v0.1.4-beta
Architecture Update: The Pure Skein & Wide-Block Expansion
This release focuses entirely on establishing an ultra-conservative, quantum-resistant symmetric foundation by integrating the Threefish tweakable block cipher and the Skein hash function family natively into the PQPG engine.
New Cryptographic Primitives
- Threefish-EtM Integration: Added support for Threefish-256, Threefish-512, and the massive Threefish-1024 block ciphers. These are deployed using a native Encrypt-then-MAC (EtM) wrapper to ensure full authenticated encryption over immensely wide blocks.
- Skein Hash Family: Integrated Skein-256, Skein-512, and Skein-1024. Operating in Unique Block Iteration (UBI) chaining mode, Skein serves natively as both the XOF and Key Derivation Function across the core protocols.
- "Pure Skein" Identity Profiles: Added dedicated identity suites (Options 68–70) that seamlessly pair the Threefish cipher with its corresponding Skein hash size, creating a unified mathematical core that drastically reduces the application's attack surface against future classical cryptanalysis and Grover's algorithm.
Critical Security & Vulnerability Patches
- Dynamic Key Sizing Validation: Patched a silent failure vulnerability where orchestrators implicitly hardcoded 32-byte key boundaries, causing massive wide-block algorithms (like Threefish-1024, which requires 160 bytes for an EtM profile) to silently fail open and generate ghost files. aead.KeySize() bounds are now strictly and dynamically enforced across the network, vault, and time-lock protocols.
- Zero-Padding Entropy Stretch Fixed: Fixed an architectural flaw in the fixed-hash adapters (SHA-2/SHA-3) where deriving keys larger than the native digest size resulted in zero-padded tail bytes. The engine now automatically routes oversized requests through a SHAKE256 entropy sponge to guarantee full cryptographic saturation.
- Goroutine Deadlock Prevented: Resolved a critical resource exhaustion vector where corrupt or truncated payload chunks would throw an error during decompression, permanently blocking the io.Pipe() writer goroutine and risking an Out-Of-Memory (OOM) kernel panic. Pipe closures are now explicitly deferred in the orchestrator bounds.
- Timing Side-Channel Mitigated: Replaced native bytes.Equal logic with subtle.ConstantTimeCompare across the entire Double Ratchet key-hint routing schema, preventing eavesdroppers from statistically analyzing rejection times to profile local identity databases.
- Memory Hygiene Enforced: Added a deterministic crypto.Wipe() utility to enforce the immediate, mathematically guaranteed shredding of shared secrets, derived keys, and header authenticators from local RAM after execution.
- CTR Keystream Overlap Eliminated: Re-engineered the buildChunkNonce function for all EtM wrappers. Chunk counters are now XOR'd into the Most Significant Bytes (MSB) of the nonce array, completely preventing mathematical overlap with the underlying Counter Mode (CTR) incrementer.
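The failure mode in the Goroutine Deadlock item can be reproduced with the standard library alone. The following Go program is an added illustration, not PQPG's own code: gzip stands in for the decompressor, and drain, streamChunks and the zero-filled chunks are hypothetical names and constructed input.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"time"
)

// drain decompresses everything from pr. With closeOnExit set, the read end is
// closed on every return path, so a pending pw.Write fails with io.ErrClosedPipe.
func drain(pr *io.PipeReader, closeOnExit bool) error {
	if closeOnExit {
		defer pr.Close()
	}
	zr, err := gzip.NewReader(pr)
	if err == nil {
		_, err = io.Copy(io.Discard, zr)
	}
	return err // on a corrupt header, nothing reads from the pipe after this
}

// streamChunks (hypothetical helper) reports whether the writer goroutine exited.
func streamChunks(chunks [][]byte, closeOnExit bool) (writerExited bool, err error) {
	pr, pw := io.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer pw.Close() // writer side: always deliver EOF to the reader
		for _, c := range chunks {
			if _, werr := pw.Write(c); werr != nil {
				return // read end was closed: stop instead of hanging
			}
		}
	}()
	err = drain(pr, closeOnExit)
	select {
	case <-done:
		return true, err
	case <-time.After(200 * time.Millisecond):
		return false, err // writer is still parked inside pw.Write
	}
}

func main() {
	corrupt := [][]byte{make([]byte, 16), make([]byte, 16)} // constructed: zeros, not gzip
	fmt.Println(streamChunks(corrupt, false)) // without the deferred close
	fmt.Println(streamChunks(corrupt, true))  // with the deferred close
}
```

Without the deferred close the writer goroutine never returns and keeps its chunk buffer alive, which is how repeated corrupt payloads accumulate into memory exhaustion.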