Skip to content
Brivora

@brivora/crypto API Reference

crypto.createIdentity()

Section titled “crypto.createIdentity()”
async function createIdentity(): Promise<Identity>

Creates a new hybrid PQC identity with key pairs for signing and encryption.

Returns: Identity — contains publicKey, privateKey, fingerprint, algorithm, createdAt.

crypto.sign(data, privateKey, options?)

Section titled “crypto.sign(data, privateKey, options?)”
async function sign(
  data: string | Uint8Array,
  privateKey: HybridPrivateKey,
  options?: { hybrid?: boolean }
): Promise<SignedPayload>

Sign data with ML-DSA-65 (and Ed25519 in hybrid mode).

ParameterTypeDescription
datastring | Uint8ArrayData to sign
privateKeyHybridPrivateKeySigner’s private key
options.hybridbooleanUse hybrid mode (default: true)

crypto.verify(signed, publicKey)

Section titled “crypto.verify(signed, publicKey)”
async function verify(
  signed: SignedPayload,
  publicKey: HybridPublicKey
): Promise<{ valid: boolean; data: Uint8Array }>

Verify a signed payload. Returns valid: true if at least one signature verifies.

crypto.encrypt(data, publicKey, options?)

Section titled “crypto.encrypt(data, publicKey, options?)”
async function encrypt(
  data: string | Uint8Array,
  publicKey: HybridPublicKey,
  options?: { hybrid?: boolean }
): Promise<EncryptedPayload>

Encrypt data using ML-KEM-768 (and X25519 in hybrid mode) with AES-256-GCM.

crypto.decrypt(encrypted, privateKey)

Section titled “crypto.decrypt(encrypted, privateKey)”
async function decrypt(
  encrypted: EncryptedPayload,
  privateKey: HybridPrivateKey
): Promise<Uint8Array>

Decrypt an encrypted payload. Returns the original plaintext as Uint8Array.

crypto.rotateKeys(identity)

Section titled “crypto.rotateKeys(identity)”
async function rotateKeys(
  identity: Identity
): Promise<{ newIdentity: Identity; migration: SignedPayload }>

Generate a new identity and a signed migration proof linking old key to new key.

crypto.deriveKey(master, context)

Section titled “crypto.deriveKey(master, context)”
function deriveKey(
  master: Uint8Array,
  context: string
): { key: Uint8Array; context: string }

Derive a context-specific key from a master secret using HKDF-SHA256. Deterministic: same inputs produce same outputs.

crypto.upgradeKey(ed25519Key)

Section titled “crypto.upgradeKey(ed25519Key)”
async function upgradeKey(key: {
  publicKey: Uint8Array;
  secretKey: Uint8Array;
}): Promise<{ identity: Identity; migration: SignedPayload }>

Upgrade an existing Ed25519 key to a hybrid PQC identity. Produces a migration proof signed by both old and new keys.

crypto.exportPublicKey(identity)

Section titled “crypto.exportPublicKey(identity)”
function exportPublicKey(identity: Identity): string

Export an identity’s public key as a base64-encoded string. Safe to share publicly.

crypto.importPublicKey(encoded)

Section titled “crypto.importPublicKey(encoded)”
function importPublicKey(encoded: string): HybridPublicKey

Import a previously exported public key string.

crypto.randomBytes(length)

Section titled “crypto.randomBytes(length)”
function randomBytes(length: number): Uint8Array

Generate cryptographically secure random bytes.