npm - shogun-core - Versions diffs - 5.2.0 → 5.2.2 - Mend

shogun-core 5.2.0 → 5.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (186) hide show

package/README.md +145 -1143
package/dist/browser/defaultVendors-node_modules_hpke_chacha20poly1305_esm_mod_js.shogun-core.js +1220 -0
package/dist/browser/defaultVendors-node_modules_hpke_chacha20poly1305_esm_mod_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_hpke_hybridkem-x-wing_esm_mod_js.shogun-core.js +844 -0
package/dist/browser/defaultVendors-node_modules_hpke_hybridkem-x-wing_esm_mod_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_mlkem_esm_mod_js.shogun-core.js +2335 -0
package/dist/browser/defaultVendors-node_modules_mlkem_esm_mod_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_ciphers_chacha_js.shogun-core.js +999 -0
package/dist/browser/defaultVendors-node_modules_noble_ciphers_chacha_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_curve_js-node_modules_noble_curves_esm_-1ce4ed.shogun-core.js +1651 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_curve_js-node_modules_noble_curves_esm_-1ce4ed.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js +825 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_abstract_edwards_js-node_modules_noble_curves_es-a82056.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_ed25519_js.shogun-core.js +508 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_ed25519_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_ed448_js.shogun-core.js +747 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_ed448_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_nist_js.shogun-core.js +1608 -0
package/dist/browser/defaultVendors-node_modules_noble_curves_esm_nist_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js +2117 -0
package/dist/browser/defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js.map +1 -0
package/dist/browser/defaultVendors-node_modules_openpgp_dist_openpgp_min_mjs.shogun-core.js +86 -0
package/dist/browser/defaultVendors-node_modules_openpgp_dist_openpgp_min_mjs.shogun-core.js.map +1 -0
package/dist/browser/node_modules_hpke_ml-kem_esm_mod_js.shogun-core.js +539 -0
package/dist/browser/node_modules_hpke_ml-kem_esm_mod_js.shogun-core.js.map +1 -0
package/dist/browser/shogun-core.js +160386 -0
package/dist/browser/shogun-core.js.map +1 -0
package/dist/config/simplified-config.js +236 -0
package/dist/core.js +329 -0
package/dist/crypto/asymmetric.js +99 -0
package/dist/crypto/double-ratchet.js +370 -0
package/dist/crypto/file-encryption.js +213 -0
package/dist/crypto/hashing.js +87 -0
package/dist/crypto/index.js +34 -0
package/dist/crypto/mls-codec.js +202 -0
package/dist/crypto/mls.js +550 -0
package/dist/crypto/pgp.js +390 -0
package/dist/crypto/random-generation.js +341 -0
package/dist/crypto/sframe.js +350 -0
package/dist/crypto/signal-protocol.js +376 -0
package/dist/crypto/symmetric.js +91 -0
package/dist/crypto/types.js +2 -0
package/dist/crypto/utils.js +140 -0
package/dist/examples/auth-test.js +253 -0
package/dist/examples/crypto-identity-example.js +151 -0
package/dist/examples/crypto-working-test.js +83 -0
package/dist/examples/double-ratchet-test.js +155 -0
package/dist/examples/mls-advanced-example.js +294 -0
package/dist/examples/mls-sframe-test.js +304 -0
package/dist/examples/pgp-example.js +200 -0
package/dist/examples/quick-auth-test.js +61 -0
package/dist/examples/random-generation-test.js +151 -0
package/dist/examples/signal-protocol-test.js +38 -0
package/dist/examples/simple-api-test.js +114 -0
package/dist/examples/simple-crypto-identity-example.js +84 -0
package/dist/examples/timeout-test.js +227 -0
package/dist/examples/zkproof-credentials-example.js +212 -0
package/dist/examples/zkproof-example.js +201 -0
package/dist/gundb/api.js +435 -0
package/dist/gundb/crypto.js +283 -0
package/dist/gundb/db.js +1946 -0
package/dist/gundb/derive.js +232 -0
package/dist/gundb/errors.js +76 -0
package/dist/gundb/index.js +22 -0
package/dist/gundb/rxjs.js +447 -0
package/dist/gundb/types.js +5 -0
package/dist/index.js +58 -0
package/dist/interfaces/common.js +2 -0
package/dist/interfaces/events.js +40 -0
package/dist/interfaces/plugin.js +2 -0
package/dist/interfaces/shogun.js +37 -0
package/dist/managers/AuthManager.js +226 -0
package/dist/managers/CoreInitializer.js +228 -0
package/dist/managers/CryptoIdentityManager.js +366 -0
package/dist/managers/EventManager.js +70 -0
package/dist/managers/PluginManager.js +299 -0
package/dist/plugins/base.js +50 -0
package/dist/plugins/index.js +32 -0
package/dist/plugins/nostr/index.js +20 -0
package/dist/plugins/nostr/nostrConnector.js +419 -0
package/dist/plugins/nostr/nostrConnectorPlugin.js +453 -0
package/dist/plugins/nostr/nostrSigner.js +319 -0
package/dist/plugins/nostr/types.js +2 -0
package/dist/plugins/smartwallet/index.js +18 -0
package/dist/plugins/smartwallet/smartWalletPlugin.js +511 -0
package/dist/plugins/smartwallet/types.js +2 -0
package/dist/plugins/web3/index.js +20 -0
package/dist/plugins/web3/types.js +2 -0
package/dist/plugins/web3/web3Connector.js +533 -0
package/dist/plugins/web3/web3ConnectorPlugin.js +455 -0
package/dist/plugins/web3/web3Signer.js +314 -0
package/dist/plugins/webauthn/index.js +19 -0
package/dist/plugins/webauthn/types.js +14 -0
package/dist/plugins/webauthn/webauthn.js +496 -0
package/dist/plugins/webauthn/webauthnPlugin.js +489 -0
package/dist/plugins/webauthn/webauthnSigner.js +310 -0
package/dist/plugins/zkproof/index.js +53 -0
package/dist/plugins/zkproof/types.js +2 -0
package/dist/plugins/zkproof/zkCredentials.js +213 -0
package/dist/plugins/zkproof/zkProofConnector.js +198 -0
package/dist/plugins/zkproof/zkProofPlugin.js +272 -0
package/dist/storage/storage.js +145 -0
package/dist/types/config/simplified-config.d.ts +114 -0
package/dist/types/core.d.ts +305 -0
package/dist/types/crypto/asymmetric.d.ts +6 -0
package/dist/types/crypto/double-ratchet.d.ts +22 -0
package/dist/types/crypto/file-encryption.d.ts +19 -0
package/dist/types/crypto/hashing.d.ts +9 -0
package/dist/types/crypto/index.d.ts +13 -0
package/dist/types/crypto/mls-codec.d.ts +39 -0
package/dist/types/crypto/mls.d.ts +130 -0
package/dist/types/crypto/pgp.d.ts +95 -0
package/dist/types/crypto/random-generation.d.ts +35 -0
package/dist/types/crypto/sframe.d.ts +102 -0
package/dist/types/crypto/signal-protocol.d.ts +26 -0
package/dist/types/crypto/symmetric.d.ts +9 -0
package/dist/types/crypto/types.d.ts +144 -0
package/dist/types/crypto/utils.d.ts +22 -0
package/dist/types/examples/auth-test.d.ts +8 -0
package/dist/types/examples/crypto-identity-example.d.ts +5 -0
package/dist/types/examples/crypto-working-test.d.ts +1 -0
package/dist/types/examples/double-ratchet-test.d.ts +1 -0
package/dist/types/examples/mls-advanced-example.d.ts +53 -0
package/dist/types/examples/mls-sframe-test.d.ts +1 -0
package/dist/types/examples/pgp-example.d.ts +75 -0
package/dist/types/examples/quick-auth-test.d.ts +8 -0
package/dist/types/examples/random-generation-test.d.ts +1 -0
package/dist/types/examples/signal-protocol-test.d.ts +1 -0
package/dist/types/examples/simple-api-test.d.ts +10 -0
package/dist/types/examples/simple-crypto-identity-example.d.ts +6 -0
package/dist/types/examples/timeout-test.d.ts +8 -0
package/dist/types/examples/zkproof-credentials-example.d.ts +12 -0
package/dist/types/examples/zkproof-example.d.ts +11 -0
package/dist/types/gundb/api.d.ts +185 -0
package/dist/types/gundb/crypto.d.ts +95 -0
package/dist/types/gundb/db.d.ts +397 -0
package/dist/types/gundb/derive.d.ts +21 -0
package/dist/types/gundb/errors.d.ts +42 -0
package/dist/types/gundb/index.d.ts +3 -0
package/dist/types/gundb/rxjs.d.ts +110 -0
package/dist/types/gundb/types.d.ts +255 -0
package/dist/types/index.d.ts +16 -0
package/dist/types/interfaces/common.d.ts +85 -0
package/dist/types/interfaces/events.d.ts +131 -0
package/dist/types/interfaces/plugin.d.ts +162 -0
package/dist/types/interfaces/shogun.d.ts +208 -0
package/dist/types/managers/AuthManager.d.ts +72 -0
package/dist/types/managers/CoreInitializer.d.ts +40 -0
package/dist/types/managers/CryptoIdentityManager.d.ts +102 -0
package/dist/types/managers/EventManager.d.ts +49 -0
package/dist/types/managers/PluginManager.d.ts +145 -0
package/dist/types/plugins/base.d.ts +35 -0
package/dist/types/plugins/index.d.ts +18 -0
package/dist/types/plugins/nostr/index.d.ts +4 -0
package/dist/types/plugins/nostr/nostrConnector.d.ts +119 -0
package/dist/types/plugins/nostr/nostrConnectorPlugin.d.ts +163 -0
package/dist/types/plugins/nostr/nostrSigner.d.ts +105 -0
package/dist/types/plugins/nostr/types.d.ts +122 -0
package/dist/types/plugins/smartwallet/index.d.ts +2 -0
package/dist/types/plugins/smartwallet/smartWalletPlugin.d.ts +67 -0
package/dist/types/plugins/smartwallet/types.d.ts +80 -0
package/dist/types/plugins/web3/index.d.ts +4 -0
package/dist/types/plugins/web3/types.d.ts +107 -0
package/dist/types/plugins/web3/web3Connector.d.ts +129 -0
package/dist/types/plugins/web3/web3ConnectorPlugin.d.ts +160 -0
package/dist/types/plugins/web3/web3Signer.d.ts +114 -0
package/dist/types/plugins/webauthn/index.d.ts +3 -0
package/dist/types/plugins/webauthn/types.d.ts +183 -0
package/dist/types/plugins/webauthn/webauthn.d.ts +129 -0
package/dist/types/plugins/webauthn/webauthnPlugin.d.ts +179 -0
package/dist/types/plugins/webauthn/webauthnSigner.d.ts +91 -0
package/dist/types/plugins/zkproof/index.d.ts +48 -0
package/dist/types/plugins/zkproof/types.d.ts +123 -0
package/dist/types/plugins/zkproof/zkCredentials.d.ts +112 -0
package/dist/types/plugins/zkproof/zkProofConnector.d.ts +46 -0
package/dist/types/plugins/zkproof/zkProofPlugin.d.ts +76 -0
package/dist/types/storage/storage.d.ts +51 -0
package/dist/types/utils/errorHandler.d.ts +119 -0
package/dist/types/utils/eventEmitter.d.ts +39 -0
package/dist/types/utils/seedPhrase.d.ts +50 -0
package/dist/types/utils/validation.d.ts +27 -0
package/dist/utils/errorHandler.js +246 -0
package/dist/utils/eventEmitter.js +79 -0
package/dist/utils/seedPhrase.js +97 -0
package/dist/utils/validation.js +81 -0
package/package.json +10 -57

package/dist/browser/defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"defaultVendors-node_modules_noble_post-quantum_ml-dsa_js.shogun-core.js","mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA,oCAAoC,MAAM;AAC1C,2BAA2B,OAAO,6BAA6B,EAAE;AACjE;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA,oCAAoC,MAAM;AAC1C,+CAA+C,OAAO;AACtD,sCAAsC,IAAI,YAAY,aAAa;AACnE;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP,oBAAoB,mBAAmB;AACvC;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP,oBAAoB,gBAAgB;AACpC;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA,2CAA2C,aAAa;AACxD;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,kBAAkB;AACtC;AACA;AACA;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA,+BAA+B;AAC/B;AACA,qCAAqC;AACrC;AACA,qCAAqC;AACrC;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,6BAA6B,SAAS;AACtC;AACA;AACA;AACA;AACA;AACA;AACA,kCAAkC;AAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACO;AACP;AACA,oBAAoB,WAAW;AAC/B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA,0DAA0D;AAC1D;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACO;AACP;AACA,oBAAoB,mBAAmB;AACvC;AACA;AACA;AACA;AACA;AACA,6BAA6B,mBAAmB;AAChD;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP,gCAAgC;AAChC;AACA;AACA;AACA;AACA;AACO,yCAAyC;AAChD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA,CAAC;AACD,iC;;ACjPA;AACA;AACA;AACA;AACA;AACwJ;AACnC;AACrH;AACA;AACO;AACP;AACA,oCAAoC,MAAM;AAC1C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,OAAO;AACf;AACA;AACO;AACP;AACA,oCAAoC,MAAM;AAC1C;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA;AACA,kDAAkD;AAClD;AACA;AACO;AACP,uBAAuB,UAAW;AAClC;AACO;AACP,uBAAuB,UAAW,WAAW,MAAO;AACpD;AACO;AACP,IAAI,OAAO;AACX;AACA,gBAAgB,UAAW;AAC3B;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP,WAAW,UAAW;AACtB;AACA;AACO;AACP;AACA;AACA;AACA,oBAAoB,cAAc;AAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA,oEAAoE,SAAS,cAAc,UAAU,cAAc,EAAE;AACrH;AACA;AACA,KAAK;AACL;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA,+BAA+B;AAC/B;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA,kBAAkB,SAAS;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA,uBAAuB,4BAA4B;AACnD;AACO;AACP;AACA;AACA;AACA;AACA;AACA,6BAA6B;AAC7B;AACO;AACP,IAAI,OAAO;AACX,IAAI,OAAO;AACX;AACA;AACA,8CAA8C;AAC9C;AACA;AACA;AACA;AACA;AACA,0BAA0B;AAC1B,0BAA0B;AAC1B,eAAe;AACf;AACA;AACA;AACA;AACA;AACA,qCAAqC,WAAY,eAAe;AAChE;AACA;AACA,4BAA4B;AAC5B,iBAAiB;AACjB;AACA;AACA,4BAA4B;AAC5B,iBAAiB;AACjB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,WAAY;AAC3B;AACA;AACA;AACA,sBAAsB;AACtB,6BAA6B;AAC7B;AACA;AACA;AACA;AACA;AACA;AACA;AACO,2CAA2C,gBAAgB;AAClE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,sCAAsC,UAAU,yBAAyB,aAAa,QAAQ,QAAQ;AACtG;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,iC;;AChPA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,iBAAiB;AACjB,aAAa;AACb;AACA;AACA;AACA;AACA;AACA,oBAAoB,SAAS;AAC7B,gBAAgB,OAAO;AACvB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,aAAa;AACb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACgL;AAChL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,2CAAe,GAAG,EAAC;AACnB,gC;;AClEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACkE;AAClE;AAC8G;AAC9G;AACA;AACA;AACA,MAAM,OAAG;AACT,MAAM,OAAG;AACT;AACA;AACA;AACA;AACA;AACA;AACA,uBAAuB;AACvB,wBAAwB,OAAG,gBAAgB,YAAY;AACvD;AACA;AACA;AACA;AACA;AACA;AACA,YAAY,OAAG;AACf,oBAAoB,OAAO;AAC3B,mBAAmB,OAAG;AACtB;AACA,iBAAiB,OAAG,MAAM,OAAG,iBAAiB,OAAG;AACjD;AACA;AACA;AACA,cAAc,KAAK;AACnB;AACA;AACA;AACA,qCAAqC,MAAM,YAAY,MAAM;AAC7D,qCAAqC,MAAM,YAAY,MAAM;AAC7D;AACO;AACP;AACA;AACA,kCAAkC,YAAY;AAC9C;AACA,wBAAwB,QAAQ;AAChC;AACA,wBAAwB,QAAQ;AAChC;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B,QAAQ;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,QAAQ;AAChC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,QAAQ;AAChC,4BAA4B,QAAQ;AACpC;AACA,4BAA4B,QAAQ;AACpC;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK;AACT;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,OAAO;AACf;AACA;AACA;AACA;AACA;AACA,uBAAuB,GAAG;AAC1B;AACA;AACA;AACA;AACA;AACA,QAAQ,UAAU;AAClB;AACA,QAAQ,UAAU;AAClB;AACA;AACA;AACA;AACA,QAAQ,OAAO;AACf,QAAQ,MAAM;AACd,gBAAgB,kBAAkB;AAClC;AACA,0BAA0B,UAAU;AACpC;AACA,4BAA4B,UAAU;AACtC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gBAAgB,+BAA+B;AAC/C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,OAAO;AACf,QAAQ,MAAM;AACd;AACA;AACA,gBAAgB,WAAW;AAC3B,4CAA4C,UAAU;AACtD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,OAAO;AACf;AACA;AACA;AACA,QAAQ,OAAO;AACf;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,QAAQ,KAAK;AACb;AACA;AACA,gBAAgB,iDAAiD;AACjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,yDAAyD,KAAK,YAAY;AAC1E;AACO;AACP,gBAAgB,OAAO;AACvB;AACO;AACP,gBAAgB,OAAO;AACvB;AACO;AACP,gBAAgB,OAAO;AACvB;AACO;AACP,gBAAgB,OAAO;AACvB;AACO;AACP;AACO;AACP;AACO;AACP;AACO;AACP,wDAAwD,KAAK,YAAY,WAAW;AACpF;AACO;AACP;AACA,wCAAwC,OAAO;AAC/C;AACO;AACP;AACA,wCAAwC,OAAO;AAC/C;AACO;AACP;AACA,wCAAwC,OAAO;AAC/C;AACO;AACP;AACA,wCAAwC,OAAO;AAC/C,gC;;AC7PA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA,oBAAoB,UAAU;AAC9B;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA,MAAM,MAAG;AACT;AACA;AACA,WAAW,sCAAsC,MAAG,eAAe;AACnE;AACA;AACA;AACA;AACO;AACP;AACA,kCAAkC,MAAG;AACrC;AACA,WAAW,aAAa,MAAG,MAAM,MAAG,EAAE,4BAA4B,MAAG;AACrE;AACA;AACA;AACA;AACA;AACA;AACA,6BAA6B,OAAO;AACpC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,mCAAmC,YAAY;AAC/C;AACA,0BAA0B;AAC1B;AACA,6CAA6C,gBAAgB;AAC7D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gBAAgB,0BAA0B;AAC1C;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP,YAAY,uEAAuE;AACnF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,+BAA+B,uBAAuB;AACtD;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B,OAAO;AACnC;AACA,2CAA2C,QAAQ;AACnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,mDAAmD;AACnD;AACA;AACA;AACA;AACA,kDAAkD;AAClD;AACA;AACA;AACA,kDAAkD;AAClD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP;AACA;AACA;AACA,+CAA+C,kCAAkC;AACjF;AACA;AACA,mCAAmC,iCAAiC;AACpE;AACA,mCAAmC,kCAAkC;AACrE,+BAA+B,gCAAgC,GAAG;AAClE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA,yDAAyD;AACzD;AACA,4BAA4B,gBAAgB;AAC5C;AACA;AACA;AACA,uEAAuE,KAAK;AAC5E;AACA,SAAS;AACT;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,gBAAgB;AACxC;AACA,4DAA4D,GAAG,KAAK,cAAc;AAClF;AACA,2DAA2D,OAAO,QAAQ,EAAE;AAC5E;AACA;AACA;AACA;AACA;AACA,wBAAwB,OAAO;AAC/B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B,cAAc;AAC1C;AACA;AACA,SAAS;AACT;AACA;AACA,uCAAuC,QAAQ;AAC/C;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,SAAS;AACrC;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,SAAS;AACrC;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,SAAS;AACrC;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA,oCAAoC,cAAc;AAClD;AACA;AACA;AACA;AACA;AACA;AACA,oCAAoC,SAAS;AAC7C,wCAAwC,SAAS;AACjD,qDAAqD;AACrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gCAAgC,gBAAgB;AAChD;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,2CAA2C,cAAc;AACzD;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,cAAc;AAC1C;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,cAAc;AAC1C;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA,gCAAgC,OAAO;AACvC;AACA;AACA;AACA;AACA,aAAa;AACb;AACA;AACA;AACA;AACA,2CAA2C,QAAQ;AACnD;AACA;AACA,aAAa;AACb,SAAS;AACT;AACA;AACA;AACA,oFAAoF;AACpF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,qEAAqE;AACrE;AACA,gCAAgC,OAAO;AACvC;AACA;AACA,gCAAgC,OAAO;AACvC;AACA;AACA,aAAa;AACb;AACA;AACA;AACA;AACA,mCAAmC;AACnC,wDAAwD;AACxD;AACA,gCAAgC,cAAc;AAC9C;AACA;AACA;AACA,aAAa;AACb,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA,6CAA6C,OAAO;AACpD;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA,+B;;ACzaA;AACA;AACA;AACA;AACA;AACgH;AAChE;AACzB;AAChB,MAAM,iBAAW,GAAG,WAAK;AAChC;AACO,SAAS,gBAAU;AAC1B;AACA;AACA;AACA,oBAAoB,cAAc;AAClC;AACA;AACA;AACA;AACO,SAAS,eAAS;AACzB;AACA;AACO;AACP;AACA,qDAAqD,OAAO;AAC5D;AACA;AACO;AACP;AACA;AACA,QAAQ,MAAM;AACd;AACO;AACP;AACA;AACA,QAAQ,MAAM;AACd;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA,qCAAqC,oBAAoB;AACzD;AACA;AACA;AACA,gBAAgB,MAAO;AACvB;AACA;AACA,+BAA+B;AAC/B;AACA;AACA;AACA,SAAS;AACT;AACA,YAAY,MAAO;AACnB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA,iEAAiE,SAAS,cAAc,OAAO;AAC/F;AACA,qCAAqC,cAAc;AACnD;AACA;AACA,2BAA2B;AAC3B;AACA;AACA;AACA,SAAS;AACT;AACA,YAAY,MAAO;AACnB;AACA,4BAA4B,cAAc;AAC1C;AACA;AACA,SAAS;AACT;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP,4BAA4B;AAC5B;AACO;AACA;AACP,IAAI,MAAO;AACX,IAAI,MAAO;AACX;AACA;AACA,WAAW,WAAW;AACtB;AACA;AACA;AACO;AACP,sBAAsB,gBAAU;AAChC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP,IAAI,MAAO;AACX,IAAI,MAAO;AACX;AACA;AACA;AACA,WAAW,WAAW;AACtB;AACA,iC;;ACzIA;AACA;AACA;AACA;AACA;AACqE;AACV;AACV;AAC1C;AACP;AACA,YAAY,oDAAoD;AAChE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,OAAO;AAC/B,sBAAsB,WAAW;AACjC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gBAAgB,OAAO,UAAU,wBAAwB;AACzD,gBAAgB,OAAO,UAAU,uBAAuB;AACxD;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,cAAc;AAC1C;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,qBAAqB,OAAO;AAC5B;AACA;AACA;AACA;AACA;AACA,8DAA8D,iBAAiB;AAC/E;AACA;AACA,2BAA2B,aAAa;AACxC,yCAAyC,OAAO;AAChD;AACA;AACA,aAAa;AACb;AACA;AACA,8DAA8D,kBAAkB;AAChF;AACA;AACA,2BAA2B,aAAa;AACxC;AACA;AACA;AACA,aAAa;AACb;AACA;AACA,aAAa;AACb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,0CAA0C;AAC1C,2BAA2B;AAC3B;AACA;AACA;AACA,wBAAwB,aAAa;AACrC;AACA;AACA;AACA;AACA,+BAA+B;AAC/B;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA,YAAY,UAAU;AACtB,SAAS;AACT;AACA;AACO,8CAA8C,QAAQ;AACtD,8CAA8C,QAAQ;AAC7D,qC;;ACjIA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAC+C;AACE;AACY;AAC6H;AAC1L;AACA,IAAI,YAAY;AAChB;AACA,QAAQ,KAAK;AACb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO;AACP,SAAS,8EAA8E;AACvF,SAAS,8EAA8E;AACvF,SAAS,8EAA8E;AACvF;AACA;AACA,QAAQ,4BAA4B,EAAE,WAAW;AACjD;AACA;AACA;AACA;AACA;AACA;AACA;AACA,CAAC;AACD;AACA;AACA;AACA;AACA,CAAC;AACD;AACA,oBAAoB,cAAc;AAClC;AACA;AACA;AACA;AACA,oBAAoB,cAAc;AAClC;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B;AACA;AACA;AACA;AACA;AACA,oBAAoB,OAAO;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,cAAc;AAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,oBAAoB,MAAM;AAC1B;AACA;AACA;AACA,wBAAwB,4BAA4B;AACpD,kFAAkF;AAClF;AACA;AACA;AACA;AACA;AACA;AACA;AACA,YAAY,wCAAwC;AACpD,YAAY,oEAAoE;AAChF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,qBAAqB;AACrB;AACA,iBAAiB,UAAU;AAC3B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,gBAAgB,SAAS;AACzB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA;AACA;AACA;AACA,+DAA+D;AAC/D;AACA,mCAAmC,OAAO;AAC1C,gCAAgC,OAAO;AACvC;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,4BAA4B,OAAO;AACnC;AACA;AACA;AACA,gCAAgC,oBAAoB;AACpD;AACA;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B,WAAW;AACvC;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA,mDAAmD,GAAG,wBAAwB,KAAK,IAAI,IAAI;AAC3F;AACA,KAAK;AACL;AACA;AACA;AACA;AACA;AACA,kBAAkB,QAAQ;AAC1B;AACA,wBAAwB,UAAU,kBAAkB,QAAQ;AAC5D,wBAAwB,UAAU,gCAAgC,QAAQ,eAAe,QAAQ,eAAe,QAAQ;AACxH,qBAAqB,UAAU,6BAA6B,QAAQ;AACpE;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,MAAM;AAC9B;AACA,4BAA4B,uBAAuB;AACnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,8DAA8D,UAAU;AACxE;AACA,kBAAkB,QAAQ,UAAU;AACpC,mCAAmC,QAAQ;AAC3C;AACA;AACA,iEAAiE,OAAO;AACxE;AACA,mBAAmB,MAAM;AACzB;AACA,0BAA0B,QAAQ;AAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,cAAc;AACtC,oBAAoB,SAAS;AAC7B;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA,wBAAwB,OAAO;AAC/B;AACA;AACA;AACA;AACA;AACA;AACA,wBAAwB,OAAO;AAC/B;AACA;AACA;AACA;AACA,iBAAiB;AACjB;AACA;AACA,sBAAsB,UAAU;AAChC;AACA;AACA,gBAAgB,yBAAyB;AACzC;AACA;AACA;AACA;AACA;AACA;AACA,SAAS;AACT;AACA;AACA;AACA;AACA;AACA,uBAAuB,iBAAW;AAClC,YAAY,MAAM;AAClB;AACA;AACA,gBAAgB,UAAU;AAC1B;AACA;AACA,yDAAyD,QAAQ,YAAY,2BAA2B;AACxG;AACA;AACA,4BAA4B,OAAO;AACnC;AACA;AACA,4BAA4B,WAAW;AACvC;AACA;AACA;AACA;AACA;AACA;AACA,4BAA4B,OAAO;AACnC;AACA,gBAAgB,UAAU,KAAK;AAC/B,gCAAgC,OAAO;AACvC,2DAA2D;AAC3D;AACA;AACA;AACA,wBAAwB,SAAS,qCAAqC;AACtE;AACA;AACA;AACA,6DAA6D;AAC7D,uBAAuB,QAAQ,cAAc,iBAAiB,GAAG;AACjE,6EAA6E;AAC7E;AACA;AACA;AACA,4BAA4B,oBAAoB,cAAc,oBAAoB,eAAe;AACjG,2BAA2B,qBAAqB,cAAc,qBAAqB,cAAc;AACjG,YAAY,UAAU;AACtB,qBAAqB;AACrB,SAAS;AACT;AACA,+EAA+E;AAC/E;AACA;AACA;AACA;AACA,4BAA4B,OAAO;AACnC;AACA,gCAAgC,OAAO;AACvC,2DAA2D;AAC3D,+DAA+D;AAC/D;AACA,iCAAiC;AACjC,qCAAqC;AACrC,wBAAwB,KAAK,uBAAuB;AACpD;AACA;AACA;AACA,YAAY,UAAU;AACtB;AACA,SAAS;AACT;AACA,wCAAwC;AACxC,YAAY,eAAe;AAC3B;AACA,kBAAkB,2CAA2C;AAC7D;AACA;AACA,6EAA6E;AAC7E;AACA,0BAA0B;AAC1B;AACA,4BAA4B,OAAO;AACnC;AACA,gCAAgC,OAAO;AACvC;AACA;AACA;AACA;AACA,4BAA4B,OAAO;AACnC,mCAAmC;AACnC,4BAA4B,OAAO;AACnC,mCAAmC;AACnC,mCAAmC;AACnC;AACA;AACA;AACA;AACA,kBAAkB,QAAQ,UAAU,kBAAkB,mCAAmC;AACzF;AACA;AACA;AACA;AACA,sBAAsB,iBAAW;AACjC;AACA,YAAY,MAAM;AAClB,6BAA6B,QAAQ;AACrC,0BAA0B,kBAAkB;AAC5C;AACA;AACA;AACA,2BAA2B;AAC3B,YAAY,MAAM;AAClB;AACA;AACA,2CAA2C;AAC3C;AACA;AACA,gCAAgC,OAAO;AACvC;AACA;AACA;AACA,gCAAgC,OAAO;AACvC;AACA;AACA,oCAAoC,OAAO;AAC3C;AACA;AACA;AACA;AACA,0DAA0D;AAC1D,yCAAyC,UAAU;AACnD,+BAA+B,QAAQ;AACvC,8BAA8B,sBAAsB;AACpD;AACA;AACA;AACA;AACA,+DAA+D,0BAA0B;AACzF;AACA;AACA,gCAAgC,OAAO;AACvC,uDAAuD;AACvD;AACA,4CAA4C;AAC5C;AACA;AACA;AACA;AACA,gCAAgC,OAAO;AACvC,uEAAuE;AACvE,gEAAgE;AAChE;AACA,4CAA4C;AAC5C,uEAAuE;AACvE;AACA;AACA;AACA;AACA,0DAA0D;AAC1D;AACA;AACA;AACA;AACA,8BAA8B;AAC9B;AACA,+DAA+D;AAC/D;AACA,gBAAgB,UAAU;AAC1B;AACA;AACA;AACA;AACA,SAAS;AACT,+CAA+C;AAC/C;AACA,oBAAoB,qBAAqB;AACzC;AACA,6DAA6D;AAC7D,uBAAuB,QAAQ,cAAc,iBAAiB,GAAG;AACjE;AACA,8BAA8B;AAC9B,yDAAyD;AACzD;AACA,8BAA8B;AAC9B,4BAA4B,OAAO;AACnC;AACA;AACA;AACA;AACA,kBAAkB,QAAQ,UAAU,kBAAkB,mCAAmC;AACzF;AACA,wDAAwD;AACxD,kDAAkD;AAClD,4BAA4B,OAAO;AACnC;AACA;AACA;AACA,4BAA4B,OAAO;AACnC,8EAA8E;AAC9E,uCAAuC;AACvC,gCAAgC,OAAO;AACvC,2DAA2D;AAC3D;AACA;AACA;AACA;AACA;AACA,yDAAyD;AACzD;AACA;AACA,wDAAwD;AACxD,uBAAuB,QAAQ;AAC/B,0BAA0B,sBAAsB;AAChD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,mBAAmB,gBAAU;AAC7B,SAAS;AACT;AACA;AACA,gBAAgB,gBAAgB;AAChC;AACA;AACA;AACA;AACA;AACA,wCAAwC;AACxC,YAAY,eAAe;AAC3B,sBAAsB,UAAU;AAChC;AACA,YAAY,UAAU;AACtB;AACA,SAAS;AACT,+CAA+C;AAC/C,YAAY,eAAe;AAC3B,wCAAwC,UAAU;AAClD,SAAS;AACT;AACA,YAAY,SAAS;AACrB;AACA,wBAAwB,oBAAoB;AAC5C;AACA;AACA;AACA;AACA,gDAAgD;AAChD,oBAAoB,eAAe;AACnC,8BAA8B,iBAAiB;AAC/C;AACA,oBAAoB,UAAU;AAC9B;AACA,iBAAiB;AACjB,uDAAuD;AACvD,oBAAoB,eAAe;AACnC,gDAAgD,iBAAiB;AACjE,iBAAiB;AACjB;AACA,SAAS;AACT;AACA;AACA;AACO;AACP;AACA;AACA;AACA;AACA,UAAU;AACV,UAAU;AACV;AACA,CAAC;AACD;AACO;AACP;AACA;AACA;AACA;AACA,UAAU;AACV,UAAU;AACV;AACA,CAAC;AACD;AACO;AACP;AACA;AACA;AACA;AACA,UAAU;AACV,UAAU;AACV;AACA,CAAC;AACD,kC","sources":["webpack://ShogunCore/./node_modules/@noble/post-quantum/node_modules/@noble/hashes/utils.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/node_modules/@noble/curves/utils.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/node_modules/@noble/hashes/_u64.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/node_modules/@noble/hashes/sha3.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/node_modules/@noble/curves/abstract/fft.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/utils.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/_crystals.js","webpack://ShogunCore/./node_modules/@noble/post-quantum/ml-dsa.js"],"sourcesContent":["/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */\nexport function isBytes(a) {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n/** Asserts something is positive integer. */\nexport function anumber(n, title = '') {\n if (!Number.isSafeInteger(n) || n < 0) {\n const prefix = title && `\"${title}\" `;\n throw new Error(`${prefix}expected integer >= 0, got ${n}`);\n }\n}\n/** Asserts something is Uint8Array. */\nexport function abytes(value, length, title = '') {\n const bytes = isBytes(value);\n const len = value?.length;\n const needsLen = length !== undefined;\n if (!bytes || (needsLen && len !== length)) {\n const prefix = title && `\"${title}\" `;\n const ofLen = needsLen ? ` of length ${length}` : '';\n const got = bytes ? `length=${len}` : `type=${typeof value}`;\n throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);\n }\n return value;\n}\n/** Asserts something is hash */\nexport function ahash(h) {\n if (typeof h !== 'function' || typeof h.create !== 'function')\n throw new Error('Hash must wrapped by utils.createHasher');\n anumber(h.outputLen);\n anumber(h.blockLen);\n}\n/** Asserts a hash instance has not been destroyed / finished */\nexport function aexists(instance, checkFinished = true) {\n if (instance.destroyed)\n throw new Error('Hash instance has been destroyed');\n if (checkFinished && instance.finished)\n throw new Error('Hash#digest() has already been called');\n}\n/** Asserts output is properly-sized byte array */\nexport function aoutput(out, instance) {\n abytes(out, undefined, 'digestInto() output');\n const min = instance.outputLen;\n if (out.length < min) {\n throw new Error('\"digestInto() output\" expected to be of length >=' + min);\n }\n}\n/** Cast u8 / u16 / u32 to u8. */\nexport function u8(arr) {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n/** Cast u8 / u16 / u32 to u32. */\nexport function u32(arr) {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n/** Zeroize a byte array. Warning: JS provides no guarantees. */\nexport function clean(...arrays) {\n for (let i = 0; i < arrays.length; i++) {\n arrays[i].fill(0);\n }\n}\n/** Create DataView of an array for easy byte-level manipulation. */\nexport function createView(arr) {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word, shift) {\n return (word << (32 - shift)) | (word >>> shift);\n}\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word, shift) {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n/** The byte swap operation for uint32 */\nexport function byteSwap(word) {\n return (((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff));\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const swap8IfBE = isLE\n ? (n) => n\n : (n) => byteSwap(n);\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr) {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n return arr;\n}\nexport const swap32IfBE = isLE\n ? (u) => u\n : byteSwap32;\n// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex\nconst hasHexBuiltin = /* @__PURE__ */ (() => \n// @ts-ignore\ntypeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')();\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));\n/**\n * Convert byte array to hex string. Uses built-in function, when available.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n abytes(bytes);\n // @ts-ignore\n if (hasHexBuiltin)\n return bytes.toHex();\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };\nfunction asciiToBase16(ch) {\n if (ch >= asciis._0 && ch <= asciis._9)\n return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F)\n return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f)\n return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n/**\n * Convert hex string to byte array. Uses built-in function, when available.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n if (typeof hex !== 'string')\n throw new Error('hex string expected, got ' + typeof hex);\n // @ts-ignore\n if (hasHexBuiltin)\n return Uint8Array.fromHex(hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2)\n throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async () => { };\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(iters, tick, cb) {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick)\n continue;\n await nextTick();\n ts += diff;\n }\n}\n/**\n * Converts string to bytes using UTF8 encoding.\n * Built-in doesn't validate input to be string: we do the check.\n * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n if (typeof str !== 'string')\n throw new Error('string expected');\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n/**\n * Helper for KDFs: consumes uint8array or string.\n * When string is passed, does utf8 decoding, using TextDecoder.\n */\nexport function kdfInputToBytes(data, errorTitle = '') {\n if (typeof data === 'string')\n return utf8ToBytes(data);\n return abytes(data, undefined, errorTitle);\n}\n/** Copies several Uint8Arrays into one. */\nexport function concatBytes(...arrays) {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n/** Merges default options and passed options. */\nexport function checkOpts(defaults, opts) {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('options must be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged;\n}\n/** Creates function with outputLen, blockLen, create properties from a class constructor. */\nexport function createHasher(hashCons, info = {}) {\n const hashC = (msg, opts) => hashCons(opts).update(msg).digest();\n const tmp = hashCons(undefined);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts) => hashCons(opts);\n Object.assign(hashC, info);\n return Object.freeze(hashC);\n}\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\nexport function randomBytes(bytesLength = 32) {\n const cr = typeof globalThis === 'object' ? globalThis.crypto : null;\n if (typeof cr?.getRandomValues !== 'function')\n throw new Error('crypto.getRandomValues must be defined');\n return cr.getRandomValues(new Uint8Array(bytesLength));\n}\n/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */\nexport const oidNist = (suffix) => ({\n oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),\n});\n//# sourceMappingURL=utils.js.map","/**\n * Hex, bytes and number utilities.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { abytes as abytes_, anumber, bytesToHex as bytesToHex_, concatBytes as concatBytes_, hexToBytes as hexToBytes_, } from '@noble/hashes/utils.js';\nexport { abytes, anumber, bytesToHex, concatBytes, hexToBytes, isBytes, randomBytes, } from '@noble/hashes/utils.js';\nconst _0n = /* @__PURE__ */ BigInt(0);\nconst _1n = /* @__PURE__ */ BigInt(1);\nexport function abool(value, title = '') {\n if (typeof value !== 'boolean') {\n const prefix = title && `\"${title}\" `;\n throw new Error(prefix + 'expected boolean, got type=' + typeof value);\n }\n return value;\n}\n// Used in weierstrass, der\nfunction abignumber(n) {\n if (typeof n === 'bigint') {\n if (!isPosBig(n))\n throw new Error('positive bigint expected, got ' + n);\n }\n else\n anumber(n);\n return n;\n}\nexport function asafenumber(value, title = '') {\n if (!Number.isSafeInteger(value)) {\n const prefix = title && `\"${title}\" `;\n throw new Error(prefix + 'expected safe integer, got type=' + typeof value);\n }\n}\nexport function numberToHexUnpadded(num) {\n const hex = abignumber(num).toString(16);\n return hex.length & 1 ? '0' + hex : hex;\n}\nexport function hexToNumber(hex) {\n if (typeof hex !== 'string')\n throw new Error('hex string expected, got ' + typeof hex);\n return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian\n}\n// BE: Big Endian, LE: Little Endian\nexport function bytesToNumberBE(bytes) {\n return hexToNumber(bytesToHex_(bytes));\n}\nexport function bytesToNumberLE(bytes) {\n return hexToNumber(bytesToHex_(copyBytes(abytes_(bytes)).reverse()));\n}\nexport function numberToBytesBE(n, len) {\n anumber(len);\n n = abignumber(n);\n const res = hexToBytes_(n.toString(16).padStart(len * 2, '0'));\n if (res.length !== len)\n throw new Error('number too large');\n return res;\n}\nexport function numberToBytesLE(n, len) {\n return numberToBytesBE(n, len).reverse();\n}\n// Unpadded, rarely used\nexport function numberToVarBytesBE(n) {\n return hexToBytes_(numberToHexUnpadded(abignumber(n)));\n}\n// Compares 2 u8a-s in kinda constant time\nexport function equalBytes(a, b) {\n if (a.length !== b.length)\n return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++)\n diff |= a[i] ^ b[i];\n return diff === 0;\n}\n/**\n * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,\n * and Buffer#slice creates mutable copy. Never use Buffers!\n */\nexport function copyBytes(bytes) {\n return Uint8Array.from(bytes);\n}\n/**\n * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols\n * Should be safe to use for things expected to be ASCII.\n * Returns exact same result as `TextEncoder` for ASCII or throws.\n */\nexport function asciiToBytes(ascii) {\n return Uint8Array.from(ascii, (c, i) => {\n const charCode = c.charCodeAt(0);\n if (c.length !== 1 || charCode > 127) {\n throw new Error(`string contains non-ASCII character \"${ascii[i]}\" with code ${charCode} at position ${i}`);\n }\n return charCode;\n });\n}\n// Is positive bigint\nconst isPosBig = (n) => typeof n === 'bigint' && _0n <= n;\nexport function inRange(n, min, max) {\n return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;\n}\n/**\n * Asserts min <= n < max. NOTE: It's < max and not <= max.\n * @example\n * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)\n */\nexport function aInRange(title, n, min, max) {\n // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?\n // consider P=256n, min=0n, max=P\n // - a for min=0 would require -1: `inRange('x', x, -1n, P)`\n // - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)`\n // - our way is the cleanest: `inRange('x', x, 0n, P)\n if (!inRange(n, min, max))\n throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);\n}\n// Bit operations\n/**\n * Calculates amount of bits in a bigint.\n * Same as `n.toString(2).length`\n * TODO: merge with nLength in modular\n */\nexport function bitLen(n) {\n let len;\n for (len = 0; n > _0n; n >>= _1n, len += 1)\n ;\n return len;\n}\n/**\n * Gets single bit at position.\n * NOTE: first bit position is 0 (same as arrays)\n * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`\n */\nexport function bitGet(n, pos) {\n return (n >> BigInt(pos)) & _1n;\n}\n/**\n * Sets single bit at position.\n */\nexport function bitSet(n, pos, value) {\n return n | ((value ? _1n : _0n) << BigInt(pos));\n}\n/**\n * Calculate mask for N bits. Not using ** operator with bigints because of old engines.\n * Same as BigInt(`0b${Array(i).fill('1').join('')}`)\n */\nexport const bitMask = (n) => (_1n << BigInt(n)) - _1n;\n/**\n * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.\n * @returns function that will call DRBG until 2nd arg returns something meaningful\n * @example\n * const drbg = createHmacDRBG<Key>(32, 32, hmac);\n * drbg(seed, bytesToKey); // bytesToKey must return Key or undefined\n */\nexport function createHmacDrbg(hashLen, qByteLen, hmacFn) {\n anumber(hashLen, 'hashLen');\n anumber(qByteLen, 'qByteLen');\n if (typeof hmacFn !== 'function')\n throw new Error('hmacFn must be a function');\n const u8n = (len) => new Uint8Array(len); // creates Uint8Array\n const NULL = Uint8Array.of();\n const byte0 = Uint8Array.of(0x00);\n const byte1 = Uint8Array.of(0x01);\n const _maxDrbgIters = 1000;\n // Step B, Step C: set hashLen to 8*ceil(hlen/8)\n let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.\n let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same\n let i = 0; // Iterations counter, will throw when over 1000\n const reset = () => {\n v.fill(1);\n k.fill(0);\n i = 0;\n };\n const h = (...msgs) => hmacFn(k, concatBytes_(v, ...msgs)); // hmac(k)(v, ...values)\n const reseed = (seed = NULL) => {\n // HMAC-DRBG reseed() function. Steps D-G\n k = h(byte0, seed); // k = hmac(k || v || 0x00 || seed)\n v = h(); // v = hmac(k || v)\n if (seed.length === 0)\n return;\n k = h(byte1, seed); // k = hmac(k || v || 0x01 || seed)\n v = h(); // v = hmac(k || v)\n };\n const gen = () => {\n // HMAC-DRBG generate() function\n if (i++ >= _maxDrbgIters)\n throw new Error('drbg: tried max amount of iterations');\n let len = 0;\n const out = [];\n while (len < qByteLen) {\n v = h();\n const sl = v.slice();\n out.push(sl);\n len += v.length;\n }\n return concatBytes_(...out);\n };\n const genUntil = (seed, pred) => {\n reset();\n reseed(seed); // Steps D-G\n let res = undefined; // Step H: grind until k is in [1..n-1]\n while (!(res = pred(gen())))\n reseed();\n reset();\n return res;\n };\n return genUntil;\n}\nexport function validateObject(object, fields = {}, optFields = {}) {\n if (!object || typeof object !== 'object')\n throw new Error('expected valid options object');\n function checkField(fieldName, expectedType, isOpt) {\n const val = object[fieldName];\n if (isOpt && val === undefined)\n return;\n const current = typeof val;\n if (current !== expectedType || val === null)\n throw new Error(`param \"${fieldName}\" is invalid: expected ${expectedType}, got ${current}`);\n }\n const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));\n iter(fields, false);\n iter(optFields, true);\n}\n/**\n * throws not implemented error\n */\nexport const notImplemented = () => {\n throw new Error('not implemented');\n};\n/**\n * Memoizes (caches) computation result.\n * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.\n */\nexport function memoized(fn) {\n const map = new WeakMap();\n return (arg, ...args) => {\n const val = map.get(arg);\n if (val !== undefined)\n return val;\n const computed = fn(arg, ...args);\n map.set(arg, computed);\n return computed;\n };\n}\n//# sourceMappingURL=utils.js.map","/**\n * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.\n * @todo re-check https://issues.chromium.org/issues/42212588\n * @module\n */\nconst U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);\nconst _32n = /* @__PURE__ */ BigInt(32);\nfunction fromBig(n, le = false) {\n if (le)\n return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };\n return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };\n}\nfunction split(lst, le = false) {\n const len = lst.length;\n let Ah = new Uint32Array(len);\n let Al = new Uint32Array(len);\n for (let i = 0; i < len; i++) {\n const { h, l } = fromBig(lst[i], le);\n [Ah[i], Al[i]] = [h, l];\n }\n return [Ah, Al];\n}\nconst toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);\n// for Shift in [0, 32)\nconst shrSH = (h, _l, s) => h >>> s;\nconst shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in [1, 32)\nconst rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));\nconst rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));\nconst rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));\n// Right rotate for shift===32 (just swaps l&h)\nconst rotr32H = (_h, l) => l;\nconst rotr32L = (h, _l) => h;\n// Left rotate for Shift in [1, 32)\nconst rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));\nconst rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));\n// Left rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));\nconst rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));\n// JS uses 32-bit signed integers for bitwise operations which means we cannot\n// simple take carry out of low bit sum by shift, we need to use division.\nfunction add(Ah, Al, Bh, Bl) {\n const l = (Al >>> 0) + (Bl >>> 0);\n return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };\n}\n// Addition with more than 2 elements\nconst add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);\nconst add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;\nconst add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);\nconst add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;\nconst add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);\nconst add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;\n// prettier-ignore\nexport { add, add3H, add3L, add4H, add4L, add5H, add5L, fromBig, rotlBH, rotlBL, rotlSH, rotlSL, rotr32H, rotr32L, rotrBH, rotrBL, rotrSH, rotrSL, shrSH, shrSL, split, toBig };\n// prettier-ignore\nconst u64 = {\n fromBig, split, toBig,\n shrSH, shrSL,\n rotrSH, rotrSL, rotrBH, rotrBL,\n rotr32H, rotr32L,\n rotlSH, rotlSL, rotlBH, rotlBL,\n add, add3L, add3H, add4L, add4H, add5H, add5L,\n};\nexport default u64;\n//# sourceMappingURL=_u64.js.map","/**\n * SHA3 (keccak) hash function, based on a new \"Sponge function\" design.\n * Different from older hashes, the internal state is bigger than output size.\n *\n * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf),\n * [Website](https://keccak.team/keccak.html),\n * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub).\n *\n * Check out `sha3-addons` module for cSHAKE, k12, and others.\n * @module\n */\nimport { rotlBH, rotlBL, rotlSH, rotlSL, split } from \"./_u64.js\";\n// prettier-ignore\nimport { abytes, aexists, anumber, aoutput, clean, createHasher, oidNist, swap32IfBE, u32 } from \"./utils.js\";\n// No __PURE__ annotations in sha3 header:\n// EVERYTHING is in fact used on every export.\n// Various per round constants calculations\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\nconst _2n = BigInt(2);\nconst _7n = BigInt(7);\nconst _256n = BigInt(256);\nconst _0x71n = BigInt(0x71);\nconst SHA3_PI = [];\nconst SHA3_ROTL = [];\nconst _SHA3_IOTA = []; // no pure annotation: var is always used\nfor (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {\n // Pi\n [x, y] = [y, (2 * x + 3 * y) % 5];\n SHA3_PI.push(2 * (5 * y + x));\n // Rotational\n SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);\n // Iota\n let t = _0n;\n for (let j = 0; j < 7; j++) {\n R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;\n if (R & _2n)\n t ^= _1n << ((_1n << BigInt(j)) - _1n);\n }\n _SHA3_IOTA.push(t);\n}\nconst IOTAS = split(_SHA3_IOTA, true);\nconst SHA3_IOTA_H = IOTAS[0];\nconst SHA3_IOTA_L = IOTAS[1];\n// Left rotation (without 0, 32, 64)\nconst rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));\nconst rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));\n/** `keccakf1600` internal function, additionally allows to adjust round count. */\nexport function keccakP(s, rounds = 24) {\n const B = new Uint32Array(5 * 2);\n // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)\n for (let round = 24 - rounds; round < 24; round++) {\n // Theta θ\n for (let x = 0; x < 10; x++)\n B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];\n for (let x = 0; x < 10; x += 2) {\n const idx1 = (x + 8) % 10;\n const idx0 = (x + 2) % 10;\n const B0 = B[idx0];\n const B1 = B[idx0 + 1];\n const Th = rotlH(B0, B1, 1) ^ B[idx1];\n const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];\n for (let y = 0; y < 50; y += 10) {\n s[x + y] ^= Th;\n s[x + y + 1] ^= Tl;\n }\n }\n // Rho (ρ) and Pi (π)\n let curH = s[2];\n let curL = s[3];\n for (let t = 0; t < 24; t++) {\n const shift = SHA3_ROTL[t];\n const Th = rotlH(curH, curL, shift);\n const Tl = rotlL(curH, curL, shift);\n const PI = SHA3_PI[t];\n curH = s[PI];\n curL = s[PI + 1];\n s[PI] = Th;\n s[PI + 1] = Tl;\n }\n // Chi (χ)\n for (let y = 0; y < 50; y += 10) {\n for (let x = 0; x < 10; x++)\n B[x] = s[y + x];\n for (let x = 0; x < 10; x++)\n s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];\n }\n // Iota (ι)\n s[0] ^= SHA3_IOTA_H[round];\n s[1] ^= SHA3_IOTA_L[round];\n }\n clean(B);\n}\n/** Keccak sponge function. */\nexport class Keccak {\n state;\n pos = 0;\n posOut = 0;\n finished = false;\n state32;\n destroyed = false;\n blockLen;\n suffix;\n outputLen;\n enableXOF = false;\n rounds;\n // NOTE: we accept arguments in bytes instead of bits here.\n constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {\n this.blockLen = blockLen;\n this.suffix = suffix;\n this.outputLen = outputLen;\n this.enableXOF = enableXOF;\n this.rounds = rounds;\n // Can be passed from user as dkLen\n anumber(outputLen, 'outputLen');\n // 1600 = 5x5 matrix of 64bit. 1600 bits === 200 bytes\n // 0 < blockLen < 200\n if (!(0 < blockLen && blockLen < 200))\n throw new Error('only keccak-f1600 function is supported');\n this.state = new Uint8Array(200);\n this.state32 = u32(this.state);\n }\n clone() {\n return this._cloneInto();\n }\n keccak() {\n swap32IfBE(this.state32);\n keccakP(this.state32, this.rounds);\n swap32IfBE(this.state32);\n this.posOut = 0;\n this.pos = 0;\n }\n update(data) {\n aexists(this);\n abytes(data);\n const { blockLen, state } = this;\n const len = data.length;\n for (let pos = 0; pos < len;) {\n const take = Math.min(blockLen - this.pos, len - pos);\n for (let i = 0; i < take; i++)\n state[this.pos++] ^= data[pos++];\n if (this.pos === blockLen)\n this.keccak();\n }\n return this;\n }\n finish() {\n if (this.finished)\n return;\n this.finished = true;\n const { state, suffix, pos, blockLen } = this;\n // Do the padding\n state[pos] ^= suffix;\n if ((suffix & 0x80) !== 0 && pos === blockLen - 1)\n this.keccak();\n state[blockLen - 1] ^= 0x80;\n this.keccak();\n }\n writeInto(out) {\n aexists(this, false);\n abytes(out);\n this.finish();\n const bufferOut = this.state;\n const { blockLen } = this;\n for (let pos = 0, len = out.length; pos < len;) {\n if (this.posOut >= blockLen)\n this.keccak();\n const take = Math.min(blockLen - this.posOut, len - pos);\n out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);\n this.posOut += take;\n pos += take;\n }\n return out;\n }\n xofInto(out) {\n // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF\n if (!this.enableXOF)\n throw new Error('XOF is not possible for this instance');\n return this.writeInto(out);\n }\n xof(bytes) {\n anumber(bytes);\n return this.xofInto(new Uint8Array(bytes));\n }\n digestInto(out) {\n aoutput(out, this);\n if (this.finished)\n throw new Error('digest() was already called');\n this.writeInto(out);\n this.destroy();\n return out;\n }\n digest() {\n return this.digestInto(new Uint8Array(this.outputLen));\n }\n destroy() {\n this.destroyed = true;\n clean(this.state);\n }\n _cloneInto(to) {\n const { blockLen, suffix, outputLen, rounds, enableXOF } = this;\n to ||= new Keccak(blockLen, suffix, outputLen, enableXOF, rounds);\n to.state32.set(this.state32);\n to.pos = this.pos;\n to.posOut = this.posOut;\n to.finished = this.finished;\n to.rounds = rounds;\n // Suffix can change in cSHAKE\n to.suffix = suffix;\n to.outputLen = outputLen;\n to.enableXOF = enableXOF;\n to.destroyed = this.destroyed;\n return to;\n }\n}\nconst genKeccak = (suffix, blockLen, outputLen, info = {}) => createHasher(() => new Keccak(blockLen, suffix, outputLen), info);\n/** SHA3-224 hash function. */\nexport const sha3_224 = /* @__PURE__ */ genKeccak(0x06, 144, 28, \n/* @__PURE__ */ oidNist(0x07));\n/** SHA3-256 hash function. Different from keccak-256. */\nexport const sha3_256 = /* @__PURE__ */ genKeccak(0x06, 136, 32, \n/* @__PURE__ */ oidNist(0x08));\n/** SHA3-384 hash function. */\nexport const sha3_384 = /* @__PURE__ */ genKeccak(0x06, 104, 48, \n/* @__PURE__ */ oidNist(0x09));\n/** SHA3-512 hash function. */\nexport const sha3_512 = /* @__PURE__ */ genKeccak(0x06, 72, 64, \n/* @__PURE__ */ oidNist(0x0a));\n/** keccak-224 hash function. */\nexport const keccak_224 = /* @__PURE__ */ genKeccak(0x01, 144, 28);\n/** keccak-256 hash function. Different from SHA3-256. */\nexport const keccak_256 = /* @__PURE__ */ genKeccak(0x01, 136, 32);\n/** keccak-384 hash function. */\nexport const keccak_384 = /* @__PURE__ */ genKeccak(0x01, 104, 48);\n/** keccak-512 hash function. */\nexport const keccak_512 = /* @__PURE__ */ genKeccak(0x01, 72, 64);\nconst genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true), info);\n/** SHAKE128 XOF with 128-bit security. */\nexport const shake128 = \n/* @__PURE__ */\ngenShake(0x1f, 168, 16, /* @__PURE__ */ oidNist(0x0b));\n/** SHAKE256 XOF with 256-bit security. */\nexport const shake256 = \n/* @__PURE__ */\ngenShake(0x1f, 136, 32, /* @__PURE__ */ oidNist(0x0c));\n/** SHAKE128 XOF with 256-bit output (NIST version). */\nexport const shake128_32 = \n/* @__PURE__ */\ngenShake(0x1f, 168, 32, /* @__PURE__ */ oidNist(0x0b));\n/** SHAKE256 XOF with 512-bit output (NIST version). */\nexport const shake256_64 = \n/* @__PURE__ */\ngenShake(0x1f, 136, 64, /* @__PURE__ */ oidNist(0x0c));\n//# sourceMappingURL=sha3.js.map","function checkU32(n) {\n // 0xff_ff_ff_ff\n if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)\n throw new Error('wrong u32 integer:' + n);\n return n;\n}\n/** Checks if integer is in form of `1 << X` */\nexport function isPowerOfTwo(x) {\n checkU32(x);\n return (x & (x - 1)) === 0 && x !== 0;\n}\nexport function nextPowerOfTwo(n) {\n checkU32(n);\n if (n <= 1)\n return 1;\n return (1 << (log2(n - 1) + 1)) >>> 0;\n}\nexport function reverseBits(n, bits) {\n checkU32(n);\n let reversed = 0;\n for (let i = 0; i < bits; i++, n >>>= 1)\n reversed = (reversed << 1) | (n & 1);\n return reversed;\n}\n/** Similar to `bitLen(x)-1` but much faster for small integers, like indices */\nexport function log2(n) {\n checkU32(n);\n return 31 - Math.clz32(n);\n}\n/**\n * Moves lowest bit to highest position, which at first step splits\n * array on even and odd indices, then it applied again to each part,\n * which is core of fft\n */\nexport function bitReversalInplace(values) {\n const n = values.length;\n if (n < 2 || !isPowerOfTwo(n))\n throw new Error('n must be a power of 2 and greater than 1. Got ' + n);\n const bits = log2(n);\n for (let i = 0; i < n; i++) {\n const j = reverseBits(i, bits);\n if (i < j) {\n const tmp = values[i];\n values[i] = values[j];\n values[j] = tmp;\n }\n }\n return values;\n}\nexport function bitReversalPermutation(values) {\n return bitReversalInplace(values.slice());\n}\nconst _1n = /** @__PURE__ */ BigInt(1);\nfunction findGenerator(field) {\n let G = BigInt(2);\n for (; field.eql(field.pow(G, field.ORDER >> _1n), field.ONE); G++)\n ;\n return G;\n}\n/** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */\nexport function rootsOfUnity(field, generator) {\n // Factor field.ORDER-1 as oddFactor * 2^powerOfTwo\n let oddFactor = field.ORDER - _1n;\n let powerOfTwo = 0;\n for (; (oddFactor & _1n) !== _1n; powerOfTwo++, oddFactor >>= _1n)\n ;\n // Find non quadratic residue\n let G = generator !== undefined ? BigInt(generator) : findGenerator(field);\n // Powers of generator\n const omegas = new Array(powerOfTwo + 1);\n omegas[powerOfTwo] = field.pow(G, oddFactor);\n for (let i = powerOfTwo; i > 0; i--)\n omegas[i - 1] = field.sqr(omegas[i]);\n // Compute all roots of unity for powers up to maxPower\n const rootsCache = [];\n const checkBits = (bits) => {\n checkU32(bits);\n if (bits > 31 || bits > powerOfTwo)\n throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);\n return bits;\n };\n const precomputeRoots = (maxPower) => {\n checkBits(maxPower);\n for (let power = maxPower; power >= 0; power--) {\n if (rootsCache[power])\n continue; // Skip if we've already computed roots for this power\n const rootsAtPower = [];\n for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))\n rootsAtPower.push(cur);\n rootsCache[power] = rootsAtPower;\n }\n return rootsCache[maxPower];\n };\n const brpCache = new Map();\n const inverseCache = new Map();\n // NOTE: we use bits instead of power, because power = 2**bits,\n // but power is not neccesary isPowerOfTwo(power)!\n return {\n info: { G, powerOfTwo, oddFactor },\n roots: (bits) => {\n const b = checkBits(bits);\n return precomputeRoots(b);\n },\n brp(bits) {\n const b = checkBits(bits);\n if (brpCache.has(b))\n return brpCache.get(b);\n else {\n const res = bitReversalPermutation(this.roots(b));\n brpCache.set(b, res);\n return res;\n }\n },\n inverse(bits) {\n const b = checkBits(bits);\n if (inverseCache.has(b))\n return inverseCache.get(b);\n else {\n const res = field.invertBatch(this.roots(b));\n inverseCache.set(b, res);\n return res;\n }\n },\n omega: (bits) => omegas[checkBits(bits)],\n clear: () => {\n rootsCache.splice(0, rootsCache.length);\n brpCache.clear();\n },\n };\n}\n/**\n * Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:\n *\n * - DIT (Decimation-in-Time): Bottom-Up (leaves -> root), Cool-Turkey\n * - DIF (Decimation-in-Frequency): Top-Down (root -> leaves), Gentleman–Sande\n *\n * DIT takes brp input, returns natural output.\n * DIF takes natural input, returns brp output.\n *\n * The output is actually identical. Time / frequence distinction is not meaningful\n * for Polynomial multiplication in fields.\n * Which means if protocol supports/needs brp output/inputs, then we can skip this step.\n *\n * Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega\n * Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa\n */\nexport const FFTCore = (F, coreOpts) => {\n const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;\n const bits = log2(N);\n if (!isPowerOfTwo(N))\n throw new Error('FFT: Polynomial size should be power of two');\n const isDit = dit !== invertButterflies;\n isDit;\n return (values) => {\n if (values.length !== N)\n throw new Error('FFT: wrong Polynomial length');\n if (dit && brp)\n bitReversalInplace(values);\n for (let i = 0, g = 1; i < bits - skipStages; i++) {\n // For each stage s (sub-FFT length m = 2^s)\n const s = dit ? i + 1 + skipStages : bits - i;\n const m = 1 << s;\n const m2 = m >> 1;\n const stride = N >> s;\n // Loop over each subarray of length m\n for (let k = 0; k < N; k += m) {\n // Loop over each butterfly within the subarray\n for (let j = 0, grp = g++; j < m2; j++) {\n const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;\n const i0 = k + j;\n const i1 = k + j + m2;\n const omega = roots[rootPos];\n const b = values[i1];\n const a = values[i0];\n // Inlining gives us 10% perf in kyber vs functions\n if (isDit) {\n const t = F.mul(b, omega); // Standard DIT butterfly\n values[i0] = F.add(a, t);\n values[i1] = F.sub(a, t);\n }\n else if (invertButterflies) {\n values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)\n values[i1] = F.mul(F.sub(b, a), omega);\n }\n else {\n values[i0] = F.add(a, b); // Standard DIF butterfly\n values[i1] = F.mul(F.sub(a, b), omega);\n }\n }\n }\n }\n if (!dit && brp)\n bitReversalInplace(values);\n return values;\n };\n};\n/**\n * NTT aka FFT over finite field (NOT over complex numbers).\n * Naming mirrors other libraries.\n */\nexport function FFT(roots, opts) {\n const getLoop = (N, roots, brpInput = false, brpOutput = false) => {\n if (brpInput && brpOutput) {\n // we cannot optimize this case, but lets support it anyway\n return (values) => FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));\n }\n if (brpInput)\n return FFTCore(opts, { N, roots, dit: true, brp: false });\n if (brpOutput)\n return FFTCore(opts, { N, roots, dit: false, brp: false });\n return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural\n };\n return {\n direct(values, brpInput = false, brpOutput = false) {\n const N = values.length;\n if (!isPowerOfTwo(N))\n throw new Error('FFT: Polynomial size should be power of two');\n const bits = log2(N);\n return getLoop(N, roots.roots(bits), brpInput, brpOutput)(values.slice());\n },\n inverse(values, brpInput = false, brpOutput = false) {\n const N = values.length;\n const bits = log2(N);\n const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());\n const ivm = opts.inv(BigInt(values.length)); // scale\n // we can get brp output if we use dif instead of dit!\n for (let i = 0; i < res.length; i++)\n res[i] = opts.mul(res[i], ivm);\n // Allows to re-use non-inverted roots, but is VERY fragile\n // return [res[0]].concat(res.slice(1).reverse());\n // inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)\n return res;\n },\n };\n}\nexport function poly(field, roots, create, fft, length) {\n const F = field;\n const _create = create ||\n ((len, elm) => new Array(len).fill(elm ?? F.ZERO));\n const isPoly = (x) => Array.isArray(x) || ArrayBuffer.isView(x);\n const checkLength = (...lst) => {\n if (!lst.length)\n return 0;\n for (const i of lst)\n if (!isPoly(i))\n throw new Error('poly: not polynomial: ' + i);\n const L = lst[0].length;\n for (let i = 1; i < lst.length; i++)\n if (lst[i].length !== L)\n throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);\n if (length !== undefined && L !== length)\n throw new Error(`poly: expected fixed length ${length}, got ${L}`);\n return L;\n };\n function findOmegaIndex(x, n, brp = false) {\n const bits = log2(n);\n const omega = brp ? roots.brp(bits) : roots.roots(bits);\n for (let i = 0; i < n; i++)\n if (F.eql(x, omega[i]))\n return i;\n return -1;\n }\n // TODO: mutating versions for mlkem/mldsa\n return {\n roots,\n create: _create,\n length,\n extend: (a, len) => {\n checkLength(a);\n const out = _create(len, F.ZERO);\n for (let i = 0; i < a.length; i++)\n out[i] = a[i];\n return out;\n },\n degree: (a) => {\n checkLength(a);\n for (let i = a.length - 1; i >= 0; i--)\n if (!F.is0(a[i]))\n return i;\n return -1;\n },\n add: (a, b) => {\n const len = checkLength(a, b);\n const out = _create(len);\n for (let i = 0; i < len; i++)\n out[i] = F.add(a[i], b[i]);\n return out;\n },\n sub: (a, b) => {\n const len = checkLength(a, b);\n const out = _create(len);\n for (let i = 0; i < len; i++)\n out[i] = F.sub(a[i], b[i]);\n return out;\n },\n dot: (a, b) => {\n const len = checkLength(a, b);\n const out = _create(len);\n for (let i = 0; i < len; i++)\n out[i] = F.mul(a[i], b[i]);\n return out;\n },\n mul: (a, b) => {\n if (isPoly(b)) {\n const len = checkLength(a, b);\n if (fft) {\n const A = fft.direct(a, false, true);\n const B = fft.direct(b, false, true);\n for (let i = 0; i < A.length; i++)\n A[i] = F.mul(A[i], B[i]);\n return fft.inverse(A, true, false);\n }\n else {\n // NOTE: this is quadratic and mostly for compat tests with FFT\n const res = _create(len);\n for (let i = 0; i < len; i++) {\n for (let j = 0; j < len; j++) {\n const k = (i + j) % len; // wrap mod length\n res[k] = F.add(res[k], F.mul(a[i], b[j]));\n }\n }\n return res;\n }\n }\n else {\n const out = _create(checkLength(a));\n for (let i = 0; i < out.length; i++)\n out[i] = F.mul(a[i], b);\n return out;\n }\n },\n convolve(a, b) {\n const len = nextPowerOfTwo(a.length + b.length - 1);\n return this.mul(this.extend(a, len), this.extend(b, len));\n },\n shift(p, factor) {\n const out = _create(checkLength(p));\n out[0] = p[0];\n for (let i = 1, power = F.ONE; i < p.length; i++) {\n power = F.mul(power, factor);\n out[i] = F.mul(p[i], power);\n }\n return out;\n },\n clone: (a) => {\n checkLength(a);\n const out = _create(a.length);\n for (let i = 0; i < a.length; i++)\n out[i] = a[i];\n return out;\n },\n eval: (a, basis) => {\n checkLength(a);\n let acc = F.ZERO;\n for (let i = 0; i < a.length; i++)\n acc = F.add(acc, F.mul(a[i], basis[i]));\n return acc;\n },\n monomial: {\n basis: (x, n) => {\n const out = _create(n);\n let pow = F.ONE;\n for (let i = 0; i < n; i++) {\n out[i] = pow;\n pow = F.mul(pow, x);\n }\n return out;\n },\n eval: (a, x) => {\n checkLength(a);\n // Same as eval(a, monomialBasis(x, a.length)), but it is faster this way\n let acc = F.ZERO;\n for (let i = a.length - 1; i >= 0; i--)\n acc = F.add(F.mul(acc, x), a[i]);\n return acc;\n },\n },\n lagrange: {\n basis: (x, n, brp = false, weights) => {\n const bits = log2(n);\n const cache = weights || brp ? roots.brp(bits) : roots.roots(bits); // [ω⁰, ω¹, ..., ωⁿ⁻¹]\n const out = _create(n);\n // Fast Kronecker-δ shortcut\n const idx = findOmegaIndex(x, n, brp);\n if (idx !== -1) {\n out[idx] = F.ONE;\n return out;\n }\n const tm = F.pow(x, BigInt(n));\n const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n))); // c = (xⁿ - 1)/n\n const denom = _create(n);\n for (let i = 0; i < n; i++)\n denom[i] = F.sub(x, cache[i]);\n const inv = F.invertBatch(denom);\n for (let i = 0; i < n; i++)\n out[i] = F.mul(c, F.mul(cache[i], inv[i]));\n return out;\n },\n eval(a, x, brp = false) {\n checkLength(a);\n const idx = findOmegaIndex(x, a.length, brp);\n if (idx !== -1)\n return a[idx]; // fast path\n const L = this.basis(x, a.length, brp); // Lᵢ(x)\n let acc = F.ZERO;\n for (let i = 0; i < a.length; i++)\n if (!F.is0(a[i]))\n acc = F.add(acc, F.mul(a[i], L[i]));\n return acc;\n },\n },\n vanishing(roots) {\n checkLength(roots);\n const out = _create(roots.length + 1, F.ZERO);\n out[0] = F.ONE;\n for (const r of roots) {\n const neg = F.neg(r);\n for (let j = out.length - 1; j > 0; j--)\n out[j] = F.add(F.mul(out[j], neg), out[j - 1]);\n out[0] = F.mul(out[0], neg);\n }\n return out;\n },\n };\n}\n//# sourceMappingURL=fft.js.map","/**\n * Utilities for hex, bytearray and number handling.\n * @module\n */\n/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */\nimport { abytes, abytes as abytes_, concatBytes, isBytes, randomBytes as randb, } from '@noble/hashes/utils.js';\nexport { abytes } from '@noble/hashes/utils.js';\nexport { concatBytes };\nexport const randomBytes = randb;\n// Compares 2 u8a-s in kinda constant time\nexport function equalBytes(a, b) {\n if (a.length !== b.length)\n return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++)\n diff |= a[i] ^ b[i];\n return diff === 0;\n}\n// copy bytes to new u8a (aligned). Because Buffer.slice is broken.\nexport function copyBytes(bytes) {\n return Uint8Array.from(bytes);\n}\nexport function validateOpts(opts) {\n // We try to catch u8a, since it was previously valid argument at this position\n if (typeof opts !== 'object' || opts === null || isBytes(opts))\n throw new Error('expected opts to be an object');\n}\nexport function validateVerOpts(opts) {\n validateOpts(opts);\n if (opts.context !== undefined)\n abytes(opts.context, undefined, 'opts.context');\n}\nexport function validateSigOpts(opts) {\n validateVerOpts(opts);\n if (opts.extraEntropy !== false && opts.extraEntropy !== undefined)\n abytes(opts.extraEntropy, undefined, 'opts.extraEntropy');\n}\nexport function splitCoder(label, ...lengths) {\n const getLength = (c) => (typeof c === 'number' ? c : c.bytesLen);\n const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);\n return {\n bytesLen,\n encode: (bufs) => {\n const res = new Uint8Array(bytesLen);\n for (let i = 0, pos = 0; i < lengths.length; i++) {\n const c = lengths[i];\n const l = getLength(c);\n const b = typeof c === 'number' ? bufs[i] : c.encode(bufs[i]);\n abytes_(b, l, label);\n res.set(b, pos);\n if (typeof c !== 'number')\n b.fill(0); // clean\n pos += l;\n }\n return res;\n },\n decode: (buf) => {\n abytes_(buf, bytesLen, label);\n const res = [];\n for (const c of lengths) {\n const l = getLength(c);\n const b = buf.subarray(0, l);\n res.push(typeof c === 'number' ? b : c.decode(b));\n buf = buf.subarray(l);\n }\n return res;\n },\n };\n}\n// nano-packed.array (fixed size)\nexport function vecCoder(c, vecLen) {\n const bytesLen = vecLen * c.bytesLen;\n return {\n bytesLen,\n encode: (u) => {\n if (u.length !== vecLen)\n throw new Error(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);\n const res = new Uint8Array(bytesLen);\n for (let i = 0, pos = 0; i < u.length; i++) {\n const b = c.encode(u[i]);\n res.set(b, pos);\n b.fill(0); // clean\n pos += b.length;\n }\n return res;\n },\n decode: (a) => {\n abytes_(a, bytesLen);\n const r = [];\n for (let i = 0; i < a.length; i += c.bytesLen)\n r.push(c.decode(a.subarray(i, i + c.bytesLen)));\n return r;\n },\n };\n}\n// cleanBytes(Uint8Array.of(), [Uint16Array.of(), Uint32Array.of()])\nexport function cleanBytes(...list) {\n for (const t of list) {\n if (Array.isArray(t))\n for (const b of t)\n b.fill(0);\n else\n t.fill(0);\n }\n}\nexport function getMask(bits) {\n return (1 << bits) - 1; // 4 -> 0b1111\n}\nexport const EMPTY = Uint8Array.of();\nexport function getMessage(msg, ctx = EMPTY) {\n abytes_(msg);\n abytes_(ctx);\n if (ctx.length > 255)\n throw new Error('context should be less than 255 bytes');\n return concatBytes(new Uint8Array([0, ctx.length]), ctx, msg);\n}\n// 06 09 60 86 48 01 65 03 04 02\nconst oidNistP = /* @__PURE__ */ Uint8Array.from([6, 9, 0x60, 0x86, 0x48, 1, 0x65, 3, 4, 2]);\nexport function checkHash(hash, requiredStrength = 0) {\n if (!hash.oid || !equalBytes(hash.oid.subarray(0, 10), oidNistP))\n throw new Error('hash.oid is invalid: expected NIST hash');\n const collisionResistance = (hash.outputLen * 8) / 2;\n if (requiredStrength > collisionResistance) {\n throw new Error('Pre-hash security strength too low: ' +\n collisionResistance +\n ', required: ' +\n requiredStrength);\n }\n}\nexport function getMessagePrehash(hash, msg, ctx = EMPTY) {\n abytes_(msg);\n abytes_(ctx);\n if (ctx.length > 255)\n throw new Error('context should be less than 255 bytes');\n const hashed = hash(msg);\n return concatBytes(new Uint8Array([1, ctx.length]), ctx, hash.oid, hashed);\n}\n//# sourceMappingURL=utils.js.map","/**\n * Internal methods for lattice-based ML-KEM and ML-DSA.\n * @module\n */\n/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */\nimport { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';\nimport { shake128, shake256 } from '@noble/hashes/sha3.js';\nimport { cleanBytes, getMask } from \"./utils.js\";\nexport const genCrystals = (opts) => {\n // isKyber: true means Kyber, false means Dilithium\n const { newPoly, N, Q, F, ROOT_OF_UNITY, brvBits, isKyber } = opts;\n const mod = (a, modulo = Q) => {\n const result = a % modulo | 0;\n return (result >= 0 ? result | 0 : (modulo + result) | 0) | 0;\n };\n // -(Q-1)/2 < a <= (Q-1)/2\n const smod = (a, modulo = Q) => {\n const r = mod(a, modulo) | 0;\n return (r > modulo >> 1 ? (r - modulo) | 0 : r) | 0;\n };\n // Generate zettas (different from roots of unity, negacyclic uses phi, where acyclic uses omega)\n function getZettas() {\n const out = newPoly(N);\n for (let i = 0; i < N; i++) {\n const b = reverseBits(i, brvBits);\n const p = BigInt(ROOT_OF_UNITY) ** BigInt(b) % BigInt(Q);\n out[i] = Number(p) | 0;\n }\n return out;\n }\n const nttZetas = getZettas();\n // Number-Theoretic Transform\n // Explained: https://electricdusk.com/ntt.html\n // Kyber has slightly different params, since there is no 512th primitive root of unity mod q,\n // only 256th primitive root of unity mod. Which also complicates MultiplyNTT.\n const field = {\n add: (a, b) => mod((a | 0) + (b | 0)) | 0,\n sub: (a, b) => mod((a | 0) - (b | 0)) | 0,\n mul: (a, b) => mod((a | 0) * (b | 0)) | 0,\n inv: (_a) => {\n throw new Error('not implemented');\n },\n };\n const nttOpts = {\n N,\n roots: nttZetas,\n invertButterflies: true,\n skipStages: isKyber ? 1 : 0,\n brp: false,\n };\n const dif = FFTCore(field, { dit: false, ...nttOpts });\n const dit = FFTCore(field, { dit: true, ...nttOpts });\n const NTT = {\n encode: (r) => {\n return dif(r);\n },\n decode: (r) => {\n dit(r);\n // kyber uses 128 here, because brv && stuff\n for (let i = 0; i < r.length; i++)\n r[i] = mod(F * r[i]);\n return r;\n },\n };\n // Encode polynominal as bits\n const bitsCoder = (d, c) => {\n const mask = getMask(d);\n const bytesLen = d * (N / 8);\n return {\n bytesLen,\n encode: (poly) => {\n const r = new Uint8Array(bytesLen);\n for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {\n buf |= (c.encode(poly[i]) & mask) << bufLen;\n bufLen += d;\n for (; bufLen >= 8; bufLen -= 8, buf >>= 8)\n r[pos++] = buf & getMask(bufLen);\n }\n return r;\n },\n decode: (bytes) => {\n const r = newPoly(N);\n for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {\n buf |= bytes[i] << bufLen;\n bufLen += 8;\n for (; bufLen >= d; bufLen -= d, buf >>= d)\n r[pos++] = c.decode(buf & mask);\n }\n return r;\n },\n };\n };\n return { mod, smod, nttZetas, NTT, bitsCoder };\n};\nconst createXofShake = (shake) => (seed, blockLen) => {\n if (!blockLen)\n blockLen = shake.blockLen;\n // Optimizations that won't mater:\n // - cached seed update (two .update(), on start and on the end)\n // - another cache which cloned into working copy\n // Faster than multiple updates, since seed less than blockLen\n const _seed = new Uint8Array(seed.length + 2);\n _seed.set(seed);\n const seedLen = seed.length;\n const buf = new Uint8Array(blockLen); // == shake128.blockLen\n let h = shake.create({});\n let calls = 0;\n let xofs = 0;\n return {\n stats: () => ({ calls, xofs }),\n get: (x, y) => {\n _seed[seedLen + 0] = x;\n _seed[seedLen + 1] = y;\n h.destroy();\n h = shake.create({}).update(_seed);\n calls++;\n return () => {\n xofs++;\n return h.xofInto(buf);\n };\n },\n clean: () => {\n h.destroy();\n cleanBytes(buf, _seed);\n },\n };\n};\nexport const XOF128 = /* @__PURE__ */ createXofShake(shake128);\nexport const XOF256 = /* @__PURE__ */ createXofShake(shake256);\n//# sourceMappingURL=_crystals.js.map","/**\n * ML-DSA: Module Lattice-based Digital Signature Algorithm from\n * [FIPS-204](https://csrc.nist.gov/pubs/fips/204/ipd). A.k.a. CRYSTALS-Dilithium.\n *\n * Has similar internals to ML-KEM, but their keys and params are different.\n * Check out [official site](https://www.pq-crystals.org/dilithium/index.shtml),\n * [repo](https://github.com/pq-crystals/dilithium).\n * @module\n */\n/*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */\nimport { abool } from '@noble/curves/utils.js';\nimport { shake256 } from '@noble/hashes/sha3.js';\nimport { genCrystals, XOF128, XOF256 } from \"./_crystals.js\";\nimport { abytes, checkHash, cleanBytes, equalBytes, getMessage, getMessagePrehash, randomBytes, splitCoder, validateOpts, validateSigOpts, validateVerOpts, vecCoder, } from \"./utils.js\";\nfunction validateInternalOpts(opts) {\n validateOpts(opts);\n if (opts.externalMu !== undefined)\n abool(opts.externalMu, 'opts.externalMu');\n}\n// Constants\nconst N = 256;\n// 2**23 − 2**13 + 1, 23 bits: multiply will be 46. We have enough precision in JS to avoid bigints\nconst Q = 8380417;\nconst ROOT_OF_UNITY = 1753;\n// f = 256**−1 mod q, pow(256, -1, q) = 8347681 (python3)\nconst F = 8347681;\nconst D = 13;\n// Dilithium is kinda parametrized over GAMMA2, but everything will break with any other value.\nconst GAMMA2_1 = Math.floor((Q - 1) / 88) | 0;\nconst GAMMA2_2 = Math.floor((Q - 1) / 32) | 0;\n/** Internal params for different versions of ML-DSA */\n// prettier-ignore\nexport const PARAMS = {\n 2: { K: 4, L: 4, D, GAMMA1: 2 ** 17, GAMMA2: GAMMA2_1, TAU: 39, ETA: 2, OMEGA: 80 },\n 3: { K: 6, L: 5, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 49, ETA: 4, OMEGA: 55 },\n 5: { K: 8, L: 7, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 60, ETA: 2, OMEGA: 75 },\n};\nconst newPoly = (n) => new Int32Array(n);\nconst { mod, smod, NTT, bitsCoder } = genCrystals({\n N,\n Q,\n F,\n ROOT_OF_UNITY,\n newPoly,\n isKyber: false,\n brvBits: 8,\n});\nconst id = (n) => n;\nconst polyCoder = (d, compress = id, verify = id) => bitsCoder(d, {\n encode: (i) => compress(verify(i)),\n decode: (i) => verify(compress(i)),\n});\nconst polyAdd = (a, b) => {\n for (let i = 0; i < a.length; i++)\n a[i] = mod(a[i] + b[i]);\n return a;\n};\nconst polySub = (a, b) => {\n for (let i = 0; i < a.length; i++)\n a[i] = mod(a[i] - b[i]);\n return a;\n};\nconst polyShiftl = (p) => {\n for (let i = 0; i < N; i++)\n p[i] <<= D;\n return p;\n};\nconst polyChknorm = (p, B) => {\n // Not very sure about this, but FIPS204 doesn't provide any function for that :(\n for (let i = 0; i < N; i++)\n if (Math.abs(smod(p[i])) >= B)\n return true;\n return false;\n};\nconst MultiplyNTTs = (a, b) => {\n // NOTE: we don't use montgomery reduction in code, since it requires 64 bit ints,\n // which is not available in JS. mod(a[i] * b[i]) is ok, since Q is 23 bit,\n // which means a[i] * b[i] is 46 bit, which is safe to use in JS. (number is 53 bits).\n // Barrett reduction is slower than mod :(\n const c = newPoly(N);\n for (let i = 0; i < a.length; i++)\n c[i] = mod(a[i] * b[i]);\n return c;\n};\n// Return poly in NTT representation\nfunction RejNTTPoly(xof) {\n // Samples a polynomial ∈ Tq.\n const r = newPoly(N);\n // NOTE: we can represent 3xu24 as 4xu32, but it doesn't improve perf :(\n for (let j = 0; j < N;) {\n const b = xof();\n if (b.length % 3)\n throw new Error('RejNTTPoly: unaligned block');\n for (let i = 0; j < N && i <= b.length - 3; i += 3) {\n const t = (b[i + 0] | (b[i + 1] << 8) | (b[i + 2] << 16)) & 0x7fffff; // 3 bytes\n if (t < Q)\n r[j++] = t;\n }\n }\n return r;\n}\nfunction getDilithium(opts) {\n const { K, L, GAMMA1, GAMMA2, TAU, ETA, OMEGA } = opts;\n const { CRH_BYTES, TR_BYTES, C_TILDE_BYTES, XOF128, XOF256, securityLevel } = opts;\n if (![2, 4].includes(ETA))\n throw new Error('Wrong ETA');\n if (![1 << 17, 1 << 19].includes(GAMMA1))\n throw new Error('Wrong GAMMA1');\n if (![GAMMA2_1, GAMMA2_2].includes(GAMMA2))\n throw new Error('Wrong GAMMA2');\n const BETA = TAU * ETA;\n const decompose = (r) => {\n // Decomposes r into (r1, r0) such that r ≡ r1(2γ2) + r0 mod q.\n const rPlus = mod(r);\n const r0 = smod(rPlus, 2 * GAMMA2) | 0;\n if (rPlus - r0 === Q - 1)\n return { r1: 0 | 0, r0: (r0 - 1) | 0 };\n const r1 = Math.floor((rPlus - r0) / (2 * GAMMA2)) | 0;\n return { r1, r0 }; // r1 = HighBits, r0 = LowBits\n };\n const HighBits = (r) => decompose(r).r1;\n const LowBits = (r) => decompose(r).r0;\n const MakeHint = (z, r) => {\n // Compute hint bit indicating whether adding z to r alters the high bits of r.\n // From dilithium code\n const res0 = z <= GAMMA2 || z > Q - GAMMA2 || (z === Q - GAMMA2 && r === 0) ? 0 : 1;\n // from FIPS204:\n // // const r1 = HighBits(r);\n // // const v1 = HighBits(r + z);\n // // const res1 = +(r1 !== v1);\n // But they return different results! However, decompose is same.\n // So, either there is a bug in Dilithium ref implementation or in FIPS204.\n // For now, lets use dilithium one, so test vectors can be passed.\n // See\n // https://github.com/GiacomoPope/dilithium-py?tab=readme-ov-file#optimising-decomposition-and-making-hints\n return res0;\n };\n const UseHint = (h, r) => {\n // Returns the high bits of r adjusted according to hint h\n const m = Math.floor((Q - 1) / (2 * GAMMA2));\n const { r1, r0 } = decompose(r);\n // 3: if h = 1 and r0 > 0 return (r1 + 1) mod m\n // 4: if h = 1 and r0 ≤ 0 return (r1 − 1) mod m\n if (h === 1)\n return r0 > 0 ? mod(r1 + 1, m) | 0 : mod(r1 - 1, m) | 0;\n return r1 | 0;\n };\n const Power2Round = (r) => {\n // Decomposes r into (r1, r0) such that r ≡ r1*(2**d) + r0 mod q.\n const rPlus = mod(r);\n const r0 = smod(rPlus, 2 ** D) | 0;\n return { r1: Math.floor((rPlus - r0) / 2 ** D) | 0, r0 };\n };\n const hintCoder = {\n bytesLen: OMEGA + K,\n encode: (h) => {\n if (h === false)\n throw new Error('hint.encode: hint is false'); // should never happen\n const res = new Uint8Array(OMEGA + K);\n for (let i = 0, k = 0; i < K; i++) {\n for (let j = 0; j < N; j++)\n if (h[i][j] !== 0)\n res[k++] = j;\n res[OMEGA + i] = k;\n }\n return res;\n },\n decode: (buf) => {\n const h = [];\n let k = 0;\n for (let i = 0; i < K; i++) {\n const hi = newPoly(N);\n if (buf[OMEGA + i] < k || buf[OMEGA + i] > OMEGA)\n return false;\n for (let j = k; j < buf[OMEGA + i]; j++) {\n if (j > k && buf[j] <= buf[j - 1])\n return false;\n hi[buf[j]] = 1;\n }\n k = buf[OMEGA + i];\n h.push(hi);\n }\n for (let j = k; j < OMEGA; j++)\n if (buf[j] !== 0)\n return false;\n return h;\n },\n };\n const ETACoder = polyCoder(ETA === 2 ? 3 : 4, (i) => ETA - i, (i) => {\n if (!(-ETA <= i && i <= ETA))\n throw new Error(`malformed key s1/s3 ${i} outside of ETA range [${-ETA}, ${ETA}]`);\n return i;\n });\n const T0Coder = polyCoder(13, (i) => (1 << (D - 1)) - i);\n const T1Coder = polyCoder(10);\n // Requires smod. Need to fix!\n const ZCoder = polyCoder(GAMMA1 === 1 << 17 ? 18 : 20, (i) => smod(GAMMA1 - i));\n const W1Coder = polyCoder(GAMMA2 === GAMMA2_1 ? 6 : 4);\n const W1Vec = vecCoder(W1Coder, K);\n // Main structures\n const publicCoder = splitCoder('publicKey', 32, vecCoder(T1Coder, K));\n const secretCoder = splitCoder('secretKey', 32, 32, TR_BYTES, vecCoder(ETACoder, L), vecCoder(ETACoder, K), vecCoder(T0Coder, K));\n const sigCoder = splitCoder('signature', C_TILDE_BYTES, vecCoder(ZCoder, L), hintCoder);\n const CoefFromHalfByte = ETA === 2\n ? (n) => (n < 15 ? 2 - (n % 5) : false)\n : (n) => (n < 9 ? 4 - n : false);\n // Return poly in NTT representation\n function RejBoundedPoly(xof) {\n // Samples an element a ∈ Rq with coeffcients in [−η, η] computed via rejection sampling from ρ.\n const r = newPoly(N);\n for (let j = 0; j < N;) {\n const b = xof();\n for (let i = 0; j < N && i < b.length; i += 1) {\n // half byte. Should be superfast with vector instructions. But very slow with js :(\n const d1 = CoefFromHalfByte(b[i] & 0x0f);\n const d2 = CoefFromHalfByte((b[i] >> 4) & 0x0f);\n if (d1 !== false)\n r[j++] = d1;\n if (j < N && d2 !== false)\n r[j++] = d2;\n }\n }\n return r;\n }\n const SampleInBall = (seed) => {\n // Samples a polynomial c ∈ Rq with coeffcients from {−1, 0, 1} and Hamming weight τ\n const pre = newPoly(N);\n const s = shake256.create({}).update(seed);\n const buf = new Uint8Array(shake256.blockLen);\n s.xofInto(buf);\n const masks = buf.slice(0, 8);\n for (let i = N - TAU, pos = 8, maskPos = 0, maskBit = 0; i < N; i++) {\n let b = i + 1;\n for (; b > i;) {\n b = buf[pos++];\n if (pos < shake256.blockLen)\n continue;\n s.xofInto(buf);\n pos = 0;\n }\n pre[i] = pre[b];\n pre[b] = 1 - (((masks[maskPos] >> maskBit++) & 1) << 1);\n if (maskBit >= 8) {\n maskPos++;\n maskBit = 0;\n }\n }\n return pre;\n };\n const polyPowerRound = (p) => {\n const res0 = newPoly(N);\n const res1 = newPoly(N);\n for (let i = 0; i < p.length; i++) {\n const { r0, r1 } = Power2Round(p[i]);\n res0[i] = r0;\n res1[i] = r1;\n }\n return { r0: res0, r1: res1 };\n };\n const polyUseHint = (u, h) => {\n for (let i = 0; i < N; i++)\n u[i] = UseHint(h[i], u[i]);\n return u;\n };\n const polyMakeHint = (a, b) => {\n const v = newPoly(N);\n let cnt = 0;\n for (let i = 0; i < N; i++) {\n const h = MakeHint(a[i], b[i]);\n v[i] = h;\n cnt += h;\n }\n return { v, cnt };\n };\n const signRandBytes = 32;\n const seedCoder = splitCoder('seed', 32, 64, 32);\n // API & argument positions are exactly as in FIPS204.\n const internal = {\n info: { type: 'internal-ml-dsa' },\n lengths: {\n secretKey: secretCoder.bytesLen,\n publicKey: publicCoder.bytesLen,\n seed: 32,\n signature: sigCoder.bytesLen,\n signRand: signRandBytes,\n },\n keygen: (seed) => {\n // H(𝜉||IntegerToBytes(𝑘, 1)||IntegerToBytes(ℓ, 1), 128) 2: ▷ expand seed\n const seedDst = new Uint8Array(32 + 2);\n const randSeed = seed === undefined;\n if (randSeed)\n seed = randomBytes(32);\n abytes(seed, 32, 'seed');\n seedDst.set(seed);\n if (randSeed)\n cleanBytes(seed);\n seedDst[32] = K;\n seedDst[33] = L;\n const [rho, rhoPrime, K_] = seedCoder.decode(shake256(seedDst, { dkLen: seedCoder.bytesLen }));\n const xofPrime = XOF256(rhoPrime);\n const s1 = [];\n for (let i = 0; i < L; i++)\n s1.push(RejBoundedPoly(xofPrime.get(i & 0xff, (i >> 8) & 0xff)));\n const s2 = [];\n for (let i = L; i < L + K; i++)\n s2.push(RejBoundedPoly(xofPrime.get(i & 0xff, (i >> 8) & 0xff)));\n const s1Hat = s1.map((i) => NTT.encode(i.slice()));\n const t0 = [];\n const t1 = [];\n const xof = XOF128(rho);\n const t = newPoly(N);\n for (let i = 0; i < K; i++) {\n // t ← NTT−1(A*NTT(s1)) + s2\n cleanBytes(t); // don't-reallocate\n for (let j = 0; j < L; j++) {\n const aij = RejNTTPoly(xof.get(j, i)); // super slow!\n polyAdd(t, MultiplyNTTs(aij, s1Hat[j]));\n }\n NTT.decode(t);\n const { r0, r1 } = polyPowerRound(polyAdd(t, s2[i])); // (t1, t0) ← Power2Round(t, d)\n t0.push(r0);\n t1.push(r1);\n }\n const publicKey = publicCoder.encode([rho, t1]); // pk ← pkEncode(ρ, t1)\n const tr = shake256(publicKey, { dkLen: TR_BYTES }); // tr ← H(BytesToBits(pk), 512)\n const secretKey = secretCoder.encode([rho, K_, tr, s1, s2, t0]); // sk ← skEncode(ρ, K,tr, s1, s2, t0)\n xof.clean();\n xofPrime.clean();\n // STATS\n // Kyber512: { calls: 4, xofs: 12 }, Kyber768: { calls: 9, xofs: 27 }, Kyber1024: { calls: 16, xofs: 48 }\n // DSA44: { calls: 24, xofs: 24 }, DSA65: { calls: 41, xofs: 41 }, DSA87: { calls: 71, xofs: 71 }\n cleanBytes(rho, rhoPrime, K_, s1, s2, s1Hat, t, t0, t1, tr, seedDst);\n return { publicKey, secretKey };\n },\n getPublicKey: (secretKey) => {\n const [rho, _K, _tr, s1, s2, _t0] = secretCoder.decode(secretKey); // (ρ, K,tr, s1, s2, t0) ← skDecode(sk)\n const xof = XOF128(rho);\n const s1Hat = s1.map((p) => NTT.encode(p.slice()));\n const t1 = [];\n const tmp = newPoly(N);\n for (let i = 0; i < K; i++) {\n tmp.fill(0);\n for (let j = 0; j < L; j++) {\n const aij = RejNTTPoly(xof.get(j, i)); // A_ij in NTT\n polyAdd(tmp, MultiplyNTTs(aij, s1Hat[j])); // += A_ij * s1_j\n }\n NTT.decode(tmp); // NTT⁻¹\n polyAdd(tmp, s2[i]); // t_i = A·s1 + s2\n const { r1 } = polyPowerRound(tmp); // r1 = t1, r0 ≈ t0\n t1.push(r1);\n }\n xof.clean();\n cleanBytes(tmp, s1Hat, _t0, s1, s2);\n return publicCoder.encode([rho, t1]);\n },\n // NOTE: random is optional.\n sign: (msg, secretKey, opts = {}) => {\n validateSigOpts(opts);\n validateInternalOpts(opts);\n let { extraEntropy: random, externalMu = false } = opts;\n // This part can be pre-cached per secretKey, but there is only minor performance improvement,\n // since we re-use a lot of variables to computation.\n const [rho, _K, tr, s1, s2, t0] = secretCoder.decode(secretKey); // (ρ, K,tr, s1, s2, t0) ← skDecode(sk)\n // Cache matrix to avoid re-compute later\n const A = []; // A ← ExpandA(ρ)\n const xof = XOF128(rho);\n for (let i = 0; i < K; i++) {\n const pv = [];\n for (let j = 0; j < L; j++)\n pv.push(RejNTTPoly(xof.get(j, i)));\n A.push(pv);\n }\n xof.clean();\n for (let i = 0; i < L; i++)\n NTT.encode(s1[i]); // sˆ1 ← NTT(s1)\n for (let i = 0; i < K; i++) {\n NTT.encode(s2[i]); // sˆ2 ← NTT(s2)\n NTT.encode(t0[i]); // tˆ0 ← NTT(t0)\n }\n // This part is per msg\n const mu = externalMu\n ? msg\n : shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 6: µ ← H(tr||M, 512) ▷ Compute message representative µ\n // Compute private random seed\n const rnd = random === false\n ? new Uint8Array(32)\n : random === undefined\n ? randomBytes(signRandBytes)\n : random;\n abytes(rnd, 32, 'extraEntropy');\n const rhoprime = shake256\n .create({ dkLen: CRH_BYTES })\n .update(_K)\n .update(rnd)\n .update(mu)\n .digest(); // ρ′← H(K||rnd||µ, 512)\n abytes(rhoprime, CRH_BYTES);\n const x256 = XOF256(rhoprime, ZCoder.bytesLen);\n // Rejection sampling loop\n main_loop: for (let kappa = 0;;) {\n const y = [];\n // y ← ExpandMask(ρ , κ)\n for (let i = 0; i < L; i++, kappa++)\n y.push(ZCoder.decode(x256.get(kappa & 0xff, kappa >> 8)()));\n const z = y.map((i) => NTT.encode(i.slice()));\n const w = [];\n for (let i = 0; i < K; i++) {\n // w ← NTT−1(A ◦ NTT(y))\n const wi = newPoly(N);\n for (let j = 0; j < L; j++)\n polyAdd(wi, MultiplyNTTs(A[i][j], z[j]));\n NTT.decode(wi);\n w.push(wi);\n }\n const w1 = w.map((j) => j.map(HighBits)); // w1 ← HighBits(w)\n // Commitment hash: c˜ ∈{0, 1 2λ } ← H(µ||w1Encode(w1), 2λ)\n const cTilde = shake256\n .create({ dkLen: C_TILDE_BYTES })\n .update(mu)\n .update(W1Vec.encode(w1))\n .digest();\n // Verifer’s challenge\n const cHat = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1); cˆ ← NTT(c)\n // ⟨⟨cs1⟩⟩ ← NTT−1(cˆ◦ sˆ1)\n const cs1 = s1.map((i) => MultiplyNTTs(i, cHat));\n for (let i = 0; i < L; i++) {\n polyAdd(NTT.decode(cs1[i]), y[i]); // z ← y + ⟨⟨cs1⟩⟩\n if (polyChknorm(cs1[i], GAMMA1 - BETA))\n continue main_loop; // ||z||∞ ≥ γ1 − β\n }\n // cs1 is now z (▷ Signer’s response)\n let cnt = 0;\n const h = [];\n for (let i = 0; i < K; i++) {\n const cs2 = NTT.decode(MultiplyNTTs(s2[i], cHat)); // ⟨⟨cs2⟩⟩ ← NTT−1(cˆ◦ sˆ2)\n const r0 = polySub(w[i], cs2).map(LowBits); // r0 ← LowBits(w − ⟨⟨cs2⟩⟩)\n if (polyChknorm(r0, GAMMA2 - BETA))\n continue main_loop; // ||r0||∞ ≥ γ2 − β\n const ct0 = NTT.decode(MultiplyNTTs(t0[i], cHat)); // ⟨⟨ct0⟩⟩ ← NTT−1(cˆ◦ tˆ0)\n if (polyChknorm(ct0, GAMMA2))\n continue main_loop;\n polyAdd(r0, ct0);\n // ▷ Signer’s hint\n const hint = polyMakeHint(r0, w1[i]); // h ← MakeHint(−⟨⟨ct0⟩⟩, w− ⟨⟨cs2⟩⟩ + ⟨⟨ct0⟩⟩)\n h.push(hint.v);\n cnt += hint.cnt;\n }\n if (cnt > OMEGA)\n continue; // the number of 1’s in h is greater than ω\n x256.clean();\n const res = sigCoder.encode([cTilde, cs1, h]); // σ ← sigEncode(c˜, z mod±q, h)\n // rho, _K, tr is subarray of secretKey, cannot clean.\n cleanBytes(cTilde, cs1, h, cHat, w1, w, z, y, rhoprime, mu, s1, s2, t0, ...A);\n return res;\n }\n // @ts-ignore\n throw new Error('Unreachable code path reached, report this error');\n },\n verify: (sig, msg, publicKey, opts = {}) => {\n validateInternalOpts(opts);\n const { externalMu = false } = opts;\n // ML-DSA.Verify(pk, M, σ): Verifes a signature σ for a message M.\n const [rho, t1] = publicCoder.decode(publicKey); // (ρ, t1) ← pkDecode(pk)\n const tr = shake256(publicKey, { dkLen: TR_BYTES }); // 6: tr ← H(BytesToBits(pk), 512)\n if (sig.length !== sigCoder.bytesLen)\n return false; // return false instead of exception\n const [cTilde, z, h] = sigCoder.decode(sig); // (c˜, z, h) ← sigDecode(σ), ▷ Signer’s commitment hash c ˜, response z and hint\n if (h === false)\n return false; // if h = ⊥ then return false\n for (let i = 0; i < L; i++)\n if (polyChknorm(z[i], GAMMA1 - BETA))\n return false;\n const mu = externalMu\n ? msg\n : shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 7: µ ← H(tr||M, 512)\n // Compute verifer’s challenge from c˜\n const c = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1)\n const zNtt = z.map((i) => i.slice()); // zNtt = NTT(z)\n for (let i = 0; i < L; i++)\n NTT.encode(zNtt[i]);\n const wTick1 = [];\n const xof = XOF128(rho);\n for (let i = 0; i < K; i++) {\n const ct12d = MultiplyNTTs(NTT.encode(polyShiftl(t1[i])), c); //c * t1 * (2**d)\n const Az = newPoly(N); // // A * z\n for (let j = 0; j < L; j++) {\n const aij = RejNTTPoly(xof.get(j, i)); // A[i][j] inplace\n polyAdd(Az, MultiplyNTTs(aij, zNtt[j]));\n }\n // wApprox = A*z - c*t1 * (2**d)\n const wApprox = NTT.decode(polySub(Az, ct12d));\n // Reconstruction of signer’s commitment\n wTick1.push(polyUseHint(wApprox, h[i])); // w ′ ← UseHint(h, w'approx )\n }\n xof.clean();\n // c˜′← H (µ||w1Encode(w′1), 2λ), Hash it; this should match c˜\n const c2 = shake256\n .create({ dkLen: C_TILDE_BYTES })\n .update(mu)\n .update(W1Vec.encode(wTick1))\n .digest();\n // Additional checks in FIPS-204:\n // [[ ||z||∞ < γ1 − β ]] and [[c ˜ = c˜′]] and [[number of 1’s in h is ≤ ω]]\n for (const t of h) {\n const sum = t.reduce((acc, i) => acc + i, 0);\n if (!(sum <= OMEGA))\n return false;\n }\n for (const t of z)\n if (polyChknorm(t, GAMMA1 - BETA))\n return false;\n return equalBytes(cTilde, c2);\n },\n };\n return {\n info: { type: 'ml-dsa' },\n internal,\n securityLevel: securityLevel,\n keygen: internal.keygen,\n lengths: internal.lengths,\n getPublicKey: internal.getPublicKey,\n sign: (msg, secretKey, opts = {}) => {\n validateSigOpts(opts);\n const M = getMessage(msg, opts.context);\n const res = internal.sign(M, secretKey, opts);\n cleanBytes(M);\n return res;\n },\n verify: (sig, msg, publicKey, opts = {}) => {\n validateVerOpts(opts);\n return internal.verify(sig, getMessage(msg, opts.context), publicKey);\n },\n prehash: (hash) => {\n checkHash(hash, securityLevel);\n return {\n info: { type: 'hashml-dsa' },\n securityLevel: securityLevel,\n lengths: internal.lengths,\n keygen: internal.keygen,\n getPublicKey: internal.getPublicKey,\n sign: (msg, secretKey, opts = {}) => {\n validateSigOpts(opts);\n const M = getMessagePrehash(hash, msg, opts.context);\n const res = internal.sign(M, secretKey, opts);\n cleanBytes(M);\n return res;\n },\n verify: (sig, msg, publicKey, opts = {}) => {\n validateVerOpts(opts);\n return internal.verify(sig, getMessagePrehash(hash, msg, opts.context), publicKey);\n },\n };\n },\n };\n}\n/** ML-DSA-44 for 128-bit security level. Not recommended after 2030, as per ASD. */\nexport const ml_dsa44 = /* @__PURE__ */ getDilithium({\n ...PARAMS[2],\n CRH_BYTES: 64,\n TR_BYTES: 64,\n C_TILDE_BYTES: 32,\n XOF128,\n XOF256,\n securityLevel: 128,\n});\n/** ML-DSA-65 for 192-bit security level. Not recommended after 2030, as per ASD. */\nexport const ml_dsa65 = /* @__PURE__ */ getDilithium({\n ...PARAMS[3],\n CRH_BYTES: 64,\n TR_BYTES: 64,\n C_TILDE_BYTES: 48,\n XOF128,\n XOF256,\n securityLevel: 192,\n});\n/** ML-DSA-87 for 256-bit security level. OK after 2030, as per ASD. */\nexport const ml_dsa87 = /* @__PURE__ */ getDilithium({\n ...PARAMS[5],\n CRH_BYTES: 64,\n TR_BYTES: 64,\n C_TILDE_BYTES: 64,\n XOF128,\n XOF256,\n securityLevel: 256,\n});\n//# sourceMappingURL=ml-dsa.js.map"],"names":[],"sourceRoot":""}