diff --git a/dhkem-x25519/index.html b/dhkem-x25519/index.html
new file mode 100644
index 000000000..8f0788ff2
--- /dev/null
+++ b/dhkem-x25519/index.html
@@ -0,0 +1,86 @@
+ + @hpke/dhkem-x25519 test + + + +

@hpke/dhkem-x25519 test

+ +
+ + +
+ +
+ +
+ + + + + + + + + +
pass: -
fail: -
+
+ +
diff --git a/dhkem-x25519/src/.gitkeep b/dhkem-x25519/src/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/dhkem-x25519/src/hpke-core.js b/dhkem-x25519/src/hpke-core.js
new file mode 100644
index 000000000..f44bf224d
--- /dev/null
+++ b/dhkem-x25519/src/hpke-core.js
@@ -0,0 +1 @@ +var A=["deriveBits"],pe=["encrypt","decrypt"];var c=new Uint8Array(0),oe=new Uint8Array([72,80,75,69,45,118,49]),be=new Uint8Array([72,80,75,69,0,0,0,0,0,0]),_e=new Uint8Array([75,69,77,0,0]),we=new Uint8Array([100,107,112,95,112,114,107]),xe=new Uint8Array([101,97,101,95,112,114,107]),me=new Uint8Array([105,110,102,111,95,104,97,115,104]),ge=new Uint8Array([112,115,107,95,105,100,95,104,97,115,104]),ke=new Uint8Array([115,101,99,114,101,116]),Pe=new Uint8Array([115,104,97,114,101,100,95,115,101,99,114,101,116]),Ee=new Uint8Array([107,101,121]),Se=new Uint8Array([98,97,115,101,95,110,111,110,99,101]),Ae=new Uint8Array([101,120,112]),ve=new Uint8Array([115,101,99]),Ke=new Uint8Array([99,97,110,100,105,100,97,116,101]),Qe=new Uint8Array([115,107]),Ie=new Uint8Array([255,255,255,255,0,0,0,0,255,255,255,255,255,255,255,255,188,230,250,173,167,23,158,132,243,185,202,194,252,99,37,81]),Le=new Uint8Array([255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,199,99,77,129,244,55,45,223,88,26,13,178,72,176,167,122,236,236,25,106,204,197,41,115]),Ue=new Uint8Array([1,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,250,81,134,135,131,191,47,150,107,127,204,1,72,247,9,165,208,59,181,201,184,137,156,71,174,187,111,183,30,145,56,100,9]);var G=class{constructor(){Object.defineProperty(this,"_api",{enumerable:!0,configurable:!0,writable:!0,value:void 0})}checkInit(){if(typeof this._api>"u")throw new Error("Not initialized. 
Call init()")}},y=class extends G{constructor(){super()}init(e){this._api=e}},Y=class extends G{constructor(){super(),Object.defineProperty(this,"_suiteId",{enumerable:!0,configurable:!0,writable:!0,value:c})}init(e,t){this._api=e,this._suiteId=t}};var m={Base:0,Psk:1,Auth:2,AuthPsk:3},Ye={DhkemP256HkdfSha256:16,DhkemP384HkdfSha384:17,DhkemP521HkdfSha512:18,DhkemSecp256k1HkdfSha256:19,DhkemX25519HkdfSha256:32,DhkemX448HkdfSha512:33},h=Ye,Fe={HkdfSha256:1,HkdfSha384:2,HkdfSha512:3},g=Fe,qe={Aes128Gcm:1,Aes256Gcm:2,Chacha20Poly1305:3,ExportOnly:65535},p=qe;var F=class{constructor(e,t){Object.defineProperty(this,"_rawKey",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_key",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_api",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._api=e,this._rawKey=t}async seal(e,t,r){this._key===void 0&&(this._key=await this.importKey(this._rawKey),new Uint8Array(this._rawKey).fill(0));let n={name:"AES-GCM",iv:e,additionalData:r};return await this._api.encrypt(n,this._key,t)}async open(e,t,r){this._key===void 0&&(this._key=await this.importKey(this._rawKey),new Uint8Array(this._rawKey).fill(0));let n={name:"AES-GCM",iv:e,additionalData:r};return await this._api.decrypt(n,this._key,t)}async importKey(e){return await this._api.importKey("raw",e,{name:"AES-GCM"},!0,pe)}},z=class extends y{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:p.Aes128Gcm}),Object.defineProperty(this,"keySize",{enumerable:!0,configurable:!0,writable:!0,value:16}),Object.defineProperty(this,"nonceSize",{enumerable:!0,configurable:!0,writable:!0,value:12}),Object.defineProperty(this,"tagSize",{enumerable:!0,configurable:!0,writable:!0,value:16})}createEncryptionContext(e){return this.checkInit(),new F(this._api,e)}},N=class extends 
y{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:p.Aes256Gcm}),Object.defineProperty(this,"keySize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"nonceSize",{enumerable:!0,configurable:!0,writable:!0,value:12}),Object.defineProperty(this,"tagSize",{enumerable:!0,configurable:!0,writable:!0,value:16})}createEncryptionContext(e){return this.checkInit(),new F(this._api,e)}};var l=class extends Error{constructor(e){let t;e instanceof Error?t=e.message:typeof e=="string"?t=e:t="",super(t),Error.captureStackTrace&&Error.captureStackTrace(this,this.constructor),this.name=this.constructor.name,this.message===""?this.message=this.name:this.message=this.name+": "+this.message}},f=class extends l{},He=class extends l{},q=class extends l{},K=class extends l{},W=class extends l{},X=class extends l{},$=class extends l{},J=class extends l{},V=class extends l{},Z=class extends l{},Q=class extends l{},w=class extends l{};var I=class{constructor(e,t,r){Object.defineProperty(this,"_api",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"exporterSecret",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_kdf",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._api=e,this._kdf=t,this.exporterSecret=r}async seal(e,t){return await this._emitError()}async open(e,t){return await this._emitError()}async export(e,t){if(e.byteLength>128)throw new f("Too long exporter context");try{return await this._kdf.labeledExpand(this.exporterSecret,ve,new Uint8Array(e),t)}catch(r){throw new $(r)}}_emitError(){return new Promise((e,t)=>{t(new w("Not available"))})}},ee=class extends I{},te=class extends I{constructor(e,t,r,n){super(e,t,r),Object.defineProperty(this,"enc",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this.enc=n}};var re=class extends 
y{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:p.ExportOnly}),Object.defineProperty(this,"keySize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"nonceSize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"tagSize",{enumerable:!0,configurable:!0,writable:!0,value:0})}createEncryptionContext(e){throw new w("createEncryptionContext() is not supported on ExportOnly")}};var C=class extends Y{constructor(){super(),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:g.HkdfSha256}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-256",length:256}})}buildLabeledIkm(e,t){let r=new Uint8Array(7+this._suiteId.byteLength+e.byteLength+t.byteLength);return r.set(oe,0),r.set(this._suiteId,7),r.set(e,7+this._suiteId.byteLength),r.set(t,7+this._suiteId.byteLength+e.byteLength),r}buildLabeledInfo(e,t,r){let n=new Uint8Array(9+this._suiteId.byteLength+e.byteLength+t.byteLength);return n.set(new Uint8Array([0,r]),0),n.set(oe,2),n.set(this._suiteId,9),n.set(e,9+this._suiteId.byteLength),n.set(t,9+this._suiteId.byteLength+e.byteLength),n}async extract(e,t){if(this.checkInit(),e.byteLength===0&&(e=new ArrayBuffer(this.hashSize)),e.byteLength!==this.hashSize)throw new f("The salt length must be the same as the hashSize");let r=await this._api.importKey("raw",e,this.algHash,!1,["sign"]);return await this._api.sign("HMAC",r,t)}async expand(e,t,r){this.checkInit();let n=await this._api.importKey("raw",e,this.algHash,!1,["sign"]),s=new ArrayBuffer(r),o=new Uint8Array(s),a=c,u=new Uint8Array(t),b=new Uint8Array(1);if(r>255*this.hashSize)throw new Error("Entropy limit reached");let _=new Uint8Array(this.hashSize+u.length+1);for(let 
B=1,d=0;d=a.length?(o.set(a,d),d+=a.length):(o.set(a.slice(0,o.length-d),d),d+=o.length-d);return s}async extractAndExpand(e,t,r,n){this.checkInit();let s=await this._api.importKey("raw",t,"HKDF",!1,A);return await this._api.deriveBits({name:"HKDF",hash:this.algHash.hash,salt:e,info:r},s,n*8)}async labeledExtract(e,t,r){return await this.extract(e,this.buildLabeledIkm(t,r))}async labeledExpand(e,t,r,n){return await this.expand(e,this.buildLabeledInfo(t,r,n),n)}},P=class extends C{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:g.HkdfSha256}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-256",length:256}})}},E=class extends C{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:g.HkdfSha384}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:48}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-384",length:384}})}},S=class extends C{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:g.HkdfSha512}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:64}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-512",length:512}})}};var We={},Oe=Xe(globalThis,We);function Xe(i,e){return new Proxy(i,{get(t,r,n){return r in e?e[r]:i[r]},set(t,r,n){return r in e&&delete e[r],i[r]=n,!0},deleteProperty(t,r){let n=!1;return r in e&&(delete e[r],n=!0),r in i&&(delete i[r],n=!0),n},ownKeys(t){let r=Reflect.ownKeys(i),n=Reflect.ownKeys(e),s=new Set(n);return[...r.filter(o=>!s.has(o)),...n]},defineProperty(t,r,n){return r in e&&delete 
e[r],Reflect.defineProperty(i,r,n),!0},getOwnPropertyDescriptor(t,r){return r in e?Reflect.getOwnPropertyDescriptor(e,r):Reflect.getOwnPropertyDescriptor(i,r)},has(t,r){return r in e||r in i}})}var De=()=>typeof Oe<"u",Te=()=>typeof caches<"u";var M=i=>typeof i=="object"&&i!==null&&typeof i.privateKey=="object"&&typeof i.publicKey=="object";function x(i,e){if(e<=0)throw new Error("i2Osp: too small size");if(i>=256**e)throw new Error("i2Osp: too large integer");let t=new Uint8Array(e);for(let r=0;r>8;return t}function je(i,e){if(i.byteLength!==e.byteLength)throw new Error("xor: different length inputs");let t=new Uint8Array(i.byteLength);for(let r=0;rNumber.MAX_SAFE_INTEGER)throw new Z("Message limit reached");e.seq+=1}};var ie=class extends U{async open(e,t=c){let r;try{r=await this._ctx.key.open(this.computeNonce(this._ctx),e,t)}catch(n){throw new V(n)}return this.incrementSeq(this._ctx),r}};var ne=class extends U{constructor(e,t,r,n){super(e,t,r),Object.defineProperty(this,"enc",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this.enc=n}async seal(e,t=c){let r;try{r=await this._ctx.key.seal(this.computeNonce(this._ctx),e,t)}catch(n){throw new J(n)}return this.incrementSeq(this._ctx),r}};async function Ne(){if((De()||Te())&&globalThis.crypto!==void 0)return globalThis.crypto.subtle;try{let{webcrypto:i}=await import("crypto");return i.subtle}catch{throw new w("Web Cryptograph API not supported")}}var H=class extends 
y{constructor(e,t){super(),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:h.DhkemP256HkdfSha256}),Object.defineProperty(this,"secretSize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"encSize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"publicKeySize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"privateKeySize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"_prim",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_kdf",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._prim=e,this._kdf=t}init(e){super.init(e);let t=new Uint8Array(_e);t.set(x(this.id,2),3),this._prim.init(e),this._kdf.init(e,t),super.init(e)}async generateKeyPair(){try{return await this._prim.generateKeyPair()}catch(e){throw new w(e)}}async deriveKeyPair(e){try{return await this._prim.deriveKeyPair(e)}catch(t){throw new Q(t)}}async serializePublicKey(e){try{return await this._prim.serializePublicKey(e)}catch(t){throw new q(t)}}async deserializePublicKey(e){try{return await this._prim.deserializePublicKey(e)}catch(t){throw new K(t)}}async importKey(e,t,r){try{return await this._prim.importKey(e,t,r)}catch(n){throw new K(n)}}async encap(e){try{let t=e.nonEphemeralKeyPair===void 0?await this.generateKeyPair():e.nonEphemeralKeyPair,r=await this._prim.serializePublicKey(t.publicKey),n=await this._prim.serializePublicKey(e.recipientPublicKey),s;if(e.senderKey===void 0)s=new Uint8Array(await this._prim.dh(t.privateKey,e.recipientPublicKey));else{let u=M(e.senderKey)?e.senderKey.privateKey:e.senderKey,b=new Uint8Array(await this._prim.dh(t.privateKey,e.recipientPublicKey)),_=new Uint8Array(await this._prim.dh(u,e.recipientPublicKey));s=R(b,_)}let o;if(e.senderKey===void 0)o=R(new Uint8Array(r),new Uint8Array(n));else{let u=M(e.senderKey)?e.senderKey.publicKey:await 
this._prim.derivePublicKey(e.senderKey),b=await this._prim.serializePublicKey(u);o=ze(new Uint8Array(r),new Uint8Array(n),new Uint8Array(b))}let a=await this.generateSharedSecret(s,o);return{enc:r,sharedSecret:a}}catch(t){throw new W(t)}}async decap(e){let t;try{t=await this._prim.deserializePublicKey(e.enc)}catch(r){throw new K(r)}try{let r=M(e.recipientKey)?e.recipientKey.privateKey:e.recipientKey,n=M(e.recipientKey)?e.recipientKey.publicKey:await this._prim.derivePublicKey(e.recipientKey),s=await this._prim.serializePublicKey(n),o;if(e.senderPublicKey===void 0)o=new Uint8Array(await this._prim.dh(r,t));else{let u=new Uint8Array(await this._prim.dh(r,t)),b=new Uint8Array(await this._prim.dh(r,e.senderPublicKey));o=R(u,b)}let a;if(e.senderPublicKey===void 0)a=R(new Uint8Array(e.enc),new Uint8Array(s));else{let u=await this._prim.serializePublicKey(e.senderPublicKey);a=new Uint8Array(e.enc.byteLength+s.byteLength+u.byteLength),a.set(new Uint8Array(e.enc),0),a.set(new Uint8Array(s),e.enc.byteLength),a.set(new Uint8Array(u),e.enc.byteLength+s.byteLength)}return await this.generateSharedSecret(o,a)}catch(r){throw new X(r)}}async generateSharedSecret(e,t){let r=this._kdf.buildLabeledIkm(xe,e),n=this._kdf.buildLabeledInfo(Pe,t,this.secretSize);return await this._kdf.extractAndExpand(c,r,n,this.secretSize)}};var se=class{constructor(e){Object.defineProperty(this,"_num",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._num=new Uint8Array(e)}val(){return this._num}reset(){this._num.fill(0)}set(e){if(e.length!==this._num.length)throw new Error("Bignum.set: invalid argument");this._num.set(e)}isZero(){for(let e=0;ee[t])return!1}return!1}};var Je=new Uint8Array([48,65,2,1,0,48,19,6,7,42,134,72,206,61,2,1,6,8,42,134,72,206,61,3,1,7,4,39,48,37,2,1,1,4,32]),Ve=new Uint8Array([48,78,2,1,0,48,16,6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,34,4,55,48,53,2,1,1,4,48]),Ze=new 
Uint8Array([48,96,2,1,0,48,16,6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,35,4,73,48,71,2,1,1,4,66]),O=class extends y{constructor(e,t){switch(super(),Object.defineProperty(this,"_hkdf",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_alg",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_nPk",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_nSk",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_nDh",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_order",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_bitmask",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_pkcs8AlgId",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._hkdf=t,e){case h.DhkemP256HkdfSha256:this._alg={name:"ECDH",namedCurve:"P-256"},this._nPk=65,this._nSk=32,this._nDh=32,this._order=Ie,this._bitmask=255,this._pkcs8AlgId=Je;break;case h.DhkemP384HkdfSha384:this._alg={name:"ECDH",namedCurve:"P-384"},this._nPk=97,this._nSk=48,this._nDh=48,this._order=Le,this._bitmask=255,this._pkcs8AlgId=Ve;break;default:this._alg={name:"ECDH",namedCurve:"P-521"},this._nPk=133,this._nSk=66,this._nDh=66,this._order=Ue,this._bitmask=1,this._pkcs8AlgId=Ze;break}}async serializePublicKey(e){this.checkInit();let t=await this._api.exportKey("raw",e);if(t.byteLength!==this._nPk)throw new Error("Invalid public key for the ciphersuite");return t}async deserializePublicKey(e){if(this.checkInit(),e.byteLength!==this._nPk)throw new Error("Invalid public key for the ciphersuite");try{return await this._api.importKey("raw",e,this._alg,!0,[])}catch{throw new Error("Invalid public key for the ciphersuite")}}async importKey(e,t,r){if(this.checkInit(),e==="raw")return await this._importRawKey(t,r);if(t instanceof ArrayBuffer)throw new Error("Invalid jwk key 
format");return await this._importJWK(t,r)}async _importRawKey(e,t){if(t&&e.byteLength!==this._nPk)throw new Error("Invalid public key for the ciphersuite");if(!t&&e.byteLength!==this._nSk)throw new Error("Invalid private key for the ciphersuite");try{if(t)return await this._api.importKey("raw",e,this._alg,!0,[]);let r=new Uint8Array(e),n=new Uint8Array(this._pkcs8AlgId.length+r.length);return n.set(this._pkcs8AlgId,0),n.set(r,this._pkcs8AlgId.length),await this._api.importKey("pkcs8",n,this._alg,!0,A)}catch{throw new Error("Invalid key for the ciphersuite")}}async _importJWK(e,t){if(typeof e.crv>"u"||e.crv!==this._alg.namedCurve)throw new Error(`Invalid crv: ${e.crv}`);if(t){if(typeof e.d<"u")throw new Error("Invalid key: `d` should not be set");return await this._api.importKey("jwk",e,this._alg,!0,[])}if(typeof e.d>"u")throw new Error("Invalid key: `d` not found");return await this._api.importKey("jwk",e,this._alg,!0,A)}async derivePublicKey(e){this.checkInit();let t=await this._api.exportKey("jwk",e);return delete t.d,delete t.key_ops,await this._api.importKey("jwk",t,this._alg,!0,[])}async generateKeyPair(){return this.checkInit(),await this._api.generateKey(this._alg,!0,A)}async deriveKeyPair(e){this.checkInit();let t=await this._hkdf.labeledExtract(c,we,new Uint8Array(e)),r=new se(this._nSk);for(let o=0;r.isZero()||!r.lessThan(this._order);o++){if(o>255)throw new Error("Faild to derive a key pair");let a=new Uint8Array(await this._hkdf.labeledExpand(t,Ke,x(o,1),this._nSk));a[0]=a[0]&this._bitmask,r.set(a)}let n=new Uint8Array(this._pkcs8AlgId.length+r.val().length);n.set(this._pkcs8AlgId,0),n.set(r.val(),this._pkcs8AlgId.length);let s=await this._api.importKey("pkcs8",n,this._alg,!0,A);return r.reset(),{privateKey:s,publicKey:await this.derivePublicKey(s)}}async dh(e,t){return this.checkInit(),await this._api.deriveBits({name:"ECDH",public:t},e,this._nDh*8)}};var D=class extends H{constructor(){let e=new P,t=new 
O(h.DhkemP256HkdfSha256,e);super(t,e),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:h.DhkemP256HkdfSha256}),Object.defineProperty(this,"secretSize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"encSize",{enumerable:!0,configurable:!0,writable:!0,value:65}),Object.defineProperty(this,"publicKeySize",{enumerable:!0,configurable:!0,writable:!0,value:65}),Object.defineProperty(this,"privateKeySize",{enumerable:!0,configurable:!0,writable:!0,value:32})}},T=class extends H{constructor(){let e=new E,t=new O(h.DhkemP384HkdfSha384,e);super(t,e),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:h.DhkemP384HkdfSha384}),Object.defineProperty(this,"secretSize",{enumerable:!0,configurable:!0,writable:!0,value:48}),Object.defineProperty(this,"encSize",{enumerable:!0,configurable:!0,writable:!0,value:97}),Object.defineProperty(this,"publicKeySize",{enumerable:!0,configurable:!0,writable:!0,value:97}),Object.defineProperty(this,"privateKeySize",{enumerable:!0,configurable:!0,writable:!0,value:48})}},j=class extends H{constructor(){let e=new S,t=new O(h.DhkemP521HkdfSha512,e);super(t,e),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:h.DhkemP521HkdfSha512}),Object.defineProperty(this,"secretSize",{enumerable:!0,configurable:!0,writable:!0,value:64}),Object.defineProperty(this,"encSize",{enumerable:!0,configurable:!0,writable:!0,value:133}),Object.defineProperty(this,"publicKeySize",{enumerable:!0,configurable:!0,writable:!0,value:133}),Object.defineProperty(this,"privateKeySize",{enumerable:!0,configurable:!0,writable:!0,value:64})}};var ae=class{constructor(e){if(Object.defineProperty(this,"_api",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_kem",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_kdf",{enumerable:!0,configurable:!0,writable:!0,value:void 
0}),Object.defineProperty(this,"_aead",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_suiteId",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),typeof e.kem!="number")this._kem=e.kem;else switch(e.kem){case h.DhkemP256HkdfSha256:this._kem=new D;break;case h.DhkemP384HkdfSha384:this._kem=new T;break;case h.DhkemP521HkdfSha512:this._kem=new j;break;default:throw new f(`The KEM (${e.kem}) cannot be specified by KemId. Use submodule for the KEM`)}if(typeof e.kdf!="number")this._kdf=e.kdf;else switch(e.kdf){case g.HkdfSha256:this._kdf=new P;break;case g.HkdfSha384:this._kdf=new E;break;default:this._kdf=new S;break}if(typeof e.aead!="number")this._aead=e.aead;else switch(e.aead){case p.Aes128Gcm:this._aead=new z;break;case p.Aes256Gcm:this._aead=new N;break;case p.ExportOnly:this._aead=new re;break;default:throw new f(`The AEAD (${e.aead}) cannot be specified by AeadId. Use submodule for the AEAD`)}this._suiteId=new Uint8Array(be),this._suiteId.set(x(this._kem.id,2),4),this._suiteId.set(x(this._kdf.id,2),6),this._suiteId.set(x(this._aead.id,2),8)}get kem(){return this._kem}get kdf(){return this._kdf}get aead(){return this._aead}async generateKeyPair(){return await this._setup(),await this._kem.generateKeyPair()}async deriveKeyPair(e){if(e.byteLength>128)throw new f("Too long ikm");return await this._setup(),await this._kem.deriveKeyPair(e)}async importKey(e,t,r=!0){return await this._setup(),await this._kem.importKey(e,t,r)}async createSenderContext(e){this._validateInputLength(e),await this._setup();let t=await this._kem.encap(e),r;return e.psk!==void 0?r=e.senderKey!==void 0?m.AuthPsk:m.Psk:r=e.senderKey!==void 0?m.Auth:m.Base,await this._keyScheduleS(r,t.sharedSecret,t.enc,e)}async createRecipientContext(e){this._validateInputLength(e),await this._setup();let t=await this._kem.decap(e),r;return e.psk!==void 0?r=e.senderPublicKey!==void 0?m.AuthPsk:m.Psk:r=e.senderPublicKey!==void 0?m.Auth:m.Base,await 
this._keyScheduleR(r,t,e)}async seal(e,t,r=c){let n=await this.createSenderContext(e);return{ct:await n.seal(t,r),enc:n.enc}}async open(e,t,r=c){return await(await this.createRecipientContext(e)).open(t,r)}async _setup(){if(this._api!==void 0)return;let e=await Ne();this._kem.init(e),this._kdf.init(e,this._suiteId),this._aead.init(e),this._api=e}async _keySchedule(e,t,r){let n=r.psk===void 0?c:new Uint8Array(r.psk.id),s=await this._kdf.labeledExtract(c,ge,n),o=r.info===void 0?c:new Uint8Array(r.info),a=await this._kdf.labeledExtract(c,me,o),u=new Uint8Array(1+s.byteLength+a.byteLength);u.set(new Uint8Array([e]),0),u.set(new Uint8Array(s),1),u.set(new Uint8Array(a),1+s.byteLength);let b=r.psk===void 0?c:new Uint8Array(r.psk.key),_=this._kdf.buildLabeledIkm(ke,b),B=this._kdf.buildLabeledInfo(Ae,u,this._kdf.hashSize),d=await this._kdf.extractAndExpand(t,_,B,this._kdf.hashSize);if(this._aead.id===p.ExportOnly)return{aead:this._aead,exporterSecret:d};let Me=this._kdf.buildLabeledInfo(Ee,u,this._aead.keySize),Re=await this._kdf.extractAndExpand(t,_,Me,this._aead.keySize),Be=this._kdf.buildLabeledInfo(Se,u,this._aead.nonceSize),Ge=await this._kdf.extractAndExpand(t,_,Be,this._aead.nonceSize);return{aead:this._aead,exporterSecret:d,key:Re,baseNonce:new Uint8Array(Ge),seq:0}}async _keyScheduleS(e,t,r,n){let s=await this._keySchedule(e,t,n);return s.key===void 0?new te(this._api,this._kdf,s.exporterSecret,r):new ne(this._api,this._kdf,s,r)}async _keyScheduleR(e,t,r){let n=await this._keySchedule(e,t,r);return n.key===void 0?new ee(this._api,this._kdf,n.exporterSecret):new ie(this._api,this._kdf,n)}_validateInputLength(e){if(e.info!==void 0&&e.info.byteLength>128)throw new f("Too long info");if(e.psk!==void 0){if(e.psk.key.byteLength<32)throw new f(`PSK must have at least ${32} bytes`);if(e.psk.key.byteLength>128)throw new f("Too long psk.key");if(e.psk.id.byteLength>128)throw new f("Too long psk.id")}}};var ue=class extends ae{},ce=class extends D{},he=class extends 
T{},le=class extends j{},fe=class extends P{},de=class extends E{},ye=class extends S{};export{p as AeadId,z as Aes128Gcm,N as Aes256Gcm,ue as CipherSuite,X as DecapError,Q as DeriveKeyPairError,K as DeserializeError,ce as DhkemP256HkdfSha256,he as DhkemP384HkdfSha384,le as DhkemP521HkdfSha512,W as EncapError,$ as ExportError,fe as HkdfSha256,de as HkdfSha384,ye as HkdfSha512,f as InvalidParamError,g as KdfId,h as KemId,Z as MessageLimitReachedError,w as NotSupportedError,V as OpenError,J as SealError,q as SerializeError,He as ValidationError};
diff --git a/dhkem-x25519/src/hpke-dhkem-x25519.js b/dhkem-x25519/src/hpke-dhkem-x25519.js
new file mode 100644
index 000000000..15cef4c65
--- /dev/null
+++ b/dhkem-x25519/src/hpke-dhkem-x25519.js
@@ -0,0 +1,24 @@ +var Sr={DhkemP256HkdfSha256:16,DhkemP384HkdfSha384:17,DhkemP521HkdfSha512:18,DhkemSecp256k1HkdfSha256:19,DhkemX25519HkdfSha256:32,DhkemX448HkdfSha512:33},Ot=Sr,Lr={HkdfSha256:1,HkdfSha384:2,HkdfSha512:3},oe=Lr;function ie(e){if(!Number.isSafeInteger(e)||e<0)throw new Error(`Wrong positive integer: ${e}`)}function vr(e){if(typeof e!="boolean")throw new Error(`Expected boolean, not ${e}`)}function Re(e,...t){if(!(e instanceof Uint8Array))throw new Error("Expected Uint8Array");if(t.length>0&&!t.includes(e.length))throw new Error(`Expected Uint8Array of length ${t}, not of length=${e.length}`)}function Ir(e){if(typeof e!="function"||typeof e.create!="function")throw new Error("Hash should be wrapped by utils.wrapConstructor");ie(e.outputLen),ie(e.blockLen)}function Ur(e,t=!0){if(e.destroyed)throw new Error("Hash instance has been destroyed");if(t&&e.finished)throw new Error("Hash#digest() has already been called")}function Pr(e,t){Re(e);let r=t.outputLen;if(e.lengthe instanceof Uint8Array;var Ct=e=>new DataView(e.buffer,e.byteOffset,e.byteLength),X=(e,t)=>e<<32-t|e>>>t,Kr=new Uint8Array(new Uint32Array([287454020]).buffer)[0]===68;if(!Kr)throw new Error("Non little-endian hardware is not supported");var qn=Array.from({length:256},(e,t)=>t.toString(16).padStart(2,"0"));function se(e){if(typeof e!="string")throw new Error(`utf8ToBytes expected string, got ${typeof e}`);return new Uint8Array(new TextEncoder().encode(e))}function Bt(e){if(typeof e=="string"&&(e=se(e)),!De(e))throw new Error(`expected Uint8Array, got ${typeof e}`);return e}function qe(...e){let t=new Uint8Array(e.reduce((n,o)=>n+o.length,0)),r=0;return e.forEach(n=>{if(!De(n))throw new Error("Uint8Array expected");t.set(n,r),r+=n.length}),t}var yt=class{clone(){return this._cloneInto()}};function ft(e){let t=n=>e().update(Bt(n)).digest(),r=e();return t.outputLen=r.outputLen,t.blockLen=r.blockLen,t.create=()=>e(),t}function ce(e=32){if(Tt&&typeof Tt.getRandomValues=="function")return 
Tt.getRandomValues(new Uint8Array(e));throw new Error("crypto.getRandomValues must be defined")}var Nt=class extends yt{constructor(t,r){super(),this.finished=!1,this.destroyed=!1,rt.hash(t);let n=Bt(r);if(this.iHash=t.create(),typeof this.iHash.update!="function")throw new Error("Expected instance of class which extends utils.Hash");this.blockLen=this.iHash.blockLen,this.outputLen=this.iHash.outputLen;let o=this.blockLen,i=new Uint8Array(o);i.set(n.length>o?t.create().update(n).digest():n);for(let c=0;cnew Nt(e,t).update(r).digest();ae.create=(e,t)=>new Nt(e,t);function kr(e,t,r,n){if(typeof e.setBigUint64=="function")return e.setBigUint64(t,r,n);let o=BigInt(32),i=BigInt(4294967295),c=Number(r>>o&i),a=Number(r&i),s=n?4:0,u=n?0:4;e.setUint32(t+s,c,n),e.setUint32(t+u,a,n)}var wt=class extends yt{constructor(t,r,n,o){super(),this.blockLen=t,this.outputLen=r,this.padOffset=n,this.isLE=o,this.finished=!1,this.length=0,this.pos=0,this.destroyed=!1,this.buffer=new Uint8Array(t),this.view=Ct(this.buffer)}update(t){rt.exists(this);let{view:r,buffer:n,blockLen:o}=this;t=Bt(t);let i=t.length;for(let c=0;co-c&&(this.process(n,0),c=0);for(let h=c;hf.length)throw new Error("_sha2: outputLen bigger than state");for(let h=0;he&t^~e&r,Tr=(e,t,r)=>e&t^e&r^t&r,Cr=new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),ut=new 
Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),lt=new Uint32Array(64),Rt=class extends wt{constructor(){super(64,32,8,!1),this.A=ut[0]|0,this.B=ut[1]|0,this.C=ut[2]|0,this.D=ut[3]|0,this.E=ut[4]|0,this.F=ut[5]|0,this.G=ut[6]|0,this.H=ut[7]|0}get(){let{A:t,B:r,C:n,D:o,E:i,F:c,G:a,H:s}=this;return[t,r,n,o,i,c,a,s]}set(t,r,n,o,i,c,a,s){this.A=t|0,this.B=r|0,this.C=n|0,this.D=o|0,this.E=i|0,this.F=c|0,this.G=a|0,this.H=s|0}process(t,r){for(let h=0;h<16;h++,r+=4)lt[h]=t.getUint32(r,!1);for(let h=16;h<64;h++){let p=lt[h-15],A=lt[h-2],v=X(p,7)^X(p,18)^p>>>3,I=X(A,17)^X(A,19)^A>>>10;lt[h]=I+lt[h-7]+v+lt[h-16]|0}let{A:n,B:o,C:i,D:c,E:a,F:s,G:u,H:f}=this;for(let h=0;h<64;h++){let p=X(a,6)^X(a,11)^X(a,25),A=f+p+Or(a,s,u)+Cr[h]+lt[h]|0,I=(X(n,2)^X(n,13)^X(n,22))+Tr(n,o,i)|0;f=u,u=s,s=a,a=c+A|0,c=i,i=o,o=n,n=A+I|0}n=n+this.A|0,o=o+this.B|0,i=i+this.C|0,c=c+this.D|0,a=a+this.E|0,s=s+this.F|0,u=u+this.G|0,f=f+this.H|0,this.set(n,o,i,c,a,s,u,f)}roundClean(){lt.fill(0)}destroy(){this.set(0,0,0,0,0,0,0,0),this.buffer.fill(0)}},fe=class extends Rt{constructor(){super(),this.A=-1056596264,this.B=914150663,this.C=812702999,this.D=-150054599,this.E=-4191439,this.F=1750603025,this.G=1694076839,this.H=-1090891868,this.outputLen=28}},ze=ft(()=>new Rt),Xn=ft(()=>new fe);var Dt=["deriveBits"];var nt=new Uint8Array(0),ue=new Uint8Array([72,80,75,69,45,118,49]),Qn=new Uint8Array([72,80,75,69,0,0,0,0,0,0]),Me=new Uint8Array([75,69,77,0,0]),Ge=new Uint8Array([100,107,112,95,112,114,107]),je=new Uint8Array([101,97,101,95,112,114,107]),Jn=new Uint8Array([105,110,102,111,95,104,97,115,104]),to=new Uint8Array([112,115,107,95,105,100,95,104,97,115,104]),eo=new Uint8Array([115,101,99,114,101,116]),Fe=new Uint8Array([115,104,97,114,101,100,95,115,101,99,114,101,116]),ro=new Uint8Array([107,101,121]),no=new Uint8Array([98,97,115,101,95,110,111,110,99,101]),oo=new Uint8Array([101,120,112]),io=new Uint8Array([115,101,99]),so=new 
Uint8Array([99,97,110,100,105,100,97,116,101]),Ve=new Uint8Array([115,107]),co=new Uint8Array([255,255,255,255,0,0,0,0,255,255,255,255,255,255,255,255,188,230,250,173,167,23,158,132,243,185,202,194,252,99,37,81]),ao=new Uint8Array([255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,199,99,77,129,244,55,45,223,88,26,13,178,72,176,167,122,236,236,25,106,204,197,41,115]),fo=new Uint8Array([1,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,250,81,134,135,131,191,47,150,107,127,204,1,72,247,9,165,208,59,181,201,184,137,156,71,174,187,111,183,30,145,56,100,9]);var qt=class{constructor(){Object.defineProperty(this,"_api",{enumerable:!0,configurable:!0,writable:!0,value:void 0})}checkInit(){if(typeof this._api>"u")throw new Error("Not initialized. Call init()")}},gt=class extends qt{constructor(){super()}init(t){this._api=t}},zt=class extends qt{constructor(){super(),Object.defineProperty(this,"_suiteId",{enumerable:!0,configurable:!0,writable:!0,value:nt})}init(t,r){this._api=t,this._suiteId=r}};var ot=class extends Error{constructor(t){let r;t instanceof Error?r=t.message:typeof t=="string"?r=t:r="",super(r),Error.captureStackTrace&&Error.captureStackTrace(this,this.constructor),this.name=this.constructor.name,this.message===""?this.message=this.name:this.message=this.name+": "+this.message}},Mt=class extends ot{};var Gt=class extends ot{},mt=class extends ot{},jt=class extends ot{},Ft=class extends ot{};var Vt=class extends ot{},Zt=class extends ot{};var le=class extends zt{constructor(){super(),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:oe.HkdfSha256}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:0}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-256",length:256}})}buildLabeledIkm(t,r){let n=new 
Uint8Array(7+this._suiteId.byteLength+t.byteLength+r.byteLength);return n.set(ue,0),n.set(this._suiteId,7),n.set(t,7+this._suiteId.byteLength),n.set(r,7+this._suiteId.byteLength+t.byteLength),n}buildLabeledInfo(t,r,n){let o=new Uint8Array(9+this._suiteId.byteLength+t.byteLength+r.byteLength);return o.set(new Uint8Array([0,n]),0),o.set(ue,2),o.set(this._suiteId,9),o.set(t,9+this._suiteId.byteLength),o.set(r,9+this._suiteId.byteLength+t.byteLength),o}async extract(t,r){if(this.checkInit(),t.byteLength===0&&(t=new ArrayBuffer(this.hashSize)),t.byteLength!==this.hashSize)throw new Mt("The salt length must be the same as the hashSize");let n=await this._api.importKey("raw",t,this.algHash,!1,["sign"]);return await this._api.sign("HMAC",n,r)}async expand(t,r,n){this.checkInit();let o=await this._api.importKey("raw",t,this.algHash,!1,["sign"]),i=new ArrayBuffer(n),c=new Uint8Array(i),a=nt,s=new Uint8Array(r),u=new Uint8Array(1);if(n>255*this.hashSize)throw new Error("Entropy limit reached");let f=new Uint8Array(this.hashSize+s.length+1);for(let h=1,p=0;p=a.length?(c.set(a,p),p+=a.length):(c.set(a.slice(0,c.length-p),p),p+=c.length-p);return i}async extractAndExpand(t,r,n,o){this.checkInit();let i=await this._api.importKey("raw",r,"HKDF",!1,Dt);return await this._api.deriveBits({name:"HKDF",hash:this.algHash.hash,salt:t,info:n},i,o*8)}async labeledExtract(t,r,n){return await this.extract(t,this.buildLabeledIkm(r,n))}async labeledExpand(t,r,n,o){return await this.expand(t,this.buildLabeledInfo(r,n,o),o)}},$t=class extends le{constructor(){super(...arguments),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:oe.HkdfSha256}),Object.defineProperty(this,"hashSize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"algHash",{enumerable:!0,configurable:!0,writable:!0,value:{name:"HMAC",hash:"SHA-256",length:256}})}};var Yt=class extends $t{async extract(t,r){if(this.checkInit(),t.byteLength===0&&(t=new 
ArrayBuffer(this.hashSize)),t.byteLength!==this.hashSize)return ae(ze,new Uint8Array(t),new Uint8Array(r));let n=await this._api.importKey("raw",t,this.algHash,!1,["sign"]);return await this._api.sign("HMAC",n,r)}};var Nr={},Rr=Dr(globalThis,Nr);function Dr(e,t){return new Proxy(e,{get(r,n,o){return n in t?t[n]:e[n]},set(r,n,o){return n in t&&delete t[n],e[n]=o,!0},deleteProperty(r,n){let o=!1;return n in t&&(delete t[n],o=!0),n in e&&(delete e[n],o=!0),o},ownKeys(r){let n=Reflect.ownKeys(e),o=Reflect.ownKeys(t),i=new Set(o);return[...n.filter(c=>!i.has(c)),...o]},defineProperty(r,n,o){return n in t&&delete t[n],Reflect.defineProperty(e,n,o),!0},getOwnPropertyDescriptor(r,n){return n in t?Reflect.getOwnPropertyDescriptor(t,n):Reflect.getOwnPropertyDescriptor(e,n)},has(r,n){return n in t||n in e}})}var St=e=>typeof e=="object"&&e!==null&&typeof e.privateKey=="object"&&typeof e.publicKey=="object";function $e(e,t){if(t<=0)throw new Error("i2Osp: too small size");if(e>=256**t)throw new Error("i2Osp: too large integer");let r=new Uint8Array(t);for(let n=0;n>8;return r}function Lt(e,t){let r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}function Ye(e,t,r){let n=new Uint8Array(e.length+t.length+r.length);return n.set(e,0),n.set(t,e.length),n.set(r,e.length+t.length),n}function he(e){let t=e.replace(/-/g,"+").replace(/_/g,"/"),r=atob(t),n=new Uint8Array(r.length);for(let o=0;o>de&Wt)}:{h:Number(e>>de&Wt)|0,l:Number(e&Wt)|0}}function zr(e,t=!1){let r=new Uint32Array(e.length),n=new Uint32Array(e.length);for(let o=0;oBigInt(e>>>0)<>>0),Gr=(e,t,r)=>e>>>r,jr=(e,t,r)=>e<<32-r|t>>>r,Fr=(e,t,r)=>e>>>r|t<<32-r,Vr=(e,t,r)=>e<<32-r|t>>>r,Zr=(e,t,r)=>e<<64-r|t>>>r-32,$r=(e,t,r)=>e>>>r-32|t<<64-r,Yr=(e,t)=>t,Xr=(e,t)=>e,Wr=(e,t,r)=>e<>>32-r,Qr=(e,t,r)=>t<>>32-r,Jr=(e,t,r)=>t<>>64-r,tn=(e,t,r)=>e<>>64-r;function en(e,t,r,n){let o=(t>>>0)+(n>>>0);return{h:e+r+(o/2**32|0)|0,l:o|0}}var 
rn=(e,t,r)=>(e>>>0)+(t>>>0)+(r>>>0),nn=(e,t,r,n)=>t+r+n+(e/2**32|0)|0,on=(e,t,r,n)=>(e>>>0)+(t>>>0)+(r>>>0)+(n>>>0),sn=(e,t,r,n,o)=>t+r+n+o+(e/2**32|0)|0,cn=(e,t,r,n,o)=>(e>>>0)+(t>>>0)+(r>>>0)+(n>>>0)+(o>>>0),an=(e,t,r,n,o,i)=>t+r+n+o+i+(e/2**32|0)|0,fn={fromBig:Xe,split:zr,toBig:Mr,shrSH:Gr,shrSL:jr,rotrSH:Fr,rotrSL:Vr,rotrBH:Zr,rotrBL:$r,rotr32H:Yr,rotr32L:Xr,rotlSH:Wr,rotlSL:Qr,rotlBH:Jr,rotlBL:tn,add:en,add3L:rn,add3H:nn,add4L:on,add4H:sn,add5H:an,add5L:cn},g=fn;var[un,ln]=g.split(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c47
1b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map(e=>BigInt(e))),ht=new Uint32Array(80),dt=new Uint32Array(80),Et=class extends wt{constructor(){super(128,64,16,!1),this.Ah=1779033703,this.Al=-205731576,this.Bh=-1150833019,this.Bl=-2067093701,this.Ch=1013904242,this.Cl=-23791573,this.Dh=-1521486534,this.Dl=1595750129,this.Eh=1359893119,this.El=-1377402159,this.Fh=-1694144372,this.Fl=725511199,this.Gh=528734635,this.Gl=-79577749,this.Hh=1541459225,this.Hl=327033209}get(){let{Ah:t,Al:r,Bh:n,Bl:o,Ch:i,Cl:c,Dh:a,Dl:s,Eh:u,El:f,Fh:h,Fl:p,Gh:A,Gl:v,Hh:I,Hl:L}=this;return[t,r,n,o,i,c,a,s,u,f,h,p,A,v,I,L]}set(t,r,n,o,i,c,a,s,u,f,h,p,A,v,I,L){this.Ah=t|0,this.Al=r|0,this.Bh=n|0,this.Bl=o|0,this.Ch=i|0,this.Cl=c|0,this.Dh=a|0,this.Dl=s|0,this.Eh=u|0,this.El=f|0,this.Fh=h|0,this.Fl=p|0,this.Gh=A|0,this.Gl=v|0,this.Hh=I|0,this.Hl=L|0}process(t,r){for(let d=0;d<16;d++,r+=4)ht[d]=t.getUint32(r),dt[d]=t.getUint32(r+=4);for(let d=16;d<80;d++){let m=ht[d-15]|0,y=dt[d-15]|0,N=g.rotrSH(m,y,1)^g.rotrSH(m,y,8)^g.shrSH(m,y,7),Y=g.rotrSL(m,y,1)^g.rotrSL(m,y,8)^g.shrSL(m,y,7),K=ht[d-2]|0,O=dt[d-2]|0,z=g.rotrSH(K,O,19)^g.rotrBH(K,O,61)^g.shrSH(K,O,6),R=g.rotrSL(K,O,19)^g.rotrBL(K,O,61)^g.shrSL(K,O,6),V=g.add4L(Y,R,dt[d-7],dt[d-16]),T=g.add4H(V,N,z,ht[d-7],ht[d-16]);ht[d]=T|0,dt[d]=V|0}let{Ah:n,Al:o,Bh:i,Bl:c,Ch:a,Cl:s,Dh:u,Dl:f,Eh:h,El:p,Fh:A,Fl:v,Gh:I,Gl:L,Hh:q,Hl:F}=this;for(let d=0;d<80;d++){let m=g.rotrSH(h,p,14)^g.rotrSH(h,p,18)^g.rotrBH(h,p,41),y=g.rotrSL(h,p,14)^g.rotrSL(h,p,18)^g.rotrBL(h,p,41),N=h&A^~h&I,Y=p&v^~p&L,K=g.add5L(F,y,Y,ln[d],dt[d]),O=g.add5H(K,q,m,N,un[d],ht[d]),z=K|0,R=g.rotrSH(n,o,28)^g.rotrBH(n,o,34)^g.rotrBH(n,o,39),V=g.rotrSL(n,o,28)^g.rotrBL(n,o,34)^g.rotrBL(n,o,39),T=n&i^n&a^i&a,_t=o&c^o&s^c&s;q=I|0,F=L|0,I=A|0,L=v|0,A=h|0,v=p|0,{h,l:p}=g.add(u|0,f|0,O|0,z|0),u=a|0,f=s|0,a=i|0,s=c|0,i=n|0,c=o|0;let 
ct=g.add3L(z,V,_t);n=g.add3H(ct,O,R,T),o=ct|0}({h:n,l:o}=g.add(this.Ah|0,this.Al|0,n|0,o|0)),{h:i,l:c}=g.add(this.Bh|0,this.Bl|0,i|0,c|0),{h:a,l:s}=g.add(this.Ch|0,this.Cl|0,a|0,s|0),{h:u,l:f}=g.add(this.Dh|0,this.Dl|0,u|0,f|0),{h,l:p}=g.add(this.Eh|0,this.El|0,h|0,p|0),{h:A,l:v}=g.add(this.Fh|0,this.Fl|0,A|0,v|0),{h:I,l:L}=g.add(this.Gh|0,this.Gl|0,I|0,L|0),{h:q,l:F}=g.add(this.Hh|0,this.Hl|0,q|0,F|0),this.set(n,o,i,c,a,s,u,f,h,p,A,v,I,L,q,F)}roundClean(){ht.fill(0),dt.fill(0)}destroy(){this.buffer.fill(0),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}},xe=class extends Et{constructor(){super(),this.Ah=-1942145080,this.Al=424955298,this.Bh=1944164710,this.Bl=-1982016298,this.Ch=502970286,this.Cl=855612546,this.Dh=1738396948,this.Dl=1479516111,this.Eh=258812777,this.El=2077511080,this.Fh=2011393907,this.Fl=79989058,this.Gh=1067287976,this.Gl=1780299464,this.Hh=286451373,this.Hl=-1848208735,this.outputLen=28}},pe=class extends Et{constructor(){super(),this.Ah=573645204,this.Al=-64227540,this.Bh=-1621794909,this.Bl=-934517566,this.Ch=596883563,this.Cl=1867755857,this.Dh=-1774684391,this.Dl=1497426621,this.Eh=-1775747358,this.El=-1467023389,this.Fh=-1101128155,this.Fl=1401305490,this.Gh=721525244,this.Gl=746961066,this.Hh=246885852,this.Hl=-2117784414,this.outputLen=32}},be=class extends Et{constructor(){super(),this.Ah=-876896931,this.Al=-1056596264,this.Bh=1654270250,this.Bl=914150663,this.Ch=-1856437926,this.Cl=812702999,this.Dh=355462360,this.Dl=-150054599,this.Eh=1731405415,this.El=-4191439,this.Fh=-1900787065,this.Fl=1750603025,this.Gh=-619958771,this.Gl=1694076839,this.Hh=1203062813,this.Hl=-1090891868,this.outputLen=48}},ye=ft(()=>new Et),Io=ft(()=>new xe),Uo=ft(()=>new pe),Po=ft(()=>new be);var Ko=BigInt(0),hn=BigInt(1),dn=BigInt(2),Qt=e=>e instanceof Uint8Array,xn=Array.from({length:256},(e,t)=>t.toString(16).padStart(2,"0"));function vt(e){if(!Qt(e))throw new Error("Uint8Array expected");let t="";for(let r=0;rn+o.length,0)),r=0;return 
e.forEach(n=>{if(!Qt(n))throw new Error("Uint8Array expected");t.set(n,r),r+=n.length}),t}var Je=e=>(dn<typeof e=="bigint",function:e=>typeof e=="function",boolean:e=>typeof e=="boolean",string:e=>typeof e=="string",isSafeInteger:e=>Number.isSafeInteger(e),array:e=>Array.isArray(e),field:(e,t)=>t.Fp.isValid(e),hash:e=>typeof e=="function"&&Number.isSafeInteger(e.outputLen)};function it(e,t,r={}){let n=(o,i,c)=>{let a=pn[i];if(typeof a!="function")throw new Error(`Invalid validator "${i}", expected function`);let s=e[o];if(!(c&&s===void 0)&&!a(s,e))throw new Error(`Invalid param ${String(o)}=${s} (${typeof s}), expected ${i}`)};for(let[o,i]of Object.entries(t))n(o,i,!1);for(let[o,i]of Object.entries(r))n(o,i,!0);return e}var C=BigInt(0),k=BigInt(1),pt=BigInt(2),yn=BigInt(3),me=BigInt(4),tr=BigInt(5),er=BigInt(8),wn=BigInt(9),gn=BigInt(16);function H(e,t){let r=e%t;return r>=C?r:t+r}function Ee(e,t,r){if(r<=C||t 0");if(r===k)return C;let n=k;for(;t>C;)t&k&&(n=n*e%r),e=e*e%r,t>>=k;return n}function $(e,t,r){let n=e;for(;t-- >C;)n*=n,n%=r;return n}function rr(e,t){if(e===C||t<=C)throw new Error(`invert: expected positive integers, got n=${e} mod=${t}`);let r=H(e,t),n=t,o=C,i=k,c=k,a=C;for(;r!==C;){let u=n/r,f=n%r,h=o-c*u,p=i-a*u;n=r,r=f,o=c,i=a,c=h,a=p}if(n!==k)throw new Error("invert: does not exist");return H(o,t)}function mn(e){let t=(e-k)/pt,r,n,o;for(r=e-k,n=0;r%pt===C;r/=pt,n++);for(o=pt;o(H(e,t)&k)===k,_n=["create","isValid","is0","neg","inv","sqrt","sqr","eql","add","sub","mul","pow","div","addN","subN","mulN","sqrN"];function or(e){let t={ORDER:"bigint",MASK:"bigint",BYTES:"isSafeInteger",BITS:"isSafeInteger"},r=_n.reduce((n,o)=>(n[o]="function",n),t);return it(e,r)}function Bn(e,t,r){if(r 0");if(r===C)return e.ONE;if(r===k)return t;let n=e.ONE,o=t;for(;r>C;)r&k&&(n=e.mul(n,o)),o=e.sqr(o),r>>=k;return n}function An(e,t){let r=new Array(t.length),n=t.reduce((i,c,a)=>e.is0(c)?i:(r[a]=i,e.mul(i,c)),e.ONE),o=e.inv(n);return 
t.reduceRight((i,c,a)=>e.is0(c)?i:(r[a]=e.mul(i,r[a]),e.mul(i,c)),o),r}function _e(e,t){let r=t!==void 0?t:e.toString(2).length,n=Math.ceil(r/8);return{nBitLength:r,nByteLength:n}}function ir(e,t,r=!1,n={}){if(e<=C)throw new Error(`Expected Fp ORDER > 0, got ${e}`);let{nBitLength:o,nByteLength:i}=_e(e,t);if(i>2048)throw new Error("Field lengths over 2048 bytes are not supported");let c=En(e),a=Object.freeze({ORDER:e,BITS:o,BYTES:i,MASK:Je(o),ZERO:C,ONE:k,create:s=>H(s,e),isValid:s=>{if(typeof s!="bigint")throw new Error(`Invalid field element: expected bigint, got ${typeof s}`);return C<=s&&ss===C,isOdd:s=>(s&k)===k,neg:s=>H(-s,e),eql:(s,u)=>s===u,sqr:s=>H(s*s,e),add:(s,u)=>H(s+u,e),sub:(s,u)=>H(s-u,e),mul:(s,u)=>H(s*u,e),pow:(s,u)=>Bn(a,s,u),div:(s,u)=>H(s*rr(u,e),e),sqrN:s=>s*s,addN:(s,u)=>s+u,subN:(s,u)=>s-u,mulN:(s,u)=>s*u,inv:s=>rr(s,e),sqrt:n.sqrt||(s=>c(a,s)),invertBatch:s=>An(a,s),cmov:(s,u,f)=>f?u:s,toBytes:s=>r?xt(s,i):ge(s,i),fromBytes:s=>{if(s.length!==i)throw new Error(`Fp.fromBytes: expected ${i}, got ${s.length}`);return r?J(s):we(s)}});return Object.freeze(a)}function sr(e,t){if(!e.isOdd)throw new Error("Field doesn't have isOdd");let r=e.sqrt(t);return e.isOdd(r)?e.neg(r):r}var Sn=BigInt(0),Be=BigInt(1);function cr(e,t){let r=(o,i)=>{let c=i.negate();return o?c:i},n=o=>{let i=Math.ceil(t/o)+1,c=2**(o-1);return{windows:i,windowSize:c}};return{constTimeNegate:r,unsafeLadder(o,i){let c=e.ZERO,a=o;for(;i>Sn;)i&Be&&(c=c.add(a)),a=a.double(),i>>=Be;return c},precomputeWindow(o,i){let{windows:c,windowSize:a}=n(i),s=[],u=o,f=u;for(let h=0;h>=A,L>s&&(L-=p,c+=Be);let q=I,F=I+Math.abs(L)-1,d=v%2!==0,m=L<0;L===0?f=f.add(r(d,i[q])):u=u.add(r(m,i[F]))}return{p:u,f}},wNAFCached(o,i,c,a){let s=o._WINDOW_SIZE||1,u=i.get(o);return u||(u=this.precomputeWindow(o,s),s!==1&&i.set(o,a(u))),this.wNAF(s,u,c)}}}function ar(e){return 
or(e.Fp),it(e,{n:"bigint",h:"bigint",Gx:"field",Gy:"field"},{nBitLength:"isSafeInteger",nByteLength:"isSafeInteger"}),Object.freeze({..._e(e.n,e.nBitLength),...e,p:e.Fp.ORDER})}var W=BigInt(0),Z=BigInt(1),te=BigInt(2),Ln=BigInt(8),vn={zip215:!0};function In(e){let t=ar(e);return it(e,{hash:"function",a:"bigint",d:"bigint",randomBytes:"function"},{adjustScalarBytes:"function",domain:"function",uvRatio:"function",mapToCurve:"function"}),Object.freeze({...t})}function ee(e){let t=In(e),{Fp:r,n,prehash:o,hash:i,randomBytes:c,nByteLength:a,h:s}=t,u=te<{try{return{isValid:!0,value:r.sqrt(x*r.inv(l))}}catch{return{isValid:!1,value:W}}}),p=t.adjustScalarBytes||(x=>x),A=t.domain||((x,l,b)=>{if(l.length||b)throw new Error("Contexts/pre-hash are not supported");return x}),v=x=>typeof x=="bigint"&&Wv(x)&&v(l)&&xx===W||I(x,u);function q(x,l){if(I(x,l))return x;throw new Error(`Expected valid scalar < ${l}, got ${typeof x} ${x}`)}function F(x){return x===W?x:q(x,n)}let d=new Map;function m(x){if(!(x instanceof y))throw new Error("ExtendedPoint expected")}class y{constructor(l,b,w,E){if(this.ex=l,this.ey=b,this.ez=w,this.et=E,!L(l))throw new Error("x required");if(!L(b))throw new Error("y required");if(!L(w))throw new Error("z required");if(!L(E))throw new Error("t required")}get x(){return this.toAffine().x}get y(){return this.toAffine().y}static fromAffine(l){if(l instanceof y)throw new Error("extended point not allowed");let{x:b,y:w}=l||{};if(!L(b)||!L(w))throw new Error("invalid affine point");return new y(b,w,Z,f(b*w))}static normalizeZ(l){let b=r.invertBatch(l.map(w=>w.ez));return l.map((w,E)=>w.toAffine(b[E])).map(y.fromAffine)}_setWindowSize(l){this._WINDOW_SIZE=l,d.delete(this)}assertValidity(){let{a:l,d:b}=t;if(this.is0())throw new Error("bad point: ZERO");let{ex:w,ey:E,ez:_,et:S}=this,P=f(w*w),B=f(E*E),U=f(_*_),D=f(U*U),M=f(P*l),Q=f(U*f(M+B)),G=f(D+f(b*f(P*B)));if(Q!==G)throw new Error("bad point: equation left != right (1)");let at=f(w*E),et=f(_*S);if(at!==et)throw 
new Error("bad point: equation left != right (2)")}equals(l){m(l);let{ex:b,ey:w,ez:E}=this,{ex:_,ey:S,ez:P}=l,B=f(b*P),U=f(_*E),D=f(w*P),M=f(S*E);return B===U&&D===M}is0(){return this.equals(y.ZERO)}negate(){return new y(f(-this.ex),this.ey,this.ez,f(-this.et))}double(){let{a:l}=t,{ex:b,ey:w,ez:E}=this,_=f(b*b),S=f(w*w),P=f(te*f(E*E)),B=f(l*_),U=b+w,D=f(f(U*U)-_-S),M=B+S,Q=M-P,G=B-S,at=f(D*Q),et=f(M*G),Kt=f(D*G),kt=f(Q*M);return new y(at,et,kt,Kt)}add(l){m(l);let{a:b,d:w}=t,{ex:E,ey:_,ez:S,et:P}=this,{ex:B,ey:U,ez:D,et:M}=l;if(b===BigInt(-1)){let He=f((_-E)*(U+B)),Ke=f((_+E)*(U-B)),ne=f(Ke-He);if(ne===W)return this.double();let ke=f(S*te*M),Oe=f(P*te*D),Te=Oe+ke,Ce=Ke+He,Ne=Oe-ke,Er=f(Te*ne),_r=f(Ce*Ne),Br=f(Te*Ne),Ar=f(ne*Ce);return new y(Er,_r,Ar,Br)}let Q=f(E*B),G=f(_*U),at=f(P*w*M),et=f(S*D),Kt=f((E+_)*(B+U)-Q-G),kt=et-at,Ue=et+at,Pe=f(G-b*Q),yr=f(Kt*kt),wr=f(Ue*Pe),gr=f(Kt*Pe),mr=f(kt*Ue);return new y(yr,wr,mr,gr)}subtract(l){return this.add(l.negate())}wNAF(l){return K.wNAFCached(this,d,l,y.normalizeZ)}multiply(l){let{p:b,f:w}=this.wNAF(q(l,n));return y.normalizeZ([b,w])[0]}multiplyUnsafe(l){let b=F(l);return b===W?Y:this.equals(Y)||b===Z?this:this.equals(N)?this.wNAF(b).p:K.unsafeLadder(this,b)}isSmallOrder(){return this.multiplyUnsafe(s).is0()}isTorsionFree(){return K.unsafeLadder(this,n).is0()}toAffine(l){let{ex:b,ey:w,ez:E}=this,_=this.is0();l==null&&(l=_?Ln:r.inv(E));let S=f(b*l),P=f(w*l),B=f(E*l);if(_)return{x:W,y:Z};if(B!==Z)throw new Error("invZ was invalid");return{x:S,y:P}}clearCofactor(){let{h:l}=t;return l===Z?this:this.multiplyUnsafe(l)}static fromHex(l,b=!1){let{d:w,a:E}=t,_=r.BYTES;l=j("pointHex",l,_);let S=l.slice(),P=l[_-1];S[_-1]=P&-129;let B=J(S);B===W||(b?q(B,u):q(B,r.ORDER));let U=f(B*B),D=f(U-Z),M=f(w*U-E),{isValid:Q,value:G}=h(D,M);if(!Q)throw new Error("Point.fromHex: invalid y coordinate");let at=(G&Z)===Z,et=(P&128)!==0;if(!b&&G===W&&et)throw new Error("Point.fromHex: x=0 and x_0=1");return 
et!==at&&(G=f(-G)),y.fromAffine({x:G,y:B})}static fromPrivateKey(l){return R(l).point}toRawBytes(){let{x:l,y:b}=this.toAffine(),w=xt(b,r.BYTES);return w[w.length-1]|=l&Z?128:0,w}toHex(){return vt(this.toRawBytes())}}y.BASE=new y(t.Gx,t.Gy,Z,f(t.Gx*t.Gy)),y.ZERO=new y(W,Z,Z,W);let{BASE:N,ZERO:Y}=y,K=cr(y,a*8);function O(x){return H(x,n)}function z(x){return O(J(x))}function R(x){let l=a;x=j("private key",x,l);let b=j("hashed private key",i(x),2*l),w=p(b.slice(0,l)),E=b.slice(l,2*l),_=z(w),S=N.multiply(_),P=S.toRawBytes();return{head:w,prefix:E,scalar:_,point:S,pointBytes:P}}function V(x){return R(x).pointBytes}function T(x=new Uint8Array,...l){let b=Jt(...l);return z(i(A(b,j("context",x),!!o)))}function _t(x,l,b={}){x=j("message",x),o&&(x=o(x));let{prefix:w,scalar:E,pointBytes:_}=R(l),S=T(b.context,w,x),P=N.multiply(S).toRawBytes(),B=T(b.context,P,_,x),U=O(S+B*E);F(U);let D=Jt(P,xt(U,r.BYTES));return j("result",D,a*2)}let ct=vn;function Pt(x,l,b,w=ct){let{context:E,zip215:_}=w,S=r.BYTES;x=j("signature",x,2*S),l=j("message",l),o&&(l=o(l));let P=J(x.slice(S,2*S)),B,U,D;try{B=y.fromHex(b,_),U=y.fromHex(x.slice(0,S),_),D=N.multiplyUnsafe(P)}catch{return!1}if(!_&&B.isSmallOrder())return!1;let M=T(E,U.toRawBytes(),B.toRawBytes(),l);return U.add(B.multiplyUnsafe(M)).subtract(D).clearCofactor().equals(y.ZERO)}return N._setWindowSize(8),{CURVE:t,getPublicKey:V,sign:_t,verify:Pt,ExtendedPoint:y,utils:{getExtendedPublicKey:R,randomPrivateKey:()=>c(r.BYTES),precompute(x=8,l=y.BASE){return l._setWindowSize(x),l.multiply(BigInt(3)),l}}}}var It=BigInt(0),Ae=BigInt(1);function Un(e){return it(e,{a:"bigint"},{montgomeryBits:"isSafeInteger",nByteLength:"isSafeInteger",adjustScalarBytes:"function",domain:"function",powPminus2:"function",Gu:"bigint"}),Object.freeze({...e})}function fr(e){let t=Un(e),{P:r}=t,n=d=>H(d,r),o=t.montgomeryBits,i=Math.ceil(o/8),c=t.nByteLength,a=t.adjustScalarBytes||(d=>d),s=t.powPminus2||(d=>Ee(d,r-BigInt(2),r));function u(d,m,y){let N=n(d*(m-y));return 
m=n(m-N),y=n(y+N),[m,y]}function f(d){if(typeof d=="bigint"&&It<=d&&d=It;ct--){let Pt=N>>ct&Ae;V^=Pt,T=u(V,K,z),K=T[0],z=T[1],T=u(V,O,R),O=T[0],R=T[1],V=Pt;let Ht=K+O,x=n(Ht*Ht),l=K-O,b=n(l*l),w=x-b,E=z+R,_=z-R,S=n(_*Ht),P=n(E*l),B=S+P,U=S-P;z=n(B*B),R=n(Y*n(U*U)),K=n(x*b),O=n(w*(x+n(h*w)))}T=u(V,K,z),K=T[0],z=T[1],T=u(V,O,R),O=T[0],R=T[1];let _t=s(O);return n(K*_t)}function A(d){return xt(n(d),i)}function v(d){let m=j("u coordinate",d,i);return c===i&&(m[c-1]&=127),J(m)}function I(d){let m=j("scalar",d);if(m.length!==i&&m.length!==c)throw new Error(`Expected ${i} or ${c} bytes, got ${m.length}`);return J(a(m))}function L(d,m){let y=v(m),N=I(d),Y=p(y,N);if(Y===It)throw new Error("Invalid private or public key received");return A(Y)}let q=A(t.Gu);function F(d){return L(d,q)}return{scalarMult:L,scalarMultBase:F,getSharedSecret:(d,m)=>L(d,m),getPublicKey:d=>F(d),utils:{randomPrivateKey:()=>t.randomBytes(t.nByteLength)},GuBytes:q}}var Ut=BigInt("57896044618658097711785492504343953926634992332820282019728792003956564819949"),ur=BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752"),ii=BigInt(0),Pn=BigInt(1),Se=BigInt(2),Hn=BigInt(5),lr=BigInt(10),Kn=BigInt(20),kn=BigInt(40),hr=BigInt(80);function dr(e){let t=Ut,n=e*e%t*e%t,o=$(n,Se,t)*n%t,i=$(o,Pn,t)*e%t,c=$(i,Hn,t)*i%t,a=$(c,lr,t)*c%t,s=$(a,Kn,t)*a%t,u=$(s,kn,t)*s%t,f=$(u,hr,t)*u%t,h=$(f,hr,t)*u%t,p=$(h,lr,t)*c%t;return{pow_p_5_8:$(p,Se,t)*e%t,b2:n}}function xr(e){return e[0]&=248,e[31]&=127,e[31]|=64,e}function On(e,t){let r=Ut,n=H(t*t*t,r),o=H(n*n*t,r),i=dr(e*o).pow_p_5_8,c=H(e*n*i,r),a=H(t*c*c,r),s=c,u=H(c*ur,r),f=a===e,h=a===H(-e,r),p=a===H(-e*ur,r);return f&&(c=s),(h||p)&&(c=u),nr(c,r)&&(c=H(-c,r)),{isValid:f||h,value:c}}var st=ir(Ut,void 
0,!0),Le={a:BigInt(-1),d:BigInt("37095705934669439343138083508754565189542113879843219016388785533085940283555"),Fp:st,n:BigInt("7237005577332262213973186563042994240857116359379907606001950938285454250989"),h:BigInt(8),Gx:BigInt("15112221349535400772501151409588531511454012693041857206046113283949847762202"),Gy:BigInt("46316835694926478169428394003475163141307993866256225615783033603165251855960"),hash:ye,randomBytes:ce,adjustScalarBytes:xr,uvRatio:On},pr=ee(Le);function br(e,t,r){if(t.length>255)throw new Error("Context is too big");return qe(se("SigEd25519 no Ed25519 collisions"),new Uint8Array([r?1:0,t.length]),t,e)}var si=ee({...Le,domain:br}),ci=ee({...Le,domain:br,prehash:ye}),ve=(()=>fr({P:Ut,a:BigInt(486662),montgomeryBits:255,nByteLength:32,Gu:BigInt(9),powPminus2:e=>{let t=Ut,{pow_p_5_8:r,b2:n}=dr(e);return H($(r,BigInt(3),t)*n,t)},adjustScalarBytes:xr,randomBytes:ce}))();var Tn=(st.ORDER+BigInt(3))/BigInt(8),ai=st.pow(Se,Tn),fi=st.sqrt(st.neg(st.ONE)),ui=(st.ORDER-BigInt(5))/BigInt(8),li=BigInt(486662);var hi=sr(st,st.neg(BigInt(486664)));var di=BigInt("25063068953384623474111414158702152701244531502492656460079210482610430750235"),xi=BigInt("54469307008909316920995813868745141605393597292927456921205312896311721017578"),pi=BigInt("1159843021668779879193775521855586647937357759715417654439879720876111806838"),bi=BigInt("40440834346308536858101042469323190826248399146238708352240133220865137265952");var yi=BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");var tt=class{constructor(t,r,n){Object.defineProperty(this,"key",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"type",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"extractable",{enumerable:!0,configurable:!0,writable:!0,value:!0}),Object.defineProperty(this,"algorithm",{enumerable:!0,configurable:!0,writable:!0,value:void 
0}),Object.defineProperty(this,"usages",{enumerable:!0,configurable:!0,writable:!0,value:Dt}),this.key=r,this.type=n,this.algorithm={name:t},n==="public"&&(this.usages=[])}};var bt="X25519",re=class extends gt{constructor(t){super(),Object.defineProperty(this,"_hkdf",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_nPk",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"_nSk",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this._hkdf=t,this._nPk=32,this._nSk=32}async serializePublicKey(t){return await this._serializePublicKey(t)}async deserializePublicKey(t){return await this._deserializePublicKey(t)}async importKey(t,r,n){if(t==="raw")return await this._importRawKey(r,n);if(r instanceof ArrayBuffer)throw new Error("Invalid jwk key format");return await this._importJWK(r,n)}async derivePublicKey(t){return await this._derivePublicKey(t)}async generateKeyPair(){let t=pr.utils.randomPrivateKey(),r=new tt(bt,t,"private");return{publicKey:await this.derivePublicKey(r),privateKey:r}}async deriveKeyPair(t){let r=await this._hkdf.labeledExtract(nt,Ge,new Uint8Array(t)),n=await this._hkdf.labeledExpand(r,Ve,nt,this._nSk),o=new tt(bt,new Uint8Array(n),"private");return{privateKey:o,publicKey:await this.derivePublicKey(o)}}async dh(t,r){return await this._dh(t,r)}_serializePublicKey(t){return new Promise(r=>{r(t.key.buffer)})}_deserializePublicKey(t){return new Promise((r,n)=>{t.byteLength!==this._nPk?n(new Error("Invalid public key for the ciphersuite")):r(new tt(bt,new Uint8Array(t),"public"))})}_importRawKey(t,r){return new Promise((n,o)=>{r&&t.byteLength!==this._nPk&&o(new Error("Invalid public key for the ciphersuite")),!r&&t.byteLength!==this._nSk&&o(new Error("Invalid private key for the ciphersuite")),n(new tt(bt,new Uint8Array(t),r?"public":"private"))})}_importJWK(t,r){return new Promise((n,o)=>{(typeof t.kty>"u"||t.kty!=="OKP")&&o(new Error(`Invalid kty: ${t.kty}`)),(typeof 
t.crv>"u"||t.crv!=="X25519")&&o(new Error(`Invalid crv: ${t.crv}`)),r?(typeof t.d<"u"&&o(new Error("Invalid key: `d` should not be set")),typeof t.x>"u"&&o(new Error("Invalid key: `x` not found")),n(new tt(bt,he(t.x),"public"))):(typeof t.d!="string"&&o(new Error("Invalid key: `d` not found")),n(new tt(bt,he(t.d),"private")))})}_derivePublicKey(t){return new Promise(r=>{let n=ve.getPublicKey(t.key);r(new tt(bt,n,"public"))})}_dh(t,r){return new Promise((n,o)=>{try{n(ve.getSharedSecret(t.key,r.key).buffer)}catch(i){o(i)}})}};var Ie=class extends Xt{constructor(){let t=new Yt,r=new re(t);super(r,t),Object.defineProperty(this,"id",{enumerable:!0,configurable:!0,writable:!0,value:Ot.DhkemX25519HkdfSha256}),Object.defineProperty(this,"secretSize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"encSize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"publicKeySize",{enumerable:!0,configurable:!0,writable:!0,value:32}),Object.defineProperty(this,"privateKeySize",{enumerable:!0,configurable:!0,writable:!0,value:32})}};export{Ie as DhkemX25519HkdfSha256}; +/*! Bundled license information: + +@noble/hashes/esm/utils.js: + (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/abstract/utils.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/abstract/modular.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/abstract/curve.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/abstract/edwards.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/abstract/montgomery.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) + +@noble/curves/esm/ed25519.js: + (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) +*/