test suite - xero/leviathan-crypto GitHub Wiki
Describes the unit and e2e test inventory, gate structure, and the complete vector corpus with source provenance for all 2107 tests.
| Type | Runner | Tests | Status |
|---|---|---|---|
| Unit | Vitest | 1813 | All pass |
| e2e | Playwright | 294 (98 tests × 3 browsers) | All pass |
| Total | 2107 | All pass |
| File | Description | Vectors / Tests | Gate |
|---|---|---|---|
init.test.ts |
init() API: error-before-init (serpent, sha3, keccak), unknown module rejection, embedded (single, multiple, all four modules), ArrayBuffer source, idempotent, partial init isolation, keccak alias (init, shared instance, cross-name, idempotent, both names, subpath init, embedded re-export), WASM getModuleId() exports (modules 0–3) |
18 tests | — |
init/exclusivity.test.ts |
Per-module exclusivity guard for stateful classes. sha3 (SHAKE128/256, reset() keeps token, atomic SHA3_256 blocked), chacha20 (ChaCha20, atomic Poly1305/ChaCha20Poly1305/XChaCha20Poly1305 blocked), serpent (SerpentCtr/SerpentCbc, atomic Serpent blocked, SerpentCipher via Seal blocked), cross-module independence, idempotent dispose, shared-state clobber reproducer, post-dispose method-call guards (SHAKE128/256 reset/absorb/squeeze/hash, ChaCha20 beginEncrypt/encryptChunk, SerpentCtr, SerpentCbc encrypt/decrypt), disposed-instance-does-not-clobber-new-instance, kyber ↔ sha3 interleave (SHAKE128 blocks MlKem768 keygen/encapsulate/decapsulate/checkEncapsulationKey via assertNotOwned, atomic ops do not persist token, MlKemBase.dispose() preserves live SHAKE128 state) | 45 tests | — |
init/init-race.test.ts |
Concurrent initModule calls coalesce via the pending-promise cache (2-way reference equality, single compile, sequential init after concurrent is a no-op); _resetForTesting clears instances, owners, and pending maps |
6 tests | — |
init/atomic-defense.test.ts |
Per-method _assertNotOwned guard on atomic WASM-touching methods. sha3 (SHA3_256/512/384/224.hash blocked by SHAKE128), chacha20 (Poly1305.mac, ChaCha20Poly1305 encrypt/decrypt, XChaCha20Poly1305 encrypt/decrypt, XChaCha20Cipher.sealChunk via Seal.encrypt blocked by ChaCha20), serpent (Serpent.loadKey/encryptBlock/decryptBlock blocked by SerpentCtr), sha2 simulated (SHA256/512/384.hash + HMAC_SHA256/512/384.hash + dispose blocked by _acquireModule), HKDF indirection via HMAC |
26 tests | — |
init/internal-api-stripped.test.ts |
@internal-tagged init exports (_resetForTesting, _acquireModule, _releaseModule, _isModuleBusy, _assertNotOwned) are absent from dist/init.d.ts. Root-barrel leakage check (dist/index.d.ts, dist/index.js) and Fortuna class (dist/fortuna.d.ts). Public _<module>Ready probes survive. Gated on dist files existing — skipped in sessions without bun bake. |
10 tests | — |
errors.test.ts |
AuthenticationError: constructor, message format, prototype chain, instanceof |
5 tests | — |
utils.test.ts |
hex (odd-length throw), utf8, base64 (url-safe unpadded), constantTimeEqual, wipe, xor, variadic concat, randomBytes
|
37 tests | — |
loader/wasm_source.test.ts |
WasmSource loading: all 7 source types (embedded string, URL, ArrayBuffer, Uint8Array, WebAssembly.Module, Response, Promise<Response>), invalid inputs (null, number, empty string, corrupt base64, truncated ArrayBuffer), double-init idempotency |
14 tests | — |
loader/thenable-dispatch.test.ts |
Loader thenable dispatch: Promise<Response> / Promise<ArrayBuffer> / Promise<Uint8Array> / Promise<string> resolve and re-dispatch by runtime type; nested native Promise.resolve chains collapse during await; depth-4 seeded recursion trips thenable nesting too deep (max 3)
|
6 tests | — |
ct/compare-branch-free.test.ts |
constantTimeEqual SIMD branch-free implementation: equal/diff inputs across length sweep (0, 1, 15..33, …), single-bit difference at every position, length-mismatch returns false, prefix attack returns false |
20 tests | — |
ct/module-shape.test.ts |
ct.wasm invariants: imports nothing, exports a memory of kind memory sized at 1 page, exports a compare function |
3 tests | — |
serpent/serpent_sbox.test.ts |
S-box table entries (serpent_ecb_tbl.txt) |
1536 vectors, 2 tests | Gate 1 |
serpent/serpent_iv.test.ts |
Key schedule intermediate values (serpent_ecb_iv.txt) |
3 key sizes, 2 tests | Gate 2 |
serpent/serpent_kat.test.ts |
KAT variable-text + variable-key (serpent_ecb_vt/vk.txt) |
960 vectors, 6 tests | — |
serpent/serpent_nessie128.test.ts |
NESSIE 128-bit vectors | 1028 vectors, 3 tests | — |
serpent/serpent_nessie192.test.ts |
NESSIE 192-bit vectors | 1156 vectors, 3 tests | — |
serpent/serpent_nessie256.test.ts |
NESSIE 256-bit vectors | 1284 vectors, 3 tests | — |
serpent/serpent_ctr.test.ts |
CTR mode cases A–E | 5 tests | — |
serpent/serpent_wipe.test.ts |
wipeBuffers() verification |
1 test | — |
serpent/serpent.test.ts |
SerpentCbc/SerpentCtr dangerUnauthenticated gate |
4 tests | — |
serpent/serpent_cbc.test.ts |
CBC PKCS7 padding lengths (0–17B), round-trips (single/partial/four blocks, 65536B/65537B chunk-boundary, empty), invalid padding rejection (tamper, bad length, empty, zero-byte), IV sensitivity, CBC chaining verification, WASM chunk boundary (CHUNK_SIZE encrypt/reject/roundtrip, overflow guard), parameter validation | 28 tests | — |
serpent/pkcs7-oracle.test.ts |
CT-safe PKCS7 padding: all failure modes throw the same generic error, error messages leak no numeric data, happy-path round-trip preserved, timing-invariance sweep, SerpentCipher HMAC-verifies before pkcs7Strip runs, pkcs7Strip correctness across padLen ∈ [1,16] and rejection of every out-of-range trailing byte |
398 tests | — |
serpent/exclusivity-preservation.test.ts |
Exclusivity-guard preservation across the higher-level wrappers: Seal.encrypt(SerpentCipher), Seal.decrypt(SerpentCipher), SealStream.push(SerpentCipher) all surface _assertNotOwned clearly when the serpent module is held by a stateful instance |
9 tests | — |
serpent/pool-shared-ops.test.ts |
Shared-ops module (worker bridge): cbcEncryptChunk and SIMD cbcDecryptChunk parity with main thread, pkcs7Strip branch-free padding check, hmacSha256 against RFC 4231, end-to-end pkcs7 round-trip against the shared-ops surface |
32 tests | — |
serpent/serpent_montecarlo.test.ts |
ECB Monte Carlo (1200 × 10000 enc + dec, serpent_ecb_e_m.txt / serpent_ecb_d_m.txt) |
2400 outer, 4 tests | — |
serpent/serpent_cbc_montecarlo.test.ts |
CBC Monte Carlo (1200 × 10000 enc + dec, serpent_cbc_e_m.txt / serpent_cbc_d_m.txt) |
2400 outer, 4 tests | — |
serpent/serpent_simd_gate.test.ts |
SIMD 4-wide ECB gate: byte-identical to scalar for two keys | 2 tests | GATE |
serpent/serpent_simd_ctr.test.ts |
SIMD CTR cross-check: cases A–E, SIMD output matches scalar byte-for-byte | 5 tests | — |
serpent/serpent_simd_cbc.test.ts |
SIMD CBC decrypt cross-check: 1–12 block sweep + 4KB/16KB/64KB, SIMD matches scalar | 15 tests | — |
serpent/serpent_simd_cbc_gate.test.ts |
SIMD CBC decrypt gate: inner loop, scalar tail, multi-iteration, chaining continuity across chunk boundaries | 6 tests | GATE |
chacha20/chacha20.test.ts |
ChaCha20 block + encryption + round-trips | 6 tests | Gate 3 |
chacha20/chacha20_simd_4x_gate.test.ts |
4-wide inter-block SIMD: byte-identical to scalar for 192/256/320/512/337 bytes | 5 tests | GATE |
chacha20/chacha20_simd.test.ts |
SIMD cross-check: RFC §2.4.2 vector + size sweep (64–65536B) + round-trip | 11 tests | — |
chacha20/poly1305.test.ts |
Poly1305 MAC vectors (§2.5.2, §2.6.2, A.3 #1–#6) | 9 tests | Gate 4 |
chacha20/chacha20poly1305.test.ts |
ChaCha20-Poly1305 AEAD (§2.8.2, round-trips, tamper, validation) | 26 tests | Gate 5 |
chacha20/xchacha20.test.ts |
XChaCha20-Poly1305 (HChaCha20, §A.3.2, round-trips, tamper, validation) | 19 tests | Gate 6 |
chacha20/single-use-guard.test.ts |
Strict single-use guard on ChaCha20Poly1305.encrypt() and XChaCha20Poly1305.encrypt(): happy path locks after one call; crypto-path throw locks; validation throws on key/nonce length ALSO lock — every retry on a used instance surfaces the single-use error |
8 tests | — |
chacha20/aead-decrypt-wipe.test.ts |
ChaCha20Poly1305.decrypt wipe-on-auth-failure: CHUNK_CT region zeroed, CHACHA_BLOCK_BUFFER zeroed, POLY_KEY_BUFFER zeroed (regression for residual key bytes after tamper) |
3 tests | — |
sha2/sha256.test.ts |
SHA-256 vectors, streaming, wipeBuffers, leviathan cross-check |
11 tests | Gate 3 |
sha2/sha512.test.ts |
SHA-512, SHA-384 vectors, streaming, leviathan cross-check | 14 tests | Gate 4 |
sha2/hmac.test.ts |
HMAC-SHA256/512/384 vectors (RFC 4231 TC1/TC2/TC6), leviathan cross-check | 14 tests | Gates 5, 6 |
sha2/hkdf.test.ts |
HKDF-SHA256 RFC 5869 A.1–A.3, HKDF-SHA512 generated vectors, extract/expand isolation, derive consistency, RangeError guards, salt defaults, dispose | 22 tests | Gate 8 |
sha3/sha3.test.ts |
SHA3-224/256/384/512, SHAKE128/256 (single + multi-block), incremental absorb/squeeze, state machine guards, dispose zeroes TS buffer, wipeBuffers, leviathan cross-check |
61 tests | Gate 7 |
sha3/shake_xof.test.ts |
SHAKE128/256 multi-squeeze KAT: rate-boundary crossing (MS-1–3, MS-5–7), byte-by-byte squeeze (MS-4, MS-8), reset after multi-squeeze (MS-9) | 10 tests | — |
kyber/poly_arithmetic.test.ts |
Gate-based WASM primitive tests: instantiation + buffer layout, Montgomery reduce, Barrett reduce, fqmul, zetas verification, NTT roundtrip, basemul commutativity, serialization roundtrip, compression bounds, message encode/decode, rejection sampling, CBD bounds, CT verify/cmov | 47 tests | Gates 1–6 |
kyber/ntt_simd_gate.test.ts |
SIMD NTT/poly gate: ntt_simd byte-identical to ntt_scalar (100 random polys), invntt_simd byte-identical to invntt_scalar (100 random polys), roundtrip identity, poly_add/sub/reduce match scalar semantics, poly_ntt/invntt match |
11 tests | Gates 1–2 |
kyber/mlkem.test.ts |
ML-KEM ACVP validation: init system wiring, IND-CPA keygen (all 3 param sets), encapsulation, valid decapsulation, implicit rejection, encapsulation-key validation, decapsulation-key validation, round-trip property, implicit-rejection property. 240 NIST ACVP vectors | 332 tests | Gates 0–9 |
kyber/kyber_suite.test.ts |
KyberSuite integration: all 6 parameter pairings (MlKem512/768/1024 × XChaCha20/Serpent), param-set key-size invariants, error cases (mismatched ek/dk, wrong cipher key, post-dispose use) |
47 tests | — |
kyber/keygen-scratch-wipe.test.ts |
kemKeypairDerand — scratch slots wiped after keygen across all parameter sets |
6 tests | — |
kyber/encap-scratch-wipe.test.ts |
kemEncapsulateDerand — scratch slots wiped after encap across all parameter sets |
8 tests | — |
kyber/decap-scratch-wipe.test.ts |
kemDecapsulate — scratch slots wiped after decap across all parameter sets (regression for residual sharedSecret/ciphertext bytes) |
9 tests | — |
kyber/sha3-scratch-wipe.test.ts |
sha3 scratch wiped after every public kyber op; belt-and-suspenders across param sets; checkDecapsulationKey length-gate early return does NOT need to reach the sha3 wipe |
9 tests | — |
ratchet/ratchet_kdf.test.ts |
ratchetInit KDF_SCKA_INIT (HKDF-SHA-256) + KDFChain: KAT vector sweep (6 sk/context combos), nextChainKey propagation, dispose guards, input guards (sk length, ck length, counter overflow), context-isolation, ratchetReady() and uninitialized-sha2 throws |
23 tests | GATE |
ratchet/kem_ratchet.test.ts |
kemRatchetEncap/kemRatchetDecap KDF_SCKA: ACVP-derived sharedSecret gate, kemCt length invariant, context isolation, direction symmetry (alice.send === bob.recv), round-trip nextRootKey match |
5 tests | GATE |
ratchet/kem-ratchet-info-binding.test.ts |
KEM-ratchet HKDF info-string binding: (peerEk, kemCt, context) defense-in-depth on top of FO transform; flipping any byte produces a different nextRootKey
|
5 tests | — |
ratchet/skipped_key_store.test.ts |
SkippedKeyStore: happy-path commit, rollback, rollback + legitimate delivery, wipeAll, resolve() argument validation, settle guards (double-settle throws, key access after settle throws), key lifecycle, split budgets (maxCacheSize, maxSkipPerResolve) |
25 tests | — |
ratchet/resolve-handle-dos-mitigation.test.ts |
DoS-mitigation: rollback() returns the key to the store under the same counter so a later legitimate delivery at that counter can still decrypt; bounded HKDF work via maxSkipPerResolve
|
2 tests | — |
ratchet/ratchet_keypair.test.ts |
RatchetKeypair: round-trip keygen/decap, single-use guard (second decap throws), dispose() is idempotent, context round-trip |
8 tests | — |
fortuna.test.ts |
Fortuna CSPRNG: Fortuna.create(), get() (always Uint8Array), entropy threshold, stop() disposes instance, SerpentCtr exclusivity coexistence, stop() exception-safety when serpent module is held by SerpentCtr (disposed flag set, key material wiped, throw surfaced). All tests run with SerpentGenerator + SHA256Hash to preserve historical coverage. |
11 tests | — |
fortuna/wipe-lifecycle.test.ts |
Wipe-before-reassign discipline in pseudoRandomData, reseed, addRandomEvent, and pool reset (4 tests); stop() wipes genKey + genCnt + every pool-hash chain and calls wipeBuffers() on every WASM module the chosen generator and hash touched (3 tests) |
7 tests | — |
fortuna/spec-conformance.test.ts |
Fortuna pool-selection conformance with Practical Cryptography §9.5.5: pool P_i consumed iff 2^i divides reseedCnt. Walks reseeds 1..16, asserts the consumed-pool set matches the divisibility rule per reseed. Includes pool 0 consumed on every reseed regression for the F-1 fix |
2 tests | — |
fortuna/pluggable-primitives.test.ts |
Fortuna (Generator, HashFn) combinations: 4 KAT round-trip groups (Serpent+SHA2, Serpent+SHA3, ChaCha20+SHA2, ChaCha20+SHA3) against fortuna_kat.ts vectors, size-mismatch validation, missing-arg validation, F-2 zero-entropy regression |
16 tests | Gate (cross-primitive plumbing) |
fortuna/generator-output-shape.test.ts |
SerpentGenerator and ChaCha20Generator output shape: result.length === buffer.byteLength === n for n ∈ {0, 1, 15, 16, 17, 30, 31, 32, …}; no extra keystream bytes beyond requested length |
26 tests | — |
fortuna/generator-hash-wipe.test.ts |
Per-call WASM-scratch wipe in SerpentGenerator.generate, ChaCha20Generator.generate, SHA256Hash.digest, and SHA3_256Hash.digest. Asserts the relevant key/input/output offsets in shared linear memory are zeroed after each call, so secret-derived bytes do not outlive the operation in the shared module |
4 tests | — |
stream/header.test.ts |
readHeader strict length (exact, short, long), writeHeader formatEnum range, makeCounterNonce safe-integer guards (0, MAX_SAFE_INTEGER, overflow, negative, fractional, NaN, Infinity) |
16 tests | — |
stream/sealstream.test.ts |
SealStream/OpenStream: round-trip, AAD, framed mode, authentication (tamper, reorder, replay), seek, TransformStream round-trip, empty-stream key wipe, state machine, dispose, chunk-size validation, key validation, _nonce validation, header chunkSize validation. Both XChaCha20 and Serpent ciphers. Cross-cipher rejection, CipherSuite contract verification, Serpent-specific key separation/IV determinism/counter binding |
99 tests | — |
stream/sealstream_kat.test.ts |
SealStream v2 KAT: pinned vectors for XChaCha20 (XC1, XC3, XCF1) and Serpent (SC1, SC3, SCF1), including framed variants. Header match, per-chunk ciphertext match, round-trip |
18 tests | — |
stream/seal.test.ts |
Seal symmetric round-trips (both ciphers), Seal blob is OpenStream-compatible, Seal._fromNonce determinism, error handling, CipherSuite new properties, regression for cipher keygen()
|
25 tests | — |
stream/seal_kat.test.ts |
Seal KAT pinned vectors: xc1 (XChaCha20, 100B), xc_empty (XChaCha20, empty), sc1 (Serpent, 100B), sc_empty (Serpent, empty) |
16 tests | — |
stream/seek-forward-only.test.ts |
OpenStream.seek forward-only: backward seeks throw RangeError with 'forward-only', indices above MAX_SAFE_INTEGER throw without mutating counter, fully validates before mutating |
9 tests | — |
stream/failed-state.test.ts |
'failed' terminal state: SealStream and OpenStream crypto-path throws (auth failure, WASM errors, cipher exceptions) wipe derived keys and lock the stream; subsequent ops and seek() throw 'failed'; dispose() on 'failed' is a no-op; argument-validation errors are NON-terminal (state stays 'ready') |
14 tests | — |
stream/pool.test.ts |
SealStreamPool: round-trip (both ciphers), auth failure, lifecycle (destroy, double-destroy, dead pool), key-material wipe (both ciphers), worker count, WASM loading variants, seal-twice guard, header validation (format mismatch, chunkSize mismatch, short ciphertext), KEM rejection |
54 tests | — |
stream/pool-byte-exact.test.ts |
SealStream output === SealStreamPool output for both ciphers across size sweep including 5 MB payload — proves single-thread ↔ pool wire-format byte-equivalence |
14 tests | — |
stream/pool-terminal-on-throw.test.ts |
SealStreamPool.seal() is uniformly terminal on any throw. Crypto-path failure (worker-side wipe via type: 'wipe' injection) and output-assembly failure (fake worker result with length === MAX_SAFE_INTEGER forces new Uint8Array(totalLen) RangeError) both route through _killAll: pool.dead flips true, _masterKey and _keys nulled, subsequent seal() throws "pool is dead" |
2 tests | — |
stream/pool-wipe-handshake.test.ts |
SealStreamPool wipe ACK handshake: master-thread waits for every worker to ACK its key wipe before resolving destroy() — guarantees no key bytes outlive the pool in any worker |
2 tests | — |
All tests run in three browsers: Chromium, Firefox, and WebKit.
| File | Description | Tests |
|---|---|---|
serpent_kat.spec.ts |
KAT vt (384) + vk (576) + decrypt (384) + S-box (1536) | 4 |
serpent_iv.spec.ts |
Intermediate values — final CT for 3 key sizes | 1 |
serpent_nessie.spec.ts |
NESSIE 256-bit (1284) + 128-bit (1028) | 2 |
serpent_ctr.spec.ts |
CTR mode cases A–E (parameterized over CTR_VECTORS) |
5 |
serpent_montecarlo.spec.ts |
ECB MC + CBC MC enc + CBC MC dec (50 outer × 10000 inner) | 3 |
chacha20.spec.ts |
ChaCha20 RFC §2.4.2 encryption + 128B round-trip | 2 |
chacha20_simd.spec.ts |
SIMD ChaCha20: 114B/256B/320B SIMD === scalar | 3 |
poly1305.spec.ts |
Poly1305 RFC §2.5.2 gate + wipeBuffers verification |
2 |
chacha20poly1305.spec.ts |
ChaCha20-Poly1305 RFC §2.8.2 sunscreen AEAD + round-trip | 2 |
xchacha20.spec.ts |
XChaCha20-Poly1305 draft §A.3.2 AEAD + round-trip | 2 |
sha256.spec.ts |
SHA-256 empty (Gate 3), "abc", streaming 4×64B | 3 |
sha512.spec.ts |
SHA-512 "abc" (Gate 4), SHA-384 "abc", streaming 4×128B | 3 |
hmac.spec.ts |
HMAC-SHA256 TC1 (Gate 5), HMAC-SHA512 TC6 (Gate 6), HMAC-SHA256 TC2 | 3 |
sha3.spec.ts |
SHA3-256 empty (Gate 7), SHA3-512 "abc", SHAKE128 empty/32B | 3 |
chacha20_simd_bench.spec.ts |
ChaCha20 SIMD throughput benchmark (256B, 16KB, 64KB) | 3 |
serpent_simd_cbc.spec.ts |
SIMD CBC decrypt round-trip (8-block + 5-block) | 2 |
serpent_simd_ctr.spec.ts |
SIMD CTR mode cases A–E (parameterized over CTR_VECTORS) |
5 |
serpent_simd_bench.spec.ts |
Serpent SIMD throughput benchmark (1KB, 16KB, 64KB) | 3 |
seal.spec.ts |
Seal round-trip (XChaCha20 + Serpent) + Seal.encrypt → OpenStream.finalize unified wire format (both ciphers) |
4 |
sealstream_kat.spec.ts |
SealStream KAT batch — XChaCha20 (XC1, XC3, XCF1) + Serpent (SC1, SC3, SCF1) |
2 |
pool.spec.ts |
SealStreamPool: XChaCha20 + Serpent round-trip (2 workers), pool seal → OpenStream open, large payload multi-worker, cross-instance seal/open (both ciphers), tampered ciphertext puts the pool in dead state |
7 |
pool_dispose.spec.ts |
Explicit destroy() during in-flight seal() and open() — both settle cleanly without leaving dangling worker promises |
2 |
serpent_large_pool.spec.ts |
SealStreamPool Serpent large-chunk: 256 KB (4 full chunks), 5 MB hash comparison, regression for pre-fix corruption (full chunks decrypt correctly, not just trailing partial) |
3 |
kyber_suite.spec.ts |
KyberSuite (MlKem768 + XChaCha20): Seal one-shot round-trip, SealStream/OpenStream streaming round-trip, preamble length (HEADER_SIZE + 1088B) |
3 |
loader.spec.ts |
WasmSource loader: all 7 source types (embedded, URL, ArrayBuffer, Uint8Array, WebAssembly.Module, Response, Promise<Response>) via init() + SHA3-256 FIPS 202 digest proof, plus regression that nested Promise.resolve(Promise.resolve(...)) wrapping doesn't false-positive trip the depth guard |
8 |
loader_csp.spec.ts |
All 7 WasmSource types under a strict Content-Security-Policy page (no unsafe-eval, no unsafe-inline) — proves none of the loader code paths require an eval-unfriendly compile route |
7 |
fortuna.spec.ts |
Fortuna CSPRNG: four (generator, hash) pair smoke (Serpent/ChaCha20 × SHA-256/SHA3-256), DOM entropy collector wiring (mouse + keyboard via Playwright synthesis), stop() listener removal (post-stop methods throw), SerpentCtr exclusivity coexistence, external entropy seed |
5 |
ratchet.spec.ts |
SPQR ratchet (MlKem768 + SerpentCipher + Seal): same-realm two-party 10-message round-trip, out-of-order delivery via SkippedKeyStore (5 messages reordered with ResolveHandle.commit/rollback), tamper + rollback preserves the key for legitimate retry |
3 |
worker_context.spec.ts |
Library functions inside a Web Worker: SHA-256 "abc" digest, Seal round-trip (XChaCha20), Fortuna with external entropy. Validates dynamic import(), init(), primitive use, and disposal all work cross-realm |
3 |
Note
E2E Monte Carlo tests use 50 outer iterations in Playwright (vs 1200 in Vitest) for cross-browser performance. A correct 50-iteration result is strong evidence of correct 1200-iteration behavior as errors compound within the first few iterations.
| File | Source | Vectors | Status |
|---|---|---|---|
serpent_ecb_vt.txt |
AES submission floppy4 — variable text | 384 | VERIFIED |
serpent_ecb_vk.txt |
AES submission floppy4 — variable key | 576 | VERIFIED |
serpent_ecb_tbl.txt |
AES submission floppy4 — S-box table | 1536 | VERIFIED (gate: Serpent S-box) |
serpent_ecb_iv.txt |
AES submission floppy4 — intermediate values | 3 key sizes | VERIFIED (gate: Serpent key schedule) |
serpent_ecb_e_m.txt |
AES submission floppy4 — ECB Monte Carlo encrypt | 1200 | VERIFIED |
serpent_ecb_d_m.txt |
AES submission floppy4 — ECB Monte Carlo decrypt | 1200 | VERIFIED |
serpent_cbc_e_m.txt |
AES submission floppy4 — CBC Monte Carlo encrypt | 1200 | VERIFIED |
serpent_cbc_d_m.txt |
AES submission floppy4 — CBC Monte Carlo decrypt | 1200 | VERIFIED |
serpent_nessie-128.txt |
NESSIE project | 1028 | VERIFIED |
serpent_nessie-192.txt |
NESSIE project | 1156 | VERIFIED |
serpent_nessie-256.txt |
NESSIE project | 1284 | VERIFIED |
serpent_ctr.ts |
Self-generated by ctr_harness.c on the floppy1 AES-submission reference (darwin-arm64). 5 cases (A–E) covering 128/192/256-bit keys, zero-IV and counter-wrap nonces. |
5 | SELF-GENERATED (gate: Serpent CTR mode) |
serpent.ts |
Serpent round-trip fixture (3 × 1024-byte chunks) | 1 | VERIFIED |
seal_v2.ts |
Self-generated — Seal v2 KAT vectors for XChaCha20 (XC1, XC_EMPTY) and Serpent (SC1, SC_EMPTY). Single-chunk STREAM construction, independently verified against raw primitives (HKDF-SHA-256, HChaCha20, ChaCha20-Poly1305, SerpentCbc, HMAC-SHA-256). | 4 | SELF-GENERATED |
sealstream_v2.ts |
Self-generated — SealStream KAT vectors for XChaCha20 (XC1, XC3, XCF1) and Serpent (SC1, SC3, SCF1). Generated with fixed nonce seams, each chunk independently verified against raw primitives (HKDF-SHA-256, HChaCha20, ChaCha20-Poly1305, SerpentCbc, HMAC-SHA-256). Includes framed mode variants. | 6 | SELF-GENERATED |
shake_xof.ts |
Self-generated — SHAKE128/256 multi-squeeze vectors (MS-1–MS-9). All chunks are slices of externally-verified KATs from sha3.ts, verified against Node.js crypto.createHash. |
8 | SELF-GENERATED |
chacha20.ts |
RFC 8439 §2.2.1 — ChaCha20 block function | 1 | VERIFIED (gate: ChaCha20 block function) |
chacha20.ts |
RFC 8439 §2.4.2 — ChaCha20 114-byte encryption | 1 | VERIFIED |
chacha20.ts |
RFC 8439 §2.5.2 — Poly1305 34-byte message | 1 | VERIFIED (gate: Poly1305) |
chacha20.ts |
RFC 8439 §2.6.2 — Poly1305 key generation | 1 | VERIFIED |
chacha20.ts |
RFC 8439 §A.3 — Poly1305 TV #1–#6 | 6 | VERIFIED |
chacha20.ts |
RFC 8439 §2.8.2 — ChaCha20-Poly1305 sunscreen AEAD | 1 | VERIFIED (gate: ChaCha20-Poly1305 AEAD) |
chacha20.ts |
draft-irtf-cfrg-xchacha-03 §A.3.1 — HChaCha20 subkey | 1 | VERIFIED (gate: HChaCha20/XChaCha20) |
chacha20.ts |
draft-irtf-cfrg-xchacha-03 §A.3.2 — XChaCha20-Poly1305 AEAD | 1 | VERIFIED |
sha2.ts |
FIPS 180-4 §B.1 — SHA-256 "abc" | 1 | VERIFIED |
sha2.ts |
FIPS 180-4 §B.2 — SHA-256 448-bit message | 1 | VERIFIED |
sha2.ts |
FIPS 180-4 §B.3 — SHA-256 "a" × 1M | 1 | VERIFIED |
sha2.ts |
FIPS 180-4 — SHA-256 boundary cases (empty, 55B, 56B, 64B) | 4 | VERIFIED (gate: SHA-256 empty) |
sha2.ts |
FIPS 180-4 §C.1–C.3 — SHA-512 spec vectors | 4 | VERIFIED (gate: SHA-512 "abc") |
sha2.ts |
FIPS 180-4 — SHA-512 boundary cases (empty, 111B, 112B, 128B) | 3 | VERIFIED |
sha2.ts |
FIPS 180-4 §D.1–D.2 — SHA-384 spec vectors | 3 | VERIFIED |
sha2.ts |
RFC 4231 §4.2/§4.3/§4.7 — HMAC-SHA256 TC1, TC2, TC6 | 3 | VERIFIED (gate: HMAC-SHA256 TC1) |
sha2.ts |
RFC 4231 §4.2/§4.3/§4.7 — HMAC-SHA512 TC1, TC2, TC6 | 3 | VERIFIED (gate: HMAC-SHA512 TC6) |
sha2.ts |
RFC 4231 §4.2/§4.3/§4.7 — HMAC-SHA384 TC1, TC2, TC6 | 3 | VERIFIED |
sha2.ts |
RFC 5869 §A.1/§A.2/§A.3 — HKDF-SHA256 | 3 | VERIFIED (gate: HKDF-SHA-256 A.1) |
sha2.ts |
Node.js crypto.hkdfSync — HKDF-SHA512 (same inputs as RFC A.1–A.3) | 3 | VERIFIED |
sha3.ts |
FIPS 202 §A.1 — SHA3-256 (empty, "abc", 448-bit) | 3 | VERIFIED (gate: SHA3-256 empty) |
sha3.ts |
FIPS 202 — SHA3-256 rate boundary cases (135B, 136B, 137B) | 3 | VERIFIED |
sha3.ts |
FIPS 202 §A.4 — SHA3-512 (empty, "abc") | 2 | VERIFIED |
sha3.ts |
FIPS 202 — SHA3-512 rate boundary cases (71B, 72B, 73B) | 3 | VERIFIED |
sha3.ts |
FIPS 202 — SHA3-384 (empty, "abc") + rate boundary (103B, 104B) | 4 | VERIFIED |
sha3.ts |
FIPS 202 — SHA3-224 (empty, "abc") + rate boundary (143B, 144B) | 4 | VERIFIED |
sha3.ts |
FIPS 202 — SHAKE128 (empty×32, "abc"×32, empty×64, rate boundary) | 5 | VERIFIED |
sha3.ts |
Node.js crypto / Python hashlib — SHAKE128 multi-block (empty×200, empty×336, empty×400, "abc"×200) | 4 | VERIFIED |
sha3.ts |
FIPS 202 — SHAKE256 (empty×32, "abc"×64, rate boundary) | 4 | VERIFIED |
sha3.ts |
Node.js crypto / Python hashlib — SHAKE256 multi-block (empty×200, empty×272, empty×300, "abc"×200) | 4 | VERIFIED |
kyber_keygen.ts |
NIST ACVP — ML-KEM keygen (d+z → ek+dk) | 75 (25×3) | VERIFIED (gate: ML-KEM keygen, mlkem.test.ts Gates 1–2) |
kyber_encapdecap.ts |
NIST ACVP — ML-KEM encap (75 AFT), decap (30 VAL including implicit rejection), key validity checks (60 VAL) | 165 | VERIFIED (gate: ML-KEM encap/decap, mlkem.test.ts Gates 3–9) |
ratchet_kat.ts |
Self-generated — HKDF-SHA-256 ratchet KAT vectors (ratchetInitVectors, kdfChainVectors, kemRatchetDecapVectors). HKDF outputs independently verified against Python hmac/hashlib; KEM inputs sourced from NIST ACVP tcId 77. |
9 entries | SELF-GENERATED (gate: ratchetInit, kemRatchetDecap) |
Important
All vector files are read-only. Integrity is verified via
SHA256SUMS,
which pins the expected hashes for the checked-in vector files, whether the
underlying vectors are externally sourced or self-generated. They are the
immutable truth and must never be modified to make tests pass.
Note
seal_v2.ts, sealstream_v2.ts, shake_xof.ts, and ratchet_kat.ts are
self-generated; there is no external authority for these wire formats or
output slices. Each was produced with fixed inputs and independently verified
against the underlying primitives. These vectors are regression trip-wires for
format stability, not proof of correctness against an external reference.
Generation scripts are kept in the repo so derivations can be audited or
reproduced.
- index — Project Documentation index
- lexicon — Glossary of cryptographic terms
- architecture — architecture overview, module relationships, buffer layouts, and build pipeline
- init —
init()API, loading modes, subpath imports- serpent — Serpent-256 TypeScript API (tested primitives)
- chacha20 — ChaCha20/Poly1305 TypeScript API (tested primitives)
- sha2 — SHA-2/HMAC/HKDF TypeScript API (tested primitives)
- sha3 — SHA-3/SHAKE TypeScript API (tested primitives)
- kyber — ML-KEM (FIPS 203) TypeScript API (tested primitive)
- ratchet — SPQR ratchet TypeScript API (tested primitive)
- authenticated encryption —
Seal,SealStream,OpenStream,SealStreamPool(tested primitives)- loader — WASM binary loading strategies (tested in unit + e2e)
- fortuna — Fortuna CSPRNG (tested primitive)
- utils — encoding utilities and
constantTimeEqual(tested primitives)- types — public interfaces verified by the test suite
