leviathan-crypto 2.0.1 → 3.0.0

package/dist/shared/pkcs7.d.ts

@@ -0,0 +1,22 @@
+export declare const PKCS7_INVALID = "invalid ciphertext";
+/**
+ * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
+ * Padding length is always 1-16 bytes so a full pad block is appended when
+ * `data.length` is already block-aligned.
+ * @param data  Input bytes of any length
+ * @returns     New Uint8Array padded to the next 16-byte boundary
+ */
+export declare function pkcs7Pad(data: Uint8Array): Uint8Array;
+/**
+ * Remove PKCS7 padding from a block-aligned buffer in constant time.
+ *
+ * Branch-free over all secret bits, padding length and per-byte comparisons
+ * are accumulated into a single `bad` flag with no early exit. Closes the
+ * Vaudenay 2002 padding-oracle surface. Throws a single generic
+ * `RangeError('invalid ciphertext')` for every failure mode: empty input,
+ * non-block-aligned length, padding byte out of range 1-16, and any per-byte
+ * mismatch in the padding region.
+ * @param data  Block-aligned ciphertext (length must be a multiple of 16)
+ * @returns     Plaintext with padding removed
+ */
+export declare function pkcs7Strip(data: Uint8Array): Uint8Array;

package/dist/shared/pkcs7.js

@@ -0,0 +1,84 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/shared/pkcs7.ts
+//
+// Cipher-agnostic PKCS7 padding helpers (RFC 5652 §6.3). Used by every
+// CBC mode wrapper in the library, `SerpentCbc`, `AESCbc`, the Serpent
+// pool worker, and any future CBC-based suite. A single source of truth
+// keeps the branch-free, Vaudenay-2002-closed padding check identical
+// across all call sites; divergence between paths would reintroduce a
+// padding-oracle.
+// Generic error string used by every failure mode of `pkcs7Strip` and the
+// length/alignment gates in CBC `decrypt` paths. No numeric leaks, no
+// structural disclosure, a caller cannot distinguish "bad length" from
+// "bad padding" by message or by timing.
+export const PKCS7_INVALID = 'invalid ciphertext';
+/**
+ * Apply PKCS7 padding to `data` so the result length is a multiple of 16.
+ * Padding length is always 1-16 bytes so a full pad block is appended when
+ * `data.length` is already block-aligned.
+ * @param data  Input bytes of any length
+ * @returns     New Uint8Array padded to the next 16-byte boundary
+ */
+export function pkcs7Pad(data) {
+    const padLen = 16 - (data.length % 16); // 1..16
+    const out = new Uint8Array(data.length + padLen);
+    out.set(data);
+    out.fill(padLen, data.length);
+    return out;
+}
+/**
+ * Remove PKCS7 padding from a block-aligned buffer in constant time.
+ *
+ * Branch-free over all secret bits, padding length and per-byte comparisons
+ * are accumulated into a single `bad` flag with no early exit. Closes the
+ * Vaudenay 2002 padding-oracle surface. Throws a single generic
+ * `RangeError('invalid ciphertext')` for every failure mode: empty input,
+ * non-block-aligned length, padding byte out of range 1-16, and any per-byte
+ * mismatch in the padding region.
+ * @param data  Block-aligned ciphertext (length must be a multiple of 16)
+ * @returns     Plaintext with padding removed
+ */
+export function pkcs7Strip(data) {
+    if (data.length === 0 || data.length % 16 !== 0)
+        throw new RangeError(PKCS7_INVALID);
+    const padLen = data[data.length - 1];
+    let bad = 0;
+    bad |= ((padLen - 1) >>> 31); // 1 if padLen == 0
+    bad |= ((16 - padLen) >>> 31); // 1 if padLen > 16
+    // Per-byte pad-region mask without branches on secret bits.
+    //   inPadRegion = 0xff when i >= 16 - padLen
+    //               = 0x00 otherwise
+    //
+    // (16 - padLen - i - 1) is negative iff i >= 16 - padLen. A signed
+    // arithmetic shift by 31 yields -1 for negative, 0 for non-negative;
+    // ANDing with 0xff collapses those to 0xff and 0x00.
+    for (let i = 0; i < 16; i++) {
+        const idx = data.length - 16 + i;
+        const mask = ((16 - padLen - i - 1) >> 31) & 0xff;
+        bad |= (data[idx] ^ padLen) & mask;
+    }
+    const invalid = ((bad - 1) >>> 31) ^ 1;
+    if (invalid)
+        throw new RangeError(PKCS7_INVALID);
+    return data.subarray(0, data.length - padLen);
+}

package/dist/sign/ctx.d.ts

@@ -0,0 +1,41 @@
+import type { PreHashAlgorithm } from '../mldsa/hashvariant.js';
+import type { PrehashAlgorithm } from './types.js';
+/**
+ * Maximum user_ctx length in bytes. Matches the FIPS 204 (Module-Lattice-
+ * Based Digital Signature Standard) §3.6.1 native ctx cap; buildEffectiveCtx
+ * enforces it as the first check.
+ */
+export declare const USER_CTX_MAX = 255;
+/** Maximum ctxDomain length in bytes; enforced by suite factories. */
+export declare const CTX_DOMAIN_MAX = 32;
+/**
+ * Construct effective_ctx from suite domain and user-supplied ctx.
+ *
+ * Format: [domain_len: u8][domain_bytes][user_ctx_len: u8][user_ctx_bytes]
+ *
+ * Two independent length checks gate the construction:
+ *
+ *  1. user_ctx ≤ USER_CTX_MAX (255). Mirrors FIPS 204 §3.6.1's ctx cap on
+ *     the user-supplied half before any framing is applied.
+ *  2. Combined effective_ctx ≤ 255. The 1-byte length prefixes plus the
+ *     domain and user_ctx bytes must fit FIPS 204 §3.6.1's ctx parameter,
+ *     which is what the result is ultimately passed to. The effective
+ *     per-suite user_ctx ceiling is `253 - len(domainBytes)`.
+ *
+ * Both throws share the `sig-ctx-too-long` discriminator. The absolute
+ * check fires first, so callers passing user_ctx > 255 always trip the
+ * absolute cap regardless of ctxDomain length.
+ *
+ * @throws SigningError('sig-ctx-too-long') if user_ctx exceeds USER_CTX_MAX
+ *         or if the combined effective_ctx exceeds 255 bytes.
+ * @throws Error (not SigningError) if ctxDomain exceeds CTX_DOMAIN_MAX;
+ *         that's a developer-time mistake, not a caller mistake.
+ */
+export declare function buildEffectiveCtx(ctxDomain: string, userCtx: Uint8Array): Uint8Array;
+/**
+ * Map the lib's lowercase, hyphenated PrehashAlgorithm to the identifier
+ * MlDsaBase's signHash / verifyHash family accepts (FIPS 204 §5.4.1).
+ * SHAKE entries deliberately use the no-hyphen spelling 'SHAKE128' /
+ * 'SHAKE256' that the mldsa layer expects.
+ */
+export declare function prehashAlgoToMldsa(algo: PrehashAlgorithm): PreHashAlgorithm;

package/dist/sign/ctx.js

@@ -0,0 +1,102 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/ctx.ts
+//
+// Effective-ctx construction and prehash-algorithm mapping. Used by
+// every SignatureSuite factory.
+import { utf8ToBytes } from '../utils.js';
+import { SigningError } from '../errors.js';
+/**
+ * Maximum user_ctx length in bytes. Matches the FIPS 204 (Module-Lattice-
+ * Based Digital Signature Standard) §3.6.1 native ctx cap; buildEffectiveCtx
+ * enforces it as the first check.
+ */
+export const USER_CTX_MAX = 255;
+/** Maximum ctxDomain length in bytes; enforced by suite factories. */
+export const CTX_DOMAIN_MAX = 32;
+/**
+ * Maximum combined effective_ctx length in bytes. The output of
+ * buildEffectiveCtx is fed to the underlying primitive's ctx parameter,
+ * which FIPS 204 §3.6.1 caps at 255.
+ */
+const EFFECTIVE_CTX_MAX = 255;
+/**
+ * Construct effective_ctx from suite domain and user-supplied ctx.
+ *
+ * Format: [domain_len: u8][domain_bytes][user_ctx_len: u8][user_ctx_bytes]
+ *
+ * Two independent length checks gate the construction:
+ *
+ *  1. user_ctx ≤ USER_CTX_MAX (255). Mirrors FIPS 204 §3.6.1's ctx cap on
+ *     the user-supplied half before any framing is applied.
+ *  2. Combined effective_ctx ≤ 255. The 1-byte length prefixes plus the
+ *     domain and user_ctx bytes must fit FIPS 204 §3.6.1's ctx parameter,
+ *     which is what the result is ultimately passed to. The effective
+ *     per-suite user_ctx ceiling is `253 - len(domainBytes)`.
+ *
+ * Both throws share the `sig-ctx-too-long` discriminator. The absolute
+ * check fires first, so callers passing user_ctx > 255 always trip the
+ * absolute cap regardless of ctxDomain length.
+ *
+ * @throws SigningError('sig-ctx-too-long') if user_ctx exceeds USER_CTX_MAX
+ *         or if the combined effective_ctx exceeds 255 bytes.
+ * @throws Error (not SigningError) if ctxDomain exceeds CTX_DOMAIN_MAX;
+ *         that's a developer-time mistake, not a caller mistake.
+ */
+export function buildEffectiveCtx(ctxDomain, userCtx) {
+    if (userCtx.length > USER_CTX_MAX)
+        throw new SigningError('sig-ctx-too-long', `user_ctx length ${userCtx.length} > ${USER_CTX_MAX}`);
+    const domainBytes = utf8ToBytes(ctxDomain);
+    if (domainBytes.length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' encodes to ${domainBytes.length} bytes (max ${CTX_DOMAIN_MAX})`);
+    const combined = 1 + domainBytes.length + 1 + userCtx.length;
+    if (combined > EFFECTIVE_CTX_MAX)
+        throw new SigningError('sig-ctx-too-long', `effective_ctx length ${combined} > ${EFFECTIVE_CTX_MAX} (FIPS 204 §3.6.1 ctx cap; ctxDomain ${domainBytes.length} bytes + user_ctx ${userCtx.length} bytes + 2 length prefixes)`);
+    const out = new Uint8Array(combined);
+    let pos = 0;
+    out[pos++] = domainBytes.length;
+    out.set(domainBytes, pos);
+    pos += domainBytes.length;
+    out[pos++] = userCtx.length;
+    out.set(userCtx, pos);
+    return out;
+}
+/**
+ * Map the lib's lowercase, hyphenated PrehashAlgorithm to the identifier
+ * MlDsaBase's signHash / verifyHash family accepts (FIPS 204 §5.4.1).
+ * SHAKE entries deliberately use the no-hyphen spelling 'SHAKE128' /
+ * 'SHAKE256' that the mldsa layer expects.
+ */
+export function prehashAlgoToMldsa(algo) {
+    switch (algo) {
+        case 'sha-256': return 'SHA2-256';
+        case 'sha-512': return 'SHA2-512';
+        case 'sha3-256': return 'SHA3-256';
+        case 'sha3-512': return 'SHA3-512';
+        case 'shake-128': return 'SHAKE128';
+        case 'shake-256': return 'SHAKE256';
+        default: {
+            const _exhaustive = algo;
+            throw new Error(`leviathan-crypto: unknown prehash algorithm ${_exhaustive}`);
+        }
+    }
+}

package/dist/sign/envelope.d.ts

@@ -0,0 +1,45 @@
+import type { SignatureSuite } from './types.js';
+export declare class Sign {
+    /**
+     * Single-shot sign. Returns the attached envelope blob.
+     */
+    static sign(suite: SignatureSuite, sk: Uint8Array, msg: Uint8Array, ctx: Uint8Array): Uint8Array;
+    /**
+     * Single-shot verify. Returns the extracted payload on success.
+     *
+     * @throws SigningError('sig-blob-too-short')  blob cannot fit the wire shape.
+     * @throws SigningError('sig-suite-mismatch')  wire suite_byte mismatch.
+     * @throws SigningError('sig-ctx-mismatch')    caller ctx != wire ctx.
+     * @throws SigningError('verify-failed')       suite.verify returned false.
+     */
+    static verify(suite: SignatureSuite, pk: Uint8Array, blob: Uint8Array, ctx: Uint8Array): Uint8Array;
+    /**
+     * Detached sign. Returns just the raw signature bytes (no envelope).
+     * Caller is responsible for transmitting (suite, msg, sig, ctx)
+     * out-of-band. signDetached is the interop surface; the wire is
+     * exactly what the underlying primitive emits, no leviathan-specific
+     * framing.
+     */
+    static signDetached(suite: SignatureSuite, sk: Uint8Array, msg: Uint8Array, ctx: Uint8Array): Uint8Array;
+    /**
+     * Detached verify. Returns boolean; does NOT throw on signature failure.
+     * Contract violations in the suite (wrong-size key, ctx too long) still
+     * throw SigningError per the suite contract.
+     */
+    static verifyDetached(suite: SignatureSuite, pk: Uint8Array, msg: Uint8Array, sig: Uint8Array, ctx: Uint8Array): boolean;
+    /**
+     * Introspect a blob without verifying. Validates structural shape only
+     * (ctx_len and payload_len in range); does NOT call suite.verify and
+     * does NOT compare ctx. Returns offsets the caller can use to extract
+     * wire ctx, payload, and sig themselves.
+     *
+     * @throws SigningError('sig-blob-too-short') blob cannot fit the wire shape.
+     */
+    static peek(blob: Uint8Array, suite: SignatureSuite): {
+        suiteByte: number;
+        ctx: Uint8Array;
+        payloadOffset: number;
+        payloadLength: number;
+        sigOffset: number;
+    };
+}

package/dist/sign/envelope.js

@@ -0,0 +1,152 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/envelope.ts
+//
+// Sign, single-shot signing/verification using the attached envelope wire
+// format. Mirrors the static-only-class pattern from stream/seal.ts.
+//
+// Wire format see: docs/signing.md#attached-envelope.
+import { constantTimeEqual } from '../utils.js';
+import { SigningError } from '../errors.js';
+// 1 suite_byte + 1 ctx_len + 4 payload_len. Smallest legal blob carries
+// at least these six header bytes plus the suite's sig.
+const ENVELOPE_HEADER_FIXED = 6;
+// eslint-disable-next-line @typescript-eslint/no-extraneous-class
+export class Sign {
+    /**
+     * Single-shot sign. Returns the attached envelope blob.
+     */
+    static sign(suite, sk, msg, ctx) {
+        const sig = suite.sign(sk, msg, ctx);
+        return assembleBlob(suite.formatEnum, ctx, msg, sig);
+    }
+    /**
+     * Single-shot verify. Returns the extracted payload on success.
+     *
+     * @throws SigningError('sig-blob-too-short')  blob cannot fit the wire shape.
+     * @throws SigningError('sig-suite-mismatch')  wire suite_byte mismatch.
+     * @throws SigningError('sig-ctx-mismatch')    caller ctx != wire ctx.
+     * @throws SigningError('verify-failed')       suite.verify returned false.
+     */
+    static verify(suite, pk, blob, ctx) {
+        const { suiteByte, ctxLen, payloadLen, payloadOffset, sigOffset } = parseHeader(blob, suite);
+        if (suiteByte !== suite.formatEnum)
+            throw new SigningError('sig-suite-mismatch', `wire suite 0x${suiteByte.toString(16)} != suite.formatEnum 0x${suite.formatEnum.toString(16)}`);
+        const wireCtx = blob.subarray(2, 2 + ctxLen);
+        if (!constantTimeEqual(wireCtx, ctx))
+            throw new SigningError('sig-ctx-mismatch');
+        const payload = blob.subarray(payloadOffset, payloadOffset + payloadLen);
+        const sig = blob.subarray(sigOffset, blob.length);
+        if (!suite.verify(pk, payload, sig, wireCtx))
+            throw new SigningError('verify-failed');
+        return payload;
+    }
+    /**
+     * Detached sign. Returns just the raw signature bytes (no envelope).
+     * Caller is responsible for transmitting (suite, msg, sig, ctx)
+     * out-of-band. signDetached is the interop surface; the wire is
+     * exactly what the underlying primitive emits, no leviathan-specific
+     * framing.
+     */
+    static signDetached(suite, sk, msg, ctx) {
+        return suite.sign(sk, msg, ctx);
+    }
+    /**
+     * Detached verify. Returns boolean; does NOT throw on signature failure.
+     * Contract violations in the suite (wrong-size key, ctx too long) still
+     * throw SigningError per the suite contract.
+     */
+    static verifyDetached(suite, pk, msg, sig, ctx) {
+        return suite.verify(pk, msg, sig, ctx);
+    }
+    /**
+     * Introspect a blob without verifying. Validates structural shape only
+     * (ctx_len and payload_len in range); does NOT call suite.verify and
+     * does NOT compare ctx. Returns offsets the caller can use to extract
+     * wire ctx, payload, and sig themselves.
+     *
+     * @throws SigningError('sig-blob-too-short') blob cannot fit the wire shape.
+     */
+    static peek(blob, suite) {
+        const { suiteByte, ctxLen, payloadLen, payloadOffset, sigOffset } = parseHeader(blob, suite);
+        return {
+            suiteByte,
+            ctx: blob.subarray(2, 2 + ctxLen),
+            payloadOffset,
+            payloadLength: payloadLen,
+            sigOffset,
+        };
+    }
+}
+/**
+ * Parse the wire header. Throws SigningError('sig-blob-too-short')
+ * on every wire-shape overflow; .message carries the specifics.
+ */
+function parseHeader(blob, suite) {
+    if (blob.length < ENVELOPE_HEADER_FIXED)
+        throw new SigningError('sig-blob-too-short', `blob length ${blob.length} < min ${ENVELOPE_HEADER_FIXED} (suite + ctx_len + payload_len header)`);
+    const suiteByte = blob[0];
+    const ctxLen = blob[1];
+    const payloadLenOffset = 2 + ctxLen;
+    const payloadOffset = payloadLenOffset + 4;
+    if (blob.length < payloadOffset)
+        throw new SigningError('sig-blob-too-short', `blob length ${blob.length} cannot fit ctx (${ctxLen} bytes) + payload_len header`);
+    const payloadLen = readU32BE(blob, payloadLenOffset);
+    const sigOffset = payloadOffset + payloadLen;
+    if (sigOffset > blob.length)
+        throw new SigningError('sig-blob-too-short', `payload_len ${payloadLen} pushes payload past blob end (blob length ${blob.length})`);
+    if (sigOffset + suite.sigMaxSize < blob.length)
+        throw new SigningError('sig-blob-too-short', `trailing sig ${blob.length - sigOffset} > suite.sigMaxSize ${suite.sigMaxSize}`);
+    return { suiteByte, ctxLen, payloadLen, payloadOffset, sigOffset };
+}
+function assembleBlob(suiteByte, ctx, payload, sig) {
+    if (ctx.length > 255)
+        throw new SigningError('sig-ctx-too-long', `ctx length ${ctx.length} > 255 (wire format ctx_len is u8)`);
+    if (payload.length > 0xFFFFFFFF)
+        throw new SigningError('sig-malformed-input', `payload length ${payload.length} > 2^32 - 1 (wire format payload_len is u32)`);
+    const out = new Uint8Array(2 + ctx.length + 4 + payload.length + sig.length);
+    let pos = 0;
+    out[pos++] = suiteByte;
+    out[pos++] = ctx.length;
+    out.set(ctx, pos);
+    pos += ctx.length;
+    writeU32BE(out, pos, payload.length);
+    pos += 4;
+    out.set(payload, pos);
+    pos += payload.length;
+    out.set(sig, pos);
+    return out;
+}
+function readU32BE(buf, off) {
+    // Multiply by 2^24 instead of <<24 so the high byte does not
+    // sign-extend into a negative JS number, which would propagate
+    // through the subsequent arithmetic and silently bypass the
+    // payload-overflow check.
+    return (buf[off] * 0x1000000
+        + ((buf[off + 1] << 16) | (buf[off + 2] << 8) | buf[off + 3]));
+}
+function writeU32BE(buf, off, value) {
+    buf[off] = (value >>> 24) & 0xFF;
+    buf[off + 1] = (value >>> 16) & 0xFF;
+    buf[off + 2] = (value >>> 8) & 0xFF;
+    buf[off + 3] = value & 0xFF;
+}

package/dist/sign/hasher.d.ts

@@ -0,0 +1,9 @@
+import type { PrehashAlgorithm } from './types.js';
+export interface RunningHash {
+    update(chunk: Uint8Array): void;
+    finalize(): Uint8Array;
+    dispose(): void;
+}
+export declare function sha256OneShot(msg: Uint8Array): Uint8Array;
+export declare function sha512OneShot(msg: Uint8Array): Uint8Array;
+export declare function createRunningHash(algo: PrehashAlgorithm): RunningHash;

package/dist/sign/hasher.js

@@ -0,0 +1,132 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/hasher.ts
+//
+// Internal running-hash abstraction keyed on PrehashAlgorithm, used by
+// SignStream and VerifyStream. SHAKE output sizes track FIPS 204 §5.4.1
+// (HashML-DSA) and FIPS 205 §10.2.2 (HashSLH-DSA).
+import { SHA3_256Stream, SHA3_512Stream, SHAKE128Stream, SHAKE256Stream, } from '../sha3/index.js';
+import { SHA256, SHA512 } from '../sha2/index.js';
+export function sha256OneShot(msg) {
+    const h = new SHA256();
+    try {
+        return h.hash(msg);
+    }
+    finally {
+        h.dispose();
+    }
+}
+export function sha512OneShot(msg) {
+    const h = new SHA512();
+    try {
+        return h.hash(msg);
+    }
+    finally {
+        h.dispose();
+    }
+}
+function sha256Buffered() {
+    let chunks = [];
+    let total = 0;
+    return {
+        update(chunk) {
+            const copy = new Uint8Array(chunk.length);
+            copy.set(chunk);
+            chunks.push(copy);
+            total += copy.length;
+        },
+        finalize() {
+            const buf = new Uint8Array(total);
+            let off = 0;
+            for (const c of chunks) {
+                buf.set(c, off);
+                off += c.length;
+            }
+            try {
+                return sha256OneShot(buf);
+            }
+            finally {
+                buf.fill(0);
+                for (const c of chunks)
+                    c.fill(0);
+                chunks = [];
+                total = 0;
+            }
+        },
+        dispose() {
+            for (const c of chunks)
+                c.fill(0);
+            chunks = [];
+            total = 0;
+        },
+    };
+}
+function sha512Buffered() {
+    let chunks = [];
+    let total = 0;
+    return {
+        update(chunk) {
+            const copy = new Uint8Array(chunk.length);
+            copy.set(chunk);
+            chunks.push(copy);
+            total += copy.length;
+        },
+        finalize() {
+            const buf = new Uint8Array(total);
+            let off = 0;
+            for (const c of chunks) {
+                buf.set(c, off);
+                off += c.length;
+            }
+            try {
+                return sha512OneShot(buf);
+            }
+            finally {
+                buf.fill(0);
+                for (const c of chunks)
+                    c.fill(0);
+                chunks = [];
+                total = 0;
+            }
+        },
+        dispose() {
+            for (const c of chunks)
+                c.fill(0);
+            chunks = [];
+            total = 0;
+        },
+    };
+}
+export function createRunningHash(algo) {
+    switch (algo) {
+        case 'sha3-256': return new SHA3_256Stream();
+        case 'sha3-512': return new SHA3_512Stream();
+        case 'shake-128': return new SHAKE128Stream(32);
+        case 'shake-256': return new SHAKE256Stream(64);
+        case 'sha-512': return sha512Buffered();
+        case 'sha-256': return sha256Buffered();
+        default: {
+            const _exhaustive = algo;
+            throw new Error(`leviathan-crypto: unknown prehash algorithm ${_exhaustive}`);
+        }
+    }
+}

package/dist/sign/index.d.ts

@@ -0,0 +1,11 @@
+export type { SignatureSuite, StreamableSignatureSuite, PrehashAlgorithm, } from './types.js';
+export { buildEffectiveCtx, prehashAlgoToMldsa, USER_CTX_MAX, CTX_DOMAIN_MAX, } from './ctx.js';
+export { Sign } from './envelope.js';
+export { SignStream } from './sign-stream.js';
+export { VerifyStream } from './verify-stream.js';
+export { Ed25519Suite, Ed25519PreHashSuite, } from './suites/ed25519.js';
+export { EcdsaP256Suite } from './suites/ecdsa-p256.js';
+export { MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, } from './suites/mldsa.js';
+export { SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, } from './suites/slhdsa.js';
+export { MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, } from './suites/hybrid-pq.js';
+export { MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './suites/hybrid-classical.js';

package/dist/sign/index.js

@@ -0,0 +1,34 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/index.ts
+//
+// Public barrel for the v3 sign module.
+export { buildEffectiveCtx, prehashAlgoToMldsa, USER_CTX_MAX, CTX_DOMAIN_MAX, } from './ctx.js';
+export { Sign } from './envelope.js';
+export { SignStream } from './sign-stream.js';
+export { VerifyStream } from './verify-stream.js';
+export { Ed25519Suite, Ed25519PreHashSuite, } from './suites/ed25519.js';
+export { EcdsaP256Suite } from './suites/ecdsa-p256.js';
+export { MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, } from './suites/mldsa.js';
+export { SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, } from './suites/slhdsa.js';
+export { MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, } from './suites/hybrid-pq.js';
+export { MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './suites/hybrid-classical.js';