@didcid/keymaster 0.3.10 → 0.4.0

package/dist/cjs/keymaster.cjs

@@ -6,7 +6,6 @@ var imageSize = require('image-size');
 var fileType = require('file-type');
 var db_typeGuards = require('./db/typeGuards.cjs');
 require('crypto');
-var encryption = require('./encryption.cjs');
 
 function equals$1(aa, bb) {
     if (aa === bb) {
@@ -1082,6 +1081,1582 @@ function isValidDID(did) {
     return isValidCID(suffix);
 }
 
+const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
+
+/**
+ * Utilities for hex, bytes, CSPRNG.
+ * @module
+ */
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
+// node.js versions earlier than v19 don't declare it in global scope.
+// For node.js, package.json#exports field mapping rewrites import
+// from `crypto` to `cryptoNode`, which imports native module.
+// Makes the utils un-importable in browsers without a bundler.
+// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes$2(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+/** Asserts something is positive integer. */
+function anumber(n) {
+    if (!Number.isSafeInteger(n) || n < 0)
+        throw new Error('positive integer expected, got ' + n);
+}
+/** Asserts something is Uint8Array. */
+function abytes(b, ...lengths) {
+    if (!isBytes$2(b))
+        throw new Error('Uint8Array expected');
+    if (lengths.length > 0 && !lengths.includes(b.length))
+        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
+}
+/** Asserts something is hash */
+function ahash(h) {
+    if (typeof h !== 'function' || typeof h.create !== 'function')
+        throw new Error('Hash should be wrapped by utils.createHasher');
+    anumber(h.outputLen);
+    anumber(h.blockLen);
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+    abytes(out);
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error('digestInto() expects output buffer of length at least ' + min);
+    }
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView$1(arr) {
+    return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/**
+ * There is no setImmediate in browser and setTimeout is slow.
+ * Call of async fn will return Promise, which will be fullfiled only on
+ * next scheduler queue processing step and this is exactly what we need.
+ */
+const nextTick = async () => { };
+/** Returns control to thread each 'tick' ms to avoid blocking. */
+async function asyncLoop(iters, tick, cb) {
+    let ts = Date.now();
+    for (let i = 0; i < iters; i++) {
+        cb(i);
+        // Date.now() is not monotonic, so in case if clock goes backwards we return return control too
+        const diff = Date.now() - ts;
+        if (diff >= 0 && diff < tick)
+            continue;
+        await nextTick();
+        ts += diff;
+    }
+}
+/**
+ * Converts string to bytes using UTF8 encoding.
+ * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+ */
+function utf8ToBytes$1(str) {
+    if (typeof str !== 'string')
+        throw new Error('string expected');
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+/**
+ * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+ * Warning: when Uint8Array is passed, it would NOT get copied.
+ * Keep in mind for future mutable operations.
+ */
+function toBytes$1(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes$1(data);
+    abytes(data);
+    return data;
+}
+/**
+ * Helper for KDFs: consumes uint8array or string.
+ * When string is passed, does utf8 decoding, using TextDecoder.
+ */
+function kdfInputToBytes(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes$1(data);
+    abytes(data);
+    return data;
+}
+function checkOpts(defaults, opts) {
+    if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')
+        throw new Error('options should be object or undefined');
+    const merged = Object.assign(defaults, opts);
+    return merged;
+}
+/** For runtime check if class implements interface */
+class Hash {
+}
+/** Wraps hash function, creating an interface on top of it */
+function createHasher(hashCons) {
+    const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
+    const tmp = hashCons();
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = () => hashCons();
+    return hashC;
+}
+/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
+function randomBytes(bytesLength = 32) {
+    if (crypto && typeof crypto.getRandomValues === 'function') {
+        return crypto.getRandomValues(new Uint8Array(bytesLength));
+    }
+    // Legacy Node.js compatibility
+    if (crypto && typeof crypto.randomBytes === 'function') {
+        return Uint8Array.from(crypto.randomBytes(bytesLength));
+    }
+    throw new Error('crypto.getRandomValues must be defined');
+}
+
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @module
+ */
+class HMAC extends Hash {
+    constructor(hash, _key) {
+        super();
+        this.finished = false;
+        this.destroyed = false;
+        ahash(hash);
+        const key = toBytes$1(_key);
+        this.iHash = hash.create();
+        if (typeof this.iHash.update !== 'function')
+            throw new Error('Expected instance of class which extends utils.Hash');
+        this.blockLen = this.iHash.blockLen;
+        this.outputLen = this.iHash.outputLen;
+        const blockLen = this.blockLen;
+        const pad = new Uint8Array(blockLen);
+        // blockLen can be bigger than outputLen
+        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36;
+        this.iHash.update(pad);
+        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+        this.oHash = hash.create();
+        // Undo internal XOR && apply outer XOR
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36 ^ 0x5c;
+        this.oHash.update(pad);
+        clean(pad);
+    }
+    update(buf) {
+        aexists(this);
+        this.iHash.update(buf);
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        abytes(out, this.outputLen);
+        this.finished = true;
+        this.iHash.digestInto(out);
+        this.oHash.update(out);
+        this.oHash.digestInto(out);
+        this.destroy();
+    }
+    digest() {
+        const out = new Uint8Array(this.oHash.outputLen);
+        this.digestInto(out);
+        return out;
+    }
+    _cloneInto(to) {
+        // Create new instance without calling constructor since key already in state and we don't know it.
+        to || (to = Object.create(Object.getPrototypeOf(this), {}));
+        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+        to = to;
+        to.finished = finished;
+        to.destroyed = destroyed;
+        to.blockLen = blockLen;
+        to.outputLen = outputLen;
+        to.oHash = oHash._cloneInto(to.oHash);
+        to.iHash = iHash._cloneInto(to.iHash);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    destroy() {
+        this.destroyed = true;
+        this.oHash.destroy();
+        this.iHash.destroy();
+    }
+}
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @param hash - function that would be used e.g. sha256
+ * @param key - message key
+ * @param message - message data
+ * @example
+ * import { hmac } from '@noble/hashes/hmac';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * const mac1 = hmac(sha256, 'key', 'message');
+ */
+const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new HMAC(hash, key);
+
+/**
+ * PBKDF (RFC 2898). Can be used to create a key from password and salt.
+ * @module
+ */
+// Common prologue and epilogue for sync/async functions
+function pbkdf2Init(hash, _password, _salt, _opts) {
+    ahash(hash);
+    const opts = checkOpts({ dkLen: 32, asyncTick: 10 }, _opts);
+    const { c, dkLen, asyncTick } = opts;
+    anumber(c);
+    anumber(dkLen);
+    anumber(asyncTick);
+    if (c < 1)
+        throw new Error('iterations (c) should be >= 1');
+    const password = kdfInputToBytes(_password);
+    const salt = kdfInputToBytes(_salt);
+    // DK = PBKDF2(PRF, Password, Salt, c, dkLen);
+    const DK = new Uint8Array(dkLen);
+    // U1 = PRF(Password, Salt + INT_32_BE(i))
+    const PRF = hmac.create(hash, password);
+    const PRFSalt = PRF._cloneInto().update(salt);
+    return { c, dkLen, asyncTick, DK, PRF, PRFSalt };
+}
+function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
+    PRF.destroy();
+    PRFSalt.destroy();
+    if (prfW)
+        prfW.destroy();
+    clean(u);
+    return DK;
+}
+/**
+ * PBKDF2-HMAC: RFC 2898 key derivation function. Async version.
+ * @example
+ * await pbkdf2Async(sha256, 'password', 'salt', { dkLen: 32, c: 500_000 });
+ */
+async function pbkdf2Async(hash, password, salt, opts) {
+    const { c, dkLen, asyncTick, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
+    let prfW; // Working copy
+    const arr = new Uint8Array(4);
+    const view = createView$1(arr);
+    const u = new Uint8Array(PRF.outputLen);
+    // DK = T1 + T2 + ⋯ + Tdklen/hlen
+    for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
+        // Ti = F(Password, Salt, c, i)
+        const Ti = DK.subarray(pos, pos + PRF.outputLen);
+        view.setInt32(0, ti, false);
+        // F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
+        // U1 = PRF(Password, Salt + INT_32_BE(i))
+        (prfW = PRFSalt._cloneInto(prfW)).update(arr).digestInto(u);
+        Ti.set(u.subarray(0, Ti.length));
+        await asyncLoop(c - 1, asyncTick, () => {
+            // Uc = PRF(Password, Uc−1)
+            PRF._cloneInto(prfW).update(u).digestInto(u);
+            for (let i = 0; i < Ti.length; i++)
+                Ti[i] ^= u[i];
+        });
+    }
+    return pbkdf2Output(PRF, PRFSalt, DK, prfW, u);
+}
+
+/**
+ * Internal Merkle-Damgard hash utils.
+ * @module
+ */
+/** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
+function setBigUint64$1(view, byteOffset, value, isLE) {
+    if (typeof view.setBigUint64 === 'function')
+        return view.setBigUint64(byteOffset, value, isLE);
+    const _32n = BigInt(32);
+    const _u32_max = BigInt(0xffffffff);
+    const wh = Number((value >> _32n) & _u32_max);
+    const wl = Number(value & _u32_max);
+    const h = isLE ? 4 : 0;
+    const l = isLE ? 0 : 4;
+    view.setUint32(byteOffset + h, wh, isLE);
+    view.setUint32(byteOffset + l, wl, isLE);
+}
+/**
+ * Merkle-Damgard hash construction base class.
+ * Could be used to create MD5, RIPEMD, SHA1, SHA2.
+ */
+class HashMD extends Hash {
+    constructor(blockLen, outputLen, padOffset, isLE) {
+        super();
+        this.finished = false;
+        this.length = 0;
+        this.pos = 0;
+        this.destroyed = false;
+        this.blockLen = blockLen;
+        this.outputLen = outputLen;
+        this.padOffset = padOffset;
+        this.isLE = isLE;
+        this.buffer = new Uint8Array(blockLen);
+        this.view = createView$1(this.buffer);
+    }
+    update(data) {
+        aexists(this);
+        data = toBytes$1(data);
+        abytes(data);
+        const { view, buffer, blockLen } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            // Fast path: we have at least one block in input, cast it to view and process
+            if (take === blockLen) {
+                const dataView = createView$1(data);
+                for (; blockLen <= len - pos; pos += blockLen)
+                    this.process(dataView, pos);
+                continue;
+            }
+            buffer.set(data.subarray(pos, pos + take), this.pos);
+            this.pos += take;
+            pos += take;
+            if (this.pos === blockLen) {
+                this.process(view, 0);
+                this.pos = 0;
+            }
+        }
+        this.length += data.length;
+        this.roundClean();
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        aoutput(out, this);
+        this.finished = true;
+        // Padding
+        // We can avoid allocation of buffer for padding completely if it
+        // was previously not allocated here. But it won't change performance.
+        const { buffer, view, blockLen, isLE } = this;
+        let { pos } = this;
+        // append the bit '1' to the message
+        buffer[pos++] = 0b10000000;
+        clean(this.buffer.subarray(pos));
+        // we have less than padOffset left in buffer, so we cannot put length in
+        // current block, need process it and pad again
+        if (this.padOffset > blockLen - pos) {
+            this.process(view, 0);
+            pos = 0;
+        }
+        // Pad until full block byte with zeros
+        for (let i = pos; i < blockLen; i++)
+            buffer[i] = 0;
+        // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
+        // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
+        // So we just write lowest 64 bits of that value.
+        setBigUint64$1(view, blockLen - 8, BigInt(this.length * 8), isLE);
+        this.process(view, 0);
+        const oview = createView$1(out);
+        const len = this.outputLen;
+        // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
+        if (len % 4)
+            throw new Error('_sha2: outputLen should be aligned to 32bit');
+        const outLen = len / 4;
+        const state = this.get();
+        if (outLen > state.length)
+            throw new Error('_sha2: outputLen bigger than state');
+        for (let i = 0; i < outLen; i++)
+            oview.setUint32(4 * i, state[i], isLE);
+    }
+    digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+    }
+    _cloneInto(to) {
+        to || (to = new this.constructor());
+        to.set(...this.get());
+        const { blockLen, buffer, length, finished, destroyed, pos } = this;
+        to.destroyed = destroyed;
+        to.finished = finished;
+        to.length = length;
+        to.pos = pos;
+        if (length % blockLen)
+            to.buffer.set(buffer);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+}
+/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */
+const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
+    0x6a09e667, 0xf3bcc908, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1,
+    0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179,
+]);
+
+/**
+ * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
+ * @todo re-check https://issues.chromium.org/issues/42212588
+ * @module
+ */
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+    if (le)
+        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
+    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+    const len = lst.length;
+    let Ah = new Uint32Array(len);
+    let Al = new Uint32Array(len);
+    for (let i = 0; i < len; i++) {
+        const { h, l } = fromBig(lst[i], le);
+        [Ah[i], Al[i]] = [h, l];
+    }
+    return [Ah, Al];
+}
+// for Shift in [0, 32)
+const shrSH = (h, _l, s) => h >>> s;
+const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in [1, 32)
+const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
+const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
+// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
+const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
+const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
+// JS uses 32-bit signed integers for bitwise operations which means we cannot
+// simple take carry out of low bit sum by shift, we need to use division.
+function add(Ah, Al, Bh, Bl) {
+    const l = (Al >>> 0) + (Bl >>> 0);
+    return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
+}
+// Addition with more than 2 elements
+const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
+const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
+const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
+
+/**
+ * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
+ * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
+ * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
+ * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * @module
+ */
+// SHA2-512 is slower than sha256 in js because u64 operations are slow.
+// Round contants
+// First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409
+// prettier-ignore
+const K512 = /* @__PURE__ */ (() => split([
+    '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
+    '0x3956c25bf348b538', '0x59f111f1b605d019', '0x923f82a4af194f9b', '0xab1c5ed5da6d8118',
+    '0xd807aa98a3030242', '0x12835b0145706fbe', '0x243185be4ee4b28c', '0x550c7dc3d5ffb4e2',
+    '0x72be5d74f27b896f', '0x80deb1fe3b1696b1', '0x9bdc06a725c71235', '0xc19bf174cf692694',
+    '0xe49b69c19ef14ad2', '0xefbe4786384f25e3', '0x0fc19dc68b8cd5b5', '0x240ca1cc77ac9c65',
+    '0x2de92c6f592b0275', '0x4a7484aa6ea6e483', '0x5cb0a9dcbd41fbd4', '0x76f988da831153b5',
+    '0x983e5152ee66dfab', '0xa831c66d2db43210', '0xb00327c898fb213f', '0xbf597fc7beef0ee4',
+    '0xc6e00bf33da88fc2', '0xd5a79147930aa725', '0x06ca6351e003826f', '0x142929670a0e6e70',
+    '0x27b70a8546d22ffc', '0x2e1b21385c26c926', '0x4d2c6dfc5ac42aed', '0x53380d139d95b3df',
+    '0x650a73548baf63de', '0x766a0abb3c77b2a8', '0x81c2c92e47edaee6', '0x92722c851482353b',
+    '0xa2bfe8a14cf10364', '0xa81a664bbc423001', '0xc24b8b70d0f89791', '0xc76c51a30654be30',
+    '0xd192e819d6ef5218', '0xd69906245565a910', '0xf40e35855771202a', '0x106aa07032bbd1b8',
+    '0x19a4c116b8d2d0c8', '0x1e376c085141ab53', '0x2748774cdf8eeb99', '0x34b0bcb5e19b48a8',
+    '0x391c0cb3c5c95a63', '0x4ed8aa4ae3418acb', '0x5b9cca4f7763e373', '0x682e6ff3d6b2b8a3',
+    '0x748f82ee5defb2fc', '0x78a5636f43172f60', '0x84c87814a1f0ab72', '0x8cc702081a6439ec',
+    '0x90befffa23631e28', '0xa4506cebde82bde9', '0xbef9a3f7b2c67915', '0xc67178f2e372532b',
+    '0xca273eceea26619c', '0xd186b8c721c0c207', '0xeada7dd6cde0eb1e', '0xf57d4f7fee6ed178',
+    '0x06f067aa72176fba', '0x0a637dc5a2c898a6', '0x113f9804bef90dae', '0x1b710b35131c471b',
+    '0x28db77f523047d84', '0x32caab7b40c72493', '0x3c9ebe0a15c9bebc', '0x431d67c49c100d4c',
+    '0x4cc5d4becb3e42b6', '0x597f299cfc657e2a', '0x5fcb6fab3ad6faec', '0x6c44198c4a475817'
+].map(n => BigInt(n))))();
+const SHA512_Kh = /* @__PURE__ */ (() => K512[0])();
+const SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
+// Reusable temporary buffers
+const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
+class SHA512 extends HashMD {
+    constructor(outputLen = 64) {
+        super(128, outputLen, 16, false);
+        // We cannot use array here since array allows indexing by variable
+        // which means optimizer/compiler cannot use registers.
+        // h -- high 32 bits, l -- low 32 bits
+        this.Ah = SHA512_IV[0] | 0;
+        this.Al = SHA512_IV[1] | 0;
+        this.Bh = SHA512_IV[2] | 0;
+        this.Bl = SHA512_IV[3] | 0;
+        this.Ch = SHA512_IV[4] | 0;
+        this.Cl = SHA512_IV[5] | 0;
+        this.Dh = SHA512_IV[6] | 0;
+        this.Dl = SHA512_IV[7] | 0;
+        this.Eh = SHA512_IV[8] | 0;
+        this.El = SHA512_IV[9] | 0;
+        this.Fh = SHA512_IV[10] | 0;
+        this.Fl = SHA512_IV[11] | 0;
+        this.Gh = SHA512_IV[12] | 0;
+        this.Gl = SHA512_IV[13] | 0;
+        this.Hh = SHA512_IV[14] | 0;
+        this.Hl = SHA512_IV[15] | 0;
+    }
+    // prettier-ignore
+    get() {
+        const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
+    }
+    // prettier-ignore
+    set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
+        this.Ah = Ah | 0;
+        this.Al = Al | 0;
+        this.Bh = Bh | 0;
+        this.Bl = Bl | 0;
+        this.Ch = Ch | 0;
+        this.Cl = Cl | 0;
+        this.Dh = Dh | 0;
+        this.Dl = Dl | 0;
+        this.Eh = Eh | 0;
+        this.El = El | 0;
+        this.Fh = Fh | 0;
+        this.Fl = Fl | 0;
+        this.Gh = Gh | 0;
+        this.Gl = Gl | 0;
+        this.Hh = Hh | 0;
+        this.Hl = Hl | 0;
+    }
+    process(view, offset) {
+        // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array
+        for (let i = 0; i < 16; i++, offset += 4) {
+            SHA512_W_H[i] = view.getUint32(offset);
+            SHA512_W_L[i] = view.getUint32((offset += 4));
+        }
+        for (let i = 16; i < 80; i++) {
+            // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)
+            const W15h = SHA512_W_H[i - 15] | 0;
+            const W15l = SHA512_W_L[i - 15] | 0;
+            const s0h = rotrSH(W15h, W15l, 1) ^ rotrSH(W15h, W15l, 8) ^ shrSH(W15h, W15l, 7);
+            const s0l = rotrSL(W15h, W15l, 1) ^ rotrSL(W15h, W15l, 8) ^ shrSL(W15h, W15l, 7);
+            // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)
+            const W2h = SHA512_W_H[i - 2] | 0;
+            const W2l = SHA512_W_L[i - 2] | 0;
+            const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
+            const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
+            // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
+            const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
+            const SUMh = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
+            SHA512_W_H[i] = SUMh | 0;
+            SHA512_W_L[i] = SUMl | 0;
+        }
+        let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        // Compression function main loop, 80 rounds
+        for (let i = 0; i < 80; i++) {
+            // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)
+            const sigma1h = rotrSH(Eh, El, 14) ^ rotrSH(Eh, El, 18) ^ rotrBH(Eh, El, 41);
+            const sigma1l = rotrSL(Eh, El, 14) ^ rotrSL(Eh, El, 18) ^ rotrBL(Eh, El, 41);
+            //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
+            const CHIh = (Eh & Fh) ^ (~Eh & Gh);
+            const CHIl = (El & Fl) ^ (~El & Gl);
+            // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]
+            // prettier-ignore
+            const T1ll = add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
+            const T1h = add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
+            const T1l = T1ll | 0;
+            // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)
+            const sigma0h = rotrSH(Ah, Al, 28) ^ rotrBH(Ah, Al, 34) ^ rotrBH(Ah, Al, 39);
+            const sigma0l = rotrSL(Ah, Al, 28) ^ rotrBL(Ah, Al, 34) ^ rotrBL(Ah, Al, 39);
+            const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
+            const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
+            Hh = Gh | 0;
+            Hl = Gl | 0;
+            Gh = Fh | 0;
+            Gl = Fl | 0;
+            Fh = Eh | 0;
+            Fl = El | 0;
+            ({ h: Eh, l: El } = add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
+            Dh = Ch | 0;
+            Dl = Cl | 0;
+            Ch = Bh | 0;
+            Cl = Bl | 0;
+            Bh = Ah | 0;
+            Bl = Al | 0;
+            const All = add3L(T1l, sigma0l, MAJl);
+            Ah = add3H(All, T1h, sigma0h, MAJh);
+            Al = All | 0;
+        }
+        // Add the compressed chunk to the current hash value
+        ({ h: Ah, l: Al } = add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
+        ({ h: Bh, l: Bl } = add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
+        ({ h: Ch, l: Cl } = add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
+        ({ h: Dh, l: Dl } = add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
+        ({ h: Eh, l: El } = add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
+        ({ h: Fh, l: Fl } = add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
+        ({ h: Gh, l: Gl } = add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
+        ({ h: Hh, l: Hl } = add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
+        this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+    }
+    roundClean() {
+        clean(SHA512_W_H, SHA512_W_L);
+    }
+    destroy() {
+        clean(this.buffer);
+        this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+    }
+}
+/** SHA2-512 hash function from RFC 4634. */
+const sha512$1 = /* @__PURE__ */ createHasher(() => new SHA512());
+
+/**
+ * SHA2-512 a.k.a. sha512 and sha384. It is slower than sha256 in js because u64 operations are slow.
+ *
+ * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
+ * [the paper on truncated SHA512/256](https://eprint.iacr.org/2010/548.pdf).
+ * @module
+ * @deprecated
+ */
+/** @deprecated Use import from `noble/hashes/sha2` module */
+const sha512 = sha512$1;
+
+/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+// Cast array to different type
+const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
+const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+function isBytes$1(a) {
+    return (a instanceof Uint8Array ||
+        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
+}
+// Cast array to view
+const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+// big-endian hardware is rare. Just in case someone still decides to run ciphers:
+// early-throw an error because we don't support BE yet.
+const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;
+if (!isLE)
+    throw new Error('Non little-endian hardware is not supported');
+/**
+ * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ */
+function utf8ToBytes(str) {
+    if (typeof str !== 'string')
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+/**
+ * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+ * Warning: when Uint8Array is passed, it would NOT get copied.
+ * Keep in mind for future mutable operations.
+ */
+function toBytes(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes(data);
+    else if (isBytes$1(data))
+        data = data.slice();
+    else
+        throw new Error(`expected Uint8Array, got ${typeof data}`);
+    return data;
+}
+function ensureBytes(b, len) {
+    if (!isBytes$1(b))
+        throw new Error('Uint8Array expected');
+    if (typeof len === 'number')
+        if (b.length !== len)
+            throw new Error(`Uint8Array length ${len} expected`);
+}
+// Compares 2 u8a-s in kinda constant time
+function equalBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+const wrapCipher = (params, c) => {
+    Object.assign(c, params);
+    return c;
+};
+// Polyfill for Safari 14
+function setBigUint64(view, byteOffset, value, isLE) {
+    if (typeof view.setBigUint64 === 'function')
+        return view.setBigUint64(byteOffset, value, isLE);
+    const _32n = BigInt(32);
+    const _u32_max = BigInt(0xffffffff);
+    const wh = Number((value >> _32n) & _u32_max);
+    const wl = Number(value & _u32_max);
+    const h = isLE ? 4 : 0;
+    const l = isLE ? 0 : 4;
+    view.setUint32(byteOffset + h, wh, isLE);
+    view.setUint32(byteOffset + l, wl, isLE);
+}
+
+// TODO: merge with utils
+function isBytes(a) {
+    return (a != null &&
+        typeof a === 'object' &&
+        (a instanceof Uint8Array || a.constructor.name === 'Uint8Array'));
+}
+function bytes(b, ...lengths) {
+    if (!isBytes(b))
+        throw new Error('Uint8Array expected');
+    if (lengths.length > 0 && !lengths.includes(b.length))
+        throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
+}
+function exists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+function output(out, instance) {
+    bytes(out);
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error(`digestInto() expects output buffer of length at least ${min}`);
+    }
+}
+
+// GHash from AES-GCM and its little-endian "mirror image" Polyval from AES-SIV.
+// Implemented in terms of GHash with conversion function for keys
+// GCM GHASH from NIST SP800-38d, SIV from RFC 8452.
+// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
+// GHASH   modulo: x^128 + x^7   + x^2   + x     + 1
+// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1
+const BLOCK_SIZE$1 = 16;
+// TODO: rewrite
+// temporary padding buffer
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const ZEROS32 = u32(ZEROS16);
+const POLY$1 = 0xe1; // v = 2*v % POLY
+// v = 2*v % POLY
+// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x
+// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor)
+const mul2$1 = (s0, s1, s2, s3) => {
+    const hiBit = s3 & 1;
+    return {
+        s3: (s2 << 31) | (s3 >>> 1),
+        s2: (s1 << 31) | (s2 >>> 1),
+        s1: (s0 << 31) | (s1 >>> 1),
+        s0: (s0 >>> 1) ^ ((POLY$1 << 24) & -(hiBit & 1)), // reduce % poly
+    };
+};
+const swapLE = (n) => (((n >>> 0) & 0xff) << 24) |
+    (((n >>> 8) & 0xff) << 16) |
+    (((n >>> 16) & 0xff) << 8) |
+    ((n >>> 24) & 0xff) |
+    0;
+/**
+ * `mulX_POLYVAL(ByteReverse(H))` from spec
+ * @param k mutated in place
+ */
+function _toGHASHKey(k) {
+    k.reverse();
+    const hiBit = k[15] & 1;
+    // k >>= 1
+    let carry = 0;
+    for (let i = 0; i < k.length; i++) {
+        const t = k[i];
+        k[i] = (t >>> 1) | carry;
+        carry = (t & 1) << 7;
+    }
+    k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000;
+    return k;
+}
+const estimateWindow = (bytes) => {
+    if (bytes > 64 * 1024)
+        return 8;
+    if (bytes > 1024)
+        return 4;
+    return 2;
+};
+class GHASH {
+    // We select bits per window adaptively based on expectedLength
+    constructor(key, expectedLength) {
+        this.blockLen = BLOCK_SIZE$1;
+        this.outputLen = BLOCK_SIZE$1;
+        this.s0 = 0;
+        this.s1 = 0;
+        this.s2 = 0;
+        this.s3 = 0;
+        this.finished = false;
+        key = toBytes(key);
+        ensureBytes(key, 16);
+        const kView = createView(key);
+        let k0 = kView.getUint32(0, false);
+        let k1 = kView.getUint32(4, false);
+        let k2 = kView.getUint32(8, false);
+        let k3 = kView.getUint32(12, false);
+        // generate table of doubled keys (half of montgomery ladder)
+        const doubles = [];
+        for (let i = 0; i < 128; i++) {
+            doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
+            ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2$1(k0, k1, k2, k3));
+        }
+        const W = estimateWindow(expectedLength || 1024);
+        if (![1, 2, 4, 8].includes(W))
+            throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`);
+        this.W = W;
+        const bits = 128; // always 128 bits;
+        const windows = bits / W;
+        const windowSize = (this.windowSize = 2 ** W);
+        const items = [];
+        // Create precompute table for window of W bits
+        for (let w = 0; w < windows; w++) {
+            // truth table: 00, 01, 10, 11
+            for (let byte = 0; byte < windowSize; byte++) {
+                // prettier-ignore
+                let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
+                for (let j = 0; j < W; j++) {
+                    const bit = (byte >>> (W - j - 1)) & 1;
+                    if (!bit)
+                        continue;
+                    const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
+                    (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3);
+                }
+                items.push({ s0, s1, s2, s3 });
+            }
+        }
+        this.t = items;
+    }
+    _updateBlock(s0, s1, s2, s3) {
+        (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3);
+        const { W, t, windowSize } = this;
+        // prettier-ignore
+        let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
+        const mask = (1 << W) - 1; // 2**W will kill performance.
+        let w = 0;
+        for (const num of [s0, s1, s2, s3]) {
+            for (let bytePos = 0; bytePos < 4; bytePos++) {
+                const byte = (num >>> (8 * bytePos)) & 0xff;
+                for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
+                    const bit = (byte >>> (W * bitPos)) & mask;
+                    const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
+                    (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3);
+                    w += 1;
+                }
+            }
+        }
+        this.s0 = o0;
+        this.s1 = o1;
+        this.s2 = o2;
+        this.s3 = o3;
+    }
+    update(data) {
+        data = toBytes(data);
+        exists(this);
+        const b32 = u32(data);
+        const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+        const left = data.length % BLOCK_SIZE$1;
+        for (let i = 0; i < blocks; i++) {
+            this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
+        }
+        if (left) {
+            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+            this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
+            ZEROS32.fill(0); // clean tmp buffer
+        }
+        return this;
+    }
+    destroy() {
+        const { t } = this;
+        // clean precompute table
+        for (const elm of t) {
+            (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0);
+        }
+    }
+    digestInto(out) {
+        exists(this);
+        output(out, this);
+        this.finished = true;
+        const { s0, s1, s2, s3 } = this;
+        const o32 = u32(out);
+        o32[0] = s0;
+        o32[1] = s1;
+        o32[2] = s2;
+        o32[3] = s3;
+        return out;
+    }
+    digest() {
+        const res = new Uint8Array(BLOCK_SIZE$1);
+        this.digestInto(res);
+        this.destroy();
+        return res;
+    }
+}
+class Polyval extends GHASH {
+    constructor(key, expectedLength) {
+        key = toBytes(key);
+        const ghKey = _toGHASHKey(key.slice());
+        super(ghKey, expectedLength);
+        ghKey.fill(0);
+    }
+    update(data) {
+        data = toBytes(data);
+        exists(this);
+        const b32 = u32(data);
+        const left = data.length % BLOCK_SIZE$1;
+        const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+        for (let i = 0; i < blocks; i++) {
+            this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
+        }
+        if (left) {
+            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+            this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
+            ZEROS32.fill(0); // clean tmp buffer
+        }
+        return this;
+    }
+    digestInto(out) {
+        exists(this);
+        output(out, this);
+        this.finished = true;
+        // tmp ugly hack
+        const { s0, s1, s2, s3 } = this;
+        const o32 = u32(out);
+        o32[0] = s0;
+        o32[1] = s1;
+        o32[2] = s2;
+        o32[3] = s3;
+        return out.reverse();
+    }
+}
+function wrapConstructorWithKey(hashCons) {
+    const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest();
+    const tmp = hashCons(new Uint8Array(16), 0);
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
+    return hashC;
+}
+const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
+const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
+
+// AES (Advanced Encryption Standard) aka Rijndael block cipher.
+//
+// Data is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256bit). Every round:
+// 1. **S-box**, table substitution
+// 2. **Shift rows**, cyclic shift left of all rows of data array
+// 3. **Mix columns**, multiplying every column by fixed polynomial
+// 4. **Add round key**, round_key xor i-th column of array
+//
+// Resources:
+// - FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf
+// - Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
+const BLOCK_SIZE = 16;
+const BLOCK_SIZE32 = 4;
+const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE);
+const POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8
+// TODO: remove multiplication, binary ops only
+function mul2(n) {
+    return (n << 1) ^ (POLY & -(n >> 7));
+}
+function mul(a, b) {
+    let res = 0;
+    for (; b > 0; b >>= 1) {
+        // Montgomery ladder
+        res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time).
+        a = mul2(a); // a = 2*a
+    }
+    return res;
+}
+// AES S-box is generated using finite field inversion,
+// an affine transform, and xor of a constant 0x63.
+const _sbox = /* @__PURE__ */ (() => {
+    let t = new Uint8Array(256);
+    for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))
+        t[i] = x;
+    const sbox = new Uint8Array(256);
+    sbox[0] = 0x63; // first elm
+    for (let i = 0; i < 255; i++) {
+        let x = t[255 - i];
+        x |= x << 8;
+        sbox[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff;
+    }
+    return sbox;
+})();
+// Inverted S-box
+const _inv_sbox = /* @__PURE__ */ _sbox.map((_, j) => _sbox.indexOf(j));
+// Rotate u32 by 8
+const rotr32_8 = (n) => (n << 24) | (n >>> 8);
+const rotl32_8 = (n) => (n << 8) | (n >>> 24);
+// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes:
+// - LE instead of BE
+// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23;
+//   so index is u16, instead of u8. This speeds up things, unexpectedly
+function genTtable(sbox, fn) {
+    if (sbox.length !== 256)
+        throw new Error('Wrong sbox length');
+    const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j]));
+    const T1 = T0.map(rotl32_8);
+    const T2 = T1.map(rotl32_8);
+    const T3 = T2.map(rotl32_8);
+    const T01 = new Uint32Array(256 * 256);
+    const T23 = new Uint32Array(256 * 256);
+    const sbox2 = new Uint16Array(256 * 256);
+    for (let i = 0; i < 256; i++) {
+        for (let j = 0; j < 256; j++) {
+            const idx = i * 256 + j;
+            T01[idx] = T0[i] ^ T1[j];
+            T23[idx] = T2[i] ^ T3[j];
+            sbox2[idx] = (sbox[i] << 8) | sbox[j];
+        }
+    }
+    return { sbox, sbox2, T0, T1, T2, T3, T01, T23 };
+}
+const TABLE_ENC = /* @__PURE__ */ genTtable(_sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2));
+const TABLE_DEC = /* @__PURE__ */ genTtable(_inv_sbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14));
+const POWX = /* @__PURE__ */ (() => {
+    const p = new Uint8Array(16);
+    for (let i = 0, x = 1; i < 16; i++, x = mul2(x))
+        p[i] = x;
+    return p;
+})();
+function expandKeyLE(key) {
+    ensureBytes(key);
+    const len = key.length;
+    if (![16, 24, 32].includes(len))
+        throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`);
+    const { sbox2 } = TABLE_ENC;
+    const k32 = u32(key);
+    const Nk = k32.length;
+    const subByte = (n) => applySbox(sbox2, n, n, n, n);
+    const xk = new Uint32Array(len + 28); // expanded key
+    xk.set(k32);
+    // 4.3.1 Key expansion
+    for (let i = Nk; i < xk.length; i++) {
+        let t = xk[i - 1];
+        if (i % Nk === 0)
+            t = subByte(rotr32_8(t)) ^ POWX[i / Nk - 1];
+        else if (Nk > 6 && i % Nk === 4)
+            t = subByte(t);
+        xk[i] = xk[i - Nk] ^ t;
+    }
+    return xk;
+}
+function expandKeyDecLE(key) {
+    const encKey = expandKeyLE(key);
+    const xk = encKey.slice();
+    const Nk = encKey.length;
+    const { sbox2 } = TABLE_ENC;
+    const { T0, T1, T2, T3 } = TABLE_DEC;
+    // Inverse key by chunks of 4 (rounds)
+    for (let i = 0; i < Nk; i += 4) {
+        for (let j = 0; j < 4; j++)
+            xk[i + j] = encKey[Nk - i - 4 + j];
+    }
+    encKey.fill(0);
+    // apply InvMixColumn except first & last round
+    for (let i = 4; i < Nk - 4; i++) {
+        const x = xk[i];
+        const w = applySbox(sbox2, x, x, x, x);
+        xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24];
+    }
+    return xk;
+}
+// Apply tables
+function apply0123(T01, T23, s0, s1, s2, s3) {
+    return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^
+        T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]);
+}
+function applySbox(sbox2, s0, s1, s2, s3) {
+    return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |
+        (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));
+}
+function encrypt(xk, s0, s1, s2, s3) {
+    const { sbox2, T01, T23 } = TABLE_ENC;
+    let k = 0;
+    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
+    const rounds = xk.length / 4 - 2;
+    for (let i = 0; i < rounds; i++) {
+        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
+        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
+        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
+        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
+        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
+    }
+    // last round (without mixcolumns, so using SBOX2 table)
+    const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
+    const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
+    const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
+    const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
+    return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function decrypt(xk, s0, s1, s2, s3) {
+    const { sbox2, T01, T23 } = TABLE_DEC;
+    let k = 0;
+    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);
+    const rounds = xk.length / 4 - 2;
+    for (let i = 0; i < rounds; i++) {
+        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1);
+        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2);
+        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3);
+        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0);
+        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);
+    }
+    // Last round
+    const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1);
+    const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2);
+    const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3);
+    const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0);
+    return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function getDst(len, dst) {
+    if (!dst)
+        return new Uint8Array(len);
+    ensureBytes(dst);
+    if (dst.length < len)
+        throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`);
+    return dst;
+}
+// TODO: investigate merging with ctr32
+function ctrCounter(xk, nonce, src, dst) {
+    ensureBytes(nonce, BLOCK_SIZE);
+    ensureBytes(src);
+    const srcLen = src.length;
+    dst = getDst(srcLen, dst);
+    const ctr = nonce;
+    const c32 = u32(ctr);
+    // Fill block (empty, ctr=0)
+    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+    const src32 = u32(src);
+    const dst32 = u32(dst);
+    // process blocks
+    for (let i = 0; i + 4 <= src32.length; i += 4) {
+        dst32[i + 0] = src32[i + 0] ^ s0;
+        dst32[i + 1] = src32[i + 1] ^ s1;
+        dst32[i + 2] = src32[i + 2] ^ s2;
+        dst32[i + 3] = src32[i + 3] ^ s3;
+        // Full 128 bit counter with wrap around
+        let carry = 1;
+        for (let i = ctr.length - 1; i >= 0; i--) {
+            carry = (carry + (ctr[i] & 0xff)) | 0;
+            ctr[i] = carry & 0xff;
+            carry >>>= 8;
+        }
+        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+    }
+    // leftovers (less than block)
+    // It's possible to handle > u32 fast, but is it worth it?
+    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
+    if (start < srcLen) {
+        const b32 = new Uint32Array([s0, s1, s2, s3]);
+        const buf = u8(b32);
+        for (let i = start, pos = 0; i < srcLen; i++, pos++)
+            dst[i] = src[i] ^ buf[pos];
+    }
+    return dst;
+}
+// AES CTR with overflowing 32 bit counter
+// It's possible to do 32le significantly simpler (and probably faster) by using u32.
+// But, we need both, and perf bottleneck is in ghash anyway.
+function ctr32(xk, isLE, nonce, src, dst) {
+    ensureBytes(nonce, BLOCK_SIZE);
+    ensureBytes(src);
+    dst = getDst(src.length, dst);
+    const ctr = nonce; // write new value to nonce, so it can be re-used
+    const c32 = u32(ctr);
+    const view = createView(ctr);
+    const src32 = u32(src);
+    const dst32 = u32(dst);
+    const ctrPos = isLE ? 0 : 12;
+    const srcLen = src.length;
+    // Fill block (empty, ctr=0)
+    let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value
+    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+    // process blocks
+    for (let i = 0; i + 4 <= src32.length; i += 4) {
+        dst32[i + 0] = src32[i + 0] ^ s0;
+        dst32[i + 1] = src32[i + 1] ^ s1;
+        dst32[i + 2] = src32[i + 2] ^ s2;
+        dst32[i + 3] = src32[i + 3] ^ s3;
+        ctrNum = (ctrNum + 1) >>> 0; // u32 wrap
+        view.setUint32(ctrPos, ctrNum, isLE);
+        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+    }
+    // leftovers (less than a block)
+    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
+    if (start < srcLen) {
+        const b32 = new Uint32Array([s0, s1, s2, s3]);
+        const buf = u8(b32);
+        for (let i = start, pos = 0; i < srcLen; i++, pos++)
+            dst[i] = src[i] ^ buf[pos];
+    }
+    return dst;
+}
+/**
+ * CTR: counter mode. Creates stream cipher.
+ * Requires good IV. Parallelizable. OK, but no MAC.
+ */
+wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) {
+    ensureBytes(key);
+    ensureBytes(nonce, BLOCK_SIZE);
+    function processCtr(buf, dst) {
+        const xk = expandKeyLE(key);
+        const n = nonce.slice();
+        const out = ctrCounter(xk, n, buf, dst);
+        xk.fill(0);
+        n.fill(0);
+        return out;
+    }
+    return {
+        encrypt: (plaintext, dst) => processCtr(plaintext, dst),
+        decrypt: (ciphertext, dst) => processCtr(ciphertext, dst),
+    };
+});
+function validateBlockDecrypt(data) {
+    ensureBytes(data);
+    if (data.length % BLOCK_SIZE !== 0) {
+        throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`);
+    }
+}
+function validateBlockEncrypt(plaintext, pcks5, dst) {
+    let outLen = plaintext.length;
+    const remaining = outLen % BLOCK_SIZE;
+    if (!pcks5 && remaining !== 0)
+        throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding');
+    const b = u32(plaintext);
+    if (pcks5) {
+        let left = BLOCK_SIZE - remaining;
+        if (!left)
+            left = BLOCK_SIZE; // if no bytes left, create empty padding block
+        outLen = outLen + left;
+    }
+    const out = getDst(outLen, dst);
+    const o = u32(out);
+    return { b, o, out };
+}
+function validatePCKS(data, pcks5) {
+    if (!pcks5)
+        return data;
+    const len = data.length;
+    if (!len)
+        throw new Error(`aes/pcks5: empty ciphertext not allowed`);
+    const lastByte = data[len - 1];
+    if (lastByte <= 0 || lastByte > 16)
+        throw new Error(`aes/pcks5: wrong padding byte: ${lastByte}`);
+    const out = data.subarray(0, -lastByte);
+    for (let i = 0; i < lastByte; i++)
+        if (data[len - i - 1] !== lastByte)
+            throw new Error(`aes/pcks5: wrong padding`);
+    return out;
+}
+function padPCKS(left) {
+    const tmp = new Uint8Array(16);
+    const tmp32 = u32(tmp);
+    tmp.set(left);
+    const paddingByte = BLOCK_SIZE - left.length;
+    for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++)
+        tmp[i] = paddingByte;
+    return tmp32;
+}
+/**
+ * ECB: Electronic CodeBook. Simple deterministic replacement.
+ * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).
+ */
+wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) {
+    ensureBytes(key);
+    const pcks5 = !opts.disablePadding;
+    return {
+        encrypt: (plaintext, dst) => {
+            ensureBytes(plaintext);
+            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
+            const xk = expandKeyLE(key);
+            let i = 0;
+            for (; i + 4 <= b.length;) {
+                const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            if (pcks5) {
+                const tmp32 = padPCKS(plaintext.subarray(i * 4));
+                const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return _out;
+        },
+        decrypt: (ciphertext, dst) => {
+            validateBlockDecrypt(ciphertext);
+            const xk = expandKeyDecLE(key);
+            const out = getDst(ciphertext.length, dst);
+            const b = u32(ciphertext);
+            const o = u32(out);
+            for (let i = 0; i + 4 <= b.length;) {
+                const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return validatePCKS(out, pcks5);
+        },
+    };
+});
+/**
+ * CBC: Cipher-Block-Chaining. Key is previous round’s block.
+ * Fragile: needs proper padding. Unauthenticated: needs MAC.
+ */
+wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) {
+    ensureBytes(key);
+    ensureBytes(iv, 16);
+    const pcks5 = !opts.disablePadding;
+    return {
+        encrypt: (plaintext, dst) => {
+            const xk = expandKeyLE(key);
+            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);
+            const n32 = u32(iv);
+            // prettier-ignore
+            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
+            let i = 0;
+            for (; i + 4 <= b.length;) {
+                (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);
+                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            if (pcks5) {
+                const tmp32 = padPCKS(plaintext.subarray(i * 4));
+                (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);
+                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));
+                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);
+            }
+            xk.fill(0);
+            return _out;
+        },
+        decrypt: (ciphertext, dst) => {
+            validateBlockDecrypt(ciphertext);
+            const xk = expandKeyDecLE(key);
+            const n32 = u32(iv);
+            const out = getDst(ciphertext.length, dst);
+            const b = u32(ciphertext);
+            const o = u32(out);
+            // prettier-ignore
+            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];
+            for (let i = 0; i + 4 <= b.length;) {
+                // prettier-ignore
+                const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;
+                (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);
+                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3);
+                (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);
+            }
+            xk.fill(0);
+            return validatePCKS(out, pcks5);
+        },
+    };
+});
+// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen
+function computeTag(fn, isLE, key, data, AAD) {
+    const h = fn.create(key, data.length + (AAD?.length || 0));
+    if (AAD)
+        h.update(AAD);
+    h.update(data);
+    const num = new Uint8Array(16);
+    const view = createView(num);
+    if (AAD)
+        setBigUint64(view, 0, BigInt(AAD.length * 8), isLE);
+    setBigUint64(view, 8, BigInt(data.length * 8), isLE);
+    h.update(num);
+    return h.digest();
+}
+/**
+ * GCM: Galois/Counter Mode.
+ * Good, modern version of CTR, parallel, with MAC.
+ * Be careful: MACs can be forged.
+ */
+const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) {
+    ensureBytes(nonce);
+    // Nonce can be pretty much anything (even 1 byte). But smaller nonces less secure.
+    if (nonce.length === 0)
+        throw new Error('aes/gcm: empty nonce');
+    const tagLength = 16;
+    function _computeTag(authKey, tagMask, data) {
+        const tag = computeTag(ghash, false, authKey, data, AAD);
+        for (let i = 0; i < tagMask.length; i++)
+            tag[i] ^= tagMask[i];
+        return tag;
+    }
+    function deriveKeys() {
+        const xk = expandKeyLE(key);
+        const authKey = EMPTY_BLOCK.slice();
+        const counter = EMPTY_BLOCK.slice();
+        ctr32(xk, false, counter, counter, authKey);
+        if (nonce.length === 12) {
+            counter.set(nonce);
+        }
+        else {
+            // Spec (NIST 800-38d) supports variable size nonce.
+            // Not supported for now, but can be useful.
+            const nonceLen = EMPTY_BLOCK.slice();
+            const view = createView(nonceLen);
+            setBigUint64(view, 8, BigInt(nonce.length * 8), false);
+            // ghash(nonce || u64be(0) || u64be(nonceLen*8))
+            ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter);
+        }
+        const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
+        return { xk, authKey, counter, tagMask };
+    }
+    return {
+        encrypt: (plaintext) => {
+            ensureBytes(plaintext);
+            const { xk, authKey, counter, tagMask } = deriveKeys();
+            const out = new Uint8Array(plaintext.length + tagLength);
+            ctr32(xk, false, counter, plaintext, out);
+            const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
+            out.set(tag, plaintext.length);
+            xk.fill(0);
+            return out;
+        },
+        decrypt: (ciphertext) => {
+            ensureBytes(ciphertext);
+            if (ciphertext.length < tagLength)
+                throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`);
+            const { xk, authKey, counter, tagMask } = deriveKeys();
+            const data = ciphertext.subarray(0, -tagLength);
+            const passedTag = ciphertext.subarray(-tagLength);
+            const tag = _computeTag(authKey, tagMask, data);
+            if (!equalBytes(tag, passedTag))
+                throw new Error('aes/gcm: invalid ghash tag');
+            const out = ctr32(xk, false, counter, data);
+            authKey.fill(0);
+            tagMask.fill(0);
+            xk.fill(0);
+            return out;
+        },
+    };
+});
+const limit = (name, min, max) => (value) => {
+    if (!Number.isSafeInteger(value) || min > value || value > max)
+        throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`);
+};
+/**
+ * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.
+ * Guarantees that, when a nonce is repeated, the only security loss is that identical
+ * plaintexts will produce identical ciphertexts.
+ * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452
+ */
+wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) {
+    const tagLength = 16;
+    // From RFC 8452: Section 6
+    const AAD_LIMIT = limit('AAD', 0, 2 ** 36);
+    const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36);
+    const NONCE_LIMIT = limit('nonce', 12, 12);
+    const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16);
+    ensureBytes(nonce);
+    NONCE_LIMIT(nonce.length);
+    if (AAD) {
+        ensureBytes(AAD);
+        AAD_LIMIT(AAD.length);
+    }
+    function deriveKeys() {
+        const len = key.length;
+        if (len !== 16 && len !== 24 && len !== 32)
+            throw new Error(`key length must be 16, 24 or 32 bytes, got: ${len} bytes`);
+        const xk = expandKeyLE(key);
+        const encKey = new Uint8Array(len);
+        const authKey = new Uint8Array(16);
+        const n32 = u32(nonce);
+        // prettier-ignore
+        let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2];
+        let counter = 0;
+        for (const derivedKey of [authKey, encKey].map(u32)) {
+            const d32 = u32(derivedKey);
+            for (let i = 0; i < d32.length; i += 2) {
+                // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ...
+                const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3);
+                d32[i + 0] = o0;
+                d32[i + 1] = o1;
+                s0 = ++counter; // increment counter inside state
+            }
+        }
+        xk.fill(0);
+        return { authKey, encKey: expandKeyLE(encKey) };
+    }
+    function _computeTag(encKey, authKey, data) {
+        const tag = computeTag(polyval, true, authKey, data, AAD);
+        // Compute the expected tag by XORing S_s and the nonce, clearing the
+        // most significant bit of the last byte and encrypting with the
+        // message-encryption key.
+        for (let i = 0; i < 12; i++)
+            tag[i] ^= nonce[i];
+        tag[15] &= 0x7f; // Clear the highest bit
+        // encrypt tag as block
+        const t32 = u32(tag);
+        // prettier-ignore
+        let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3];
+        ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3));
+        (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3);
+        return tag;
+    }
+    // actual decrypt/encrypt of message.
+    function processSiv(encKey, tag, input) {
+        let block = tag.slice();
+        block[15] |= 0x80; // Force highest bit
+        return ctr32(encKey, true, block, input);
+    }
+    return {
+        encrypt: (plaintext) => {
+            ensureBytes(plaintext);
+            PLAIN_LIMIT(plaintext.length);
+            const { encKey, authKey } = deriveKeys();
+            const tag = _computeTag(encKey, authKey, plaintext);
+            const out = new Uint8Array(plaintext.length + tagLength);
+            out.set(tag, plaintext.length);
+            out.set(processSiv(encKey, tag, plaintext));
+            encKey.fill(0);
+            authKey.fill(0);
+            return out;
+        },
+        decrypt: (ciphertext) => {
+            ensureBytes(ciphertext);
+            CIPHER_LIMIT(ciphertext.length);
+            const tag = ciphertext.subarray(-tagLength);
+            const { encKey, authKey } = deriveKeys();
+            const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength));
+            const expectedTag = _computeTag(encKey, authKey, plaintext);
+            encKey.fill(0);
+            authKey.fill(0);
+            if (!equalBytes(tag, expectedTag))
+                throw new Error('invalid polyval tag');
+            return plaintext;
+        },
+    };
+});
+
+const ENC_ITER_DEFAULT = 100_000;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+function getIterations() {
+    if (typeof process !== 'undefined' && process.env?.PBKDF2_ITERATIONS) {
+        const parsed = parseInt(process.env.PBKDF2_ITERATIONS, 10);
+        if (!isNaN(parsed) && parsed > 0) {
+            return parsed;
+        }
+    }
+    return ENC_ITER_DEFAULT;
+}
+async function encryptWithPassphrase(plaintext, pass) {
+    const salt = randomBytes(SALT_LEN);
+    const iv = randomBytes(IV_LEN);
+    const key = await deriveKey(pass, salt);
+    const cipher = gcm(key, iv);
+    const ct = cipher.encrypt(new TextEncoder().encode(plaintext));
+    return { salt: b64(salt), iv: b64(iv), data: b64(ct) };
+}
+async function decryptWithPassphrase(blob, pass) {
+    const salt = ub64(blob.salt);
+    const iv = ub64(blob.iv);
+    const data = ub64(blob.data);
+    const key = await deriveKey(pass, salt);
+    const cipher = gcm(key, iv);
+    const pt = cipher.decrypt(data);
+    return new TextDecoder().decode(pt);
+}
+const b64 = (buf) => {
+    return Buffer.from(buf).toString('base64');
+};
+const ub64 = (b64) => {
+    return new Uint8Array(Buffer.from(b64, 'base64'));
+};
+async function deriveKey(pass, salt) {
+    const enc = new TextEncoder();
+    return pbkdf2Async(sha512, enc.encode(pass), salt, { c: getIterations(), dkLen: 32 });
+}
+
 function hexToBase64url(hex) {
     const bytes = Buffer.from(hex, 'hex');
     return base64url.baseEncode(bytes);
@@ -1119,6 +2694,11 @@ exports.NoticeTags = void 0;
     NoticeTags["POLL"] = "poll";
     NoticeTags["CREDENTIAL"] = "credential";
 })(exports.NoticeTags || (exports.NoticeTags = {}));
+exports.PollItems = void 0;
+(function (PollItems) {
+    PollItems["POLL"] = "poll";
+    PollItems["RESULTS"] = "results";
+})(exports.PollItems || (exports.PollItems = {}));
 class Keymaster {
     passphrase;
     gatekeeper;
@@ -1206,7 +2786,7 @@ class Keymaster {
         catch (error) {
             throw new InvalidParameterError('mnemonic');
         }
-        const mnemonicEnc = await encryption.encMnemonic(mnemonic, this.passphrase);
+        const mnemonicEnc = await encryptWithPassphrase(mnemonic, this.passphrase);
         const wallet = {
             version: 2,
             seed: { mnemonicEnc },
@@ -1224,7 +2804,7 @@ class Keymaster {
         return this.getMnemonicForDerivation(wallet);
     }
     async getMnemonicForDerivation(wallet) {
-        return encryption.decMnemonic(wallet.seed.mnemonicEnc, this.passphrase);
+        return decryptWithPassphrase(wallet.seed.mnemonicEnc, this.passphrase);
     }
     async checkWallet() {
         const wallet = await this.loadWallet();
@@ -1436,7 +3016,7 @@ class Keymaster {
         const keypair = await this.hdKeyPair();
         const seedBank = await this.resolveSeedBank();
         const msg = JSON.stringify(wallet);
-        const backup = this.cipher.encryptMessage(keypair.publicJwk, keypair.privateJwk, msg);
+        const backup = this.cipher.encryptMessage(keypair.publicJwk, msg);
         const operation = {
             type: "create",
             created: new Date().toISOString(),
@@ -1489,12 +3069,12 @@ class Keymaster {
             if (typeof castData.backup !== 'string') {
                 throw new InvalidParameterError('Asset "backup" is missing or not a string');
             }
-            const backup = this.cipher.decryptMessage(keypair.publicJwk, keypair.privateJwk, castData.backup);
+            const backup = this.cipher.decryptMessage(keypair.privateJwk, castData.backup, keypair.publicJwk);
             let wallet = JSON.parse(backup);
             if (db_typeGuards.isWalletFile(wallet)) {
                 const mnemonic = await this.decryptMnemonic();
                 // Backup might have a different mnemonic passphase so re-encrypt
-                wallet.seed.mnemonicEnc = await encryption.encMnemonic(mnemonic, this.passphrase);
+                wallet.seed.mnemonicEnc = await encryptWithPassphrase(mnemonic, this.passphrase);
             }
             await this.mutateWallet(async (current) => {
                 // Clear all existing properties from the current wallet
@@ -1774,19 +3354,16 @@ class Keymaster {
     }
     async encryptMessage(msg, receiver, options = {}) {
         const { encryptForSender = true, includeHash = false, } = options;
-        const id = await this.fetchIdInfo();
         const senderKeypair = await this.fetchKeyPair();
         if (!senderKeypair) {
             throw new KeymasterError('No valid sender keypair');
         }
         const doc = await this.resolveDID(receiver, { confirm: true });
         const receivePublicJwk = this.getPublicKeyJwk(doc);
-        const cipher_sender = encryptForSender ? this.cipher.encryptMessage(senderKeypair.publicJwk, senderKeypair.privateJwk, msg) : null;
-        const cipher_receiver = this.cipher.encryptMessage(receivePublicJwk, senderKeypair.privateJwk, msg);
+        const cipher_sender = encryptForSender ? this.cipher.encryptMessage(senderKeypair.publicJwk, msg) : null;
+        const cipher_receiver = this.cipher.encryptMessage(receivePublicJwk, msg);
         const cipher_hash = includeHash ? this.cipher.hashMessage(msg) : null;
         const encrypted = {
-            sender: id.did,
-            created: new Date().toISOString(),
             cipher_hash,
             cipher_sender,
             cipher_receiver,
@@ -1802,7 +3379,7 @@ class Keymaster {
             const didkey = hdkey.derive(path);
             const receiverKeypair = this.cipher.generateJwk(didkey.privateKey);
             try {
-                return this.cipher.decryptMessage(senderPublicJwk, receiverKeypair.privateJwk, ciphertext);
+                return this.cipher.decryptMessage(receiverKeypair.privateJwk, ciphertext, senderPublicJwk);
             }
             catch (error) {
                 index -= 1;
@@ -1813,7 +3390,8 @@ class Keymaster {
     async decryptMessage(did) {
         const wallet = await this.loadWallet();
         const id = await this.fetchIdInfo();
-        const asset = await this.resolveAsset(did);
+        const msgDoc = await this.resolveDID(did);
+        const asset = msgDoc.didDocumentData;
         if (!asset) {
             throw new InvalidParameterError('did not encrypted');
         }
@@ -1822,9 +3400,16 @@ class Keymaster {
             throw new InvalidParameterError('did not encrypted');
         }
         const crypt = (castAsset.encrypted ? castAsset.encrypted : castAsset);
-        const doc = await this.resolveDID(crypt.sender, { confirm: true, versionTime: crypt.created });
-        const senderPublicJwk = this.getPublicKeyJwk(doc);
-        const ciphertext = (crypt.sender === id.did && crypt.cipher_sender) ? crypt.cipher_sender : crypt.cipher_receiver;
+        // Derive sender and created from the message DID document,
+        // falling back to fields in the asset for legacy messages
+        const sender = crypt.sender || msgDoc.didDocument?.controller;
+        const created = crypt.created || msgDoc.didDocumentMetadata?.created;
+        if (!sender) {
+            throw new InvalidParameterError('Sender DID could not be determined from message or DID document');
+        }
+        const senderDoc = await this.resolveDID(sender, { confirm: true, versionTime: created });
+        const senderPublicJwk = this.getPublicKeyJwk(senderDoc);
+        const ciphertext = (sender === id.did && crypt.cipher_sender) ? crypt.cipher_sender : crypt.cipher_receiver;
         return await this.decryptWithDerivedKeys(wallet, id, senderPublicJwk, ciphertext);
     }
     async encryptJSON(json, did, options = {}) {
@@ -2205,7 +3790,7 @@ class Keymaster {
             id: idInfo,
         };
         const msg = JSON.stringify(data);
-        const backup = this.cipher.encryptMessage(keypair.publicJwk, keypair.privateJwk, msg);
+        const backup = this.cipher.encryptMessage(keypair.publicJwk, msg);
         const doc = await this.resolveDID(idInfo.did);
         const registry = doc.didDocumentRegistration?.registry;
         if (!registry) {
@@ -2231,7 +3816,7 @@ class Keymaster {
             if (typeof backupStore.backup !== 'string') {
                 throw new InvalidDIDError('backup not found in backupStore');
             }
-            const backup = this.cipher.decryptMessage(keypair.publicJwk, keypair.privateJwk, backupStore.backup);
+            const backup = this.cipher.decryptMessage(keypair.privateJwk, backupStore.backup, keypair.publicJwk);
             const data = JSON.parse(backup);
             await this.mutateWallet((wallet) => {
                 if (wallet.ids[data.name]) {
@@ -2332,7 +3917,13 @@ class Keymaster {
             validFrom = new Date().toISOString();
         }
         const id = await this.fetchIdInfo();
-        const subjectDID = await this.lookupDID(subjectId);
+        let subjectURI;
+        try {
+            subjectURI = await this.lookupDID(subjectId);
+        }
+        catch {
+            subjectURI = subjectId;
+        }
         const vc = {
             "@context": [
                 "https://www.w3.org/ns/credentials/v2",
@@ -2343,7 +3934,7 @@ class Keymaster {
             validFrom,
             validUntil,
             credentialSubject: {
-                id: subjectDID,
+                id: subjectURI,
             },
         };
         // If schema provided, add credentialSchema and generate claims from schema
@@ -2368,7 +3959,7 @@ class Keymaster {
         }
         if (claims && Object.keys(claims).length) {
             vc.credentialSubject = {
-                id: subjectDID,
+                id: subjectURI,
                 ...claims,
             };
         }
@@ -2383,21 +3974,32 @@ class Keymaster {
             throw new InvalidParameterError('credential.issuer');
         }
         const signed = await this.addProof(credential);
-        return this.encryptJSON(signed, credential.credentialSubject.id, { ...options, includeHash: true });
+        const subjectId = credential.credentialSubject.id;
+        if (this.isManagedDID(subjectId)) {
+            return this.encryptJSON(signed, subjectId, { ...options, includeHash: true });
+        }
+        return this.encryptJSON(signed, id.did, { ...options, includeHash: true, encryptForSender: false });
     }
     async sendCredential(did, options = {}) {
         const vc = await this.getCredential(did);
         if (!vc) {
             return null;
         }
+        const subjectId = vc.credentialSubject.id;
+        if (!this.isManagedDID(subjectId)) {
+            return null;
+        }
         const registry = this.ephemeralRegistry;
         const validUntil = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(); // Default to 7 days
         const message = {
-            to: [vc.credentialSubject.id],
+            to: [subjectId],
             dids: [did],
         };
         return this.createNotice(message, { registry, validUntil, ...options });
     }
+    isManagedDID(value) {
+        return value.startsWith('did:cid:');
+    }
     isVerifiableCredential(obj) {
         if (typeof obj !== 'object' || !obj) {
             return false;
@@ -2419,24 +4021,29 @@ class Keymaster {
         delete credential.proof;
         const signed = await this.addProof(credential);
         const msg = JSON.stringify(signed);
-        const id = await this.fetchIdInfo();
         const senderKeypair = await this.fetchKeyPair();
         if (!senderKeypair) {
             throw new KeymasterError('No valid sender keypair');
         }
         const holder = credential.credentialSubject.id;
-        const holderDoc = await this.resolveDID(holder, { confirm: true });
-        const receivePublicJwk = this.getPublicKeyJwk(holderDoc);
-        const cipher_sender = this.cipher.encryptMessage(senderKeypair.publicJwk, senderKeypair.privateJwk, msg);
-        const cipher_receiver = this.cipher.encryptMessage(receivePublicJwk, senderKeypair.privateJwk, msg);
         const msgHash = this.cipher.hashMessage(msg);
-        const encrypted = {
-            sender: id.did,
-            created: new Date().toISOString(),
-            cipher_hash: msgHash,
-            cipher_sender: cipher_sender,
-            cipher_receiver: cipher_receiver,
-        };
+        let encrypted;
+        if (this.isManagedDID(holder)) {
+            const holderDoc = await this.resolveDID(holder, { confirm: true });
+            const receivePublicJwk = this.getPublicKeyJwk(holderDoc);
+            encrypted = {
+                cipher_hash: msgHash,
+                cipher_sender: this.cipher.encryptMessage(senderKeypair.publicJwk, msg),
+                cipher_receiver: this.cipher.encryptMessage(receivePublicJwk, msg),
+            };
+        }
+        else {
+            encrypted = {
+                cipher_hash: msgHash,
+                cipher_sender: null,
+                cipher_receiver: this.cipher.encryptMessage(senderKeypair.publicJwk, msg),
+            };
+        }
         return this.updateDID(did, { didDocumentData: { encrypted } });
     }
     async revokeCredential(credential) {
@@ -2932,72 +4539,64 @@ class Keymaster {
         const nextWeek = new Date();
         nextWeek.setDate(now.getDate() + 7);
         return {
-            type: 'poll',
-            version: 1,
+            version: 2,
+            name: 'poll-name',
             description: 'What is this poll about?',
-            roster: 'DID of the eligible voter group',
             options: ['yes', 'no', 'abstain'],
             deadline: nextWeek.toISOString(),
         };
     }
-    async createPoll(poll, options = {}) {
-        if (poll.type !== 'poll') {
-            throw new InvalidParameterError('poll');
-        }
-        if (poll.version !== 1) {
+    async createPoll(config, options = {}) {
+        if (config.version !== 2) {
             throw new InvalidParameterError('poll.version');
         }
-        if (!poll.description) {
+        if (!config.name) {
+            throw new InvalidParameterError('poll.name');
+        }
+        if (!config.description) {
             throw new InvalidParameterError('poll.description');
         }
-        if (!poll.options || !Array.isArray(poll.options) || poll.options.length < 2 || poll.options.length > 10) {
+        if (!config.options || !Array.isArray(config.options) || config.options.length < 2 || config.options.length > 10) {
             throw new InvalidParameterError('poll.options');
         }
-        if (!poll.roster) {
-            // eslint-disable-next-line
-            throw new InvalidParameterError('poll.roster');
-        }
-        try {
-            const isValidGroup = await this.testGroup(poll.roster);
-            if (!isValidGroup) {
-                throw new InvalidParameterError('poll.roster');
-            }
-        }
-        catch {
-            throw new InvalidParameterError('poll.roster');
-        }
-        if (!poll.deadline) {
-            // eslint-disable-next-line
+        if (!config.deadline) {
             throw new InvalidParameterError('poll.deadline');
         }
-        const deadline = new Date(poll.deadline);
+        const deadline = new Date(config.deadline);
         if (isNaN(deadline.getTime())) {
             throw new InvalidParameterError('poll.deadline');
         }
         if (deadline < new Date()) {
             throw new InvalidParameterError('poll.deadline');
         }
-        return this.createAsset({ poll }, options);
+        const vaultDid = await this.createVault(options);
+        const buffer = Buffer.from(JSON.stringify(config), 'utf-8');
+        await this.addVaultItem(vaultDid, exports.PollItems.POLL, buffer);
+        return vaultDid;
     }
     async getPoll(id) {
-        const asset = await this.resolveAsset(id);
-        // TEMP during did:cid, return old version poll
-        const castOldAsset = asset;
-        if (castOldAsset.options) {
-            return castOldAsset;
+        const isVault = await this.testVault(id);
+        if (!isVault) {
+            return null;
         }
-        const castAsset = asset;
-        if (!castAsset.poll) {
+        try {
+            const buffer = await this.getVaultItem(id, exports.PollItems.POLL);
+            if (!buffer) {
+                return null;
+            }
+            const config = JSON.parse(buffer.toString('utf-8'));
+            return config;
+        }
+        catch {
             return null;
         }
-        return castAsset.poll;
     }
     async testPoll(id) {
         try {
-            const poll = await this.getPoll(id);
-            return poll !== null;
+            const config = await this.getPoll(id);
+            return config !== null;
         }
-        catch (error) {
+        catch {
             return false;
         }
     }
@@ -3012,113 +4611,243 @@ class Keymaster {
         }
         return polls;
     }
+    async addPollVoter(pollId, memberId) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
+            throw new InvalidParameterError('pollId');
+        }
+        return this.addVaultMember(pollId, memberId);
+    }
+    async removePollVoter(pollId, memberId) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
+            throw new InvalidParameterError('pollId');
+        }
+        return this.removeVaultMember(pollId, memberId);
+    }
+    async listPollVoters(pollId) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
+            throw new InvalidParameterError('pollId');
+        }
+        return this.listVaultMembers(pollId);
+    }
     async viewPoll(pollId) {
         const id = await this.fetchIdInfo();
-        const poll = await this.getPoll(pollId);
-        if (!poll) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
             throw new InvalidParameterError('pollId');
         }
+        const doc = await this.resolveDID(pollId);
+        const isOwner = (doc.didDocument?.controller === id.did);
+        const voteExpired = Date.now() > new Date(config.deadline).getTime();
+        let isEligible = false;
         let hasVoted = false;
-        if (poll.ballots) {
-            hasVoted = !!poll.ballots[id.did];
+        const ballots = [];
+        try {
+            const vault = await this.getVault(pollId);
+            const members = await this.listVaultMembers(pollId);
+            isEligible = isOwner || !!members[id.did];
+            const items = await this.listVaultItems(pollId);
+            for (const itemName of Object.keys(items)) {
+                if (itemName !== exports.PollItems.POLL && itemName !== exports.PollItems.RESULTS) {
+                    ballots.push(itemName);
+                }
+            }
+            const myBallotKey = this.generateBallotKey(vault, id.did);
+            hasVoted = ballots.includes(myBallotKey);
+        }
+        catch {
+            isEligible = false;
         }
-        const voteExpired = Date.now() > new Date(poll.deadline).getTime();
-        const isEligible = await this.testGroup(poll.roster, id.did);
-        const doc = await this.resolveDID(pollId);
         const view = {
-            description: poll.description,
-            options: poll.options,
-            deadline: poll.deadline,
-            isOwner: (doc.didDocument?.controller === id.did),
-            isEligible: isEligible,
-            voteExpired: voteExpired,
-            hasVoted: hasVoted,
+            description: config.description,
+            options: config.options,
+            deadline: config.deadline,
+            isOwner,
+            isEligible,
+            voteExpired,
+            hasVoted,
+            ballots,
         };
-        if (id.did === doc.didDocument?.controller) {
-            let voted = 0;
-            const results = {
-                tally: [],
-                ballots: [],
-            };
-            results.tally.push({
-                vote: 0,
-                option: 'spoil',
-                count: 0,
-            });
-            for (let i = 0; i < poll.options.length; i++) {
-                results.tally.push({
-                    vote: i + 1,
-                    option: poll.options[i],
-                    count: 0,
+        if (isOwner) {
+            view.results = await this.computePollResults(pollId, config);
+        }
+        else {
+            try {
+                const resultsBuffer = await this.getVaultItem(pollId, exports.PollItems.RESULTS);
+                if (resultsBuffer) {
+                    view.results = JSON.parse(resultsBuffer.toString('utf-8'));
+                }
+            }
+            catch { }
+        }
+        return view;
+    }
+    async computePollResults(pollId, config) {
+        const vault = await this.getVault(pollId);
+        const members = await this.listVaultMembers(pollId);
+        const items = await this.listVaultItems(pollId);
+        const results = {
+            tally: [],
+            ballots: [],
+        };
+        results.tally.push({ vote: 0, option: 'spoil', count: 0 });
+        for (let i = 0; i < config.options.length; i++) {
+            results.tally.push({ vote: i + 1, option: config.options[i], count: 0 });
+        }
+        // Build ballotKey → memberDID mapping
+        const keyToMember = {};
+        for (const memberDID of Object.keys(members)) {
+            const ballotKey = this.generateBallotKey(vault, memberDID);
+            keyToMember[ballotKey] = memberDID;
+        }
+        // Include owner in mapping
+        const id = await this.fetchIdInfo();
+        const ownerKey = this.generateBallotKey(vault, id.did);
+        keyToMember[ownerKey] = id.did;
+        let voted = 0;
+        for (const [itemName, itemMeta] of Object.entries(items)) {
+            if (itemName === exports.PollItems.POLL || itemName === exports.PollItems.RESULTS) {
+                continue;
+            }
+            const ballotBuffer = await this.getVaultItem(pollId, itemName);
+            if (!ballotBuffer) {
+                continue;
+            }
+            const ballotDid = ballotBuffer.toString('utf-8');
+            const decrypted = await this.decryptJSON(ballotDid);
+            const vote = decrypted.vote;
+            const voterDID = keyToMember[itemName] || itemName;
+            if (results.ballots) {
+                results.ballots.push({
+                    voter: voterDID,
+                    vote,
+                    option: vote === 0 ? 'spoil' : config.options[vote - 1],
+                    received: itemMeta.added || '',
                 });
             }
-            for (let voter in poll.ballots) {
-                const ballot = poll.ballots[voter];
-                const decrypted = await this.decryptJSON(ballot.ballot);
-                const vote = decrypted.vote;
-                if (results.ballots) {
-                    results.ballots.push({
-                        ...ballot,
-                        voter,
-                        vote,
-                        option: poll.options[vote - 1],
-                    });
-                }
-                voted += 1;
+            voted += 1;
+            if (vote >= 0 && vote < results.tally.length) {
                 results.tally[vote].count += 1;
             }
-            const roster = await this.getGroup(poll.roster);
-            const total = roster.members.length;
-            results.votes = {
-                eligible: total,
-                received: voted,
-                pending: total - voted,
-            };
-            results.final = voteExpired || (voted === total);
-            view.results = results;
         }
-        return view;
+        const total = Object.keys(members).length + 1; // +1 for owner
+        const voteExpired = Date.now() > new Date(config.deadline).getTime();
+        results.votes = {
+            eligible: total,
+            received: voted,
+            pending: total - voted,
+        };
+        results.final = voteExpired || (voted === total);
+        return results;
     }
     async votePoll(pollId, vote, options = {}) {
-        const { spoil = false } = options;
         const id = await this.fetchIdInfo();
         const didPoll = await this.lookupDID(pollId);
         const doc = await this.resolveDID(didPoll);
-        const poll = await this.getPoll(pollId);
-        if (!poll) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
             throw new InvalidParameterError('pollId');
         }
-        const eligible = await this.testGroup(poll.roster, id.did);
-        const expired = Date.now() > new Date(poll.deadline).getTime();
         const owner = doc.didDocument?.controller;
         if (!owner) {
-            throw new KeymasterError('owner mising from poll');
+            throw new KeymasterError('owner missing from poll');
+        }
+        // Check vault membership
+        let isEligible = false;
+        if (id.did === owner) {
+            isEligible = true;
+        }
+        else {
+            try {
+                const vault = await this.getVault(didPoll);
+                await this.decryptVault(vault);
+                isEligible = true;
+            }
+            catch {
+                isEligible = false;
+            }
         }
-        if (!eligible) {
-            throw new InvalidParameterError('voter not in roster');
+        if (!isEligible) {
+            throw new InvalidParameterError('voter is not a poll member');
         }
+        const expired = Date.now() > new Date(config.deadline).getTime();
         if (expired) {
             throw new InvalidParameterError('poll has expired');
         }
-        let ballot;
-        if (spoil) {
-            ballot = {
-                poll: didPoll,
-                vote: 0,
-            };
+        const max = config.options.length;
+        if (!Number.isInteger(vote) || vote < 0 || vote > max) {
+            throw new InvalidParameterError('vote');
         }
-        else {
-            const max = poll.options.length;
-            if (!Number.isInteger(vote) || vote < 1 || vote > max) {
-                throw new InvalidParameterError('vote');
+        const ballot = {
+            poll: didPoll,
+            vote: vote,
+        };
+        // Encrypt for owner and sender (voter can view their own ballot)
+        return await this.encryptJSON(ballot, owner, options);
+    }
+    async sendPoll(pollId) {
+        const didPoll = await this.lookupDID(pollId);
+        const config = await this.getPoll(didPoll);
+        if (!config) {
+            throw new InvalidParameterError('pollId');
+        }
+        const members = await this.listVaultMembers(didPoll);
+        const voters = Object.keys(members);
+        if (voters.length === 0) {
+            throw new KeymasterError('No poll voters found');
+        }
+        const registry = this.ephemeralRegistry;
+        const validUntil = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+        const message = {
+            to: voters,
+            dids: [didPoll],
+        };
+        return this.createNotice(message, { registry, validUntil });
+    }
+    async sendBallot(ballotDid, pollId) {
+        const didPoll = await this.lookupDID(pollId);
+        const config = await this.getPoll(didPoll);
+        if (!config) {
+            throw new InvalidParameterError('pollId is not a valid poll');
+        }
+        const pollDoc = await this.resolveDID(didPoll);
+        const ownerDid = pollDoc.didDocument?.controller;
+        if (!ownerDid) {
+            throw new KeymasterError('poll owner not found');
+        }
+        const registry = this.ephemeralRegistry;
+        const validUntil = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+        const message = {
+            to: [ownerDid],
+            dids: [ballotDid],
+        };
+        return this.createNotice(message, { registry, validUntil });
+    }
+    async viewBallot(ballotDid) {
+        const docBallot = await this.resolveDID(ballotDid);
+        const voter = docBallot.didDocument?.controller;
+        const result = {
+            poll: '',
+            voter: voter || undefined,
+        };
+        try {
+            const data = await this.decryptJSON(ballotDid);
+            result.poll = data.poll;
+            result.vote = data.vote;
+            const config = await this.getPoll(data.poll);
+            if (config && data.vote > 0 && data.vote <= config.options.length) {
+                result.option = config.options[data.vote - 1];
             }
-            ballot = {
-                poll: didPoll,
-                vote: vote,
-            };
+            else if (data.vote === 0) {
+                result.option = 'spoil';
+            }
+        }
+        catch {
+            // Caller cannot decrypt (not the owner) — return limited info
         }
-        // Encrypt for receiver only
-        return await this.encryptJSON(ballot, owner, { ...options, encryptForSender: false });
+        return result;
     }
     async updatePoll(ballot) {
         const id = await this.fetchIdInfo();
@@ -3128,7 +4857,7 @@ class Keymaster {
         let dataBallot;
         try {
             dataBallot = await this.decryptJSON(didBallot);
-            if (!dataBallot.poll || !dataBallot.vote) {
+            if (!dataBallot.poll || dataBallot.vote === undefined) {
                 throw new InvalidParameterError('ballot');
             }
         }
@@ -3138,34 +4867,34 @@ class Keymaster {
         const didPoll = dataBallot.poll;
         const docPoll = await this.resolveDID(didPoll);
         const didOwner = docPoll.didDocument.controller;
-        const poll = await this.getPoll(didPoll);
-        if (!poll) {
+        const config = await this.getPoll(didPoll);
+        if (!config) {
             throw new KeymasterError('Cannot find poll related to ballot');
         }
         if (id.did !== didOwner) {
             throw new InvalidParameterError('only owner can update a poll');
         }
-        const eligible = await this.testGroup(poll.roster, didVoter);
-        if (!eligible) {
-            throw new InvalidParameterError('voter not in roster');
+        // Check voter is a vault member
+        const vault = await this.getVault(didPoll);
+        const voterBallotKey = this.generateBallotKey(vault, didVoter);
+        const members = await this.listVaultMembers(didPoll);
+        const isMember = !!members[didVoter] || didVoter === id.did;
+        if (!isMember) {
+            throw new InvalidParameterError('voter is not a poll member');
         }
-        const expired = Date.now() > new Date(poll.deadline).getTime();
+        const expired = Date.now() > new Date(config.deadline).getTime();
         if (expired) {
             throw new InvalidParameterError('poll has expired');
         }
-        const max = poll.options.length;
+        const max = config.options.length;
         const vote = dataBallot.vote;
-        if (!vote || vote < 0 || vote > max) {
+        if (vote < 0 || vote > max) {
             throw new InvalidParameterError('ballot.vote');
         }
-        if (!poll.ballots) {
-            poll.ballots = {};
-        }
-        poll.ballots[didVoter] = {
-            ballot: didBallot,
-            received: new Date().toISOString(),
-        };
-        return this.mergeData(didPoll, { poll });
+        // Store ballot DID as vault item keyed by voter's ballot key
+        const buffer = Buffer.from(didBallot, 'utf-8');
+        await this.addVaultItem(didPoll, voterBallotKey, buffer);
+        return true;
     }
     async publishPoll(pollId, options = {}) {
         const { reveal = false } = options;
@@ -3175,19 +4904,20 @@ class Keymaster {
         if (id.did !== owner) {
             throw new InvalidParameterError('only owner can publish a poll');
         }
-        const view = await this.viewPoll(pollId);
-        if (!view.results?.final) {
-            throw new InvalidParameterError('poll not final');
+        const config = await this.getPoll(pollId);
+        if (!config) {
+            throw new InvalidParameterError(pollId);
         }
-        if (!reveal && view.results.ballots) {
-            delete view.results.ballots;
+        const results = await this.computePollResults(pollId, config);
+        if (!results.final) {
+            throw new InvalidParameterError('poll not final');
         }
-        const poll = await this.getPoll(pollId);
-        if (!poll) {
-            throw new InvalidParameterError(pollId);
+        if (!reveal) {
+            delete results.ballots;
         }
-        poll.results = view.results;
-        return this.mergeData(pollId, { poll });
+        const buffer = Buffer.from(JSON.stringify(results), 'utf-8');
+        await this.addVaultItem(pollId, exports.PollItems.RESULTS, buffer);
+        return true;
     }
     async unpublishPoll(pollId) {
         const id = await this.fetchIdInfo();
@@ -3196,12 +4926,11 @@ class Keymaster {
         if (id.did !== owner) {
             throw new InvalidParameterError(pollId);
         }
-        const poll = await this.getPoll(pollId);
-        if (!poll) {
+        const config = await this.getPoll(pollId);
+        if (!config) {
             throw new InvalidParameterError(pollId);
         }
-        delete poll.results;
-        return this.mergeData(pollId, { poll });
+        return this.removeVaultItem(pollId, exports.PollItems.RESULTS);
     }
     async createVault(options = {}) {
         const id = await this.fetchIdInfo();
@@ -3213,10 +4942,10 @@ class Keymaster {
         const salt = this.cipher.generateRandomSalt();
         const vaultKeypair = this.cipher.generateRandomJwk();
         const keys = {};
-        const config = this.cipher.encryptMessage(idKeypair.publicJwk, vaultKeypair.privateJwk, JSON.stringify(options));
+        const config = this.cipher.encryptMessage(idKeypair.publicJwk, JSON.stringify(options));
         const publicJwk = options.secretMembers ? idKeypair.publicJwk : vaultKeypair.publicJwk; // If secret, encrypt for the owner only
-        const members = this.cipher.encryptMessage(publicJwk, vaultKeypair.privateJwk, JSON.stringify({}));
-        const items = this.cipher.encryptMessage(vaultKeypair.publicJwk, vaultKeypair.privateJwk, JSON.stringify({}));
+        const members = this.cipher.encryptMessage(publicJwk, JSON.stringify({}));
+        const items = this.cipher.encryptMessage(vaultKeypair.publicJwk, JSON.stringify({}));
         const sha256 = this.cipher.hashJSON({});
         const vault = {
             version,
@@ -3247,6 +4976,9 @@ class Keymaster {
             return false;
         }
     }
+    generateBallotKey(vault, memberDID) {
+        return this.generateSaltedId(vault, memberDID).slice(0, this.maxAliasLength);
+    }
     generateSaltedId(vault, memberDID) {
         if (!vault.version) {
             return this.cipher.hashMessage(vault.salt + memberDID);
@@ -3285,13 +5017,13 @@ class Keymaster {
         }
         else {
             try {
-                const membersJSON = this.cipher.decryptMessage(vault.publicJwk, privateJwk, vault.members);
+                const membersJSON = this.cipher.decryptMessage(privateJwk, vault.members, vault.publicJwk);
                 members = JSON.parse(membersJSON);
             }
             catch (error) {
             }
         }
-        const itemsJSON = this.cipher.decryptMessage(vault.publicJwk, privateJwk, vault.items);
+        const itemsJSON = this.cipher.decryptMessage(privateJwk, vault.items, vault.publicJwk);
         const items = JSON.parse(itemsJSON);
         return {
             isOwner,
@@ -3313,7 +5045,7 @@ class Keymaster {
     async addMemberKey(vault, memberDID, privateJwk) {
         const memberDoc = await this.resolveDID(memberDID, { confirm: true });
         const memberPublicJwk = this.getPublicKeyJwk(memberDoc);
-        const memberKey = this.cipher.encryptMessage(memberPublicJwk, privateJwk, JSON.stringify(privateJwk));
+        const memberKey = this.cipher.encryptMessage(memberPublicJwk, JSON.stringify(privateJwk));
         const memberKeyId = this.generateSaltedId(vault, memberDID);
         vault.keys[memberKeyId] = memberKey;
     }
@@ -3358,7 +5090,7 @@ class Keymaster {
         }
         members[memberDID] = { added: new Date().toISOString() };
         const publicJwk = config.secretMembers ? idKeypair.publicJwk : vault.publicJwk;
-        vault.members = this.cipher.encryptMessage(publicJwk, privateJwk, JSON.stringify(members));
+        vault.members = this.cipher.encryptMessage(publicJwk, JSON.stringify(members));
         await this.addMemberKey(vault, memberDID, privateJwk);
         return this.mergeData(vaultId, { vault });
     }
@@ -3366,7 +5098,7 @@ class Keymaster {
         const owner = await this.checkVaultOwner(vaultId);
         const idKeypair = await this.fetchKeyPair();
         const vault = await this.getVault(vaultId);
-        const { privateJwk, config, members } = await this.decryptVault(vault);
+        const { config, members } = await this.decryptVault(vault);
         const memberDoc = await this.resolveDID(memberId, { confirm: true });
         const memberDID = this.getAgentDID(memberDoc);
         // Don't allow removing the vault owner
@@ -3375,7 +5107,7 @@ class Keymaster {
         }
         delete members[memberDID];
         const publicJwk = config.secretMembers ? idKeypair.publicJwk : vault.publicJwk;
-        vault.members = this.cipher.encryptMessage(publicJwk, privateJwk, JSON.stringify(members));
+        vault.members = this.cipher.encryptMessage(publicJwk, JSON.stringify(members));
         const memberKeyId = this.generateSaltedId(vault, memberDID);
         delete vault.keys[memberKeyId];
         return this.mergeData(vaultId, { vault });
@@ -3391,9 +5123,9 @@ class Keymaster {
     async addVaultItem(vaultId, name, buffer) {
         await this.checkVaultOwner(vaultId);
         const vault = await this.getVault(vaultId);
-        const { privateJwk, items } = await this.decryptVault(vault);
+        const { items } = await this.decryptVault(vault);
         const validName = this.validateAlias(name);
-        const encryptedData = this.cipher.encryptBytes(vault.publicJwk, privateJwk, buffer);
+        const encryptedData = this.cipher.encryptBytes(vault.publicJwk, buffer);
         const cid = await this.gatekeeper.addText(encryptedData);
         const sha256 = this.cipher.hashMessage(buffer);
         const type = await this.getMimeType(buffer);
@@ -3406,16 +5138,16 @@ class Keymaster {
             added: new Date().toISOString(),
             data,
         };
-        vault.items = this.cipher.encryptMessage(vault.publicJwk, privateJwk, JSON.stringify(items));
+        vault.items = this.cipher.encryptMessage(vault.publicJwk, JSON.stringify(items));
         vault.sha256 = this.cipher.hashJSON(items);
         return this.mergeData(vaultId, { vault });
     }
     async removeVaultItem(vaultId, name) {
         await this.checkVaultOwner(vaultId);
         const vault = await this.getVault(vaultId);
-        const { privateJwk, items } = await this.decryptVault(vault);
+        const { items } = await this.decryptVault(vault);
         delete items[name];
-        vault.items = this.cipher.encryptMessage(vault.publicJwk, privateJwk, JSON.stringify(items));
+        vault.items = this.cipher.encryptMessage(vault.publicJwk, JSON.stringify(items));
         vault.sha256 = this.cipher.hashJSON(items);
         return this.mergeData(vaultId, { vault });
     }
@@ -3434,7 +5166,7 @@ class Keymaster {
         if (!encryptedData) {
             throw new KeymasterError(`Failed to retrieve data for item '${name}' (CID: ${items[name].cid})`);
         }
-        const bytes = this.cipher.decryptBytes(vault.publicJwk, privateJwk, encryptedData);
+        const bytes = this.cipher.decryptBytes(privateJwk, encryptedData, vault.publicJwk);
         return Buffer.from(bytes);
     }
     async listDmail() {
@@ -3718,7 +5450,7 @@ class Keymaster {
             if (poll) {
                 const names = await this.listAliases();
                 if (!Object.values(names).includes(noticeDID)) {
-                    await this.addUnaliasedPoll(noticeDID);
+                    await this.addUnaliasedPoll(noticeDID, poll.name);
                 }
                 await this.addToNotices(did, [exports.NoticeTags.POLL]);
                 continue;
@@ -3802,10 +5534,20 @@ class Keymaster {
         }
         return payload && typeof payload.poll === "string" && typeof payload.vote === "number";
     }
-    async addUnaliasedPoll(did) {
-        const fallbackName = did.slice(-32);
+    async addUnaliasedPoll(did, name) {
+        const baseName = name || did.slice(-32);
+        const aliases = await this.listAliases();
+        let candidate = baseName;
+        let suffix = 2;
+        while (candidate in aliases) {
+            if (aliases[candidate] === did) {
+                return; // Already aliased to this DID
+            }
+            candidate = `${baseName}-${suffix}`;
+            suffix++;
+        }
         try {
-            await this.addAlias(fallbackName, did);
+            await this.addAlias(candidate, did);
         }
         catch { }
     }
@@ -3821,26 +5563,27 @@ class Keymaster {
         const { version, seed, ...rest } = decrypted;
         const safeSeed = { mnemonicEnc: seed.mnemonicEnc };
         const hdkey = await this.getHDKeyFromCacheOrMnemonic(decrypted);
-        const { publicJwk, privateJwk } = this.cipher.generateJwk(hdkey.privateKey);
+        const { publicJwk } = this.cipher.generateJwk(hdkey.privateKey);
         const plaintext = JSON.stringify(rest);
-        const enc = this.cipher.encryptMessage(publicJwk, privateJwk, plaintext);
+        const enc = this.cipher.encryptMessage(publicJwk, plaintext);
         return { version: version, seed: safeSeed, enc };
     }
     async decryptWalletFromStorage(stored) {
         let mnemonic;
         try {
-            mnemonic = await encryption.decMnemonic(stored.seed.mnemonicEnc, this.passphrase);
+            mnemonic = await decryptWithPassphrase(stored.seed.mnemonicEnc, this.passphrase);
         }
         catch (error) {
-            // OperationError is thrown by crypto.subtle.decrypt when the passphrase is wrong
-            if (error?.name === 'OperationError') {
+            const msg = error?.message || '';
+            // OperationError: Web Crypto API (legacy); 'invalid ghash tag': @noble/ciphers
+            if (error?.name === 'OperationError' || msg.includes('invalid ghash tag')) {
                 throw new KeymasterError('Incorrect passphrase.');
             }
             throw error;
         }
         this._hdkeyCache = this.cipher.generateHDKey(mnemonic);
         const { publicJwk, privateJwk } = this.cipher.generateJwk(this._hdkeyCache.privateKey);
-        const plaintext = this.cipher.decryptMessage(publicJwk, privateJwk, stored.enc);
+        const plaintext = this.cipher.decryptMessage(privateJwk, stored.enc, publicJwk);
         const data = JSON.parse(plaintext);
         const wallet = { version: stored.version, seed: stored.seed, ...data };
         return wallet;