w3pk 0.9.3 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -52,6 +52,7 @@ const endpoints = await w3pk.getEndpoints(1)
52
52
  - EIP-1193 provider for ethers, viem, wagmi, RainbowKit (`getEIP1193Provider`)
53
53
  - ERC-5564 stealth addresses (opt-in)
54
54
  - ZK primitives (zero-knowledge proof generation and verification)
55
+ - Post-quantum encryption (ML-KEM-1024/Kyber NIST FIPS 203)
55
56
  - Chainlist support (2390+ networks)
56
57
  - EIP-7702 network detection (329+ networks)
57
58
  - External wallet integration (delegate MetaMask/Ledger to w3pk via EIP-7702)
@@ -337,6 +338,15 @@ if (result.isForUser) {
337
338
  const myPayments = await w3pk.stealth?.scanAnnouncements(announcements)
338
339
  ```
339
340
 
341
+ ### ML-KEM encryption
342
+
343
+ ```typescript
344
+ // Encrypt with post-quantum security (NIST FIPS 203)
345
+ const pubKey = await w3pk.deriveMLKemPublicKey()
346
+ const encrypted = await w3pk.mlkemEncrypt('secret', [pubKey])
347
+ const plaintext = await w3pk.mlkemDecrypt(encrypted)
348
+ ```
349
+
340
350
  ### Backup & Recovery
341
351
 
342
352
  ```typescript
package/dist/index.d.mts CHANGED
@@ -1016,6 +1016,111 @@ declare class Web3Passkey {
1016
1016
  * @param hours - Duration in hours
1017
1017
  */
1018
1018
  setSessionDuration(hours: number): void;
1019
+ /**
1020
+ * Derive ML-KEM-1024 public key from the current wallet
1021
+ *
1022
+ * Returns the public key that can be shared with others for encryption.
1023
+ * The keypair is derived deterministically from the wallet's private key.
1024
+ *
1025
+ * @param options - Optional configuration
1026
+ * @param options.context - Context string for domain separation (default: 'mlkem-v1')
1027
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1028
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1029
+ * @param options.origin - Origin for derivation (default: current origin)
1030
+ * @param options.requireAuth - Force WebAuthn re-authentication
1031
+ * @returns Base64-encoded ML-KEM public key (1568 bytes)
1032
+ *
1033
+ * @example
1034
+ * ```typescript
1035
+ * const w3pk = createWeb3Passkey();
1036
+ * await w3pk.login();
1037
+ *
1038
+ * const publicKey = await w3pk.deriveMLKemPublicKey();
1039
+ * // Share publicKey with others so they can encrypt data for you
1040
+ * ```
1041
+ */
1042
+ deriveMLKemPublicKey(options?: {
1043
+ context?: string;
1044
+ mode?: SecurityMode;
1045
+ tag?: string;
1046
+ origin?: string;
1047
+ requireAuth?: boolean;
1048
+ }): Promise<string>;
1049
+ /**
1050
+ * Encrypt data using ML-KEM-1024 for self + additional recipients
1051
+ *
1052
+ * Encrypts data such that you (the sender) and specified recipients can decrypt.
1053
+ * Your ML-KEM keypair is derived from your wallet, so you can always decrypt later.
1054
+ *
1055
+ * @param plaintext - The data to encrypt
1056
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (base64 strings or Uint8Arrays)
1057
+ * @param options - Optional configuration
1058
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1')
1059
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1060
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1061
+ * @param options.origin - Origin for derivation (default: current origin)
1062
+ * @param options.requireAuth - Force WebAuthn re-authentication
1063
+ * @returns Encrypted payload that can be decrypted by sender or recipients
1064
+ *
1065
+ * @example
1066
+ * ```typescript
1067
+ * const w3pk = createWeb3Passkey();
1068
+ * await w3pk.login();
1069
+ *
1070
+ * // Get server's public key
1071
+ * const serverPubKey = await fetch('/api/mlkem-public-key').then(r => r.text());
1072
+ *
1073
+ * // Encrypt for yourself + server
1074
+ * const encrypted = await w3pk.mlkemEncrypt(
1075
+ * 'my secret data',
1076
+ * [serverPubKey]
1077
+ * );
1078
+ *
1079
+ * // Later: decrypt with the same wallet
1080
+ * const decrypted = await w3pk.mlkemDecrypt(encrypted);
1081
+ * ```
1082
+ */
1083
+ mlkemEncrypt(plaintext: string, recipientPublicKeys: Array<string | Uint8Array>, options?: {
1084
+ context?: string;
1085
+ mode?: SecurityMode;
1086
+ tag?: string;
1087
+ origin?: string;
1088
+ requireAuth?: boolean;
1089
+ }): Promise<any>;
1090
+ /**
1091
+ * Decrypt ML-KEM encrypted data using current wallet
1092
+ *
1093
+ * Decrypts data that was encrypted for this wallet.
1094
+ * The ML-KEM keypair is derived from your wallet's private key.
1095
+ *
1096
+ * @param payload - The encrypted payload (from mlkemEncrypt)
1097
+ * @param options - Optional configuration
1098
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1', must match encryption)
1099
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1100
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1101
+ * @param options.origin - Origin for derivation (default: current origin)
1102
+ * @param options.requireAuth - Force WebAuthn re-authentication
1103
+ * @returns Decrypted plaintext
1104
+ *
1105
+ * @example
1106
+ * ```typescript
1107
+ * const w3pk = createWeb3Passkey();
1108
+ * await w3pk.login();
1109
+ *
1110
+ * // Retrieve encrypted data
1111
+ * const encrypted = await fetch('/api/my-data').then(r => r.json());
1112
+ *
1113
+ * // Decrypt locally (server never sees plaintext!)
1114
+ * const plaintext = await w3pk.mlkemDecrypt(encrypted);
1115
+ * ```
1116
+ */
1117
+ mlkemDecrypt(payload: any, options?: {
1118
+ context?: string;
1119
+ mode?: SecurityMode;
1120
+ tag?: string;
1121
+ origin?: string;
1122
+ requireAuth?: boolean;
1123
+ }): Promise<string>;
1019
1124
  }
1020
1125
 
1021
1126
  /**
@@ -1209,6 +1314,14 @@ interface AuthenticationCredential {
1209
1314
  signature: ArrayBuffer;
1210
1315
  userHandle?: ArrayBuffer;
1211
1316
  };
1317
+ getClientExtensionResults(): {
1318
+ prf?: {
1319
+ results?: {
1320
+ first?: ArrayBuffer;
1321
+ second?: ArrayBuffer;
1322
+ };
1323
+ };
1324
+ };
1212
1325
  }
1213
1326
 
1214
1327
  /**
@@ -2067,6 +2180,105 @@ declare function inspect(options?: BrowserInspectOptions): Promise<BrowserInspec
2067
2180
  */
2068
2181
  declare function inspectNow(options?: BrowserInspectOptions): Promise<void>;
2069
2182
 
2183
+ interface MLKemKeypair {
2184
+ publicKey: Uint8Array;
2185
+ privateKey: Uint8Array;
2186
+ }
2187
+ interface EncryptedPayload {
2188
+ recipients: Array<{
2189
+ publicKey: string;
2190
+ ciphertext: string;
2191
+ }>;
2192
+ encryptedData: string;
2193
+ iv: string;
2194
+ authTag: string;
2195
+ }
2196
+ /**
2197
+ * Derive deterministic ML-KEM-1024 keypair from any private key material
2198
+ *
2199
+ * Uses HKDF-SHA256 to derive a 64-byte seed from the input key material,
2200
+ * then generates a reproducible ML-KEM-1024 keypair.
2201
+ *
2202
+ * @param privateKey - Private key material (hex string with optional 0x prefix, or Uint8Array)
2203
+ * @param context - Context string for domain separation (default: 'mlkem-v1')
2204
+ * @returns ML-KEM-1024 keypair (publicKey: 1568 bytes, privateKey: 3168 bytes)
2205
+ *
2206
+ * @example
2207
+ * ```typescript
2208
+ * // Derive from Ethereum private key
2209
+ * const ethPrivateKey = '0x1234...';
2210
+ * const keypair = await deriveMLKemKeypair(ethPrivateKey, 'my-app');
2211
+ *
2212
+ * // Derive from any 32-byte key
2213
+ * const randomKey = crypto.getRandomValues(new Uint8Array(32));
2214
+ * const keypair2 = await deriveMLKemKeypair(randomKey);
2215
+ * ```
2216
+ */
2217
+ declare function deriveMLKemKeypair(privateKey: string | Uint8Array, context?: string): Promise<MLKemKeypair>;
2218
+ /**
2219
+ * Encrypt data using ML-KEM-1024 + AES-256-GCM for multiple recipients
2220
+ *
2221
+ * @param plaintext - The data to encrypt
2222
+ * @param publicKeys - Array of ML-KEM-1024 public keys (base64 strings or Uint8Arrays, 1568 bytes each)
2223
+ * @returns Encrypted payload with per-recipient ciphertexts and shared encrypted data
2224
+ */
2225
+ declare function mlkemEncrypt(plaintext: string, publicKeys: (string | Uint8Array) | Array<string | Uint8Array>): Promise<EncryptedPayload>;
2226
+ /**
2227
+ * Decrypt data encrypted with mlkemEncrypt()
2228
+ *
2229
+ * @param payload - The encrypted payload
2230
+ * @param privateKey - ML-KEM-1024 private key (base64 string or Uint8Array, 3168 bytes)
2231
+ * @param publicKey - Optional: Your public key to find the correct recipient entry (base64 string or Uint8Array, 1568 bytes)
2232
+ * @returns Decrypted plaintext
2233
+ */
2234
+ declare function mlkemDecrypt(payload: EncryptedPayload, privateKey: string | Uint8Array, publicKey?: string | Uint8Array): Promise<string>;
2235
+ /**
2236
+ * Encrypt data with ML-KEM using derived keypairs from private keys
2237
+ *
2238
+ * This is a convenience function that derives ML-KEM keypairs from private key material,
2239
+ * then encrypts the data for all recipients. The sender's keypair is derived and used
2240
+ * as one of the recipients.
2241
+ *
2242
+ * @param plaintext - The data to encrypt
2243
+ * @param senderPrivateKey - Sender's private key (hex string or Uint8Array)
2244
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (from deriveMLKemKeypair)
2245
+ * @param senderContext - Context for sender's key derivation (default: 'mlkem-v1')
2246
+ * @returns Encrypted payload with sender + recipients
2247
+ *
2248
+ * @example
2249
+ * ```typescript
2250
+ * // Encrypt for yourself + server
2251
+ * const serverKeypair = await deriveMLKemKeypair(serverPrivateKey, 'server');
2252
+ * const encrypted = await mlkemEncryptWithKey(
2253
+ * 'secret data',
2254
+ * myEthPrivateKey,
2255
+ * [serverKeypair.publicKey]
2256
+ * );
2257
+ * ```
2258
+ */
2259
+ declare function mlkemEncryptWithKey(plaintext: string, senderPrivateKey: string | Uint8Array, recipientPublicKeys: Array<string | Uint8Array>, senderContext?: string): Promise<EncryptedPayload>;
2260
+ /**
2261
+ * Decrypt data with ML-KEM using a derived keypair from private key
2262
+ *
2263
+ * This is a convenience function that derives an ML-KEM keypair from private key material,
2264
+ * then decrypts the payload.
2265
+ *
2266
+ * @param payload - The encrypted payload
2267
+ * @param privateKey - Private key material (hex string or Uint8Array)
2268
+ * @param context - Context for key derivation (default: 'mlkem-v1')
2269
+ * @returns Decrypted plaintext
2270
+ *
2271
+ * @example
2272
+ * ```typescript
2273
+ * // Decrypt with your Ethereum private key
2274
+ * const plaintext = await mlkemDecryptWithKey(
2275
+ * encryptedPayload,
2276
+ * myEthPrivateKey
2277
+ * );
2278
+ * ```
2279
+ */
2280
+ declare function mlkemDecryptWithKey(payload: EncryptedPayload, privateKey: string | Uint8Array, context?: string): Promise<string>;
2281
+
2070
2282
  declare function createWeb3Passkey(config?: Web3PasskeyConfig): Web3Passkey;
2071
2283
 
2072
- export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type Guardian, type GuardianInvite, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
2284
+ export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type EncryptedPayload, type Guardian, type GuardianInvite, type MLKemKeypair, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveMLKemKeypair, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, mlkemDecrypt, mlkemDecryptWithKey, mlkemEncrypt, mlkemEncryptWithKey, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
package/dist/index.d.ts CHANGED
@@ -1016,6 +1016,111 @@ declare class Web3Passkey {
1016
1016
  * @param hours - Duration in hours
1017
1017
  */
1018
1018
  setSessionDuration(hours: number): void;
1019
+ /**
1020
+ * Derive ML-KEM-1024 public key from the current wallet
1021
+ *
1022
+ * Returns the public key that can be shared with others for encryption.
1023
+ * The keypair is derived deterministically from the wallet's private key.
1024
+ *
1025
+ * @param options - Optional configuration
1026
+ * @param options.context - Context string for domain separation (default: 'mlkem-v1')
1027
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1028
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1029
+ * @param options.origin - Origin for derivation (default: current origin)
1030
+ * @param options.requireAuth - Force WebAuthn re-authentication
1031
+ * @returns Base64-encoded ML-KEM public key (1568 bytes)
1032
+ *
1033
+ * @example
1034
+ * ```typescript
1035
+ * const w3pk = createWeb3Passkey();
1036
+ * await w3pk.login();
1037
+ *
1038
+ * const publicKey = await w3pk.deriveMLKemPublicKey();
1039
+ * // Share publicKey with others so they can encrypt data for you
1040
+ * ```
1041
+ */
1042
+ deriveMLKemPublicKey(options?: {
1043
+ context?: string;
1044
+ mode?: SecurityMode;
1045
+ tag?: string;
1046
+ origin?: string;
1047
+ requireAuth?: boolean;
1048
+ }): Promise<string>;
1049
+ /**
1050
+ * Encrypt data using ML-KEM-1024 for self + additional recipients
1051
+ *
1052
+ * Encrypts data such that you (the sender) and specified recipients can decrypt.
1053
+ * Your ML-KEM keypair is derived from your wallet, so you can always decrypt later.
1054
+ *
1055
+ * @param plaintext - The data to encrypt
1056
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (base64 strings or Uint8Arrays)
1057
+ * @param options - Optional configuration
1058
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1')
1059
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1060
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1061
+ * @param options.origin - Origin for derivation (default: current origin)
1062
+ * @param options.requireAuth - Force WebAuthn re-authentication
1063
+ * @returns Encrypted payload that can be decrypted by sender or recipients
1064
+ *
1065
+ * @example
1066
+ * ```typescript
1067
+ * const w3pk = createWeb3Passkey();
1068
+ * await w3pk.login();
1069
+ *
1070
+ * // Get server's public key
1071
+ * const serverPubKey = await fetch('/api/mlkem-public-key').then(r => r.text());
1072
+ *
1073
+ * // Encrypt for yourself + server
1074
+ * const encrypted = await w3pk.mlkemEncrypt(
1075
+ * 'my secret data',
1076
+ * [serverPubKey]
1077
+ * );
1078
+ *
1079
+ * // Later: decrypt with the same wallet
1080
+ * const decrypted = await w3pk.mlkemDecrypt(encrypted);
1081
+ * ```
1082
+ */
1083
+ mlkemEncrypt(plaintext: string, recipientPublicKeys: Array<string | Uint8Array>, options?: {
1084
+ context?: string;
1085
+ mode?: SecurityMode;
1086
+ tag?: string;
1087
+ origin?: string;
1088
+ requireAuth?: boolean;
1089
+ }): Promise<any>;
1090
+ /**
1091
+ * Decrypt ML-KEM encrypted data using current wallet
1092
+ *
1093
+ * Decrypts data that was encrypted for this wallet.
1094
+ * The ML-KEM keypair is derived from your wallet's private key.
1095
+ *
1096
+ * @param payload - The encrypted payload (from mlkemEncrypt)
1097
+ * @param options - Optional configuration
1098
+ * @param options.context - Context string for key derivation (default: 'mlkem-v1', must match encryption)
1099
+ * @param options.mode - Security mode (default: 'YOLO' to access private key)
1100
+ * @param options.tag - Tag for address derivation (default: 'MAIN')
1101
+ * @param options.origin - Origin for derivation (default: current origin)
1102
+ * @param options.requireAuth - Force WebAuthn re-authentication
1103
+ * @returns Decrypted plaintext
1104
+ *
1105
+ * @example
1106
+ * ```typescript
1107
+ * const w3pk = createWeb3Passkey();
1108
+ * await w3pk.login();
1109
+ *
1110
+ * // Retrieve encrypted data
1111
+ * const encrypted = await fetch('/api/my-data').then(r => r.json());
1112
+ *
1113
+ * // Decrypt locally (server never sees plaintext!)
1114
+ * const plaintext = await w3pk.mlkemDecrypt(encrypted);
1115
+ * ```
1116
+ */
1117
+ mlkemDecrypt(payload: any, options?: {
1118
+ context?: string;
1119
+ mode?: SecurityMode;
1120
+ tag?: string;
1121
+ origin?: string;
1122
+ requireAuth?: boolean;
1123
+ }): Promise<string>;
1019
1124
  }
1020
1125
 
1021
1126
  /**
@@ -1209,6 +1314,14 @@ interface AuthenticationCredential {
1209
1314
  signature: ArrayBuffer;
1210
1315
  userHandle?: ArrayBuffer;
1211
1316
  };
1317
+ getClientExtensionResults(): {
1318
+ prf?: {
1319
+ results?: {
1320
+ first?: ArrayBuffer;
1321
+ second?: ArrayBuffer;
1322
+ };
1323
+ };
1324
+ };
1212
1325
  }
1213
1326
 
1214
1327
  /**
@@ -2067,6 +2180,105 @@ declare function inspect(options?: BrowserInspectOptions): Promise<BrowserInspec
2067
2180
  */
2068
2181
  declare function inspectNow(options?: BrowserInspectOptions): Promise<void>;
2069
2182
 
2183
+ interface MLKemKeypair {
2184
+ publicKey: Uint8Array;
2185
+ privateKey: Uint8Array;
2186
+ }
2187
+ interface EncryptedPayload {
2188
+ recipients: Array<{
2189
+ publicKey: string;
2190
+ ciphertext: string;
2191
+ }>;
2192
+ encryptedData: string;
2193
+ iv: string;
2194
+ authTag: string;
2195
+ }
2196
+ /**
2197
+ * Derive deterministic ML-KEM-1024 keypair from any private key material
2198
+ *
2199
+ * Uses HKDF-SHA256 to derive a 64-byte seed from the input key material,
2200
+ * then generates a reproducible ML-KEM-1024 keypair.
2201
+ *
2202
+ * @param privateKey - Private key material (hex string with optional 0x prefix, or Uint8Array)
2203
+ * @param context - Context string for domain separation (default: 'mlkem-v1')
2204
+ * @returns ML-KEM-1024 keypair (publicKey: 1568 bytes, privateKey: 3168 bytes)
2205
+ *
2206
+ * @example
2207
+ * ```typescript
2208
+ * // Derive from Ethereum private key
2209
+ * const ethPrivateKey = '0x1234...';
2210
+ * const keypair = await deriveMLKemKeypair(ethPrivateKey, 'my-app');
2211
+ *
2212
+ * // Derive from any 32-byte key
2213
+ * const randomKey = crypto.getRandomValues(new Uint8Array(32));
2214
+ * const keypair2 = await deriveMLKemKeypair(randomKey);
2215
+ * ```
2216
+ */
2217
+ declare function deriveMLKemKeypair(privateKey: string | Uint8Array, context?: string): Promise<MLKemKeypair>;
2218
+ /**
2219
+ * Encrypt data using ML-KEM-1024 + AES-256-GCM for multiple recipients
2220
+ *
2221
+ * @param plaintext - The data to encrypt
2222
+ * @param publicKeys - Array of ML-KEM-1024 public keys (base64 strings or Uint8Arrays, 1568 bytes each)
2223
+ * @returns Encrypted payload with per-recipient ciphertexts and shared encrypted data
2224
+ */
2225
+ declare function mlkemEncrypt(plaintext: string, publicKeys: (string | Uint8Array) | Array<string | Uint8Array>): Promise<EncryptedPayload>;
2226
+ /**
2227
+ * Decrypt data encrypted with mlkemEncrypt()
2228
+ *
2229
+ * @param payload - The encrypted payload
2230
+ * @param privateKey - ML-KEM-1024 private key (base64 string or Uint8Array, 3168 bytes)
2231
+ * @param publicKey - Optional: Your public key to find the correct recipient entry (base64 string or Uint8Array, 1568 bytes)
2232
+ * @returns Decrypted plaintext
2233
+ */
2234
+ declare function mlkemDecrypt(payload: EncryptedPayload, privateKey: string | Uint8Array, publicKey?: string | Uint8Array): Promise<string>;
2235
+ /**
2236
+ * Encrypt data with ML-KEM using derived keypairs from private keys
2237
+ *
2238
+ * This is a convenience function that derives ML-KEM keypairs from private key material,
2239
+ * then encrypts the data for all recipients. The sender's keypair is derived and used
2240
+ * as one of the recipients.
2241
+ *
2242
+ * @param plaintext - The data to encrypt
2243
+ * @param senderPrivateKey - Sender's private key (hex string or Uint8Array)
2244
+ * @param recipientPublicKeys - Array of recipient ML-KEM public keys (from deriveMLKemKeypair)
2245
+ * @param senderContext - Context for sender's key derivation (default: 'mlkem-v1')
2246
+ * @returns Encrypted payload with sender + recipients
2247
+ *
2248
+ * @example
2249
+ * ```typescript
2250
+ * // Encrypt for yourself + server
2251
+ * const serverKeypair = await deriveMLKemKeypair(serverPrivateKey, 'server');
2252
+ * const encrypted = await mlkemEncryptWithKey(
2253
+ * 'secret data',
2254
+ * myEthPrivateKey,
2255
+ * [serverKeypair.publicKey]
2256
+ * );
2257
+ * ```
2258
+ */
2259
+ declare function mlkemEncryptWithKey(plaintext: string, senderPrivateKey: string | Uint8Array, recipientPublicKeys: Array<string | Uint8Array>, senderContext?: string): Promise<EncryptedPayload>;
2260
+ /**
2261
+ * Decrypt data with ML-KEM using a derived keypair from private key
2262
+ *
2263
+ * This is a convenience function that derives an ML-KEM keypair from private key material,
2264
+ * then decrypts the payload.
2265
+ *
2266
+ * @param payload - The encrypted payload
2267
+ * @param privateKey - Private key material (hex string or Uint8Array)
2268
+ * @param context - Context for key derivation (default: 'mlkem-v1')
2269
+ * @returns Decrypted plaintext
2270
+ *
2271
+ * @example
2272
+ * ```typescript
2273
+ * // Decrypt with your Ethereum private key
2274
+ * const plaintext = await mlkemDecryptWithKey(
2275
+ * encryptedPayload,
2276
+ * myEthPrivateKey
2277
+ * );
2278
+ * ```
2279
+ */
2280
+ declare function mlkemDecryptWithKey(payload: EncryptedPayload, privateKey: string | Uint8Array, context?: string): Promise<string>;
2281
+
2070
2282
  declare function createWeb3Passkey(config?: Web3PasskeyConfig): Web3Passkey;
2071
2283
 
2072
- export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type Guardian, type GuardianInvite, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };
2284
+ export { ApiError, AuthenticationError, type BackupStatus, type BrowserInspectOptions, type BrowserInspectResult, CryptoError, DEFAULT_MODE, DEFAULT_TAG, type DeviceInfo, type EIP1193Provider, type EIP7702Authorization, type EncryptedBackupInfo, type EncryptedPayload, type Guardian, type GuardianInvite, type MLKemKeypair, type PasskeySelectionResult, type QRBackupOptions, type RecoveryProgress, type RecoveryScenario, type RecoveryShare, RecoverySimulator, RegistrationError, type SecurityScore, type SignAuthorizationParams, type SimulationResult, type SiweMessage, type SocialRecoveryConfig, SocialRecoveryManager, type StealthAddressConfig, StealthAddressModule, type StealthAddressResult, type StealthKeys, StorageError, type SyncCapabilities, type SyncStatus, type SyncVault, type UserInfo, WalletError, type WalletInfo, Web3Passkey, type Web3PasskeyConfig, Web3PasskeyError, arrayBufferToBase64Url, assertEthereumAddress, assertMnemonic, assertUsername, authenticateWithPasskey, base64ToArrayBuffer, base64UrlDecode, base64UrlToArrayBuffer, canControlStealthAddress, checkStealthAddress, clearCache, computeStealthPrivateKey, createSiweMessage, createWalletFromMnemonic, createWeb3Passkey, createWeb3Passkey as default, deriveAddressFromP256PublicKey, deriveIndexFromOriginModeAndTag, deriveMLKemKeypair, deriveStealthKeys, deriveWalletFromMnemonic, detectWalletProvider, encodeEIP7702AuthorizationMessage, extractRS, generateBIP39Wallet, generateSiweNonce, generateStealthAddress, getAllChains, getAllTopics, getChainById, getCurrentBuildHash, getCurrentOrigin, getDefaultProvider, getEndpoints, getExplainer, getOriginSpecificAddress, getPackageVersion, getW3pkBuildHash, hashEIP7702AuthorizationMessage, inspect, inspectNow, isStrongPassword, mlkemDecrypt, mlkemDecryptWithKey, mlkemEncrypt, mlkemEncryptWithKey, normalizeOrigin, parseSiweMessage, promptPasskeySelection, requestExternalWalletAuthorization, safeAtob, safeBtoa, searchExplainers, supportsEIP7702Authorization, validateEthereumAddress, validateMnemonic, validateSiweMessage, validateUsername, verifyBuildHash, verifyEIP7702Authorization, verifySiweSignature };