leviathan-crypto 2.0.1 → 3.0.0

package/dist/docs/types.md

@@ -1,276 +0,0 @@
-# TypeScript Interfaces
-
-> [!NOTE]
-> Defines the abstract interfaces all leviathan-crypto cryptographic classes implement. These are type-only exports; they contain no runtime code and generate no JavaScript output.
-
-> ### Table of Contents
-> - [API Reference](#api-reference)
-> - [Usage Examples](#usage-examples)
-> - [WasmSource](#wasmsource)
-> - [CipherSuite](#ciphersuite)
-> - [DerivedKeys](#derivedkeys)
-> - [SealStreamOpts](#sealstreamopts)
-> - [PoolOpts](#poolopts)
-
----
-
-## API Reference
-
-Use these interfaces when you need generic code that works with any hash function, any cipher, or any AEAD scheme without depending on a specific implementation. They are available immediately on import with no `init()` call required.
-
-### Hash
-
-```typescript
-interface Hash {
-  hash(msg: Uint8Array): Uint8Array;
-  dispose(): void;
-}
-```
-
-Interface for unkeyed hash functions (e.g., SHA-256, SHA-512, SHA-3).
-
-| Method | Description |
-|---|---|
-| `hash(msg)` | Hashes the entire message and returns the digest as a new `Uint8Array`. |
-| `dispose()` | Releases WASM resources and wipes internal buffers. Call when done. |
-
----
-
-### KeyedHash
-
-```typescript
-interface KeyedHash {
-  hash(key: Uint8Array, msg: Uint8Array): Uint8Array;
-  dispose(): void;
-}
-```
-
-Interface for keyed hash functions / MACs (e.g., HMAC-SHA256, HMAC-SHA512).
-
-`KeyedHash` does **not** extend `Hash`. Its `hash` method takes a `key` parameter in addition to the message.
-
-| Method | Description |
-|---|---|
-| `hash(key, msg)` | Computes the keyed hash / MAC over `msg` using `key`. Returns the tag as a new `Uint8Array`. |
-| `dispose()` | Releases WASM resources and wipes internal buffers. Call when done. |
-
----
-
-### Blockcipher
-
-```typescript
-interface Blockcipher {
-  encrypt(block: Uint8Array): Uint8Array;
-  decrypt(block: Uint8Array): Uint8Array;
-  dispose(): void;
-}
-```
-
-Interface for raw block ciphers (e.g., Serpent in ECB mode). Operates on single blocks.
-
-| Method | Description |
-|---|---|
-| `encrypt(block)` | Encrypts a single block and returns the ciphertext. |
-| `decrypt(block)` | Decrypts a single block and returns the plaintext. |
-| `dispose()` | Releases WASM resources and wipes internal buffers (including expanded key schedule). |
-
----
-
-### Streamcipher
-
-```typescript
-interface Streamcipher {
-  encrypt(msg: Uint8Array): Uint8Array;
-  decrypt(msg: Uint8Array): Uint8Array;
-  dispose(): void;
-}
-```
-
-Interface for stream ciphers and block cipher streaming modes (e.g., Serpent-CTR, ChaCha20). Handles arbitrary-length messages.
-
-| Method | Description |
-|---|---|
-| `encrypt(msg)` | Encrypts an arbitrary-length message. Returns the ciphertext (same length as input). |
-| `decrypt(msg)` | Decrypts an arbitrary-length ciphertext. Returns the plaintext (same length as input). |
-| `dispose()` | Releases WASM resources and wipes internal buffers. |
-
----
-
-### AEAD
-
-```typescript
-interface AEAD {
-  encrypt(msg: Uint8Array, aad?: Uint8Array): Uint8Array;
-  decrypt(ciphertext: Uint8Array, aad?: Uint8Array): Uint8Array;
-  dispose(): void;
-}
-```
-
-Interface for authenticated encryption with associated data (e.g., XChaCha20-Poly1305). Provides both confidentiality and integrity.
-
-| Method | Description |
-|---|---|
-| `encrypt(msg, aad?)` | Encrypts `msg` and authenticates both `msg` and optional `aad`. Returns ciphertext with appended authentication tag. |
-| `decrypt(ciphertext, aad?)` | Decrypts and verifies the authentication tag. Returns plaintext on success. Throws `Error` on authentication failure. Never returns null. |
-| `dispose()` | Releases WASM resources and wipes internal buffers. |
-
----
-
-## Usage Examples
-
-### Type-constraining a function parameter
-
-```typescript
-import type { Hash } from 'leviathan-crypto'
-
-function digestAndLog(hasher: Hash, data: Uint8Array): Uint8Array {
-  const digest = hasher.hash(data)
-  console.log('digest length:', digest.length)
-  return digest
-}
-```
-
-This function accepts any `Hash` implementation (`SHA256`, `SHA512`, `SHA3_256`, etc.) without importing any of them directly.
-
----
-
-### Accepting any AEAD scheme
-
-```typescript
-import type { AEAD } from 'leviathan-crypto'
-
-function sealMessage(aead: AEAD, plaintext: Uint8Array, metadata: Uint8Array): Uint8Array {
-  return aead.encrypt(plaintext, metadata)
-}
-
-function openMessage(aead: AEAD, ciphertext: Uint8Array, metadata: Uint8Array): Uint8Array {
-  // decrypt() throws on auth failure, no null check needed
-  return aead.decrypt(ciphertext, metadata)
-}
-```
-
----
-
-### Generic keyed-hash wrapper
-
-```typescript
-import type { KeyedHash } from 'leviathan-crypto'
-
-function authenticate(mac: KeyedHash, key: Uint8Array, ...parts: Uint8Array[]): Uint8Array {
-  // Concatenate all message parts, then compute the tag
-  const total = parts.reduce((sum, p) => sum + p.length, 0)
-  const msg = new Uint8Array(total)
-  let offset = 0
-  for (const part of parts) {
-    msg.set(part, offset)
-    offset += part.length
-  }
-  return mac.hash(key, msg)
-}
-```
-
----
-
-### Storing a cipher with its interface type
-
-```typescript
-import type { Streamcipher, Blockcipher } from 'leviathan-crypto'
-
-interface EncryptionContext {
-  cipher: Streamcipher | Blockcipher
-  mode: 'stream' | 'block'
-}
-
-function cleanup(ctx: EncryptionContext): void {
-  ctx.cipher.dispose()
-}
-```
-
----
-
-## WasmSource
-
-Union type for WASM module sources. Accepted by `init()`, `serpentInit()`, etc.
-
-`string | URL | ArrayBuffer | Uint8Array | WebAssembly.Module | Response | Promise<Response>`
-
----
-
-## CipherSuite
-
-Cipher-specific logic injected into `SealStream` and `OpenStream`.
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `formatEnum` | `number` | Wire format ID encoded in header byte 0 bits 0-5 (max 0x3f): bits 0-3 = cipher nibble (0x1=xchacha20, 0x2=serpent), bits 4-5 = KEM selector (0x00=none, 0x10=ML-KEM-512, 0x20=ML-KEM-768, 0x30=ML-KEM-1024), bit 6 reserved |
-| `formatName` | `string` | Human-readable label, e.g. `'xchacha20'`, `'serpent'`, `'mlkem768+xchacha20'` |
-| `hkdfInfo` | `string` | HKDF info string for key derivation |
-| `keySize` | `number` | Seal/encrypt key size in bytes (encapsulation key bytes for KEM suites) |
-| `decKeySize` | `number \| undefined` | Open/decrypt key size in bytes (decapsulation key bytes for KEM suites). Absent → same as `keySize` (symmetric case) |
-| `kemCtSize` | `number` | KEM ciphertext byte length appended to the header in the preamble. `0` for symmetric suites |
-| `tagSize` | `number` | Authentication tag size in bytes |
-| `padded` | `boolean` | Whether ciphertext includes padding (PKCS7 for CBC) |
-| `wasmChunkSize` | `number` | WASM buffer capacity for one padded chunk. `SealStreamPool.create()` validates `paddedFull ≤ wasmChunkSize` at startup for padded ciphers and throws `RangeError` if the check fails. `SerpentCipher`: 65552. `XChaCha20Cipher`: 65536. `KyberSuite` forwards from its inner cipher. |
-| `wasmModules` | `readonly string[]` | Cipher-specific WASM modules used by pool workers and per-chunk operations (not transitive dependencies such as HKDF-SHA-256 used by `deriveKeys()`) |
-
-| Method | Signature | Description |
-|--------|-----------|-------------|
-| `deriveKeys` | `(masterKey, nonce) → DerivedKeys` | HKDF key derivation |
-| `sealChunk` | `(keys, counterNonce, chunk, aad?) → Uint8Array` | Encrypt one chunk |
-| `openChunk` | `(keys, counterNonce, chunk, aad?) → Uint8Array` | Decrypt one chunk |
-| `wipeKeys` | `(keys) → void` | Zero derived key material |
-| `createPoolWorker` | `() → Worker` | Create a Web Worker for pool use |
-
-Implementations: `XChaCha20Cipher`, `SerpentCipher` (plain `const` objects, not classes), and `KyberSuite` (factory function returning a `CipherSuite`). See [ciphersuite.md](./ciphersuite.md).
-
-> [!IMPORTANT]
-> All CipherSuite implementations use HKDF-SHA-256 in `deriveKeys()`. The stream layer requires
-> `sha2` to be initialized regardless of which cipher is selected.
-
----
-
-## DerivedKeys
-
-Opaque key material returned by `CipherSuite.deriveKeys()`.
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `bytes` | `readonly Uint8Array` | Raw derived key bytes (opaque to the stream layer) |
-
----
-
-## SealStreamOpts
-
-Options for `SealStream` constructor.
-
-| Field | Type | Default | Description |
-|-------|------|---------|-------------|
-| `chunkSize` | `number` | `65536` | Chunk size in bytes. Range: [1024, 16777215]. |
-| `framed` | `boolean` | `false` | Enable u32be length-prefixed framing. |
-
----
-
-## PoolOpts
-
-Options for `SealStreamPool.create()`.
-
-| Field | Type | Default | Description |
-|-------|------|---------|-------------|
-| `wasm` | `WasmSource \| Record<string, WasmSource>` | | WASM module source(s). Single source for single-module ciphers, Record for multi-module. |
-| `workers` | `number` | `navigator.hardwareConcurrency ?? 4` | Number of Web Workers. |
-| `chunkSize` | `number` | `65536` | Chunk size in bytes. |
-| `framed` | `boolean` | `false` | Enable framed mode. |
-| `jobTimeout` | `number` | `30000` | Per-job timeout in milliseconds. |
-
----
-
-> ## Cross-References
->
-> - [index](./README.md) — Project Documentation index
-> - [architecture](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
-> - [utils](./utils.md) — encoding utilities and `constantTimeEqual` for verifying MACs from `KeyedHash`
-> - [serpent](./serpent.md) — Serpent classes implement `Blockcipher`, `Streamcipher`, and `AEAD`
-> - [chacha20](./chacha20.md) — `XChaCha20Cipher` is a `CipherSuite` for `SealStream`/`OpenStream`/`Seal`; `Seal` provides one-shot AEAD over any `CipherSuite`; `ChaCha20`/`ChaCha20Poly1305`/`XChaCha20Poly1305` are stateless primitives
-> - [sha2](./sha2.md) — SHA-2 classes implement `Hash`; HMAC classes implement `KeyedHash`
-> - [sha3](./sha3.md) — SHA-3 classes implement `Hash`; SHAKE classes extend with XOF API
-> - [test-suite](./test-suite.md) — test suite structure and vector corpus

package/dist/docs/utils.md

@@ -1,367 +0,0 @@
-# Utilities
-
-> [!NOTE]
-> Pure TypeScript utilities that ship alongside the WASM-backed primitives. No `init()` call required; all functions work immediately on import.
-
-> ### Table of Contents
-> - [Security Notes](#security-notes)
-> - [API Reference](#api-reference)
-> - [Usage Examples](#usage-examples)
-> - [Error Conditions](#error-conditions)
-
----
-
-The module covers encoding (hex, UTF-8, and base64 conversions between strings and `Uint8Array`), security (constant-time comparison and secure memory wiping), byte manipulation (XOR and concatenation), and random byte generation.
-
-## Security Notes
-
-**`constantTimeEqual`** uses a WASM SIMD module when available to remove the JS JIT compiler from the timing picture, falling back to an XOR-accumulate loop on older runtimes. Use this function whenever you compare MACs, hashes, authentication tags, or any secret-derived values. Never use `===`, `Buffer.equals`, or a manual loop-with-break for security comparisons. Those leak timing information that attackers can exploit to recover secrets. Inputs are limited to [`CT_MAX_BYTES`](#ct_max_bytes) (32768 bytes) per side.
-
-The length check in `constantTimeEqual` is not constant-time, because array length is non-secret in all standard protocols. If your use case treats length as secret, pad to equal length before comparing.
-
-**`wipe`** zeroes a typed array in-place. Call it on keys, plaintext buffers, and any other sensitive data as soon as you are done with them. JavaScript's garbage collector does not guarantee timely or complete erasure of memory.
-
-**`randomBytes`** delegates to `crypto.getRandomValues` (Web Crypto API), which is cryptographically secure in all modern browsers and Node.js 19+. It does not fall back to `Math.random` or any insecure source.
-
-The encoding functions (`hexToBytes`, `bytesToHex`, `utf8ToBytes`, `bytesToUtf8`, `base64ToBytes`, `bytesToBase64`) perform no security-sensitive operations.
-
----
-
-## API Reference
-
-### hexToBytes
-
-```typescript
-hexToBytes(hex: string): Uint8Array
-```
-
-Converts a hex string to a `Uint8Array`. Accepts lowercase or uppercase characters. An optional `0x` or `0X` prefix is stripped automatically. Throws `RangeError` on odd-length input.
-
----
-
-### bytesToHex
-
-```typescript
-bytesToHex(bytes: Uint8Array): string
-```
-
-Converts a `Uint8Array` to a lowercase hex string (no prefix).
-
----
-
-### utf8ToBytes
-
-```typescript
-utf8ToBytes(str: string): Uint8Array
-```
-
-Encodes a JavaScript string as UTF-8 bytes using the platform `TextEncoder`.
-
----
-
-### bytesToUtf8
-
-```typescript
-bytesToUtf8(bytes: Uint8Array): string
-```
-
-Decodes UTF-8 bytes to a JavaScript string using the platform `TextDecoder`.
-
----
-
-### base64ToBytes
-
-```typescript
-base64ToBytes(b64: string): Uint8Array | undefined
-```
-
-Decodes a base64 or base64url string to a `Uint8Array`. Handles padded, unpadded, and legacy `%3d` padding. Unpadded base64url input is accepted (RFC 4648 §5). Returns `undefined` if the input is not valid base64 (illegal characters or `rem=1` length).
-
----
-
-### bytesToBase64
-
-```typescript
-bytesToBase64(bytes: Uint8Array, url?: boolean): string
-```
-
-Encodes a `Uint8Array` to a base64 string. Pass `url = true` for base64url (RFC 4648 §5), which uses `-` and `_` instead of `+` and `/` with no padding characters. Defaults to standard base64.
-
----
-
-### constantTimeEqual
-
-```typescript
-constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean
-```
-
-Returns `true` if `a` and `b` contain identical bytes. Returns `false` immediately if the arrays differ in length (length is non-secret in all standard protocols).
-
-When WebAssembly SIMD is available the comparison runs inside a WASM module, removing the JS JIT compiler from the timing picture. Speculative optimisation and branch prediction inside the engine cannot short-circuit the loop. On runtimes without SIMD support the function falls back to an XOR-accumulate loop in JavaScript, which is best-effort but not a hardware-level guarantee. The overall posture is best-available constant-time, not a cryptographic proof of timing safety.
-
-Maximum input size is [`CT_MAX_BYTES`](#ct_max_bytes) (32768 bytes) per side. Throws `RangeError` if either array exceeds this limit.
-
-Use this function when working with lower-level unauthenticated primitives or building custom authenticated protocols on top of the hashing and KDF APIs. Three common cases:
-
-**Encrypt-then-MAC with `SerpentCbc` or `SerpentCtr`.** If you use the `dangerUnauthenticated` primitive directly and compute your own HMAC-SHA256 tag, compare that tag with `constantTimeEqual`. See the [example below](#encrypt-then-mac-with-serpentcbc).
-
-**Argon2id key verification.** When re-deriving an Argon2id hash to verify a passphrase, the final comparison must be constant-time. See [argon2id.md](./argon2id.md#password-hashing-and-verification) for the full example.
-
-**Custom HMAC protocols.** Any protocol where you derive a MAC with `HMAC_SHA256` or `HMAC_SHA512` and compare it against a received value. See [examples.md](./examples.md#hmac-sha256-message-authentication) for a complete example.
-
----
-
-### CT_MAX_BYTES
-
-```typescript
-const CT_MAX_BYTES: 32768
-```
-
-Maximum input size accepted by [`constantTimeEqual`](#constanttimeequal) per side, in bytes. Reflects the physical layout of the WASM comparison module: one 64 KiB page of linear memory split equally between the two input buffers (32 KiB each).
-
-In practice the largest comparison performed anywhere in this library is a 32-byte HMAC-SHA-256 tag. This limit only matters for custom protocols that compare unusually large values. Use this constant to guard your own inputs rather than hardcoding the magic number:
-
-```typescript
-import { constantTimeEqual, CT_MAX_BYTES } from 'leviathan-crypto'
-
-if (a.length > CT_MAX_BYTES || b.length > CT_MAX_BYTES) {
-  throw new RangeError(`comparison input exceeds CT_MAX_BYTES (${CT_MAX_BYTES})`)
-}
-const match = constantTimeEqual(a, b)
-```
-
----
-
-### wipe
-
-```typescript
-wipe(data: Uint8Array | Uint16Array | Uint32Array): void
-```
-
-Zeroes a typed array in-place by calling `fill(0)`. Use this to clear keys, plaintext, or any sensitive material when you are done with it.
-
----
-
-### xor
-
-```typescript
-xor(a: Uint8Array, b: Uint8Array): Uint8Array
-```
-
-Returns a new `Uint8Array` where each byte is `a[i] ^ b[i]`. Both arrays must have the same length. Throws `RangeError` if they differ.
-
----
-
-### concat
-
-```typescript
-concat(...arrays: Uint8Array[]): Uint8Array
-```
-
-Concatenates one or more `Uint8Array`s into a new array.
-
----
-
-### randomBytes
-
-```typescript
-randomBytes(n: number): Uint8Array
-```
-
-Returns `n` cryptographically secure random bytes via the Web Crypto API (`crypto.getRandomValues`).
-
----
-
-### hasSIMD
-
-```typescript
-hasSIMD(): boolean
-```
-
-Returns `true` if the current runtime supports WebAssembly SIMD (the `v128`
-type and associated operations). The result is computed once on first call by
-validating a minimal v128 WASM module, then cached for subsequent calls.
-
-`SerpentCtr.encryptChunk`, `SerpentCbc.decrypt`, and `ChaCha20.encryptChunk`
-call this internally to select the fast SIMD path at runtime. It is exported
-for informational purposes. You do not need to call it yourself. SIMD dispatch
-is fully automatic.
-
-Supported in all modern browsers and Node.js 16+. Returns `false` in older
-environments, which fall back silently to the scalar path.
-
----
-
-## Usage Examples
-
-### Converting between formats
-
-```typescript
-import { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
-
-// Hex round-trip
-const bytes = hexToBytes('deadbeef')
-console.log(bytesToHex(bytes)) // "deadbeef"
-
-// 0x prefix is accepted
-const prefixed = hexToBytes('0xCAFE')
-console.log(bytesToHex(prefixed)) // "cafe"
-
-// UTF-8 round-trip
-const encoded = utf8ToBytes('hello world')
-console.log(bytesToUtf8(encoded)) // "hello world"
-```
-
----
-
-### Base64 encoding and decoding
-
-```typescript
-import { bytesToBase64, base64ToBytes, utf8ToBytes, bytesToUtf8 } from 'leviathan-crypto'
-
-const data = utf8ToBytes('leviathan-crypto')
-const b64 = bytesToBase64(data)
-console.log(b64) // "bGV2aWF0aGFuLWNyeXB0bw=="
-
-// base64url variant (safe for URLs and filenames, no padding)
-const b64url = bytesToBase64(data, true)
-console.log(b64url) // "bGV2aWF0aGFuLWNyeXB0bw"
-
-// Decoding (accepts both standard and url variants)
-const decoded = base64ToBytes(b64)
-if (decoded) console.log(bytesToUtf8(decoded)) // "leviathan-crypto"
-```
-
----
-
-### Encrypt-then-MAC with SerpentCbc
-
-If you use `SerpentCbc` or `SerpentCtr` directly with `{ dangerUnauthenticated: true }`, you are responsible for authentication. The correct pattern is Encrypt-then-MAC: encrypt first, then compute HMAC-SHA256 over the ciphertext, and use `constantTimeEqual` to verify on decrypt.
-
-```typescript
-import {
-  init, SerpentCbc, HMAC_SHA256,
-  constantTimeEqual, randomBytes, wipe, concat,
-} from 'leviathan-crypto'
-import { serpentWasm } from 'leviathan-crypto/serpent/embedded'
-import { sha2Wasm }    from 'leviathan-crypto/sha2/embedded'
-
-await init({ serpent: serpentWasm, sha2: sha2Wasm })
-
-const encKey = randomBytes(32)
-const macKey = randomBytes(32)
-const iv     = randomBytes(16)
-
-// ── Encrypt ──────────────────────────────────────────────────────────────────
-
-const cbc = new SerpentCbc({ dangerUnauthenticated: true })
-const ct  = cbc.encrypt(encKey, iv, plaintext)
-cbc.dispose()
-
-// MAC covers iv || ct so the IV is authenticated too
-const hmac = new HMAC_SHA256()
-const tag  = hmac.hash(macKey, concat(iv, ct))
-hmac.dispose()
-
-const envelope = concat(iv, ct, tag)  // store or transmit this
-
-// ── Decrypt ──────────────────────────────────────────────────────────────────
-
-const receivedIv  = envelope.subarray(0, 16)
-const receivedCt  = envelope.subarray(16, envelope.length - 32)
-const receivedTag = envelope.subarray(envelope.length - 32)
-
-const hmac2       = new HMAC_SHA256()
-const expectedTag = hmac2.hash(macKey, concat(receivedIv, receivedCt))
-hmac2.dispose()
-
-// Always verify before decrypting — never decrypt unauthenticated ciphertext
-if (!constantTimeEqual(expectedTag, receivedTag)) {
-  wipe(expectedTag)
-  throw new Error('Authentication failed')
-}
-
-const cbc2 = new SerpentCbc({ dangerUnauthenticated: true })
-const pt   = cbc2.decrypt(encKey, receivedIv, receivedCt)
-cbc2.dispose()
-wipe(expectedTag)
-```
-
-> [!NOTE]
-> `Seal` with `SerpentCipher` does all of this for you — key derivation, IV handling, Encrypt-then-MAC, and constant-time verification — with no manual steps. The pattern above is only relevant if you need direct access to the raw `SerpentCbc` primitive.
-
----
-
-### Generating random keys and nonces
-
-```typescript
-import { randomBytes } from 'leviathan-crypto'
-
-const key   = randomBytes(32)  // 256-bit symmetric key
-const nonce = randomBytes(24)  // 192-bit nonce for XChaCha20
-const iv    = randomBytes(16)  // 128-bit IV for Serpent-CBC
-```
-
----
-
-### Wiping sensitive data after use
-
-```typescript
-import { randomBytes, wipe } from 'leviathan-crypto'
-
-const key = randomBytes(32)
-
-// ... use the key for encryption / decryption ...
-
-// When done, zero the key material so it does not linger in memory
-wipe(key)
-// key is now all zeroes
-```
-
----
-
-### XOR and concatenation
-
-```typescript
-import { xor, concat, randomBytes } from 'leviathan-crypto'
-
-const a = randomBytes(16)
-const b = randomBytes(16)
-
-// XOR two equal-length arrays
-const xored = xor(a, b)
-
-// Concatenate two arrays
-const combined = concat(a, b)
-console.log(combined.length) // 32
-```
-
----
-
-## Error Conditions
-
-| Function | Condition | Behavior |
-|---|---|---|
-| `hexToBytes` | Odd-length string | Throws `RangeError` |
-| `hexToBytes` | Invalid hex characters | Bytes decode as `NaN` -> `0` |
-| `base64ToBytes` | Invalid length or characters | Returns `undefined` |
-| `constantTimeEqual` | Arrays differ in length | Returns `false` immediately |
-| `constantTimeEqual` | Either array exceeds `CT_MAX_BYTES` | Throws `RangeError` |
-| `xor` | Arrays differ in length | Throws `RangeError` |
-| `randomBytes` | `crypto` not available | Throws (runtime-dependent) |
-| `hasSIMD` | `WebAssembly` not available | Returns `false` |
-
----
-
-> ## Cross-References
->
-> - [index](./README.md) — Project Documentation index
-> - [architecture](./architecture.md) — architecture overview, module relationships, buffer layouts, and build pipeline
-> - [serpent](./serpent.md) — Serpent modes consume keys from `randomBytes`; wrappers use `wipe` and `constantTimeEqual`
-> - [chacha20](./chacha20.md) — ChaCha20/Poly1305 classes use `randomBytes` for nonce generation
-> - [sha2](./sha2.md) — SHA-2 and HMAC classes; output often converted with `bytesToHex`
-> - [sha3](./sha3.md) — SHA-3 and SHAKE classes; output often converted with `bytesToHex`
-> - [argon2id](./argon2id.md) — passphrase-based encryption; uses `constantTimeEqual` for hash verification
-> - [examples](./examples.md) — full HMAC-SHA256 custom protocol example using `constantTimeEqual`
-> - [types](./types.md) — public interfaces whose implementations rely on these utilities
-> - [test-suite](./test-suite.md) — test suite structure and vector corpus

package/dist/embedded/kyber.d.ts

@@ -1 +0,0 @@
-export declare const WASM_GZ_BASE64 = "H4sIAAAAAAAAA61ae4xcVRk/z/uc2ZmiCNZCv3upPMQtj7ZQWh57lmdLwUZCND6y3W5nN3t3drc7c3ewgsw2QuwfhAQjpIomxSAQFAwmoFGQrhoVNP6DRGNQ+UONf6iJEgP7mB37nXPv7J3Z2Skm0Ow95/vu953zPX7nnO/cgQxXJykhhO70DhBaP8DqdXKA1skBXseeqNcNg9YPEIJvad0waV2L0Dq/8QbS6z+LSMEYY1LalHJOKePYcsYY50JQSoVwXCEFcu0fOTf6Y6X4tulDs+XSnkOE9CFVmpyuHNk/PFaqEloYK8X7p8tH7ihPx4PD1RJhWc4d458vEZ7LcC4lLEteRkSWvJzILLmNWFlyO7Gz5A7iZMkriJslryReltxJ/Cx5FcmdkZC10kjL+HwHU9vfV2hnXkryHZzLSKGDczkpdnC2kQ0dnO3kjA7ODvK+Ds4V5P0dnCvJmfmxUnxHqXToY6Oj1VJMPoCO3VYdS8izMGP7JxLqbKTuSKkPInV9nFAbi5raXxmfLCWsD+Fsn5we3V8ZTTib/LvGD5cGZ0dHS5UqOQcB8KlSPFxNXp9rJwyy2T44XC1NzpYJeFNxPFQdGS4PV0iQH5+qZeiQT8UxOc8yXLJlw+T0VDw2PVmqHBmqlA7NjpTIh/sODlcqpThOGefL0Rkc+ILc4enykaF4+uCRuFQlF/ZpcrQyPWkYF+U1Y2R68nClVK2SjxQ0fajU4lyca6lMVsfIR71kQCT6/ZSYnorJ1rM0lfg0tGolucTMMlaKp6bHqyVyuaPp4UOHyDbTrc4eJNvNaIkHO8wL9PgK8yLx/0ptYq000vJq54aUs+rYVcWU1/Jk1xkpK+Pebj9l4thX96VUMtk1LUZi1rUtebT+unNTKvV6eGQk6/mAXylFQ7NT46PTlUmi3JF4qFaqjI8eIYP2SDw0MjldI9dbk3p/YCRHmXfsqhsEUdIX5DriS6LmQD+Ffm7Rzwv186P6eal+btfPnfp5tW8RNXeS6OZnpvmlGaqoid8b3t9N845pjlHdHDfNU6b5gWl+qZsTpjlpmjd/a5o3jcg/jcgC9fvQZEXUib/SZV9Pe8Lx+wgQRWN1wom2UuI/TimrAwG+ygO6lbJQAMOGl0MJcl4dHS3Pq6MbyxOqODvfjYdaJKSoRULWTSLaTQkQoMDL4SkjOvUZiG78aDdl/guUOnVFA6bmaGDzAbAVu10MKBI4fAAcNcduEQPAQqpoFDCgq84EFtjgRIHkAyDB2SsGgGiOonEUCnTXKocUaMe0AQcBBBwthq4Bn0D7KRhCO+PgdE6O+j5IsNOurehsYGPXf4RRr66aJGCKBS4fAFfN0X3acI8PgJc1fKLDcAdc8KJA8AEQ4BnDPW0OxxDbQLSA5ljIkVFAgQOdR2de/gYtq7m5uWKkNs4at+bRZAsctHVivpvTKOChT552RICbdl1F48DFbofpqU2YdvWYXw4oMDjdyP7POHPq4m5FA44ZZXwAmHJMRikfAJqMnkFlIJCKMC+NYuACBWaCQ0GgqKuhxUw8ZIMIEvqNHH2r/V/jYdp4mAY5kCiekfXABb/xIoVc40nayNE8Idm/xvO08RxVxcZ3qBZ8CQWf6i3YuJ+GfuMh2vAFAQke+I0HDUGVEwVUB5aBaHURNwy7OhysdzisNBydgciGIYG3DXYnvO1sBBA9Dtga4FKvDg11HL+Hlf7rFvPq8m7EN1csyaLY19NsB6mJ1GypzZaJ2atQtrNeuMgRUeCBBd48eOuD2wUHhAG3ANEFgm0uyYxLcSbw6QrtCcSJBIj5bvHP4Kov64mVwPJBGiLMggJIKEChkXv5dkKyf4iiHCGEZf8az1K1EXG1Dug0IsMc5N6j8Rr3G7TmwYe+xkO053qyUOzdrZ/8u18/vVdLkrRWquAWMdDIPSbb/+mECNyiTrspsC7a786pror/n5MpMv334ynZcQz65yALud2w72/Sb+l8twPUv49SUU+QjQClOnaKakzi2uLA51VhVh3dOBMFeOoxxctRqNeoYkZGH+eJTCh3EQIchBIxSNVs8hnl1Cq7CNVMTYvaLsJwoijZLEprjcBJZD9hAddz0jgUaBLIfkLwQUOpnLiimptnTOkgEqOBm5lFrYIvMrP8y6JuHXehm/QSNlsStCaMQ65Y6ncgsBZRvEVLTYsWbWlatmhb01aLdjRtt2hXu8HiKPT0m7YIp8FTIlZH85Fa+q8oq001dARNE6cTrGDMPTiVhx4jndr11len4MGpk6CHugXW+uoM8Ix0e6g74KyvzjNpkv9vasKs2zJWc/lIrfyQldWHap1ZC7NOdIieJqFh1oEO1e65luXeuW4fJPSVXDfb7aJJtrP5bBdQLAZf8VoFpLLjJLuWWRY0TVc22x3qNEbpWgUcZcU6Pe3Z7RDnMTiK4bgiu9z8lzi11qw3s8KTtaBPv35CQq4KM7gpKSdSomYWdGYjwhzW2t/3BAyG3uonNLDBwj1EYMMDjo0IpB5cxBGSJHTUZjN3MVKyNTePQyud3TYuylqli6iVIBOvHbWu7w1ScYOKwVb2OqOIzO4lMPpdpWQqRbvPZfAKEiHAlbXOKHYqxWvtL7Pp+xTluCnzNKwcMxWIVrQdk0iOwTEhUAQEsFlFZybU0fxM+4BJSarHHs8OrdYMmizwdFi8PdD2DYXOAIsrQRZvaEoEQp8+qzNdb2airRsJbd2S1CteOWDA4dRR1H4stleD/n/wgqnNPUlMvcfjUABB+IpI1x2n3g1MhHYRgCsWG0SEAmgUOumGIKLQAldLm6JalEMPC9b2m66duWs7eMm2QWIjy7gDrblrr+VNmJucBLfrTVyA3a0Axpt0Nm6PJnVB6jPVjkUhw+OX9ROKhy92mCqaDldnx5WQqdeffv1pOYOJqSX9qCdoEDKKxaGsKT4DAqEbYXdiffh8vYtxWC90Ny5k6pXHv0wTk3Q3winTfsY6kVrH2qyzymidbazjEXZ7WHeW3txuMmgrXqprzOJlvr+bssx6wnW+CiKsPjU0sJPeBDNjvnvdh9bovkYZq7O7W1VwR83L8bIhcAAQ79Vlg+NlgwN/jy8bmTXpESDF84AUd/gWdrf4F1Oqa0jge5MkzvFypLHhxlHxwmxI1sq6sRFFneJFWdmf2zRXB668m8SA1hF7NeQE6uizRKiTrBwFliIBz6BSahyFdub4z9YQXvzM4NH8PYPf//NvyL2DcGywaX/xyUB/gFmtdcLssdtdw9Uaq9VQ9lzvrmEDfh8w5YnUS1Er+uD3Vgx9U3g4pr5w0rrR1fUdHjZJZaGsGJm1pHTAgxFrg9Wg6mI9EPr0XhtTS8f0TYyp3YqpRq5l9l65Tkj9+JnBufw9g29894J7BzcfG2wWdEQtvad0i2hXBVcrrAb01CbdW8HTCqtFZjaQXRV8rdAqNfFa3lshpxVWa9E85Hsr5LWC3bVE7qrQBzZw5eOlS0c5KUILUOipFxYQEhIc3M8LKSQkuAgBXTEhJJBGCHD80oVVkKs8Uy5K8BE8HlZFu4gECTllI7g0eCxN09ougl+k8gi7nHLxDS6TPiyY8wZ2rqZ5bRfxusPM9/8gad/adUxa65iut47TxWJjJemA3U8EWmL3Ex66OH3QWkbIJPigoW1up7apvuZEpLya+YSmdwU/rS2xxNYrpLuwn1aXySIT68olVabX8ep0iy4NgK8DoBddrn3R5RJgeP1EBhI8POpZjC0LLfQfuyK0lYcOF2aCPDKwjsHWCh1MLnad0FVuItOHDA9R4/UTNywgVIIi+AZ6yCT4oOEGE8fkejDnRMrXfvlmK/DSOFqIhg146ekq7KVxzHd5xdNy2MZU0HWHEGnK0g8M68glRXpfl1dJfV4wWyRbd4ikQi92vFoH2xea8oAC25tcrlwscovnAS/uyBb1oTn42gWLW04v0jbK1qQaMQhC/ITSVCMy0t9Oi9uy5t1sfkWiwIqXKKo/hxpVdeIoS9VponkJft/CF21j6IP+EYr3STOAwIJe361CCXzfDP5QAlYUunjrc8DF2i9dMPg9O7CQh7/KJB+NTh0iRzfuSRaAzj7G18zoJ8PbKDKTkbEzMsmvIHTCv9qEI6kmhL6I4FzJlalaCbJn3yCO0KQzz3xh8LpjT/qK8rrCH5D0kltdlPrrF35m0vsxWLrUw9FmqrjlZrN/nDGiHnB8tokSddzxjzGB/0MEJeQfS17jqyvvW3xdPig301fJnc0pdpH1AvkJv33p2sUX5TXstUWH1ulPl78nf7xwb/MTjQX+BjvAFhcepduaf1z4hXiA/b7xNn9r8TX5t5V3FgR7p3lyZbTx7EJt6V7ykvz28hPNf69cyydIddFt7lmurMzzTYsXN07S3y19i8ml55aepRezW/k5S2O8zxonT9Bb2XPkzOYfV7avnG/NWl7T418Sk823l38ln2gMiVcX7mPHlz9Lv0n30EPN55uX8T3i0+wg+4hcWrx5cY6qpc81fyJeWXxk+Q3y2aX7F4aWrEW2tJFvXHx6+WvLf6Jfaf565S/8z/zHfN/if+RnLBIWq9OzlZHSbcOHD49Pjd358X3FrZdMHDlYqmy9a7g6uXVy+PD/ADWXD1qaIgAA";

package/dist/embedded/kyber.js

@@ -1,3 +0,0 @@
-// Generated by scripts/embed-wasm.ts — do not edit
-// gzip-compressed WASM binary, base64-encoded. Decoded and decompressed by loadEmbedded().
-export const WASM_GZ_BASE64 = 'H4sIAAAAAAAAA61ae4xcVRk/z/uc2ZmiCNZCv3upPMQtj7ZQWh57lmdLwUZCND6y3W5nN3t3drc7c3ewgsw2QuwfhAQjpIomxSAQFAwmoFGQrhoVNP6DRGNQ+UONf6iJEgP7mB37nXPv7J3Z2Skm0Ow95/vu953zPX7nnO/cgQxXJykhhO70DhBaP8DqdXKA1skBXseeqNcNg9YPEIJvad0waV2L0Dq/8QbS6z+LSMEYY1LalHJOKePYcsYY50JQSoVwXCEFcu0fOTf6Y6X4tulDs+XSnkOE9CFVmpyuHNk/PFaqEloYK8X7p8tH7ihPx4PD1RJhWc4d458vEZ7LcC4lLEteRkSWvJzILLmNWFlyO7Gz5A7iZMkriJslryReltxJ/Cx5FcmdkZC10kjL+HwHU9vfV2hnXkryHZzLSKGDczkpdnC2kQ0dnO3kjA7ODvK+Ds4V5P0dnCvJmfmxUnxHqXToY6Oj1VJMPoCO3VYdS8izMGP7JxLqbKTuSKkPInV9nFAbi5raXxmfLCWsD+Fsn5we3V8ZTTib/LvGD5cGZ0dHS5UqOQcB8KlSPFxNXp9rJwyy2T44XC1NzpYJeFNxPFQdGS4PV0iQH5+qZeiQT8UxOc8yXLJlw+T0VDw2PVmqHBmqlA7NjpTIh/sODlcqpThOGefL0Rkc+ILc4enykaF4+uCRuFQlF/ZpcrQyPWkYF+U1Y2R68nClVK2SjxQ0fajU4lyca6lMVsfIR71kQCT6/ZSYnorJ1rM0lfg0tGolucTMMlaKp6bHqyVyuaPp4UOHyDbTrc4eJNvNaIkHO8wL9PgK8yLx/0ptYq000vJq54aUs+rYVcWU1/Jk1xkpK+Pebj9l4thX96VUMtk1LUZi1rUtebT+unNTKvV6eGQk6/mAXylFQ7NT46PTlUmi3JF4qFaqjI8eIYP2SDw0MjldI9dbk3p/YCRHmXfsqhsEUdIX5DriS6LmQD+Ffm7Rzwv186P6eal+btfPnfp5tW8RNXeS6OZnpvmlGaqoid8b3t9N845pjlHdHDfNU6b5gWl+qZsTpjlpmjd/a5o3jcg/jcgC9fvQZEXUib/SZV9Pe8Lx+wgQRWN1wom2UuI/TimrAwG+ygO6lbJQAMOGl0MJcl4dHS3Pq6MbyxOqODvfjYdaJKSoRULWTSLaTQkQoMDL4SkjOvUZiG78aDdl/guUOnVFA6bmaGDzAbAVu10MKBI4fAAcNcduEQPAQqpoFDCgq84EFtjgRIHkAyDB2SsGgGiOonEUCnTXKocUaMe0AQcBBBwthq4Bn0D7KRhCO+PgdE6O+j5IsNOurehsYGPXf4RRr66aJGCKBS4fAFfN0X3acI8PgJc1fKLDcAdc8KJA8AEQ4BnDPW0OxxDbQLSA5ljIkVFAgQOdR2de/gYtq7m5uWKkNs4at+bRZAsctHVivpvTKOChT552RICbdl1F48DFbofpqU2YdvWYXw4oMDjdyP7POHPq4m5FA44ZZXwAmHJMRikfAJqMnkFlIJCKMC+NYuACBWaCQ0GgqKuhxUw8ZIMIEvqNHH2r/V/jYdp4mAY5kCiekfXABb/xIoVc40nayNE8Idm/xvO08RxVxcZ3qBZ8CQWf6i3YuJ+GfuMh2vAFAQke+I0HDUGVEwVUB5aBaHURNwy7OhysdzisNBydgciGIYG3DXYnvO1sBBA9Dtga4FKvDg11HL+Hlf7rFvPq8m7EN1csyaLY19NsB6mJ1GypzZaJ2atQtrNeuMgRUeCBBd48eOuD2wUHhAG3ANEFgm0uyYxLcSbw6QrtCcSJBIj5bvHP4Kov64mVwPJBGiLMggJIKEChkXv5dkKyf4iiHCGEZf8az1K1EXG1Dug0IsMc5N6j8Rr3G7TmwYe+xkO053qyUOzdrZ/8u18/vVdLkrRWquAWMdDIPSbb/+mECNyiTrspsC7a786pror/n5MpMv334ynZcQz65yALud2w72/Sb+l8twPUv49SUU+QjQClOnaKakzi2uLA51VhVh3dOBMFeOoxxctRqNeoYkZGH+eJTCh3EQIchBIxSNVs8hnl1Cq7CNVMTYvaLsJwoijZLEprjcBJZD9hAddz0jgUaBLIfkLwQUOpnLiimptnTOkgEqOBm5lFrYIvMrP8y6JuHXehm/QSNlsStCaMQ65Y6ncgsBZRvEVLTYsWbWlatmhb01aLdjRtt2hXu8HiKPT0m7YIp8FTIlZH85Fa+q8oq001dARNE6cTrGDMPTiVhx4jndr11len4MGpk6CHugXW+uoM8Ix0e6g74KyvzjNpkv9vasKs2zJWc/lIrfyQldWHap1ZC7NOdIieJqFh1oEO1e65luXeuW4fJPSVXDfb7aJJtrP5bBdQLAZf8VoFpLLjJLuWWRY0TVc22x3qNEbpWgUcZcU6Pe3Z7RDnMTiK4bgiu9z8lzi11qw3s8KTtaBPv35CQq4KM7gpKSdSomYWdGYjwhzW2t/3BAyG3uonNLDBwj1EYMMDjo0IpB5cxBGSJHTUZjN3MVKyNTePQyud3TYuylqli6iVIBOvHbWu7w1ScYOKwVb2OqOIzO4lMPpdpWQqRbvPZfAKEiHAlbXOKHYqxWvtL7Pp+xTluCnzNKwcMxWIVrQdk0iOwTEhUAQEsFlFZybU0fxM+4BJSarHHs8OrdYMmizwdFi8PdD2DYXOAIsrQRZvaEoEQp8+qzNdb2airRsJbd2S1CteOWDA4dRR1H4stleD/n/wgqnNPUlMvcfjUABB+IpI1x2n3g1MhHYRgCsWG0SEAmgUOumGIKLQAldLm6JalEMPC9b2m66duWs7eMm2QWIjy7gDrblrr+VNmJucBLfrTVyA3a0Axpt0Nm6PJnVB6jPVjkUhw+OX9ROKhy92mCqaDldnx5WQqdeffv1pOYOJqSX9qCdoEDKKxaGsKT4DAqEbYXdiffh8vYtxWC90Ny5k6pXHv0wTk3Q3winTfsY6kVrH2qyzymidbazjEXZ7WHeW3txuMmgrXqprzOJlvr+bssx6wnW+CiKsPjU0sJPeBDNjvnvdh9bovkYZq7O7W1VwR83L8bIhcAAQ79Vlg+NlgwN/jy8bmTXpESDF84AUd/gWdrf4F1Oqa0jge5MkzvFypLHhxlHxwmxI1sq6sRFFneJFWdmf2zRXB668m8SA1hF7NeQE6uizRKiTrBwFliIBz6BSahyFdub4z9YQXvzM4NH8PYPf//NvyL2DcGywaX/xyUB/gFmtdcLssdtdw9Uaq9VQ9lzvrmEDfh8w5YnUS1Er+uD3Vgx9U3g4pr5w0rrR1fUdHjZJZaGsGJm1pHTAgxFrg9Wg6mI9EPr0XhtTS8f0TYyp3YqpRq5l9l65Tkj9+JnBufw9g29894J7BzcfG2wWdEQtvad0i2hXBVcrrAb01CbdW8HTCqtFZjaQXRV8rdAqNfFa3lshpxVWa9E85Hsr5LWC3bVE7qrQBzZw5eOlS0c5KUILUOipFxYQEhIc3M8LKSQkuAgBXTEhJJBGCHD80oVVkKs8Uy5K8BE8HlZFu4gECTllI7g0eCxN09ougl+k8gi7nHLxDS6TPiyY8wZ2rqZ5bRfxusPM9/8gad/adUxa65iut47TxWJjJemA3U8EWmL3Ex66OH3QWkbIJPigoW1up7apvuZEpLya+YSmdwU/rS2xxNYrpLuwn1aXySIT68olVabX8ep0iy4NgK8DoBddrn3R5RJgeP1EBhI8POpZjC0LLfQfuyK0lYcOF2aCPDKwjsHWCh1MLnad0FVuItOHDA9R4/UTNywgVIIi+AZ6yCT4oOEGE8fkejDnRMrXfvlmK/DSOFqIhg146ekq7KVxzHd5xdNy2MZU0HWHEGnK0g8M68glRXpfl1dJfV4wWyRbd4ikQi92vFoH2xea8oAC25tcrlwscovnAS/uyBb1oTn42gWLW04v0jbK1qQaMQhC/ITSVCMy0t9Oi9uy5t1sfkWiwIqXKKo/hxpVdeIoS9VponkJft/CF21j6IP+EYr3STOAwIJe361CCXzfDP5QAlYUunjrc8DF2i9dMPg9O7CQh7/KJB+NTh0iRzfuSRaAzj7G18zoJ8PbKDKTkbEzMsmvIHTCv9qEI6kmhL6I4FzJlalaCbJn3yCO0KQzz3xh8LpjT/qK8rrCH5D0kltdlPrrF35m0vsxWLrUw9FmqrjlZrN/nDGiHnB8tokSddzxjzGB/0MEJeQfS17jqyvvW3xdPig301fJnc0pdpH1AvkJv33p2sUX5TXstUWH1ulPl78nf7xwb/MTjQX+BjvAFhcepduaf1z4hXiA/b7xNn9r8TX5t5V3FgR7p3lyZbTx7EJt6V7ykvz28hPNf69cyydIddFt7lmurMzzTYsXN07S3y19i8ml55aepRezW/k5S2O8zxonT9Bb2XPkzOYfV7avnG/NWl7T418Sk823l38ln2gMiVcX7mPHlz9Lv0n30EPN55uX8T3i0+wg+4hcWrx5cY6qpc81fyJeWXxk+Q3y2aX7F4aWrEW2tJFvXHx6+WvLf6Jfaf565S/8z/zHfN/if+RnLBIWq9OzlZHSbcOHD49Pjd358X3FrZdMHDlYqmy9a7g6uXVy+PD/ADWXD1qaIgAA';

package/dist/kyber/embedded.d.ts

@@ -1 +0,0 @@
-export { WASM_GZ_BASE64 as kyberWasm } from '../embedded/kyber.js';