leviathan-crypto 2.1.0 → 3.0.0

package/dist/fortuna.js

@@ -21,7 +21,7 @@
 //
 // src/ts/fortuna.ts
 //
-// Fortuna CSPRNG — Ferguson & Schneier, Practical Cryptography (2003), Chapter 9.
+// Fortuna CSPRNG, Ferguson & Schneier, Practical Cryptography (2003), Chapter 9.
 // Backed by a pluggable Generator (cipher PRF) and HashFn (accumulator hash).
 // Requires init() for the modules used by the chosen generator and hash pair.
 import { isInitialized, getInstance } from './init.js';
@@ -29,17 +29,17 @@ import { wipe, utf8ToBytes, concat } from './utils.js';
 const isBrowser = typeof window !== 'undefined';
 const isNode = typeof process !== 'undefined' && typeof process.pid === 'number';
 /**
- * Fortuna CSPRNG — spec §9.3–§9.5
+ * Fortuna CSPRNG, spec §9.3-§9.5
  *
  * Use `Fortuna.create({ generator, hash })` to instantiate. Direct construction is not allowed.
  */
 export class Fortuna {
     // ── Constants ──────────────────────────────────────────────────────────
     static NUM_POOLS = 32;
-    static RESEED_LIMIT = 64; // bits — pool 0 threshold (spec §9.5)
-    static MS_PER_RESEED = 100; // ms — minimum reseed interval (spec §9.5)
-    static NODE_STATS_INTERVAL = 1000; // ms — OS stats collector interval
-    static CRYPTO_INTERVAL = 3000; // ms — crypto.randomBytes interval
+    static RESEED_LIMIT = 64; // bits, pool 0 threshold (spec §9.5)
+    static MS_PER_RESEED = 100; // ms, minimum reseed interval (spec §9.5)
+    static NODE_STATS_INTERVAL = 1000; // ms, OS stats collector interval
+    static CRYPTO_INTERVAL = 3000; // ms, crypto.randomBytes interval
     // ── State ─────────────────────────────────────────────────────────────
     gen;
     hash;
@@ -74,7 +74,7 @@ export class Fortuna {
         }
         const f = new Fortuna(opts.generator, opts.hash, opts.msPerReseed ?? Fortuna.MS_PER_RESEED);
         f.initialize(opts.entropy);
-        // Force the first reseed — pool[0] is saturated by initialize(),
+        // Force the first reseed, pool[0] is saturated by initialize(),
         // so this call triggers an immediate reseed and guarantees get() never
         // returns undefined. The byte is discarded.
         f.get(1);
@@ -101,14 +101,14 @@ export class Fortuna {
         }
     }
     // ── Public API ────────────────────────────────────────────────────────
-    /** Get n random bytes. Always returns Uint8Array — instance is guaranteed seeded after create(). */
+    /** Get n random bytes. Always returns Uint8Array, instance is guaranteed seeded after create(). */
     get(length) {
         if (this.disposed)
             throw new Error('Fortuna instance has been disposed');
-        // Capture hrtime jitter at call time (Node.js) — spec §9.5
+        // Capture hrtime jitter at call time (Node.js), spec §9.5
         if (isNode)
             this.captureHrtime();
-        // Check reseed trigger — spec §9.5
+        // Check reseed trigger, spec §9.5
         if (this.poolEntropy[0] >= Fortuna.RESEED_LIMIT &&
             Date.now() >= this.lastReseed + this.msPerReseed) {
             this.reseedCnt = (this.reseedCnt + 1) >>> 0; // u32 wrap
@@ -121,7 +121,7 @@ export class Fortuna {
                     // Pool digest = current chain hash
                     seed = concat(seed, this.poolHash[i]);
                     strength += this.poolEntropy[i];
-                    // Reset pool — wipe old chain hash before dropping the reference.
+                    // Reset pool, wipe old chain hash before dropping the reference.
                     const old = this.poolHash[i];
                     this.poolHash[i] = new Uint8Array(this.hash.outputSize);
                     wipe(old);
@@ -152,21 +152,17 @@ export class Fortuna {
     stop() {
         if (this.disposed)
             throw new Error('Fortuna instance has been disposed');
-        // Mark disposed FIRST. WASM wipeBuffers can throw if a stateful instance
-        // holds the module; we must not allow get()/addEntropy()/getEntropy() to
-        // run on a partially-disposed instance.
+        // Mark disposed first so partially-disposed reentry throws cleanly.
         this.disposed = true;
         this.stopCollectors();
         wipe(this.genKey);
         wipe(this.genCnt);
-        // Wipe all 32 pool-hash chain values so residual entropy-bearing
+        // Wipe the 32 pool-hash chain values so residual entropy-bearing
         // bytes do not outlive the instance.
         for (const p of this.poolHash)
             wipe(p);
         this.reseedCnt = 0;
-        // Best-effort wipe of WASM scratch buffers for every module the chosen
-        // generator and hash touched. Surface the first error so the caller
-        // knows the WASM scratch leak occurred.
+        // Best-effort wipe of WASM scratch; surface the first error.
         const required = new Set([...this.gen.wasmModules, ...this.hash.wasmModules]);
         let err;
         for (const mod of required) {
@@ -181,24 +177,24 @@ export class Fortuna {
             throw err;
     }
     // ── Test-only accessors ───────────────────────────────────────────────
-    /** @internal — exposed for testing key replacement */
+    /** @internal, exposed for testing key replacement */
     _getGenKey() {
         return this.genKey;
     }
-    /** @internal — exposed for testing pool state */
+    /** @internal, exposed for testing pool state */
     _getPoolEntropy() {
         return this.poolEntropy;
     }
-    /** @internal — exposed for testing reseed count */
+    /** @internal, exposed for testing reseed count */
     _getReseedCnt() {
         return this.reseedCnt;
     }
-    /** @internal — exposed for testing pool-hash backing arrays */
+    /** @internal, exposed for testing pool-hash backing arrays */
     _getPoolHash() {
         return this.poolHash;
     }
     /**
-     * @internal — test-only deterministic factory. Seeds pool[0] with the provided
+     * @internal, test-only deterministic factory. Seeds pool[0] with the provided
      * entropy and triggers one reseed directly, bypassing all OS entropy collection
      * and the hrtime jitter capture in get(). This makes KAT vectors reproducible
      * across runs. Not suitable for production use.
@@ -219,20 +215,20 @@ export class Fortuna {
         const f = new Fortuna(opts.generator, opts.hash, 0);
         // Seed pool[0] with the provided entropy, no OS collection.
         f.addRandomEvent(opts.entropy, 0, opts.entropy.length * 8);
-        // Manually trigger reseed #1 without calling get() — get() calls captureHrtime()
+        // Manually trigger reseed #1 without calling get(), get() calls captureHrtime()
         // in Node.js which adds non-deterministic data before the reseed fires.
         f.reseedFromPool0();
         return f;
     }
     // ── Generator (spec §9.4) ─────────────────────────────────────────────
-    /** Get length pseudo-random bytes. — spec §9.4 */
+    /** Get length pseudo-random bytes., spec §9.4 */
     pseudoRandomData(length) {
         const blocks = Math.ceil(length / this.gen.blockSize);
         const out = this.gen.generate(this.genKey, this.genCnt, length);
-        // External counter advance — generator is stateless and does not mutate caller's counter
+        // External counter advance, generator is stateless and does not mutate caller's counter
         for (let i = 0; i < blocks; i++)
             this.incrementCounter();
-        // Key replacement — mandatory forward secrecy (spec §9.4).
+        // Key replacement, mandatory forward secrecy (spec §9.4).
         // Wipe the prior key BEFORE dropping its reference so no key bytes are
         // reachable after key replacement; anyone holding a Uint8Array view to
         // the old key now observes zero.
@@ -243,7 +239,7 @@ export class Fortuna {
         this.genKey = newKey;
         return out;
     }
-    /** Reseed the generator — spec §9.4 */
+    /** Reseed the generator, spec §9.4 */
     reseed(seed) {
         // genKey = hash(genKey ‖ seed). Wipe both the hash input and the
         // prior key before dropping references.
@@ -252,7 +248,7 @@ export class Fortuna {
         wipe(combined);
         wipe(this.genKey);
         this.genKey = newKey;
-        // Increment counter — makes it nonzero on first reseed, marking generator as seeded
+        // Increment counter, makes it nonzero on first reseed, marking generator as seeded
         this.incrementCounter();
         this.lastReseed = Date.now();
     }
@@ -271,7 +267,7 @@ export class Fortuna {
         this.reseed(seed);
         wipe(seed);
     }
-    /** Increment little-endian counter. — spec §9.4 */
+    /** Increment little-endian counter., spec §9.4 */
     incrementCounter() {
         for (let i = 0; i < this.genCnt.length; i++) {
             if (++this.genCnt[i] !== 0)
@@ -300,7 +296,7 @@ export class Fortuna {
     }
     // ── Initialization ────────────────────────────────────────────────────
     initialize(entropy) {
-        // Initial seeding — crypto random per pool (spec §9.5)
+        // Initial seeding, crypto random per pool (spec §9.5)
         for (let i = 0; i < Fortuna.NUM_POOLS * 4; i++) {
             this.collectorCryptoRandom();
         }
@@ -319,7 +315,7 @@ export class Fortuna {
         // runtimes). This post-init check covers all silent-failure paths uniformly.
         if (this.poolEntropy[0] < Fortuna.RESEED_LIMIT)
             throw new Error('leviathan-crypto: Fortuna initialization could not gather sufficient entropy. '
-                + 'No working crypto.getRandomValues or node:crypto in this environment.');
+                + 'No working crypto.getRandomValues in this environment.');
         this.startCollectors();
     }
     // ── Collectors ────────────────────────────────────────────────────────
@@ -349,7 +345,7 @@ export class Fortuna {
             // OS stats timer
             this.timers.push(setInterval(() => this.collectNodeStats(), Fortuna.NODE_STATS_INTERVAL));
         }
-        // Crypto timer — both environments
+        // Crypto timer, both environments
         this.timers.push(setInterval(() => this.collectorCryptoRandom(), Fortuna.CRYPTO_INTERVAL));
         this.active = true;
     }
@@ -458,19 +454,12 @@ export class Fortuna {
     }
     collectorCryptoRandom() {
         try {
+            // Web Crypto is the only secure source. No node:crypto fallback: an absent
+            // source must fail loud via the init invariant below, never be polyfilled.
+            if (typeof globalThis.crypto === 'undefined' || typeof globalThis.crypto.getRandomValues !== 'function')
+                return;
             const rnd = new Uint8Array(128);
-            if (typeof globalThis.crypto !== 'undefined' && typeof globalThis.crypto.getRandomValues === 'function') {
-                globalThis.crypto.getRandomValues(rnd);
-            }
-            else if (isNode) {
-                // eslint-disable-next-line @typescript-eslint/no-require-imports
-                const nodeCrypto = require('node:crypto');
-                const buf = nodeCrypto.randomBytes(128);
-                rnd.set(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength));
-            }
-            else {
-                return; // no crypto source available
-            }
+            globalThis.crypto.getRandomValues(rnd);
             this.addRandomEvent(rnd, this.robin.rnd, 1024);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
         }
@@ -489,14 +478,14 @@ export class Fortuna {
     }
     collectNodeStats() {
         try {
-            // hrtime — nanosecond scheduling jitter
+            // hrtime, nanosecond scheduling jitter
             const hr = process.hrtime.bigint();
             const hrBytes = new Uint8Array(8);
             for (let i = 0; i < 8; i++)
                 hrBytes[i] = Number((hr >> BigInt(i * 8)) & 0xffn);
             this.addRandomEvent(hrBytes, this.robin.time, 8);
             this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
-            // cpuUsage — user + system CPU microseconds
+            // cpuUsage, user + system CPU microseconds
             const cpu = process.cpuUsage();
             const cpuBytes = new Uint8Array(8);
             cpuBytes[0] = cpu.user & 0xff;
@@ -509,7 +498,7 @@ export class Fortuna {
             cpuBytes[7] = (cpu.system >>> 24) & 0xff;
             this.addRandomEvent(cpuBytes, this.robin.rnd, 2);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
-            // memoryUsage — heapUsed changes constantly
+            // memoryUsage, heapUsed changes constantly
             const mem = process.memoryUsage();
             const memVal = mem.heapUsed;
             const memBytes = new Uint8Array(4);
@@ -519,22 +508,6 @@ export class Fortuna {
             memBytes[3] = (memVal >>> 24) & 0xff;
             this.addRandomEvent(memBytes, this.robin.rnd, 1);
             this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
-            // loadavg — slow-changing but real system state
-            // eslint-disable-next-line @typescript-eslint/no-require-imports
-            const os = require('node:os');
-            const la = os.loadavg();
-            const laStr = la.map((n) => Math.round(n * 1000).toString()).join('');
-            this.addRandomEvent(utf8ToBytes(laStr), this.robin.time, 1);
-            this.robin.time = (this.robin.time + 1) % Fortuna.NUM_POOLS;
-            // freemem — changes with allocation activity
-            const fm = os.freemem();
-            const fmBytes = new Uint8Array(4);
-            fmBytes[0] = fm & 0xff;
-            fmBytes[1] = (fm >>> 8) & 0xff;
-            fmBytes[2] = (fm >>> 16) & 0xff;
-            fmBytes[3] = (fm >>> 24) & 0xff;
-            this.addRandomEvent(fmBytes, this.robin.rnd, 1);
-            this.robin.rnd = (this.robin.rnd + 1) % Fortuna.NUM_POOLS;
         }
         catch { /* Node APIs may not be available */ }
     }

package/dist/index.d.ts

@@ -1,5 +1,11 @@
 import type { Module } from './init.js';
 import type { WasmSource } from './wasm-source.js';
+/**
+ * Top-level init() input. Accepts the canonical module keys plus the
+ * `ed25519` and `x25519` aliases; both aliases resolve to the underlying
+ * `curve25519` WASM module and are de-duped if given identical sources.
+ */
+export type InitInput = Partial<Record<Module | 'ed25519' | 'x25519', WasmSource>>;
 /**
  * Load one or more WASM modules. Each key is a module name; the value is the
  * WasmSource to load it from (embedded blob, URL, ArrayBuffer, etc.).
@@ -10,22 +16,45 @@ import type { WasmSource } from './wasm-source.js';
  * import { sha2Wasm }    from 'leviathan-crypto/sha2/embedded';
  * await init({ serpent: serpentWasm, sha2: sha2Wasm });
  * ```
+ *
+ * `ed25519` and `x25519` are aliases for the underlying `curve25519`
+ * module. `init({ ed25519: src })` and `init({ x25519: src })` both work,
+ * and `init({ ed25519: src, x25519: src })` is accepted (single underlying
+ * init). Two different sources for the same underlying module is rejected.
  */
-export declare function init(sources: Partial<Record<Module, WasmSource>>): Promise<void>;
+export declare function init(sources: InitInput): Promise<void>;
 export type { Module, WasmSource };
 export { isInitialized } from './init.js';
-export { AuthenticationError } from './errors.js';
-export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator, _serpentReady } from './serpent/index.js';
-export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator, _chachaReady } from './chacha20/index.js';
-export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash, _sha2Ready } from './sha2/index.js';
-export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, SHA3_256Hash, _sha3Ready } from './sha3/index.js';
+export { AuthenticationError, SigningError, KeyAgreementError, MerkleCodecError, MerkleLogError } from './errors.js';
+export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator } from './chacha20/index.js';
+export { sha2Init, SHA256, SHA224, SHA384, SHA512, SHA512_224, SHA512_256, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHA3_256Stream, SHA3_512Stream, SHAKE128, SHAKE256, SHAKE128Stream, SHAKE256Stream, SHA3_256Hash, CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from './sha3/index.js';
 export { keccakInit } from './keccak/index.js';
-export { kyberInit, MlKem512, MlKem768, MlKem1024, MlKemBase, KyberSuite, _kyberReady } from './kyber/index.js';
-export type { KyberKeyPair, KyberEncapsulation, KyberParams } from './kyber/index.js';
+export { mlkemInit, MlKem512, MlKem768, MlKem1024, MlKemBase, MlKemSuite } from './mlkem/index.js';
+export { aesInit, AES, AESCbc, AESCtr, AESGCM, AESGCMSIV, AESGenerator, AESGCMSIVCipher } from './aes/index.js';
+export { mldsaInit, MlDsa44, MlDsa65, MlDsa87, MlDsaBase, MLDSA44, MLDSA65, MLDSA87 } from './mldsa/index.js';
+export { slhdsaInit, SlhDsaBase, SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from './slhdsa/index.js';
+export { blake3Init, BLAKE3, BLAKE3KeyedHash, BLAKE3DeriveKey, BLAKE3Stream, BLAKE3KeyedHashStream, BLAKE3DeriveKeyStream, BLAKE3OutputReader, BLAKE3Hash, } from './blake3/index.js';
+export { ecdsaP256Init, EcdsaP256, pointDecompress, encodeEcPrivateKey, decodeEcPrivateKey, } from './ecdsa/index.js';
+export type { EcdsaP256KeyPair } from './ecdsa/index.js';
+export { ecdsaSignatureToDer, ecdsaSignatureFromDer } from './ecdsa/der.js';
+export { ed25519Init, Ed25519 } from './ed25519/index.js';
+export type { Ed25519KeyPair } from './ed25519/index.js';
+export { x25519Init, X25519 } from './x25519/index.js';
+export type { X25519KeyPair } from './x25519/index.js';
+export type { MlKemKeyPair, MlKemEncapsulation, MlKemParams } from './mlkem/index.js';
+export type { MlDsaKeyPair, MlDsaParams, PreHashAlgorithm } from './mldsa/index.js';
+export type { SlhDsaKeyPair, SlhDsaParams } from './slhdsa/index.js';
 export { SealStream, OpenStream, Seal, SealStreamPool, FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX } from './stream/index.js';
 export type { CipherSuite, DerivedKeys, SealStreamOpts, PoolOpts } from './stream/index.js';
+export { MemoryStorage, Sha256Hasher, Sha256Tree, Blake3Hasher, Blake3Tree, splitPoint, verifyInclusionProof, verifyConsistencyProof, buildInclusionProof, buildConsistencyProof, serializeCheckpointBody, parseCheckpointBody, emitSignedNote, parseSignedNote, deriveKeyId, suiteFormatEnumToAlgoByte, lookupAlgoEntryByFormatEnum, lookupAlgoEntryByByte, buildCosigSignedMessage, buildCosignedMessage, emitCosigSignaturePayload, parseCosigSignaturePayload, ALGO_BYTE_ED25519_NOTE, ALGO_BYTE_ED25519_COSIG, ALGO_BYTE_MLDSA44_COSIG, SignedLog, MerkleVerifier, MerkleLog, } from './merkle/index.js';
+export type { Hasher, MerkleTree, MerkleStorage, VerifyInclusionInput, VerifyConsistencyInput, BuildInclusionInput, BuildConsistencyInput, GetNode, Checkpoint, SignatureLine, SignedNote, SignedTreeHead, AlgoEntry, MessageConstruction, SignaturePayload, CosignedMessageInput, SignedLogOpts, MerkleVerifierOpts, MerkleLogCreateOpts, MerkleLogGenerateOpts, } from './merkle/index.js';
+export { Sign, SignStream, VerifyStream } from './sign/index.js';
+export type { SignatureSuite, StreamableSignatureSuite, PrehashAlgorithm, } from './sign/index.js';
+export { Ed25519Suite, Ed25519PreHashSuite, EcdsaP256Suite, MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './sign/index.js';
 export { Fortuna } from './fortuna.js';
 export type { Hash, KeyedHash, Blockcipher, Streamcipher, AEAD, Generator, HashFn } from './types.js';
 export { KDFChain, ratchetInit, kemRatchetEncap, kemRatchetDecap, ratchetReady, SkippedKeyStore, RatchetKeypair, } from './ratchet/index.js';
 export type { RatchetInitResult, KemEncapResult, KemDecapResult, MlKemLike, RatchetMessageHeader, ResolveHandle, SkippedKeyStoreOpts, } from './ratchet/index.js';
-export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CT_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CTE_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';

package/dist/index.js

@@ -19,21 +19,35 @@
 //   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
 //                           ▀█████▀▀
 //
-// Root barrel — re-exports everything
+// Root barrel, re-exports everything
 import { serpentInit } from './serpent/index.js';
 import { chacha20Init } from './chacha20/index.js';
 import { sha2Init } from './sha2/index.js';
 import { sha3Init } from './sha3/index.js';
 import { keccakInit } from './keccak/index.js';
-import { kyberInit } from './kyber/index.js';
+import { mlkemInit } from './mlkem/index.js';
+import { aesInit } from './aes/index.js';
+import { mldsaInit } from './mldsa/index.js';
+import { slhdsaInit } from './slhdsa/index.js';
+import { blake3Init } from './blake3/index.js';
+import { ecdsaP256Init } from './ecdsa/index.js';
+import { initModule } from './init.js';
 import { hasSIMD } from './utils.js';
+// curve25519 backs ed25519 + x25519. Public surface is the
+// per-primitive alias; 'curve25519' key accepted for Module symmetry.
 const _dispatchers = {
     serpent: serpentInit,
     chacha20: chacha20Init,
     sha2: sha2Init,
     sha3: sha3Init,
     keccak: keccakInit,
-    kyber: kyberInit,
+    mlkem: mlkemInit,
+    aes: aesInit,
+    mldsa: mldsaInit,
+    slhdsa: slhdsaInit,
+    blake3: blake3Init,
+    curve25519: (source) => initModule('curve25519', source),
+    p256: ecdsaP256Init,
 };
 /**
  * Load one or more WASM modules. Each key is a module name; the value is the
@@ -45,30 +59,60 @@ const _dispatchers = {
  * import { sha2Wasm }    from 'leviathan-crypto/sha2/embedded';
  * await init({ serpent: serpentWasm, sha2: sha2Wasm });
  * ```
+ *
+ * `ed25519` and `x25519` are aliases for the underlying `curve25519`
+ * module. `init({ ed25519: src })` and `init({ x25519: src })` both work,
+ * and `init({ ed25519: src, x25519: src })` is accepted (single underlying
+ * init). Two different sources for the same underlying module is rejected.
  */
 export async function init(sources) {
     const entries = Object.entries(sources);
-    // SIMD preflight — serpent, chacha20, and kyber modules contain SIMD instructions
-    if (('serpent' in sources || 'chacha20' in sources || 'kyber' in sources) && !hasSIMD())
-        throw new Error('leviathan-crypto: serpent, chacha20, and kyber require WebAssembly SIMD — '
-            + 'this runtime does not support it');
-    for (const [mod, src] of entries) {
-        if (!Object.hasOwn(_dispatchers, mod))
-            throw new Error(`leviathan-crypto: unknown module "${mod}" — expected one of: ${Object.keys(_dispatchers).join(', ')}`);
+    const resolved = new Map();
+    for (const [key, src] of entries) {
         if (src == null)
-            throw new TypeError(`leviathan-crypto: source for "${mod}" is null or undefined`);
+            throw new TypeError(`leviathan-crypto: source for "${key}" is null or undefined`);
+        const target = (key === 'ed25519' || key === 'x25519') ? 'curve25519' : key;
+        if (!Object.hasOwn(_dispatchers, target))
+            throw new Error(`leviathan-crypto: unknown module "${key}", expected one of: `
+                + `${Object.keys(_dispatchers).join(', ')}, ed25519, x25519`);
+        const prior = resolved.get(target);
+        if (prior !== undefined) {
+            if (prior !== src)
+                throw new Error('leviathan-crypto: init() called with different sources for "ed25519" and "x25519" '
+                    + '(both alias to curve25519, sources must be identical)');
+            continue;
+        }
+        resolved.set(target, src);
     }
-    await Promise.all(entries.map(([mod, src]) => _dispatchers[mod](src)));
+    // SIMD preflight for modules that contain v128 instructions
+    // (see scripts/lib/modules.ts).
+    if ((resolved.has('serpent') || resolved.has('chacha20') || resolved.has('mlkem')
+        || resolved.has('aes') || resolved.has('mldsa') || resolved.has('blake3'))
+        && !hasSIMD())
+        throw new Error('leviathan-crypto: serpent, chacha20, mlkem, aes, mldsa, and blake3 require WebAssembly SIMD, '
+            + 'this runtime does not support it');
+    await Promise.all(Array.from(resolved.entries()).map(([mod, src]) => _dispatchers[mod](src)));
 }
 export { isInitialized } from './init.js';
-export { AuthenticationError } from './errors.js';
-export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator, _serpentReady } from './serpent/index.js';
-export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator, _chachaReady } from './chacha20/index.js';
-export { sha2Init, SHA256, SHA512, SHA384, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash, _sha2Ready } from './sha2/index.js';
-export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, SHA3_256Hash, _sha3Ready } from './sha3/index.js';
+export { AuthenticationError, SigningError, KeyAgreementError, MerkleCodecError, MerkleLogError } from './errors.js';
+export { serpentInit, Serpent, SerpentCtr, SerpentCbc, SerpentCipher, SerpentGenerator } from './serpent/index.js';
+export { chacha20Init, ChaCha20, Poly1305, ChaCha20Poly1305, XChaCha20Poly1305, XChaCha20Cipher, ChaCha20Generator } from './chacha20/index.js';
+export { sha2Init, SHA256, SHA224, SHA384, SHA512, SHA512_224, SHA512_256, HMAC_SHA256, HMAC_SHA512, HMAC_SHA384, HKDF_SHA256, HKDF_SHA512, SHA256Hash } from './sha2/index.js';
+export { sha3Init, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHA3_256Stream, SHA3_512Stream, SHAKE128, SHAKE256, SHAKE128Stream, SHAKE256Stream, SHA3_256Hash, CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from './sha3/index.js';
 export { keccakInit } from './keccak/index.js';
-export { kyberInit, MlKem512, MlKem768, MlKem1024, MlKemBase, KyberSuite, _kyberReady } from './kyber/index.js';
+export { mlkemInit, MlKem512, MlKem768, MlKem1024, MlKemBase, MlKemSuite } from './mlkem/index.js';
+export { aesInit, AES, AESCbc, AESCtr, AESGCM, AESGCMSIV, AESGenerator, AESGCMSIVCipher } from './aes/index.js';
+export { mldsaInit, MlDsa44, MlDsa65, MlDsa87, MlDsaBase, MLDSA44, MLDSA65, MLDSA87 } from './mldsa/index.js';
+export { slhdsaInit, SlhDsaBase, SlhDsa128f, SlhDsa192f, SlhDsa256f, SLHDSA128F, SLHDSA192F, SLHDSA256F, } from './slhdsa/index.js';
+export { blake3Init, BLAKE3, BLAKE3KeyedHash, BLAKE3DeriveKey, BLAKE3Stream, BLAKE3KeyedHashStream, BLAKE3DeriveKeyStream, BLAKE3OutputReader, BLAKE3Hash, } from './blake3/index.js';
+export { ecdsaP256Init, EcdsaP256, pointDecompress, encodeEcPrivateKey, decodeEcPrivateKey, } from './ecdsa/index.js';
+export { ecdsaSignatureToDer, ecdsaSignatureFromDer } from './ecdsa/der.js';
+export { ed25519Init, Ed25519 } from './ed25519/index.js';
+export { x25519Init, X25519 } from './x25519/index.js';
 export { SealStream, OpenStream, Seal, SealStreamPool, FLAG_FRAMED, TAG_DATA, TAG_FINAL, HEADER_SIZE, CHUNK_MIN, CHUNK_MAX } from './stream/index.js';
+export { MemoryStorage, Sha256Hasher, Sha256Tree, Blake3Hasher, Blake3Tree, splitPoint, verifyInclusionProof, verifyConsistencyProof, buildInclusionProof, buildConsistencyProof, serializeCheckpointBody, parseCheckpointBody, emitSignedNote, parseSignedNote, deriveKeyId, suiteFormatEnumToAlgoByte, lookupAlgoEntryByFormatEnum, lookupAlgoEntryByByte, buildCosigSignedMessage, buildCosignedMessage, emitCosigSignaturePayload, parseCosigSignaturePayload, ALGO_BYTE_ED25519_NOTE, ALGO_BYTE_ED25519_COSIG, ALGO_BYTE_MLDSA44_COSIG, SignedLog, MerkleVerifier, MerkleLog, } from './merkle/index.js';
+export { Sign, SignStream, VerifyStream } from './sign/index.js';
+export { Ed25519Suite, Ed25519PreHashSuite, EcdsaP256Suite, MlDsa44Suite, MlDsa65Suite, MlDsa87Suite, MlDsa44PreHashSuite, MlDsa65PreHashSuite, MlDsa87PreHashSuite, SlhDsa128fSuite, SlhDsa192fSuite, SlhDsa256fSuite, SlhDsa128fPreHashSuite, SlhDsa192fPreHashSuite, SlhDsa256fPreHashSuite, MlDsa44SlhDsa128fSuite, MlDsa65SlhDsa192fSuite, MlDsa87SlhDsa256fSuite, MlDsa44Ed25519Suite, MlDsa65Ed25519Suite, MlDsa44EcdsaP256Suite, MlDsa65EcdsaP256Suite, } from './sign/index.js';
 export { Fortuna } from './fortuna.js';
 export { KDFChain, ratchetInit, kemRatchetEncap, kemRatchetDecap, ratchetReady, SkippedKeyStore, RatchetKeypair, } from './ratchet/index.js';
-export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CT_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';
+export { hexToBytes, bytesToHex, utf8ToBytes, bytesToUtf8, base64ToBytes, bytesToBase64, constantTimeEqual, CTE_MAX_BYTES, wipe, xor, concat, randomBytes, hasSIMD, } from './utils.js';

package/dist/init.d.ts

@@ -1,5 +1,5 @@
 import type { WasmSource } from './wasm-source.js';
-export type Module = 'serpent' | 'chacha20' | 'sha2' | 'sha3' | 'keccak' | 'kyber';
+export type Module = 'serpent' | 'chacha20' | 'sha2' | 'sha3' | 'keccak' | 'mlkem' | 'aes' | 'mldsa' | 'slhdsa' | 'blake3' | 'curve25519' | 'p256';
 export declare function initModule(mod: Module, source: WasmSource): Promise<void>;
 export declare function getInstance(mod: Module): WebAssembly.Instance;
 export declare function isInitialized(mod: Module): boolean;

package/dist/init.js

@@ -1,17 +1,15 @@
 import { loadWasm } from './loader.js';
 import { hasSIMD } from './utils.js';
-// 'keccak' is an alias for 'sha3' — same WASM binary, same instance slot
+// 'keccak' is an alias for 'sha3', same WASM binary, same instance slot
 const ALIASES = { keccak: 'sha3' };
 function resolve(mod) {
     return ALIASES[mod] ?? mod;
 }
-// Module-scope cache: one WebAssembly.Instance per canonical module
+// Per-canonical-module instance cache.
 const instances = new Map();
-// Pending inits — coalesces concurrent initModule calls for the same module.
+// Coalesces concurrent initModule calls.
 const pending = new Map();
-// Exclusivity registry: per-module ownership token held by a stateful wrapper
-// for its entire lifetime. Prevents shared-WASM-state clobber when two
-// instances from the same module would otherwise trample each other's memory.
+// Per-module exclusivity token held by a stateful wrapper.
 const owners = new Map();
 export async function initModule(mod, source) {
     const resolved = resolve(mod);
@@ -22,8 +20,8 @@ export async function initModule(mod, source) {
         await inflight;
         return;
     }
-    if ((resolved === 'serpent' || resolved === 'chacha20' || resolved === 'kyber') && !hasSIMD())
-        throw new Error('leviathan-crypto: serpent, chacha20, and kyber require WebAssembly SIMD — '
+    if ((resolved === 'serpent' || resolved === 'chacha20' || resolved === 'mlkem' || resolved === 'aes' || resolved === 'mldsa' || resolved === 'blake3') && !hasSIMD())
+        throw new Error('leviathan-crypto: serpent, chacha20, mlkem, aes, mldsa, and blake3 require WebAssembly SIMD, '
             + 'this runtime does not support it');
     const p = loadWasm(source);
     pending.set(resolved, p);
@@ -41,7 +39,7 @@ export function getInstance(mod) {
         throw new Error(`leviathan-crypto: call init({ ${mod}: ... }) before using this class`);
     }
     if (owners.has(r)) {
-        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module — `
+        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module, `
             + 'call dispose() on it before constructing a new one');
     }
     return inst;
@@ -57,7 +55,7 @@ export function isInitialized(mod) {
 export function _acquireModule(mod) {
     const r = resolve(mod);
     if (owners.has(r))
-        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module — `
+        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module, `
             + 'call dispose() on it before constructing a new one');
     const tok = Symbol(r);
     owners.set(r, tok);
@@ -80,27 +78,15 @@ export function _releaseModule(mod, tok) {
 export function _isModuleBusy(mod) {
     return owners.has(resolve(mod));
 }
-/**
- * Throw if `mod` is currently held by a stateful instance. Called at the top
- * of every atomic WASM-touching method so that cached-exports access paths
- * cannot silently clobber a live stateful instance's WASM state.
- *
- * The error message is intentionally identical to `_acquireModule`'s so that
- * error handlers matching on text work uniformly across construction-time and
- * method-time ownership failures.
- * @internal
- */
+/** @internal */
 export function _assertNotOwned(mod) {
-    // Deliberately unoptimized. Do not add caching or epoch tracking: the
-    // check must read current ownership on every call so an atomic op cannot
-    // race ahead of a stateful acquirer.
     const r = resolve(mod);
     if (owners.has(r))
-        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module — `
+        throw new Error(`leviathan-crypto: another stateful instance is using the '${r}' WASM module, `
             + 'call dispose() on it before constructing a new one');
 }
 /**
- * Reset all cached instances — for testing only. Clears `instances`, `pending`,
+ * Reset all cached instances, for testing only. Clears `instances`, `pending`,
  * and `owners` so tests can re-exercise module lifecycle (init, exclusivity,
  * race) from a known-empty state.
  * @internal

package/dist/keccak/embedded.js

@@ -22,6 +22,6 @@
 // src/ts/keccak/embedded.ts
 //
 // Re-exports the sha3 WASM blob under the keccak name.
-// The keccak alias shares the sha3 binary — no separate keccak.wasm exists.
+// The keccak alias shares the sha3 binary, no separate keccak.wasm exists.
 // Import via `leviathan-crypto/keccak/embedded`.
 export { WASM_GZ_BASE64 as keccakWasm } from '../embedded/sha3.js';

package/dist/keccak/index.d.ts

@@ -1,4 +1,6 @@
 import type { WasmSource } from '../wasm-source.js';
 export declare function keccakInit(source: WasmSource): Promise<void>;
 export type { WasmSource };
+export { isInitialized } from '../init.js';
 export { SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256 } from '../sha3/index.js';
+export { CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from '../sha3/index.js';

package/dist/keccak/index.js

@@ -21,11 +21,13 @@
 //
 // src/ts/keccak/index.ts
 //
-// Keccak alias subpath — resolves to the sha3 WASM module slot.
-// Consumers who prefer the Keccak name (e.g. Kyber/ML-KEM implementations)
+// Keccak alias subpath, resolves to the sha3 WASM module slot.
+// Consumers who prefer the Keccak name (e.g. ML-KEM implementations)
 // can import from `leviathan-crypto/keccak` instead of `leviathan-crypto/sha3`.
 import { initModule } from '../init.js';
 export async function keccakInit(source) {
     return initModule('keccak', source);
 }
+export { isInitialized } from '../init.js';
 export { SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256 } from '../sha3/index.js';
+export { CSHAKE128, CSHAKE256, KMAC128, KMAC256, KMACXOF128, KMACXOF256 } from '../sha3/index.js';

package/dist/loader.d.ts

@@ -1,24 +1 @@
-import type { WasmSource } from './wasm-source.js';
-/**
- * Decode a gzip+base64 embedded WASM string to raw bytes.
- * Guards against missing DecompressionStream (Node <18, non-browser runtimes).
- * Exported for pool worker launchers that decode blobs before spawning threads.
- */
-export declare function decodeWasm(b64: string): Promise<Uint8Array>;
-/**
- * Compile a WASM source to a Module without instantiating.
- * Used by pool infrastructure to send compiled modules to workers.
- *
- * Thenable sources (Promise<Response>, Promise<ArrayBuffer>, etc.) are
- * resolved and then re-dispatched by the runtime type of the resolved value.
- * Depth is capped at `MAX_THENABLE_DEPTH` to prevent runaway recursion.
- */
-export declare function compileWasm(source: WasmSource, _depth?: number): Promise<WebAssembly.Module>;
-/**
- * Load a WASM module from any accepted source type.
- * The loading strategy is inferred from the argument type — no mode string.
- *
- * Throws `TypeError` for null, numeric, or unrecognised inputs, or if a
- * thenable source nests deeper than `MAX_THENABLE_DEPTH`.
- */
-export declare function loadWasm(source: WasmSource): Promise<WebAssembly.Instance>;
+export {};