npm - leviathan-crypto - Versions diffs - 2.1.0 → 3.0.0 - Mend

leviathan-crypto 2.1.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/CLAUDE.md +86 -443
package/README.md +198 -65
package/dist/aes/aes-cbc.d.ts +40 -0
package/dist/aes/aes-cbc.js +158 -0
package/dist/aes/aes-ctr.d.ts +50 -0
package/dist/aes/aes-ctr.js +141 -0
package/dist/aes/aes-gcm-siv.d.ts +67 -0
package/dist/aes/aes-gcm-siv.js +217 -0
package/dist/aes/aes-gcm.d.ts +61 -0
package/dist/aes/aes-gcm.js +226 -0
package/dist/aes/cipher-suite.d.ts +21 -0
package/dist/aes/cipher-suite.js +179 -0
package/dist/aes/embedded.d.ts +1 -0
package/dist/aes/embedded.js +26 -0
package/dist/aes/generator.d.ts +14 -0
package/dist/aes/generator.js +103 -0
package/dist/aes/index.d.ts +58 -0
package/dist/aes/index.js +125 -0
package/dist/aes/ops.d.ts +60 -0
package/dist/aes/ops.js +164 -0
package/dist/aes/pool-worker.d.ts +1 -0
package/dist/aes/pool-worker.js +92 -0
package/dist/aes/types.d.ts +1 -0
package/dist/aes/types.js +23 -0
package/dist/aes.wasm +0 -0
package/dist/blake3/embedded.d.ts +1 -0
package/dist/blake3/embedded.js +26 -0
package/dist/blake3/index.d.ts +143 -0
package/dist/blake3/index.js +620 -0
package/dist/blake3/types.d.ts +102 -0
package/dist/blake3/types.js +31 -0
package/dist/blake3/validate.d.ts +29 -0
package/dist/blake3/validate.js +80 -0
package/dist/blake3.wasm +0 -0
package/dist/chacha20/cipher-suite.js +47 -25
package/dist/chacha20/generator.d.ts +2 -2
package/dist/chacha20/generator.js +4 -4
package/dist/chacha20/index.d.ts +16 -15
package/dist/chacha20/index.js +52 -46
package/dist/chacha20/ops.d.ts +7 -7
package/dist/chacha20/ops.js +34 -34
package/dist/chacha20/pool-worker.js +5 -3
package/dist/cte-wasm.d.ts +1 -0
package/dist/cte-wasm.js +3 -0
package/dist/curve25519.wasm +0 -0
package/dist/ecdsa/der.d.ts +23 -0
package/dist/ecdsa/der.js +192 -0
package/dist/ecdsa/ecprivatekey-der.d.ts +32 -0
package/dist/ecdsa/ecprivatekey-der.js +230 -0
package/dist/ecdsa/embedded.d.ts +1 -0
package/dist/ecdsa/embedded.js +25 -0
package/dist/ecdsa/index.d.ts +124 -0
package/dist/ecdsa/index.js +366 -0
package/dist/ecdsa/types.d.ts +31 -0
package/dist/ecdsa/types.js +28 -0
package/dist/ecdsa/validate.d.ts +18 -0
package/dist/ecdsa/validate.js +92 -0
package/dist/ed25519/embedded.d.ts +1 -0
package/dist/ed25519/embedded.js +31 -0
package/dist/ed25519/index.d.ts +70 -0
package/dist/ed25519/index.js +308 -0
package/dist/ed25519/types.d.ts +27 -0
package/dist/ed25519/types.js +27 -0
package/dist/ed25519/validate.d.ts +7 -0
package/dist/ed25519/validate.js +77 -0
package/dist/embedded/aes-pool-worker.d.ts +1 -0
package/dist/embedded/aes-pool-worker.js +5 -0
package/dist/embedded/aes.d.ts +1 -0
package/dist/embedded/aes.js +3 -0
package/dist/embedded/blake3.d.ts +1 -0
package/dist/embedded/blake3.js +3 -0
package/dist/embedded/chacha20-pool-worker.d.ts +1 -1
package/dist/embedded/chacha20-pool-worker.js +2 -2
package/dist/embedded/chacha20.d.ts +1 -1
package/dist/embedded/chacha20.js +2 -2
package/dist/embedded/curve25519.d.ts +1 -0
package/dist/embedded/curve25519.js +3 -0
package/dist/embedded/mldsa.d.ts +1 -0
package/dist/embedded/mldsa.js +3 -0
package/dist/embedded/mlkem.d.ts +1 -0
package/dist/embedded/mlkem.js +3 -0
package/dist/embedded/p256.d.ts +1 -0
package/dist/embedded/p256.js +3 -0
package/dist/embedded/serpent-pool-worker.d.ts +1 -1
package/dist/embedded/serpent-pool-worker.js +2 -2
package/dist/embedded/serpent.d.ts +1 -1
package/dist/embedded/serpent.js +2 -2
package/dist/embedded/sha2.d.ts +1 -1
package/dist/embedded/sha2.js +2 -2
package/dist/embedded/sha3.d.ts +1 -1
package/dist/embedded/sha3.js +2 -2
package/dist/embedded/slhdsa.d.ts +1 -0
package/dist/embedded/slhdsa.js +3 -0
package/dist/errors.d.ts +92 -1
package/dist/errors.js +111 -1
package/dist/fortuna.d.ts +5 -5
package/dist/fortuna.js +37 -64
package/dist/index.d.ts +38 -9
package/dist/index.js +63 -19
package/dist/init.d.ts +1 -1
package/dist/init.js +11 -25
package/dist/keccak/embedded.js +1 -1
package/dist/keccak/index.d.ts +2 -0
package/dist/keccak/index.js +4 -2
package/dist/loader.d.ts +1 -24
package/dist/loader.js +13 -16
package/dist/merkle/blake3-tree.d.ts +35 -0
package/dist/merkle/blake3-tree.js +187 -0
package/dist/merkle/checkpoint.d.ts +58 -0
package/dist/merkle/checkpoint.js +217 -0
package/dist/merkle/index.d.ts +19 -0
package/dist/merkle/index.js +37 -0
package/dist/merkle/merkle-log.d.ts +130 -0
package/dist/merkle/merkle-log.js +207 -0
package/dist/merkle/merkle-verifier.d.ts +126 -0
package/dist/merkle/merkle-verifier.js +296 -0
package/dist/merkle/proof.d.ts +70 -0
package/dist/merkle/proof.js +300 -0
package/dist/merkle/sha256-tree.d.ts +33 -0
package/dist/merkle/sha256-tree.js +145 -0
package/dist/merkle/signed-log.d.ts +156 -0
package/dist/merkle/signed-log.js +356 -0
package/dist/merkle/signed-note.d.ts +309 -0
package/dist/merkle/signed-note.js +648 -0
package/dist/merkle/sth.d.ts +31 -0
package/dist/merkle/sth.js +31 -0
package/dist/merkle/storage.d.ts +40 -0
package/dist/merkle/storage.js +71 -0
package/dist/merkle/tree.d.ts +68 -0
package/dist/merkle/tree.js +94 -0
package/dist/mldsa/embedded.d.ts +1 -0
package/dist/{kyber → mldsa}/embedded.js +5 -5
package/dist/mldsa/expand.d.ts +53 -0
package/dist/mldsa/expand.js +188 -0
package/dist/mldsa/format.d.ts +16 -0
package/dist/mldsa/format.js +68 -0
package/dist/mldsa/hashvariant.d.ts +32 -0
package/dist/mldsa/hashvariant.js +248 -0
package/dist/mldsa/index.d.ts +142 -0
package/dist/mldsa/index.js +463 -0
package/dist/mldsa/keygen.d.ts +16 -0
package/dist/mldsa/keygen.js +232 -0
package/dist/mldsa/params.d.ts +21 -0
package/dist/mldsa/params.js +55 -0
package/dist/mldsa/sha3-helpers.d.ts +30 -0
package/dist/mldsa/sha3-helpers.js +124 -0
package/dist/mldsa/sign.d.ts +36 -0
package/dist/mldsa/sign.js +380 -0
package/dist/mldsa/types.d.ts +91 -0
package/dist/mldsa/types.js +25 -0
package/dist/mldsa/validate.d.ts +55 -0
package/dist/mldsa/validate.js +125 -0
package/dist/mldsa/verify.d.ts +29 -0
package/dist/mldsa/verify.js +269 -0
package/dist/mldsa.wasm +0 -0
package/dist/mlkem/embedded.d.ts +1 -0
package/dist/mlkem/embedded.js +27 -0
package/dist/mlkem/indcpa.d.ts +49 -0
package/dist/{kyber → mlkem}/indcpa.js +44 -44
package/dist/mlkem/index.d.ts +37 -0
package/dist/{kyber → mlkem}/index.js +24 -34
package/dist/mlkem/kem.d.ts +21 -0
package/dist/{kyber → mlkem}/kem.js +44 -64
package/dist/{kyber → mlkem}/params.d.ts +4 -4
package/dist/{kyber → mlkem}/params.js +2 -2
package/dist/mlkem/suite.d.ts +12 -0
package/dist/{kyber → mlkem}/suite.js +17 -12
package/dist/{kyber → mlkem}/types.d.ts +3 -3
package/dist/{kyber → mlkem}/types.js +1 -1
package/dist/{kyber → mlkem}/validate.d.ts +7 -7
package/dist/{kyber → mlkem}/validate.js +7 -7
package/dist/{kyber.wasm → mlkem.wasm} +0 -0
package/dist/p256.wasm +0 -0
package/dist/ratchet/index.d.ts +2 -0
package/dist/ratchet/index.js +1 -0
package/dist/ratchet/kdf-chain.js +3 -3
package/dist/ratchet/ratchet-keypair.js +2 -2
package/dist/ratchet/root-kdf.js +7 -7
package/dist/ratchet/skipped-key-store.js +4 -4
package/dist/ratchet/types.d.ts +1 -1
package/dist/serpent/cipher-suite.js +20 -17
package/dist/serpent/generator.d.ts +1 -1
package/dist/serpent/generator.js +2 -2
package/dist/serpent/index.d.ts +8 -7
package/dist/serpent/index.js +18 -27
package/dist/serpent/pool-worker.js +7 -5
package/dist/serpent/serpent-cbc.d.ts +4 -4
package/dist/serpent/serpent-cbc.js +11 -8
package/dist/serpent/shared-ops.d.ts +3 -23
package/dist/serpent/shared-ops.js +50 -85
package/dist/serpent.wasm +0 -0
package/dist/sha2/hkdf.js +5 -5
package/dist/sha2/index.d.ts +21 -1
package/dist/sha2/index.js +65 -10
package/dist/sha2/types.d.ts +41 -2
package/dist/sha2.wasm +0 -0
package/dist/sha3/index.d.ts +72 -3
package/dist/sha3/index.js +240 -14
package/dist/sha3/kmac.d.ts +121 -0
package/dist/sha3/kmac.js +800 -0
package/dist/sha3.wasm +0 -0
package/dist/shared/pkcs7.d.ts +22 -0
package/dist/shared/pkcs7.js +84 -0
package/dist/sign/ctx.d.ts +41 -0
package/dist/sign/ctx.js +102 -0
package/dist/sign/envelope.d.ts +45 -0
package/dist/sign/envelope.js +152 -0
package/dist/sign/hasher.d.ts +9 -0
package/dist/sign/hasher.js +132 -0
package/dist/sign/index.d.ts +11 -0
package/dist/sign/index.js +34 -0
package/dist/sign/sign-stream.d.ts +25 -0
package/dist/sign/sign-stream.js +112 -0
package/dist/sign/suites/ecdsa-p256.d.ts +2 -0
package/dist/sign/suites/ecdsa-p256.js +120 -0
package/dist/sign/suites/ed25519.d.ts +3 -0
package/dist/sign/suites/ed25519.js +165 -0
package/dist/sign/suites/hybrid-classical.d.ts +23 -0
package/dist/sign/suites/hybrid-classical.js +526 -0
package/dist/sign/suites/hybrid-pq.d.ts +4 -0
package/dist/sign/suites/hybrid-pq.js +234 -0
package/dist/sign/suites/mldsa.d.ts +7 -0
package/dist/sign/suites/mldsa.js +161 -0
package/dist/sign/suites/slhdsa.d.ts +7 -0
package/dist/sign/suites/slhdsa.js +176 -0
package/dist/sign/types.d.ts +106 -0
package/dist/sign/types.js +28 -0
package/dist/sign/verify-stream.d.ts +30 -0
package/dist/sign/verify-stream.js +227 -0
package/dist/slhdsa/embedded.d.ts +1 -0
package/dist/slhdsa/embedded.js +26 -0
package/dist/slhdsa/index.d.ts +149 -0
package/dist/slhdsa/index.js +493 -0
package/dist/slhdsa/params.d.ts +26 -0
package/dist/slhdsa/params.js +70 -0
package/dist/slhdsa/prehash.d.ts +68 -0
package/dist/slhdsa/prehash.js +307 -0
package/dist/slhdsa/sign.d.ts +39 -0
package/dist/slhdsa/sign.js +116 -0
package/dist/slhdsa/types.d.ts +129 -0
package/dist/slhdsa/types.js +27 -0
package/dist/slhdsa/validate.d.ts +60 -0
package/dist/slhdsa/validate.js +127 -0
package/dist/slhdsa/verify.d.ts +32 -0
package/dist/slhdsa/verify.js +107 -0
package/dist/slhdsa.wasm +0 -0
package/dist/stream/header.js +3 -3
package/dist/stream/index.d.ts +1 -0
package/dist/stream/index.js +1 -0
package/dist/stream/open-stream.js +31 -10
package/dist/stream/seal-stream-pool.d.ts +1 -0
package/dist/stream/seal-stream-pool.js +63 -26
package/dist/stream/seal-stream.d.ts +1 -1
package/dist/stream/seal-stream.js +20 -9
package/dist/stream/seal.js +6 -6
package/dist/stream/types.d.ts +3 -1
package/dist/stream/types.js +1 -1
package/dist/types.d.ts +1 -1
package/dist/types.js +1 -1
package/dist/utils.d.ts +3 -3
package/dist/utils.js +46 -54
package/dist/wasm-source.d.ts +7 -7
package/dist/wasm-source.js +1 -1
package/dist/x25519/embedded.d.ts +1 -0
package/dist/x25519/embedded.js +31 -0
package/dist/x25519/index.d.ts +43 -0
package/dist/x25519/index.js +159 -0
package/dist/x25519/types.d.ts +25 -0
package/dist/x25519/types.js +27 -0
package/dist/x25519/validate.d.ts +2 -0
package/dist/x25519/validate.js +39 -0
package/package.json +70 -26
package/SECURITY.md +0 -163
package/dist/ct-wasm.d.ts +0 -1
package/dist/ct-wasm.js +0 -3
package/dist/docs/aead.md +0 -363
package/dist/docs/architecture.md +0 -1011
package/dist/docs/argon2id.md +0 -305
package/dist/docs/chacha20.md +0 -781
package/dist/docs/exports.md +0 -277
package/dist/docs/fortuna.md +0 -530
package/dist/docs/init.md +0 -301
package/dist/docs/loader.md +0 -256
package/dist/docs/serpent.md +0 -617
package/dist/docs/sha2.md +0 -671
package/dist/docs/sha3.md +0 -612
package/dist/docs/types.md +0 -416
package/dist/docs/utils.md +0 -457
package/dist/embedded/kyber.d.ts +0 -1
package/dist/embedded/kyber.js +0 -3
package/dist/kyber/embedded.d.ts +0 -1
package/dist/kyber/indcpa.d.ts +0 -49
package/dist/kyber/index.d.ts +0 -38
package/dist/kyber/kem.d.ts +0 -21
package/dist/kyber/suite.d.ts +0 -12
/package/dist/{ct.wasm → cte.wasm} +0 -0

package/dist/sign/suites/hybrid-classical.js ADDED Viewed

@@ -0,0 +1,526 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/sign/suites/hybrid-classical.ts
+//
+// Composite classical+PQ hybrid suites,
+// draft-ietf-lamps-pq-composite-sigs-19 (composite-sigs). Two internal
+// factories (Ed25519, ECDSA-P256) build the four exported
+// StreamableSignatureSuite consts 0x20..0x23:
+//
+//   0x20  MlDsa44Ed25519Suite     OID 1.3.6.1.5.5.7.6.39
+//   0x21  MlDsa65Ed25519Suite     OID 1.3.6.1.5.5.7.6.48
+//   0x22  MlDsa44EcdsaP256Suite   OID 1.3.6.1.5.5.7.6.40
+//   0x23  MlDsa65EcdsaP256Suite   OID 1.3.6.1.5.5.7.6.45
+//
+// composite-sigs §2.2 / §3.2 construction:
+//   M'       = Prefix || Label || len(ctx) || ctx || PH(M)
+//   sig_pq   = ML-DSA.Sign(sk_pq_expanded, M', ctx=Label)
+//              pure (FIPS 204 §5.2 Algorithm 2), NOT HashML-DSA
+//              (composite-sigs §2.1)
+//   sig_trad = Trad.Sign(sk_trad, M')
+//              Ed25519: RFC 8032 §5.1.6.
+//              ECDSA-P256: FIPS 186-5 §6.4 over SHA-256(M'),
+//              composite-sigs §6 `ecdsa-with-SHA256`.
+//   sig      = sig_pq || sig_trad (composite-sigs §4.3, PQ-first).
+//
+// sk_pq is the 32-byte ML-DSA seed only; expanded sk is re-derived
+// per sign via FIPS 204 §6.1 KeyGen_internal (composite-sigs §4.2).
+// user_ctx cap = 255 (composite-sigs §3.2 step 1, FIPS 204 §3.6.1
+// match); overflow throws SigningError('sig-ctx-too-long').
+//
+// verifyPrehashed runs BOTH sub-verifies before AND-reducing.
+// composite-sigs §3.3 permits early-fail on the ML-DSA half;
+// leviathan declines for parity with hybrid-pq.ts.
+//
+// Wire layout, OID table, M' breakdown, hedged posture, and
+// constant-time discipline:
+// docs/signaturesuite.md#classicalpq-hybrid-composite-encoding.
+import { concat, randomBytes, utf8ToBytes, wipe } from '../../utils.js';
+import { SigningError } from '../../errors.js';
+import { MlDsa44, MlDsa65, MLDSA44, MLDSA65, } from '../../mldsa/index.js';
+import { Ed25519 } from '../../ed25519/index.js';
+import { EcdsaP256, encodeEcPrivateKey, decodeEcPrivateKey, } from '../../ecdsa/index.js';
+import { ecdsaSignatureToDer, ecdsaSignatureFromDer } from '../../ecdsa/der.js';
+import { CTX_DOMAIN_MAX } from '../ctx.js';
+import { sha256OneShot, sha512OneShot } from '../hasher.js';
+// ── Module-level constants ─────────────────────────────────────────────────
+// composite-sigs §2.2, Prefix wedged at the head of every M'.
+const COMPOSITE_PREFIX = utf8ToBytes('CompositeAlgorithmSignatures2025');
+const COMPOSITE_USER_CTX_MAX = 255;
+const LABEL_MLDSA44_ED25519 = utf8ToBytes('COMPSIG-MLDSA44-Ed25519-SHA512');
+const LABEL_MLDSA65_ED25519 = utf8ToBytes('COMPSIG-MLDSA65-Ed25519-SHA512');
+const LABEL_MLDSA44_ECDSA_P256 = utf8ToBytes('COMPSIG-MLDSA44-ECDSA-P256-SHA256');
+const LABEL_MLDSA65_ECDSA_P256 = utf8ToBytes('COMPSIG-MLDSA65-ECDSA-P256-SHA512');
+// secp256r1 group order n (SP 800-186 §3.2.1.3). Used by the composite
+// ECDSA verify path to normalise high-S to low-S before delegating to
+// EcdsaP256.verify (composite-sigs §3.3 permits both s and n - s under
+// FIPS 186-5 §6.5; leviathan's standalone verify is strict low-S).
+// Rationale: docs/signaturesuite.md#composite-ecdsa-low-s.
+const SECP256R1_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n;
+const SECP256R1_HALF_N = SECP256R1_N >> 1n;
+function be32ToBig(b) {
+    let x = 0n;
+    for (const v of b)
+        x = (x << 8n) | BigInt(v);
+    return x;
+}
+function bigToBe32(x) {
+    const out = new Uint8Array(32);
+    for (let i = 31; i >= 0; i--) {
+        out[i] = Number(x & 0xffn);
+        x >>= 8n;
+    }
+    return out;
+}
+/**
+ * Normalise raw 64-byte (r, s) to low-S (FIPS 186-5 §6.5).
+ * Rationale: docs/signaturesuite.md#composite-ecdsa-low-s.
+ */
+function normaliseEcdsaSigLowS(raw64) {
+    const s = be32ToBig(raw64.subarray(32, 64));
+    if (s <= SECP256R1_HALF_N)
+        return raw64;
+    const sLow = SECP256R1_N - s;
+    const out = new Uint8Array(64);
+    out.set(raw64.subarray(0, 32), 0);
+    out.set(bigToBe32(sLow), 32);
+    return out;
+}
+// ── M' construction ────────────────────────────────────────────────────────
+/**
+ * composite-sigs §3.2 step 2:
+ *   M' := Prefix || Label || len(ctx) || ctx || PH(M)
+ *
+ * `len(ctx)` is encoded as a single unsigned byte (composite-sigs §3.2
+ * step 2; Appendix D worked example confirms `len(ctx) == 0x00` for empty
+ * context and a single byte for non-empty). The caller is responsible for
+ * the `ctx.length <= COMPOSITE_USER_CTX_MAX` check.
+ */
+function buildMPrime(label, ctx, digest) {
+    const out = new Uint8Array(COMPOSITE_PREFIX.length + label.length + 1 + ctx.length + digest.length);
+    let p = 0;
+    out.set(COMPOSITE_PREFIX, p);
+    p += COMPOSITE_PREFIX.length;
+    out.set(label, p);
+    p += label.length;
+    out[p++] = ctx.length;
+    out.set(ctx, p);
+    p += ctx.length;
+    out.set(digest, p);
+    return out;
+}
+// ── ML-DSA + Ed25519 factory ───────────────────────────────────────────────
+function MldsaEd25519HybridSuite(MlDsaClass, mldsaParams, formatEnum, formatName, ctxDomain, label) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    const wasmModules = Object.freeze(['mldsa', 'sha3', 'curve25519', 'sha2']);
+    const prehashAlgorithm = 'sha-512';
+    const prehashSize = 64;
+    const pkSize = mldsaParams.pkBytes + 32;
+    const skSize = 32 + 32;
+    // composite-sigs Appendix A Table 4 + RFC 8032 §5.1.6: fixed 64-byte Ed25519 sig.
+    const sigMaxSize = mldsaParams.sigBytes + 64;
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize,
+        skSize,
+        sigMaxSize,
+        wasmModules,
+        prehashAlgorithm,
+        prehashSize,
+        sign(sk, msg, ctx) {
+            // One-shot SHA-512 over the message; the composite PH for these
+            // two suites is SHA-512 (composite-sigs §6).
+            const digest = sha512OneShot(msg);
+            try {
+                return this.signPrehashed(sk, digest, ctx);
+            }
+            finally {
+                wipe(digest);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const digest = sha512OneShot(msg);
+            try {
+                return this.verifyPrehashed(pk, digest, sig, ctx);
+            }
+            finally {
+                wipe(digest);
+            }
+        },
+        keygen() {
+            const seedMldsa = randomBytes(32);
+            let mldsaPk;
+            const mldsaInst = new MlDsaClass();
+            try {
+                const kp = mldsaInst.keygenDerand(seedMldsa);
+                mldsaPk = kp.verificationKey;
+                wipe(kp.signingKey);
+            }
+            finally {
+                mldsaInst.dispose();
+            }
+            const edInst = new Ed25519();
+            let edPk;
+            let seedEd;
+            try {
+                const kp = edInst.keygen();
+                edPk = kp.publicKey;
+                seedEd = kp.secretKey;
+            }
+            finally {
+                edInst.dispose();
+            }
+            try {
+                return {
+                    pk: concat(mldsaPk, edPk),
+                    sk: concat(seedMldsa, seedEd),
+                };
+            }
+            finally {
+                wipe(seedMldsa);
+                wipe(seedEd);
+            }
+        },
+        signPrehashed(sk, digest, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            if (sk.length !== skSize)
+                throw new SigningError('sig-key-size', `sk length ${sk.length} != ${skSize} for ${formatName}`);
+            if (ctx.length > COMPOSITE_USER_CTX_MAX)
+                throw new SigningError('sig-ctx-too-long', `user_ctx length ${ctx.length} > ${COMPOSITE_USER_CTX_MAX} `
+                    + '(composite-sigs §3.2 step 1)');
+            const seedMldsa = sk.subarray(0, 32);
+            const seedEd = sk.subarray(32, 64);
+            const mPrime = buildMPrime(label, ctx, digest);
+            try {
+                // composite-sigs §4.2: re-derive expanded sk from 32-byte
+                // seed (FIPS 204 §6.1 KeyGen_internal); sign with
+                // mldsa_ctx = Label (composite-sigs §3.2 step 4).
+                let sigMldsa;
+                const mldsaInst = new MlDsaClass();
+                let expandedSk = null;
+                try {
+                    const kp = mldsaInst.keygenDerand(seedMldsa);
+                    expandedSk = kp.signingKey;
+                    wipe(kp.verificationKey);
+                    sigMldsa = mldsaInst.sign(expandedSk, mPrime, label);
+                }
+                finally {
+                    if (expandedSk)
+                        wipe(expandedSk);
+                    mldsaInst.dispose();
+                }
+                // Ed25519 half: pure sign over M', composite-sigs §3.2 step 4 + RFC 8032 §5.1.6.
+                let sigEd;
+                const edInst = new Ed25519();
+                try {
+                    sigEd = edInst._signInternalPk(seedEd, mPrime);
+                }
+                finally {
+                    edInst.dispose();
+                }
+                // composite-sigs §4.3 SerializeSignatureValue: PQ-first,
+                // no length prefix.
+                return concat(sigMldsa, sigEd);
+            }
+            finally {
+                wipe(mPrime);
+            }
+        },
+        verifyPrehashed(pk, digest, sig, ctx) {
+            // Wire-shape rejects → false (attacker-observable bytes;
+            // composite-sigs §3.3 returns "Invalid signature").
+            if (pk.length !== pkSize)
+                return false;
+            if (sig.length !== sigMaxSize)
+                return false;
+            // Caller-side contract violations throw, symmetric with the
+            // sign side: digest length and ctx length are properties of
+            // the caller's input shape, not signature validity.
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            if (ctx.length > COMPOSITE_USER_CTX_MAX)
+                throw new SigningError('sig-ctx-too-long', `user_ctx length ${ctx.length} > ${COMPOSITE_USER_CTX_MAX} `
+                    + '(composite-sigs §3.2 step 1)');
+            const pkMldsa = pk.subarray(0, mldsaParams.pkBytes);
+            const pkEd = pk.subarray(mldsaParams.pkBytes);
+            const sigMldsa = sig.subarray(0, mldsaParams.sigBytes);
+            const sigEd = sig.subarray(mldsaParams.sigBytes);
+            const mPrime = buildMPrime(label, ctx, digest);
+            // Both sub-verifies must run before AND-reduce
+            // (constant-time gate).
+            let mldsaOk;
+            let edOk;
+            try {
+                const mldsaInst = new MlDsaClass();
+                try {
+                    mldsaOk = mldsaInst.verify(pkMldsa, mPrime, sigMldsa, label);
+                }
+                finally {
+                    mldsaInst.dispose();
+                }
+                const edInst = new Ed25519();
+                try {
+                    edOk = edInst.verify(pkEd, mPrime, sigEd);
+                }
+                finally {
+                    edInst.dispose();
+                }
+            }
+            finally {
+                wipe(mPrime);
+            }
+            // Do NOT wipe sub-sig / sub-pk subarrays; they alias caller-owned buffers.
+            return mldsaOk && edOk;
+        },
+    };
+}
+// ── ML-DSA + ECDSA-P256 factory ────────────────────────────────────────────
+function MldsaEcdsaP256HybridSuite(MlDsaClass, mldsaParams, formatEnum, formatName, ctxDomain, label, prehashAlgorithm, prehashSize) {
+    if (utf8ToBytes(ctxDomain).length > CTX_DOMAIN_MAX)
+        throw new Error(`leviathan-crypto: ctxDomain '${ctxDomain}' too long for ${formatName}`);
+    // 'p256' drives ECDSA; 'sha2' covers both the composite PH (SHA-256
+    // for 0x22, SHA-512 for 0x23) and ECDSA's internal SHA-256(M').
+    const wasmModules = Object.freeze(['mldsa', 'sha3', 'p256', 'sha2']);
+    const pkSize = mldsaParams.pkBytes + 65;
+    const skSize = 32 + 51;
+    // composite-sigs Appendix A Table 4 + RFC 3279 §2.2.3, 72-byte DER ceiling.
+    const sigMaxSize = mldsaParams.sigBytes + 72;
+    return {
+        formatEnum,
+        formatName,
+        ctxDomain,
+        pkSize,
+        skSize,
+        sigMaxSize,
+        wasmModules,
+        prehashAlgorithm,
+        prehashSize,
+        sign(sk, msg, ctx) {
+            const digest = prehashAlgorithm === 'sha-256'
+                ? sha256OneShot(msg)
+                : sha512OneShot(msg);
+            try {
+                return this.signPrehashed(sk, digest, ctx);
+            }
+            finally {
+                wipe(digest);
+            }
+        },
+        verify(pk, msg, sig, ctx) {
+            const digest = prehashAlgorithm === 'sha-256'
+                ? sha256OneShot(msg)
+                : sha512OneShot(msg);
+            try {
+                return this.verifyPrehashed(pk, digest, sig, ctx);
+            }
+            finally {
+                wipe(digest);
+            }
+        },
+        keygen() {
+            const seedMldsa = randomBytes(32);
+            let mldsaPk;
+            const mldsaInst = new MlDsaClass();
+            try {
+                const kp = mldsaInst.keygenDerand(seedMldsa);
+                mldsaPk = kp.verificationKey;
+                wipe(kp.signingKey);
+            }
+            finally {
+                mldsaInst.dispose();
+            }
+            // ECDSA-P256 half: 65-byte uncompressed pk (SEC 1 §2.3.4,
+            // composite-sigs §4) and 51-byte DER ECPrivateKey
+            // (RFC 5915 §3, composite-sigs §4.2).
+            let ecPk;
+            let ecScalar;
+            const ecInst = new EcdsaP256();
+            try {
+                const kp = ecInst.keygenUncompressed();
+                ecPk = kp.publicKey;
+                ecScalar = kp.secretKey;
+            }
+            finally {
+                ecInst.dispose();
+            }
+            let ecDer;
+            try {
+                ecDer = encodeEcPrivateKey(ecScalar);
+            }
+            finally {
+                wipe(ecScalar);
+            }
+            try {
+                return {
+                    pk: concat(mldsaPk, ecPk),
+                    sk: concat(seedMldsa, ecDer),
+                };
+            }
+            finally {
+                wipe(seedMldsa);
+                wipe(ecDer);
+            }
+        },
+        signPrehashed(sk, digest, ctx) {
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            if (sk.length !== skSize)
+                throw new SigningError('sig-key-size', `sk length ${sk.length} != ${skSize} for ${formatName}`);
+            if (ctx.length > COMPOSITE_USER_CTX_MAX)
+                throw new SigningError('sig-ctx-too-long', `user_ctx length ${ctx.length} > ${COMPOSITE_USER_CTX_MAX} `
+                    + '(composite-sigs §3.2 step 1)');
+            const seedMldsa = sk.subarray(0, 32);
+            const ecDer = sk.subarray(32, 83);
+            // RFC 5915 §3 ECPrivateKey decode; strict DER per the codec's
+            // X.690 §10 hygiene rules. Throws on syntax violation.
+            const ecScalar = decodeEcPrivateKey(ecDer);
+            const mPrime = buildMPrime(label, ctx, digest);
+            // composite-sigs §6, ECDSA half is SHA-256(M') for both 0x22 and 0x23.
+            const ecDigest = sha256OneShot(mPrime);
+            const rnd = randomBytes(32);
+            try {
+                let sigMldsa;
+                const mldsaInst = new MlDsaClass();
+                let expandedSk = null;
+                try {
+                    const kp = mldsaInst.keygenDerand(seedMldsa);
+                    expandedSk = kp.signingKey;
+                    wipe(kp.verificationKey);
+                    sigMldsa = mldsaInst.sign(expandedSk, mPrime, label);
+                }
+                finally {
+                    if (expandedSk)
+                        wipe(expandedSk);
+                    mldsaInst.dispose();
+                }
+                let sigEcRaw;
+                const ecInst = new EcdsaP256();
+                try {
+                    sigEcRaw = ecInst._signInternalPk(ecScalar, ecDigest, rnd);
+                }
+                finally {
+                    ecInst.dispose();
+                }
+                let sigEcDer;
+                try {
+                    // composite-sigs §4.3, DER on the wire.
+                    sigEcDer = ecdsaSignatureToDer(sigEcRaw);
+                }
+                finally {
+                    wipe(sigEcRaw);
+                }
+                return concat(sigMldsa, sigEcDer);
+            }
+            finally {
+                wipe(rnd);
+                wipe(ecScalar);
+                wipe(ecDigest);
+                wipe(mPrime);
+            }
+        },
+        verifyPrehashed(pk, digest, sig, ctx) {
+            // Wire-shape rejects → false. 8-byte DER floor per RFC 3279 §2.2.3.
+            if (pk.length !== pkSize)
+                return false;
+            if (sig.length < mldsaParams.sigBytes + 8)
+                return false;
+            if (sig.length > sigMaxSize)
+                return false;
+            if (digest.length !== prehashSize)
+                throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${prehashSize} for ${formatName}`);
+            if (ctx.length > COMPOSITE_USER_CTX_MAX)
+                throw new SigningError('sig-ctx-too-long', `user_ctx length ${ctx.length} > ${COMPOSITE_USER_CTX_MAX} `
+                    + '(composite-sigs §3.2 step 1)');
+            const pkMldsa = pk.subarray(0, mldsaParams.pkBytes);
+            const pkEc = pk.subarray(mldsaParams.pkBytes, mldsaParams.pkBytes + 65);
+            const sigMldsa = sig.subarray(0, mldsaParams.sigBytes);
+            const sigEcDer = sig.subarray(mldsaParams.sigBytes);
+            const mPrime = buildMPrime(label, ctx, digest);
+            const ecDigest = sha256OneShot(mPrime);
+            let mldsaOk;
+            let ecOk;
+            try {
+                const mldsaInst = new MlDsaClass();
+                try {
+                    mldsaOk = mldsaInst.verify(pkMldsa, mPrime, sigMldsa, label);
+                }
+                finally {
+                    mldsaInst.dispose();
+                }
+                let sigEcRaw = null;
+                try {
+                    sigEcRaw = ecdsaSignatureFromDer(sigEcDer);
+                }
+                catch {
+                    sigEcRaw = null;
+                }
+                if (sigEcRaw === null) {
+                    ecOk = false;
+                }
+                else {
+                    const sigEcLowS = normaliseEcdsaSigLowS(sigEcRaw);
+                    const ecInst = new EcdsaP256();
+                    try {
+                        ecOk = ecInst.verify(pkEc, ecDigest, sigEcLowS);
+                    }
+                    finally {
+                        ecInst.dispose();
+                    }
+                    wipe(sigEcLowS);
+                    wipe(sigEcRaw);
+                }
+            }
+            finally {
+                wipe(mPrime);
+                wipe(ecDigest);
+            }
+            return mldsaOk && ecOk;
+        },
+    };
+}
+// ── Exported suite consts ──────────────────────────────────────────────────
+/**
+ * Composite ML-DSA-44 + Ed25519 with SHA-512 prehash.
+ * composite-sigs §6, id-MLDSA44-Ed25519-SHA512 (OID 1.3.6.1.5.5.7.6.39).
+ */
+export const MlDsa44Ed25519Suite = MldsaEd25519HybridSuite(MlDsa44, MLDSA44, 0x20, 'mldsa44-ed25519', 'mldsa44-ed25519-envelope-v3', LABEL_MLDSA44_ED25519);
+/**
+ * Composite ML-DSA-65 + Ed25519 with SHA-512 prehash.
+ * composite-sigs §6, id-MLDSA65-Ed25519-SHA512 (OID 1.3.6.1.5.5.7.6.48).
+ */
+export const MlDsa65Ed25519Suite = MldsaEd25519HybridSuite(MlDsa65, MLDSA65, 0x21, 'mldsa65-ed25519', 'mldsa65-ed25519-envelope-v3', LABEL_MLDSA65_ED25519);
+/**
+ * Composite ML-DSA-44 + ECDSA-P256 with SHA-256 prehash.
+ * composite-sigs §6, id-MLDSA44-ECDSA-P256-SHA256 (OID 1.3.6.1.5.5.7.6.40).
+ */
+export const MlDsa44EcdsaP256Suite = MldsaEcdsaP256HybridSuite(MlDsa44, MLDSA44, 0x22, 'mldsa44-ecdsa-p256', 'mldsa44-ecdsa-p256-envelope-v3', LABEL_MLDSA44_ECDSA_P256, 'sha-256', 32);
+/**
+ * Composite ML-DSA-65 + ECDSA-P256 with SHA-512 prehash on the composite
+ * layer; the ECDSA half still hashes M' with SHA-256 per composite-sigs §6
+ * `ecdsa-with-SHA256` and §10.1 (deployment-fit rationale).
+ * composite-sigs §6, id-MLDSA65-ECDSA-P256-SHA512 (OID 1.3.6.1.5.5.7.6.45).
+ */
+export const MlDsa65EcdsaP256Suite = MldsaEcdsaP256HybridSuite(MlDsa65, MLDSA65, 0x23, 'mldsa65-ecdsa-p256', 'mldsa65-ecdsa-p256-envelope-v3', LABEL_MLDSA65_ECDSA_P256, 'sha-512', 64);

package/dist/sign/suites/hybrid-pq.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { StreamableSignatureSuite } from '../types.js';
+export declare const MlDsa44SlhDsa128fSuite: StreamableSignatureSuite;
+export declare const MlDsa65SlhDsa192fSuite: StreamableSignatureSuite;
+export declare const MlDsa87SlhDsa256fSuite: StreamableSignatureSuite;