leviathan-crypto 2.0.1 → 3.0.0

package/dist/sign/suites/hybrid-pq.js

@@ -0,0 +1,234 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/suites/hybrid-pq.ts
+//
+// MldsaSlhdsaHybridSuite factory (internal). Three exported PQ-only
+// hybrid consts:
+//   0x30  MlDsa44SlhDsa128fSuite   (cat-1)
+//   0x31  MlDsa65SlhDsa192fSuite   (cat-3)
+//   0x32  MlDsa87SlhDsa256fSuite   (cat-5)
+//
+// Wire is leviathan-defined (no composite-sigs entry covers PQ-only
+// pairs); ML-DSA first, no length prefixes (per-hybrid sizes catalog-
+// fixed).
+//
+// Both halves sign the same prehash digest under the same effective_ctx.
+// FIPS 204 §5.4 Alg 4 and FIPS 205 §10.2 Alg 22 produce byte-identical
+// M' = toByte(1,1) || toByte(|ctx|,1) || ctx || OID(ph) || PH_M given a
+// common (digest, ph, ctx); SHAKE128 / SHAKE256 share OIDs across the
+// two specs (FIPS 204 §5.4.1 Table 1 = FIPS 205 §10.2 Table 11).
+//
+// verifyPrehashed ALWAYS runs both sub-verifies before AND-reduce
+// (constant-time gate). Per-hybrid ctxDomain prevents cross-suite and
+// cross-hybrid forgery.
+//
+// Wire layout, M' construction, ctxDomain table, constant-time
+// discipline, and threat model:
+// docs/signaturesuite.md#pq-only-hybrid-composite-encoding.
+import { concat } from '../../utils.js';
+import { wipe, utf8ToBytes } from '../../utils.js';
+import { SigningError } from '../../errors.js';
+import { MlDsa44, MlDsa65, MlDsa87, MLDSA44, MLDSA65, MLDSA87, } from '../../mldsa/index.js';
+import { SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from '../../slhdsa/index.js';
+import { buildEffectiveCtx, CTX_DOMAIN_MAX } from '../ctx.js';
+import { createRunningHash } from '../hasher.js';
+// Lowercase public sign-surface → uppercase ML-DSA-side algorithm name.
+// Mirrors prehashAlgoToMldsa in ctx.ts but only covers the two SHAKE
+// entries actually used by hybrid suites; the hybrid catalog is locked
+// to shake-128 (cat-1) and shake-256 (cat-3 / cat-5).
+function prehashAlgoToMldsaLocal(algo) {
+    switch (algo) {
+        case 'shake-128': return 'SHAKE128';
+        case 'shake-256': return 'SHAKE256';
+        case 'sha-256': return 'SHA2-256';
+        case 'sha-512': return 'SHA2-512';
+        case 'sha3-256': return 'SHA3-256';
+        case 'sha3-512': return 'SHA3-512';
+        default: {
+            const _exhaustive = algo;
+            throw new Error(`leviathan-crypto: unknown prehash algorithm ${_exhaustive}`);
+        }
+    }
+}
+function prehashAlgoToSlhdsaLocal(algo) {
+    switch (algo) {
+        case 'shake-128': return 'SHAKE128';
+        case 'shake-256': return 'SHAKE256';
+        case 'sha-256': return 'SHA2-256';
+        case 'sha-512': return 'SHA2-512';
+        case 'sha3-256': return 'SHA3-256';
+        case 'sha3-512': return 'SHA3-512';
+        default: {
+            const _exhaustive = algo;
+            throw new Error(`leviathan-crypto: unknown prehash algorithm ${_exhaustive}`);
+        }
+    }
+}
+// ── Factory ─────────────────────────────────────────────────────────────────
+function MldsaSlhdsaHybridSuite(MlDsaClass, mldsaParams, SlhDsaClass, slhdsaParams, formatEnum, formatName, ctxDomain, prehashAlgorithm, prehashSize) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const pkSize = mldsaParams.pkBytes + slhdsaParams.pkBytes;
+    const skSize = mldsaParams.skBytes + slhdsaParams.skBytes;
+    const sigMaxSize = mldsaParams.sigBytes + slhdsaParams.sigBytes;
+    const wasmModules = Object.freeze(['mldsa', 'sha3', 'slhdsa']);
+    const mldsaHashAlgo = prehashAlgoToMldsaLocal(prehashAlgorithm);
+    const slhdsaHashAlgo = prehashAlgoToSlhdsaLocal(prehashAlgorithm);
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize,
+        skSize,
+        sigMaxSize,
+        wasmModules,
+        prehashAlgorithm,
+        prehashSize,
+        sign(sk, msg, ctx) {
+            const h = createRunningHash(prehashAlgorithm);
+            try {
+                h.update(msg);
+                const digest = h.finalize();
+                try {
+                    return this.signPrehashed(sk, digest, ctx);
+                }
+                finally {
+                    wipe(digest);
+                }
+            }
+            catch (e) {
+                h.dispose();
+                throw e;
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const h = createRunningHash(prehashAlgorithm);
+            try {
+                h.update(msg);
+                const digest = h.finalize();
+                try {
+                    return this.verifyPrehashed(pk, digest, sig, ctx);
+                }
+                finally {
+                    wipe(digest);
+                }
+            }
+            catch (e) {
+                h.dispose();
+                throw e;
+            }
+        },
+        keygen() {
+            const mldsaInst = new MlDsaClass();
+            let mldsaKp;
+            try {
+                mldsaKp = mldsaInst.keygen();
+            }
+            finally {
+                mldsaInst.dispose();
+            }
+            const slhdsaInst = new SlhDsaClass();
+            let slhdsaKp;
+            try {
+                slhdsaKp = slhdsaInst.keygen();
+            }
+            finally {
+                slhdsaInst.dispose();
+            }
+            return {
+                pk: concat(mldsaKp.verificationKey, slhdsaKp.verificationKey),
+                sk: concat(mldsaKp.signingKey, slhdsaKp.signingKey),
+            };
+        },
+        signPrehashed(sk, digest, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            if (sk.length !== skSize)
+                throw new SigningError('sig-key-size', `sk length ${sk.length} != ${skSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const skMldsa = sk.subarray(0, mldsaParams.skBytes);
+            const skSlhdsa = sk.subarray(mldsaParams.skBytes);
+            const mldsaInst = new MlDsaClass();
+            let sigMldsa;
+            try {
+                sigMldsa = mldsaInst.signHashPrehashed(skMldsa, digest, mldsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                mldsaInst.dispose();
+            }
+            const slhdsaInst = new SlhDsaClass();
+            let sigSlhdsa;
+            try {
+                sigSlhdsa = slhdsaInst.signHashPrehashed(skSlhdsa, digest, slhdsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                slhdsaInst.dispose();
+            }
+            try {
+                return concat(sigMldsa, sigSlhdsa);
+            }
+            finally {
+                wipe(effectiveCtx);
+            }
+        },
+        verifyPrehashed(pk, digest, sig, ctx) {
+            if (pk.length !== pkSize)
+                return false;
+            if (sig.length !== sigMaxSize)
+                return false;
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const pkMldsa = pk.subarray(0, mldsaParams.pkBytes);
+            const pkSlhdsa = pk.subarray(mldsaParams.pkBytes);
+            const sigMldsa = sig.subarray(0, mldsaParams.sigBytes);
+            const sigSlhdsa = sig.subarray(mldsaParams.sigBytes);
+            let mldsaOk;
+            let slhdsaOk;
+            try {
+                const mldsaInst = new MlDsaClass();
+                try {
+                    mldsaOk = mldsaInst.verifyHashPrehashed(pkMldsa, digest, sigMldsa, mldsaHashAlgo, effectiveCtx);
+                }
+                finally {
+                    mldsaInst.dispose();
+                }
+                const slhdsaInst = new SlhDsaClass();
+                try {
+                    slhdsaOk = slhdsaInst.verifyHashPrehashed(pkSlhdsa, digest, sigSlhdsa, slhdsaHashAlgo, effectiveCtx);
+                }
+                finally {
+                    slhdsaInst.dispose();
+                }
+            }
+            finally {
+                wipe(effectiveCtx);
+            }
+            // Do NOT wipe sub-sig subarrays; they alias caller-owned `sig`.
+            return mldsaOk && slhdsaOk;
+        },
+    };
+}
+// ── Exported suite consts ───────────────────────────────────────────────────
+export const MlDsa44SlhDsa128fSuite = MldsaSlhdsaHybridSuite(MlDsa44, MLDSA44, SlhDsa128f, SLHDSA128F, 0x30, 'mldsa44-slhdsa128f', 'mldsa44-slhdsa128f-envelope-v3', 'shake-128', 32);
+export const MlDsa65SlhDsa192fSuite = MldsaSlhdsaHybridSuite(MlDsa65, MLDSA65, SlhDsa192f, SLHDSA192F, 0x31, 'mldsa65-slhdsa192f', 'mldsa65-slhdsa192f-envelope-v3', 'shake-256', 64);
+export const MlDsa87SlhDsa256fSuite = MldsaSlhdsaHybridSuite(MlDsa87, MLDSA87, SlhDsa256f, SLHDSA256F, 0x32, 'mldsa87-slhdsa256f', 'mldsa87-slhdsa256f-envelope-v3', 'shake-256', 64);

package/dist/sign/suites/mldsa.d.ts

@@ -0,0 +1,7 @@
+import type { SignatureSuite, StreamableSignatureSuite } from '../types.js';
+export declare const MlDsa44Suite: SignatureSuite;
+export declare const MlDsa65Suite: SignatureSuite;
+export declare const MlDsa87Suite: SignatureSuite;
+export declare const MlDsa44PreHashSuite: StreamableSignatureSuite;
+export declare const MlDsa65PreHashSuite: StreamableSignatureSuite;
+export declare const MlDsa87PreHashSuite: StreamableSignatureSuite;

package/dist/sign/suites/mldsa.js

@@ -0,0 +1,161 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/suites/mldsa.ts
+//
+// Pure (0x03/0x04/0x05) and prehash (0x13/0x14/0x15) ML-DSA suites,
+// FIPS 204.
+//
+// Catalog + prehash mapping: docs/signaturesuite.md, docs/mldsa.md.
+import { utf8ToBytes, wipe } from '../../utils.js';
+import { SigningError } from '../../errors.js';
+import { MlDsa44, MlDsa65, MlDsa87, MLDSA44, MLDSA65, MLDSA87, } from '../../mldsa/index.js';
+import { buildEffectiveCtx, prehashAlgoToMldsa, CTX_DOMAIN_MAX, } from '../ctx.js';
+// ── Pure-mode factory ───────────────────────────────────────────────────────
+function MldsaPureSuite(MlDsaClass, params, formatEnum, formatName, ctxDomain) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const wasmModules = Object.freeze(['mldsa', 'sha3']);
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize: params.pkBytes,
+        skSize: params.skBytes,
+        sigMaxSize: params.sigBytes,
+        wasmModules,
+        sign(sk, msg, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.sign(sk, msg, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.verify(pk, msg, sig, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        keygen() {
+            const inst = new MlDsaClass();
+            try {
+                const kp = inst.keygen();
+                return { pk: kp.verificationKey, sk: kp.signingKey };
+            }
+            finally {
+                inst.dispose();
+            }
+        },
+    };
+}
+// ── Prehash-mode factory ────────────────────────────────────────────────────
+function MldsaPrehashSuite(MlDsaClass, params, formatEnum, formatName, ctxDomain, prehashAlgorithm, prehashSize) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const wasmModules = Object.freeze(['mldsa', 'sha3']);
+    const mldsaHashAlgo = prehashAlgoToMldsa(prehashAlgorithm);
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize: params.pkBytes,
+        skSize: params.skBytes,
+        sigMaxSize: params.sigBytes,
+        wasmModules,
+        prehashAlgorithm,
+        prehashSize,
+        sign(sk, msg, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.signHash(sk, msg, mldsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.verifyHash(pk, msg, sig, mldsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        keygen() {
+            const inst = new MlDsaClass();
+            try {
+                const kp = inst.keygen();
+                return { pk: kp.verificationKey, sk: kp.signingKey };
+            }
+            finally {
+                inst.dispose();
+            }
+        },
+        signPrehashed(sk, digest, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != expected ${prehashSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.signHashPrehashed(sk, digest, mldsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verifyPrehashed(pk, digest, sig, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != expected ${prehashSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new MlDsaClass();
+            try {
+                return inst.verifyHashPrehashed(pk, digest, sig, mldsaHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+    };
+}
+// ── Exported suite consts ───────────────────────────────────────────────────
+export const MlDsa44Suite = MldsaPureSuite(MlDsa44, MLDSA44, 0x03, 'mldsa44', 'mldsa44-envelope-v3');
+export const MlDsa65Suite = MldsaPureSuite(MlDsa65, MLDSA65, 0x04, 'mldsa65', 'mldsa65-envelope-v3');
+export const MlDsa87Suite = MldsaPureSuite(MlDsa87, MLDSA87, 0x05, 'mldsa87', 'mldsa87-envelope-v3');
+export const MlDsa44PreHashSuite = MldsaPrehashSuite(MlDsa44, MLDSA44, 0x13, 'mldsa44-prehash', 'mldsa44-prehash-envelope-v3', 'sha3-256', 32);
+export const MlDsa65PreHashSuite = MldsaPrehashSuite(MlDsa65, MLDSA65, 0x14, 'mldsa65-prehash', 'mldsa65-prehash-envelope-v3', 'sha3-256', 32);
+export const MlDsa87PreHashSuite = MldsaPrehashSuite(MlDsa87, MLDSA87, 0x15, 'mldsa87-prehash', 'mldsa87-prehash-envelope-v3', 'sha3-512', 64);

package/dist/sign/suites/slhdsa.d.ts

@@ -0,0 +1,7 @@
+import type { SignatureSuite, StreamableSignatureSuite } from '../types.js';
+export declare const SlhDsa128fSuite: SignatureSuite;
+export declare const SlhDsa192fSuite: SignatureSuite;
+export declare const SlhDsa256fSuite: SignatureSuite;
+export declare const SlhDsa128fPreHashSuite: StreamableSignatureSuite;
+export declare const SlhDsa192fPreHashSuite: StreamableSignatureSuite;
+export declare const SlhDsa256fPreHashSuite: StreamableSignatureSuite;

package/dist/sign/suites/slhdsa.js

@@ -0,0 +1,176 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/suites/slhdsa.ts
+//
+// Pure (0x06/0x07/0x08) and prehash (0x16/0x17/0x18) SLH-DSA SHAKE-family
+// fast suites, FIPS 205. Hash pinning per §10.2.2: 128f→SHAKE128 cat 1,
+// 192f→SHAKE256 cat 3, 256f→SHAKE256 cat 5.
+//
+// Catalog + prehash mapping: docs/signaturesuite.md, docs/slhdsa.md.
+import { utf8ToBytes, wipe } from '../../utils.js';
+import { SigningError } from '../../errors.js';
+import { SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from '../../slhdsa/index.js';
+import { buildEffectiveCtx, CTX_DOMAIN_MAX } from '../ctx.js';
+function prehashAlgoToSlhdsa(algo) {
+    switch (algo) {
+        case 'shake-128': return 'SHAKE128';
+        case 'shake-256': return 'SHAKE256';
+        case 'sha-256': return 'SHA2-256';
+        case 'sha-512': return 'SHA2-512';
+        case 'sha3-256': return 'SHA3-256';
+        case 'sha3-512': return 'SHA3-512';
+        default: {
+            const _exhaustive = algo;
+            throw new Error(`leviathan-crypto: unknown prehash algorithm ${_exhaustive}`);
+        }
+    }
+}
+// ── Pure-mode factory ───────────────────────────────────────────────────────
+function SlhdsaPureSuite(SlhDsaClass, params, formatEnum, formatName, ctxDomain) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const wasmModules = Object.freeze(['slhdsa']);
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize: params.pkBytes,
+        skSize: params.skBytes,
+        sigMaxSize: params.sigBytes,
+        wasmModules,
+        sign(sk, msg, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.sign(sk, msg, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.verify(pk, msg, sig, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        keygen() {
+            const inst = new SlhDsaClass();
+            try {
+                const kp = inst.keygen();
+                return { pk: kp.verificationKey, sk: kp.signingKey };
+            }
+            finally {
+                inst.dispose();
+            }
+        },
+    };
+}
+// ── Prehash-mode factory ────────────────────────────────────────────────────
+function SlhdsaPrehashSuite(SlhDsaClass, params, formatEnum, formatName, ctxDomain, prehashAlgorithm, prehashSize) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const wasmModules = Object.freeze(['slhdsa', 'sha3']);
+    const slhHashAlgo = prehashAlgoToSlhdsa(prehashAlgorithm);
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize: params.pkBytes,
+        skSize: params.skBytes,
+        sigMaxSize: params.sigBytes,
+        wasmModules,
+        prehashAlgorithm,
+        prehashSize,
+        sign(sk, msg, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.signHash(sk, msg, slhHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.verifyHash(pk, msg, sig, slhHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        keygen() {
+            const inst = new SlhDsaClass();
+            try {
+                const kp = inst.keygen();
+                return { pk: kp.verificationKey, sk: kp.signingKey };
+            }
+            finally {
+                inst.dispose();
+            }
+        },
+        signPrehashed(sk, digest, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != expected ${prehashSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.signHashPrehashed(sk, digest, slhHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+        verifyPrehashed(pk, digest, sig, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != expected ${prehashSize} for ${formatName}`);
+            const effectiveCtx = buildEffectiveCtx(ctxDomain, ctx);
+            const inst = new SlhDsaClass();
+            try {
+                return inst.verifyHashPrehashed(pk, digest, sig, slhHashAlgo, effectiveCtx);
+            }
+            finally {
+                inst.dispose();
+                wipe(effectiveCtx);
+            }
+        },
+    };
+}
+// ── Exported suite consts ───────────────────────────────────────────────────
+export const SlhDsa128fSuite = SlhdsaPureSuite(SlhDsa128f, SLHDSA128F, 0x06, 'slhdsa128f', 'slhdsa128f-envelope-v3');
+export const SlhDsa192fSuite = SlhdsaPureSuite(SlhDsa192f, SLHDSA192F, 0x07, 'slhdsa192f', 'slhdsa192f-envelope-v3');
+export const SlhDsa256fSuite = SlhdsaPureSuite(SlhDsa256f, SLHDSA256F, 0x08, 'slhdsa256f', 'slhdsa256f-envelope-v3');
+export const SlhDsa128fPreHashSuite = SlhdsaPrehashSuite(SlhDsa128f, SLHDSA128F, 0x16, 'slhdsa128f-prehash', 'slhdsa128f-prehash-envelope-v3', 'shake-128', 32);
+export const SlhDsa192fPreHashSuite = SlhdsaPrehashSuite(SlhDsa192f, SLHDSA192F, 0x17, 'slhdsa192f-prehash', 'slhdsa192f-prehash-envelope-v3', 'shake-256', 64);
+export const SlhDsa256fPreHashSuite = SlhdsaPrehashSuite(SlhDsa256f, SLHDSA256F, 0x18, 'slhdsa256f-prehash', 'slhdsa256f-prehash-envelope-v3', 'shake-256', 64);