Remove usage of nistSecurityLevel.

Author: msporny

lib/constants.js

@@ -21,12 +21,5 @@ export const MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER =
 export const MULTICODEC_MLDSA44_SECRET_KEY_HEADER =
   new Uint8Array([0x97, 0x26]);
 
-// Supported NIST Security Levels
-export const NIST_SECURITY_LEVEL_2 = 2;
-
-// MLDSA hash functions
-export const MLDSA_HASH = {
-  SHA256: 'SHA-256',
-  SHA384: 'SHA-384',
-  SHA512: 'SHA-512'
-};
+// MLDSA hash function for ML-DSA-44
+export const MLDSA44_HASH = 'SHA-256';

lib/crypto-browser.js

@@ -2,13 +2,13 @@
  * Copyright (c) 2023-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import {
+  ALGORITHM_MAP,
   CryptoKey,
   mldsaExportKey,
   mldsaGenerateKey,
   mldsaImportKey,
   mldsaSign,
   mldsaVerify,
-  resolveNistSecurityLevel,
 } from './crypto-util.js';
 
 // Extends the browser's native subtle crypto with ML-DSA support. Non-ML-DSA
@@ -107,15 +107,10 @@ class BrowserCrypto {
 }
 
 function _isMldsaAlgorithm(algorithm) {
-  if(!algorithm) {
-    return false;
-  }
-  try {
-    resolveNistSecurityLevel(algorithm);
-    return true;
-  } catch(e) {
+  if(!algorithm?.name) {
     return false;
   }
+  return ALGORITHM_MAP.has(algorithm.name);
 }
 
 const _nativeCrypto = self.crypto ?? window.crypto;

lib/crypto-util.js

@@ -3,11 +3,11 @@
  */
 import * as base64url from 'base64url-universal';
 import {ml_dsa44} from '@noble/post-quantum/ml-dsa.js';
-import {ALGORITHM, NIST_SECURITY_LEVEL_2} from './constants.js';
+import {ALGORITHM} from './constants.js';
 
-// Maps NIST security level to noble implementation and algorithm name
-export const NIST_LEVEL_MAP = new Map([
-  [2, {impl: ml_dsa44, name: ALGORITHM.MLDSA44}],
+// Maps algorithm name to noble implementation
+export const ALGORITHM_MAP = new Map([
+  [ALGORITHM.MLDSA44, {impl: ml_dsa44}],
 ]);
 
 export class CryptoKey {
@@ -34,7 +34,7 @@ export class CryptoKey {
     return this._extractable;
   }
 
-  // algorithm: KeyAlgorithm object (e.g. {name: "MLDSA", nistSecurityLevel: 2})
+  // algorithm: KeyAlgorithm object (e.g. {name: "ML-DSA-44"})
   get algorithm() {
     return this._algorithm;
   }
@@ -48,7 +48,7 @@ export class CryptoKey {
 // Signs data using ML-DSA.
 export async function mldsaSign(key, data) {
   assertMldsaKey(key, 'private', 'sign');
-  const {impl} = getImpl(key.algorithm.nistSecurityLevel);
+  const {impl} = getImpl(key.algorithm.name);
   const msg = toUint8Array(data);
   const sig = impl.sign(msg, key._keyBytes);
   return sig.buffer.slice(sig.byteOffset, sig.byteOffset + sig.byteLength);
@@ -57,7 +57,7 @@ export async function mldsaSign(key, data) {
 // Verifies a signature over data using ML-DSA.
 export async function mldsaVerify(key, signature, data) {
   assertMldsaKey(key, 'public', 'verify');
-  const {impl} = getImpl(key.algorithm.nistSecurityLevel);
+  const {impl} = getImpl(key.algorithm.name);
   const msg = toUint8Array(data);
   const sig = toUint8Array(signature);
   try {
@@ -69,12 +69,9 @@ export async function mldsaVerify(key, signature, data) {
 
 // Generates a new ML-DSA key pair from a 32-byte seed.
 export function mldsaGenerateKey(algorithm, extractable, keyUsages, seed) {
-  const nistSecurityLevel = resolveNistSecurityLevel(algorithm);
-  const {impl} = getImpl(nistSecurityLevel);
-  const keyAlgorithm = {
-    name: NIST_LEVEL_MAP.get(nistSecurityLevel).name,
-    nistSecurityLevel
-  };
+  const algorithmName = resolveAlgorithmName(algorithm);
+  const {impl} = getImpl(algorithmName);
+  const keyAlgorithm = {name: algorithmName};
 
   const {publicKey: pubBytes, secretKey: secBytes} = impl.keygen(seed);
 
@@ -101,12 +98,9 @@ export function mldsaGenerateKey(algorithm, extractable, keyUsages, seed) {
 // Imports an ML-DSA key from various formats.
 export function mldsaImportKey(format, keyData, algorithm, extractable,
   keyUsages) {
-  const nistSecurityLevel = resolveNistSecurityLevel(algorithm);
-  const {impl} = getImpl(nistSecurityLevel);
-  const keyAlgorithm = {
-    name: NIST_LEVEL_MAP.get(nistSecurityLevel).name,
-    nistSecurityLevel
-  };
+  const algorithmName = resolveAlgorithmName(algorithm);
+  const {impl} = getImpl(algorithmName);
+  const keyAlgorithm = {name: algorithmName};
 
   if(format === 'spki' || format === 'pkcs8') {
     throw new DOMException(
@@ -152,7 +146,7 @@ export function mldsaImportKey(format, keyData, algorithm, extractable,
   }
 
   if(format === 'jwk') {
-    return importJwk({keyData, keyAlgorithm, nistSecurityLevel, impl,
+    return importJwk({keyData, keyAlgorithm, algorithmName, impl,
       extractable, keyUsages});
   }
 
@@ -165,8 +159,7 @@ export function mldsaExportKey(format, key) {
   if(!key.extractable) {
     throw new DOMException('Key is not extractable.', 'InvalidAccessError');
   }
-  const {nistSecurityLevel} = key.algorithm;
-  const {name} = getImpl(nistSecurityLevel);
+  const {name} = key.algorithm;
 
   if(format === 'spki' || format === 'pkcs8') {
     throw new DOMException(
@@ -233,27 +226,26 @@ export function mldsaExportKey(format, key) {
     'NotSupportedError');
 }
 
-// Resolves nistSecurityLevel from an algorithm object or integer.
-export function resolveNistSecurityLevel(algorithm) {
-  if(algorithm?.nistSecurityLevel) {
-    return algorithm.nistSecurityLevel;
+// Resolves algorithm name from an algorithm object or string.
+export function resolveAlgorithmName(algorithm) {
+  if(typeof algorithm === 'string') {
+    return algorithm;
   }
-  if(algorithm.name === ALGORITHM.MLDSA44) {
-    return NIST_SECURITY_LEVEL_2;
+  if(algorithm?.name) {
+    return algorithm.name;
   }
   throw new DOMException(
-    `Unknown NIST security level for given algorithm "${algorithm}". ` +
-    'Only ML-DSA-44 (level 2) is supported.',
+    `Unknown algorithm "${algorithm}". Only ML-DSA-44 is supported.`,
     'NotSupportedError');
 }
 
-// Returns the noble implementation and name for a given NIST security level.
-export function getImpl(nistSecurityLevel) {
-  const entry = NIST_LEVEL_MAP.get(nistSecurityLevel);
+// Returns the noble implementation for a given algorithm name.
+export function getImpl(algorithmName) {
+  const entry = ALGORITHM_MAP.get(algorithmName);
   if(!entry) {
     throw new DOMException(
-      `Unsupported NIST security level "${nistSecurityLevel}". ` +
-      'Only ML-DSA-44 (level 2) is supported.',
+      `Unsupported algorithm "${algorithmName}". ` +
+      'Only ML-DSA-44 is supported.',
       'NotSupportedError');
   }
   return entry;
@@ -287,8 +279,8 @@ export function toUint8Array(data) {
 
 // Imports a JWK-formatted key per webcryptomldsa spec Section 7.4.4.
 function importJwk({
-  keyData, keyAlgorithm, nistSecurityLevel, impl, extractable, keyUsages}) {
-  const {name} = getImpl(nistSecurityLevel);
+  keyData, keyAlgorithm, algorithmName, impl, extractable, keyUsages}) {
+  const {name} = keyAlgorithm;
   const jwk = keyData;
 
   if(jwk.kty !== 'AKP') {

lib/factory.js

@@ -1,27 +1,18 @@
 /*!
  * Copyright (c) 2023-2026 Digital Bazaar, Inc. All rights reserved.
  */
-import {ALGORITHM, NIST_SECURITY_LEVEL_2, MLDSA_HASH} from './constants.js';
+import {MLDSA44_HASH} from './constants.js';
 import {webcrypto} from './crypto.js';
 
-// returns algorithm name for a given NIST security level
-function _getAlgorithmName(nistSecurityLevel) {
-  if(nistSecurityLevel === NIST_SECURITY_LEVEL_2) {
-    return ALGORITHM.MLDSA44;
-  }
-  return 'ML-DSA-UNKNOWN';
-}
-
 // exposes sign method
 export function createSigner({id, secretKey}) {
   if(!secretKey) {
     throw new Error('"secretKey" is required for signing.');
   }
-  const {nistSecurityLevel} = secretKey.algorithm;
-  const name = _getAlgorithmName(nistSecurityLevel);
+  const {name} = secretKey.algorithm;
   const algorithm = {
     name,
-    hash: {name: _getMldsaHash({nistSecurityLevel})}};
+    hash: {name: _getMldsaHash(name)}};
   return {
     algorithm,
     id,
@@ -37,11 +28,10 @@ export function createVerifier({id, publicKey}) {
   if(!publicKey) {
     throw new Error('"publicKey" is required for verifying.');
   }
-  const {nistSecurityLevel} = publicKey.algorithm;
-  const name = _getAlgorithmName(nistSecurityLevel);
+  const {name} = publicKey.algorithm;
   const algorithm = {
     name,
-    hash: {name: _getMldsaHash({nistSecurityLevel})}
+    hash: {name: _getMldsaHash(name)}
   };
   return {
     algorithm,
@@ -53,10 +43,10 @@ export function createVerifier({id, publicKey}) {
 }
 
 // retrieves name of appropriate ML-DSA hash function
-function _getMldsaHash({nistSecurityLevel}) {
-  if(nistSecurityLevel === NIST_SECURITY_LEVEL_2) {
-    return MLDSA_HASH.SHA256;
+function _getMldsaHash(algorithmName) {
+  if(algorithmName === 'ML-DSA-44') {
+    return MLDSA44_HASH;
   }
   throw new TypeError(
-    `Unsupported NIST Security Level "${nistSecurityLevel}".`);
+    `Unsupported algorithm "${algorithmName}".`);
 }

lib/helpers.js

@@ -5,49 +5,49 @@ import {sha256} from '@noble/hashes/sha2.js';
 import * as base58 from 'base58-universal';
 import * as base64url from 'base64url-universal';
 import {
+  ALGORITHM,
   MULTIBASE_BASE64URL_HEADER,
   MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER,
   MULTICODEC_MLDSA44_SECRET_KEY_HEADER,
-  NIST_SECURITY_LEVEL_2,
 } from './constants.js';
 
-// retrieves name of appropriate NIST security level from public Multikey
-export function getNistSecurityLevelFromPublicMultikey({publicMultikey}) {
+// retrieves algorithm name from public Multikey header bytes
+export function getAlgorithmFromPublicMultikey({publicMultikey}) {
   if(publicMultikey[0] === MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER[0] &&
     publicMultikey[1] === MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER[1]) {
-    return NIST_SECURITY_LEVEL_2;
+    return ALGORITHM.MLDSA44;
   }
 
   throw new TypeError('Unsupported public multikey header.');
 }
 
-// retrieves name of appropriate NIST security level from secret Multikey
-export function getNistSecurityLevelFromSecretMultikey({secretMultikey}) {
+// retrieves algorithm name from secret Multikey header bytes
+export function getAlgorithmFromSecretMultikey({secretMultikey}) {
   if(secretMultikey[0] === MULTICODEC_MLDSA44_SECRET_KEY_HEADER[0] &&
     secretMultikey[1] === MULTICODEC_MLDSA44_SECRET_KEY_HEADER[1]) {
-    return NIST_SECURITY_LEVEL_2;
+    return ALGORITHM.MLDSA44;
   }
 
   throw new TypeError('Unsupported secret multikey header.');
 }
 
 // retrieves byte size of secret key
-export function getSecretKeySize({nistSecurityLevel}) {
-  if(nistSecurityLevel === NIST_SECURITY_LEVEL_2) {
+export function getSecretKeySize({algorithm}) {
+  if(algorithm === ALGORITHM.MLDSA44) {
     return 2560;
   }
 
-  throw new TypeError(`Unsupported nistSecurityLevel "${nistSecurityLevel}".`);
+  throw new TypeError(`Unsupported algorithm "${algorithm}".`);
 }
 
 // sets secret key header bytes on key pair
-export function setSecretKeyHeader({nistSecurityLevel, buffer}) {
-  if(nistSecurityLevel === NIST_SECURITY_LEVEL_2) {
+export function setSecretKeyHeader({algorithm, buffer}) {
+  if(algorithm === ALGORITHM.MLDSA44) {
     buffer[0] = MULTICODEC_MLDSA44_SECRET_KEY_HEADER[0];
     buffer[1] = MULTICODEC_MLDSA44_SECRET_KEY_HEADER[1];
   } else {
     throw new TypeError(
-      `Unsupported NIST security level "${nistSecurityLevel}".`);
+      `Unsupported algorithm "${algorithm}".`);
   }
 }
 
@@ -77,12 +77,12 @@ export function publicKeyBytesToKeyId({publicKeyBytes}) {
 }
 
 // sets public key header bytes on key pair
-export function setPublicKeyHeader({nistSecurityLevel, buffer}) {
-  if(nistSecurityLevel === NIST_SECURITY_LEVEL_2) {
+export function setPublicKeyHeader({algorithm, buffer}) {
+  if(algorithm === ALGORITHM.MLDSA44) {
     buffer[0] = MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER[0];
     buffer[1] = MULTICODEC_MLDSA44_PUBLIC_KEY_HEADER[1];
   } else {
     throw new TypeError(
-      `Unsupported NIST security level "${nistSecurityLevel}".`);
+      `Unsupported algorithm "${algorithm}".`);
   }
 }

lib/index.js

@@ -4,8 +4,7 @@
 import {
   ALGORITHM,
   EXTRACTABLE,
-  MULTIKEY_CONTEXT_V1_URL,
-  NIST_SECURITY_LEVEL_2
+  MULTIKEY_CONTEXT_V1_URL
 } from './constants.js';
 import {CryptoKey, webcrypto} from './crypto.js';
 import {createSigner, createVerifier} from './factory.js';
@@ -22,11 +21,10 @@ import {
 import {toMultikey} from './translators.js';
 
 // generates ML-DSA key pair
-export async function generate({id, controller, nistSecurityLevel = 2} = {}) {
-  const algorithm = {nistSecurityLevel};
-  if(nistSecurityLevel === 2) {
-    algorithm.name = ALGORITHM.MLDSA44;
-  }
+export async function generate({
+  id, controller, algorithm: algorithmName = ALGORITHM.MLDSA44
+} = {}) {
+  const algorithm = {name: algorithmName};
   const keyPair = await webcrypto.subtle.generateKey(
     algorithm, EXTRACTABLE, ['sign', 'verify']);
   keyPair.secretKey = keyPair.privateKey;
@@ -111,15 +109,15 @@ export async function toJwk({keyPair, secretKey = false} = {}) {
 
 // raw import from secretKey and/or publicKey bytes
 export async function fromRaw({
-  nistSecurityLevel = NIST_SECURITY_LEVEL_2, secretKey, publicKey
+  algorithm: algorithmName = ALGORITHM.MLDSA44, secretKey, publicKey
 } = {}) {
   if(secretKey && !(secretKey instanceof Uint8Array)) {
     throw new TypeError('"secretKey" must be a Uint8Array.');
   }
   if(!(publicKey instanceof Uint8Array)) {
     throw new TypeError('"publicKey" must be a Uint8Array.');
   }
-  const cryptoKey = await cryptoKeyfromRaw({nistSecurityLevel,
+  const cryptoKey = await cryptoKeyfromRaw({algorithm: algorithmName,
     secretKey, publicKey});
   const jwk = await webcrypto.subtle.exportKey('jwk', cryptoKey);
   return fromJwk({jwk, secretKey: !!secretKey});