leviathan-crypto 2.1.0 → 3.0.0

package/dist/slhdsa/validate.d.ts

@@ -0,0 +1,60 @@
+import type { SlhDsaParams } from './params.js';
+import { type PreHashAlgorithm } from './prehash.js';
+/**
+ * FIPS 205 §10.2.1 Algorithm 22 line 1 / §10.2.2 Algorithm 23 line 1,
+ * ctx must be ≤ 255 bytes (the byte that follows the domain separator in
+ * M' encodes |ctx|, so longer values cannot be represented). Throws
+ * `SigningError('sig-ctx-too-long')` per the SigningError discriminator contract.
+ */
+export declare function validateContext(ctx: Uint8Array): void;
+/**
+ * FIPS 205 §3.6.2, public key must be exactly pkBytes long for its
+ * parameter set. Throws here; the public verify*() surfaces catch the
+ * throw and return false so a wrong-length pk reads as "not a valid
+ * signature" rather than a caller error.
+ */
+export declare function validatePublicKey(pk: Uint8Array, params: SlhDsaParams): void;
+/**
+ * Signing key must be exactly skBytes long for its parameter set. Wrong
+ * length is a caller error (the caller produced this sk via keygen* or
+ * loaded it from storage they own); throw RangeError unconditionally.
+ */
+export declare function validateSigningKey(sk: Uint8Array, params: SlhDsaParams): void;
+/**
+ * FIPS 205 §3.6.2, signature must be exactly sigBytes long for its
+ * parameter set. Throws here; the public verify*() surfaces catch and
+ * return false (same protocol shape as wrong-length pk).
+ */
+export declare function validateSignature(sig: Uint8Array, params: SlhDsaParams): void;
+/**
+ * FIPS 205 §3.4 / §9.2 Algorithm 19 line 4, opt_rand (addrnd) must be
+ * exactly n bytes for the parameter set. Used by signDerand (the
+ * testing / CAVP API). Hedged sign supplies opt_rand internally;
+ * deterministic sign substitutes PK.seed; only signDerand exposes
+ * opt_rand to the caller.
+ */
+export declare function validateRnd(rnd: Uint8Array, params: SlhDsaParams): void;
+/**
+ * Confirms M is a Uint8Array. FIPS 205 places no length restriction on
+ * the message; M is absorbed into Hmsg via SHAKE256 / SHA-2 depending on
+ * the chosen instantiation (§11.2 SHAKE family in the shipped scope), so
+ * any byte length is admissible.
+ */
+export declare function validateMessage(M: Uint8Array): void;
+/**
+ * FIPS 205 §10.2.2 Algorithm 23 lines 9-20, the prehash PH_M passed to
+ * HashSLH-DSA's Sign_internal / Verify_internal must be exactly the
+ * digest size of `algo`. Used by the `*Prehashed` family where the
+ * caller computes PH externally; the non-prehashed family produces PH
+ * internally so this check is implicit.
+ *
+ * Throws `SigningError('sig-malformed-input')` on mismatch. The verify
+ * surface intercepts this to return false (a wrong-size digest is a
+ * structural mismatch, indistinguishable from a wrong signature), while
+ * the sign surface lets the throw propagate (the caller supplied bad
+ * input; that is a contract violation).
+ *
+ * Duplicated from `src/ts/mldsa/validate.ts:validateDigest`; extraction is
+ * deferred until a third consumer materialises.
+ */
+export declare function validateDigest(digest: Uint8Array, algo: PreHashAlgorithm): void;

package/dist/slhdsa/validate.js

@@ -0,0 +1,127 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/slhdsa/validate.ts
+//
+// SLH-DSA caller-side input validation. Pure length / type checks. Mirrors
+// `src/ts/mldsa/validate.ts`. Length checks throw RangeError; the public
+// verify() / verifyHash() / verifyHashPrehashed() surfaces intercept pk /
+// sig / digest length mismatches and return false instead of propagating the
+// throw (FIPS 205 §3.6.2 / §10 structural-mismatch posture). ctx, sk, and
+// rnd / opt_rand are caller contract violations and let the throw propagate.
+import { SigningError } from '../errors.js';
+import { digestSize } from './prehash.js';
+/**
+ * FIPS 205 §10.2.1 Algorithm 22 line 1 / §10.2.2 Algorithm 23 line 1,
+ * ctx must be ≤ 255 bytes (the byte that follows the domain separator in
+ * M' encodes |ctx|, so longer values cannot be represented). Throws
+ * `SigningError('sig-ctx-too-long')` per the SigningError discriminator contract.
+ */
+export function validateContext(ctx) {
+    if (!(ctx instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: ctx must be a Uint8Array');
+    if (ctx.length > 255)
+        throw new SigningError('sig-ctx-too-long', `leviathan-crypto: ctx must be ≤ 255 bytes (got ${ctx.length})`);
+}
+/**
+ * FIPS 205 §3.6.2, public key must be exactly pkBytes long for its
+ * parameter set. Throws here; the public verify*() surfaces catch the
+ * throw and return false so a wrong-length pk reads as "not a valid
+ * signature" rather than a caller error.
+ */
+export function validatePublicKey(pk, params) {
+    if (!(pk instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: public key must be a Uint8Array');
+    if (pk.length !== params.pkBytes)
+        throw new RangeError(`leviathan-crypto: public key must be ${params.pkBytes} bytes for ${params.paramSet} `
+            + `(got ${pk.length})`);
+}
+/**
+ * Signing key must be exactly skBytes long for its parameter set. Wrong
+ * length is a caller error (the caller produced this sk via keygen* or
+ * loaded it from storage they own); throw RangeError unconditionally.
+ */
+export function validateSigningKey(sk, params) {
+    if (!(sk instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: signing key must be a Uint8Array');
+    if (sk.length !== params.skBytes)
+        throw new RangeError(`leviathan-crypto: signing key must be ${params.skBytes} bytes for ${params.paramSet} `
+            + `(got ${sk.length})`);
+}
+/**
+ * FIPS 205 §3.6.2, signature must be exactly sigBytes long for its
+ * parameter set. Throws here; the public verify*() surfaces catch and
+ * return false (same protocol shape as wrong-length pk).
+ */
+export function validateSignature(sig, params) {
+    if (!(sig instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: signature must be a Uint8Array');
+    if (sig.length !== params.sigBytes)
+        throw new RangeError(`leviathan-crypto: signature must be ${params.sigBytes} bytes for ${params.paramSet} `
+            + `(got ${sig.length})`);
+}
+/**
+ * FIPS 205 §3.4 / §9.2 Algorithm 19 line 4, opt_rand (addrnd) must be
+ * exactly n bytes for the parameter set. Used by signDerand (the
+ * testing / CAVP API). Hedged sign supplies opt_rand internally;
+ * deterministic sign substitutes PK.seed; only signDerand exposes
+ * opt_rand to the caller.
+ */
+export function validateRnd(rnd, params) {
+    if (!(rnd instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: opt_rand must be a Uint8Array');
+    if (rnd.length !== params.n)
+        throw new RangeError(`leviathan-crypto: opt_rand must be ${params.n} bytes for ${params.paramSet} `
+            + `(got ${rnd.length})`);
+}
+/**
+ * Confirms M is a Uint8Array. FIPS 205 places no length restriction on
+ * the message; M is absorbed into Hmsg via SHAKE256 / SHA-2 depending on
+ * the chosen instantiation (§11.2 SHAKE family in the shipped scope), so
+ * any byte length is admissible.
+ */
+export function validateMessage(M) {
+    if (!(M instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: message must be a Uint8Array');
+}
+/**
+ * FIPS 205 §10.2.2 Algorithm 23 lines 9-20, the prehash PH_M passed to
+ * HashSLH-DSA's Sign_internal / Verify_internal must be exactly the
+ * digest size of `algo`. Used by the `*Prehashed` family where the
+ * caller computes PH externally; the non-prehashed family produces PH
+ * internally so this check is implicit.
+ *
+ * Throws `SigningError('sig-malformed-input')` on mismatch. The verify
+ * surface intercepts this to return false (a wrong-size digest is a
+ * structural mismatch, indistinguishable from a wrong signature), while
+ * the sign surface lets the throw propagate (the caller supplied bad
+ * input; that is a contract violation).
+ *
+ * Duplicated from `src/ts/mldsa/validate.ts:validateDigest`; extraction is
+ * deferred until a third consumer materialises.
+ */
+export function validateDigest(digest, algo) {
+    if (!(digest instanceof Uint8Array))
+        throw new SigningError('sig-malformed-input', 'digest must be a Uint8Array');
+    const expected = digestSize(algo);
+    if (digest.length !== expected)
+        throw new SigningError('sig-malformed-input', `digest length ${digest.length} != ${expected} for ${algo}`);
+}

package/dist/slhdsa/verify.d.ts

@@ -0,0 +1,32 @@
+import type { SlhDsaExports } from './types.js';
+import type { SlhDsaParams } from './params.js';
+import { type PreHashAlgorithm } from './prehash.js';
+/**
+ * Drive slhVerifyInternal with caller-built M' bytes.
+ *
+ * Layout written into INPUT (per src/asm/slhdsa/slh.ts §slhVerifyInternal):
+ *   INPUT = pk (2n) ‖ M' (msgLen) ‖ sig (sigBytes)
+ *
+ * The caller has already filtered wrong-length pk and sig (the public
+ * verify*() surface returns false for those before calling this driver).
+ * Inside this function, length-mismatch only manifests if pk / sig were
+ * truncated post-validation; we defensively re-check to keep the WASM
+ * call within its declared INPUT bounds.
+ *
+ * Returns true iff slhVerifyInternal returns 1 (the §9.3 constant-time
+ * PK.root comparison succeeded plus all FORS / hypertree path checks).
+ */
+export declare function slhVerifyInternalTs(x: SlhDsaExports, params: SlhDsaParams, pk: Uint8Array, MPrime: Uint8Array, sig: Uint8Array): boolean;
+/**
+ * HashSLH-DSA verify, post-prehash. FIPS 205 §10.3 Algorithm 25 lines
+ * 16-19. Builds M' = 0x01 ‖ |ctx| ‖ ctx ‖ OID(algo) ‖ prehash and drives
+ * Verify_internal.
+ *
+ * Same return / throw posture as `slhVerifyInternalTs`: returns a pure
+ * boolean for every signature outcome. Caller (in index.ts) is expected
+ * to have already filtered wrong-length vk / sig / digest with the
+ * appropriate verdict (false) before calling this helper.
+ *
+ * The caller owns `prehash`; this helper never wipes it.
+ */
+export declare function verifyWithPrehash(x: SlhDsaExports, params: SlhDsaParams, pk: Uint8Array, prehash: Uint8Array, sig: Uint8Array, algo: PreHashAlgorithm, ctx: Uint8Array): boolean;

package/dist/slhdsa/verify.js

@@ -0,0 +1,107 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/slhdsa/verify.ts
+//
+// SLH-DSA verify drivers, FIPS 205 §10.3 wrappers around the WASM
+// slhVerifyInternal entry point (FIPS 205 §9.3 Algorithm 20).
+//
+// Two drivers:
+//   • slhVerifyInternalTs, writes (pk ‖ M' ‖ sig) into INPUT, runs
+//     slhVerifyInternal, returns a boolean. M' is the already-domain-
+//     separated bytes built by the caller.
+//   • verifyWithPrehash, builds the HashSLH-DSA M' from
+//     (digest, oid(ph), ctx) and forwards. Mirrors
+//     src/ts/mldsa/verify.ts:verifyWithPrehash.
+//
+// Posture: returns boolean. Any WASM exception during the inner call is
+// swallowed and converted to false; FIPS 205 §10.3 / §3.6.2 model verify
+// as a pure predicate. Caller-side contract violations (ctx > 255 bytes,
+// unsupported ph) are surfaced at the public-method layer, not here.
+//
+// Buffer hygiene: INPUT held pk + M' + sig (all public inputs). The WASM
+// wipe is still applied for consistency with the sign path and to clear
+// any sk residue that might have lingered from a previous sign call.
+import { wipe } from '../utils.js';
+import { constructMPrimeHash } from './prehash.js';
+/**
+ * Drive slhVerifyInternal with caller-built M' bytes.
+ *
+ * Layout written into INPUT (per src/asm/slhdsa/slh.ts §slhVerifyInternal):
+ *   INPUT = pk (2n) ‖ M' (msgLen) ‖ sig (sigBytes)
+ *
+ * The caller has already filtered wrong-length pk and sig (the public
+ * verify*() surface returns false for those before calling this driver).
+ * Inside this function, length-mismatch only manifests if pk / sig were
+ * truncated post-validation; we defensively re-check to keep the WASM
+ * call within its declared INPUT bounds.
+ *
+ * Returns true iff slhVerifyInternal returns 1 (the §9.3 constant-time
+ * PK.root comparison succeeded plus all FORS / hypertree path checks).
+ */
+export function slhVerifyInternalTs(x, params, pk, MPrime, sig) {
+    const inOff = x.getInputOffset();
+    const pkLen = params.pkBytes;
+    const msgLen = MPrime.length;
+    const sigLen = sig.length;
+    const inputTotal = pkLen + msgLen + sigLen;
+    const mem = new Uint8Array(x.memory.buffer);
+    try {
+        params.wasmSelector();
+        mem.set(pk, inOff);
+        mem.set(MPrime, inOff + pkLen);
+        mem.set(sig, inOff + pkLen + msgLen);
+        return x.slhVerifyInternal(msgLen) === 1;
+    }
+    catch {
+        // FIPS 205 §10.3 verify is a pure predicate. Any unexpected
+        // exception (out-of-memory, kernel argument error) is treated
+        // as "did not authenticate". The public surface already filters
+        // caller contract violations (ctx > 255) before reaching this
+        // driver, so swallowing here cannot mask a contract bug.
+        return false;
+    }
+    finally {
+        mem.fill(0, inOff, inOff + inputTotal);
+        x.wipeBuffers();
+    }
+}
+/**
+ * HashSLH-DSA verify, post-prehash. FIPS 205 §10.3 Algorithm 25 lines
+ * 16-19. Builds M' = 0x01 ‖ |ctx| ‖ ctx ‖ OID(algo) ‖ prehash and drives
+ * Verify_internal.
+ *
+ * Same return / throw posture as `slhVerifyInternalTs`: returns a pure
+ * boolean for every signature outcome. Caller (in index.ts) is expected
+ * to have already filtered wrong-length vk / sig / digest with the
+ * appropriate verdict (false) before calling this helper.
+ *
+ * The caller owns `prehash`; this helper never wipes it.
+ */
+export function verifyWithPrehash(x, params, pk, prehash, sig, algo, ctx) {
+    const MPrime = constructMPrimeHash(prehash, algo, ctx);
+    try {
+        return slhVerifyInternalTs(x, params, pk, MPrime, sig);
+    }
+    finally {
+        wipe(MPrime);
+    }
+}

package/dist/stream/header.js

@@ -23,7 +23,7 @@
 //
 // Wire format header encoding/decoding and counter nonce construction.
 import { CHUNK_MAX, CHUNK_MIN, FLAG_FRAMED, HEADER_SIZE, TAG_DATA, TAG_FINAL } from './constants.js';
-// The 16-byte nonce is a HKDF salt — not a direct cipher nonce.
+// The 16-byte nonce is a HKDF salt, not a direct cipher nonce.
 // Both XChaCha20Cipher and SerpentCipher derive their actual key material
 // and nonces from this value via HKDF-SHA-256. The 16-byte size is chosen
 // to satisfy HChaCha20's 16-byte input requirement while also serving as a
@@ -49,7 +49,7 @@ export function readHeader(header) {
         throw new RangeError(`header must be exactly ${HEADER_SIZE} bytes (got ${header.length})`);
     const byte0 = header[0];
     if (byte0 & 0x40)
-        throw new RangeError(`header has reserved bit 6 set (byte0=0x${byte0.toString(16).padStart(2, '0')}) — unknown or malformed wire format`);
+        throw new RangeError(`header has reserved bit 6 set (byte0=0x${byte0.toString(16).padStart(2, '0')}), unknown or malformed wire format`);
     return {
         formatEnum: byte0 & 0x3f,
         framed: !!(byte0 & FLAG_FRAMED),
@@ -65,7 +65,7 @@ export function makeCounterNonce(counter, finalFlag) {
         throw new RangeError(`finalFlag must be TAG_DATA (0x00) or TAG_FINAL (0x01) (got 0x${finalFlag.toString(16).padStart(2, '0')})`);
     const n = new Uint8Array(12);
     // Write counter as 11-byte big-endian.
-    // JS safe integers fit in 53 bits — we only need the lower 53 bits.
+    // JS safe integers fit in 53 bits, we only need the lower 53 bits.
     // Pack from the right (byte 10 down to byte 0).
     let c = counter;
     for (let i = 10; i >= 0; i--) {

package/dist/stream/index.d.ts

@@ -1,3 +1,4 @@
+export { isInitialized } from '../init.js';
 export { SealStream } from './seal-stream.js';
 export { OpenStream } from './open-stream.js';
 export { Seal } from './seal.js';

package/dist/stream/index.js

@@ -20,6 +20,7 @@
 //                           ▀█████▀▀
 //
 // src/ts/stream/index.ts
+export { isInitialized } from '../init.js';
 export { SealStream } from './seal-stream.js';
 export { OpenStream } from './open-stream.js';
 export { Seal } from './seal.js';

package/dist/stream/open-stream.js

@@ -21,9 +21,11 @@
 //
 // src/ts/stream/open-stream.ts
 //
-// OpenStream — cipher-agnostic streaming decryption using the STREAM
+// OpenStream, cipher-agnostic streaming decryption using the STREAM
 // construction (Hoang/Reyhanitabar/Rogaway/Vizár, CRYPTO 2015).
 import { isInitialized } from '../init.js';
+import { constantTimeEqual } from '../utils.js';
+import { AuthenticationError } from '../errors.js';
 import { TAG_DATA, TAG_FINAL, CHUNK_MIN, CHUNK_MAX, HEADER_SIZE } from './constants.js';
 import { readHeader, makeCounterNonce } from './header.js';
 export class OpenStream {
@@ -37,15 +39,16 @@ export class OpenStream {
     constructor(cipher, key, preamble) {
         this.cipher = cipher;
         if (!isInitialized('sha2'))
-            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation — '
+            throw new Error('leviathan-crypto: stream layer requires sha2 for key derivation, '
                 + 'call init({ sha2: ... }) before creating an OpenStream');
         const decKeySize = cipher.decKeySize ?? cipher.keySize;
         if (key.length !== decKeySize)
             throw new RangeError(`key must be ${decKeySize} bytes (got ${key.length})`);
-        const expectedPreambleLen = HEADER_SIZE + cipher.kemCtSize;
+        const expectedPreambleLen = HEADER_SIZE + cipher.kemCtSize + cipher.commitmentSize;
         if (preamble.length !== expectedPreambleLen)
             throw new RangeError(`preamble must be exactly ${expectedPreambleLen} bytes (got ${preamble.length})`);
-        const h = readHeader(preamble.subarray(0, HEADER_SIZE));
+        const headerBytes = preamble.subarray(0, HEADER_SIZE);
+        const h = readHeader(headerBytes);
         if (h.formatEnum !== cipher.formatEnum)
             throw new Error(`expected format 0x${cipher.formatEnum.toString(16).padStart(2, '0')} (${cipher.formatName}), `
                 + `got 0x${h.formatEnum.toString(16).padStart(2, '0')}`);
@@ -54,7 +57,25 @@ export class OpenStream {
         const kemCt = cipher.kemCtSize > 0
             ? preamble.subarray(HEADER_SIZE, HEADER_SIZE + cipher.kemCtSize)
             : undefined;
-        this.keys = cipher.deriveKeys(key, h.nonce, kemCt);
+        const commitmentOffset = HEADER_SIZE + cipher.kemCtSize;
+        const recvCommitment = cipher.commitmentSize > 0
+            ? preamble.subarray(commitmentOffset, commitmentOffset + cipher.commitmentSize)
+            : undefined;
+        this.keys = cipher.deriveKeys(key, h.nonce, kemCt, headerBytes);
+        // Verify commitment before any chunk is processed. Wrong key fails
+        // fast with AuthenticationError, before Poly1305 is consulted.
+        if (cipher.commitmentSize > 0) {
+            const derivedCommitment = this.keys.commitment;
+            if (!derivedCommitment || derivedCommitment.length !== cipher.commitmentSize) {
+                cipher.wipeKeys(this.keys);
+                throw new Error(`leviathan-crypto: ${cipher.formatName}.deriveKeys returned `
+                    + `${derivedCommitment?.length ?? 'no'} commitment bytes, expected ${cipher.commitmentSize}`);
+            }
+            if (!recvCommitment || !constantTimeEqual(derivedCommitment, recvCommitment)) {
+                cipher.wipeKeys(this.keys);
+                throw new AuthenticationError(`commitment-${cipher.formatName}`);
+            }
+        }
         this.chunkSize = h.chunkSize;
         this.framed = h.framed;
         // Max ciphertext chunk: padded plaintext + tag
@@ -113,7 +134,7 @@ export class OpenStream {
             this.cipher.wipeKeys(this.keys);
             this.state = 'finalized';
         }
-        // 'failed' already wiped keys; 'finalized' already wiped keys — no-op.
+        // 'failed' already wiped keys; 'finalized' already wiped keys, no-op.
     }
     seek(index) {
         if (this.state !== 'ready')
@@ -121,17 +142,17 @@ export class OpenStream {
         if (!Number.isSafeInteger(index) || index < 0)
             throw new RangeError(`seek index must be a non-negative safe integer ≤ Number.MAX_SAFE_INTEGER (got ${index})`);
         if (index < this.counter)
-            throw new RangeError(`OpenStream: seek is forward-only — current counter ${this.counter}, requested ${index}. `
+            throw new RangeError(`OpenStream: seek is forward-only, current counter ${this.counter}, requested ${index}. `
                 + 'Backward seeks would permit plaintext replay; construct a new OpenStream to restart.');
         this.counter = index;
     }
     _stripFrame(chunk) {
         if (chunk.length < 4)
-            throw new RangeError(`framed chunk too short — need at least 4 bytes (got ${chunk.length})`);
+            throw new RangeError(`framed chunk too short, need at least 4 bytes (got ${chunk.length})`);
         const dv = new DataView(chunk.buffer, chunk.byteOffset);
         const payloadLen = dv.getUint32(0, false);
         if (payloadLen !== chunk.length - 4)
-            throw new RangeError(`framed chunk length mismatch — prefix says ${payloadLen}, actual payload is ${chunk.length - 4}`);
+            throw new RangeError(`framed chunk length mismatch, prefix says ${payloadLen}, actual payload is ${chunk.length - 4}`);
         return chunk.subarray(4);
     }
     toTransformStream() {
@@ -155,7 +176,7 @@ export class OpenStream {
                         controller.enqueue(this.finalize(buffered));
                     }
                     else {
-                        this.dispose(); // no chunks piped — wipe keys, emit nothing
+                        this.dispose(); // no chunks piped, wipe keys, emit nothing
                     }
                 }
                 catch (err) {

package/dist/stream/seal-stream-pool.d.ts

@@ -13,6 +13,7 @@ export declare class SealStreamPool {
     private readonly _framed;
     private readonly _timeout;
     private readonly _header;
+    private readonly _commitment;
     private _workers;
     private _idle;
     private _queue;