@brightchain/brightchain-lib 0.7.0 → 0.8.0

package/brightchain-lib/README.md

@@ -13,9 +13,11 @@
 - **Brokered Anonymity**: Forward Error Correction with quorum-based identity recovery
 
 ### 📦 Owner-Free File System (OFFS)
+- **TUPLE Storage**: All data stored as 3-block TUPLEs (data + 2 randomizers) for complete plausible deniability
 - **Block-based Storage**: Files broken into encrypted blocks with XOR randomization
 - **Deduplication**: SHA-512 based block identification prevents duplicate storage
 - **Distributed Architecture**: Decentralized storage with no single point of failure
+- **Legal Protection**: True owner-free storage ensures no single party can be compelled to produce meaningful data
 
 ### ⚡ Energy-Efficient Design
 - **Joule Currency**: All operations measured in actual energy consumption
@@ -255,7 +257,43 @@ If you're upgrading from BrightChain v1.x, see our comprehensive [Migration Guid
 
 See [MIGRATION.md](./MIGRATION.md) for complete details.
 
-### Working with Encrypted Blocks
+### TUPLE Storage
+
+BrightChain v2.1+ implements complete Owner-Free Filesystem compliance through TUPLE storage:
+
+```typescript
+import { TupleStorageService, BlockSize } from '@brightchain/brightchain-lib';
+
+// Initialize TUPLE storage service
+const blockStore = ...; // Your block store instance
+const tupleService = new TupleStorageService(blockStore);
+
+// Store data as a TUPLE (3 blocks: data ⊕ R1 ⊕ R2, R1, R2)
+const data = new TextEncoder().encode("Sensitive information");
+const result = await tupleService.storeTuple(data, {
+  durabilityLevel: DurabilityLevel.High,
+  expiresAt: new Date(Date.now() + 86400000), // 24 hours
+});
+
+console.log('TUPLE Magnet URL:', result.magnetUrl);
+// magnet:?xt=urn:brightchain:tuple&bs=1024&d=abc...&r1=def...&r2=ghi...
+
+// Retrieve original data from TUPLE
+const components = tupleService.parseTupleMagnetUrl(result.magnetUrl);
+const originalData = await tupleService.retrieveTuple(
+  components.dataBlockId,
+  components.randomizerBlockIds,
+  components.parityBlockIds,
+);
+```
+
+**Why TUPLEs?**
+- **Plausible Deniability**: No single block contains identifiable data
+- **Legal Protection**: Node operators cannot be compelled to produce meaningful data
+- **Complete OFF Compliance**: All data stored as 3 blocks (not just 2)
+- **Brokered Anonymity**: Supports quorum-based identity recovery
+
+See [TUPLE Storage Architecture](../../docs/TUPLE_Storage_Architecture.md) for complete details.
 
 ```typescript
 import { 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@brightchain/brightchain-lib",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "BrightChain core library - browser-compatible blockchain storage",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -37,7 +37,7 @@
   "author": "Digital Defiance",
   "license": "MIT",
   "dependencies": {
-    "@digitaldefiance/ecies-lib": "^4.12.8",
+    "@digitaldefiance/ecies-lib": "^4.13.1",
     "@digitaldefiance/i18n-lib": "^3.8.16",
     "tslib": "^2.3.0"
   },

package/src/index.d.ts

@@ -1,4 +1,4 @@
 export * from './lib';
-export { CBL, default as CONSTANTS, FEC, JWT, SEALING, SITE, TUPLE, } from './lib/constants';
+export { BC_FEC, CBL, default as CONSTANTS, SEALING, SITE, TUPLE, } from './lib/constants';
 export { EciesConfig } from './lib/ecies-config';
 //# sourceMappingURL=index.d.ts.map

package/src/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../brightchain-lib/src/index.ts"],"names":[],"mappings":"AAEA,cAAc,OAAO,CAAC;AAGtB,OAAO,EACL,GAAG,EACH,OAAO,IAAI,SAAS,EACpB,GAAG,EACH,GAAG,EACH,OAAO,EACP,IAAI,EACJ,KAAK,GACN,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../brightchain-lib/src/index.ts"],"names":[],"mappings":"AAEA,cAAc,OAAO,CAAC;AAGtB,OAAO,EACL,MAAM,EACN,GAAG,EACH,OAAO,IAAI,SAAS,EACpB,OAAO,EACP,IAAI,EACJ,KAAK,GACN,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC"}

package/src/index.js

@@ -1,16 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.EciesConfig = exports.TUPLE = exports.SITE = exports.SEALING = exports.JWT = exports.FEC = exports.CONSTANTS = exports.CBL = void 0;
+exports.EciesConfig = exports.TUPLE = exports.SITE = exports.SEALING = exports.CONSTANTS = exports.CBL = exports.BC_FEC = void 0;
 const tslib_1 = require("tslib");
 // Full Node.js exports (includes all functionality)
 // For browser-only exports, use './browser'
 tslib_1.__exportStar(require("./lib"), exports);
 // Export constants with named exports for backward compatibility
 var constants_1 = require("./lib/constants");
+Object.defineProperty(exports, "BC_FEC", { enumerable: true, get: function () { return constants_1.BC_FEC; } });
 Object.defineProperty(exports, "CBL", { enumerable: true, get: function () { return constants_1.CBL; } });
 Object.defineProperty(exports, "CONSTANTS", { enumerable: true, get: function () { return constants_1.default; } });
-Object.defineProperty(exports, "FEC", { enumerable: true, get: function () { return constants_1.FEC; } });
-Object.defineProperty(exports, "JWT", { enumerable: true, get: function () { return constants_1.JWT; } });
 Object.defineProperty(exports, "SEALING", { enumerable: true, get: function () { return constants_1.SEALING; } });
 Object.defineProperty(exports, "SITE", { enumerable: true, get: function () { return constants_1.SITE; } });
 Object.defineProperty(exports, "TUPLE", { enumerable: true, get: function () { return constants_1.TUPLE; } });

package/src/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../brightchain-lib/src/index.ts"],"names":[],"mappings":";;;;AAAA,oDAAoD;AACpD,4CAA4C;AAC5C,gDAAsB;AAEtB,iEAAiE;AACjE,6CAQyB;AAPvB,gGAAA,GAAG,OAAA;AACH,sGAAA,OAAO,OAAa;AACpB,gGAAA,GAAG,OAAA;AACH,gGAAA,GAAG,OAAA;AACH,oGAAA,OAAO,OAAA;AACP,iGAAA,IAAI,OAAA;AACJ,kGAAA,KAAK,OAAA;AAEP,mDAAiD;AAAxC,2GAAA,WAAW,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../brightchain-lib/src/index.ts"],"names":[],"mappings":";;;;AAAA,oDAAoD;AACpD,4CAA4C;AAC5C,gDAAsB;AAEtB,iEAAiE;AACjE,6CAOyB;AANvB,mGAAA,MAAM,OAAA;AACN,gGAAA,GAAG,OAAA;AACH,sGAAA,OAAO,OAAa;AACpB,oGAAA,OAAO,OAAA;AACP,iGAAA,IAAI,OAAA;AACJ,kGAAA,KAAK,OAAA;AAEP,mDAAiD;AAAxC,2GAAA,WAAW,OAAA"}

package/src/lib/access/ecies.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ecies.d.ts","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/access/ecies.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,qBAAa,UAAU;WACD,OAAO,CACzB,iBAAiB,EAAE,UAAU,EAC7B,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC;WASF,OAAO,CACzB,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,UAAU,CAAC;WASF,qBAAqB,CACvC,UAAU,EAAE,UAAU,EACtB,kBAAkB,EAAE,UAAU,EAC9B,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;QACT,SAAS,EAAE,UAAU,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CAWH"}
+{"version":3,"file":"ecies.d.ts","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/access/ecies.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,qBAAa,UAAU;WACD,OAAO,CACzB,iBAAiB,EAAE,UAAU,EAC7B,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC;WAQF,OAAO,CACzB,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,UAAU,CAAC;WAQF,qBAAqB,CACvC,UAAU,EAAE,UAAU,EACtB,kBAAkB,EAAE,UAAU,EAC9B,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC;QACT,SAAS,EAAE,UAAU,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CAWH"}

package/src/lib/access/ecies.js

@@ -9,14 +9,14 @@ const service_provider_1 = require("../services/service.provider");
 class BlockECIES {
     static async encrypt(receiverPublicKey, message) {
         // Use encryptSimpleOrSingle (encryptSimple = true) from new ECIES service
-        return service_provider_1.ServiceProvider.getInstance().eciesService.encryptSimpleOrSingle(true, receiverPublicKey, message);
+        return service_provider_1.ServiceProvider.getInstance().eciesService.encryptBasic(receiverPublicKey, message);
     }
     static async decrypt(privateKey, encryptedData) {
         // Use decryptSimpleOrSingleWithHeader (decryptSimple = false) from new ECIES service
-        return service_provider_1.ServiceProvider.getInstance().eciesService.decryptSimpleOrSingleWithHeader(false, privateKey, encryptedData);
+        return service_provider_1.ServiceProvider.getInstance().eciesService.decryptWithLengthAndHeader(privateKey, encryptedData);
     }
     static async decryptWithComponents(privateKey, ephemeralPublicKey, iv, authTag, encrypted) {
-        const result = service_provider_1.ServiceProvider.getInstance().eciesService.decryptSingleWithComponents(privateKey, ephemeralPublicKey, iv, authTag, encrypted);
+        const result = service_provider_1.ServiceProvider.getInstance().eciesService.decryptWithComponents(privateKey, ephemeralPublicKey, iv, authTag, encrypted);
         return result;
     }
 }

package/src/lib/access/ecies.js.map

@@ -1 +1 @@
-{"version":3,"file":"ecies.js","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/access/ecies.ts"],"names":[],"mappings":";;;AAAA,mEAA+D;AAE/D;;;GAGG;AACH,MAAa,UAAU;IACd,MAAM,CAAC,KAAK,CAAC,OAAO,CACzB,iBAA6B,EAC7B,OAAmB;QAEnB,0EAA0E;QAC1E,OAAO,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,qBAAqB,CACrE,IAAI,EACJ,iBAAiB,EACjB,OAAO,CACR,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,OAAO,CACzB,UAAsB,EACtB,aAAyB;QAEzB,qFAAqF;QACrF,OAAO,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,+BAA+B,CAC/E,KAAK,EACL,UAAU,EACV,aAAa,CACd,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,qBAAqB,CACvC,UAAsB,EACtB,kBAA8B,EAC9B,EAAc,EACd,OAAmB,EACnB,SAAqB;QAKrB,MAAM,MAAM,GACV,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,2BAA2B,CACpE,UAAU,EACV,kBAAkB,EAClB,EAAE,EACF,OAAO,EACP,SAAS,CACV,CAAC;QACJ,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AA7CD,gCA6CC"}
+{"version":3,"file":"ecies.js","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/access/ecies.ts"],"names":[],"mappings":";;;AAAA,mEAA+D;AAE/D;;;GAGG;AACH,MAAa,UAAU;IACd,MAAM,CAAC,KAAK,CAAC,OAAO,CACzB,iBAA6B,EAC7B,OAAmB;QAEnB,0EAA0E;QAC1E,OAAO,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,YAAY,CAC5D,iBAAiB,EACjB,OAAO,CACR,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,OAAO,CACzB,UAAsB,EACtB,aAAyB;QAEzB,qFAAqF;QACrF,OAAO,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,0BAA0B,CAC1E,UAAU,EACV,aAAa,CACd,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,qBAAqB,CACvC,UAAsB,EACtB,kBAA8B,EAC9B,EAAc,EACd,OAAmB,EACnB,SAAqB;QAKrB,MAAM,MAAM,GACV,kCAAe,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,qBAAqB,CAC9D,UAAU,EACV,kBAAkB,EAClB,EAAE,EACF,OAAO,EACP,SAAS,CACV,CAAC;QACJ,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AA3CD,gCA2CC"}

package/src/lib/blocks/encrypted.d.ts

@@ -1,4 +1,4 @@
-import { IMultiEncryptedParsedHeader, ISingleEncryptedParsedHeader, Member, type PlatformID } from '@digitaldefiance/ecies-lib';
+import { IMultiEncryptedParsedHeader, ISingleEncryptedParsedHeader, Member, TypedIdProviderWrapper, type PlatformID } from '@digitaldefiance/ecies-lib';
 import { EncryptedBlockMetadata } from '../encryptedBlockMetadata';
 import { BlockDataType } from '../enumerations/blockDataType';
 import { BlockEncryptionType } from '../enumerations/blockEncryptionType';
@@ -6,25 +6,85 @@ import { BlockSize } from '../enumerations/blockSize';
 import { BlockType } from '../enumerations/blockType';
 import { IEncryptedBlock } from '../interfaces/blocks/encrypted';
 import { IEphemeralBlock } from '../interfaces/blocks/ephemeral';
+import { ServiceProvider } from '../services/service.provider';
 import { Checksum } from '../types/checksum';
 import { EphemeralBlock } from './ephemeral';
 /**
  * Base class for encrypted blocks.
  * Adds encryption-specific header data and overhead calculations.
  *
+ * BrightChain adopts ecies-lib's versioned encryption format as the canonical standard.
+ *
  * Block Structure:
  * [Layer 0 Header][Layer 1 Header][...][Encryption Header][Encrypted Payload][Padding]
  *
- * Single Encryption Header:
- * [Encryption Type (1 byte)][Recipient GUID (16 bytes)][Ephemeral Public Key (65 bytes)][IV (16 bytes)][Auth Tag (16 bytes)][Data]
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ * SINGLE-RECIPIENT ENCRYPTION (WITH_LENGTH format, type 0x42)
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ *
+ * BrightChain uses WITH_LENGTH format for single-recipient encryption because:
+ * 1. The data length field enables streaming decryption
+ * 2. It's only 8 bytes more than BASIC
+ * 3. Block sizes are known, making length verification valuable
+ *
+ * Byte Layout:
+ * ┌─────────────────────────────────────────────────────────────────────────────────────┐
+ * │ [EncType][RecipientID][Version][CipherSuite][Type][PubKey][IV][AuthTag][Len][Data]  │
+ * │ [1     ][idSize     ][1      ][1          ][1   ][33    ][12][16     ][8  ][...]   │
+ * └─────────────────────────────────────────────────────────────────────────────────────┘
+ *
+ * | Offset      | Size   | Field            | Description                              |
+ * |-------------|--------|------------------|------------------------------------------|
+ * | 0           | 1      | EncryptionType   | BlockEncryptionType.SingleRecipient (1)  |
+ * | 1           | idSize | RecipientID      | BrightChain routing ID                   |
+ * | 1+idSize    | 1      | Version          | Protocol version (0x01)                  |
+ * | 2+idSize    | 1      | CipherSuite      | AES-256-GCM (0x01)                       |
+ * | 3+idSize    | 1      | EncryptionType   | WITH_LENGTH (0x42)                       |
+ * | 4+idSize    | 33     | EphemeralPubKey  | Compressed secp256k1 public key          |
+ * | 37+idSize   | 12     | IV               | Initialization vector (NIST SP 800-38D)  |
+ * | 49+idSize   | 16     | AuthTag          | GCM authentication tag                   |
+ * | 65+idSize   | 8      | DataLength       | Original data length (big-endian)        |
+ * | 73+idSize   | ...    | EncryptedData    | Ciphertext                               |
+ *
+ * Total overhead: 1 + idSize + ECIES.WITH_LENGTH.FIXED_OVERHEAD_SIZE = 1 + idSize + 72
+ * Default (GUID, idSize=16): 1 + 16 + 72 = 89 bytes
+ * ObjectID (idSize=12):      1 + 12 + 72 = 85 bytes
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ * MULTI-RECIPIENT ENCRYPTION (MULTIPLE format, type 0x63)
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ *
+ * Byte Layout:
+ * ┌─────────────────────────────────────────────────────────────────────────────────────┐
+ * │ [EncType][Ver][CS][PubKey][IV][Tag][Len][Count][RecipientEntries...][EncryptedData] │
+ * │ [1     ][1  ][1 ][33    ][12][16 ][8  ][2    ][variable           ][...]           │
+ * └─────────────────────────────────────────────────────────────────────────────────────┘
+ *
+ * Recipient Entry Layout (per recipient):
+ * | Offset      | Size   | Field         | Description                               |
+ * |-------------|--------|---------------|-------------------------------------------|
+ * | 0           | idSize | RecipientID   | Recipient identifier                      |
+ * | idSize      | 12     | KeyIV         | IV for this recipient's key encryption    |
+ * | idSize+12   | 16     | KeyAuthTag    | Auth tag for key encryption               |
+ * | idSize+28   | 32     | EncryptedKey  | Encrypted symmetric key                   |
+ *
+ * Per-recipient overhead: idSize + ECIES.MULTIPLE.ENCRYPTED_KEY_SIZE = idSize + 60
+ *
+ * Total overhead formula:
+ *   1 + ECIES.MULTIPLE.FIXED_OVERHEAD_SIZE + DATA_LENGTH_SIZE + RECIPIENT_COUNT_SIZE
+ *     + (recipientCount * (idSize + ENCRYPTED_KEY_SIZE))
+ *   = 1 + 64 + 8 + 2 + (recipientCount * (idSize + 60))
+ *   = 75 + (recipientCount * (idSize + 60))
  *
- * Multi Encryption Header:
- * [Encryption Type (1 byte)][Data Length (8 bytes)][Recipient count (2 bytes)][Recipient GUIDs (16 bytes * recipientCount)][Recipient keys (129 bytes)][Data]
+ * @see design.md for complete format specification
+ * @see Requirements 2.2, 2.3, 3.3, 8.4
  */
 export declare class EncryptedBlock<TID extends PlatformID = Uint8Array> extends EphemeralBlock<TID> implements IEncryptedBlock<TID> {
     protected readonly _encryptionType: BlockEncryptionType;
     protected readonly _recipients: Array<TID>;
     protected readonly _recipientWithKey: Member<TID>;
+    protected readonly _serviceProvider: ServiceProvider<TID>;
+    protected readonly _idProvider: TypedIdProviderWrapper<TID>;
     protected _cachedEncryptionDetails?: ISingleEncryptedParsedHeader | IMultiEncryptedParsedHeader<TID>;
     /**
      * Creates an instance of EncryptedBlock.
@@ -67,9 +127,19 @@ export declare class EncryptedBlock<TID extends PlatformID = Uint8Array> extends
      */
     get blockTypeHeader(): BlockType;
     /**
-     * The total overhead of the block, including encryption overhead
-     * For encrypted blocks, the overhead is just the ECIES overhead since the
-     * encryption header is part of the data buffer
+     * The total overhead of the block, including encryption overhead.
+     * For encrypted blocks, the overhead is the ECIES overhead since the
+     * encryption header is part of the data buffer.
+     *
+     * Single-recipient uses WITH_LENGTH format (72 bytes fixed overhead):
+     *   overhead = UINT8_SIZE (encryption type) + idSize + ECIES.WITH_LENGTH.FIXED_OVERHEAD_SIZE
+     *            = 1 + idSize + 72
+     *
+     * Multi-recipient uses MULTIPLE format:
+     *   overhead = UINT8_SIZE (encryption type) + calculateECIESMultipleRecipientOverhead()
+     *            = 1 + 74 + (recipientCount * (idSize + 60))
+     *
+     * @see Requirements 2.3, 3.3, 5.4
      */
     get layerOverheadSize(): number;
     /**
@@ -81,7 +151,15 @@ export declare class EncryptedBlock<TID extends PlatformID = Uint8Array> extends
      */
     get layerPayload(): Uint8Array;
     /**
-     * Get the length of the payload including padding
+     * Get the length of the encrypted payload (excluding header and padding).
+     *
+     * For encrypted blocks, the payload is the actual encrypted data portion.
+     * This is calculated as: total data length - header overhead
+     *
+     * Note: This returns the encrypted data size, not the original plaintext size.
+     * Use lengthBeforeEncryption for the original data size.
+     *
+     * @see Requirements 2.2
      */
     get layerPayloadSize(): number;
     /**

package/src/lib/blocks/encrypted.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypted.d.ts","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/blocks/encrypted.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,2BAA2B,EAC3B,4BAA4B,EAC5B,MAAM,EACN,KAAK,UAAU,EAChB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAEnE,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qCAAqC,CAAC;AAE1E,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EACL,SAAS,EAGV,MAAM,2BAA2B,CAAC;AAQnC,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAGjE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,qBAAa,cAAc,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,CAC7D,SAAQ,cAAc,CAAC,GAAG,CAC1B,YAAW,eAAe,CAAC,GAAG,CAAC;IAE/B,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,mBAAmB,CAAC;IACxD,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3C,SAAS,CAAC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClD,SAAS,CAAC,wBAAwB,CAAC,EAC/B,4BAA4B,GAC5B,2BAA2B,CAAC,GAAG,CAAC,CAAa;IAEjD;;;;;;;;;OASG;gBAED,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,QAAQ,EAAE,sBAAsB,CAAC,GAAG,CAAC,EACrC,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,EAC7B,OAAO,UAAO,EACd,UAAU,UAAO;IAgEnB;;OAEG;WAC0B,IAAI,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,EACnE,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EACpB,WAAW,CAAC,EAAE,IAAI,EAClB,sBAAsB,CAAC,EAAE,MAAM,EAC/B,OAAO,CAAC,EAAE,OAAO,EACjB,UAAU,CAAC,EAAE,OAAO,EACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,EAC9B,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAuB/B;;;OAGG;IACa,UAAU,IAAI,OAAO;IAKrB,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO;IAI1C,OAAO,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC;IAI9C;;OAEG;IACH,IAAW,cAAc,IAAI,mBAAmB,CAE/C;IAED;;OAEG;IACH,IAAW,UAAU,IAAI,KAAK,CAAC,GAAG,CAAC,CAElC;IAED,IAAW,gBAAgB,IAAI,MAAM,CAAC,GAAG,CAAC,CAEzC;IAED;;OAEG;IACH,IAAW,iBAAiB,IACxB,4BAA4B,GAC5B,2BAA2B,CAAC,GAAG,CAAC,CAqCnC;IAEY,OAAO,CAAC,CAAC,SAAS,eAAe,CAAC,GAAG,CAAC,EACjD,YAAY,EAAE,SAAS,GACtB,OAAO,CAAC,CAAC,CAAC;IAuBb;;OAEG;IACH,IAAW,eAAe,IAAI,SAAS,CAKtC;IAED;;;;OAIG;IACH,IAAoB,iBAAiB,IAAI,MAAM,CAY9C;IAED;;OAEG;IACH,IAAoB,eAAe,IAAI,UAAU,CAOhD;IAED;;OAEG;IACH,IAAoB,YAAY,IAAI,UAAU,CAS7C;IAED;;OAEG;IACH,IAAoB,gBAAgB,IAAI,MAAM,CAI7C;IAED;;OAEG;IACH,IAAW,eAAe,IAAI,MAAM,CAEnC;IAED;;;OAGG;IACmB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAgGpD;;;OAGG;IACa,YAAY,IAAI,IAAI;IA8EpC;;;OAGG;IACa,QAAQ,IAAI,IAAI;CAGjC"}
+{"version":3,"file":"encrypted.d.ts","sourceRoot":"","sources":["../../../../../brightchain-lib/src/lib/blocks/encrypted.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,2BAA2B,EAC3B,4BAA4B,EAC5B,MAAM,EACN,sBAAsB,EAEtB,KAAK,UAAU,EAChB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAEnE,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qCAAqC,CAAC;AAE1E,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EACL,SAAS,EAGV,MAAM,2BAA2B,CAAC;AAQnC,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqEG;AACH,qBAAa,cAAc,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,CAC7D,SAAQ,cAAc,CAAC,GAAG,CAC1B,YAAW,eAAe,CAAC,GAAG,CAAC;IAE/B,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,mBAAmB,CAAC;IACxD,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3C,SAAS,CAAC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClD,SAAS,CAAC,QAAQ,CAAC,gBAAgB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC;IAC1D,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5D,SAAS,CAAC,wBAAwB,CAAC,EAC/B,4BAA4B,GAC5B,2BAA2B,CAAC,GAAG,CAAC,CAAa;IAEjD;;;;;;;;;OASG;gBAED,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,QAAQ,EAAE,sBAAsB,CAAC,GAAG,CAAC,EACrC,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,EAC7B,OAAO,UAAO,EACd,UAAU,UAAO;IA4DnB;;OAEG;WAC0B,IAAI,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,EACnE,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EACpB,WAAW,CAAC,EAAE,IAAI,EAClB,sBAAsB,CAAC,EAAE,MAAM,EAC/B,OAAO,CAAC,EAAE,OAAO,EACjB,UAAU,CAAC,EAAE,OAAO,EACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,EAC9B,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAuB/B;;;OAGG;IACa,UAAU,IAAI,OAAO;IAKrB,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO;IAI1C,OAAO,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC;IAI9C;;OAEG;IACH,IAAW,cAAc,IAAI,mBAAmB,CAE/C;IAED;;OAEG;IACH,IAAW,UAAU,IAAI,KAAK,CAAC,GAAG,CAAC,CAElC;IAED,IAAW,gBAAgB,IAAI,MAAM,CAAC,GAAG,CAAC,CAEzC;IAED;;OAEG;IACH,IAAW,iBAAiB,IACxB,4BAA4B,GAC5B,2BAA2B,CAAC,GAAG,CAAC,CAqCnC;IAEY,OAAO,CAAC,CAAC,SAAS,eAAe,CAAC,GAAG,CAAC,EACjD,YAAY,EAAE,SAAS,GACtB,OAAO,CAAC,CAAC,CAAC;IAuBb;;OAEG;IACH,IAAW,eAAe,IAAI,SAAS,CAKtC;IAED;;;;;;;;;;;;;;OAcG;IACH,IAAoB,iBAAiB,IAAI,MAAM,CAoB9C;IAED;;OAEG;IACH,IAAoB,eAAe,IAAI,UAAU,CAOhD;IAED;;OAEG;IACH,IAAoB,YAAY,IAAI,UAAU,CAS7C;IAED;;;;;;;;;;OAUG;IACH,IAAoB,gBAAgB,IAAI,MAAM,CAK7C;IAED;;OAEG;IACH,IAAW,eAAe,IAAI,MAAM,CAEnC;IAED;;;OAGG;IACmB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IA6FpD;;;OAGG;IACa,YAAY,IAAI,IAAI;IA+EpC;;;OAGG;IACa,QAAQ,IAAI,IAAI;CAGjC"}

package/src/lib/blocks/encrypted.js

@@ -4,7 +4,6 @@ exports.EncryptedBlock = void 0;
 /* eslint-disable @typescript-eslint/no-explicit-any */
 const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
 const browserConfig_1 = require("../browserConfig");
-const constants_1 = require("../constants");
 const encryptedBlockMetadata_1 = require("../encryptedBlockMetadata");
 const blockAccessErrorType_1 = require("../enumerations/blockAccessErrorType");
 const blockEncryptionType_1 = require("../enumerations/blockEncryptionType");
@@ -13,20 +12,76 @@ const blockType_1 = require("../enumerations/blockType");
 const blockValidationErrorType_1 = require("../enumerations/blockValidationErrorType");
 const block_1 = require("../errors/block");
 const service_provider_1 = require("../services/service.provider");
-const serviceLocator_1 = require("../services/serviceLocator");
 const ephemeral_1 = require("./ephemeral");
 /**
  * Base class for encrypted blocks.
  * Adds encryption-specific header data and overhead calculations.
  *
+ * BrightChain adopts ecies-lib's versioned encryption format as the canonical standard.
+ *
  * Block Structure:
  * [Layer 0 Header][Layer 1 Header][...][Encryption Header][Encrypted Payload][Padding]
  *
- * Single Encryption Header:
- * [Encryption Type (1 byte)][Recipient GUID (16 bytes)][Ephemeral Public Key (65 bytes)][IV (16 bytes)][Auth Tag (16 bytes)][Data]
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ * SINGLE-RECIPIENT ENCRYPTION (WITH_LENGTH format, type 0x42)
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ *
+ * BrightChain uses WITH_LENGTH format for single-recipient encryption because:
+ * 1. The data length field enables streaming decryption
+ * 2. It's only 8 bytes more than BASIC
+ * 3. Block sizes are known, making length verification valuable
+ *
+ * Byte Layout:
+ * ┌─────────────────────────────────────────────────────────────────────────────────────┐
+ * │ [EncType][RecipientID][Version][CipherSuite][Type][PubKey][IV][AuthTag][Len][Data]  │
+ * │ [1     ][idSize     ][1      ][1          ][1   ][33    ][12][16     ][8  ][...]   │
+ * └─────────────────────────────────────────────────────────────────────────────────────┘
+ *
+ * | Offset      | Size   | Field            | Description                              |
+ * |-------------|--------|------------------|------------------------------------------|
+ * | 0           | 1      | EncryptionType   | BlockEncryptionType.SingleRecipient (1)  |
+ * | 1           | idSize | RecipientID      | BrightChain routing ID                   |
+ * | 1+idSize    | 1      | Version          | Protocol version (0x01)                  |
+ * | 2+idSize    | 1      | CipherSuite      | AES-256-GCM (0x01)                       |
+ * | 3+idSize    | 1      | EncryptionType   | WITH_LENGTH (0x42)                       |
+ * | 4+idSize    | 33     | EphemeralPubKey  | Compressed secp256k1 public key          |
+ * | 37+idSize   | 12     | IV               | Initialization vector (NIST SP 800-38D)  |
+ * | 49+idSize   | 16     | AuthTag          | GCM authentication tag                   |
+ * | 65+idSize   | 8      | DataLength       | Original data length (big-endian)        |
+ * | 73+idSize   | ...    | EncryptedData    | Ciphertext                               |
+ *
+ * Total overhead: 1 + idSize + ECIES.WITH_LENGTH.FIXED_OVERHEAD_SIZE = 1 + idSize + 72
+ * Default (GUID, idSize=16): 1 + 16 + 72 = 89 bytes
+ * ObjectID (idSize=12):      1 + 12 + 72 = 85 bytes
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ * MULTI-RECIPIENT ENCRYPTION (MULTIPLE format, type 0x63)
+ * ═══════════════════════════════════════════════════════════════════════════════════════
+ *
+ * Byte Layout:
+ * ┌─────────────────────────────────────────────────────────────────────────────────────┐
+ * │ [EncType][Ver][CS][PubKey][IV][Tag][Len][Count][RecipientEntries...][EncryptedData] │
+ * │ [1     ][1  ][1 ][33    ][12][16 ][8  ][2    ][variable           ][...]           │
+ * └─────────────────────────────────────────────────────────────────────────────────────┘
  *
- * Multi Encryption Header:
- * [Encryption Type (1 byte)][Data Length (8 bytes)][Recipient count (2 bytes)][Recipient GUIDs (16 bytes * recipientCount)][Recipient keys (129 bytes)][Data]
+ * Recipient Entry Layout (per recipient):
+ * | Offset      | Size   | Field         | Description                               |
+ * |-------------|--------|---------------|-------------------------------------------|
+ * | 0           | idSize | RecipientID   | Recipient identifier                      |
+ * | idSize      | 12     | KeyIV         | IV for this recipient's key encryption    |
+ * | idSize+12   | 16     | KeyAuthTag    | Auth tag for key encryption               |
+ * | idSize+28   | 32     | EncryptedKey  | Encrypted symmetric key                   |
+ *
+ * Per-recipient overhead: idSize + ECIES.MULTIPLE.ENCRYPTED_KEY_SIZE = idSize + 60
+ *
+ * Total overhead formula:
+ *   1 + ECIES.MULTIPLE.FIXED_OVERHEAD_SIZE + DATA_LENGTH_SIZE + RECIPIENT_COUNT_SIZE
+ *     + (recipientCount * (idSize + ENCRYPTED_KEY_SIZE))
+ *   = 1 + 64 + 8 + 2 + (recipientCount * (idSize + 60))
+ *   = 75 + (recipientCount * (idSize + 60))
+ *
+ * @see design.md for complete format specification
+ * @see Requirements 2.2, 2.3, 3.3, 8.4
  */
 class EncryptedBlock extends ephemeral_1.EphemeralBlock {
     /**
@@ -42,6 +97,8 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
     constructor(type, dataType, data, checksum, metadata, recipientWithKey, canRead = true, canPersist = true) {
         super(type, dataType, data, checksum, metadata, canRead, canPersist);
         this._cachedEncryptionDetails = undefined;
+        this._serviceProvider = service_provider_1.ServiceProvider.getInstance();
+        this._idProvider = this._serviceProvider.idProvider;
         // Read encryption type directly from data to avoid circular dependency
         const blockEncryptionType = data[0];
         if (metadata.encryptionType !== blockEncryptionType ||
@@ -50,14 +107,12 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         }
         this._encryptionType = blockEncryptionType;
         if (blockEncryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient) {
-            const recipientIdBytes = data.subarray(constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE, constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE + constants_1.ENCRYPTION.RECIPIENT_ID_SIZE);
-            // Ensure we have exactly 16 bytes for the GUID
-            if (recipientIdBytes.length !== 16) {
+            const recipientIdBytes = data.subarray(ecies_lib_1.UINT8_SIZE, ecies_lib_1.UINT8_SIZE + this._idProvider.byteLength);
+            // Ensure we have exactly the expected bytes for the recipient ID
+            if (recipientIdBytes.length !== this._idProvider.byteLength) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidRecipientIds);
             }
-            this._recipients = [
-                service_provider_1.ServiceProvider.getInstance().idProvider.fromBytes(recipientIdBytes),
-            ];
+            this._recipients = [this._idProvider.fromBytes(recipientIdBytes)];
         }
         else {
             const details = this
@@ -78,7 +133,7 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
             }
             else {
                 // For Guid objects, get the bytes using the idProvider
-                const result = service_provider_1.ServiceProvider.getInstance().idProvider.toBytes(r);
+                const result = this._idProvider.toBytes(r);
                 rBytes = result;
             }
             return (0, ecies_lib_1.arraysEqual)(rBytes, recipientWithKey.idBytes);
@@ -133,15 +188,15 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         const encryptionType = this.encryptionType;
         if (encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient) {
             const headerData = new Uint8Array(this.layerHeaderData.buffer.slice(this.layerHeaderData.byteOffset +
-                constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE +
-                constants_1.ENCRYPTION.RECIPIENT_ID_SIZE, this.layerHeaderData.byteOffset + this.layerHeaderData.byteLength));
+                ecies_lib_1.UINT8_SIZE +
+                this._idProvider.byteLength, this.layerHeaderData.byteOffset + this.layerHeaderData.byteLength));
             this._cachedEncryptionDetails =
-                serviceLocator_1.ServiceLocator.getServiceProvider().eciesService.parseSingleEncryptedHeader(ecies_lib_1.EciesEncryptionTypeEnum.Single, headerData);
+                this._serviceProvider.eciesService.parseSingleEncryptedHeader(ecies_lib_1.EciesEncryptionTypeEnum.WithLength, headerData);
         }
         else if (encryptionType === blockEncryptionType_1.BlockEncryptionType.MultiRecipient) {
-            const headerData = new Uint8Array(this.layerHeaderData.buffer.slice(this.layerHeaderData.byteOffset + constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE, this.layerHeaderData.byteOffset + this.layerHeaderData.byteLength));
+            const headerData = new Uint8Array(this.layerHeaderData.buffer.slice(this.layerHeaderData.byteOffset + ecies_lib_1.UINT8_SIZE, this.layerHeaderData.byteOffset + this.layerHeaderData.byteLength));
             this._cachedEncryptionDetails =
-                serviceLocator_1.ServiceLocator.getServiceProvider().eciesService.parseMultiEncryptedHeader(headerData);
+                this._serviceProvider.eciesService.parseMultiEncryptedHeader(headerData);
         }
         else {
             throw new block_1.BlockError(blockErrorType_1.BlockErrorType.UnexpectedEncryptedBlockType);
@@ -165,8 +220,8 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
             throw new block_1.BlockError(blockErrorType_1.BlockErrorType.CreatorPrivateKeyRequired);
         }
         return (this.encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient
-            ? await serviceLocator_1.ServiceLocator.getServiceProvider().blockService.decrypt(this.recipientWithKey, this, newBlockType)
-            : await serviceLocator_1.ServiceLocator.getServiceProvider().blockService.decryptMultiple(this.recipientWithKey, this));
+            ? await this._serviceProvider.blockService.decrypt(this.recipientWithKey, this, newBlockType)
+            : await this._serviceProvider.blockService.decryptMultiple(this.recipientWithKey, this));
     }
     /**
      * The block type stored in the header
@@ -178,17 +233,33 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         return this.layerHeaderData[0];
     }
     /**
-     * The total overhead of the block, including encryption overhead
-     * For encrypted blocks, the overhead is just the ECIES overhead since the
-     * encryption header is part of the data buffer
+     * The total overhead of the block, including encryption overhead.
+     * For encrypted blocks, the overhead is the ECIES overhead since the
+     * encryption header is part of the data buffer.
+     *
+     * Single-recipient uses WITH_LENGTH format (72 bytes fixed overhead):
+     *   overhead = UINT8_SIZE (encryption type) + idSize + ECIES.WITH_LENGTH.FIXED_OVERHEAD_SIZE
+     *            = 1 + idSize + 72
+     *
+     * Multi-recipient uses MULTIPLE format:
+     *   overhead = UINT8_SIZE (encryption type) + calculateECIESMultipleRecipientOverhead()
+     *            = 1 + 74 + (recipientCount * (idSize + 60))
+     *
+     * @see Requirements 2.3, 3.3, 5.4
      */
     get layerOverheadSize() {
-        return ((this.encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient
-            ? constants_1.ECIES.OVERHEAD_SIZE +
-                constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE +
-                constants_1.ENCRYPTION.RECIPIENT_ID_SIZE
-            : (0, browserConfig_1.calculateECIESMultipleRecipientOverhead)(this.encryptionDetails
-                .recipientCount, false)) + constants_1.ENCRYPTION.ENCRYPTION_TYPE_SIZE);
+        if (this.encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient) {
+            // Single-recipient: [EncType(1)][RecipientID(idSize)][ecies-lib WITH_LENGTH header(72)]
+            return (ecies_lib_1.UINT8_SIZE +
+                this._idProvider.byteLength +
+                ecies_lib_1.ECIES.WITH_LENGTH.FIXED_OVERHEAD_SIZE);
+        }
+        else {
+            // Multi-recipient: [EncType(1)][ecies-lib MULTIPLE header]
+            return (ecies_lib_1.UINT8_SIZE +
+                (0, browserConfig_1.calculateECIESMultipleRecipientOverhead)(this.encryptionDetails
+                    .recipientCount, true, this._idProvider.byteLength));
+        }
     }
     /**
      * Get this layer's header data (encryption metadata)
@@ -212,12 +283,21 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         return this.data.subarray(headerLength, headerLength + this.layerPayloadSize);
     }
     /**
-     * Get the length of the payload including padding
+     * Get the length of the encrypted payload (excluding header and padding).
+     *
+     * For encrypted blocks, the payload is the actual encrypted data portion.
+     * This is calculated as: total data length - header overhead
+     *
+     * Note: This returns the encrypted data size, not the original plaintext size.
+     * Use lengthBeforeEncryption for the original data size.
+     *
+     * @see Requirements 2.2
      */
     get layerPayloadSize() {
-        return this.encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient
-            ? constants_1.ECIES.OVERHEAD_SIZE
-            : constants_1.ECIES.MULTIPLE.ENCRYPTED_MESSAGE_OVERHEAD_SIZE;
+        // The payload is everything after the header up to the end of encrypted data
+        // For encrypted blocks, we use lengthBeforeEncryption to determine the actual
+        // encrypted content size (the ciphertext is the same size as plaintext in GCM mode)
+        return this.lengthBeforeEncryption;
     }
     /**
      * Get the total encrypted length including headers and payload
@@ -232,21 +312,22 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
     async validateAsync() {
         // Call parent validation first
         await super.validateAsync();
-        // Validate encryption header lengths
-        if (this.layerHeaderData.length !== constants_1.ECIES.OVERHEAD_SIZE) {
+        // Validate encryption header length matches the calculated overhead
+        const expectedHeaderLength = this.layerOverheadSize;
+        if (this.layerHeaderData.length !== expectedHeaderLength) {
             throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidEncryptionHeaderLength);
         }
         if (this.encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient) {
             const details = this
                 .encryptionDetails;
             // Validate individual components
-            if (details.ephemeralPublicKey.length !== constants_1.ECIES.PUBLIC_KEY_LENGTH) {
+            if (details.ephemeralPublicKey.length !== ecies_lib_1.ECIES.PUBLIC_KEY_LENGTH) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidEphemeralPublicKeyLength);
             }
-            if (details.iv.length !== constants_1.ECIES.IV_LENGTH) {
+            if (details.iv.length !== ecies_lib_1.ECIES.IV_SIZE) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidIVLength);
             }
-            if (details.authTag.length !== constants_1.ECIES.AUTH_TAG_LENGTH) {
+            if (details.authTag.length !== ecies_lib_1.ECIES.AUTH_TAG_SIZE) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidAuthTagLength);
             }
         }
@@ -260,13 +341,11 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidRecipientIds);
             }
             else if (details.recipientIds
-                .map((id) => id instanceof ecies_lib_1.Guid
-                ? service_provider_1.ServiceProvider.getInstance().idProvider.toBytes(id)
-                : id)
-                .some((id) => id.length !== constants_1.default['GUID_SIZE'])) {
+                .map((id) => this._idProvider.toBytes(id))
+                .some((id) => id.length !== id.byteLength)) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidRecipientIds);
             }
-            else if (details.recipientKeys.some((k) => k.length !== constants_1.ECIES.MULTIPLE.ENCRYPTED_KEY_SIZE)) {
+            else if (details.recipientKeys.some((k) => k.length !== ecies_lib_1.ECIES.MULTIPLE.ENCRYPTED_KEY_SIZE)) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidRecipientKeys);
             }
         }
@@ -276,7 +355,7 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         }
         // Validate actual data length
         if (this.lengthBeforeEncryption >
-            service_provider_1.ServiceProvider.getInstance().blockCapacityCalculator.calculateCapacity({
+            this._serviceProvider.blockCapacityCalculator.calculateCapacity({
                 blockSize: this.blockSize,
                 blockType: this.blockType,
                 encryptionType: this.encryptionType,
@@ -296,20 +375,21 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
     validateSync() {
         // Call parent validation first
         super.validateSync();
-        // Validate encryption header lengths
-        if (this.layerHeaderData.length !== constants_1.ECIES.OVERHEAD_SIZE) {
+        // Validate encryption header length matches the calculated overhead
+        const expectedHeaderLength = this.layerOverheadSize;
+        if (this.layerHeaderData.length !== expectedHeaderLength) {
             throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidEncryptionHeaderLength);
         }
         if (this._encryptionType === blockEncryptionType_1.BlockEncryptionType.SingleRecipient) {
             const details = this.encryptionDetails;
             // Validate individual components
-            if (details.ephemeralPublicKey.length !== constants_1.ECIES.PUBLIC_KEY_LENGTH) {
+            if (details.ephemeralPublicKey.length !== ecies_lib_1.ECIES.PUBLIC_KEY_LENGTH) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidEphemeralPublicKeyLength);
             }
-            if (details.iv.length !== constants_1.ECIES.IV_LENGTH) {
+            if (details.iv.length !== ecies_lib_1.ECIES.IV_SIZE) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidIVLength);
             }
-            if (details.authTag.length !== constants_1.ECIES.AUTH_TAG_LENGTH) {
+            if (details.authTag.length !== ecies_lib_1.ECIES.AUTH_TAG_SIZE) {
                 throw new block_1.BlockValidationError(blockValidationErrorType_1.BlockValidationErrorType.InvalidAuthTagLength);
             }
         }
@@ -331,7 +411,7 @@ class EncryptedBlock extends ephemeral_1.EphemeralBlock {
         }
         // Validate actual data length
         if (this.lengthBeforeEncryption >
-            service_provider_1.ServiceProvider.getInstance().blockCapacityCalculator.calculateCapacity({
+            this._serviceProvider.blockCapacityCalculator.calculateCapacity({
                 blockSize: this.blockSize,
                 blockType: this.blockType,
                 encryptionType: this.encryptionType,