@didcid/cipher 0.1.3 → 0.2.1

package/dist/cjs/{cipher-base-D2GtcXrx.cjs → cipher-base-CsSWgNEp.cjs}

@@ -2,6 +2,7 @@
 
 var bip39 = require('bip39');
 var secp = require('@noble/secp256k1');
+var aes = require('./aes-B3jnKULi.cjs');
 var canonicalizeModule = require('canonicalize');
 
 function _interopNamespaceDefault(e) {
@@ -244,435 +245,6 @@ rfc4648({
     bitsPerChar: 6
 });
 
-/**
- * Utilities for hex, bytes, CSPRNG.
- * @module
- */
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
-// node.js versions earlier than v19 don't declare it in global scope.
-// For node.js, package.json#exports field mapping rewrites import
-// from `crypto` to `cryptoNode`, which imports native module.
-// Makes the utils un-importable in browsers without a bundler.
-// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
-/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
-function isBytes$2(a) {
-    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
-}
-/** Asserts something is positive integer. */
-function anumber(n) {
-    if (!Number.isSafeInteger(n) || n < 0)
-        throw new Error('positive integer expected, got ' + n);
-}
-/** Asserts something is Uint8Array. */
-function abytes(b, ...lengths) {
-    if (!isBytes$2(b))
-        throw new Error('Uint8Array expected');
-    if (lengths.length > 0 && !lengths.includes(b.length))
-        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
-}
-/** Asserts something is hash */
-function ahash(h) {
-    if (typeof h !== 'function' || typeof h.create !== 'function')
-        throw new Error('Hash should be wrapped by utils.createHasher');
-    anumber(h.outputLen);
-    anumber(h.blockLen);
-}
-/** Asserts a hash instance has not been destroyed / finished */
-function aexists(instance, checkFinished = true) {
-    if (instance.destroyed)
-        throw new Error('Hash instance has been destroyed');
-    if (checkFinished && instance.finished)
-        throw new Error('Hash#digest() has already been called');
-}
-/** Asserts output is properly-sized byte array */
-function aoutput(out, instance) {
-    abytes(out);
-    const min = instance.outputLen;
-    if (out.length < min) {
-        throw new Error('digestInto() expects output buffer of length at least ' + min);
-    }
-}
-/** Zeroize a byte array. Warning: JS provides no guarantees. */
-function clean(...arrays) {
-    for (let i = 0; i < arrays.length; i++) {
-        arrays[i].fill(0);
-    }
-}
-/** Create DataView of an array for easy byte-level manipulation. */
-function createView$1(arr) {
-    return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-}
-/** The rotate right (circular right shift) operation for uint32 */
-function rotr(word, shift) {
-    return (word << (32 - shift)) | (word >>> shift);
-}
-/**
- * Converts string to bytes using UTF8 encoding.
- * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
- */
-function utf8ToBytes$1(str) {
-    if (typeof str !== 'string')
-        throw new Error('string expected');
-    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
-}
-/**
- * Normalizes (non-hex) string or Uint8Array to Uint8Array.
- * Warning: when Uint8Array is passed, it would NOT get copied.
- * Keep in mind for future mutable operations.
- */
-function toBytes$1(data) {
-    if (typeof data === 'string')
-        data = utf8ToBytes$1(data);
-    abytes(data);
-    return data;
-}
-/** For runtime check if class implements interface */
-class Hash {
-}
-/** Wraps hash function, creating an interface on top of it */
-function createHasher(hashCons) {
-    const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
-    const tmp = hashCons();
-    hashC.outputLen = tmp.outputLen;
-    hashC.blockLen = tmp.blockLen;
-    hashC.create = () => hashCons();
-    return hashC;
-}
-
-/**
- * HMAC: RFC2104 message authentication code.
- * @module
- */
-class HMAC extends Hash {
-    constructor(hash, _key) {
-        super();
-        this.finished = false;
-        this.destroyed = false;
-        ahash(hash);
-        const key = toBytes$1(_key);
-        this.iHash = hash.create();
-        if (typeof this.iHash.update !== 'function')
-            throw new Error('Expected instance of class which extends utils.Hash');
-        this.blockLen = this.iHash.blockLen;
-        this.outputLen = this.iHash.outputLen;
-        const blockLen = this.blockLen;
-        const pad = new Uint8Array(blockLen);
-        // blockLen can be bigger than outputLen
-        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36;
-        this.iHash.update(pad);
-        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
-        this.oHash = hash.create();
-        // Undo internal XOR && apply outer XOR
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36 ^ 0x5c;
-        this.oHash.update(pad);
-        clean(pad);
-    }
-    update(buf) {
-        aexists(this);
-        this.iHash.update(buf);
-        return this;
-    }
-    digestInto(out) {
-        aexists(this);
-        abytes(out, this.outputLen);
-        this.finished = true;
-        this.iHash.digestInto(out);
-        this.oHash.update(out);
-        this.oHash.digestInto(out);
-        this.destroy();
-    }
-    digest() {
-        const out = new Uint8Array(this.oHash.outputLen);
-        this.digestInto(out);
-        return out;
-    }
-    _cloneInto(to) {
-        // Create new instance without calling constructor since key already in state and we don't know it.
-        to || (to = Object.create(Object.getPrototypeOf(this), {}));
-        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
-        to = to;
-        to.finished = finished;
-        to.destroyed = destroyed;
-        to.blockLen = blockLen;
-        to.outputLen = outputLen;
-        to.oHash = oHash._cloneInto(to.oHash);
-        to.iHash = iHash._cloneInto(to.iHash);
-        return to;
-    }
-    clone() {
-        return this._cloneInto();
-    }
-    destroy() {
-        this.destroyed = true;
-        this.oHash.destroy();
-        this.iHash.destroy();
-    }
-}
-/**
- * HMAC: RFC2104 message authentication code.
- * @param hash - function that would be used e.g. sha256
- * @param key - message key
- * @param message - message data
- * @example
- * import { hmac } from '@noble/hashes/hmac';
- * import { sha256 } from '@noble/hashes/sha2';
- * const mac1 = hmac(sha256, 'key', 'message');
- */
-const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new HMAC(hash, key);
-
-/**
- * Internal Merkle-Damgard hash utils.
- * @module
- */
-/** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
-function setBigUint64$1(view, byteOffset, value, isLE) {
-    if (typeof view.setBigUint64 === 'function')
-        return view.setBigUint64(byteOffset, value, isLE);
-    const _32n = BigInt(32);
-    const _u32_max = BigInt(0xffffffff);
-    const wh = Number((value >> _32n) & _u32_max);
-    const wl = Number(value & _u32_max);
-    const h = isLE ? 4 : 0;
-    const l = isLE ? 0 : 4;
-    view.setUint32(byteOffset + h, wh, isLE);
-    view.setUint32(byteOffset + l, wl, isLE);
-}
-/** Choice: a ? b : c */
-function Chi(a, b, c) {
-    return (a & b) ^ (~a & c);
-}
-/** Majority function, true if any two inputs is true. */
-function Maj(a, b, c) {
-    return (a & b) ^ (a & c) ^ (b & c);
-}
-/**
- * Merkle-Damgard hash construction base class.
- * Could be used to create MD5, RIPEMD, SHA1, SHA2.
- */
-class HashMD extends Hash {
-    constructor(blockLen, outputLen, padOffset, isLE) {
-        super();
-        this.finished = false;
-        this.length = 0;
-        this.pos = 0;
-        this.destroyed = false;
-        this.blockLen = blockLen;
-        this.outputLen = outputLen;
-        this.padOffset = padOffset;
-        this.isLE = isLE;
-        this.buffer = new Uint8Array(blockLen);
-        this.view = createView$1(this.buffer);
-    }
-    update(data) {
-        aexists(this);
-        data = toBytes$1(data);
-        abytes(data);
-        const { view, buffer, blockLen } = this;
-        const len = data.length;
-        for (let pos = 0; pos < len;) {
-            const take = Math.min(blockLen - this.pos, len - pos);
-            // Fast path: we have at least one block in input, cast it to view and process
-            if (take === blockLen) {
-                const dataView = createView$1(data);
-                for (; blockLen <= len - pos; pos += blockLen)
-                    this.process(dataView, pos);
-                continue;
-            }
-            buffer.set(data.subarray(pos, pos + take), this.pos);
-            this.pos += take;
-            pos += take;
-            if (this.pos === blockLen) {
-                this.process(view, 0);
-                this.pos = 0;
-            }
-        }
-        this.length += data.length;
-        this.roundClean();
-        return this;
-    }
-    digestInto(out) {
-        aexists(this);
-        aoutput(out, this);
-        this.finished = true;
-        // Padding
-        // We can avoid allocation of buffer for padding completely if it
-        // was previously not allocated here. But it won't change performance.
-        const { buffer, view, blockLen, isLE } = this;
-        let { pos } = this;
-        // append the bit '1' to the message
-        buffer[pos++] = 0b10000000;
-        clean(this.buffer.subarray(pos));
-        // we have less than padOffset left in buffer, so we cannot put length in
-        // current block, need process it and pad again
-        if (this.padOffset > blockLen - pos) {
-            this.process(view, 0);
-            pos = 0;
-        }
-        // Pad until full block byte with zeros
-        for (let i = pos; i < blockLen; i++)
-            buffer[i] = 0;
-        // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
-        // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
-        // So we just write lowest 64 bits of that value.
-        setBigUint64$1(view, blockLen - 8, BigInt(this.length * 8), isLE);
-        this.process(view, 0);
-        const oview = createView$1(out);
-        const len = this.outputLen;
-        // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
-        if (len % 4)
-            throw new Error('_sha2: outputLen should be aligned to 32bit');
-        const outLen = len / 4;
-        const state = this.get();
-        if (outLen > state.length)
-            throw new Error('_sha2: outputLen bigger than state');
-        for (let i = 0; i < outLen; i++)
-            oview.setUint32(4 * i, state[i], isLE);
-    }
-    digest() {
-        const { buffer, outputLen } = this;
-        this.digestInto(buffer);
-        const res = buffer.slice(0, outputLen);
-        this.destroy();
-        return res;
-    }
-    _cloneInto(to) {
-        to || (to = new this.constructor());
-        to.set(...this.get());
-        const { blockLen, buffer, length, finished, destroyed, pos } = this;
-        to.destroyed = destroyed;
-        to.finished = finished;
-        to.length = length;
-        to.pos = pos;
-        if (length % blockLen)
-            to.buffer.set(buffer);
-        return to;
-    }
-    clone() {
-        return this._cloneInto();
-    }
-}
-/**
- * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
- * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
- */
-/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
-const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
-    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
-]);
-
-/**
- * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
- * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
- * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
- * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
- * @module
- */
-/**
- * Round constants:
- * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
- */
-// prettier-ignore
-const SHA256_K = /* @__PURE__ */ Uint32Array.from([
-    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
-    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
-    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
-    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
-    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
-    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
-    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
-    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
-]);
-/** Reusable temporary buffer. "W" comes straight from spec. */
-const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-class SHA256 extends HashMD {
-    constructor(outputLen = 32) {
-        super(64, outputLen, 8, false);
-        // We cannot use array here since array allows indexing by variable
-        // which means optimizer/compiler cannot use registers.
-        this.A = SHA256_IV[0] | 0;
-        this.B = SHA256_IV[1] | 0;
-        this.C = SHA256_IV[2] | 0;
-        this.D = SHA256_IV[3] | 0;
-        this.E = SHA256_IV[4] | 0;
-        this.F = SHA256_IV[5] | 0;
-        this.G = SHA256_IV[6] | 0;
-        this.H = SHA256_IV[7] | 0;
-    }
-    get() {
-        const { A, B, C, D, E, F, G, H } = this;
-        return [A, B, C, D, E, F, G, H];
-    }
-    // prettier-ignore
-    set(A, B, C, D, E, F, G, H) {
-        this.A = A | 0;
-        this.B = B | 0;
-        this.C = C | 0;
-        this.D = D | 0;
-        this.E = E | 0;
-        this.F = F | 0;
-        this.G = G | 0;
-        this.H = H | 0;
-    }
-    process(view, offset) {
-        // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array
-        for (let i = 0; i < 16; i++, offset += 4)
-            SHA256_W[i] = view.getUint32(offset, false);
-        for (let i = 16; i < 64; i++) {
-            const W15 = SHA256_W[i - 15];
-            const W2 = SHA256_W[i - 2];
-            const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);
-            const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);
-            SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;
-        }
-        // Compression function main loop, 64 rounds
-        let { A, B, C, D, E, F, G, H } = this;
-        for (let i = 0; i < 64; i++) {
-            const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
-            const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
-            const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
-            const T2 = (sigma0 + Maj(A, B, C)) | 0;
-            H = G;
-            G = F;
-            F = E;
-            E = (D + T1) | 0;
-            D = C;
-            C = B;
-            B = A;
-            A = (T1 + T2) | 0;
-        }
-        // Add the compressed chunk to the current hash value
-        A = (A + this.A) | 0;
-        B = (B + this.B) | 0;
-        C = (C + this.C) | 0;
-        D = (D + this.D) | 0;
-        E = (E + this.E) | 0;
-        F = (F + this.F) | 0;
-        G = (G + this.G) | 0;
-        H = (H + this.H) | 0;
-        this.set(A, B, C, D, E, F, G, H);
-    }
-    roundClean() {
-        clean(SHA256_W);
-    }
-    destroy() {
-        this.set(0, 0, 0, 0, 0, 0, 0, 0);
-        clean(this.buffer);
-    }
-}
-/**
- * SHA2-256 hash function from RFC 4634.
- *
- * It is the fastest JS hash, even faster than Blake3.
- * To break sha256 using birthday attack, attackers need to try 2^128 hashes.
- * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
- */
-const sha256$1 = /* @__PURE__ */ createHasher(() => new SHA256());
-
 /**
  * SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
  *
@@ -684,141 +256,7 @@ const sha256$1 = /* @__PURE__ */ createHasher(() => new SHA256());
  * @deprecated
  */
 /** @deprecated Use import from `noble/hashes/sha2` module */
-const sha256 = sha256$1;
-
-/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
-// Cast array to different type
-const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
-function isBytes$1(a) {
-    return (a instanceof Uint8Array ||
-        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
-}
-// Cast array to view
-const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-// big-endian hardware is rare. Just in case someone still decides to run ciphers:
-// early-throw an error because we don't support BE yet.
-const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;
-if (!isLE)
-    throw new Error('Non little-endian hardware is not supported');
-/**
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
- */
-function utf8ToBytes(str) {
-    if (typeof str !== 'string')
-        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
-    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
-}
-function bytesToUtf8(bytes) {
-    return new TextDecoder().decode(bytes);
-}
-/**
- * Normalizes (non-hex) string or Uint8Array to Uint8Array.
- * Warning: when Uint8Array is passed, it would NOT get copied.
- * Keep in mind for future mutable operations.
- */
-function toBytes(data) {
-    if (typeof data === 'string')
-        data = utf8ToBytes(data);
-    else if (isBytes$1(data))
-        data = data.slice();
-    else
-        throw new Error(`expected Uint8Array, got ${typeof data}`);
-    return data;
-}
-/**
- * Copies several Uint8Arrays into one.
- */
-function concatBytes(...arrays) {
-    let sum = 0;
-    for (let i = 0; i < arrays.length; i++) {
-        const a = arrays[i];
-        if (!isBytes$1(a))
-            throw new Error('Uint8Array expected');
-        sum += a.length;
-    }
-    const res = new Uint8Array(sum);
-    for (let i = 0, pad = 0; i < arrays.length; i++) {
-        const a = arrays[i];
-        res.set(a, pad);
-        pad += a.length;
-    }
-    return res;
-}
-// Check if object doens't have custom constructor (like Uint8Array/Array)
-const isPlainObject = (obj) => Object.prototype.toString.call(obj) === '[object Object]' && obj.constructor === Object;
-function checkOpts(defaults, opts) {
-    if (opts !== undefined && (typeof opts !== 'object' || !isPlainObject(opts)))
-        throw new Error('options must be object or undefined');
-    const merged = Object.assign(defaults, opts);
-    return merged;
-}
-function ensureBytes(b, len) {
-    if (!isBytes$1(b))
-        throw new Error('Uint8Array expected');
-    if (typeof len === 'number')
-        if (b.length !== len)
-            throw new Error(`Uint8Array length ${len} expected`);
-}
-// Compares 2 u8a-s in kinda constant time
-function equalBytes(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
-}
-const wrapCipher = (params, c) => {
-    Object.assign(c, params);
-    return c;
-};
-// Polyfill for Safari 14
-function setBigUint64(view, byteOffset, value, isLE) {
-    if (typeof view.setBigUint64 === 'function')
-        return view.setBigUint64(byteOffset, value, isLE);
-    const _32n = BigInt(32);
-    const _u32_max = BigInt(0xffffffff);
-    const wh = Number((value >> _32n) & _u32_max);
-    const wl = Number(value & _u32_max);
-    const h = 4 ;
-    const l = 0 ;
-    view.setUint32(byteOffset + h, wh, isLE);
-    view.setUint32(byteOffset + l, wl, isLE);
-}
-
-function number(n) {
-    if (!Number.isSafeInteger(n) || n < 0)
-        throw new Error(`wrong positive integer: ${n}`);
-}
-function bool(b) {
-    if (typeof b !== 'boolean')
-        throw new Error(`boolean expected, not ${b}`);
-}
-// TODO: merge with utils
-function isBytes(a) {
-    return (a != null &&
-        typeof a === 'object' &&
-        (a instanceof Uint8Array || a.constructor.name === 'Uint8Array'));
-}
-function bytes(b, ...lengths) {
-    if (!isBytes(b))
-        throw new Error('Uint8Array expected');
-    if (lengths.length > 0 && !lengths.includes(b.length))
-        throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
-}
-function exists(instance, checkFinished = true) {
-    if (instance.destroyed)
-        throw new Error('Hash instance has been destroyed');
-    if (checkFinished && instance.finished)
-        throw new Error('Hash#digest() has already been called');
-}
-function output(out, instance) {
-    bytes(out);
-    const min = instance.outputLen;
-    if (out.length < min) {
-        throw new Error(`digestInto() expects output buffer of length at least ${min}`);
-    }
-}
+const sha256 = aes.sha256;
 
 // Poly1305 is a fast and parallel secret-key message-authentication code.
 // https://cr.yp.to/mac.html, https://cr.yp.to/mac/poly1305-20050329.pdf
@@ -835,8 +273,8 @@ class Poly1305 {
         this.pad = new Uint16Array(8);
         this.pos = 0;
         this.finished = false;
-        key = toBytes(key);
-        ensureBytes(key, 32);
+        key = aes.toBytes(key);
+        aes.ensureBytes(key, 32);
         const t0 = u8to16(key, 0);
         const t1 = u8to16(key, 2);
         const t2 = u8to16(key, 4);
@@ -1015,9 +453,9 @@ class Poly1305 {
         }
     }
     update(data) {
-        exists(this);
+        aes.exists(this);
         const { buffer, blockLen } = this;
-        data = toBytes(data);
+        data = aes.toBytes(data);
         const len = data.length;
         for (let pos = 0; pos < len;) {
             const take = Math.min(blockLen - this.pos, len - pos);
@@ -1044,8 +482,8 @@ class Poly1305 {
         this.pad.fill(0);
     }
     digestInto(out) {
-        exists(this);
-        output(out, this);
+        aes.exists(this);
+        aes.output(out, this);
         this.finished = true;
         const { buffer, h } = this;
         let { pos } = this;
@@ -1073,7 +511,7 @@ class Poly1305 {
     }
 }
 function wrapConstructorWithKey(hashCons) {
-    const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
+    const hashC = (msg, key) => hashCons(key).update(aes.toBytes(msg)).digest();
     const tmp = hashCons(new Uint8Array(32));
     hashC.outputLen = tmp.outputLen;
     hashC.blockLen = tmp.blockLen;
@@ -1117,10 +555,10 @@ xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
 [^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
 [^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
 */
-const sigma16 = utf8ToBytes('expand 16-byte k');
-const sigma32 = utf8ToBytes('expand 32-byte k');
-const sigma16_32 = u32(sigma16);
-const sigma32_32 = u32(sigma32);
+const sigma16 = aes.utf8ToBytes('expand 16-byte k');
+const sigma32 = aes.utf8ToBytes('expand 32-byte k');
+const sigma16_32 = aes.u32(sigma16);
+const sigma32_32 = aes.u32(sigma32);
 function rotl(a, b) {
     return (a << b) | (a >>> (32 - b));
 }
@@ -1138,11 +576,11 @@ const U32_EMPTY = new Uint32Array();
 function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
     const len = data.length;
     const block = new Uint8Array(BLOCK_LEN);
-    const b32 = u32(block);
+    const b32 = aes.u32(block);
     // Make sure that buffers aligned to 4 bytes
     const isAligned = isAligned32(data) && isAligned32(output);
-    const d32 = isAligned ? u32(data) : U32_EMPTY;
-    const o32 = isAligned ? u32(output) : U32_EMPTY;
+    const d32 = isAligned ? aes.u32(data) : U32_EMPTY;
+    const o32 = isAligned ? aes.u32(output) : U32_EMPTY;
     for (let pos = 0; pos < len; counter++) {
         core(sigma, key, nonce, b32, counter, rounds);
         if (counter >= MAX_COUNTER)
@@ -1168,22 +606,22 @@ function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
     }
 }
 function createCipher(core, opts) {
-    const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
+    const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = aes.checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
     if (typeof core !== 'function')
         throw new Error('core must be a function');
-    number(counterLength);
-    number(rounds);
-    bool(counterRight);
-    bool(allowShortKeys);
+    aes.number(counterLength);
+    aes.number(rounds);
+    aes.bool(counterRight);
+    aes.bool(allowShortKeys);
     return (key, nonce, data, output, counter = 0) => {
-        bytes(key);
-        bytes(nonce);
-        bytes(data);
+        aes.bytes(key);
+        aes.bytes(nonce);
+        aes.bytes(data);
         const len = data.length;
         if (!output)
             output = new Uint8Array(len);
-        bytes(output);
-        number(counter);
+        aes.bytes(output);
+        aes.number(counter);
         if (counter < 0 || counter >= MAX_COUNTER)
             throw new Error('arx: counter overflow');
         if (output.length < len)
@@ -1219,12 +657,12 @@ function createCipher(core, opts) {
             nonce = nonce.slice();
             toClean.push(nonce);
         }
-        const k32 = u32(k);
+        const k32 = aes.u32(k);
         // hsalsa & hchacha: handle extended nonce
         if (extendNonceFn) {
             if (nonce.length !== 24)
                 throw new Error(`arx: extended nonce must be 24 bytes`);
-            extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32);
+            extendNonceFn(sigma, k32, aes.u32(nonce.subarray(0, 16)), k32);
             nonce = nonce.subarray(16);
         }
         // Handle nonce counter
@@ -1238,7 +676,7 @@ function createCipher(core, opts) {
             nonce = nc;
             toClean.push(nonce);
         }
-        const n32 = u32(nonce);
+        const n32 = aes.u32(nonce);
         runCipher(core, sigma, k32, n32, data, output, counter, rounds);
         while (toClean.length > 0)
             toClean.pop().fill(0);
@@ -1457,9 +895,9 @@ function computeTag(fn, key, nonce, data, AAD) {
         updatePadded(h, AAD);
     updatePadded(h, data);
     const num = new Uint8Array(16);
-    const view = createView(num);
-    setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true);
-    setBigUint64(view, 8, BigInt(data.length), true);
+    const view = aes.createView(num);
+    aes.setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true);
+    aes.setBigUint64(view, 8, BigInt(data.length), true);
     h.update(num);
     const res = h.digest();
     authKey.fill(0);
@@ -1476,14 +914,14 @@ function computeTag(fn, key, nonce, data, AAD) {
  */
 const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
     const tagLength = 16;
-    ensureBytes(key, 32);
-    ensureBytes(nonce);
+    aes.ensureBytes(key, 32);
+    aes.ensureBytes(nonce);
     return {
         encrypt: (plaintext, output) => {
             const plength = plaintext.length;
             const clength = plength + tagLength;
             if (output) {
-                ensureBytes(output, clength);
+                aes.ensureBytes(output, clength);
             }
             else {
                 output = new Uint8Array(clength);
@@ -1499,7 +937,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
             if (clength < tagLength)
                 throw new Error(`encrypted data must be at least ${tagLength} bytes`);
             if (output) {
-                ensureBytes(output, plength);
+                aes.ensureBytes(output, plength);
             }
             else {
                 output = new Uint8Array(plength);
@@ -1507,7 +945,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
             const data = ciphertext.subarray(0, -tagLength);
             const passedTag = ciphertext.subarray(-tagLength);
             const tag = computeTag(xorStream, key, nonce, data, AAD);
-            if (!equalBytes(passedTag, tag))
+            if (!aes.equalBytes(passedTag, tag))
                 throw new Error('invalid tag');
             xorStream(key, nonce, data, output, 1);
             return output;
@@ -1519,7 +957,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
  * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha
  * With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
  */
-const xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
+const xchacha20poly1305 = /* @__PURE__ */ aes.wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
 
 const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
 
@@ -1540,13 +978,13 @@ function randomBytes(bytesLength = 32) {
 }
 // Uses CSPRG for nonce, nonce injected in ciphertext
 function managedNonce(fn) {
-    number(fn.nonceLength);
+    aes.number(fn.nonceLength);
     return ((key, ...args) => ({
         encrypt: (plaintext, ...argsEnc) => {
             const { nonceLength } = fn;
             const nonce = randomBytes(nonceLength);
             const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc);
-            const out = concatBytes(nonce, ciphertext);
+            const out = aes.concatBytes(nonce, ciphertext);
             ciphertext.fill(0);
             return out;
         },
@@ -1573,9 +1011,180 @@ function managedNonce(fn) {
 // const wcbc2 = managedNonce(managedNonce(cbc));
 // const wecb = managedNonce(ecb);
 
+/**
+ * Concat KDF (Single Step KDF) per NIST SP 800-56A and RFC 7518 §4.6.2.
+ *
+ * Derives a symmetric key from an ECDH shared secret for use in JWE.
+ *
+ * @param sharedSecret - The raw ECDH shared secret (Z)
+ * @param keyBitLength - Desired key length in bits (e.g. 128, 256)
+ * @param algorithmId  - The "enc" value for ECDH-ES or "alg" for ECDH-ES+A*KW
+ * @param apu          - Agreement PartyUInfo (typically empty)
+ * @param apv          - Agreement PartyVInfo (typically empty)
+ * @returns Derived key as Uint8Array
+ */
+function concatKdf(sharedSecret, keyBitLength, algorithmId, apu = new Uint8Array(0), apv = new Uint8Array(0)) {
+    const algIdBytes = new TextEncoder().encode(algorithmId);
+    // Build otherInfo per RFC 7518 §4.6.2:
+    //   AlgorithmID  = len(algId) || algId
+    //   PartyUInfo   = len(apu)   || apu
+    //   PartyVInfo   = len(apv)   || apv
+    //   SuppPubInfo  = keydatalen (32-bit BE, in bits)
+    const otherInfo = concatBytes(uint32BE(algIdBytes.length), algIdBytes, uint32BE(apu.length), apu, uint32BE(apv.length), apv, uint32BE(keyBitLength));
+    const hashLength = 256; // SHA-256 output in bits
+    const reps = Math.ceil(keyBitLength / hashLength);
+    const result = new Uint8Array(reps * 32);
+    for (let counter = 1; counter <= reps; counter++) {
+        const input = concatBytes(uint32BE(counter), sharedSecret, otherInfo);
+        const digest = sha256(input);
+        result.set(digest, (counter - 1) * 32);
+    }
+    return result.slice(0, keyBitLength / 8);
+}
+function uint32BE(value) {
+    const buf = new Uint8Array(4);
+    buf[0] = (value >>> 24) & 0xff;
+    buf[1] = (value >>> 16) & 0xff;
+    buf[2] = (value >>> 8) & 0xff;
+    buf[3] = value & 0xff;
+    return buf;
+}
+function concatBytes(...arrays) {
+    let totalLength = 0;
+    for (const arr of arrays)
+        totalLength += arr.length;
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const arr of arrays) {
+        result.set(arr, offset);
+        offset += arr.length;
+    }
+    return result;
+}
+
+const ENCODER = new TextEncoder();
+const DECODER = new TextDecoder();
+/**
+ * Build a JWE Compact Serialization string using ECDH-ES + A256GCM.
+ *
+ * Uses an ephemeral secp256k1 keypair for key agreement.
+ * The sender's identity key is NOT involved — only the recipient's public key.
+ *
+ * @param recipientPubKey - Recipient's public key (secp256k1 JWK)
+ * @param plaintext       - Data to encrypt
+ * @returns JWE Compact string: header.encryptedKey.iv.ciphertext.tag
+ */
+function buildJweCompact(recipientPubKey, plaintext) {
+    // 1. Generate ephemeral keypair
+    const ephemeralPrivKey = secp__namespace.utils.randomPrivateKey();
+    const ephemeralPubKeyBytes = secp__namespace.getPublicKey(ephemeralPrivKey);
+    // Get uncompressed public key coordinates for the JWE header
+    const ephemeralPubHex = secp__namespace.etc.bytesToHex(ephemeralPubKeyBytes);
+    const curvePoints = secp__namespace.ProjectivePoint.fromHex(ephemeralPubHex);
+    const uncompressed = curvePoints.toRawBytes(false);
+    const epkX = base64url.baseEncode(uncompressed.subarray(1, 33));
+    const epkY = base64url.baseEncode(uncompressed.subarray(33, 65));
+    // 2. Build protected header
+    const header = {
+        alg: 'ECDH-ES',
+        enc: 'A256GCM',
+        epk: {
+            kty: 'EC',
+            crv: 'secp256k1',
+            x: epkX,
+            y: epkY,
+        },
+    };
+    const headerJson = JSON.stringify(header);
+    const headerB64 = base64url.baseEncode(ENCODER.encode(headerJson));
+    // 3. ECDH key agreement: ephemeral private + recipient public
+    const recipientPubBytes = jwkToCompressedBytes(recipientPubKey);
+    const sharedSecret = secp__namespace.getSharedSecret(ephemeralPrivKey, recipientPubBytes);
+    // 4. Derive CEK via Concat KDF (RFC 7518 §4.6.2)
+    // For ECDH-ES (direct), algorithmId = enc value
+    const cek = concatKdf(sharedSecret.slice(1), 256, 'A256GCM');
+    // 5. Generate random 96-bit IV
+    const iv = secp__namespace.utils.randomPrivateKey().slice(0, 12);
+    // 6. Encrypt with AES-256-GCM
+    // AAD = ASCII bytes of the base64url-encoded protected header
+    const aad = ENCODER.encode(headerB64);
+    const cipher = aes.gcm(cek, iv, aad);
+    const encrypted = cipher.encrypt(plaintext); // returns ciphertext || tag
+    // 7. Split ciphertext and tag (tag is last 16 bytes)
+    const ciphertext = encrypted.slice(0, encrypted.length - 16);
+    const tag = encrypted.slice(encrypted.length - 16);
+    // 8. Assemble JWE Compact: header.encryptedKey.iv.ciphertext.tag
+    // For ECDH-ES (direct), encrypted key is empty
+    return [
+        headerB64,
+        '', // empty encrypted key
+        base64url.baseEncode(iv),
+        base64url.baseEncode(ciphertext),
+        base64url.baseEncode(tag),
+    ].join('.');
+}
+/**
+ * Parse and decrypt a JWE Compact Serialization string.
+ *
+ * @param recipientPrivKey - Recipient's private key (secp256k1 JWK)
+ * @param jweCompact       - The JWE Compact string to decrypt
+ * @returns Decrypted plaintext
+ */
+function parseJweCompact(recipientPrivKey, jweCompact) {
+    // 1. Split into 5 parts
+    const parts = jweCompact.split('.');
+    if (parts.length !== 5) {
+        throw new Error('Invalid JWE Compact: expected 5 segments');
+    }
+    const [headerB64, , ivB64, ciphertextB64, tagB64] = parts;
+    // 2. Parse protected header
+    const headerJson = DECODER.decode(base64url.baseDecode(headerB64));
+    const header = JSON.parse(headerJson);
+    if (header.alg !== 'ECDH-ES') {
+        throw new Error(`Unsupported JWE alg: ${header.alg}`);
+    }
+    if (header.enc !== 'A256GCM') {
+        throw new Error(`Unsupported JWE enc: ${header.enc}`);
+    }
+    // 3. Reconstruct ephemeral public key from header
+    const epk = header.epk;
+    const ephemeralPubBytes = jwkToCompressedBytes(epk);
+    // 4. ECDH key agreement: recipient private + ephemeral public
+    const recipientPrivBytes = base64url.baseDecode(recipientPrivKey.d);
+    const sharedSecret = secp__namespace.getSharedSecret(recipientPrivBytes, ephemeralPubBytes);
+    // 5. Derive CEK via Concat KDF
+    const cek = concatKdf(sharedSecret.slice(1), 256, 'A256GCM');
+    // 6. Decrypt with AES-256-GCM
+    const iv = base64url.baseDecode(ivB64);
+    const ciphertext = base64url.baseDecode(ciphertextB64);
+    const tag = base64url.baseDecode(tagB64);
+    // Reassemble ciphertext || tag for @noble/ciphers GCM
+    const encrypted = new Uint8Array(ciphertext.length + tag.length);
+    encrypted.set(ciphertext, 0);
+    encrypted.set(tag, ciphertext.length);
+    const aad = ENCODER.encode(headerB64);
+    const cipher = aes.gcm(cek, iv, aad);
+    return cipher.decrypt(encrypted);
+}
+/**
+ * Detect whether a string is a JWE Compact Serialization.
+ */
+function isJweCompact(ciphertext) {
+    return ciphertext.startsWith('eyJ') && ciphertext.split('.').length === 5;
+}
+/**
+ * Convert a JWK public key to compressed secp256k1 bytes.
+ */
+function jwkToCompressedBytes(jwk) {
+    const xBytes = base64url.baseDecode(jwk.x);
+    const yBytes = base64url.baseDecode(jwk.y);
+    const prefix = yBytes[yBytes.length - 1] % 2 === 0 ? 0x02 : 0x03;
+    return new Uint8Array([prefix, ...xBytes]);
+}
+
 const canonicalize = canonicalizeModule;
 // Polyfill for synchronous signatures
-secp__namespace.etc.hmacSha256Sync = (k, ...m) => hmac(sha256, k, secp__namespace.etc.concatBytes(...m));
+secp__namespace.etc.hmacSha256Sync = (k, ...m) => aes.hmac(sha256, k, secp__namespace.etc.concatBytes(...m));
 class CipherBase {
     generateMnemonic() {
         return bip39__namespace.generateMnemonic();
@@ -1627,16 +1236,27 @@ class CipherBase {
         const signature = secp__namespace.Signature.fromCompact(sigHex);
         return secp__namespace.verify(signature, msgHash, compressedPublicKeyBytes);
     }
-    encryptBytes(pubKey, privKey, data) {
-        const priv = base64url.baseDecode(privKey.d);
-        const pub = this.convertJwkToCompressedBytes(pubKey);
-        const ss = secp__namespace.getSharedSecret(priv, pub);
-        const key = ss.slice(0, 32);
-        const chacha = managedNonce(xchacha20poly1305)(key);
-        const ciphertext = chacha.encrypt(data);
-        return base64url.baseEncode(ciphertext);
+    encryptBytes(recipientPubKey, data) {
+        return buildJweCompact(recipientPubKey, data);
     }
-    decryptBytes(pubKey, privKey, ciphertext) {
+    decryptBytes(recipientPrivKey, ciphertext, legacyPubKey) {
+        if (isJweCompact(ciphertext)) {
+            return parseJweCompact(recipientPrivKey, ciphertext);
+        }
+        if (legacyPubKey) {
+            return this.decryptBytesLegacy(legacyPubKey, recipientPrivKey, ciphertext);
+        }
+        throw new Error('Cannot decrypt: not a JWE and no legacy public key provided. Pass legacyPubKey as the third argument for old ciphertext.');
+    }
+    encryptMessage(recipientPubKey, message) {
+        const data = aes.utf8ToBytes(message);
+        return this.encryptBytes(recipientPubKey, data);
+    }
+    decryptMessage(recipientPrivKey, ciphertext, legacyPubKey) {
+        const data = this.decryptBytes(recipientPrivKey, ciphertext, legacyPubKey);
+        return aes.bytesToUtf8(data);
+    }
+    decryptBytesLegacy(pubKey, privKey, ciphertext) {
         const priv = base64url.baseDecode(privKey.d);
         const pub = this.convertJwkToCompressedBytes(pubKey);
         const ss = secp__namespace.getSharedSecret(priv, pub);
@@ -1645,13 +1265,9 @@ class CipherBase {
         const cipherdata = base64url.baseDecode(ciphertext);
         return chacha.decrypt(cipherdata);
     }
-    encryptMessage(pubKey, privKey, message) {
-        const data = utf8ToBytes(message);
-        return this.encryptBytes(pubKey, privKey, data);
-    }
-    decryptMessage(pubKey, privKey, ciphertext) {
-        const data = this.decryptBytes(pubKey, privKey, ciphertext);
-        return bytesToUtf8(data);
+    decryptMessageLegacy(pubKey, privKey, ciphertext) {
+        const data = this.decryptBytesLegacy(pubKey, privKey, ciphertext);
+        return aes.bytesToUtf8(data);
     }
     hasLeadingZeroBits(hexHash, bits) {
         const binary = BigInt('0x' + hexHash).toString(2).padStart(hexHash.length * 4, '0');