panva
diff --git a/‎README.md‎
Lines changed: 4 additions & 2 deletions b/‎README.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs/README.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/type-aliases/KDFFactory.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/type-aliases/KDFFactory.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/variables/KDF_TurboSHAKE128.md‎
Lines changed: 22 additions & 0 deletions b/‎docs/variables/KDF_TurboSHAKE128.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎docs/variables/KDF_TurboSHAKE256.md‎
Lines changed: 22 additions & 0 deletions b/‎docs/variables/KDF_TurboSHAKE256.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎index.html‎
Lines changed: 6 additions & 1 deletion b/‎index.html‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎index.ts‎
Lines changed: 62 additions & 0 deletions b/‎index.ts‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎test/run-workerd.js‎
Lines changed: 6 additions & 1 deletion b/‎test/run-workerd.js‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎test/support.ts‎
Lines changed: 8 additions & 0 deletions b/‎test/support.ts‎
Lines changed: 8 additions & 0 deletions
@@ -112,8 +112,8 @@ Below are the algorithms built in (based on Web Cryptography) and their runtime
 | HKDF-SHA512 <sub>`0x0003`</sub>   |    ✓     |  ✓   |  ✓  |     ✓      |      ✓       |         ✓         |
 | SHAKE128 <sub>`0x0010`</sub>      | ✓[^24.7] |      |     |            |              |         ✓         |
 | SHAKE256 <sub>`0x0011`</sub>      | ✓[^24.7] |      |     |            |              |         ✓         |
-| TurboSHAKE128 <sub>`0x0012`</sub> |          |      |     |            |              |         ✓         |
-| TurboSHAKE256 <sub>`0x0013`</sub> |          |      |     |            |              |         ✓         |
+| TurboSHAKE128 <sub>`0x0012`</sub> | ✓[^todo] |      |     |            |              |         ✓         |
+| TurboSHAKE256 <sub>`0x0013`</sub> | ✓[^todo] |      |     |            |              |         ✓         |
 
 ### Authenticated Encryption (AEAD)
 
@@ -146,3 +146,5 @@ specifications.
 [browsers]: https://panva.github.io/hpke/
 
 [^24.7]: Available in Node.js versions >= 24.7.0
+
+[^todo]: Available in Node.js versions >= TODO
@@ -1331,6 +1331,8 @@ export type KEMFactory = () => Readonly<KEM>
  * - {@link KDF_HKDF_SHA512 | HKDF-SHA512}
  * - {@link KDF_SHAKE128 | SHAKE128}
  * - {@link KDF_SHAKE256 | SHAKE256}
+ * - {@link KDF_TurboSHAKE128 | TurboSHAKE128}
+ * - {@link KDF_TurboSHAKE256 | TurboSHAKE256}
  *
  * > [!TIP]\
  * > {@link CipherSuite} is not limited to using only these exported KDF implementations. Any function
@@ -2532,6 +2534,66 @@ export const KDF_SHAKE256: KDFFactory = function (): SHAKE {
   }
 }
 
+/**
+ * TurboSHAKE128 key derivation function.
+ *
+ * A one-stage KDF using the TurboSHAKE128 extendable-output function (XOF) with an output length
+ * (Nh) of 32 bytes.
+ *
+ * Depends on the following Web Cryptography algorithms being supported in the runtime:
+ *
+ * - TurboSHAKE128 digest
+ *
+ * This is a factory function that must be passed to the {@link CipherSuite} constructor.
+ *
+ * > [!TIP]\
+ * > An implementation of this algorithm not reliant on Web Cryptography is also exported by
+ * > [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble)
+ *
+ * @group KDF Algorithms
+ * @see [HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5)
+ */
+export const KDF_TurboSHAKE128: KDFFactory = function (): SHAKE {
+  return {
+    id: 0x0012,
+    type: 'KDF',
+    name: 'TurboSHAKE128',
+    Nh: 32,
+    algorithm: 'TurboSHAKE128',
+    ...SHAKE_SHARED(),
+  }
+}
+
+/**
+ * TurboSHAKE256 key derivation function.
+ *
+ * A one-stage KDF using the TurboSHAKE256 extendable-output function (XOF) with an output length
+ * (Nh) of 64 bytes.
+ *
+ * Depends on the following Web Cryptography algorithms being supported in the runtime:
+ *
+ * - TurboSHAKE256 digest
+ *
+ * This is a factory function that must be passed to the {@link CipherSuite} constructor.
+ *
+ * > [!TIP]\
+ * > An implementation of this algorithm not reliant on Web Cryptography is also exported by
+ * > [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble)
+ *
+ * @group KDF Algorithms
+ * @see [HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5)
+ */
+export const KDF_TurboSHAKE256: KDFFactory = function (): SHAKE {
+  return {
+    id: 0x0013,
+    type: 'KDF',
+    name: 'TurboSHAKE256',
+    Nh: 64,
+    algorithm: 'TurboSHAKE256',
+    ...SHAKE_SHARED(),
+  }
+}
+
 async function getPublicKeyByExport(
   name: string,
   key: CryptoKey,
 
@@ -17,7 +17,12 @@ const unsupported = {
     'KEM_MLKEM768_P256',
     'KEM_MLKEM1024_P384',
   ],
-  kdf: ['KDF_SHAKE128', 'KDF_SHAKE256'],
+  kdf: [
+    'KDF_SHAKE128',
+    'KDF_SHAKE256',
+    'KDF_TurboSHAKE128',
+    'KDF_TurboSHAKE256',
+  ],
   aead: ['AEAD_ChaCha20Poly1305'],
 }
 
 
@@ -58,6 +58,14 @@ export const supported: Record<string, () => boolean | undefined> = {
     // @ts-expect-error
     return supports('digest', { name: 'cSHAKE256', outputLength: 512, length: 512 })
   },
+  KDF_TurboSHAKE128() {
+    // @ts-expect-error
+    return supports('digest', { name: 'TurboSHAKE128', outputLength: 256 })
+  },
+  KDF_TurboSHAKE256() {
+    // @ts-expect-error
+    return supports('digest', { name: 'TurboSHAKE256', outputLength: 512 })
+  },
   KEM_ML_KEM_512() {
     return supports('generateKey', 'ML-KEM-512')
   },