shogun-core 5.2.0 → 5.2.2

package/dist/browser/defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js

@@ -0,0 +1,2117 @@
+"use strict";
+(this["webpackChunkShogunCore"] = this["webpackChunkShogunCore"] || []).push([["defaultVendors-node_modules_noble_post-quantum_ml-dsa_js"],{
+
+/***/ "./node_modules/@noble/post-quantum/ml-dsa.js":
+/*!****************************************************************!*\
+  !*** ./node_modules/@noble/post-quantum/ml-dsa.js + 7 modules ***!
+  \****************************************************************/
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+// ESM COMPAT FLAG
+__webpack_require__.r(__webpack_exports__);
+
+// EXPORTS
+__webpack_require__.d(__webpack_exports__, {
+  PARAMS: () => (/* binding */ PARAMS),
+  ml_dsa44: () => (/* binding */ ml_dsa44),
+  ml_dsa65: () => (/* binding */ ml_dsa65),
+  ml_dsa87: () => (/* binding */ ml_dsa87)
+});
+
+;// ./node_modules/@noble/post-quantum/node_modules/@noble/hashes/utils.js
+/**
+ * Utilities for hex, bytes, CSPRNG.
+ * @module
+ */
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+/** Asserts something is positive integer. */
+function anumber(n, title = '') {
+    if (!Number.isSafeInteger(n) || n < 0) {
+        const prefix = title && `"${title}" `;
+        throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+    }
+}
+/** Asserts something is Uint8Array. */
+function abytes(value, length, title = '') {
+    const bytes = isBytes(value);
+    const len = value?.length;
+    const needsLen = length !== undefined;
+    if (!bytes || (needsLen && len !== length)) {
+        const prefix = title && `"${title}" `;
+        const ofLen = needsLen ? ` of length ${length}` : '';
+        const got = bytes ? `length=${len}` : `type=${typeof value}`;
+        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+    }
+    return value;
+}
+/** Asserts something is hash */
+function ahash(h) {
+    if (typeof h !== 'function' || typeof h.create !== 'function')
+        throw new Error('Hash must wrapped by utils.createHasher');
+    anumber(h.outputLen);
+    anumber(h.blockLen);
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+    abytes(out, undefined, 'digestInto() output');
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error('"digestInto() output" expected to be of length >=' + min);
+    }
+}
+/** Cast u8 / u16 / u32 to u8. */
+function u8(arr) {
+    return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** Cast u8 / u16 / u32 to u32. */
+function u32(arr) {
+    return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView(arr) {
+    return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** The rotate right (circular right shift) operation for uint32 */
+function rotr(word, shift) {
+    return (word << (32 - shift)) | (word >>> shift);
+}
+/** The rotate left (circular left shift) operation for uint32 */
+function rotl(word, shift) {
+    return (word << shift) | ((word >>> (32 - shift)) >>> 0);
+}
+/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
+/** The byte swap operation for uint32 */
+function byteSwap(word) {
+    return (((word << 24) & 0xff000000) |
+        ((word << 8) & 0xff0000) |
+        ((word >>> 8) & 0xff00) |
+        ((word >>> 24) & 0xff));
+}
+/** Conditionally byte swap if on a big-endian platform */
+const swap8IfBE = isLE
+    ? (n) => n
+    : (n) => byteSwap(n);
+/** In place byte swap for Uint32Array */
+function byteSwap32(arr) {
+    for (let i = 0; i < arr.length; i++) {
+        arr[i] = byteSwap(arr[i]);
+    }
+    return arr;
+}
+const swap32IfBE = isLE
+    ? (u) => u
+    : byteSwap32;
+// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex
+const hasHexBuiltin = /* @__PURE__ */ (() => 
+// @ts-ignore
+typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')();
+// Array where index 0xf0 (240) is mapped to string 'f0'
+const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
+/**
+ * Convert byte array to hex string. Uses built-in function, when available.
+ * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
+ */
+function bytesToHex(bytes) {
+    abytes(bytes);
+    // @ts-ignore
+    if (hasHexBuiltin)
+        return bytes.toHex();
+    // pre-caching improves the speed 6x
+    let hex = '';
+    for (let i = 0; i < bytes.length; i++) {
+        hex += hexes[bytes[i]];
+    }
+    return hex;
+}
+// We use optimized technique to convert hex string to byte array
+const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+    if (ch >= asciis._0 && ch <= asciis._9)
+        return ch - asciis._0; // '2' => 50-48
+    if (ch >= asciis.A && ch <= asciis.F)
+        return ch - (asciis.A - 10); // 'B' => 66-(65-10)
+    if (ch >= asciis.a && ch <= asciis.f)
+        return ch - (asciis.a - 10); // 'b' => 98-(97-10)
+    return;
+}
+/**
+ * Convert hex string to byte array. Uses built-in function, when available.
+ * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+ */
+function hexToBytes(hex) {
+    if (typeof hex !== 'string')
+        throw new Error('hex string expected, got ' + typeof hex);
+    // @ts-ignore
+    if (hasHexBuiltin)
+        return Uint8Array.fromHex(hex);
+    const hl = hex.length;
+    const al = hl / 2;
+    if (hl % 2)
+        throw new Error('hex string expected, got unpadded hex of length ' + hl);
+    const array = new Uint8Array(al);
+    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+        const n1 = asciiToBase16(hex.charCodeAt(hi));
+        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+        if (n1 === undefined || n2 === undefined) {
+            const char = hex[hi] + hex[hi + 1];
+            throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+        }
+        array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
+    }
+    return array;
+}
+/**
+ * There is no setImmediate in browser and setTimeout is slow.
+ * Call of async fn will return Promise, which will be fullfiled only on
+ * next scheduler queue processing step and this is exactly what we need.
+ */
+const nextTick = async () => { };
+/** Returns control to thread each 'tick' ms to avoid blocking. */
+async function asyncLoop(iters, tick, cb) {
+    let ts = Date.now();
+    for (let i = 0; i < iters; i++) {
+        cb(i);
+        // Date.now() is not monotonic, so in case if clock goes backwards we return return control too
+        const diff = Date.now() - ts;
+        if (diff >= 0 && diff < tick)
+            continue;
+        await nextTick();
+        ts += diff;
+    }
+}
+/**
+ * Converts string to bytes using UTF8 encoding.
+ * Built-in doesn't validate input to be string: we do the check.
+ * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+ */
+function utf8ToBytes(str) {
+    if (typeof str !== 'string')
+        throw new Error('string expected');
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+/**
+ * Helper for KDFs: consumes uint8array or string.
+ * When string is passed, does utf8 decoding, using TextDecoder.
+ */
+function kdfInputToBytes(data, errorTitle = '') {
+    if (typeof data === 'string')
+        return utf8ToBytes(data);
+    return abytes(data, undefined, errorTitle);
+}
+/** Copies several Uint8Arrays into one. */
+function concatBytes(...arrays) {
+    let sum = 0;
+    for (let i = 0; i < arrays.length; i++) {
+        const a = arrays[i];
+        abytes(a);
+        sum += a.length;
+    }
+    const res = new Uint8Array(sum);
+    for (let i = 0, pad = 0; i < arrays.length; i++) {
+        const a = arrays[i];
+        res.set(a, pad);
+        pad += a.length;
+    }
+    return res;
+}
+/** Merges default options and passed options. */
+function checkOpts(defaults, opts) {
+    if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')
+        throw new Error('options must be object or undefined');
+    const merged = Object.assign(defaults, opts);
+    return merged;
+}
+/** Creates function with outputLen, blockLen, create properties from a class constructor. */
+function createHasher(hashCons, info = {}) {
+    const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+    const tmp = hashCons(undefined);
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (opts) => hashCons(opts);
+    Object.assign(hashC, info);
+    return Object.freeze(hashC);
+}
+/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
+function randomBytes(bytesLength = 32) {
+    const cr = typeof globalThis === 'object' ? globalThis.crypto : null;
+    if (typeof cr?.getRandomValues !== 'function')
+        throw new Error('crypto.getRandomValues must be defined');
+    return cr.getRandomValues(new Uint8Array(bytesLength));
+}
+/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+const oidNist = (suffix) => ({
+    oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),
+});
+//# sourceMappingURL=utils.js.map
+;// ./node_modules/@noble/post-quantum/node_modules/@noble/curves/utils.js
+/**
+ * Hex, bytes and number utilities.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+
+
+const _0n = /* @__PURE__ */ BigInt(0);
+const _1n = /* @__PURE__ */ BigInt(1);
+function abool(value, title = '') {
+    if (typeof value !== 'boolean') {
+        const prefix = title && `"${title}" `;
+        throw new Error(prefix + 'expected boolean, got type=' + typeof value);
+    }
+    return value;
+}
+// Used in weierstrass, der
+function abignumber(n) {
+    if (typeof n === 'bigint') {
+        if (!isPosBig(n))
+            throw new Error('positive bigint expected, got ' + n);
+    }
+    else
+        anumber(n);
+    return n;
+}
+function asafenumber(value, title = '') {
+    if (!Number.isSafeInteger(value)) {
+        const prefix = title && `"${title}" `;
+        throw new Error(prefix + 'expected safe integer, got type=' + typeof value);
+    }
+}
+function numberToHexUnpadded(num) {
+    const hex = abignumber(num).toString(16);
+    return hex.length & 1 ? '0' + hex : hex;
+}
+function hexToNumber(hex) {
+    if (typeof hex !== 'string')
+        throw new Error('hex string expected, got ' + typeof hex);
+    return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian
+}
+// BE: Big Endian, LE: Little Endian
+function bytesToNumberBE(bytes) {
+    return hexToNumber(bytesToHex(bytes));
+}
+function bytesToNumberLE(bytes) {
+    return hexToNumber(bytesToHex(copyBytes(abytes(bytes)).reverse()));
+}
+function numberToBytesBE(n, len) {
+    anumber(len);
+    n = abignumber(n);
+    const res = hexToBytes(n.toString(16).padStart(len * 2, '0'));
+    if (res.length !== len)
+        throw new Error('number too large');
+    return res;
+}
+function numberToBytesLE(n, len) {
+    return numberToBytesBE(n, len).reverse();
+}
+// Unpadded, rarely used
+function numberToVarBytesBE(n) {
+    return hexToBytes(numberToHexUnpadded(abignumber(n)));
+}
+// Compares 2 u8a-s in kinda constant time
+function equalBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+/**
+ * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
+ * and Buffer#slice creates mutable copy. Never use Buffers!
+ */
+function copyBytes(bytes) {
+    return Uint8Array.from(bytes);
+}
+/**
+ * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
+ * Should be safe to use for things expected to be ASCII.
+ * Returns exact same result as `TextEncoder` for ASCII or throws.
+ */
+function asciiToBytes(ascii) {
+    return Uint8Array.from(ascii, (c, i) => {
+        const charCode = c.charCodeAt(0);
+        if (c.length !== 1 || charCode > 127) {
+            throw new Error(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
+        }
+        return charCode;
+    });
+}
+// Is positive bigint
+const isPosBig = (n) => typeof n === 'bigint' && _0n <= n;
+function inRange(n, min, max) {
+    return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+/**
+ * Asserts min <= n < max. NOTE: It's < max and not <= max.
+ * @example
+ * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
+ */
+function aInRange(title, n, min, max) {
+    // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?
+    // consider P=256n, min=0n, max=P
+    // - a for min=0 would require -1:          `inRange('x', x, -1n, P)`
+    // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`
+    // - our way is the cleanest:               `inRange('x', x, 0n, P)
+    if (!inRange(n, min, max))
+        throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);
+}
+// Bit operations
+/**
+ * Calculates amount of bits in a bigint.
+ * Same as `n.toString(2).length`
+ * TODO: merge with nLength in modular
+ */
+function bitLen(n) {
+    let len;
+    for (len = 0; n > _0n; n >>= _1n, len += 1)
+        ;
+    return len;
+}
+/**
+ * Gets single bit at position.
+ * NOTE: first bit position is 0 (same as arrays)
+ * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
+ */
+function bitGet(n, pos) {
+    return (n >> BigInt(pos)) & _1n;
+}
+/**
+ * Sets single bit at position.
+ */
+function bitSet(n, pos, value) {
+    return n | ((value ? _1n : _0n) << BigInt(pos));
+}
+/**
+ * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
+ * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
+ */
+const bitMask = (n) => (_1n << BigInt(n)) - _1n;
+/**
+ * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+ * @returns function that will call DRBG until 2nd arg returns something meaningful
+ * @example
+ *   const drbg = createHmacDRBG<Key>(32, 32, hmac);
+ *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
+ */
+function createHmacDrbg(hashLen, qByteLen, hmacFn) {
+    anumber(hashLen, 'hashLen');
+    anumber(qByteLen, 'qByteLen');
+    if (typeof hmacFn !== 'function')
+        throw new Error('hmacFn must be a function');
+    const u8n = (len) => new Uint8Array(len); // creates Uint8Array
+    const NULL = Uint8Array.of();
+    const byte0 = Uint8Array.of(0x00);
+    const byte1 = Uint8Array.of(0x01);
+    const _maxDrbgIters = 1000;
+    // Step B, Step C: set hashLen to 8*ceil(hlen/8)
+    let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+    let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
+    let i = 0; // Iterations counter, will throw when over 1000
+    const reset = () => {
+        v.fill(1);
+        k.fill(0);
+        i = 0;
+    };
+    const h = (...msgs) => hmacFn(k, concatBytes(v, ...msgs)); // hmac(k)(v, ...values)
+    const reseed = (seed = NULL) => {
+        // HMAC-DRBG reseed() function. Steps D-G
+        k = h(byte0, seed); // k = hmac(k || v || 0x00 || seed)
+        v = h(); // v = hmac(k || v)
+        if (seed.length === 0)
+            return;
+        k = h(byte1, seed); // k = hmac(k || v || 0x01 || seed)
+        v = h(); // v = hmac(k || v)
+    };
+    const gen = () => {
+        // HMAC-DRBG generate() function
+        if (i++ >= _maxDrbgIters)
+            throw new Error('drbg: tried max amount of iterations');
+        let len = 0;
+        const out = [];
+        while (len < qByteLen) {
+            v = h();
+            const sl = v.slice();
+            out.push(sl);
+            len += v.length;
+        }
+        return concatBytes(...out);
+    };
+    const genUntil = (seed, pred) => {
+        reset();
+        reseed(seed); // Steps D-G
+        let res = undefined; // Step H: grind until k is in [1..n-1]
+        while (!(res = pred(gen())))
+            reseed();
+        reset();
+        return res;
+    };
+    return genUntil;
+}
+function validateObject(object, fields = {}, optFields = {}) {
+    if (!object || typeof object !== 'object')
+        throw new Error('expected valid options object');
+    function checkField(fieldName, expectedType, isOpt) {
+        const val = object[fieldName];
+        if (isOpt && val === undefined)
+            return;
+        const current = typeof val;
+        if (current !== expectedType || val === null)
+            throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+    }
+    const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
+    iter(fields, false);
+    iter(optFields, true);
+}
+/**
+ * throws not implemented error
+ */
+const notImplemented = () => {
+    throw new Error('not implemented');
+};
+/**
+ * Memoizes (caches) computation result.
+ * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
+ */
+function memoized(fn) {
+    const map = new WeakMap();
+    return (arg, ...args) => {
+        const val = map.get(arg);
+        if (val !== undefined)
+            return val;
+        const computed = fn(arg, ...args);
+        map.set(arg, computed);
+        return computed;
+    };
+}
+//# sourceMappingURL=utils.js.map
+;// ./node_modules/@noble/post-quantum/node_modules/@noble/hashes/_u64.js
+/**
+ * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
+ * @todo re-check https://issues.chromium.org/issues/42212588
+ * @module
+ */
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+    if (le)
+        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
+    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+    const len = lst.length;
+    let Ah = new Uint32Array(len);
+    let Al = new Uint32Array(len);
+    for (let i = 0; i < len; i++) {
+        const { h, l } = fromBig(lst[i], le);
+        [Ah[i], Al[i]] = [h, l];
+    }
+    return [Ah, Al];
+}
+const toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);
+// for Shift in [0, 32)
+const shrSH = (h, _l, s) => h >>> s;
+const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in [1, 32)
+const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
+const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
+const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
+const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
+// Right rotate for shift===32 (just swaps l&h)
+const rotr32H = (_h, l) => l;
+const rotr32L = (h, _l) => h;
+// Left rotate for Shift in [1, 32)
+const rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
+const rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
+// Left rotate for Shift in (32, 64), NOTE: 32 is special case.
+const rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
+const rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
+// JS uses 32-bit signed integers for bitwise operations which means we cannot
+// simple take carry out of low bit sum by shift, we need to use division.
+function add(Ah, Al, Bh, Bl) {
+    const l = (Al >>> 0) + (Bl >>> 0);
+    return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
+}
+// Addition with more than 2 elements
+const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
+const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
+const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
+// prettier-ignore
+
+// prettier-ignore
+const u64 = {
+    fromBig, split, toBig,
+    shrSH, shrSL,
+    rotrSH, rotrSL, rotrBH, rotrBL,
+    rotr32H, rotr32L,
+    rotlSH, rotlSL, rotlBH, rotlBL,
+    add, add3L, add3H, add4L, add4H, add5H, add5L,
+};
+/* harmony default export */ const _u64 = (u64);
+//# sourceMappingURL=_u64.js.map
+;// ./node_modules/@noble/post-quantum/node_modules/@noble/hashes/sha3.js
+/**
+ * SHA3 (keccak) hash function, based on a new "Sponge function" design.
+ * Different from older hashes, the internal state is bigger than output size.
+ *
+ * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf),
+ * [Website](https://keccak.team/keccak.html),
+ * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub).
+ *
+ * Check out `sha3-addons` module for cSHAKE, k12, and others.
+ * @module
+ */
+
+// prettier-ignore
+
+// No __PURE__ annotations in sha3 header:
+// EVERYTHING is in fact used on every export.
+// Various per round constants calculations
+const sha3_0n = BigInt(0);
+const sha3_1n = BigInt(1);
+const _2n = BigInt(2);
+const _7n = BigInt(7);
+const _256n = BigInt(256);
+const _0x71n = BigInt(0x71);
+const SHA3_PI = [];
+const SHA3_ROTL = [];
+const _SHA3_IOTA = []; // no pure annotation: var is always used
+for (let round = 0, R = sha3_1n, x = 1, y = 0; round < 24; round++) {
+    // Pi
+    [x, y] = [y, (2 * x + 3 * y) % 5];
+    SHA3_PI.push(2 * (5 * y + x));
+    // Rotational
+    SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);
+    // Iota
+    let t = sha3_0n;
+    for (let j = 0; j < 7; j++) {
+        R = ((R << sha3_1n) ^ ((R >> _7n) * _0x71n)) % _256n;
+        if (R & _2n)
+            t ^= sha3_1n << ((sha3_1n << BigInt(j)) - sha3_1n);
+    }
+    _SHA3_IOTA.push(t);
+}
+const IOTAS = split(_SHA3_IOTA, true);
+const SHA3_IOTA_H = IOTAS[0];
+const SHA3_IOTA_L = IOTAS[1];
+// Left rotation (without 0, 32, 64)
+const rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));
+const rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));
+/** `keccakf1600` internal function, additionally allows to adjust round count. */
+function keccakP(s, rounds = 24) {
+    const B = new Uint32Array(5 * 2);
+    // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)
+    for (let round = 24 - rounds; round < 24; round++) {
+        // Theta θ
+        for (let x = 0; x < 10; x++)
+            B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
+        for (let x = 0; x < 10; x += 2) {
+            const idx1 = (x + 8) % 10;
+            const idx0 = (x + 2) % 10;
+            const B0 = B[idx0];
+            const B1 = B[idx0 + 1];
+            const Th = rotlH(B0, B1, 1) ^ B[idx1];
+            const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
+            for (let y = 0; y < 50; y += 10) {
+                s[x + y] ^= Th;
+                s[x + y + 1] ^= Tl;
+            }
+        }
+        // Rho (ρ) and Pi (π)
+        let curH = s[2];
+        let curL = s[3];
+        for (let t = 0; t < 24; t++) {
+            const shift = SHA3_ROTL[t];
+            const Th = rotlH(curH, curL, shift);
+            const Tl = rotlL(curH, curL, shift);
+            const PI = SHA3_PI[t];
+            curH = s[PI];
+            curL = s[PI + 1];
+            s[PI] = Th;
+            s[PI + 1] = Tl;
+        }
+        // Chi (χ)
+        for (let y = 0; y < 50; y += 10) {
+            for (let x = 0; x < 10; x++)
+                B[x] = s[y + x];
+            for (let x = 0; x < 10; x++)
+                s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
+        }
+        // Iota (ι)
+        s[0] ^= SHA3_IOTA_H[round];
+        s[1] ^= SHA3_IOTA_L[round];
+    }
+    clean(B);
+}
+/** Keccak sponge function. */
+class Keccak {
+    state;
+    pos = 0;
+    posOut = 0;
+    finished = false;
+    state32;
+    destroyed = false;
+    blockLen;
+    suffix;
+    outputLen;
+    enableXOF = false;
+    rounds;
+    // NOTE: we accept arguments in bytes instead of bits here.
+    constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
+        this.blockLen = blockLen;
+        this.suffix = suffix;
+        this.outputLen = outputLen;
+        this.enableXOF = enableXOF;
+        this.rounds = rounds;
+        // Can be passed from user as dkLen
+        anumber(outputLen, 'outputLen');
+        // 1600 = 5x5 matrix of 64bit.  1600 bits === 200 bytes
+        // 0 < blockLen < 200
+        if (!(0 < blockLen && blockLen < 200))
+            throw new Error('only keccak-f1600 function is supported');
+        this.state = new Uint8Array(200);
+        this.state32 = u32(this.state);
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    keccak() {
+        swap32IfBE(this.state32);
+        keccakP(this.state32, this.rounds);
+        swap32IfBE(this.state32);
+        this.posOut = 0;
+        this.pos = 0;
+    }
+    update(data) {
+        aexists(this);
+        abytes(data);
+        const { blockLen, state } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            for (let i = 0; i < take; i++)
+                state[this.pos++] ^= data[pos++];
+            if (this.pos === blockLen)
+                this.keccak();
+        }
+        return this;
+    }
+    finish() {
+        if (this.finished)
+            return;
+        this.finished = true;
+        const { state, suffix, pos, blockLen } = this;
+        // Do the padding
+        state[pos] ^= suffix;
+        if ((suffix & 0x80) !== 0 && pos === blockLen - 1)
+            this.keccak();
+        state[blockLen - 1] ^= 0x80;
+        this.keccak();
+    }
+    writeInto(out) {
+        aexists(this, false);
+        abytes(out);
+        this.finish();
+        const bufferOut = this.state;
+        const { blockLen } = this;
+        for (let pos = 0, len = out.length; pos < len;) {
+            if (this.posOut >= blockLen)
+                this.keccak();
+            const take = Math.min(blockLen - this.posOut, len - pos);
+            out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
+            this.posOut += take;
+            pos += take;
+        }
+        return out;
+    }
+    xofInto(out) {
+        // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF
+        if (!this.enableXOF)
+            throw new Error('XOF is not possible for this instance');
+        return this.writeInto(out);
+    }
+    xof(bytes) {
+        anumber(bytes);
+        return this.xofInto(new Uint8Array(bytes));
+    }
+    digestInto(out) {
+        aoutput(out, this);
+        if (this.finished)
+            throw new Error('digest() was already called');
+        this.writeInto(out);
+        this.destroy();
+        return out;
+    }
+    digest() {
+        return this.digestInto(new Uint8Array(this.outputLen));
+    }
+    destroy() {
+        this.destroyed = true;
+        clean(this.state);
+    }
+    _cloneInto(to) {
+        const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
+        to ||= new Keccak(blockLen, suffix, outputLen, enableXOF, rounds);
+        to.state32.set(this.state32);
+        to.pos = this.pos;
+        to.posOut = this.posOut;
+        to.finished = this.finished;
+        to.rounds = rounds;
+        // Suffix can change in cSHAKE
+        to.suffix = suffix;
+        to.outputLen = outputLen;
+        to.enableXOF = enableXOF;
+        to.destroyed = this.destroyed;
+        return to;
+    }
+}
+const genKeccak = (suffix, blockLen, outputLen, info = {}) => createHasher(() => new Keccak(blockLen, suffix, outputLen), info);
+/** SHA3-224 hash function. */
+const sha3_224 = /* @__PURE__ */ genKeccak(0x06, 144, 28, 
+/* @__PURE__ */ oidNist(0x07));
+/** SHA3-256 hash function. Different from keccak-256. */
+const sha3_256 = /* @__PURE__ */ genKeccak(0x06, 136, 32, 
+/* @__PURE__ */ oidNist(0x08));
+/** SHA3-384 hash function. */
+const sha3_384 = /* @__PURE__ */ genKeccak(0x06, 104, 48, 
+/* @__PURE__ */ oidNist(0x09));
+/** SHA3-512 hash function. */
+const sha3_512 = /* @__PURE__ */ genKeccak(0x06, 72, 64, 
+/* @__PURE__ */ oidNist(0x0a));
+/** keccak-224 hash function. */
+const keccak_224 = /* @__PURE__ */ genKeccak(0x01, 144, 28);
+/** keccak-256 hash function. Different from SHA3-256. */
+const keccak_256 = /* @__PURE__ */ genKeccak(0x01, 136, 32);
+/** keccak-384 hash function. */
+const keccak_384 = /* @__PURE__ */ genKeccak(0x01, 104, 48);
+/** keccak-512 hash function. */
+const keccak_512 = /* @__PURE__ */ genKeccak(0x01, 72, 64);
+const genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true), info);
+/** SHAKE128 XOF with 128-bit security. */
+const shake128 = 
+/* @__PURE__ */
+genShake(0x1f, 168, 16, /* @__PURE__ */ oidNist(0x0b));
+/** SHAKE256 XOF with 256-bit security. */
+const shake256 = 
+/* @__PURE__ */
+genShake(0x1f, 136, 32, /* @__PURE__ */ oidNist(0x0c));
+/** SHAKE128 XOF with 256-bit output (NIST version). */
+const shake128_32 = 
+/* @__PURE__ */
+genShake(0x1f, 168, 32, /* @__PURE__ */ oidNist(0x0b));
+/** SHAKE256 XOF with 512-bit output (NIST version). */
+const shake256_64 = 
+/* @__PURE__ */
+genShake(0x1f, 136, 64, /* @__PURE__ */ oidNist(0x0c));
+//# sourceMappingURL=sha3.js.map
+;// ./node_modules/@noble/post-quantum/node_modules/@noble/curves/abstract/fft.js
+function checkU32(n) {
+    // 0xff_ff_ff_ff
+    if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)
+        throw new Error('wrong u32 integer:' + n);
+    return n;
+}
+/** Checks if integer is in form of `1 << X` */
+function isPowerOfTwo(x) {
+    checkU32(x);
+    return (x & (x - 1)) === 0 && x !== 0;
+}
+function nextPowerOfTwo(n) {
+    checkU32(n);
+    if (n <= 1)
+        return 1;
+    return (1 << (log2(n - 1) + 1)) >>> 0;
+}
+function reverseBits(n, bits) {
+    checkU32(n);
+    let reversed = 0;
+    for (let i = 0; i < bits; i++, n >>>= 1)
+        reversed = (reversed << 1) | (n & 1);
+    return reversed;
+}
+/** Similar to `bitLen(x)-1` but much faster for small integers, like indices */
+function log2(n) {
+    checkU32(n);
+    return 31 - Math.clz32(n);
+}
+/**
+ * Moves lowest bit to highest position, which at first step splits
+ * array on even and odd indices, then it applied again to each part,
+ * which is core of fft
+ */
+function bitReversalInplace(values) {
+    const n = values.length;
+    if (n < 2 || !isPowerOfTwo(n))
+        throw new Error('n must be a power of 2 and greater than 1. Got ' + n);
+    const bits = log2(n);
+    for (let i = 0; i < n; i++) {
+        const j = reverseBits(i, bits);
+        if (i < j) {
+            const tmp = values[i];
+            values[i] = values[j];
+            values[j] = tmp;
+        }
+    }
+    return values;
+}
+function bitReversalPermutation(values) {
+    return bitReversalInplace(values.slice());
+}
+const fft_1n = /** @__PURE__ */ BigInt(1);
+function findGenerator(field) {
+    let G = BigInt(2);
+    for (; field.eql(field.pow(G, field.ORDER >> fft_1n), field.ONE); G++)
+        ;
+    return G;
+}
+/** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */
+function rootsOfUnity(field, generator) {
+    // Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
+    let oddFactor = field.ORDER - fft_1n;
+    let powerOfTwo = 0;
+    for (; (oddFactor & fft_1n) !== fft_1n; powerOfTwo++, oddFactor >>= fft_1n)
+        ;
+    // Find non quadratic residue
+    let G = generator !== undefined ? BigInt(generator) : findGenerator(field);
+    // Powers of generator
+    const omegas = new Array(powerOfTwo + 1);
+    omegas[powerOfTwo] = field.pow(G, oddFactor);
+    for (let i = powerOfTwo; i > 0; i--)
+        omegas[i - 1] = field.sqr(omegas[i]);
+    // Compute all roots of unity for powers up to maxPower
+    const rootsCache = [];
+    const checkBits = (bits) => {
+        checkU32(bits);
+        if (bits > 31 || bits > powerOfTwo)
+            throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);
+        return bits;
+    };
+    const precomputeRoots = (maxPower) => {
+        checkBits(maxPower);
+        for (let power = maxPower; power >= 0; power--) {
+            if (rootsCache[power])
+                continue; // Skip if we've already computed roots for this power
+            const rootsAtPower = [];
+            for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))
+                rootsAtPower.push(cur);
+            rootsCache[power] = rootsAtPower;
+        }
+        return rootsCache[maxPower];
+    };
+    const brpCache = new Map();
+    const inverseCache = new Map();
+    // NOTE: we use bits instead of power, because power = 2**bits,
+    // but power is not neccesary isPowerOfTwo(power)!
+    return {
+        info: { G, powerOfTwo, oddFactor },
+        roots: (bits) => {
+            const b = checkBits(bits);
+            return precomputeRoots(b);
+        },
+        brp(bits) {
+            const b = checkBits(bits);
+            if (brpCache.has(b))
+                return brpCache.get(b);
+            else {
+                const res = bitReversalPermutation(this.roots(b));
+                brpCache.set(b, res);
+                return res;
+            }
+        },
+        inverse(bits) {
+            const b = checkBits(bits);
+            if (inverseCache.has(b))
+                return inverseCache.get(b);
+            else {
+                const res = field.invertBatch(this.roots(b));
+                inverseCache.set(b, res);
+                return res;
+            }
+        },
+        omega: (bits) => omegas[checkBits(bits)],
+        clear: () => {
+            rootsCache.splice(0, rootsCache.length);
+            brpCache.clear();
+        },
+    };
+}
+/**
+ * Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
+ *
+ * - DIT (Decimation-in-Time): Bottom-Up (leaves -> root), Cool-Turkey
+ * - DIF (Decimation-in-Frequency): Top-Down (root -> leaves), Gentleman–Sande
+ *
+ * DIT takes brp input, returns natural output.
+ * DIF takes natural input, returns brp output.
+ *
+ * The output is actually identical. Time / frequence distinction is not meaningful
+ * for Polynomial multiplication in fields.
+ * Which means if protocol supports/needs brp output/inputs, then we can skip this step.
+ *
+ * Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
+ * Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
+ */
+const FFTCore = (F, coreOpts) => {
+    const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
+    const bits = log2(N);
+    if (!isPowerOfTwo(N))
+        throw new Error('FFT: Polynomial size should be power of two');
+    const isDit = dit !== invertButterflies;
+    isDit;
+    return (values) => {
+        if (values.length !== N)
+            throw new Error('FFT: wrong Polynomial length');
+        if (dit && brp)
+            bitReversalInplace(values);
+        for (let i = 0, g = 1; i < bits - skipStages; i++) {
+            // For each stage s (sub-FFT length m = 2^s)
+            const s = dit ? i + 1 + skipStages : bits - i;
+            const m = 1 << s;
+            const m2 = m >> 1;
+            const stride = N >> s;
+            // Loop over each subarray of length m
+            for (let k = 0; k < N; k += m) {
+                // Loop over each butterfly within the subarray
+                for (let j = 0, grp = g++; j < m2; j++) {
+                    const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;
+                    const i0 = k + j;
+                    const i1 = k + j + m2;
+                    const omega = roots[rootPos];
+                    const b = values[i1];
+                    const a = values[i0];
+                    // Inlining gives us 10% perf in kyber vs functions
+                    if (isDit) {
+                        const t = F.mul(b, omega); // Standard DIT butterfly
+                        values[i0] = F.add(a, t);
+                        values[i1] = F.sub(a, t);
+                    }
+                    else if (invertButterflies) {
+                        values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
+                        values[i1] = F.mul(F.sub(b, a), omega);
+                    }
+                    else {
+                        values[i0] = F.add(a, b); // Standard DIF butterfly
+                        values[i1] = F.mul(F.sub(a, b), omega);
+                    }
+                }
+            }
+        }
+        if (!dit && brp)
+            bitReversalInplace(values);
+        return values;
+    };
+};
+/**
+ * NTT aka FFT over finite field (NOT over complex numbers).
+ * Naming mirrors other libraries.
+ */
+function FFT(roots, opts) {
+    const getLoop = (N, roots, brpInput = false, brpOutput = false) => {
+        if (brpInput && brpOutput) {
+            // we cannot optimize this case, but lets support it anyway
+            return (values) => FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));
+        }
+        if (brpInput)
+            return FFTCore(opts, { N, roots, dit: true, brp: false });
+        if (brpOutput)
+            return FFTCore(opts, { N, roots, dit: false, brp: false });
+        return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural
+    };
+    return {
+        direct(values, brpInput = false, brpOutput = false) {
+            const N = values.length;
+            if (!isPowerOfTwo(N))
+                throw new Error('FFT: Polynomial size should be power of two');
+            const bits = log2(N);
+            return getLoop(N, roots.roots(bits), brpInput, brpOutput)(values.slice());
+        },
+        inverse(values, brpInput = false, brpOutput = false) {
+            const N = values.length;
+            const bits = log2(N);
+            const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());
+            const ivm = opts.inv(BigInt(values.length)); // scale
+            // we can get brp output if we use dif instead of dit!
+            for (let i = 0; i < res.length; i++)
+                res[i] = opts.mul(res[i], ivm);
+            // Allows to re-use non-inverted roots, but is VERY fragile
+            // return [res[0]].concat(res.slice(1).reverse());
+            // inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)
+            return res;
+        },
+    };
+}
+function poly(field, roots, create, fft, length) {
+    const F = field;
+    const _create = create ||
+        ((len, elm) => new Array(len).fill(elm ?? F.ZERO));
+    const isPoly = (x) => Array.isArray(x) || ArrayBuffer.isView(x);
+    const checkLength = (...lst) => {
+        if (!lst.length)
+            return 0;
+        for (const i of lst)
+            if (!isPoly(i))
+                throw new Error('poly: not polynomial: ' + i);
+        const L = lst[0].length;
+        for (let i = 1; i < lst.length; i++)
+            if (lst[i].length !== L)
+                throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
+        if (length !== undefined && L !== length)
+            throw new Error(`poly: expected fixed length ${length}, got ${L}`);
+        return L;
+    };
+    function findOmegaIndex(x, n, brp = false) {
+        const bits = log2(n);
+        const omega = brp ? roots.brp(bits) : roots.roots(bits);
+        for (let i = 0; i < n; i++)
+            if (F.eql(x, omega[i]))
+                return i;
+        return -1;
+    }
+    // TODO: mutating versions for mlkem/mldsa
+    return {
+        roots,
+        create: _create,
+        length,
+        extend: (a, len) => {
+            checkLength(a);
+            const out = _create(len, F.ZERO);
+            for (let i = 0; i < a.length; i++)
+                out[i] = a[i];
+            return out;
+        },
+        degree: (a) => {
+            checkLength(a);
+            for (let i = a.length - 1; i >= 0; i--)
+                if (!F.is0(a[i]))
+                    return i;
+            return -1;
+        },
+        add: (a, b) => {
+            const len = checkLength(a, b);
+            const out = _create(len);
+            for (let i = 0; i < len; i++)
+                out[i] = F.add(a[i], b[i]);
+            return out;
+        },
+        sub: (a, b) => {
+            const len = checkLength(a, b);
+            const out = _create(len);
+            for (let i = 0; i < len; i++)
+                out[i] = F.sub(a[i], b[i]);
+            return out;
+        },
+        dot: (a, b) => {
+            const len = checkLength(a, b);
+            const out = _create(len);
+            for (let i = 0; i < len; i++)
+                out[i] = F.mul(a[i], b[i]);
+            return out;
+        },
+        mul: (a, b) => {
+            if (isPoly(b)) {
+                const len = checkLength(a, b);
+                if (fft) {
+                    const A = fft.direct(a, false, true);
+                    const B = fft.direct(b, false, true);
+                    for (let i = 0; i < A.length; i++)
+                        A[i] = F.mul(A[i], B[i]);
+                    return fft.inverse(A, true, false);
+                }
+                else {
+                    // NOTE: this is quadratic and mostly for compat tests with FFT
+                    const res = _create(len);
+                    for (let i = 0; i < len; i++) {
+                        for (let j = 0; j < len; j++) {
+                            const k = (i + j) % len; // wrap mod length
+                            res[k] = F.add(res[k], F.mul(a[i], b[j]));
+                        }
+                    }
+                    return res;
+                }
+            }
+            else {
+                const out = _create(checkLength(a));
+                for (let i = 0; i < out.length; i++)
+                    out[i] = F.mul(a[i], b);
+                return out;
+            }
+        },
+        convolve(a, b) {
+            const len = nextPowerOfTwo(a.length + b.length - 1);
+            return this.mul(this.extend(a, len), this.extend(b, len));
+        },
+        shift(p, factor) {
+            const out = _create(checkLength(p));
+            out[0] = p[0];
+            for (let i = 1, power = F.ONE; i < p.length; i++) {
+                power = F.mul(power, factor);
+                out[i] = F.mul(p[i], power);
+            }
+            return out;
+        },
+        clone: (a) => {
+            checkLength(a);
+            const out = _create(a.length);
+            for (let i = 0; i < a.length; i++)
+                out[i] = a[i];
+            return out;
+        },
+        eval: (a, basis) => {
+            checkLength(a);
+            let acc = F.ZERO;
+            for (let i = 0; i < a.length; i++)
+                acc = F.add(acc, F.mul(a[i], basis[i]));
+            return acc;
+        },
+        monomial: {
+            basis: (x, n) => {
+                const out = _create(n);
+                let pow = F.ONE;
+                for (let i = 0; i < n; i++) {
+                    out[i] = pow;
+                    pow = F.mul(pow, x);
+                }
+                return out;
+            },
+            eval: (a, x) => {
+                checkLength(a);
+                // Same as eval(a, monomialBasis(x, a.length)), but it is faster this way
+                let acc = F.ZERO;
+                for (let i = a.length - 1; i >= 0; i--)
+                    acc = F.add(F.mul(acc, x), a[i]);
+                return acc;
+            },
+        },
+        lagrange: {
+            basis: (x, n, brp = false, weights) => {
+                const bits = log2(n);
+                const cache = weights || brp ? roots.brp(bits) : roots.roots(bits); // [ω⁰, ω¹, ..., ωⁿ⁻¹]
+                const out = _create(n);
+                // Fast Kronecker-δ shortcut
+                const idx = findOmegaIndex(x, n, brp);
+                if (idx !== -1) {
+                    out[idx] = F.ONE;
+                    return out;
+                }
+                const tm = F.pow(x, BigInt(n));
+                const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n))); // c = (xⁿ - 1)/n
+                const denom = _create(n);
+                for (let i = 0; i < n; i++)
+                    denom[i] = F.sub(x, cache[i]);
+                const inv = F.invertBatch(denom);
+                for (let i = 0; i < n; i++)
+                    out[i] = F.mul(c, F.mul(cache[i], inv[i]));
+                return out;
+            },
+            eval(a, x, brp = false) {
+                checkLength(a);
+                const idx = findOmegaIndex(x, a.length, brp);
+                if (idx !== -1)
+                    return a[idx]; // fast path
+                const L = this.basis(x, a.length, brp); // Lᵢ(x)
+                let acc = F.ZERO;
+                for (let i = 0; i < a.length; i++)
+                    if (!F.is0(a[i]))
+                        acc = F.add(acc, F.mul(a[i], L[i]));
+                return acc;
+            },
+        },
+        vanishing(roots) {
+            checkLength(roots);
+            const out = _create(roots.length + 1, F.ZERO);
+            out[0] = F.ONE;
+            for (const r of roots) {
+                const neg = F.neg(r);
+                for (let j = out.length - 1; j > 0; j--)
+                    out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
+                out[0] = F.mul(out[0], neg);
+            }
+            return out;
+        },
+    };
+}
+//# sourceMappingURL=fft.js.map
+;// ./node_modules/@noble/post-quantum/utils.js
+/**
+ * Utilities for hex, bytearray and number handling.
+ * @module
+ */
+/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
+
+
+
+const utils_randomBytes = randomBytes;
+// Compares 2 u8a-s in kinda constant time
+function utils_equalBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+// copy bytes to new u8a (aligned). Because Buffer.slice is broken.
+function utils_copyBytes(bytes) {
+    return Uint8Array.from(bytes);
+}
+function validateOpts(opts) {
+    // We try to catch u8a, since it was previously valid argument at this position
+    if (typeof opts !== 'object' || opts === null || isBytes(opts))
+        throw new Error('expected opts to be an object');
+}
+function validateVerOpts(opts) {
+    validateOpts(opts);
+    if (opts.context !== undefined)
+        abytes(opts.context, undefined, 'opts.context');
+}
+function validateSigOpts(opts) {
+    validateVerOpts(opts);
+    if (opts.extraEntropy !== false && opts.extraEntropy !== undefined)
+        abytes(opts.extraEntropy, undefined, 'opts.extraEntropy');
+}
+function splitCoder(label, ...lengths) {
+    const getLength = (c) => (typeof c === 'number' ? c : c.bytesLen);
+    const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+    return {
+        bytesLen,
+        encode: (bufs) => {
+            const res = new Uint8Array(bytesLen);
+            for (let i = 0, pos = 0; i < lengths.length; i++) {
+                const c = lengths[i];
+                const l = getLength(c);
+                const b = typeof c === 'number' ? bufs[i] : c.encode(bufs[i]);
+                abytes(b, l, label);
+                res.set(b, pos);
+                if (typeof c !== 'number')
+                    b.fill(0); // clean
+                pos += l;
+            }
+            return res;
+        },
+        decode: (buf) => {
+            abytes(buf, bytesLen, label);
+            const res = [];
+            for (const c of lengths) {
+                const l = getLength(c);
+                const b = buf.subarray(0, l);
+                res.push(typeof c === 'number' ? b : c.decode(b));
+                buf = buf.subarray(l);
+            }
+            return res;
+        },
+    };
+}
+// nano-packed.array (fixed size)
+function vecCoder(c, vecLen) {
+    const bytesLen = vecLen * c.bytesLen;
+    return {
+        bytesLen,
+        encode: (u) => {
+            if (u.length !== vecLen)
+                throw new Error(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+            const res = new Uint8Array(bytesLen);
+            for (let i = 0, pos = 0; i < u.length; i++) {
+                const b = c.encode(u[i]);
+                res.set(b, pos);
+                b.fill(0); // clean
+                pos += b.length;
+            }
+            return res;
+        },
+        decode: (a) => {
+            abytes(a, bytesLen);
+            const r = [];
+            for (let i = 0; i < a.length; i += c.bytesLen)
+                r.push(c.decode(a.subarray(i, i + c.bytesLen)));
+            return r;
+        },
+    };
+}
+// cleanBytes(Uint8Array.of(), [Uint16Array.of(), Uint32Array.of()])
+function cleanBytes(...list) {
+    for (const t of list) {
+        if (Array.isArray(t))
+            for (const b of t)
+                b.fill(0);
+        else
+            t.fill(0);
+    }
+}
+function getMask(bits) {
+    return (1 << bits) - 1; // 4 -> 0b1111
+}
+const EMPTY = Uint8Array.of();
+function getMessage(msg, ctx = EMPTY) {
+    abytes(msg);
+    abytes(ctx);
+    if (ctx.length > 255)
+        throw new Error('context should be less than 255 bytes');
+    return concatBytes(new Uint8Array([0, ctx.length]), ctx, msg);
+}
+// 06 09 60 86 48 01 65 03 04 02
+const oidNistP = /* @__PURE__ */ Uint8Array.from([6, 9, 0x60, 0x86, 0x48, 1, 0x65, 3, 4, 2]);
+function checkHash(hash, requiredStrength = 0) {
+    if (!hash.oid || !utils_equalBytes(hash.oid.subarray(0, 10), oidNistP))
+        throw new Error('hash.oid is invalid: expected NIST hash');
+    const collisionResistance = (hash.outputLen * 8) / 2;
+    if (requiredStrength > collisionResistance) {
+        throw new Error('Pre-hash security strength too low: ' +
+            collisionResistance +
+            ', required: ' +
+            requiredStrength);
+    }
+}
+function getMessagePrehash(hash, msg, ctx = EMPTY) {
+    abytes(msg);
+    abytes(ctx);
+    if (ctx.length > 255)
+        throw new Error('context should be less than 255 bytes');
+    const hashed = hash(msg);
+    return concatBytes(new Uint8Array([1, ctx.length]), ctx, hash.oid, hashed);
+}
+//# sourceMappingURL=utils.js.map
+;// ./node_modules/@noble/post-quantum/_crystals.js
+/**
+ * Internal methods for lattice-based ML-KEM and ML-DSA.
+ * @module
+ */
+/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
+
+
+
+const genCrystals = (opts) => {
+    // isKyber: true means Kyber, false means Dilithium
+    const { newPoly, N, Q, F, ROOT_OF_UNITY, brvBits, isKyber } = opts;
+    const mod = (a, modulo = Q) => {
+        const result = a % modulo | 0;
+        return (result >= 0 ? result | 0 : (modulo + result) | 0) | 0;
+    };
+    // -(Q-1)/2 < a <= (Q-1)/2
+    const smod = (a, modulo = Q) => {
+        const r = mod(a, modulo) | 0;
+        return (r > modulo >> 1 ? (r - modulo) | 0 : r) | 0;
+    };
+    // Generate zettas (different from roots of unity, negacyclic uses phi, where acyclic uses omega)
+    function getZettas() {
+        const out = newPoly(N);
+        for (let i = 0; i < N; i++) {
+            const b = reverseBits(i, brvBits);
+            const p = BigInt(ROOT_OF_UNITY) ** BigInt(b) % BigInt(Q);
+            out[i] = Number(p) | 0;
+        }
+        return out;
+    }
+    const nttZetas = getZettas();
+    // Number-Theoretic Transform
+    // Explained: https://electricdusk.com/ntt.html
+    // Kyber has slightly different params, since there is no 512th primitive root of unity mod q,
+    // only 256th primitive root of unity mod. Which also complicates MultiplyNTT.
+    const field = {
+        add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+        sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+        mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+        inv: (_a) => {
+            throw new Error('not implemented');
+        },
+    };
+    const nttOpts = {
+        N,
+        roots: nttZetas,
+        invertButterflies: true,
+        skipStages: isKyber ? 1 : 0,
+        brp: false,
+    };
+    const dif = FFTCore(field, { dit: false, ...nttOpts });
+    const dit = FFTCore(field, { dit: true, ...nttOpts });
+    const NTT = {
+        encode: (r) => {
+            return dif(r);
+        },
+        decode: (r) => {
+            dit(r);
+            // kyber uses 128 here, because brv && stuff
+            for (let i = 0; i < r.length; i++)
+                r[i] = mod(F * r[i]);
+            return r;
+        },
+    };
+    // Encode polynominal as bits
+    const bitsCoder = (d, c) => {
+        const mask = getMask(d);
+        const bytesLen = d * (N / 8);
+        return {
+            bytesLen,
+            encode: (poly) => {
+                const r = new Uint8Array(bytesLen);
+                for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+                    buf |= (c.encode(poly[i]) & mask) << bufLen;
+                    bufLen += d;
+                    for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+                        r[pos++] = buf & getMask(bufLen);
+                }
+                return r;
+            },
+            decode: (bytes) => {
+                const r = newPoly(N);
+                for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+                    buf |= bytes[i] << bufLen;
+                    bufLen += 8;
+                    for (; bufLen >= d; bufLen -= d, buf >>= d)
+                        r[pos++] = c.decode(buf & mask);
+                }
+                return r;
+            },
+        };
+    };
+    return { mod, smod, nttZetas, NTT, bitsCoder };
+};
+const createXofShake = (shake) => (seed, blockLen) => {
+    if (!blockLen)
+        blockLen = shake.blockLen;
+    // Optimizations that won't mater:
+    // - cached seed update (two .update(), on start and on the end)
+    // - another cache which cloned into working copy
+    // Faster than multiple updates, since seed less than blockLen
+    const _seed = new Uint8Array(seed.length + 2);
+    _seed.set(seed);
+    const seedLen = seed.length;
+    const buf = new Uint8Array(blockLen); // == shake128.blockLen
+    let h = shake.create({});
+    let calls = 0;
+    let xofs = 0;
+    return {
+        stats: () => ({ calls, xofs }),
+        get: (x, y) => {
+            _seed[seedLen + 0] = x;
+            _seed[seedLen + 1] = y;
+            h.destroy();
+            h = shake.create({}).update(_seed);
+            calls++;
+            return () => {
+                xofs++;
+                return h.xofInto(buf);
+            };
+        },
+        clean: () => {
+            h.destroy();
+            cleanBytes(buf, _seed);
+        },
+    };
+};
+const XOF128 = /* @__PURE__ */ createXofShake(shake128);
+const XOF256 = /* @__PURE__ */ createXofShake(shake256);
+//# sourceMappingURL=_crystals.js.map
+;// ./node_modules/@noble/post-quantum/ml-dsa.js
+/**
+ * ML-DSA: Module Lattice-based Digital Signature Algorithm from
+ * [FIPS-204](https://csrc.nist.gov/pubs/fips/204/ipd). A.k.a. CRYSTALS-Dilithium.
+ *
+ * Has similar internals to ML-KEM, but their keys and params are different.
+ * Check out [official site](https://www.pq-crystals.org/dilithium/index.shtml),
+ * [repo](https://github.com/pq-crystals/dilithium).
+ * @module
+ */
+/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
+
+
+
+
+function validateInternalOpts(opts) {
+    validateOpts(opts);
+    if (opts.externalMu !== undefined)
+        abool(opts.externalMu, 'opts.externalMu');
+}
+// Constants
+const N = 256;
+// 2**23 − 2**13 + 1, 23 bits: multiply will be 46. We have enough precision in JS to avoid bigints
+const Q = 8380417;
+const ROOT_OF_UNITY = 1753;
+// f = 256**−1 mod q, pow(256, -1, q) = 8347681 (python3)
+const F = 8347681;
+const D = 13;
+// Dilithium is kinda parametrized over GAMMA2, but everything will break with any other value.
+const GAMMA2_1 = Math.floor((Q - 1) / 88) | 0;
+const GAMMA2_2 = Math.floor((Q - 1) / 32) | 0;
+/** Internal params for different versions of ML-DSA  */
+// prettier-ignore
+const PARAMS = {
+    2: { K: 4, L: 4, D, GAMMA1: 2 ** 17, GAMMA2: GAMMA2_1, TAU: 39, ETA: 2, OMEGA: 80 },
+    3: { K: 6, L: 5, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 49, ETA: 4, OMEGA: 55 },
+    5: { K: 8, L: 7, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 60, ETA: 2, OMEGA: 75 },
+};
+const newPoly = (n) => new Int32Array(n);
+const { mod, smod, NTT, bitsCoder } = genCrystals({
+    N,
+    Q,
+    F,
+    ROOT_OF_UNITY,
+    newPoly,
+    isKyber: false,
+    brvBits: 8,
+});
+const id = (n) => n;
+const polyCoder = (d, compress = id, verify = id) => bitsCoder(d, {
+    encode: (i) => compress(verify(i)),
+    decode: (i) => verify(compress(i)),
+});
+const polyAdd = (a, b) => {
+    for (let i = 0; i < a.length; i++)
+        a[i] = mod(a[i] + b[i]);
+    return a;
+};
+const polySub = (a, b) => {
+    for (let i = 0; i < a.length; i++)
+        a[i] = mod(a[i] - b[i]);
+    return a;
+};
+const polyShiftl = (p) => {
+    for (let i = 0; i < N; i++)
+        p[i] <<= D;
+    return p;
+};
+const polyChknorm = (p, B) => {
+    // Not very sure about this, but FIPS204 doesn't provide any function for that :(
+    for (let i = 0; i < N; i++)
+        if (Math.abs(smod(p[i])) >= B)
+            return true;
+    return false;
+};
+const MultiplyNTTs = (a, b) => {
+    // NOTE: we don't use montgomery reduction in code, since it requires 64 bit ints,
+    // which is not available in JS. mod(a[i] * b[i]) is ok, since Q is 23 bit,
+    // which means a[i] * b[i] is 46 bit, which is safe to use in JS. (number is 53 bits).
+    // Barrett reduction is slower than mod :(
+    const c = newPoly(N);
+    for (let i = 0; i < a.length; i++)
+        c[i] = mod(a[i] * b[i]);
+    return c;
+};
+// Return poly in NTT representation
+function RejNTTPoly(xof) {
+    // Samples a polynomial ∈ Tq.
+    const r = newPoly(N);
+    // NOTE: we can represent 3xu24 as 4xu32, but it doesn't improve perf :(
+    for (let j = 0; j < N;) {
+        const b = xof();
+        if (b.length % 3)
+            throw new Error('RejNTTPoly: unaligned block');
+        for (let i = 0; j < N && i <= b.length - 3; i += 3) {
+            const t = (b[i + 0] | (b[i + 1] << 8) | (b[i + 2] << 16)) & 0x7fffff; // 3 bytes
+            if (t < Q)
+                r[j++] = t;
+        }
+    }
+    return r;
+}
+function getDilithium(opts) {
+    const { K, L, GAMMA1, GAMMA2, TAU, ETA, OMEGA } = opts;
+    const { CRH_BYTES, TR_BYTES, C_TILDE_BYTES, XOF128, XOF256, securityLevel } = opts;
+    if (![2, 4].includes(ETA))
+        throw new Error('Wrong ETA');
+    if (![1 << 17, 1 << 19].includes(GAMMA1))
+        throw new Error('Wrong GAMMA1');
+    if (![GAMMA2_1, GAMMA2_2].includes(GAMMA2))
+        throw new Error('Wrong GAMMA2');
+    const BETA = TAU * ETA;
+    const decompose = (r) => {
+        // Decomposes r into (r1, r0) such that r ≡ r1(2γ2) + r0 mod q.
+        const rPlus = mod(r);
+        const r0 = smod(rPlus, 2 * GAMMA2) | 0;
+        if (rPlus - r0 === Q - 1)
+            return { r1: 0 | 0, r0: (r0 - 1) | 0 };
+        const r1 = Math.floor((rPlus - r0) / (2 * GAMMA2)) | 0;
+        return { r1, r0 }; // r1 = HighBits, r0 = LowBits
+    };
+    const HighBits = (r) => decompose(r).r1;
+    const LowBits = (r) => decompose(r).r0;
+    const MakeHint = (z, r) => {
+        // Compute hint bit indicating whether adding z to r alters the high bits of r.
+        // From dilithium code
+        const res0 = z <= GAMMA2 || z > Q - GAMMA2 || (z === Q - GAMMA2 && r === 0) ? 0 : 1;
+        // from FIPS204:
+        // // const r1 = HighBits(r);
+        // // const v1 = HighBits(r + z);
+        // // const res1 = +(r1 !== v1);
+        // But they return different results! However, decompose is same.
+        // So, either there is a bug in Dilithium ref implementation or in FIPS204.
+        // For now, lets use dilithium one, so test vectors can be passed.
+        // See
+        // https://github.com/GiacomoPope/dilithium-py?tab=readme-ov-file#optimising-decomposition-and-making-hints
+        return res0;
+    };
+    const UseHint = (h, r) => {
+        // Returns the high bits of r adjusted according to hint h
+        const m = Math.floor((Q - 1) / (2 * GAMMA2));
+        const { r1, r0 } = decompose(r);
+        // 3: if h = 1 and r0 > 0 return (r1 + 1) mod m
+        // 4: if h = 1 and r0 ≤ 0 return (r1 − 1) mod m
+        if (h === 1)
+            return r0 > 0 ? mod(r1 + 1, m) | 0 : mod(r1 - 1, m) | 0;
+        return r1 | 0;
+    };
+    const Power2Round = (r) => {
+        // Decomposes r into (r1, r0) such that r ≡ r1*(2**d) + r0 mod q.
+        const rPlus = mod(r);
+        const r0 = smod(rPlus, 2 ** D) | 0;
+        return { r1: Math.floor((rPlus - r0) / 2 ** D) | 0, r0 };
+    };
+    const hintCoder = {
+        bytesLen: OMEGA + K,
+        encode: (h) => {
+            if (h === false)
+                throw new Error('hint.encode: hint is false'); // should never happen
+            const res = new Uint8Array(OMEGA + K);
+            for (let i = 0, k = 0; i < K; i++) {
+                for (let j = 0; j < N; j++)
+                    if (h[i][j] !== 0)
+                        res[k++] = j;
+                res[OMEGA + i] = k;
+            }
+            return res;
+        },
+        decode: (buf) => {
+            const h = [];
+            let k = 0;
+            for (let i = 0; i < K; i++) {
+                const hi = newPoly(N);
+                if (buf[OMEGA + i] < k || buf[OMEGA + i] > OMEGA)
+                    return false;
+                for (let j = k; j < buf[OMEGA + i]; j++) {
+                    if (j > k && buf[j] <= buf[j - 1])
+                        return false;
+                    hi[buf[j]] = 1;
+                }
+                k = buf[OMEGA + i];
+                h.push(hi);
+            }
+            for (let j = k; j < OMEGA; j++)
+                if (buf[j] !== 0)
+                    return false;
+            return h;
+        },
+    };
+    const ETACoder = polyCoder(ETA === 2 ? 3 : 4, (i) => ETA - i, (i) => {
+        if (!(-ETA <= i && i <= ETA))
+            throw new Error(`malformed key s1/s3 ${i} outside of ETA range [${-ETA}, ${ETA}]`);
+        return i;
+    });
+    const T0Coder = polyCoder(13, (i) => (1 << (D - 1)) - i);
+    const T1Coder = polyCoder(10);
+    // Requires smod. Need to fix!
+    const ZCoder = polyCoder(GAMMA1 === 1 << 17 ? 18 : 20, (i) => smod(GAMMA1 - i));
+    const W1Coder = polyCoder(GAMMA2 === GAMMA2_1 ? 6 : 4);
+    const W1Vec = vecCoder(W1Coder, K);
+    // Main structures
+    const publicCoder = splitCoder('publicKey', 32, vecCoder(T1Coder, K));
+    const secretCoder = splitCoder('secretKey', 32, 32, TR_BYTES, vecCoder(ETACoder, L), vecCoder(ETACoder, K), vecCoder(T0Coder, K));
+    const sigCoder = splitCoder('signature', C_TILDE_BYTES, vecCoder(ZCoder, L), hintCoder);
+    const CoefFromHalfByte = ETA === 2
+        ? (n) => (n < 15 ? 2 - (n % 5) : false)
+        : (n) => (n < 9 ? 4 - n : false);
+    // Return poly in NTT representation
+    function RejBoundedPoly(xof) {
+        // Samples an element a ∈ Rq with coeffcients in [−η, η] computed via rejection sampling from ρ.
+        const r = newPoly(N);
+        for (let j = 0; j < N;) {
+            const b = xof();
+            for (let i = 0; j < N && i < b.length; i += 1) {
+                // half byte. Should be superfast with vector instructions. But very slow with js :(
+                const d1 = CoefFromHalfByte(b[i] & 0x0f);
+                const d2 = CoefFromHalfByte((b[i] >> 4) & 0x0f);
+                if (d1 !== false)
+                    r[j++] = d1;
+                if (j < N && d2 !== false)
+                    r[j++] = d2;
+            }
+        }
+        return r;
+    }
+    const SampleInBall = (seed) => {
+        // Samples a polynomial c ∈ Rq with coeffcients from {−1, 0, 1} and Hamming weight τ
+        const pre = newPoly(N);
+        const s = shake256.create({}).update(seed);
+        const buf = new Uint8Array(shake256.blockLen);
+        s.xofInto(buf);
+        const masks = buf.slice(0, 8);
+        for (let i = N - TAU, pos = 8, maskPos = 0, maskBit = 0; i < N; i++) {
+            let b = i + 1;
+            for (; b > i;) {
+                b = buf[pos++];
+                if (pos < shake256.blockLen)
+                    continue;
+                s.xofInto(buf);
+                pos = 0;
+            }
+            pre[i] = pre[b];
+            pre[b] = 1 - (((masks[maskPos] >> maskBit++) & 1) << 1);
+            if (maskBit >= 8) {
+                maskPos++;
+                maskBit = 0;
+            }
+        }
+        return pre;
+    };
+    const polyPowerRound = (p) => {
+        const res0 = newPoly(N);
+        const res1 = newPoly(N);
+        for (let i = 0; i < p.length; i++) {
+            const { r0, r1 } = Power2Round(p[i]);
+            res0[i] = r0;
+            res1[i] = r1;
+        }
+        return { r0: res0, r1: res1 };
+    };
+    const polyUseHint = (u, h) => {
+        for (let i = 0; i < N; i++)
+            u[i] = UseHint(h[i], u[i]);
+        return u;
+    };
+    const polyMakeHint = (a, b) => {
+        const v = newPoly(N);
+        let cnt = 0;
+        for (let i = 0; i < N; i++) {
+            const h = MakeHint(a[i], b[i]);
+            v[i] = h;
+            cnt += h;
+        }
+        return { v, cnt };
+    };
+    const signRandBytes = 32;
+    const seedCoder = splitCoder('seed', 32, 64, 32);
+    // API & argument positions are exactly as in FIPS204.
+    const internal = {
+        info: { type: 'internal-ml-dsa' },
+        lengths: {
+            secretKey: secretCoder.bytesLen,
+            publicKey: publicCoder.bytesLen,
+            seed: 32,
+            signature: sigCoder.bytesLen,
+            signRand: signRandBytes,
+        },
+        keygen: (seed) => {
+            // H(𝜉||IntegerToBytes(𝑘, 1)||IntegerToBytes(ℓ, 1), 128) 2: ▷ expand seed
+            const seedDst = new Uint8Array(32 + 2);
+            const randSeed = seed === undefined;
+            if (randSeed)
+                seed = utils_randomBytes(32);
+            abytes(seed, 32, 'seed');
+            seedDst.set(seed);
+            if (randSeed)
+                cleanBytes(seed);
+            seedDst[32] = K;
+            seedDst[33] = L;
+            const [rho, rhoPrime, K_] = seedCoder.decode(shake256(seedDst, { dkLen: seedCoder.bytesLen }));
+            const xofPrime = XOF256(rhoPrime);
+            const s1 = [];
+            for (let i = 0; i < L; i++)
+                s1.push(RejBoundedPoly(xofPrime.get(i & 0xff, (i >> 8) & 0xff)));
+            const s2 = [];
+            for (let i = L; i < L + K; i++)
+                s2.push(RejBoundedPoly(xofPrime.get(i & 0xff, (i >> 8) & 0xff)));
+            const s1Hat = s1.map((i) => NTT.encode(i.slice()));
+            const t0 = [];
+            const t1 = [];
+            const xof = XOF128(rho);
+            const t = newPoly(N);
+            for (let i = 0; i < K; i++) {
+                // t ← NTT−1(A*NTT(s1)) + s2
+                cleanBytes(t); // don't-reallocate
+                for (let j = 0; j < L; j++) {
+                    const aij = RejNTTPoly(xof.get(j, i)); // super slow!
+                    polyAdd(t, MultiplyNTTs(aij, s1Hat[j]));
+                }
+                NTT.decode(t);
+                const { r0, r1 } = polyPowerRound(polyAdd(t, s2[i])); // (t1, t0) ← Power2Round(t, d)
+                t0.push(r0);
+                t1.push(r1);
+            }
+            const publicKey = publicCoder.encode([rho, t1]); // pk ← pkEncode(ρ, t1)
+            const tr = shake256(publicKey, { dkLen: TR_BYTES }); // tr ← H(BytesToBits(pk), 512)
+            const secretKey = secretCoder.encode([rho, K_, tr, s1, s2, t0]); // sk ← skEncode(ρ, K,tr, s1, s2, t0)
+            xof.clean();
+            xofPrime.clean();
+            // STATS
+            // Kyber512:  { calls: 4, xofs: 12 }, Kyber768: { calls: 9, xofs: 27 }, Kyber1024: { calls: 16, xofs: 48 }
+            // DSA44:    { calls: 24, xofs: 24 }, DSA65:    { calls: 41, xofs: 41 }, DSA87:    { calls: 71, xofs: 71 }
+            cleanBytes(rho, rhoPrime, K_, s1, s2, s1Hat, t, t0, t1, tr, seedDst);
+            return { publicKey, secretKey };
+        },
+        getPublicKey: (secretKey) => {
+            const [rho, _K, _tr, s1, s2, _t0] = secretCoder.decode(secretKey); // (ρ, K,tr, s1, s2, t0) ← skDecode(sk)
+            const xof = XOF128(rho);
+            const s1Hat = s1.map((p) => NTT.encode(p.slice()));
+            const t1 = [];
+            const tmp = newPoly(N);
+            for (let i = 0; i < K; i++) {
+                tmp.fill(0);
+                for (let j = 0; j < L; j++) {
+                    const aij = RejNTTPoly(xof.get(j, i)); // A_ij in NTT
+                    polyAdd(tmp, MultiplyNTTs(aij, s1Hat[j])); // += A_ij * s1_j
+                }
+                NTT.decode(tmp); // NTT⁻¹
+                polyAdd(tmp, s2[i]); // t_i = A·s1 + s2
+                const { r1 } = polyPowerRound(tmp); // r1 = t1, r0 ≈ t0
+                t1.push(r1);
+            }
+            xof.clean();
+            cleanBytes(tmp, s1Hat, _t0, s1, s2);
+            return publicCoder.encode([rho, t1]);
+        },
+        // NOTE: random is optional.
+        sign: (msg, secretKey, opts = {}) => {
+            validateSigOpts(opts);
+            validateInternalOpts(opts);
+            let { extraEntropy: random, externalMu = false } = opts;
+            // This part can be pre-cached per secretKey, but there is only minor performance improvement,
+            // since we re-use a lot of variables to computation.
+            const [rho, _K, tr, s1, s2, t0] = secretCoder.decode(secretKey); // (ρ, K,tr, s1, s2, t0) ← skDecode(sk)
+            // Cache matrix to avoid re-compute later
+            const A = []; // A ← ExpandA(ρ)
+            const xof = XOF128(rho);
+            for (let i = 0; i < K; i++) {
+                const pv = [];
+                for (let j = 0; j < L; j++)
+                    pv.push(RejNTTPoly(xof.get(j, i)));
+                A.push(pv);
+            }
+            xof.clean();
+            for (let i = 0; i < L; i++)
+                NTT.encode(s1[i]); // sˆ1 ← NTT(s1)
+            for (let i = 0; i < K; i++) {
+                NTT.encode(s2[i]); // sˆ2 ← NTT(s2)
+                NTT.encode(t0[i]); // tˆ0 ← NTT(t0)
+            }
+            // This part is per msg
+            const mu = externalMu
+                ? msg
+                : shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 6: µ ← H(tr||M, 512) ▷ Compute message representative µ
+            // Compute private random seed
+            const rnd = random === false
+                ? new Uint8Array(32)
+                : random === undefined
+                    ? utils_randomBytes(signRandBytes)
+                    : random;
+            abytes(rnd, 32, 'extraEntropy');
+            const rhoprime = shake256
+                .create({ dkLen: CRH_BYTES })
+                .update(_K)
+                .update(rnd)
+                .update(mu)
+                .digest(); // ρ′← H(K||rnd||µ, 512)
+            abytes(rhoprime, CRH_BYTES);
+            const x256 = XOF256(rhoprime, ZCoder.bytesLen);
+            //  Rejection sampling loop
+            main_loop: for (let kappa = 0;;) {
+                const y = [];
+                // y ← ExpandMask(ρ , κ)
+                for (let i = 0; i < L; i++, kappa++)
+                    y.push(ZCoder.decode(x256.get(kappa & 0xff, kappa >> 8)()));
+                const z = y.map((i) => NTT.encode(i.slice()));
+                const w = [];
+                for (let i = 0; i < K; i++) {
+                    // w ← NTT−1(A ◦ NTT(y))
+                    const wi = newPoly(N);
+                    for (let j = 0; j < L; j++)
+                        polyAdd(wi, MultiplyNTTs(A[i][j], z[j]));
+                    NTT.decode(wi);
+                    w.push(wi);
+                }
+                const w1 = w.map((j) => j.map(HighBits)); // w1 ← HighBits(w)
+                // Commitment hash: c˜ ∈{0, 1 2λ } ← H(µ||w1Encode(w1), 2λ)
+                const cTilde = shake256
+                    .create({ dkLen: C_TILDE_BYTES })
+                    .update(mu)
+                    .update(W1Vec.encode(w1))
+                    .digest();
+                // Verifer’s challenge
+                const cHat = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1); cˆ ← NTT(c)
+                // ⟨⟨cs1⟩⟩ ← NTT−1(cˆ◦ sˆ1)
+                const cs1 = s1.map((i) => MultiplyNTTs(i, cHat));
+                for (let i = 0; i < L; i++) {
+                    polyAdd(NTT.decode(cs1[i]), y[i]); // z ← y + ⟨⟨cs1⟩⟩
+                    if (polyChknorm(cs1[i], GAMMA1 - BETA))
+                        continue main_loop; // ||z||∞ ≥ γ1 − β
+                }
+                // cs1 is now z (▷ Signer’s response)
+                let cnt = 0;
+                const h = [];
+                for (let i = 0; i < K; i++) {
+                    const cs2 = NTT.decode(MultiplyNTTs(s2[i], cHat)); // ⟨⟨cs2⟩⟩ ← NTT−1(cˆ◦ sˆ2)
+                    const r0 = polySub(w[i], cs2).map(LowBits); // r0 ← LowBits(w − ⟨⟨cs2⟩⟩)
+                    if (polyChknorm(r0, GAMMA2 - BETA))
+                        continue main_loop; // ||r0||∞ ≥ γ2 − β
+                    const ct0 = NTT.decode(MultiplyNTTs(t0[i], cHat)); // ⟨⟨ct0⟩⟩ ← NTT−1(cˆ◦ tˆ0)
+                    if (polyChknorm(ct0, GAMMA2))
+                        continue main_loop;
+                    polyAdd(r0, ct0);
+                    // ▷ Signer’s hint
+                    const hint = polyMakeHint(r0, w1[i]); // h ← MakeHint(−⟨⟨ct0⟩⟩, w− ⟨⟨cs2⟩⟩ + ⟨⟨ct0⟩⟩)
+                    h.push(hint.v);
+                    cnt += hint.cnt;
+                }
+                if (cnt > OMEGA)
+                    continue; // the number of 1’s in h is greater than ω
+                x256.clean();
+                const res = sigCoder.encode([cTilde, cs1, h]); // σ ← sigEncode(c˜, z mod±q, h)
+                // rho, _K, tr is subarray of secretKey, cannot clean.
+                cleanBytes(cTilde, cs1, h, cHat, w1, w, z, y, rhoprime, mu, s1, s2, t0, ...A);
+                return res;
+            }
+            // @ts-ignore
+            throw new Error('Unreachable code path reached, report this error');
+        },
+        verify: (sig, msg, publicKey, opts = {}) => {
+            validateInternalOpts(opts);
+            const { externalMu = false } = opts;
+            // ML-DSA.Verify(pk, M, σ): Verifes a signature σ for a message M.
+            const [rho, t1] = publicCoder.decode(publicKey); // (ρ, t1) ← pkDecode(pk)
+            const tr = shake256(publicKey, { dkLen: TR_BYTES }); // 6: tr ← H(BytesToBits(pk), 512)
+            if (sig.length !== sigCoder.bytesLen)
+                return false; // return false instead of exception
+            const [cTilde, z, h] = sigCoder.decode(sig); // (c˜, z, h) ← sigDecode(σ), ▷ Signer’s commitment hash c ˜, response z and hint
+            if (h === false)
+                return false; // if h = ⊥ then return false
+            for (let i = 0; i < L; i++)
+                if (polyChknorm(z[i], GAMMA1 - BETA))
+                    return false;
+            const mu = externalMu
+                ? msg
+                : shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 7: µ ← H(tr||M, 512)
+            // Compute verifer’s challenge from c˜
+            const c = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1)
+            const zNtt = z.map((i) => i.slice()); // zNtt = NTT(z)
+            for (let i = 0; i < L; i++)
+                NTT.encode(zNtt[i]);
+            const wTick1 = [];
+            const xof = XOF128(rho);
+            for (let i = 0; i < K; i++) {
+                const ct12d = MultiplyNTTs(NTT.encode(polyShiftl(t1[i])), c); //c * t1 * (2**d)
+                const Az = newPoly(N); // // A * z
+                for (let j = 0; j < L; j++) {
+                    const aij = RejNTTPoly(xof.get(j, i)); // A[i][j] inplace
+                    polyAdd(Az, MultiplyNTTs(aij, zNtt[j]));
+                }
+                // wApprox = A*z - c*t1 * (2**d)
+                const wApprox = NTT.decode(polySub(Az, ct12d));
+                // Reconstruction of signer’s commitment
+                wTick1.push(polyUseHint(wApprox, h[i])); // w ′ ← UseHint(h, w'approx )
+            }
+            xof.clean();
+            // c˜′← H (µ||w1Encode(w′1), 2λ),  Hash it; this should match c˜
+            const c2 = shake256
+                .create({ dkLen: C_TILDE_BYTES })
+                .update(mu)
+                .update(W1Vec.encode(wTick1))
+                .digest();
+            // Additional checks in FIPS-204:
+            // [[ ||z||∞ < γ1 − β ]] and [[c ˜ = c˜′]] and [[number of 1’s in h is ≤ ω]]
+            for (const t of h) {
+                const sum = t.reduce((acc, i) => acc + i, 0);
+                if (!(sum <= OMEGA))
+                    return false;
+            }
+            for (const t of z)
+                if (polyChknorm(t, GAMMA1 - BETA))
+                    return false;
+            return utils_equalBytes(cTilde, c2);
+        },
+    };
+    return {
+        info: { type: 'ml-dsa' },
+        internal,
+        securityLevel: securityLevel,
+        keygen: internal.keygen,
+        lengths: internal.lengths,
+        getPublicKey: internal.getPublicKey,
+        sign: (msg, secretKey, opts = {}) => {
+            validateSigOpts(opts);
+            const M = getMessage(msg, opts.context);
+            const res = internal.sign(M, secretKey, opts);
+            cleanBytes(M);
+            return res;
+        },
+        verify: (sig, msg, publicKey, opts = {}) => {
+            validateVerOpts(opts);
+            return internal.verify(sig, getMessage(msg, opts.context), publicKey);
+        },
+        prehash: (hash) => {
+            checkHash(hash, securityLevel);
+            return {
+                info: { type: 'hashml-dsa' },
+                securityLevel: securityLevel,
+                lengths: internal.lengths,
+                keygen: internal.keygen,
+                getPublicKey: internal.getPublicKey,
+                sign: (msg, secretKey, opts = {}) => {
+                    validateSigOpts(opts);
+                    const M = getMessagePrehash(hash, msg, opts.context);
+                    const res = internal.sign(M, secretKey, opts);
+                    cleanBytes(M);
+                    return res;
+                },
+                verify: (sig, msg, publicKey, opts = {}) => {
+                    validateVerOpts(opts);
+                    return internal.verify(sig, getMessagePrehash(hash, msg, opts.context), publicKey);
+                },
+            };
+        },
+    };
+}
+/** ML-DSA-44 for 128-bit security level. Not recommended after 2030, as per ASD. */
+const ml_dsa44 = /* @__PURE__ */ getDilithium({
+    ...PARAMS[2],
+    CRH_BYTES: 64,
+    TR_BYTES: 64,
+    C_TILDE_BYTES: 32,
+    XOF128: XOF128,
+    XOF256: XOF256,
+    securityLevel: 128,
+});
+/** ML-DSA-65 for 192-bit security level. Not recommended after 2030, as per ASD. */
+const ml_dsa65 = /* @__PURE__ */ getDilithium({
+    ...PARAMS[3],
+    CRH_BYTES: 64,
+    TR_BYTES: 64,
+    C_TILDE_BYTES: 48,
+    XOF128: XOF128,
+    XOF256: XOF256,
+    securityLevel: 192,
+});
+/** ML-DSA-87 for 256-bit security level. OK after 2030, as per ASD. */
+const ml_dsa87 = /* @__PURE__ */ getDilithium({
+    ...PARAMS[5],
+    CRH_BYTES: 64,
+    TR_BYTES: 64,
+    C_TILDE_BYTES: 64,
+    XOF128: XOF128,
+    XOF256: XOF256,
+    securityLevel: 256,
+});
+//# sourceMappingURL=ml-dsa.js.map
+
+/***/ })
+
+}]);
+//# sourceMappingURL=defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js.map