@neuraiproject/neurai-message
Version:
Sign and Verify messages in Neurai
1,556 lines (1,538 loc) • 91.5 kB
JavaScript
var __create = Object.create;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __getProtoOf = Object.getPrototypeOf;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
var __commonJS = (cb, mod) => function __require() {
return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
};
var __export = (target, all) => {
for (var name in all)
__defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
if (from && typeof from === "object" || typeof from === "function") {
for (let key of __getOwnPropNames(from))
if (!__hasOwnProp.call(to, key) && key !== except)
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
}
return to;
};
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
// If the importer is in node compatibility mode or this is not an ESM
// file that has been converted to a CommonJS file using a Babel-
// compatible transform (i.e. "__esModule" has not been set), then set
// "default" to the CommonJS "module.exports" for node compatibility.
isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
mod
));
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
// node_modules/create-hash/index.js
var require_create_hash = __commonJS({
"node_modules/create-hash/index.js"(exports2, module2) {
module2.exports = require("crypto").createHash;
}
});
// node_modules/bech32/dist/index.js
var require_dist = __commonJS({
"node_modules/bech32/dist/index.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.bech32m = exports2.bech32 = void 0;
var ALPHABET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
var ALPHABET_MAP = {};
for (let z = 0; z < ALPHABET.length; z++) {
const x = ALPHABET.charAt(z);
ALPHABET_MAP[x] = z;
}
function polymodStep(pre) {
const b = pre >> 25;
return (pre & 33554431) << 5 ^ -(b >> 0 & 1) & 996825010 ^ -(b >> 1 & 1) & 642813549 ^ -(b >> 2 & 1) & 513874426 ^ -(b >> 3 & 1) & 1027748829 ^ -(b >> 4 & 1) & 705979059;
}
function prefixChk(prefix) {
let chk = 1;
for (let i = 0; i < prefix.length; ++i) {
const c = prefix.charCodeAt(i);
if (c < 33 || c > 126)
return "Invalid prefix (" + prefix + ")";
chk = polymodStep(chk) ^ c >> 5;
}
chk = polymodStep(chk);
for (let i = 0; i < prefix.length; ++i) {
const v = prefix.charCodeAt(i);
chk = polymodStep(chk) ^ v & 31;
}
return chk;
}
function convert(data, inBits, outBits, pad) {
let value = 0;
let bits = 0;
const maxV = (1 << outBits) - 1;
const result = [];
for (let i = 0; i < data.length; ++i) {
value = value << inBits | data[i];
bits += inBits;
while (bits >= outBits) {
bits -= outBits;
result.push(value >> bits & maxV);
}
}
if (pad) {
if (bits > 0) {
result.push(value << outBits - bits & maxV);
}
} else {
if (bits >= inBits)
return "Excess padding";
if (value << outBits - bits & maxV)
return "Non-zero padding";
}
return result;
}
function toWords(bytes) {
return convert(bytes, 8, 5, true);
}
function fromWordsUnsafe(words) {
const res = convert(words, 5, 8, false);
if (Array.isArray(res))
return res;
}
function fromWords(words) {
const res = convert(words, 5, 8, false);
if (Array.isArray(res))
return res;
throw new Error(res);
}
function getLibraryFromEncoding(encoding) {
let ENCODING_CONST;
if (encoding === "bech32") {
ENCODING_CONST = 1;
} else {
ENCODING_CONST = 734539939;
}
function encode(prefix, words, LIMIT) {
LIMIT = LIMIT || 90;
if (prefix.length + 7 + words.length > LIMIT)
throw new TypeError("Exceeds length limit");
prefix = prefix.toLowerCase();
let chk = prefixChk(prefix);
if (typeof chk === "string")
throw new Error(chk);
let result = prefix + "1";
for (let i = 0; i < words.length; ++i) {
const x = words[i];
if (x >> 5 !== 0)
throw new Error("Non 5-bit word");
chk = polymodStep(chk) ^ x;
result += ALPHABET.charAt(x);
}
for (let i = 0; i < 6; ++i) {
chk = polymodStep(chk);
}
chk ^= ENCODING_CONST;
for (let i = 0; i < 6; ++i) {
const v = chk >> (5 - i) * 5 & 31;
result += ALPHABET.charAt(v);
}
return result;
}
function __decode(str, LIMIT) {
LIMIT = LIMIT || 90;
if (str.length < 8)
return str + " too short";
if (str.length > LIMIT)
return "Exceeds length limit";
const lowered = str.toLowerCase();
const uppered = str.toUpperCase();
if (str !== lowered && str !== uppered)
return "Mixed-case string " + str;
str = lowered;
const split2 = str.lastIndexOf("1");
if (split2 === -1)
return "No separator character for " + str;
if (split2 === 0)
return "Missing prefix for " + str;
const prefix = str.slice(0, split2);
const wordChars = str.slice(split2 + 1);
if (wordChars.length < 6)
return "Data too short";
let chk = prefixChk(prefix);
if (typeof chk === "string")
return chk;
const words = [];
for (let i = 0; i < wordChars.length; ++i) {
const c = wordChars.charAt(i);
const v = ALPHABET_MAP[c];
if (v === void 0)
return "Unknown character " + c;
chk = polymodStep(chk) ^ v;
if (i + 6 >= wordChars.length)
continue;
words.push(v);
}
if (chk !== ENCODING_CONST)
return "Invalid checksum for " + str;
return { prefix, words };
}
function decodeUnsafe(str, LIMIT) {
const res = __decode(str, LIMIT);
if (typeof res === "object")
return res;
}
function decode(str, LIMIT) {
const res = __decode(str, LIMIT);
if (typeof res === "object")
return res;
throw new Error(res);
}
return {
decodeUnsafe,
decode,
encode,
toWords,
fromWordsUnsafe,
fromWords
};
}
exports2.bech32 = getLibraryFromEncoding("bech32");
exports2.bech32m = getLibraryFromEncoding("bech32m");
}
});
// node_modules/safe-buffer/index.js
var require_safe_buffer = __commonJS({
"node_modules/safe-buffer/index.js"(exports2, module2) {
var buffer = require("buffer");
var Buffer4 = buffer.Buffer;
function copyProps(src, dst) {
for (var key in src) {
dst[key] = src[key];
}
}
if (Buffer4.from && Buffer4.alloc && Buffer4.allocUnsafe && Buffer4.allocUnsafeSlow) {
module2.exports = buffer;
} else {
copyProps(buffer, exports2);
exports2.Buffer = SafeBuffer;
}
function SafeBuffer(arg, encodingOrOffset, length) {
return Buffer4(arg, encodingOrOffset, length);
}
SafeBuffer.prototype = Object.create(Buffer4.prototype);
copyProps(Buffer4, SafeBuffer);
SafeBuffer.from = function(arg, encodingOrOffset, length) {
if (typeof arg === "number") {
throw new TypeError("Argument must not be a number");
}
return Buffer4(arg, encodingOrOffset, length);
};
SafeBuffer.alloc = function(size, fill, encoding) {
if (typeof size !== "number") {
throw new TypeError("Argument must be a number");
}
var buf = Buffer4(size);
if (fill !== void 0) {
if (typeof encoding === "string") {
buf.fill(fill, encoding);
} else {
buf.fill(fill);
}
} else {
buf.fill(0);
}
return buf;
};
SafeBuffer.allocUnsafe = function(size) {
if (typeof size !== "number") {
throw new TypeError("Argument must be a number");
}
return Buffer4(size);
};
SafeBuffer.allocUnsafeSlow = function(size) {
if (typeof size !== "number") {
throw new TypeError("Argument must be a number");
}
return buffer.SlowBuffer(size);
};
}
});
// node_modules/base-x/src/index.js
var require_src = __commonJS({
"node_modules/base-x/src/index.js"(exports2, module2) {
"use strict";
var _Buffer = require_safe_buffer().Buffer;
function base(ALPHABET) {
if (ALPHABET.length >= 255) {
throw new TypeError("Alphabet too long");
}
var BASE_MAP = new Uint8Array(256);
for (var j = 0; j < BASE_MAP.length; j++) {
BASE_MAP[j] = 255;
}
for (var i = 0; i < ALPHABET.length; i++) {
var x = ALPHABET.charAt(i);
var xc = x.charCodeAt(0);
if (BASE_MAP[xc] !== 255) {
throw new TypeError(x + " is ambiguous");
}
BASE_MAP[xc] = i;
}
var BASE = ALPHABET.length;
var LEADER = ALPHABET.charAt(0);
var FACTOR = Math.log(BASE) / Math.log(256);
var iFACTOR = Math.log(256) / Math.log(BASE);
function encode(source) {
if (Array.isArray(source) || source instanceof Uint8Array) {
source = _Buffer.from(source);
}
if (!_Buffer.isBuffer(source)) {
throw new TypeError("Expected Buffer");
}
if (source.length === 0) {
return "";
}
var zeroes = 0;
var length = 0;
var pbegin = 0;
var pend = source.length;
while (pbegin !== pend && source[pbegin] === 0) {
pbegin++;
zeroes++;
}
var size = (pend - pbegin) * iFACTOR + 1 >>> 0;
var b58 = new Uint8Array(size);
while (pbegin !== pend) {
var carry = source[pbegin];
var i2 = 0;
for (var it1 = size - 1; (carry !== 0 || i2 < length) && it1 !== -1; it1--, i2++) {
carry += 256 * b58[it1] >>> 0;
b58[it1] = carry % BASE >>> 0;
carry = carry / BASE >>> 0;
}
if (carry !== 0) {
throw new Error("Non-zero carry");
}
length = i2;
pbegin++;
}
var it2 = size - length;
while (it2 !== size && b58[it2] === 0) {
it2++;
}
var str = LEADER.repeat(zeroes);
for (; it2 < size; ++it2) {
str += ALPHABET.charAt(b58[it2]);
}
return str;
}
function decodeUnsafe(source) {
if (typeof source !== "string") {
throw new TypeError("Expected String");
}
if (source.length === 0) {
return _Buffer.alloc(0);
}
var psz = 0;
var zeroes = 0;
var length = 0;
while (source[psz] === LEADER) {
zeroes++;
psz++;
}
var size = (source.length - psz) * FACTOR + 1 >>> 0;
var b256 = new Uint8Array(size);
while (psz < source.length) {
var charCode = source.charCodeAt(psz);
if (charCode > 255) {
return;
}
var carry = BASE_MAP[charCode];
if (carry === 255) {
return;
}
var i2 = 0;
for (var it3 = size - 1; (carry !== 0 || i2 < length) && it3 !== -1; it3--, i2++) {
carry += BASE * b256[it3] >>> 0;
b256[it3] = carry % 256 >>> 0;
carry = carry / 256 >>> 0;
}
if (carry !== 0) {
throw new Error("Non-zero carry");
}
length = i2;
psz++;
}
var it4 = size - length;
while (it4 !== size && b256[it4] === 0) {
it4++;
}
var vch = _Buffer.allocUnsafe(zeroes + (size - it4));
vch.fill(0, 0, zeroes);
var j2 = zeroes;
while (it4 !== size) {
vch[j2++] = b256[it4++];
}
return vch;
}
function decode(string) {
var buffer = decodeUnsafe(string);
if (buffer) {
return buffer;
}
throw new Error("Non-base" + BASE + " character");
}
return {
encode,
decodeUnsafe,
decode
};
}
module2.exports = base;
}
});
// node_modules/bs58/index.js
var require_bs58 = __commonJS({
"node_modules/bs58/index.js"(exports2, module2) {
var basex = require_src();
var ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
module2.exports = basex(ALPHABET);
}
});
// node_modules/bs58check/base.js
var require_base = __commonJS({
"node_modules/bs58check/base.js"(exports2, module2) {
"use strict";
var base58 = require_bs58();
var Buffer4 = require_safe_buffer().Buffer;
module2.exports = function(checksumFn) {
function encode(payload) {
var checksum = checksumFn(payload);
return base58.encode(Buffer4.concat([
payload,
checksum
], payload.length + 4));
}
function decodeRaw(buffer) {
var payload = buffer.slice(0, -4);
var checksum = buffer.slice(-4);
var newChecksum = checksumFn(payload);
if (checksum[0] ^ newChecksum[0] | checksum[1] ^ newChecksum[1] | checksum[2] ^ newChecksum[2] | checksum[3] ^ newChecksum[3]) return;
return payload;
}
function decodeUnsafe(string) {
var buffer = base58.decodeUnsafe(string);
if (!buffer) return;
return decodeRaw(buffer);
}
function decode(string) {
var buffer = base58.decode(string);
var payload = decodeRaw(buffer, checksumFn);
if (!payload) throw new Error("Invalid checksum");
return payload;
}
return {
encode,
decode,
decodeUnsafe
};
};
}
});
// node_modules/bs58check/index.js
var require_bs58check = __commonJS({
"node_modules/bs58check/index.js"(exports2, module2) {
"use strict";
var createHash3 = require_create_hash();
var bs58checkBase = require_base();
function sha256x2(buffer) {
var tmp = createHash3("sha256").update(buffer).digest();
return createHash3("sha256").update(tmp).digest();
}
module2.exports = bs58checkBase(sha256x2);
}
});
// node_modules/varuint-bitcoin/index.js
var require_varuint_bitcoin = __commonJS({
"node_modules/varuint-bitcoin/index.js"(exports2, module2) {
"use strict";
var Buffer4 = require_safe_buffer().Buffer;
var MAX_SAFE_INTEGER = 9007199254740991;
function checkUInt53(n) {
if (n < 0 || n > MAX_SAFE_INTEGER || n % 1 !== 0) throw new RangeError("value out of range");
}
function encode(number, buffer, offset) {
checkUInt53(number);
if (!buffer) buffer = Buffer4.allocUnsafe(encodingLength(number));
if (!Buffer4.isBuffer(buffer)) throw new TypeError("buffer must be a Buffer instance");
if (!offset) offset = 0;
if (number < 253) {
buffer.writeUInt8(number, offset);
encode.bytes = 1;
} else if (number <= 65535) {
buffer.writeUInt8(253, offset);
buffer.writeUInt16LE(number, offset + 1);
encode.bytes = 3;
} else if (number <= 4294967295) {
buffer.writeUInt8(254, offset);
buffer.writeUInt32LE(number, offset + 1);
encode.bytes = 5;
} else {
buffer.writeUInt8(255, offset);
buffer.writeUInt32LE(number >>> 0, offset + 1);
buffer.writeUInt32LE(number / 4294967296 | 0, offset + 5);
encode.bytes = 9;
}
return buffer;
}
function decode(buffer, offset) {
if (!Buffer4.isBuffer(buffer)) throw new TypeError("buffer must be a Buffer instance");
if (!offset) offset = 0;
var first = buffer.readUInt8(offset);
if (first < 253) {
decode.bytes = 1;
return first;
} else if (first === 253) {
decode.bytes = 3;
return buffer.readUInt16LE(offset + 1);
} else if (first === 254) {
decode.bytes = 5;
return buffer.readUInt32LE(offset + 1);
} else {
decode.bytes = 9;
var lo = buffer.readUInt32LE(offset + 1);
var hi = buffer.readUInt32LE(offset + 5);
var number = hi * 4294967296 + lo;
checkUInt53(number);
return number;
}
}
function encodingLength(number) {
checkUInt53(number);
return number < 253 ? 1 : number <= 65535 ? 3 : number <= 4294967295 ? 5 : 9;
}
module2.exports = { encode, decode, encodingLength };
}
});
// src/index.ts
var index_exports = {};
__export(index_exports, {
sign: () => sign2,
signPQMessage: () => signPQMessage,
verifyLegacyMessage: () => verifyLegacyMessage,
verifyMessage: () => verifyMessage,
verifyPQMessage: () => verifyPQMessage
});
module.exports = __toCommonJS(index_exports);
// src/core.ts
var import_buffer2 = require("buffer");
var import_create_hash2 = __toESM(require_create_hash());
var import_bech322 = __toESM(require_dist());
// node_modules/@noble/hashes/utils.js
function isBytes(a) {
return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
}
function anumber(n, title = "") {
if (!Number.isSafeInteger(n) || n < 0) {
const prefix = title && `"${title}" `;
throw new Error(`${prefix}expected integer >= 0, got ${n}`);
}
}
function abytes(value, length, title = "") {
const bytes = isBytes(value);
const len = value?.length;
const needsLen = length !== void 0;
if (!bytes || needsLen && len !== length) {
const prefix = title && `"${title}" `;
const ofLen = needsLen ? ` of length ${length}` : "";
const got = bytes ? `length=${len}` : `type=${typeof value}`;
throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
}
return value;
}
function ahash(h) {
if (typeof h !== "function" || typeof h.create !== "function")
throw new Error("Hash must wrapped by utils.createHasher");
anumber(h.outputLen);
anumber(h.blockLen);
}
function aexists(instance, checkFinished = true) {
if (instance.destroyed)
throw new Error("Hash instance has been destroyed");
if (checkFinished && instance.finished)
throw new Error("Hash#digest() has already been called");
}
function aoutput(out, instance) {
abytes(out, void 0, "digestInto() output");
const min = instance.outputLen;
if (out.length < min) {
throw new Error('"digestInto() output" expected to be of length >=' + min);
}
}
function u32(arr) {
return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
}
function clean(...arrays) {
for (let i = 0; i < arrays.length; i++) {
arrays[i].fill(0);
}
}
function createView(arr) {
return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
}
function rotr(word, shift) {
return word << 32 - shift | word >>> shift;
}
var isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
function byteSwap(word) {
return word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
}
function byteSwap32(arr) {
for (let i = 0; i < arr.length; i++) {
arr[i] = byteSwap(arr[i]);
}
return arr;
}
var swap32IfBE = isLE ? (u) => u : byteSwap32;
function concatBytes(...arrays) {
let sum = 0;
for (let i = 0; i < arrays.length; i++) {
const a = arrays[i];
abytes(a);
sum += a.length;
}
const res = new Uint8Array(sum);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const a = arrays[i];
res.set(a, pad);
pad += a.length;
}
return res;
}
function createHasher(hashCons, info = {}) {
const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
const tmp = hashCons(void 0);
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (opts) => hashCons(opts);
Object.assign(hashC, info);
return Object.freeze(hashC);
}
function randomBytes(bytesLength = 32) {
const cr2 = typeof globalThis === "object" ? globalThis.crypto : null;
if (typeof cr2?.getRandomValues !== "function")
throw new Error("crypto.getRandomValues must be defined");
return cr2.getRandomValues(new Uint8Array(bytesLength));
}
var oidNist = (suffix) => ({
oid: Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2, suffix])
});
// node_modules/@noble/curves/utils.js
function abool(value, title = "") {
if (typeof value !== "boolean") {
const prefix = title && `"${title}" `;
throw new Error(prefix + "expected boolean, got type=" + typeof value);
}
return value;
}
// node_modules/@noble/hashes/_u64.js
var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
var _32n = /* @__PURE__ */ BigInt(32);
function fromBig(n, le = false) {
if (le)
return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
}
function split(lst, le = false) {
const len = lst.length;
let Ah = new Uint32Array(len);
let Al = new Uint32Array(len);
for (let i = 0; i < len; i++) {
const { h, l } = fromBig(lst[i], le);
[Ah[i], Al[i]] = [h, l];
}
return [Ah, Al];
}
var rotlSH = (h, l, s) => h << s | l >>> 32 - s;
var rotlSL = (h, l, s) => l << s | h >>> 32 - s;
var rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s;
var rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s;
// node_modules/@noble/hashes/sha3.js
var _0n = BigInt(0);
var _1n = BigInt(1);
var _2n = BigInt(2);
var _7n = BigInt(7);
var _256n = BigInt(256);
var _0x71n = BigInt(113);
var SHA3_PI = [];
var SHA3_ROTL = [];
var _SHA3_IOTA = [];
for (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {
[x, y] = [y, (2 * x + 3 * y) % 5];
SHA3_PI.push(2 * (5 * y + x));
SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64);
let t = _0n;
for (let j = 0; j < 7; j++) {
R = (R << _1n ^ (R >> _7n) * _0x71n) % _256n;
if (R & _2n)
t ^= _1n << (_1n << BigInt(j)) - _1n;
}
_SHA3_IOTA.push(t);
}
var IOTAS = split(_SHA3_IOTA, true);
var SHA3_IOTA_H = IOTAS[0];
var SHA3_IOTA_L = IOTAS[1];
var rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
var rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
function keccakP(s, rounds = 24) {
const B = new Uint32Array(5 * 2);
for (let round = 24 - rounds; round < 24; round++) {
for (let x = 0; x < 10; x++)
B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
for (let x = 0; x < 10; x += 2) {
const idx1 = (x + 8) % 10;
const idx0 = (x + 2) % 10;
const B0 = B[idx0];
const B1 = B[idx0 + 1];
const Th = rotlH(B0, B1, 1) ^ B[idx1];
const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
for (let y = 0; y < 50; y += 10) {
s[x + y] ^= Th;
s[x + y + 1] ^= Tl;
}
}
let curH = s[2];
let curL = s[3];
for (let t = 0; t < 24; t++) {
const shift = SHA3_ROTL[t];
const Th = rotlH(curH, curL, shift);
const Tl = rotlL(curH, curL, shift);
const PI = SHA3_PI[t];
curH = s[PI];
curL = s[PI + 1];
s[PI] = Th;
s[PI + 1] = Tl;
}
for (let y = 0; y < 50; y += 10) {
for (let x = 0; x < 10; x++)
B[x] = s[y + x];
for (let x = 0; x < 10; x++)
s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
}
s[0] ^= SHA3_IOTA_H[round];
s[1] ^= SHA3_IOTA_L[round];
}
clean(B);
}
var Keccak = class _Keccak {
// NOTE: we accept arguments in bytes instead of bits here.
constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
__publicField(this, "state");
__publicField(this, "pos", 0);
__publicField(this, "posOut", 0);
__publicField(this, "finished", false);
__publicField(this, "state32");
__publicField(this, "destroyed", false);
__publicField(this, "blockLen");
__publicField(this, "suffix");
__publicField(this, "outputLen");
__publicField(this, "enableXOF", false);
__publicField(this, "rounds");
this.blockLen = blockLen;
this.suffix = suffix;
this.outputLen = outputLen;
this.enableXOF = enableXOF;
this.rounds = rounds;
anumber(outputLen, "outputLen");
if (!(0 < blockLen && blockLen < 200))
throw new Error("only keccak-f1600 function is supported");
this.state = new Uint8Array(200);
this.state32 = u32(this.state);
}
clone() {
return this._cloneInto();
}
keccak() {
swap32IfBE(this.state32);
keccakP(this.state32, this.rounds);
swap32IfBE(this.state32);
this.posOut = 0;
this.pos = 0;
}
update(data) {
aexists(this);
abytes(data);
const { blockLen, state } = this;
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
for (let i = 0; i < take; i++)
state[this.pos++] ^= data[pos++];
if (this.pos === blockLen)
this.keccak();
}
return this;
}
finish() {
if (this.finished)
return;
this.finished = true;
const { state, suffix, pos, blockLen } = this;
state[pos] ^= suffix;
if ((suffix & 128) !== 0 && pos === blockLen - 1)
this.keccak();
state[blockLen - 1] ^= 128;
this.keccak();
}
writeInto(out) {
aexists(this, false);
abytes(out);
this.finish();
const bufferOut = this.state;
const { blockLen } = this;
for (let pos = 0, len = out.length; pos < len; ) {
if (this.posOut >= blockLen)
this.keccak();
const take = Math.min(blockLen - this.posOut, len - pos);
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
this.posOut += take;
pos += take;
}
return out;
}
xofInto(out) {
if (!this.enableXOF)
throw new Error("XOF is not possible for this instance");
return this.writeInto(out);
}
xof(bytes) {
anumber(bytes);
return this.xofInto(new Uint8Array(bytes));
}
digestInto(out) {
aoutput(out, this);
if (this.finished)
throw new Error("digest() was already called");
this.writeInto(out);
this.destroy();
return out;
}
digest() {
return this.digestInto(new Uint8Array(this.outputLen));
}
destroy() {
this.destroyed = true;
clean(this.state);
}
_cloneInto(to) {
const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
to.state32.set(this.state32);
to.pos = this.pos;
to.posOut = this.posOut;
to.finished = this.finished;
to.rounds = rounds;
to.suffix = suffix;
to.outputLen = outputLen;
to.enableXOF = enableXOF;
to.destroyed = this.destroyed;
return to;
}
};
var genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true), info);
var shake128 = /* @__PURE__ */ genShake(31, 168, 16, /* @__PURE__ */ oidNist(11));
var shake256 = /* @__PURE__ */ genShake(31, 136, 32, /* @__PURE__ */ oidNist(12));
// node_modules/@noble/curves/abstract/fft.js
function checkU32(n) {
if (!Number.isSafeInteger(n) || n < 0 || n > 4294967295)
throw new Error("wrong u32 integer:" + n);
return n;
}
function isPowerOfTwo(x) {
checkU32(x);
return (x & x - 1) === 0 && x !== 0;
}
function reverseBits(n, bits) {
checkU32(n);
let reversed = 0;
for (let i = 0; i < bits; i++, n >>>= 1)
reversed = reversed << 1 | n & 1;
return reversed;
}
function log2(n) {
checkU32(n);
return 31 - Math.clz32(n);
}
function bitReversalInplace(values) {
const n = values.length;
if (n < 2 || !isPowerOfTwo(n))
throw new Error("n must be a power of 2 and greater than 1. Got " + n);
const bits = log2(n);
for (let i = 0; i < n; i++) {
const j = reverseBits(i, bits);
if (i < j) {
const tmp = values[i];
values[i] = values[j];
values[j] = tmp;
}
}
return values;
}
var FFTCore = (F2, coreOpts) => {
const { N: N3, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
const bits = log2(N3);
if (!isPowerOfTwo(N3))
throw new Error("FFT: Polynomial size should be power of two");
const isDit = dit !== invertButterflies;
isDit;
return (values) => {
if (values.length !== N3)
throw new Error("FFT: wrong Polynomial length");
if (dit && brp)
bitReversalInplace(values);
for (let i = 0, g = 1; i < bits - skipStages; i++) {
const s = dit ? i + 1 + skipStages : bits - i;
const m = 1 << s;
const m2 = m >> 1;
const stride = N3 >> s;
for (let k = 0; k < N3; k += m) {
for (let j = 0, grp = g++; j < m2; j++) {
const rootPos = invertButterflies ? dit ? N3 - grp : grp : j * stride;
const i0 = k + j;
const i1 = k + j + m2;
const omega = roots[rootPos];
const b = values[i1];
const a = values[i0];
if (isDit) {
const t = F2.mul(b, omega);
values[i0] = F2.add(a, t);
values[i1] = F2.sub(a, t);
} else if (invertButterflies) {
values[i0] = F2.add(b, a);
values[i1] = F2.mul(F2.sub(b, a), omega);
} else {
values[i0] = F2.add(a, b);
values[i1] = F2.mul(F2.sub(a, b), omega);
}
}
}
}
if (!dit && brp)
bitReversalInplace(values);
return values;
};
};
// node_modules/@noble/post-quantum/utils.js
var abytesDoc = abytes;
var randomBytes2 = randomBytes;
function equalBytes(a, b) {
if (a.length !== b.length)
return false;
let diff = 0;
for (let i = 0; i < a.length; i++)
diff |= a[i] ^ b[i];
return diff === 0;
}
function validateOpts(opts) {
if (Object.prototype.toString.call(opts) !== "[object Object]")
throw new TypeError("expected valid options object");
}
function validateVerOpts(opts) {
validateOpts(opts);
if (opts.context !== void 0)
abytes(opts.context, void 0, "opts.context");
}
function validateSigOpts(opts) {
validateVerOpts(opts);
if (opts.extraEntropy !== false && opts.extraEntropy !== void 0)
abytes(opts.extraEntropy, void 0, "opts.extraEntropy");
}
function splitCoder(label, ...lengths2) {
const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
const bytesLen = lengths2.reduce((sum, a) => sum + getLength(a), 0);
return {
bytesLen,
encode: (bufs) => {
const res = new Uint8Array(bytesLen);
for (let i = 0, pos = 0; i < lengths2.length; i++) {
const c = lengths2[i];
const l = getLength(c);
const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
abytes(b, l, label);
res.set(b, pos);
if (typeof c !== "number")
b.fill(0);
pos += l;
}
return res;
},
decode: (buf) => {
abytes(buf, bytesLen, label);
const res = [];
for (const c of lengths2) {
const l = getLength(c);
const b = buf.subarray(0, l);
res.push(typeof c === "number" ? b : c.decode(b));
buf = buf.subarray(l);
}
return res;
}
};
}
function vecCoder(c, vecLen) {
const bytesLen = vecLen * c.bytesLen;
return {
bytesLen,
encode: (u) => {
if (u.length !== vecLen)
throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
const res = new Uint8Array(bytesLen);
for (let i = 0, pos = 0; i < u.length; i++) {
const b = c.encode(u[i]);
res.set(b, pos);
b.fill(0);
pos += b.length;
}
return res;
},
decode: (a) => {
abytes(a, bytesLen);
const r = [];
for (let i = 0; i < a.length; i += c.bytesLen)
r.push(c.decode(a.subarray(i, i + c.bytesLen)));
return r;
}
};
}
function cleanBytes(...list) {
for (const t of list) {
if (Array.isArray(t))
for (const b of t)
b.fill(0);
else
t.fill(0);
}
}
function getMask(bits) {
if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
throw new RangeError(`expected bits in [0..32], got ${bits}`);
return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
}
var EMPTY = /* @__PURE__ */ Uint8Array.of();
function getMessage(msg, ctx = EMPTY) {
abytes(msg);
abytes(ctx);
if (ctx.length > 255)
throw new RangeError("context should be 255 bytes or less");
return concatBytes(new Uint8Array([0, ctx.length]), ctx, msg);
}
var oidNistP = /* @__PURE__ */ Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2]);
function checkHash(hash, requiredStrength = 0) {
if (!hash.oid || !equalBytes(hash.oid.subarray(0, 10), oidNistP))
throw new Error("hash.oid is invalid: expected NIST hash");
const collisionResistance = hash.outputLen * 8 / 2;
if (requiredStrength > collisionResistance) {
throw new Error("Pre-hash security strength too low: " + collisionResistance + ", required: " + requiredStrength);
}
}
function getMessagePrehash(hash, msg, ctx = EMPTY) {
abytes(msg);
abytes(ctx);
if (ctx.length > 255)
throw new RangeError("context should be 255 bytes or less");
const hashed = hash(msg);
return concatBytes(new Uint8Array([1, ctx.length]), ctx, hash.oid, hashed);
}
// node_modules/@noble/post-quantum/_crystals.js
var genCrystals = (opts) => {
const { newPoly: newPoly2, N: N3, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits, isKyber } = opts;
const mod = (a, modulo = Q2) => {
const result = a % modulo | 0;
return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
};
const smod = (a, modulo = Q2) => {
const r = mod(a, modulo) | 0;
return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
};
function getZettas() {
const out = newPoly2(N3);
for (let i = 0; i < N3; i++) {
const b = reverseBits(i, brvBits);
const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
out[i] = Number(p) | 0;
}
return out;
}
const nttZetas = getZettas();
const field = {
add: (a, b) => mod((a | 0) + (b | 0)) | 0,
sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
inv: (_a) => {
throw new Error("not implemented");
}
};
const nttOpts = {
N: N3,
roots: nttZetas,
invertButterflies: true,
skipStages: isKyber ? 1 : 0,
brp: false
};
const dif = FFTCore(field, { dit: false, ...nttOpts });
const dit = FFTCore(field, { dit: true, ...nttOpts });
const NTT = {
encode: (r) => {
return dif(r);
},
decode: (r) => {
dit(r);
for (let i = 0; i < r.length; i++)
r[i] = mod(F2 * r[i]);
return r;
}
};
const bitsCoder = (d, c) => {
const mask = getMask(d);
const bytesLen = d * (N3 / 8);
return {
bytesLen,
encode: (poly) => {
const r = new Uint8Array(bytesLen);
for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
buf |= (c.encode(poly[i]) & mask) << bufLen;
bufLen += d;
for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
r[pos++] = buf & getMask(bufLen);
}
return r;
},
decode: (bytes) => {
const r = newPoly2(N3);
for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
buf |= bytes[i] << bufLen;
bufLen += 8;
for (; bufLen >= d; bufLen -= d, buf >>= d)
r[pos++] = c.decode(buf & mask);
}
return r;
}
};
};
return { mod, smod, nttZetas, NTT, bitsCoder };
};
var createXofShake = (shake) => (seed, blockLen) => {
if (!blockLen)
blockLen = shake.blockLen;
const _seed = new Uint8Array(seed.length + 2);
_seed.set(seed);
const seedLen = seed.length;
const buf = new Uint8Array(blockLen);
let h = shake.create({});
let calls = 0;
let xofs = 0;
return {
stats: () => ({ calls, xofs }),
get: (x, y) => {
_seed[seedLen + 0] = x;
_seed[seedLen + 1] = y;
h.destroy();
h = shake.create({}).update(_seed);
calls++;
return () => {
xofs++;
return h.xofInto(buf);
};
},
clean: () => {
h.destroy();
cleanBytes(buf, _seed);
}
};
};
var XOF128 = /* @__PURE__ */ createXofShake(shake128);
var XOF256 = /* @__PURE__ */ createXofShake(shake256);
// node_modules/@noble/post-quantum/ml-dsa.js
function validateInternalOpts(opts) {
validateOpts(opts);
if (opts.externalMu !== void 0)
abool(opts.externalMu, "opts.externalMu");
}
var N = 256;
var Q = 8380417;
var ROOT_OF_UNITY = 1753;
var F = 8347681;
var D = 13;
var GAMMA2_1 = Math.floor((Q - 1) / 88) | 0;
var GAMMA2_2 = Math.floor((Q - 1) / 32) | 0;
var PARAMS = /* @__PURE__ */ (() => ({
2: { K: 4, L: 4, D, GAMMA1: 2 ** 17, GAMMA2: GAMMA2_1, TAU: 39, ETA: 2, OMEGA: 80 },
3: { K: 6, L: 5, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 49, ETA: 4, OMEGA: 55 },
5: { K: 8, L: 7, D, GAMMA1: 2 ** 19, GAMMA2: GAMMA2_2, TAU: 60, ETA: 2, OMEGA: 75 }
}))();
var newPoly = (n) => new Int32Array(n);
var crystals = /* @__PURE__ */ genCrystals({
N,
Q,
F,
ROOT_OF_UNITY,
newPoly,
isKyber: false,
brvBits: 8
});
var id = (n) => n;
var polyCoder = (d, compress = id, verify = id) => crystals.bitsCoder(d, {
encode: (i) => compress(verify(i)),
decode: (i) => verify(compress(i))
});
var polyAdd = (a, b) => {
for (let i = 0; i < a.length; i++)
a[i] = crystals.mod(a[i] + b[i]);
return a;
};
var polySub = (a, b) => {
for (let i = 0; i < a.length; i++)
a[i] = crystals.mod(a[i] - b[i]);
return a;
};
var polyShiftl = (p) => {
for (let i = 0; i < N; i++)
p[i] <<= D;
return p;
};
var polyChknorm = (p, B) => {
for (let i = 0; i < N; i++)
if (Math.abs(crystals.smod(p[i])) >= B)
return true;
return false;
};
var MultiplyNTTs = (a, b) => {
const c = newPoly(N);
for (let i = 0; i < a.length; i++)
c[i] = crystals.mod(a[i] * b[i]);
return c;
};
function RejNTTPoly(xof) {
const r = newPoly(N);
for (let j = 0; j < N; ) {
const b = xof();
if (b.length % 3)
throw new Error("RejNTTPoly: unaligned block");
for (let i = 0; j < N && i <= b.length - 3; i += 3) {
const t = (b[i + 0] | b[i + 1] << 8 | b[i + 2] << 16) & 8388607;
if (t < Q)
r[j++] = t;
}
}
return r;
}
function getDilithium(opts) {
const { K, L: L3, GAMMA1, GAMMA2, TAU, ETA, OMEGA } = opts;
const { CRH_BYTES, TR_BYTES, C_TILDE_BYTES, XOF128: XOF1282, XOF256: XOF2562, securityLevel } = opts;
if (![2, 4].includes(ETA))
throw new Error("Wrong ETA");
if (![1 << 17, 1 << 19].includes(GAMMA1))
throw new Error("Wrong GAMMA1");
if (![GAMMA2_1, GAMMA2_2].includes(GAMMA2))
throw new Error("Wrong GAMMA2");
const BETA = TAU * ETA;
const decompose = (r) => {
const rPlus = crystals.mod(r);
const r0 = crystals.smod(rPlus, 2 * GAMMA2) | 0;
if (rPlus - r0 === Q - 1)
return { r1: 0 | 0, r0: r0 - 1 | 0 };
const r1 = Math.floor((rPlus - r0) / (2 * GAMMA2)) | 0;
return { r1, r0 };
};
const HighBits = (r) => decompose(r).r1;
const LowBits = (r) => decompose(r).r0;
const MakeHint = (z, r) => {
const res0 = z <= GAMMA2 || z > Q - GAMMA2 || z === Q - GAMMA2 && r === 0 ? 0 : 1;
return res0;
};
const UseHint = (h, r) => {
const m = Math.floor((Q - 1) / (2 * GAMMA2));
const { r1, r0 } = decompose(r);
if (h === 1)
return r0 > 0 ? crystals.mod(r1 + 1, m) | 0 : crystals.mod(r1 - 1, m) | 0;
return r1 | 0;
};
const Power2Round = (r) => {
const rPlus = crystals.mod(r);
const r0 = crystals.smod(rPlus, 2 ** D) | 0;
return { r1: Math.floor((rPlus - r0) / 2 ** D) | 0, r0 };
};
const hintCoder = {
bytesLen: OMEGA + K,
encode: (h) => {
if (h === false)
throw new Error("hint.encode: hint is false");
const res = new Uint8Array(OMEGA + K);
for (let i = 0, k = 0; i < K; i++) {
for (let j = 0; j < N; j++)
if (h[i][j] !== 0)
res[k++] = j;
res[OMEGA + i] = k;
}
return res;
},
decode: (buf) => {
const h = [];
let k = 0;
for (let i = 0; i < K; i++) {
const hi = newPoly(N);
if (buf[OMEGA + i] < k || buf[OMEGA + i] > OMEGA)
return false;
for (let j = k; j < buf[OMEGA + i]; j++) {
if (j > k && buf[j] <= buf[j - 1])
return false;
hi[buf[j]] = 1;
}
k = buf[OMEGA + i];
h.push(hi);
}
for (let j = k; j < OMEGA; j++)
if (buf[j] !== 0)
return false;
return h;
}
};
const ETACoder = polyCoder(ETA === 2 ? 3 : 4, (i) => ETA - i, (i) => {
if (!(-ETA <= i && i <= ETA))
throw new Error(`malformed key s1/s3 ${i} outside of ETA range [${-ETA}, ${ETA}]`);
return i;
});
const T0Coder = polyCoder(13, (i) => (1 << D - 1) - i);
const T1Coder = polyCoder(10);
const ZCoder = polyCoder(GAMMA1 === 1 << 17 ? 18 : 20, (i) => crystals.smod(GAMMA1 - i));
const W1Coder = polyCoder(GAMMA2 === GAMMA2_1 ? 6 : 4);
const W1Vec = vecCoder(W1Coder, K);
const publicCoder = splitCoder("publicKey", 32, vecCoder(T1Coder, K));
const secretCoder = splitCoder("secretKey", 32, 32, TR_BYTES, vecCoder(ETACoder, L3), vecCoder(ETACoder, K), vecCoder(T0Coder, K));
const sigCoder = splitCoder("signature", C_TILDE_BYTES, vecCoder(ZCoder, L3), hintCoder);
const CoefFromHalfByte = ETA === 2 ? (n) => n < 15 ? 2 - n % 5 : false : (n) => n < 9 ? 4 - n : false;
function RejBoundedPoly(xof) {
const r = newPoly(N);
for (let j = 0; j < N; ) {
const b = xof();
for (let i = 0; j < N && i < b.length; i += 1) {
const d1 = CoefFromHalfByte(b[i] & 15);
const d2 = CoefFromHalfByte(b[i] >> 4 & 15);
if (d1 !== false)
r[j++] = d1;
if (j < N && d2 !== false)
r[j++] = d2;
}
}
return r;
}
const SampleInBall = (seed) => {
const pre = newPoly(N);
const s = shake256.create({}).update(seed);
const buf = new Uint8Array(shake256.blockLen);
s.xofInto(buf);
const masks = buf.slice(0, 8);
for (let i = N - TAU, pos = 8, maskPos = 0, maskBit = 0; i < N; i++) {
let b = i + 1;
for (; b > i; ) {
b = buf[pos++];
if (pos < shake256.blockLen)
continue;
s.xofInto(buf);
pos = 0;
}
pre[i] = pre[b];
pre[b] = 1 - ((masks[maskPos] >> maskBit++ & 1) << 1);
if (maskBit >= 8) {
maskPos++;
maskBit = 0;
}
}
return pre;
};
const polyPowerRound = (p) => {
const res0 = newPoly(N);
const res1 = newPoly(N);
for (let i = 0; i < p.length; i++) {
const { r0, r1 } = Power2Round(p[i]);
res0[i] = r0;
res1[i] = r1;
}
return { r0: res0, r1: res1 };
};
const polyUseHint = (u, h) => {
for (let i = 0; i < N; i++)
u[i] = UseHint(h[i], u[i]);
return u;
};
const polyMakeHint = (a, b) => {
const v = newPoly(N);
let cnt = 0;
for (let i = 0; i < N; i++) {
const h = MakeHint(a[i], b[i]);
v[i] = h;
cnt += h;
}
return { v, cnt };
};
const signRandBytes = 32;
const seedCoder = splitCoder("seed", 32, 64, 32);
const internal = {
info: { type: "internal-ml-dsa" },
lengths: {
secretKey: secretCoder.bytesLen,
publicKey: publicCoder.bytesLen,
seed: 32,
signature: sigCoder.bytesLen,
signRand: signRandBytes
},
keygen: (seed) => {
const seedDst = new Uint8Array(32 + 2);
const randSeed = seed === void 0;
if (randSeed)
seed = randomBytes2(32);
abytesDoc(seed, 32, "seed");
seedDst.set(seed);
if (randSeed)
cleanBytes(seed);
seedDst[32] = K;
seedDst[33] = L3;
const [rho, rhoPrime, K_] = seedCoder.decode(shake256(seedDst, { dkLen: seedCoder.bytesLen }));
const xofPrime = XOF2562(rhoPrime);
const s1 = [];
for (let i = 0; i < L3; i++)
s1.push(RejBoundedPoly(xofPrime.get(i & 255, i >> 8 & 255)));
const s2 = [];
for (let i = L3; i < L3 + K; i++)
s2.push(RejBoundedPoly(xofPrime.get(i & 255, i >> 8 & 255)));
const s1Hat = s1.map((i) => crystals.NTT.encode(i.slice()));
const t0 = [];
const t1 = [];
const xof = XOF1282(rho);
const t = newPoly(N);
for (let i = 0; i < K; i++) {
cleanBytes(t);
for (let j = 0; j < L3; j++) {
const aij = RejNTTPoly(xof.get(j, i));
polyAdd(t, MultiplyNTTs(aij, s1Hat[j]));
}
crystals.NTT.decode(t);
const { r0, r1 } = polyPowerRound(polyAdd(t, s2[i]));
t0.push(r0);
t1.push(r1);
}
const publicKey = publicCoder.encode([rho, t1]);
const tr = shake256(publicKey, { dkLen: TR_BYTES });
const secretKey = secretCoder.encode([rho, K_, tr, s1, s2, t0]);
xof.clean();
xofPrime.clean();
cleanBytes(rho, rhoPrime, K_, s1, s2, s1Hat, t, t0, t1, tr, seedDst);
return { publicKey, secretKey };
},
getPublicKey: (secretKey) => {
const [rho, _K, _tr, s1, s2, _t0] = secretCoder.decode(secretKey);
const xof = XOF1282(rho);
const s1Hat = s1.map((p) => crystals.NTT.encode(p.slice()));
const t1 = [];
const tmp = newPoly(N);
for (let i = 0; i < K; i++) {
tmp.fill(0);
for (let j = 0; j < L3; j++) {
const aij = RejNTTPoly(xof.get(j, i));
polyAdd(tmp, MultiplyNTTs(aij, s1Hat[j]));
}
crystals.NTT.decode(tmp);
polyAdd(tmp, s2[i]);
const { r1 } = polyPowerRound(tmp);
t1.push(r1);
}
xof.clean();
cleanBytes(tmp, s1Hat, _t0, s1, s2);
return publicCoder.encode([rho, t1]);
},
// NOTE: random is optional.
sign: (msg, secretKey, opts2 = {}) => {
validateSigOpts(opts2);
validateInternalOpts(opts2);
let { extraEntropy: random, externalMu = false } = opts2;
const [rho, _K, tr, s1, s2, t0] = secretCoder.decode(secretKey);
const A = [];
const xof = XOF1282(rho);
for (let i = 0; i < K; i++) {
const pv = [];
for (let j = 0; j < L3; j++)
pv.push(RejNTTPoly(xof.get(j, i)));
A.push(pv);
}
xof.clean();
for (let i = 0; i < L3; i++)
crystals.NTT.encode(s1[i]);
for (let i = 0; i < K; i++) {
crystals.NTT.encode(s2[i]);
crystals.NTT.encode(t0[i]);
}
const mu = externalMu ? msg : (
// 6: µ ← H(tr||M, 512)
// ▷ Compute message representative µ
shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest()
);
const rnd = random === false ? new Uint8Array(32) : random === void 0 ? randomBytes2(signRandBytes) : random;
abytesDoc(rnd, 32, "extraEntropy");
const rhoprime = shake256.create({ dkLen: CRH_BYTES }).update(_K).update(rnd).update(mu).digest();
abytesDoc(rhoprime, CRH_BYTES);
const x256 = XOF2562(rhoprime, ZCoder.bytesLen);
main_loop: for (let kappa = 0; ; ) {
const y = [];
for (let i = 0; i < L3; i++, kappa++)
y.push(ZCoder.decode(x256.get(kappa & 255, kappa >> 8)()));
const z = y.map((i) => crystals.NTT.encode(i.slice()));
const w = [];
for (let i = 0; i < K; i++) {
const wi = newPoly(N);
for (let j = 0; j < L3; j++)
polyAdd(wi, MultiplyNTTs(A[i][j], z[j]));
crystals.NTT.decode(wi);
w.push(wi);
}
const w1 = w.map((j) => j.map(HighBits));
const cTilde = shake256.create({ dkLen: C_TILDE_BYTES }).update(mu).update(W1Vec.encode(w1)).digest();
const cHat = crystals.NTT.encode(SampleInBall(cTilde));
const cs1 = s1.map((i) => MultiplyNTTs(i, cHat));
for (let i = 0; i < L3; i++) {
polyAdd(crystals.NTT.decode(cs1[i]), y[i]);
if (polyChknorm(cs1[i], GAMMA1 - BETA))
continue main_loop;
}
let cnt = 0;
const h = [];
for (let i = 0; i < K; i++) {
const cs2 = crystals.NTT.decode(MultiplyNTTs(s2[i], cHat));
const r0 = polySub(w[i], cs2).map(LowBits);
if (polyChknorm(r0, GAMMA2 - BETA))
continue main_loop;
const ct0 = crystals.NTT.decode(MultiplyNTTs(t0[i], cHat));
if (polyChknorm(ct0, GAMMA2))
continue main_loop;
polyAdd(r0, ct0);
const hint = polyMakeHint(r0, w1[i]);
h.push(hint.v);
cnt += hint.cnt;
}
if (cnt > OMEGA)
continue;
x256.clean();
const res = sigCoder.encode([cTilde, cs1, h]);
cleanBytes(cTilde, cs1, h, cHat, w1, w, z, y, rhoprime, s1, s2, t0, ...A);
if (!externalMu)
cleanBytes(mu);
return res;
}
throw new Error("Unreachable code path reached, report this error");
},
verify: (sig, msg, publicKey, opts2 = {}) => {
validateInternalOpts(opts2);
const { externalMu = false } = opts2;
const [rho, t1] = publicCoder.decode(publicKey);
const tr = shake256(publicKey, { dkLen: TR_BYTES });
if (sig.length !== sig