leviathan-crypto 2.0.1 → 3.0.0

package/dist/sign/types.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Prehash algorithm identifier used by StreamableSignatureSuite. The
+ * lowercase, hyphenated form is the lib's public sign-surface; the
+ * mldsa-internal `PreHashAlgorithm` (uppercase, no hyphen on SHAKE)
+ * remains private. `prehashAlgoToMldsa` in ctx.ts is the only bridge.
+ */
+export type PrehashAlgorithm = 'sha-256' | 'sha-512' | 'sha3-256' | 'sha3-512' | 'shake-128' | 'shake-256';
+/**
+ * Base SignatureSuite interface. All suite consts conform to this.
+ * Pure-mode suites conform to SignatureSuite only; suites that support
+ * streaming additionally conform to StreamableSignatureSuite.
+ */
+export interface SignatureSuite {
+    /**
+     * Wire format byte. Bits 0-3 = suite within category;
+     * bits 4-5 = category (0x0X pure, 0x1X prehash, 0x2X classical+PQ
+     * hybrid, 0x3X PQ-only hybrid); bits 6-7 reserved.
+     */
+    readonly formatEnum: number;
+    /** Human label, e.g. 'mldsa65', 'mldsa65-prehash'. */
+    readonly formatName: string;
+    /**
+     * Built-in domain separator. Concatenated, length-prefixed, with
+     * user-supplied ctx before being fed to the underlying primitive's
+     * ctx parameter. Convention: `{scheme}-envelope-v3` for pure suites,
+     * `{scheme}-prehash-envelope-v3` for prehash variants. Max 32 bytes,
+     * validated at factory construction.
+     */
+    readonly ctxDomain: string;
+    /** Public key size in bytes. */
+    readonly pkSize: number;
+    /** Secret key size in bytes. */
+    readonly skSize: number;
+    /**
+     * Upper-bound signature size in bytes. For fixed-length signature
+     * schemes equals the actual size. For variable-length schemes
+     * (e.g., composite ECDSA whose `Ecdsa-Sig-Value` DER encoding per
+     * RFC 3279 §2.2.3 varies with leading-zero stripping) is the
+     * catalog-reserved upper bound, the actual sig may be shorter.
+     * Hybrid suites precompute `sig_classical + sig_pq` for clear
+     * visibility.
+     */
+    readonly sigMaxSize: number;
+    /** WASM modules this suite requires initialized via init(). */
+    readonly wasmModules: readonly string[];
+    /**
+     * Sign a message. Returns the raw signature bytes, not wrapped in
+     * the envelope wire format; that is Sign.sign's job.
+     *
+     * @param sk  Secret key, must be exactly skSize bytes.
+     * @param msg Message to sign. Any length.
+     * @param ctx User context, up to USER_CTX_MAX (255) bytes per
+     *            FIPS 204 §3.6.1. Suites that route ctx through
+     *            buildEffectiveCtx have a tighter per-call ceiling
+     *            equal to `253 - len(ctxDomain)`. Empty Uint8Array
+     *            is legal but must be passed explicitly.
+     * @throws SigningError on contract violations (wrong-size key,
+     *         ctx too long).
+     * @returns Signature bytes, length at most sigMaxSize.
+     */
+    sign(sk: Uint8Array, msg: Uint8Array, ctx: Uint8Array): Uint8Array;
+    /**
+     * Verify a signature. Returns boolean for all signature outcomes
+     * including malformed signature encoding. Throws SigningError on
+     * contract violations (wrong-size key, ctx too long).
+     */
+    verify(pk: Uint8Array, msg: Uint8Array, sig: Uint8Array, ctx: Uint8Array): boolean;
+    /**
+     * Generate a fresh keypair. Returns named-field object regardless
+     * of how the underlying primitive names its keys.
+     */
+    keygen(): {
+        pk: Uint8Array;
+        sk: Uint8Array;
+    };
+}
+/**
+ * SignatureSuite extension for streamable signing. Suites that support
+ * SignStream / VerifyStream must conform to this interface; pure-mode
+ * suites do not.
+ */
+export interface StreamableSignatureSuite extends SignatureSuite {
+    /** Prehash algorithm. Locked at suite construction. */
+    readonly prehashAlgorithm: PrehashAlgorithm;
+    /** Digest size in bytes for the locked prehash algorithm. */
+    readonly prehashSize: number;
+    /**
+     * Sign a precomputed digest. Caller is responsible for computing
+     * the digest with the prehash algorithm matching this suite, or
+     * using SignStream which does it internally.
+     *
+     * @param digest Digest bytes, must be exactly prehashSize.
+     * @throws SigningError('sig-malformed-input') on digest length
+     *         mismatch; SigningError on other contract violations.
+     */
+    signPrehashed(sk: Uint8Array, digest: Uint8Array, ctx: Uint8Array): Uint8Array;
+    /**
+     * Verify a precomputed-digest signature. Returns false on signature
+     * failure (including malformed signature encoding). Throws SigningError
+     * on contract violations: wrong-size key, ctx too long, or wrong-size
+     * digest (`sig-malformed-input`). The digest length is a caller-side
+     * contract; symmetric with `signPrehashed` which throws on the same
+     * condition.
+     */
+    verifyPrehashed(pk: Uint8Array, digest: Uint8Array, sig: Uint8Array, ctx: Uint8Array): boolean;
+}

package/dist/sign/types.js

@@ -0,0 +1,28 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/types.ts
+//
+// SignatureSuite interface definitions for the v3 signature layer.
+// Mirrors src/ts/stream/types.ts (CipherSuite) shape; signatures plug
+// into Sign / SignStream / VerifyStream the way ciphers plug into
+// Seal / SealStream / OpenStream.
+export {};

package/dist/sign/verify-stream.d.ts

@@ -0,0 +1,30 @@
+import type { StreamableSignatureSuite } from './types.js';
+export declare class VerifyStream {
+    private readonly suite;
+    private readonly pk;
+    private readonly expectedCtx;
+    private state;
+    private headerBuf;
+    private payloadChunks;
+    private payloadHasher;
+    private payloadRemaining;
+    private sigBuf;
+    constructor(suite: StreamableSignatureSuite, pk: Uint8Array, ctx: Uint8Array);
+    /**
+     * Feed bytes from the wire. Header parsing is byte-by-byte tolerant;
+     * payload bytes accumulate up to the wire-declared payload_len; the
+     * trailing sig bytes accumulate until finalize.
+     */
+    update(chunk: Uint8Array): void;
+    /**
+     * Verify the buffered signature. Returns the payload on success.
+     * Throws and wipes the buffered payload on verification failure.
+     */
+    finalize(): Uint8Array;
+    /** Wipe all internal state. Idempotent. */
+    dispose(): void;
+    private consumeHeaderBytes;
+    private consumePayloadBytes;
+    private consumeSigBytes;
+    private wipeBuffers;
+}

package/dist/sign/verify-stream.js

@@ -0,0 +1,227 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/verify-stream.ts
+//
+// VerifyStream class, buffered streaming verification for
+// StreamableSignatureSuite. Holds payload chunks internally; on finalize
+// verifies and returns the payload, or throws and wipes.
+//
+// Wire format and parser flow: docs/signing.md#attached-envelope.
+import { constantTimeEqual, concat, wipe } from '../utils.js';
+import { SigningError } from '../errors.js';
+import { createRunningHash } from './hasher.js';
+var State;
+(function (State) {
+    State[State["ParsingHeader"] = 0] = "ParsingHeader";
+    State[State["ParsingPayload"] = 1] = "ParsingPayload";
+    State[State["ParsingSig"] = 2] = "ParsingSig";
+    State[State["Finalized"] = 3] = "Finalized";
+    State[State["Disposed"] = 4] = "Disposed";
+})(State || (State = {}));
+export class VerifyStream {
+    suite;
+    pk;
+    expectedCtx;
+    state = State.ParsingHeader;
+    headerBuf = new Uint8Array(0);
+    payloadChunks = [];
+    payloadHasher;
+    payloadRemaining = 0;
+    sigBuf = new Uint8Array(0);
+    constructor(suite, pk, ctx) {
+        this.suite = suite;
+        this.pk = pk;
+        this.expectedCtx = ctx;
+    }
+    /**
+     * Feed bytes from the wire. Header parsing is byte-by-byte tolerant;
+     * payload bytes accumulate up to the wire-declared payload_len; the
+     * trailing sig bytes accumulate until finalize.
+     */
+    update(chunk) {
+        if (this.state === State.Disposed)
+            throw new SigningError('sig-stream-disposed');
+        if (this.state === State.Finalized)
+            throw new SigningError('sig-stream-finalized');
+        let rest = chunk;
+        if (this.state === State.ParsingHeader) {
+            rest = this.consumeHeaderBytes(rest);
+            if (this.state === State.ParsingHeader)
+                return;
+        }
+        if (rest.length === 0)
+            return;
+        if (this.state === State.ParsingPayload) {
+            rest = this.consumePayloadBytes(rest);
+            if (rest.length === 0)
+                return;
+        }
+        if (this.state === State.ParsingSig) {
+            this.consumeSigBytes(rest);
+        }
+    }
+    /**
+     * Verify the buffered signature. Returns the payload on success.
+     * Throws and wipes the buffered payload on verification failure.
+     */
+    finalize() {
+        if (this.state === State.Disposed)
+            throw new SigningError('sig-stream-disposed');
+        if (this.state === State.Finalized)
+            throw new SigningError('sig-stream-finalized');
+        // From here on, the stream transitions to Finalized regardless of
+        // success/failure so a partial parse cannot leave the hasher (and
+        // its WASM module) held.
+        const priorState = this.state;
+        this.state = State.Finalized;
+        const h = this.payloadHasher;
+        this.payloadHasher = undefined;
+        try {
+            if (priorState !== State.ParsingSig) {
+                this.wipeBuffers();
+                throw new SigningError('sig-blob-too-short', 'finalize before payload completed');
+            }
+            if (this.sigBuf.length === 0) {
+                this.wipeBuffers();
+                throw new SigningError('sig-blob-too-short', 'finalize before any sig bytes arrived');
+            }
+            if (this.sigBuf.length > this.suite.sigMaxSize) {
+                this.wipeBuffers();
+                throw new SigningError('sig-blob-too-short', `trailing sig ${this.sigBuf.length} > suite.sigMaxSize ${this.suite.sigMaxSize}`);
+            }
+            const digest = h.finalize();
+            try {
+                const sig = this.sigBuf;
+                try {
+                    if (!this.suite.verifyPrehashed(this.pk, digest, sig, this.expectedCtx)) {
+                        this.wipeBuffers();
+                        throw new SigningError('verify-failed');
+                    }
+                }
+                catch (e) {
+                    this.wipeBuffers();
+                    throw e;
+                }
+                const out = concat(...this.payloadChunks);
+                this.wipeBuffers();
+                return out;
+            }
+            finally {
+                wipe(digest);
+            }
+        }
+        finally {
+            if (h !== undefined)
+                h.dispose();
+        }
+    }
+    /** Wipe all internal state. Idempotent. */
+    dispose() {
+        if (this.state === State.Disposed)
+            return;
+        this.state = State.Disposed;
+        if (this.payloadHasher !== undefined) {
+            this.payloadHasher.dispose();
+            this.payloadHasher = undefined;
+        }
+        this.wipeBuffers();
+    }
+    consumeHeaderBytes(chunk) {
+        const combined = new Uint8Array(this.headerBuf.length + chunk.length);
+        combined.set(this.headerBuf, 0);
+        combined.set(chunk, this.headerBuf.length);
+        if (combined.length < 2) {
+            this.headerBuf = combined;
+            return new Uint8Array(0);
+        }
+        const suiteByte = combined[0];
+        if (suiteByte !== this.suite.formatEnum) {
+            this.state = State.Finalized;
+            this.wipeBuffers();
+            throw new SigningError('sig-suite-mismatch', `wire suite 0x${suiteByte.toString(16)} != suite.formatEnum 0x${this.suite.formatEnum.toString(16)}`);
+        }
+        const ctxLen = combined[1];
+        const headerEnd = 2 + ctxLen + 4;
+        if (combined.length < headerEnd) {
+            this.headerBuf = combined;
+            return new Uint8Array(0);
+        }
+        const wireCtx = combined.subarray(2, 2 + ctxLen);
+        if (!constantTimeEqual(wireCtx, this.expectedCtx)) {
+            this.state = State.Finalized;
+            this.wipeBuffers();
+            throw new SigningError('sig-ctx-mismatch');
+        }
+        // payload_len lives at offset 2 + ctxLen, u32 BE per the v3
+        // envelope wire. Multiply the high byte instead of <<24 so a
+        // 0x80-or-higher high byte does not turn the result negative
+        // and silently bypass the payload-overflow check downstream.
+        const lOff = 2 + ctxLen;
+        this.payloadRemaining =
+            combined[lOff] * 0x1000000
+                + ((combined[lOff + 1] << 16)
+                    | (combined[lOff + 2] << 8)
+                    | combined[lOff + 3]);
+        this.payloadHasher = createRunningHash(this.suite.prehashAlgorithm);
+        this.headerBuf = new Uint8Array(0);
+        this.state = this.payloadRemaining === 0
+            ? State.ParsingSig
+            : State.ParsingPayload;
+        return combined.subarray(headerEnd);
+    }
+    consumePayloadBytes(chunk) {
+        if (this.payloadRemaining === 0) {
+            this.state = State.ParsingSig;
+            return chunk;
+        }
+        const take = Math.min(chunk.length, this.payloadRemaining);
+        const segment = chunk.subarray(0, take);
+        // Copy so a caller-side mutation cannot retroactively alter the
+        // buffered payload we return at finalize.
+        const owned = new Uint8Array(segment);
+        this.payloadChunks.push(owned);
+        this.payloadHasher.update(owned);
+        this.payloadRemaining -= take;
+        if (this.payloadRemaining === 0)
+            this.state = State.ParsingSig;
+        return chunk.subarray(take);
+    }
+    consumeSigBytes(chunk) {
+        const combined = new Uint8Array(this.sigBuf.length + chunk.length);
+        combined.set(this.sigBuf, 0);
+        combined.set(chunk, this.sigBuf.length);
+        this.sigBuf = combined;
+    }
+    wipeBuffers() {
+        for (const c of this.payloadChunks)
+            c.fill(0);
+        this.payloadChunks = [];
+        if (this.sigBuf.length > 0) {
+            this.sigBuf.fill(0);
+            this.sigBuf = new Uint8Array(0);
+        }
+        if (this.headerBuf.length > 0) {
+            this.headerBuf.fill(0);
+            this.headerBuf = new Uint8Array(0);
+        }
+    }
+}

package/dist/slhdsa/embedded.d.ts

@@ -0,0 +1 @@
+export { WASM_GZ_BASE64 as slhdsaWasm } from '../embedded/slhdsa.js';

package/dist/slhdsa/embedded.js

@@ -0,0 +1,26 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/slhdsa/embedded.ts
+//
+// Exports the gzip+base64 slhdsa WASM blob for use as a WasmSource.
+// Import via `leviathan-crypto/slhdsa/embedded`.
+export { WASM_GZ_BASE64 as slhdsaWasm } from '../embedded/slhdsa.js';

package/dist/slhdsa/index.d.ts

@@ -0,0 +1,149 @@
+import { isInitialized } from '../init.js';
+import type { WasmSource } from '../wasm-source.js';
+import type { SlhDsaExports, SlhDsaKeyPair } from './types.js';
+import { type SlhDsaParams, SLHDSA128F, SLHDSA192F, SLHDSA256F } from './params.js';
+import { type PreHashAlgorithm } from './prehash.js';
+export declare function slhdsaInit(source: WasmSource): Promise<void>;
+export type { WasmSource };
+export type { SlhDsaExports, SlhDsaKeyPair } from './types.js';
+export { SLHDSA128F, SLHDSA192F, SLHDSA256F };
+export type { SlhDsaParams };
+export type { PreHashAlgorithm } from './prehash.js';
+export { isInitialized };
+/** Return the slhdsa WASM instance exports. Internal helper for tests that
+ *  need raw access to the ADRS / hash / sponge primitives; consumers use
+ *  the SlhDsa* classes below. */
+export declare function getSlhDsaExports(): SlhDsaExports;
+export declare class SlhDsaBase {
+    readonly params: SlhDsaParams;
+    constructor(params: SlhDsaParams);
+    private get x();
+    private get sx();
+    private get sha2x();
+    /**
+     * Deterministic key generation, FIPS 205 §9.1 Algorithm 18.
+     * @param seed 3n bytes laid out as `SK.seed ‖ SK.prf ‖ PK.seed`. Each
+     *             component is `n` bytes (16 for 128f, 24 for 192f, 32 for
+     *             256f). The slh_keygen_internal entry consumes this layout
+     *             directly.
+     */
+    keygenDerand(seed: Uint8Array): SlhDsaKeyPair;
+    /** Random key generation, wraps `keygenDerand` with `randomBytes(3n)`. */
+    keygen(): SlhDsaKeyPair;
+    /**
+     * Hedged signing, FIPS 205 §3.4 / §10.2.1 Algorithm 22.
+     * Generates a fresh n-byte addrnd (opt_rand) per signature; two
+     * signatures over the same (sk, M, ctx) produce different bytes.
+     * Hedged signing is recommended over deterministic because hedged
+     * signatures remain unforgeable under fault attacks that bias the
+     * rejection-sampling stream (FIPS 205 §3.4 / §9.2).
+     */
+    sign(sk: Uint8Array, M: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic signing, FIPS 205 §3.4. Sets opt_rand ← PK.seed so two
+     * signatures over the same (sk, M, ctx) produce identical bytes.
+     * Caller accepts the §3.4 caveat: deterministic signatures are
+     * vulnerable to fault attacks that bias secret-derived intermediates;
+     * use only when no entropy is available or determinism is a hard
+     * protocol requirement. PK.seed lives at sk[2n..3n] inside the
+     * `SK.seed ‖ SK.prf ‖ PK.seed ‖ PK.root` encoding (FIPS 205 §9.1).
+     */
+    signDeterministic(sk: Uint8Array, M: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised signing, testing / CAVP API. Caller supplies
+     * the n-byte opt_rand; library does not mix in additional entropy.
+     * Hard contract on the caller: opt_rand MUST come from an approved
+     * RBG and MUST NOT be reused across signatures. ACVP SLH-DSA sigGen
+     * vectors (with a supplied additionalRandomness) drive this path.
+     */
+    signDerand(sk: Uint8Array, M: Uint8Array, optRand: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Pure SLH-DSA verify, FIPS 205 §10.3 Algorithm 24 / §9.3 Algorithm 20.
+     *
+     * Returns boolean. Wrong-length pk / sig return false (FIPS 205 §3.6.2
+     * structural mismatch; same posture as ML-DSA verify). Throws
+     * `SigningError('sig-ctx-too-long')` only on the caller-side contract
+     * violation `ctx.length > 255`.
+     */
+    verify(pk: Uint8Array, M: Uint8Array, sig: Uint8Array, ctx?: Uint8Array): boolean;
+    private _assertHashPrereqs;
+    /**
+     * Hedged HashSLH-DSA sign, FIPS 205 §10.2.2 Algorithm 23.
+     *
+     * Pre-hashes `M` with the chosen approved function `ph`, builds
+     * M' = 0x01 ‖ |ctx| ‖ ctx ‖ OID(ph) ‖ PH_M, then drives
+     * slh_sign_internal with a fresh n-byte opt_rand (FIPS 205 §3.4
+     * recommended default; see {@link sign} for the rationale).
+     */
+    signHash(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic HashSLH-DSA sign, FIPS 205 §10.2.2 Algorithm 23 with
+     * opt_rand ← PK.seed (the deterministic substitute per FIPS 205 §3.4).
+     * Same fault-attack caveat as {@link signDeterministic}.
+     */
+    signHashDeterministic(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised HashSLH-DSA sign, testing / CAVP API. Caller
+     * supplies the n-byte opt_rand (same contract as {@link signDerand}).
+     * Used to oracle ACVP HashSLH-DSA sigGen vectors with byte-identical
+     * output.
+     */
+    signHashDerand(sk: Uint8Array, M: Uint8Array, ph: PreHashAlgorithm, optRand: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * HashSLH-DSA verify, FIPS 205 §10.3 Algorithm 25.
+     *
+     * Same return / throw posture as {@link verify}: returns boolean for
+     * every signature outcome (including malformed-σ → false), throws
+     * `SigningError` only on caller-side contract violations
+     * (`ctx.length > 255`) or `RangeError` on category violations and
+     * unsupported `ph`.
+     */
+    verifyHash(pk: Uint8Array, M: Uint8Array, sig: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): boolean;
+    /**
+     * Hedged HashSLH-DSA sign with a caller-supplied prehash. FIPS 205
+     * §10.2.2 Algorithm 23 lines 18-25 (the post-PH path).
+     *
+     * `digest` must be exactly `digestSize(ph)` bytes; a mismatch throws
+     * `SigningError('sig-malformed-input')`. The caller owns `digest`
+     * and is responsible for wiping it; this method never mutates the
+     * buffer. Hedged variant generates a fresh n-byte opt_rand per call.
+     */
+    signHashPrehashed(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Deterministic HashSLH-DSA sign with a caller-supplied prehash,
+     * opt_rand ← PK.seed per FIPS 205 §3.4. Same fault-attack caveat as
+     * {@link signDeterministic}.
+     */
+    signHashPrehashedDeterministic(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): Uint8Array;
+    /**
+     * Externally-randomised HashSLH-DSA sign with a caller-supplied
+     * prehash, testing / CAVP API. Caller supplies the n-byte opt_rand:
+     * MUST come from an approved RBG and MUST NOT be reused across
+     * signatures.
+     */
+    signHashPrehashedDerand(sk: Uint8Array, digest: Uint8Array, ph: PreHashAlgorithm, optRand: Uint8Array, ctx?: Uint8Array): Uint8Array;
+    /**
+     * HashSLH-DSA verify with a caller-supplied prehash. FIPS 205 §10.3
+     * Algorithm 25 lines 16-19 (the post-PH path).
+     *
+     * Returns boolean for every signature outcome. Wrong-length pk / σ
+     * and wrong-size `digest` all return `false` (FIPS 205 §3.6.2 /
+     * §10.3 structural mismatch). Throws on caller-side contract
+     * violations only (`ctx.length > 255`, unsupported `ph`, category
+     * mismatch).
+     */
+    verifyHashPrehashed(pk: Uint8Array, digest: Uint8Array, sig: Uint8Array, ph: PreHashAlgorithm, ctx?: Uint8Array): boolean;
+    dispose(): void;
+}
+/** SLH-DSA-SHAKE-128f, FIPS 205 §11.1 Table 2 (NIST security category 1). */
+export declare class SlhDsa128f extends SlhDsaBase {
+    constructor();
+}
+/** SLH-DSA-SHAKE-192f, FIPS 205 §11.1 Table 2 (NIST security category 3). */
+export declare class SlhDsa192f extends SlhDsaBase {
+    constructor();
+}
+/** SLH-DSA-SHAKE-256f, FIPS 205 §11.1 Table 2 (NIST security category 5). */
+export declare class SlhDsa256f extends SlhDsaBase {
+    constructor();
+}