@didcid/gatekeeper 0.3.6 → 0.4.0

package/dist/cjs/gatekeeper.cjs

@@ -38283,7 +38283,7 @@ const toU8 = (a, len) => abytes$1(isStr(a) ? hexToBytes(a) : u8fr(abytes$1(a)),
 const cr = () => globalThis?.crypto; // WebCrypto is available in all modern environments
 const subtle = () => cr()?.subtle ?? err('crypto.subtle must be defined');
 // prettier-ignore
-const concatBytes$1 = (...arrs) => {
+const concatBytes$2 = (...arrs) => {
     const r = u8n(arrs.reduce((sum, a) => sum + abytes$1(a).length, 0)); // create u8a of summed length
     let pad = 0; // walk through each array,
     arrs.forEach(a => { r.set(a, pad); pad += a.length; }); // ensure they have proper type
@@ -38524,8 +38524,8 @@ class Point {
         const { x, y } = this.assertValidity().toAffine();
         const x32b = numTo32b(x);
         if (isCompressed)
-            return concatBytes$1(getPrefix(y), x32b);
-        return concatBytes$1(u8of(0x04), x32b, numTo32b(y));
+            return concatBytes$2(getPrefix(y), x32b);
+        return concatBytes$2(u8of(0x04), x32b, numTo32b(y));
     }
     /** Create 3d xyz point from 2d xy. (0, 0) => (0, 1, 0), not (0, 0, 1) */
     static fromAffine(ap) {
@@ -38599,7 +38599,7 @@ class Signature {
     }
     toBytes() {
         const { r, s } = this;
-        return concatBytes$1(numTo32b(r), numTo32b(s));
+        return concatBytes$2(numTo32b(r), numTo32b(s));
     }
     /** Copy signature, with newly added recovery bit. */
     addRecoveryBit(bit) {
@@ -38691,7 +38691,7 @@ const prepSig = (msgh, priv, opts = signOpts) => {
         }
         return new Signature(r, normS, recovery); // use normS, not s
     };
-    return { seed: concatBytes$1(...seed), k2sig };
+    return { seed: concatBytes$2(...seed), k2sig };
 };
 // HMAC-DRBG from NIST 800-90. Minimal, non-full-spec - used for RFC6979 signatures.
 const hmacDrbg = (asynchronous) => {
@@ -38809,7 +38809,7 @@ const recoverPublicKey = (sig, msgh) => {
     const radj = recovery === 2 || recovery === 3 ? r + N : r;
     afield(radj); // ensure q.x is still a field element
     const head = getPrefix(big(recovery)); // head is 0x02 or 0x03
-    const Rb = concatBytes$1(head, numTo32b(radj)); // concat head + r
+    const Rb = concatBytes$2(head, numTo32b(radj)); // concat head + r
     const R = Point.fromBytes(Rb);
     const ir = invert(radj, N); // r^-1
     const u1 = modN(-h * ir); // -hr^-1
@@ -38842,7 +38842,7 @@ const _sha = 'SHA-256';
 const etc = {
     hexToBytes: hexToBytes,
     bytesToHex: bytesToHex,
-    concatBytes: concatBytes$1,
+    concatBytes: concatBytes$2,
     bytesToNumberBE: bytesToNumBE,
     numberToBytesBE: numTo32b,
     mod: M,
@@ -38851,7 +38851,7 @@ const etc = {
         const s = subtle();
         const name = 'HMAC';
         const k = await s.importKey('raw', key, { name, hash: { name: _sha } }, false, ['sign']);
-        return u8n(await s.sign(name, k, concatBytes$1(...msgs)));
+        return u8n(await s.sign(name, k, concatBytes$2(...msgs)));
     },
     hmacSha256Sync: undefined, // For TypeScript. Actual logic is below
     hashToPrivateKey: hashToPrivateKey,
@@ -39387,6 +39387,7 @@ const sha256$1 = sha256$2;
 
 /*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
 // Cast array to different type
+const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
 const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
 function isBytes$1(a) {
     return (a instanceof Uint8Array ||
@@ -39427,7 +39428,7 @@ function toBytes(data) {
 /**
  * Copies several Uint8Arrays into one.
  */
-function concatBytes(...arrays) {
+function concatBytes$1(...arrays) {
     let sum = 0;
     for (let i = 0; i < arrays.length; i++) {
         const a = arrays[i];
@@ -39479,8 +39480,8 @@ function setBigUint64(view, byteOffset, value, isLE) {
     const _u32_max = BigInt(0xffffffff);
     const wh = Number((value >> _32n) & _u32_max);
     const wl = Number(value & _u32_max);
-    const h = 4 ;
-    const l = 0 ;
+    const h = isLE ? 4 : 0;
+    const l = isLE ? 0 : 4;
     view.setUint32(byteOffset + h, wh, isLE);
     view.setUint32(byteOffset + l, wl, isLE);
 }
@@ -39771,7 +39772,7 @@ class Poly1305 {
         return res;
     }
 }
-function wrapConstructorWithKey(hashCons) {
+function wrapConstructorWithKey$1(hashCons) {
     const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
     const tmp = hashCons(new Uint8Array(32));
     hashC.outputLen = tmp.outputLen;
@@ -39779,7 +39780,7 @@ function wrapConstructorWithKey(hashCons) {
     hashC.create = (key) => hashCons(key);
     return hashC;
 }
-const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
+const poly1305 = wrapConstructorWithKey$1((key) => new Poly1305(key));
 
 // Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
 /*
@@ -40140,17 +40141,17 @@ const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
     extendNonceFn: hchacha,
     allowShortKeys: false,
 });
-const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const ZEROS16$1 = /* @__PURE__ */ new Uint8Array(16);
 // Pad to digest size with zeros
 const updatePadded = (h, msg) => {
     h.update(msg);
     const left = msg.length % 16;
     if (left)
-        h.update(ZEROS16.subarray(left));
+        h.update(ZEROS16$1.subarray(left));
 };
-const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
-function computeTag(fn, key, nonce, data, AAD) {
-    const authKey = fn(key, nonce, ZEROS32);
+const ZEROS32$1 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag$1(fn, key, nonce, data, AAD) {
+    const authKey = fn(key, nonce, ZEROS32$1);
     const h = poly1305.create(authKey);
     if (AAD)
         updatePadded(h, AAD);
@@ -40188,7 +40189,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
                 output = new Uint8Array(clength);
             }
             xorStream(key, nonce, plaintext, output, 1);
-            const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD);
+            const tag = computeTag$1(xorStream, key, nonce, output.subarray(0, -tagLength), AAD);
             output.set(tag, plength); // append tag
             return output;
         },
@@ -40205,7 +40206,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
             }
             const data = ciphertext.subarray(0, -tagLength);
             const passedTag = ciphertext.subarray(-tagLength);
-            const tag = computeTag(xorStream, key, nonce, data, AAD);
+            const tag = computeTag$1(xorStream, key, nonce, data, AAD);
             if (!equalBytes(passedTag, tag))
                 throw new Error('invalid tag');
             xorStream(key, nonce, data, output, 1);
@@ -40245,7 +40246,7 @@ function managedNonce(fn) {
             const { nonceLength } = fn;
             const nonce = randomBytes(nonceLength);
             const ciphertext = fn(key, nonce, ...args).encrypt(plaintext, ...argsEnc);
-            const out = concatBytes(nonce, ciphertext);
+            const out = concatBytes$1(nonce, ciphertext);
             ciphertext.fill(0);
             return out;
         },
@@ -40272,6 +40273,979 @@ function managedNonce(fn) {
 // const wcbc2 = managedNonce(managedNonce(cbc));
 // const wecb = managedNonce(ecb);
 
+// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
+// Implemented in terms of GHash with conversion function for keys
+// GCM GHASH from NIST SP800-38d, SIV from RFC 8452.
+// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
+// GHASH   modulo: x^128 + x^7   + x^2   + x     + 1
+// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
+const BLOCK_SIZE$1 = 16;
+// TODO: rewrite
+// temporary padding buffer
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const ZEROS32 = u32(ZEROS16);
+const POLY$1 = 0xe1; // v = 2*v % POLY
+// v = 2*v % POLY
+// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x
+// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor)
+const mul2$1 = (s0, s1, s2, s3) => {
+    const hiBit = s3 & 1;
+    return {
+        s3: (s2 << 31) | (s3 >>> 1),
+        s2: (s1 << 31) | (s2 >>> 1),
+        s1: (s0 << 31) | (s1 >>> 1),
+        s0: (s0 >>> 1) ^ ((POLY$1 << 24) & -(hiBit & 1)), // reduce % poly
+    };
+};
+const swapLE = (n) => (((n >>> 0) & 0xff) << 24) |
+    (((n >>> 8) & 0xff) << 16) |
+    (((n >>> 16) & 0xff) << 8) |
+    ((n >>> 24) & 0xff) |
+    0;
+/**
+ * `mulX_POLYVAL(ByteReverse(H))` from spec
+ * @param k mutated in place
+ */
+function _toGHASHKey(k) {
+    k.reverse();
+    const hiBit = k[15] & 1;
+    // k >>= 1
+    let carry = 0;
+    for (let i = 0; i < k.length; i++) {
+        const t = k[i];
+        k[i] = (t >>> 1) | carry;
+        carry = (t & 1) << 7;
+    }
+    k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000;
+    return k;
+}
+const estimateWindow = (bytes) => {
+    if (bytes > 64 * 1024)
+        return 8;
+    if (bytes > 1024)
+        return 4;
+    return 2;
+};
+class GHASH {
+    // We select bits per window adaptively based on expectedLength
+    constructor(key, expectedLength) {
+        this.blockLen = BLOCK_SIZE$1;
+        this.outputLen = BLOCK_SIZE$1;
+        this.s0 = 0;
+        this.s1 = 0;
+        this.s2 = 0;
+        this.s3 = 0;
+        this.finished = false;
+        key = toBytes(key);
+        ensureBytes(key, 16);
+        const kView = createView(key);
+        let k0 = kView.getUint32(0, false);
+        let k1 = kView.getUint32(4, false);
+        let k2 = kView.getUint32(8, false);
+        let k3 = kView.getUint32(12, false);
+        // generate table of doubled keys (half of montgomery ladder)
+        const doubles = [];
+        for (let i = 0; i < 128; i++) {
+            doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
+            ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2$1(k0, k1, k2, k3));
+        }
+        const W = estimateWindow(expectedLength || 1024);
+        if (![1, 2, 4, 8].includes(W))
+            throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`);
+        this.W = W;
+        const bits = 128; // always 128 bits;
+        const windows = bits / W;
+        const windowSize = (this.windowSize = 2 ** W);
+        const items = [];
+        // Create precompute table for window of W bits
+        for (let w = 0; w < windows; w++) {
+            // truth table: 00, 01, 10, 11
+            for (let byte = 0; byte < windowSize; byte++) {
+                // prettier-ignore
+                let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
+                for (let j = 0; j < W; j++) {
+                    const bit = (byte >>> (W - j - 1)) & 1;
+                    if (!bit)
+                        continue;
+                    const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
+                    (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3);
+                }
+                items.push({ s0, s1, s2, s3 });
+            }
+        }
+        this.t = items;
+    }
+    _updateBlock(s0, s1, s2, s3) {
+        (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3);
+        const { W, t, windowSize } = this;
+        // prettier-ignore
+        let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
+        const mask = (1 << W) - 1; // 2**W will kill performance.
+        let w = 0;
+        for (const num of [s0, s1, s2, s3]) {
+            for (let bytePos = 0; bytePos < 4; bytePos++) {
+                const byte = (num >>> (8 * bytePos)) & 0xff;
+                for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
+                    const bit = (byte >>> (W * bitPos)) & mask;
+                    const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
+                    (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3);
+                    w += 1;
+                }
+            }
+        }
+        this.s0 = o0;
+        this.s1 = o1;
+        this.s2 = o2;
+        this.s3 = o3;
+    }
+    update(data) {
+        data = toBytes(data);
+        exists(this);
+        const b32 = u32(data);
+        const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+        const left = data.length % BLOCK_SIZE$1;
+        for (let i = 0; i < blocks; i++) {
+            this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
+        }
+        if (left) {
+            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+            this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
+            ZEROS32.fill(0); // clean tmp buffer
+        }
+        return this;
+    }
+    destroy() {
+        const { t } = this;
+        // clean precompute table
+        for (const elm of t) {
+            (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0);
+        }
+    }
+    digestInto(out) {
+        exists(this);
+        output(out, this);
+        this.finished = true;
+        const { s0, s1, s2, s3 } = this;
+        const o32 = u32(out);
+        o32[0] = s0;
+        o32[1] = s1;
+        o32[2] = s2;
+        o32[3] = s3;
+        return out;
+    }
+    digest() {
+        const res = new Uint8Array(BLOCK_SIZE$1);
+        this.digestInto(res);
+        this.destroy();
+        return res;
+    }
+}
+class Polyval extends GHASH {
+    constructor(key, expectedLength) {
+        key = toBytes(key);
+        const ghKey = _toGHASHKey(key.slice());
+        super(ghKey, expectedLength);
+        ghKey.fill(0);
+    }
+    update(data) {
+        data = toBytes(data);
+        exists(this);
+        const b32 = u32(data);
+        const left = data.length % BLOCK_SIZE$1;
+        const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+        for (let i = 0; i < blocks; i++) {
+            this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
+        }
+        if (left) {
+            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+            this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
+            ZEROS32.fill(0); // clean tmp buffer
+        }
+        return this;
+    }
+    digestInto(out) {
+        exists(this);
+        output(out, this);
+        this.finished = true;
+        // tmp ugly hack
+        const { s0, s1, s2, s3 } = this;
+        const o32 = u32(out);
+        o32[0] = s0;
+        o32[1] = s1;
+        o32[2] = s2;
+        o32[3] = s3;
+        return out.reverse();
+    }
+}
+function wrapConstructorWithKey(hashCons) {
+    const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest();
+    const tmp = hashCons(new Uint8Array(16), 0);
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
+    return hashC;
+}
+const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
+const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
+
+// AES (Advanced Encryption Standard) aka Rijndael block cipher.
+//
+// Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256bit). Every round:
+// 1. **S-box**, table substitution
+// 2. **Shift rows**, cyclic shift left of all rows of data array
+// 3. **Mix columns**, multiplying every column by fixed polynomial
+// 4. **Add round key**, round_key xor i-th column of array
+//
+// Resources:
+// - FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf
+// - Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
+const BLOCK_SIZE = 16;
+const BLOCK_SIZE32 = 4;
+const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE);
+const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8
+// TODO: remove multiplication, binary ops only
+function mul2(n) {
+    return (n << 1) ^ (POLY & -(n >> 7));
+}
+function mul(a, b) {
+    let res = 0;
+    for (; b > 0; b >>= 1) {
+        // Montgomery ladder
+        res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time).
+        a = mul2(a); // a = 2*a
+    }
+    return res;
+}
+// AES S-box is generated using finite field inversion,
+// an affine transform, and xor of a constant 0x63.
+const _sbox = /* @__PURE__ */ (() => {
+    let t = new Uint8Array(256);
+    for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))
+        t[i] = x;
+    const sbox = new Uint8Array(256);
+    sbox[0] = 0x63; // first elm
+    for (let i = 0; i < 255; i++) {
+        let x = t[255 - i];
+        x |= x << 8;
+        sbox[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff;
+    }
+    return sbox;
+})();
+// Inverted S-box
+const _inv_sbox = /* @__PURE__ */ _sbox.map((_, j) => _sbox.indexOf(j));
+// Rotate u32 by 8
+const rotr32_8 = (n) => (n << 24) | (n >>> 8);
+const rotl32_8 = (n) => (n << 8) | (n >>> 24);
+// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes:
+// - LE instead of BE
+// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23;
+//   so index is u16, instead of u8. This speeds up things, unexpectedly
+function genTtable(sbox, fn) {
+    if (sbox.length !== 256)
+        throw new Error('Wrong sbox length');
+    const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j]));
+    const T1 = T0.map(rotl32_8);
+    const T2 = T1.map(rotl32_8);
+    const T3 = T2.map(rotl32_8);
+    const T01 = new Uint32Array(256 * 256);
+    const T23 = new Uint32Array(256 * 256);
+    const sbox2 = new Uint16Array(256 * 256);
+    for (let i = 0; i < 256; i++) {
+        for (let j = 0; j < 256; j++) {
+            const idx = i * 256 + j;
+            T01[idx] = T0[i] ^ T1[j];
+            T23[idx] = T2[i] ^ T3[j];
+            sbox2[idx] = (sbox[i] << 8) | sbox[j];
+        }
+    }
+    return { sbox, sbox2, T0, T1, T2, T3, T01, T23 };
+}
+const TABLE_ENC = /* @__PURE__ */ genTtable(_sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2));
+const TABLE_DEC = /* @__PURE__ */ genTtable(_inv_sbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14));
+const POWX = /* @__PURE__ */ (() => {
+    const p = new Uint8Array(16);
+    for (let i = 0, x = 1; i < 16; i++, x = mul2(x))
+        p[i] = x;
+    return p;
+})();
+function expandKeyLE(key) {
+    ensureBytes(key);
+    const len = key.length;
+    if (![16, 24, 32].includes(len))
+        throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`);
+    const { sbox2 } = TABLE_ENC;
+    const k32 = u32(key);
+    const Nk = k32.length;
+    const subByte = (n) => applySbox(sbox2, n, n, n, n);
+    const xk = new Uint32Array(len + 28); // expanded key
+    xk.set(k32);
+    // 4.3.1 Key expansion
+    for (let i = Nk; i < xk.length; i++) {
+        let t = xk[i - 1];
+        if (i % Nk === 0)
+            t = subByte(rotr32_8(t)) ^ POWX[i / Nk - 1];
+        else if (Nk > 6 && i % Nk === 4)
+            t = subByte(t);
+        xk[i] = xk[i - Nk] ^ t;
+    }
+    return xk;
+}
+function expandKeyDecLE(key) {
+    const encKey = expandKeyLE(key);
+    const xk = encKey.slice();
+    const Nk = encKey.length;
+    const { sbox2 } = TABLE_ENC;
+    const { T0, T1, T2, T3 } = TABLE_DEC;
+    // Inverse key by chunks of 4 (rounds)
+    for (let i = 0; i < Nk; i += 4) {
+        for (let j = 0; j < 4; j++)
+            xk[i + j] = encKey[Nk - i - 4 + j];
+    }
+    encKey.fill(0);
+    // apply InvMixColumn except first & last round
+    for (let i = 4; i < Nk - 4; i++) {
+        const x = xk[i];
+        const w = applySbox(sbox2, x, x, x, x);
+        xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24];
+    }
+    return xk;
+}
+// Apply tables
+function apply0123(T01, T23, s0, s1, s2, s3) {
+    return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^
+        T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]);
+}
+function applySbox(sbox2, s0, s1, s2, s3) {
+    return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
+        (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
+}
+function encrypt(xk, s0, s1, s2, s3) {
+    const { sbox2, T01, T23 } = TABLE_ENC;
+    let k = 0;
+    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
+    const rounds = xk.length / 4 - 2;
+    for (let i = 0; i < rounds; i++) {
+        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
+        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
+        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
+        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
+        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
+    }
+    // last round (without mixcolumns, so using SBOX2 table)
+    const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
+    const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
+    const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
+    const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
+    return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function decrypt(xk, s0, s1, s2, s3) {
+    const { sbox2, T01, T23 } = TABLE_DEC;
+    let k = 0;
+    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
+    const rounds = xk.length / 4 - 2;
+    for (let i = 0; i < rounds; i++) {
+        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1);
+        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2);
+        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3);
+        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0);
+        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
+    }
+    // Last round
+    const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1);
+    const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2);
+    const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3);
+    const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0);
+    return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function getDst(len, dst) {
+    if (!dst)
+        return new Uint8Array(len);
+    ensureBytes(dst);
+    if (dst.length < len)
+        throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`);
+    return dst;
+}
+// TODO: investigate merging with ctr32
+function ctrCounter(xk, nonce, src, dst) {
+    ensureBytes(nonce, BLOCK_SIZE);
+    ensureBytes(src);
+    const srcLen = src.length;
+    dst = getDst(srcLen, dst);
+    const ctr = nonce;
+    const c32 = u32(ctr);
+    // Fill block (empty, ctr=0)
+    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+    const src32 = u32(src);
+    const dst32 = u32(dst);
+    // process blocks
+    for (let i = 0; i + 4 <= src32.length; i += 4) {
+        dst32[i + 0] = src32[i + 0] ^ s0;
+        dst32[i + 1] = src32[i + 1] ^ s1;
+        dst32[i + 2] = src32[i + 2] ^ s2;
+        dst32[i + 3] = src32[i + 3] ^ s3;
+        // Full 128 bit counter with wrap around
+        let carry = 1;
+        for (let i = ctr.length - 1; i >= 0; i--) {
+            carry = (carry + (ctr[i] & 0xff)) | 0;
+            ctr[i] = carry & 0xff;
+            carry >>>= 8;
+        }
+        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+    }
+    // leftovers (less than block)
+    // It's possible to handle > u32 fast, but is it worth it?
+    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
+    if (start < srcLen) {
+        const b32 = new Uint32Array([s0, s1, s2, s3]);
+        const buf = u8(b32);
+        for (let i = start, pos = 0; i < srcLen; i++, pos++)
+            dst[i] = src[i] ^ buf[pos];
+    }
+    return dst;
+}
+// AES CTR with overflowing 32 bit counter
+// It's possible to do 32le significantly simpler (and probably faster) by using u32.
+// But, we need both, and perf bottleneck is in ghash anyway.
+function ctr32(xk, isLE, nonce, src, dst) {
+    ensureBytes(nonce, BLOCK_SIZE);
+    ensureBytes(src);
+    dst = getDst(src.length, dst);
+    const ctr = nonce; // write new value to nonce, so it can be re-used
+    const c32 = u32(ctr);
+    const view = createView(ctr);
+    const src32 = u32(src);
+    const dst32 = u32(dst);
+    const ctrPos = isLE ? 0 : 12;
+    const srcLen = src.length;
+    // Fill block (empty, ctr=0)
+    let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
+    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+    // process blocks
+    for (let i = 0; i + 4 <= src32.length; i += 4) {
+        dst32[i + 0] = src32[i + 0] ^ s0;
+        dst32[i + 1] = src32[i + 1] ^ s1;
+        dst32[i + 2] = src32[i + 2] ^ s2;
+        dst32[i + 3] = src32[i + 3] ^ s3;
+        ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
+        view.setUint32(ctrPos, ctrNum, isLE);
+        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+    }
+    // leftovers (less than a block)
+    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
+    if (start < srcLen) {
+        const b32 = new Uint32Array([s0, s1, s2, s3]);
+        const buf = u8(b32);
+        for (let i = start, pos = 0; i < srcLen; i++, pos++)
+            dst[i] = src[i] ^ buf[pos];
+    }
+    return dst;
+}
+/**
+ * CTR: counter mode. Creates stream cipher.
+ * Requires good IV. Parallelizable. OK, but no MAC.
+ */
+wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) {
+    ensureBytes(key);
+    ensureBytes(nonce, BLOCK_SIZE);
+    function processCtr(buf, dst) {
+        const xk = expandKeyLE(key);
+        const n = nonce.slice();
+        const out = ctrCounter(xk, n, buf, dst);
+        xk.fill(0);
+        n.fill(0);
+        return out;
+    }
+    return {
+        encrypt: (plaintext, dst) => processCtr(plaintext, dst),
+        decrypt: (ciphertext, dst) => processCtr(ciphertext, dst),
+    };
+});
+function validateBlockDecrypt(data) {
+    ensureBytes(data);
+    if (data.length % BLOCK_SIZE !== 0) {
+        throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`);
+    }
+}
+function validateBlockEncrypt(plaintext, pcks5, dst) {
+    let outLen = plaintext.length;
+    const remaining = outLen % BLOCK_SIZE;
+    if (!pcks5 && remaining !== 0)
+        throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding');
+    const b = u32(plaintext);
+    if (pcks5) {
+        let left = BLOCK_SIZE - remaining;
+        if (!left)
+            left = BLOCK_SIZE; // if no bytes left, create empty padding block
+        outLen = outLen + left;
+    }
+    const out = getDst(outLen, dst);
+    const o = u32(out);
+    return { b, o, out };
+}
+function validatePCKS(data, pcks5) {
+    if (!pcks5)
+        return data;
+    const len = data.length;
+    if (!len)
+        throw new Error(`aes/pcks5: empty ciphertext not allowed`);
+    const lastByte = data[len - 1];
+    if (lastByte <= 0 || lastByte > 16)
+        throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`);
+    const out = data.subarray(0, -lastByte);
+    for (let i = 0; i < lastByte; i++)
+        if (data[len - i - 1] !== lastByte)
+            throw new Error(`aes/pcks5: wrong padding`);
+    return out;
+}
+function padPCKS(left) {
+    const tmp = new Uint8Array(16);
+    const tmp32 = u32(tmp);
+    tmp.set(left);
+    const paddingByte = BLOCK_SIZE - left.length;
+    for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++)
+        tmp[i] = paddingByte;
+    return tmp32;
+}
+/**
+ * ECB: Electronic CodeBook. Simple deterministic replacement.
+ * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
+ */
+wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) {
+    ensureBytes(key);
+    const pcks5 = !opts.disablePadding;
+    return {
+        encrypt: (plaintext, dst) => {
+            ensureBytes(plaintext);
+            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
+            const xk = expandKeyLE(key);
+            let i = 0;
+            for (; i + 4 <= b.length;) {
+                const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            if (pcks5) {
+                const tmp32 = padPCKS(plaintext.subarray(i * 4));
+                const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return _out;
+        },
+        decrypt: (ciphertext, dst) => {
+            validateBlockDecrypt(ciphertext);
+            const xk = expandKeyDecLE(key);
+            const out = getDst(ciphertext.length, dst);
+            const b = u32(ciphertext);
+            const o = u32(out);
+            for (let i = 0; i + 4 <= b.length;) {
+                const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return validatePCKS(out, pcks5);
+        },
+    };
+});
+/**
+ * CBC: Cipher-Block-Chaining. Key is previous round’s block.
+ * Fragile: needs proper padding. Unauthenticated: needs MAC.
+ */
+wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) {
+    ensureBytes(key);
+    ensureBytes(iv, 16);
+    const pcks5 = !opts.disablePadding;
+    return {
+        encrypt: (plaintext, dst) => {
+            const xk = expandKeyLE(key);
+            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
+            const n32 = u32(iv);
+            // prettier-ignore
+            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
+            let i = 0;
+            for (; i + 4 <= b.length;) {
+                (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
+                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            if (pcks5) {
+                const tmp32 = padPCKS(plaintext.subarray(i * 4));
+                (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
+                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return _out;
+        },
+        decrypt: (ciphertext, dst) => {
+            validateBlockDecrypt(ciphertext);
+            const xk = expandKeyDecLE(key);
+            const n32 = u32(iv);
+            const out = getDst(ciphertext.length, dst);
+            const b = u32(ciphertext);
+            const o = u32(out);
+            // prettier-ignore
+            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
+            for (let i = 0; i + 4 <= b.length;) {
+                // prettier-ignore
+                const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
+                (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
+                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3);
+                (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
+            }
+            xk.fill(0);
+            return validatePCKS(out, pcks5);
+        },
+    };
+});
+// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen
+function computeTag(fn, isLE, key, data, AAD) {
+    const h = fn.create(key, data.length + (AAD?.length || 0));
+    if (AAD)
+        h.update(AAD);
+    h.update(data);
+    const num = new Uint8Array(16);
+    const view = createView(num);
+    if (AAD)
+        setBigUint64(view, 0, BigInt(AAD.length * 8), isLE);
+    setBigUint64(view, 8, BigInt(data.length * 8), isLE);
+    h.update(num);
+    return h.digest();
+}
+/**
+ * GCM: Galois/Counter Mode.
+ * Good, modern version of CTR, parallel, with MAC.
+ * Be careful: MACs can be forged.
+ */
+const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) {
+    ensureBytes(nonce);
+    // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure.
+    if (nonce.length === 0)
+        throw new Error('aes/gcm: empty nonce');
+    const tagLength = 16;
+    function _computeTag(authKey, tagMask, data) {
+        const tag = computeTag(ghash, false, authKey, data, AAD);
+        for (let i = 0; i < tagMask.length; i++)
+            tag[i] ^= tagMask[i];
+        return tag;
+    }
+    function deriveKeys() {
+        const xk = expandKeyLE(key);
+        const authKey = EMPTY_BLOCK.slice();
+        const counter = EMPTY_BLOCK.slice();
+        ctr32(xk, false, counter, counter, authKey);
+        if (nonce.length === 12) {
+            counter.set(nonce);
+        }
+        else {
+            // Spec (NIST 800-38d) supports variable size nonce.
+            // Not supported for now, but can be useful.
+            const nonceLen = EMPTY_BLOCK.slice();
+            const view = createView(nonceLen);
+            setBigUint64(view, 8, BigInt(nonce.length * 8), false);
+            // ghash(nonce || u64be(0) || u64be(nonceLen*8))
+            ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter);
+        }
+        const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
+        return { xk, authKey, counter, tagMask };
+    }
+    return {
+        encrypt: (plaintext) => {
+            ensureBytes(plaintext);
+            const { xk, authKey, counter, tagMask } = deriveKeys();
+            const out = new Uint8Array(plaintext.length + tagLength);
+            ctr32(xk, false, counter, plaintext, out);
+            const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
+            out.set(tag, plaintext.length);
+            xk.fill(0);
+            return out;
+        },
+        decrypt: (ciphertext) => {
+            ensureBytes(ciphertext);
+            if (ciphertext.length < tagLength)
+                throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`);
+            const { xk, authKey, counter, tagMask } = deriveKeys();
+            const data = ciphertext.subarray(0, -tagLength);
+            const passedTag = ciphertext.subarray(-tagLength);
+            const tag = _computeTag(authKey, tagMask, data);
+            if (!equalBytes(tag, passedTag))
+                throw new Error('aes/gcm: invalid ghash tag');
+            const out = ctr32(xk, false, counter, data);
+            authKey.fill(0);
+            tagMask.fill(0);
+            xk.fill(0);
+            return out;
+        },
+    };
+});
+const limit = (name, min, max) => (value) => {
+    if (!Number.isSafeInteger(value) || min > value || value > max)
+        throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`);
+};
+/**
+ * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
+ * Guarantees that, when a nonce is repeated, the only security loss is that identical
+ * plaintexts will produce identical ciphertexts.
+ * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
+ */
+wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) {
+    const tagLength = 16;
+    // From RFC 8452: Section 6
+    const AAD_LIMIT = limit('AAD', 0, 2 ** 36);
+    const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36);
+    const NONCE_LIMIT = limit('nonce', 12, 12);
+    const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16);
+    ensureBytes(nonce);
+    NONCE_LIMIT(nonce.length);
+    if (AAD) {
+        ensureBytes(AAD);
+        AAD_LIMIT(AAD.length);
+    }
+    function deriveKeys() {
+        const len = key.length;
+        if (len !== 16 && len !== 24 && len !== 32)
+            throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`);
+        const xk = expandKeyLE(key);
+        const encKey = new Uint8Array(len);
+        const authKey = new Uint8Array(16);
+        const n32 = u32(nonce);
+        // prettier-ignore
+        let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2];
+        let counter = 0;
+        for (const derivedKey of [authKey, encKey].map(u32)) {
+            const d32 = u32(derivedKey);
+            for (let i = 0; i < d32.length; i += 2) {
+                // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ...
+                const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3);
+                d32[i + 0] = o0;
+                d32[i + 1] = o1;
+                s0 = ++counter; // increment counter inside state
+            }
+        }
+        xk.fill(0);
+        return { authKey, encKey: expandKeyLE(encKey) };
+    }
+    function _computeTag(encKey, authKey, data) {
+        const tag = computeTag(polyval, true, authKey, data, AAD);
+        // Compute the expected tag by XORing S_s and the nonce, clearing the
+        // most significant bit of the last byte and encrypting with the
+        // message-encryption key.
+        for (let i = 0; i < 12; i++)
+            tag[i] ^= nonce[i];
+        tag[15] &= 0x7f; // Clear the highest bit
+        // encrypt tag as block
+        const t32 = u32(tag);
+        // prettier-ignore
+        let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3];
+        ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3));
+        (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3);
+        return tag;
+    }
+    // actual decrypt/encrypt of message.
+    function processSiv(encKey, tag, input) {
+        let block = tag.slice();
+        block[15] |= 0x80; // Force highest bit
+        return ctr32(encKey, true, block, input);
+    }
+    return {
+        encrypt: (plaintext) => {
+            ensureBytes(plaintext);
+            PLAIN_LIMIT(plaintext.length);
+            const { encKey, authKey } = deriveKeys();
+            const tag = _computeTag(encKey, authKey, plaintext);
+            const out = new Uint8Array(plaintext.length + tagLength);
+            out.set(tag, plaintext.length);
+            out.set(processSiv(encKey, tag, plaintext));
+            encKey.fill(0);
+            authKey.fill(0);
+            return out;
+        },
+        decrypt: (ciphertext) => {
+            ensureBytes(ciphertext);
+            CIPHER_LIMIT(ciphertext.length);
+            const tag = ciphertext.subarray(-tagLength);
+            const { encKey, authKey } = deriveKeys();
+            const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength));
+            const expectedTag = _computeTag(encKey, authKey, plaintext);
+            encKey.fill(0);
+            authKey.fill(0);
+            if (!equalBytes(tag, expectedTag))
+                throw new Error('invalid polyval tag');
+            return plaintext;
+        },
+    };
+});
+
+/**
+ * Concat KDF (Single Step KDF) per NIST SP 800-56A and RFC 7518 §4.6.2.
+ *
+ * Derives a symmetric key from an ECDH shared secret for use in JWE.
+ *
+ * @param sharedSecret - The raw ECDH shared secret (Z)
+ * @param keyBitLength - Desired key length in bits (e.g. 128, 256)
+ * @param algorithmId  - The "enc" value for ECDH-ES or "alg" for ECDH-ES+A*KW
+ * @param apu          - Agreement PartyUInfo (typically empty)
+ * @param apv          - Agreement PartyVInfo (typically empty)
+ * @returns Derived key as Uint8Array
+ */
+function concatKdf(sharedSecret, keyBitLength, algorithmId, apu = new Uint8Array(0), apv = new Uint8Array(0)) {
+    const algIdBytes = new TextEncoder().encode(algorithmId);
+    // Build otherInfo per RFC 7518 §4.6.2:
+    //   AlgorithmID  = len(algId) || algId
+    //   PartyUInfo   = len(apu)   || apu
+    //   PartyVInfo   = len(apv)   || apv
+    //   SuppPubInfo  = keydatalen (32-bit BE, in bits)
+    const otherInfo = concatBytes(uint32BE(algIdBytes.length), algIdBytes, uint32BE(apu.length), apu, uint32BE(apv.length), apv, uint32BE(keyBitLength));
+    const hashLength = 256; // SHA-256 output in bits
+    const reps = Math.ceil(keyBitLength / hashLength);
+    const result = new Uint8Array(reps * 32);
+    for (let counter = 1; counter <= reps; counter++) {
+        const input = concatBytes(uint32BE(counter), sharedSecret, otherInfo);
+        const digest = sha256$1(input);
+        result.set(digest, (counter - 1) * 32);
+    }
+    return result.slice(0, keyBitLength / 8);
+}
+function uint32BE(value) {
+    const buf = new Uint8Array(4);
+    buf[0] = (value >>> 24) & 0xff;
+    buf[1] = (value >>> 16) & 0xff;
+    buf[2] = (value >>> 8) & 0xff;
+    buf[3] = value & 0xff;
+    return buf;
+}
+function concatBytes(...arrays) {
+    let totalLength = 0;
+    for (const arr of arrays)
+        totalLength += arr.length;
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const arr of arrays) {
+        result.set(arr, offset);
+        offset += arr.length;
+    }
+    return result;
+}
+
+const ENCODER = new TextEncoder();
+const DECODER = new TextDecoder();
+/**
+ * Build a JWE Compact Serialization string using ECDH-ES + A256GCM.
+ *
+ * Uses an ephemeral secp256k1 keypair for key agreement.
+ * The sender's identity key is NOT involved — only the recipient's public key.
+ *
+ * @param recipientPubKey - Recipient's public key (secp256k1 JWK)
+ * @param plaintext       - Data to encrypt
+ * @returns JWE Compact string: header.encryptedKey.iv.ciphertext.tag
+ */
+function buildJweCompact(recipientPubKey, plaintext) {
+    // 1. Generate ephemeral keypair
+    const ephemeralPrivKey = utils.randomPrivateKey();
+    const ephemeralPubKeyBytes = getPublicKey(ephemeralPrivKey);
+    // Get uncompressed public key coordinates for the JWE header
+    const ephemeralPubHex = etc.bytesToHex(ephemeralPubKeyBytes);
+    const curvePoints = Point.fromHex(ephemeralPubHex);
+    const uncompressed = curvePoints.toRawBytes(false);
+    const epkX = base64url.baseEncode(uncompressed.subarray(1, 33));
+    const epkY = base64url.baseEncode(uncompressed.subarray(33, 65));
+    // 2. Build protected header
+    const header = {
+        alg: 'ECDH-ES',
+        enc: 'A256GCM',
+        epk: {
+            kty: 'EC',
+            crv: 'secp256k1',
+            x: epkX,
+            y: epkY,
+        },
+    };
+    const headerJson = JSON.stringify(header);
+    const headerB64 = base64url.baseEncode(ENCODER.encode(headerJson));
+    // 3. ECDH key agreement: ephemeral private + recipient public
+    const recipientPubBytes = jwkToCompressedBytes(recipientPubKey);
+    const sharedSecret = getSharedSecret(ephemeralPrivKey, recipientPubBytes);
+    // 4. Derive CEK via Concat KDF (RFC 7518 §4.6.2)
+    // For ECDH-ES (direct), algorithmId = enc value
+    const cek = concatKdf(sharedSecret.slice(1), 256, 'A256GCM');
+    // 5. Generate random 96-bit IV
+    const iv = utils.randomPrivateKey().slice(0, 12);
+    // 6. Encrypt with AES-256-GCM
+    // AAD = ASCII bytes of the base64url-encoded protected header
+    const aad = ENCODER.encode(headerB64);
+    const cipher = gcm(cek, iv, aad);
+    const encrypted = cipher.encrypt(plaintext); // returns ciphertext || tag
+    // 7. Split ciphertext and tag (tag is last 16 bytes)
+    const ciphertext = encrypted.slice(0, encrypted.length - 16);
+    const tag = encrypted.slice(encrypted.length - 16);
+    // 8. Assemble JWE Compact: header.encryptedKey.iv.ciphertext.tag
+    // For ECDH-ES (direct), encrypted key is empty
+    return [
+        headerB64,
+        '', // empty encrypted key
+        base64url.baseEncode(iv),
+        base64url.baseEncode(ciphertext),
+        base64url.baseEncode(tag),
+    ].join('.');
+}
+/**
+ * Parse and decrypt a JWE Compact Serialization string.
+ *
+ * @param recipientPrivKey - Recipient's private key (secp256k1 JWK)
+ * @param jweCompact       - The JWE Compact string to decrypt
+ * @returns Decrypted plaintext
+ */
+function parseJweCompact(recipientPrivKey, jweCompact) {
+    // 1. Split into 5 parts
+    const parts = jweCompact.split('.');
+    if (parts.length !== 5) {
+        throw new Error('Invalid JWE Compact: expected 5 segments');
+    }
+    const [headerB64, , ivB64, ciphertextB64, tagB64] = parts;
+    // 2. Parse protected header
+    const headerJson = DECODER.decode(base64url.baseDecode(headerB64));
+    const header = JSON.parse(headerJson);
+    if (header.alg !== 'ECDH-ES') {
+        throw new Error(`Unsupported JWE alg: ${header.alg}`);
+    }
+    if (header.enc !== 'A256GCM') {
+        throw new Error(`Unsupported JWE enc: ${header.enc}`);
+    }
+    // 3. Reconstruct ephemeral public key from header
+    const epk = header.epk;
+    const ephemeralPubBytes = jwkToCompressedBytes(epk);
+    // 4. ECDH key agreement: recipient private + ephemeral public
+    const recipientPrivBytes = base64url.baseDecode(recipientPrivKey.d);
+    const sharedSecret = getSharedSecret(recipientPrivBytes, ephemeralPubBytes);
+    // 5. Derive CEK via Concat KDF
+    const cek = concatKdf(sharedSecret.slice(1), 256, 'A256GCM');
+    // 6. Decrypt with AES-256-GCM
+    const iv = base64url.baseDecode(ivB64);
+    const ciphertext = base64url.baseDecode(ciphertextB64);
+    const tag = base64url.baseDecode(tagB64);
+    // Reassemble ciphertext || tag for @noble/ciphers GCM
+    const encrypted = new Uint8Array(ciphertext.length + tag.length);
+    encrypted.set(ciphertext, 0);
+    encrypted.set(tag, ciphertext.length);
+    const aad = ENCODER.encode(headerB64);
+    const cipher = gcm(cek, iv, aad);
+    return cipher.decrypt(encrypted);
+}
+/**
+ * Detect whether a string is a JWE Compact Serialization.
+ */
+function isJweCompact(ciphertext) {
+    return ciphertext.startsWith('eyJ') && ciphertext.split('.').length === 5;
+}
+/**
+ * Convert a JWK public key to compressed secp256k1 bytes.
+ */
+function jwkToCompressedBytes(jwk) {
+    const xBytes = base64url.baseDecode(jwk.x);
+    const yBytes = base64url.baseDecode(jwk.y);
+    const prefix = yBytes[yBytes.length - 1] % 2 === 0 ? 0x02 : 0x03;
+    return new Uint8Array([prefix, ...xBytes]);
+}
+
 const canonicalize = canonicalizeModule;
 // Polyfill for synchronous signatures
 etc.hmacSha256Sync = (k, ...m) => hmac(sha256$1, k, etc.concatBytes(...m));
@@ -40326,16 +41300,27 @@ class CipherBase {
         const signature = Signature.fromCompact(sigHex);
         return verify(signature, msgHash, compressedPublicKeyBytes);
     }
-    encryptBytes(pubKey, privKey, data) {
-        const priv = base64url.baseDecode(privKey.d);
-        const pub = this.convertJwkToCompressedBytes(pubKey);
-        const ss = getSharedSecret(priv, pub);
-        const key = ss.slice(0, 32);
-        const chacha = managedNonce(xchacha20poly1305)(key);
-        const ciphertext = chacha.encrypt(data);
-        return base64url.baseEncode(ciphertext);
+    encryptBytes(recipientPubKey, data) {
+        return buildJweCompact(recipientPubKey, data);
+    }
+    decryptBytes(recipientPrivKey, ciphertext, legacyPubKey) {
+        if (isJweCompact(ciphertext)) {
+            return parseJweCompact(recipientPrivKey, ciphertext);
+        }
+        if (legacyPubKey) {
+            return this.decryptBytesLegacy(legacyPubKey, recipientPrivKey, ciphertext);
+        }
+        throw new Error('Cannot decrypt: not a JWE and no legacy public key provided. Pass legacyPubKey as the third argument for old ciphertext.');
     }
-    decryptBytes(pubKey, privKey, ciphertext) {
+    encryptMessage(recipientPubKey, message) {
+        const data = utf8ToBytes(message);
+        return this.encryptBytes(recipientPubKey, data);
+    }
+    decryptMessage(recipientPrivKey, ciphertext, legacyPubKey) {
+        const data = this.decryptBytes(recipientPrivKey, ciphertext, legacyPubKey);
+        return bytesToUtf8(data);
+    }
+    decryptBytesLegacy(pubKey, privKey, ciphertext) {
         const priv = base64url.baseDecode(privKey.d);
         const pub = this.convertJwkToCompressedBytes(pubKey);
         const ss = getSharedSecret(priv, pub);
@@ -40344,12 +41329,8 @@ class CipherBase {
         const cipherdata = base64url.baseDecode(ciphertext);
         return chacha.decrypt(cipherdata);
     }
-    encryptMessage(pubKey, privKey, message) {
-        const data = utf8ToBytes(message);
-        return this.encryptBytes(pubKey, privKey, data);
-    }
-    decryptMessage(pubKey, privKey, ciphertext) {
-        const data = this.decryptBytes(pubKey, privKey, ciphertext);
+    decryptMessageLegacy(pubKey, privKey, ciphertext) {
+        const data = this.decryptBytesLegacy(pubKey, privKey, ciphertext);
         return bytesToUtf8(data);
     }
     hasLeadingZeroBits(hexHash, bits) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@didcid/gatekeeper",
-  "version": "0.3.6",
+  "version": "0.4.0",
   "description": "Archon Gatekeeper",
   "type": "module",
   "module": "./dist/esm/index.js",
@@ -106,7 +106,7 @@
   "author": "David McFadzean <davidmc@gmail.com>",
   "license": "MIT",
   "dependencies": {
-    "@didcid/cipher": "^0.1.3",
+    "@didcid/cipher": "^0.2.0",
     "@didcid/common": "^0.1.3",
     "@didcid/ipfs": "^0.1.3",
     "axios": "^1.7.7",
@@ -124,5 +124,5 @@
   "devDependencies": {
     "@rollup/plugin-json": "^6.1.0"
   },
-  "gitHead": "2f8305e87026fc82787fabb06d6dab419e77679b"
+  "gitHead": "4692cc18e1377cafc96aaf7a55cd969a0b09b77c"
 }