -0
package/dist/sha3/hash.js +53 -0
package/dist/sha3/index.d.ts +87 -3
package/dist/sha3/index.js +317 -19
package/dist/sha3/kmac.d.ts +121 -0
package/dist/sha3/kmac.js +800 -0
package/dist/sha3.wasm +0 -0
package/dist/shared/pkcs7.d.ts +22 -0
package/dist/shared/pkcs7.js +84 -0
package/dist/sign/ctx.d.ts +41 -0
package/dist/sign/ctx.js +102 -0
package/dist/sign/envelope.d.ts +45 -0
package/dist/sign/envelope.js +152 -0
package/dist/sign/hasher.d.ts +9 -0
package/dist/sign/hasher.js +132 -0
package/dist/sign/index.d.ts +11 -0
package/dist/sign/index.js +34 -0
package/dist/sign/sign-stream.d.ts +25 -0
package/dist/sign/sign-stream.js +112 -0
package/dist/sign/suites/ecdsa-p256.d.ts +2 -0
package/dist/sign/suites/ecdsa-p256.js +120 -0
package/dist/sign/suites/ed25519.d.ts +3 -0
package/dist/sign/suites/ed25519.js +165 -0
package/dist/sign/suites/hybrid-classical.d.ts +23 -0
package/dist/sign/suites/hybrid-classical.js +526 -0
package/dist/sign/suites/hybrid-pq.d.ts +4 -0
package/dist/sign/suites/hybrid-pq.js +234 -0
package/dist/sign/suites/mldsa.d.ts +7 -0
package/dist/sign/suites/mldsa.js +161 -0
package/dist/sign/suites/slhdsa.d.ts +7 -0
package/dist/sign/suites/slhdsa.js +176 -0
package/dist/sign/types.d.ts +106 -0
package/dist/sign/types.js +28 -0
package/dist/sign/verify-stream.d.ts +30 -0
package/dist/sign/verify-stream.js +227 -0
package/dist/slhdsa/embedded.d.ts +1 -0
package/dist/slhdsa/embedded.js +26 -0
package/dist/slhdsa/index.d.ts +149 -0
package/dist/slhdsa/index.js +493 -0
package/dist/slhdsa/params.d.ts +26 -0
package/dist/slhdsa/params.js +70 -0
package/dist/slhdsa/prehash.d.ts +68 -0
package/dist/slhdsa/prehash.js +307 -0
package/dist/slhdsa/sign.d.ts +39 -0
package/dist/slhdsa/sign.js +116 -0
package/dist/slhdsa/types.d.ts +129 -0
package/dist/slhdsa/types.js +27 -0
package/dist/slhdsa/validate.d.ts +60 -0
package/dist/slhdsa/validate.js +127 -0
package/dist/slhdsa/verify.d.ts +32 -0
package/dist/slhdsa/verify.js +107 -0
package/dist/slhdsa.wasm +0 -0
package/dist/stream/header.js +8 -8
package/dist/stream/index.d.ts +1 -0
package/dist/stream/index.js +1 -0
package/dist/stream/open-stream.js +65 -22
package/dist/stream/seal-stream-pool.d.ts +2 -0
package/dist/stream/seal-stream-pool.js +100 -33
package/dist/stream/seal-stream.d.ts +1 -1
package/dist/stream/seal-stream.js +48 -19
package/dist/stream/seal.js +6 -6
package/dist/stream/types.d.ts +3 -1
package/dist/stream/types.js +1 -1
package/dist/types.d.ts +22 -1
package/dist/types.js +1 -1
package/dist/utils.d.ts +9 -10
package/dist/utils.js +84 -59
package/dist/wasm-source.d.ts +9 -8
package/dist/wasm-source.js +1 -1
package/dist/x25519/embedded.d.ts +1 -0
package/dist/x25519/embedded.js +31 -0
package/dist/x25519/index.d.ts +43 -0
package/dist/x25519/index.js +159 -0
package/dist/x25519/types.d.ts +25 -0
package/dist/x25519/types.js +27 -0
package/dist/x25519/validate.d.ts +2 -0
package/dist/x25519/validate.js +39 -0
package/package.json +123 -64
package/SECURITY.md +0 -276
package/dist/ct-wasm.d.ts +0 -1
package/dist/ct-wasm.js +0 -3
package/dist/ct.wasm +0 -0
package/dist/docs/aead.md +0 -323
package/dist/docs/architecture.md +0 -932
package/dist/docs/argon2id.md +0 -302
package/dist/docs/chacha20.md +0 -674
package/dist/docs/exports.md +0 -241
package/dist/docs/fortuna.md +0 -313
package/dist/docs/init.md +0 -302
package/dist/docs/loader.md +0 -161
package/dist/docs/serpent.md +0 -519
package/dist/docs/sha2.md +0 -613
package/dist/docs/sha3.md +0 -546
package/dist/docs/types.md +0 -276
package/dist/docs/utils.md +0 -367
package/dist/embedded/kyber.d.ts +0 -1
package/dist/embedded/kyber.js +0 -3
package/dist/kyber/embedded.d.ts +0 -1
package/dist/kyber/indcpa.d.ts +0 -49
package/dist/kyber/index.d.ts +0 -38
package/dist/kyber/kem.d.ts +0 -21
package/dist/kyber/suite.d.ts +0 -13
package/dist/kyber/validate.d.ts +0 -19

package/dist/mldsa/hashvariant.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import type { Sha3Exports } from './types.js';
+import type { Sha2Exports } from '../sha2/types.js';
+/** FIPS 204 §5.4.1, approved pre-hash functions. Names follow the spec
+ *  spelling (no hyphens between SHAKE and the digit). The SHAKE entries
+ *  are XOFs with fixed output lengths set by FIPS 204 §5.4.1:
+ *  SHAKE128 → 256-bit (32-byte) output, SHAKE256 → 512-bit (64-byte). */
+export type PreHashAlgorithm = 'SHA2-224' | 'SHA2-256' | 'SHA2-384' | 'SHA2-512' | 'SHA2-512/224' | 'SHA2-512/256' | 'SHA3-224' | 'SHA3-256' | 'SHA3-384' | 'SHA3-512' | 'SHAKE128' | 'SHAKE256';
+/** Look up the FIPS 204 §5.4.1 OID DER bytes for `algo`. Returns a fresh
+ *  Uint8Array each call so callers can wipe / mutate without aliasing the
+ *  module-private constant. */
+export declare function getOid(algo: PreHashAlgorithm): Uint8Array;
+/** FIPS 204 §5.4.1 PH_M byte length for `algo`. SHAKE128 / SHAKE256 are
+ *  XOFs but the spec fixes their HashML-DSA output to 32 / 64 bytes
+ *  respectively; the SHA-3 and SHA-2 entries return their natural digest
+ *  size. Used by `validateDigest` to bound the caller-supplied prehash. */
+export declare function digestSize(algo: PreHashAlgorithm): number;
+/** True iff `algo` is one of the SHA-2 family pre-hashes (and therefore
+ *  requires `init({ sha2: ... })`). The SHA-3 family and SHAKE variants
+ *  use the same `sha3` module mldsa already requires. */
+export declare function algoNeedsSha2(algo: PreHashAlgorithm): boolean;
+/**
+ * Pre-hash dispatcher, applies the FIPS 204 §5.4.1 hash function `algo`
+ * to message `M` and returns PH_M (the bytes that go into M' alongside
+ * the OID).
+ *
+ * `sha2x` may be `undefined` if `algo` does not need the sha2 module
+ * (i.e. SHA3-* / SHAKE*). When `algo` is a SHA-2 variant, the dispatcher
+ * throws if `sha2x` is missing rather than NPE'ing on a member access.
+ * The arrangement keeps sha2 strictly optional for pure-ML-DSA users and
+ * SHA3-prehash HashML-DSA users.
+ */
+export declare function preHashMessage(sx: Sha3Exports, sha2x: Sha2Exports | undefined, algo: PreHashAlgorithm, M: Uint8Array): Uint8Array;

package/dist/mldsa/hashvariant.js ADDED Viewed

@@ -0,0 +1,248 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/mldsa/hashvariant.ts
+//
+// HashML-DSA pre-hash dispatcher and OID DER table.
+// FIPS 204 §5.4 / §5.4.1, Algorithm 4 (HashML-DSA.Sign) and Algorithm 5
+// (HashML-DSA.Verify) build M' = 0x01 ‖ |ctx| ‖ ctx ‖ OID ‖ PH_M, where
+//   • PH_M = H_PH(M) for the caller-selected approved pre-hash function PH
+//   • OID  = the DER encoding of PH's NIST CSOR object identifier
+//
+// The 12 approved pre-hash functions (FIPS 204 §5.4.1) are SHA2-{224,256,
+// 384,512,512/224,512/256}, SHA3-{224,256,384,512}, and the two XOFs
+// SHAKE128 / SHAKE256 with fixed 256- / 512-bit outputs respectively.
+//
+// All OIDs share the 10-byte DER prefix `06 09 60 86 48 01 65 03 04 02`
+// (joint-iso-itu-t.country(2).us(16).organization(840).gov(1).csor(101)
+// .nistalgorithm(3).hashalgs(4).hashalg(2)) and are distinguished by the
+// trailing arc byte. Spec authority: FIPS 204 Algorithm 4 lines 12, 15,
+// 18 enumerates SHA-256 (.01), SHA-512 (.03), and SHAKE128 (.0B) by
+// example; the remaining nine arcs are the NIST CSOR registrations
+// (RFC 5754 / RFC 8702) on the same 2.16.840.1.101.3.4.2.x branch and
+// must match the verifying-party expectation byte-for-byte.
+import { sha3Absorb } from './sha3-helpers.js';
+// ── OID DER table, FIPS 204 §5.4.1 ─────────────────────────────────────────
+// Shared 10-byte DER prefix: tag 0x06 (OBJECT IDENTIFIER), length 0x09,
+// then the encoded ancestor arcs 2.16.840.1.101.3.4.2:
+//   2.16   → 0x60 0x86 0x48                  (joint-iso-itu-t.country)
+//   .1     → 0x01                            (us)
+//   .101   → 0x65                            (organization → gov)
+//   .3.4.2 → 0x03 0x04 0x02                  (csor.nistalgorithm.hashalgs)
+// The trailing byte is the per-algorithm arc.
+const DER_PREFIX = Object.freeze([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02]);
+function oid(arc) {
+    const out = new Uint8Array(11);
+    for (let i = 0; i < 10; i++)
+        out[i] = DER_PREFIX[i];
+    out[10] = arc & 0xFF;
+    return out;
+}
+// id-sha224, 2.16.840.1.101.3.4.2.4
+const OID_SHA2_224 = oid(0x04);
+// id-sha256, 2.16.840.1.101.3.4.2.1 (FIPS 204 §5.4.1 Algorithm 4 line 12)
+const OID_SHA2_256 = oid(0x01);
+// id-sha384, 2.16.840.1.101.3.4.2.2
+const OID_SHA2_384 = oid(0x02);
+// id-sha512, 2.16.840.1.101.3.4.2.3 (FIPS 204 §5.4.1 Algorithm 4 line 15)
+const OID_SHA2_512 = oid(0x03);
+// id-sha512-224, 2.16.840.1.101.3.4.2.5
+const OID_SHA2_512_224 = oid(0x05);
+// id-sha512-256, 2.16.840.1.101.3.4.2.6
+const OID_SHA2_512_256 = oid(0x06);
+// id-sha3-224, 2.16.840.1.101.3.4.2.7
+const OID_SHA3_224 = oid(0x07);
+// id-sha3-256, 2.16.840.1.101.3.4.2.8
+const OID_SHA3_256 = oid(0x08);
+// id-sha3-384, 2.16.840.1.101.3.4.2.9
+const OID_SHA3_384 = oid(0x09);
+// id-sha3-512, 2.16.840.1.101.3.4.2.10
+const OID_SHA3_512 = oid(0x0A);
+// id-shake128, 2.16.840.1.101.3.4.2.11 (FIPS 204 §5.4.1 Algorithm 4 line 18)
+const OID_SHAKE128 = oid(0x0B);
+// id-shake256, 2.16.840.1.101.3.4.2.12
+const OID_SHAKE256 = oid(0x0C);
+const OID_TABLE = Object.freeze({
+    'SHA2-224': OID_SHA2_224,
+    'SHA2-256': OID_SHA2_256,
+    'SHA2-384': OID_SHA2_384,
+    'SHA2-512': OID_SHA2_512,
+    'SHA2-512/224': OID_SHA2_512_224,
+    'SHA2-512/256': OID_SHA2_512_256,
+    'SHA3-224': OID_SHA3_224,
+    'SHA3-256': OID_SHA3_256,
+    'SHA3-384': OID_SHA3_384,
+    'SHA3-512': OID_SHA3_512,
+    'SHAKE128': OID_SHAKE128,
+    'SHAKE256': OID_SHAKE256,
+});
+/** Look up the FIPS 204 §5.4.1 OID DER bytes for `algo`. Returns a fresh
+ *  Uint8Array each call so callers can wipe / mutate without aliasing the
+ *  module-private constant. */
+export function getOid(algo) {
+    const tab = OID_TABLE[algo];
+    if (!tab)
+        throw new RangeError(`leviathan-crypto: unsupported HashML-DSA pre-hash algorithm '${algo}'`);
+    return tab.slice();
+}
+/** FIPS 204 §5.4.1 PH_M byte length for `algo`. SHAKE128 / SHAKE256 are
+ *  XOFs but the spec fixes their HashML-DSA output to 32 / 64 bytes
+ *  respectively; the SHA-3 and SHA-2 entries return their natural digest
+ *  size. Used by `validateDigest` to bound the caller-supplied prehash. */
+export function digestSize(algo) {
+    switch (algo) {
+        case 'SHA2-224': return 28;
+        case 'SHA2-256': return 32;
+        case 'SHA2-384': return 48;
+        case 'SHA2-512': return 64;
+        case 'SHA2-512/224': return 28;
+        case 'SHA2-512/256': return 32;
+        case 'SHA3-224': return 28;
+        case 'SHA3-256': return 32;
+        case 'SHA3-384': return 48;
+        case 'SHA3-512': return 64;
+        case 'SHAKE128': return 32;
+        case 'SHAKE256': return 64;
+        default: {
+            const exhaustive = algo;
+            throw new RangeError(`leviathan-crypto: unsupported HashML-DSA pre-hash algorithm '${exhaustive}'`);
+        }
+    }
+}
+/** True iff `algo` is one of the SHA-2 family pre-hashes (and therefore
+ *  requires `init({ sha2: ... })`). The SHA-3 family and SHAKE variants
+ *  use the same `sha3` module mldsa already requires. */
+export function algoNeedsSha2(algo) {
+    switch (algo) {
+        case 'SHA2-224':
+        case 'SHA2-256':
+        case 'SHA2-384':
+        case 'SHA2-512':
+        case 'SHA2-512/224':
+        case 'SHA2-512/256':
+            return true;
+        default:
+            return false;
+    }
+}
+// ── SHA-2 driver ────────────────────────────────────────────────────────────
+// Mirrors the `feedHash` pattern in src/ts/sha2/index.ts, but kept inline
+// here so hashvariant.ts is the only file that needs to know about HashML-DSA's
+// SHA-2 dispatch table.
+function feedSha2(x, msg, inputOff, chunkSize, updateFn) {
+    const mem = new Uint8Array(x.memory.buffer);
+    let pos = 0;
+    while (pos < msg.length) {
+        const n = Math.min(msg.length - pos, chunkSize);
+        mem.set(msg.subarray(pos, pos + n), inputOff);
+        updateFn(n);
+        pos += n;
+    }
+}
+function sha2Hash(x, msg, initFn, finalFn, inputOff, outOff, blockSize, updateFn, outLen) {
+    initFn();
+    feedSha2(x, msg, inputOff, blockSize, updateFn);
+    finalFn();
+    const mem = new Uint8Array(x.memory.buffer);
+    return mem.slice(outOff, outOff + outLen);
+}
+// ── SHA-3 fixed-length driver ───────────────────────────────────────────────
+// `sha3Absorb` from sha3-helpers handles ≤168-byte chunks. Final functions
+// land the digest at OUT_OFFSET; we slice it out into a fresh Uint8Array.
+function sha3HashFixed(sx, msg, initFn, finalFn, outLen) {
+    initFn();
+    sha3Absorb(sx, msg);
+    finalFn();
+    const mem = new Uint8Array(sx.memory.buffer);
+    const off = sx.getOutOffset();
+    return mem.slice(off, off + outLen);
+}
+// ── SHAKE driver, fixed output length per FIPS 204 §5.4.1 ──────────────────
+function shakeHashFixed(sx, msg, initFn, rate, outLen) {
+    initFn();
+    sha3Absorb(sx, msg);
+    sx.shakePad();
+    const mem = new Uint8Array(sx.memory.buffer);
+    const off = sx.getOutOffset();
+    const out = new Uint8Array(outLen);
+    let pos = 0;
+    while (pos < outLen) {
+        sx.shakeSqueezeBlock();
+        const take = Math.min(outLen - pos, rate);
+        out.set(mem.subarray(off, off + take), pos);
+        pos += take;
+    }
+    return out;
+}
+/**
+ * Pre-hash dispatcher, applies the FIPS 204 §5.4.1 hash function `algo`
+ * to message `M` and returns PH_M (the bytes that go into M' alongside
+ * the OID).
+ *
+ * `sha2x` may be `undefined` if `algo` does not need the sha2 module
+ * (i.e. SHA3-* / SHAKE*). When `algo` is a SHA-2 variant, the dispatcher
+ * throws if `sha2x` is missing rather than NPE'ing on a member access.
+ * The arrangement keeps sha2 strictly optional for pure-ML-DSA users and
+ * SHA3-prehash HashML-DSA users.
+ */
+export function preHashMessage(sx, sha2x, algo, M) {
+    // SHA-3 / SHAKE branches don't touch sha2x, handle them first so
+    // the SHA-2 cases below operate on a narrowed non-undefined sha2x.
+    switch (algo) {
+        case 'SHA3-224':
+            return sha3HashFixed(sx, M, sx.sha3_224Init, sx.sha3_224Final, 28);
+        case 'SHA3-256':
+            return sha3HashFixed(sx, M, sx.sha3_256Init, sx.sha3_256Final, 32);
+        case 'SHA3-384':
+            return sha3HashFixed(sx, M, sx.sha3_384Init, sx.sha3_384Final, 48);
+        case 'SHA3-512':
+            return sha3HashFixed(sx, M, sx.sha3_512Init, sx.sha3_512Final, 64);
+        case 'SHAKE128':
+            // FIPS 204 §5.4.1, SHAKE128 fixed at 256-bit / 32-byte output.
+            return shakeHashFixed(sx, M, sx.shake128Init, 168, 32);
+        case 'SHAKE256':
+            // FIPS 204 §5.4.1, SHAKE256 fixed at 512-bit / 64-byte output.
+            return shakeHashFixed(sx, M, sx.shake256Init, 136, 64);
+    }
+    if (sha2x === undefined)
+        throw new Error('leviathan-crypto: HashML-DSA SHA-2 pre-hash requires the sha2 module to be initialized');
+    const x = sha2x;
+    switch (algo) {
+        case 'SHA2-224':
+            return sha2Hash(x, M, x.sha224Init, x.sha224Final, x.getSha256InputOffset(), x.getSha256OutOffset(), 64, x.sha256Update, 28);
+        case 'SHA2-256':
+            return sha2Hash(x, M, x.sha256Init, x.sha256Final, x.getSha256InputOffset(), x.getSha256OutOffset(), 64, x.sha256Update, 32);
+        case 'SHA2-384':
+            return sha2Hash(x, M, x.sha384Init, x.sha384Final, x.getSha512InputOffset(), x.getSha512OutOffset(), 128, x.sha512Update, 48);
+        case 'SHA2-512':
+            return sha2Hash(x, M, x.sha512Init, x.sha512Final, x.getSha512InputOffset(), x.getSha512OutOffset(), 128, x.sha512Update, 64);
+        case 'SHA2-512/224':
+            return sha2Hash(x, M, x.sha512_224Init, x.sha512_224Final, x.getSha512InputOffset(), x.getSha512OutOffset(), 128, x.sha512Update, 28);
+        case 'SHA2-512/256':
+            return sha2Hash(x, M, x.sha512_256Init, x.sha512_256Final, x.getSha512InputOffset(), x.getSha512OutOffset(), 128, x.sha512Update, 32);
+        default: {
+            // Defensive: type system should rule this out, but a dynamic
+            // dispatch (e.g. parsing a vector file) could widen the type.
+            const exhaustive = algo;
+            throw new RangeError(`leviathan-crypto: unsupported HashML-DSA pre-hash algorithm '${exhaustive}'`);
+        }
+    }
+}

package/dist/mldsa/index.d.ts ADDED Viewed

@@ -0,0 +1,142 @@
+import { isInitialized } from '../init.js';
+import type { WasmSource } from '../wasm-source.js';
+import type { MlDsaKeyPair } from './types.js';
+import { MlDsaParams, MLDSA44, MLDSA65, MLDSA87 } from './params.js';
+import { type PreHashAlgorithm } from './hashvariant.js';
+export declare function mldsaInit(source: WasmSource): Promise<void>;
+export type { WasmSource };
+export type { MlDsaKeyPair, MlDsaExports, Sha3Exports } from './types.js';
+export { MLDSA44, MLDSA65, MLDSA87 };
+export type { MlDsaParams };
+export type { PreHashAlgorithm } from './hashvariant.js';
+export { isInitialized };
+export declare class MlDsaBase {
+    readonly params: MlDsaParams;
+    constructor(params: MlDsaParams);
+    private get mx();
+    private get sx();
+    private get sha2x();
+    /**
+     * Deterministic key generation, FIPS 204 §6.1 Algorithm 6.
+     * @param xi 32-byte seed. The sole input; ml-dsa keygen has no
+     *           additional rejection-tied randomness.
+     */
+    keygenDerand(xi: Uint8Array): MlDsaKeyPair;
+    /** Random key generation, wraps `keygenDerand` with `randomBytes(32)`. */
+    keygen(): MlDsaKeyPair;
+    /**
+     * Hedged signing, FIPS 204 §3.4 (recommended default).
+     * Generates a fresh 32-byte rnd via `randomBytes()` per signature; the
+     * rnd is mixed into ρ'' so two signatures over the same (sk, M) produce
+     * different bytes. Hedged signatures are recommended over deterministic
+     * because they remain unforgeable under fault attacks that bias the
+     * rejection-sampling stream (FIPS 204 §3.4 / §3.6.1).
+     */
+    sign(sk: Uint8Array, M: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic signing, FIPS 204 §3.4. Sets rnd ← 0³² so two
+     * signatures over the same (sk, M) produce identical bytes. Caller
+     * accepts the §3.4 caveat: deterministic signatures are vulnerable to
+     * fault attacks that bias the SampleInBall stream, use only when no
+     * entropy is available or determinism is a hard protocol requirement.
+     */
+    signDeterministic(sk: Uint8Array, M: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised signing, testing / CAVP API. Caller supplies
+     * the 32-byte rnd; library does not mix in additional entropy. Hard
+     * contract on the caller: rnd MUST come from an approved RBG and MUST
+     * NOT be reused across signatures. ACVP `sigGen` test vectors (with a
+     * supplied rnd) drive this path.
+     */
+    signDerand(sk: Uint8Array, M: Uint8Array, ctx: Uint8Array, rnd: Uint8Array): Uint8Array;
+    /**
+     * Pure ML-DSA verify, FIPS 204 §5.3 Algorithm 3 / §6.3 Algorithm 8.
+     *
+     * Returns boolean, `true` only if (a) the FIPS 204 norm bound on z
+     * holds and (b) the constant-time comparison of c̃ to the recomputed
+     * c̃' succeeds. Throws RangeError only on caller-side contract
+     * violations (`ctx.length > 255`). Wrong-length pk/sig and malformed
+     * hint encodings are NOT contract violations: they cause `verify` to
+     * return false (FIPS 204 §3.6.2 / §D.3).
+     */
+    verify(vk: Uint8Array, M: Uint8Array, sig: Uint8Array, ctx?: Uint8Array): boolean;
+    private _assertHashPrereqs;
+    /**
+     * Hedged HashML-DSA sign, FIPS 204 §5.4 Algorithm 4.
+     *
+     * Pre-hashes `M` with the chosen approved function `ph`, builds
+     * M' = 0x01 ‖ |ctx| ‖ ctx ‖ OID(ph) ‖ PH_M, then drives
+     * ML-DSA.Sign_internal with a fresh 32-byte rnd (FIPS 204 §3.4
+     * recommended default; see {@link sign} for the rationale).
+     */
+    signHash(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic HashML-DSA sign, FIPS 204 §5.4 Algorithm 4 with
+     * rnd ← 0³². Same fault-attack caveat as {@link signDeterministic}.
+     */
+    signHashDeterministic(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised HashML-DSA sign, testing / CAVP API. Caller
+     * supplies the 32-byte rnd (same contract as {@link signDerand}). Used
+     * to oracle ACVP HashML-DSA sigGen vectors with byte-identical output.
+     */
+    signHashDerand(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, ctx: Uint8Array, rnd: Uint8Array): Uint8Array;
+    /**
+     * HashML-DSA verify, FIPS 204 §5.4 Algorithm 5.
+     *
+     * Same return / throw posture as {@link verify}: returns boolean for
+     * every signature outcome (including malformed-σ → false), throws
+     * RangeError only on caller-side contract violations such as
+     * `ctx.length > 255` or unsupported `ph`.
+     */
+    verifyHash(vk: Uint8Array, M: Uint8Array, sig: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): boolean;
+    /**
+     * Hedged HashML-DSA sign with a caller-supplied prehash, FIPS 204
+     * §5.4 Algorithm 4 lines 22-24 (the post-PH path).
+     *
+     * `digest` must be exactly `digestSize(ph)` bytes (FIPS 204 §5.4.1);
+     * a mismatch throws `SigningError('sig-malformed-input')`. The caller
+     * owns `digest` and is responsible for wiping it; this method never
+     * mutates the buffer.
+     *
+     * Hedged variant generates a fresh 32-byte rnd internally per
+     * signature, see {@link sign} for the §3.4 rationale.
+     */
+    signHashPrehashed(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic HashML-DSA sign with a caller-supplied prehash, rnd
+     * ← 0³² per FIPS 204 §3.4. Same fault-attack caveat as
+     * {@link signDeterministic}.
+     */
+    signHashPrehashedDeterministic(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised HashML-DSA sign with a caller-supplied
+     * prehash, testing / CAVP API. Caller supplies the 32-byte rnd (same
+     * contract as {@link signDerand}): rnd MUST come from an approved RBG
+     * and MUST NOT be reused across signatures.
+     */
+    signHashPrehashedDerand(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, rnd: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * HashML-DSA verify with a caller-supplied prehash, FIPS 204 §5.4
+     * Algorithm 5 lines 17-19 (the post-PH path).
+     *
+     * Returns boolean for every signature outcome. Wrong-length pk / σ
+     * and wrong-size `digest` all return `false` (FIPS 204 §3.6.2
+     * structural mismatch). Throws `RangeError` only on caller-side
+     * contract violations (`ctx.length > 255`, unsupported `ph`).
+     */
+    verifyHashPrehashed(vk: Uint8Array, digest: Uint8Array, sig: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): boolean;
+    dispose(): void;
+}
+/** ML-DSA-44, FIPS 204 §4 Table 1 (NIST security category 2). */
+export declare class MlDsa44 extends MlDsaBase {
+    constructor();
+}
+/** ML-DSA-65, FIPS 204 §4 Table 1 (NIST security category 3). */
+export declare class MlDsa65 extends MlDsaBase {
+    constructor();
+}
+/** ML-DSA-87, FIPS 204 §4 Table 1 (NIST security category 5). */
+export declare class MlDsa87 extends MlDsaBase {
+    constructor();
+}