aegis-aead 0.1.0 → 0.2.0

package/README.md

@@ -3,9 +3,9 @@
 [![npm](https://img.shields.io/npm/v/aegis-aead)](https://www.npmjs.com/package/aegis-aead)
 [![CI](https://github.com/jedisct1/js-aegis-aead/actions/workflows/ci.yml/badge.svg)](https://github.com/jedisct1/js-aegis-aead/actions/workflows/ci.yml)
 
-JavaScript / TypeScript implementation of the [AEGIS authenticated encryption algorithms](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/).
+A compact, zero-dependency JavaScript/TypeScript implementation of [AEGIS](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/), a family of fast, secure authenticated encryption algorithms.
 
-AEGIS is a family of fast authenticated encryption algorithms built on AES round functions. It provides both encryption with authentication and standalone MAC functionality.
+AEGIS provides both encryption with authentication and standalone MAC functionality, with a simple API that makes it hard to misuse.
 
 ## Installation
 
@@ -20,48 +20,100 @@ npm install aegis-aead
 ### Encryption and Decryption
 
 ```typescript
-import { aegis128LEncrypt, aegis128LDecrypt } from "aegis-aead";
+import {
+  aegis128LCreateKey,
+  aegis128LEncrypt,
+  aegis128LDecrypt
+} from "aegis-aead";
 
-const key = crypto.getRandomValues(new Uint8Array(16));
-const nonce = crypto.getRandomValues(new Uint8Array(16));
+const key = aegis128LCreateKey(); // 16 random bytes
 const message = new TextEncoder().encode("Hello, world!");
 const associatedData = new TextEncoder().encode("metadata");
 
-// Encrypt
-const { ciphertext, tag } = aegis128LEncrypt(message, associatedData, key, nonce);
+// Encrypt - returns nonce || ciphertext || tag
+// A random nonce is generated automatically
+const sealed = aegis128LEncrypt(message, associatedData, key);
 
 // Decrypt (returns null if authentication fails)
-const decrypted = aegis128LDecrypt(ciphertext, tag, associatedData, key, nonce);
+const decrypted = aegis128LDecrypt(sealed, associatedData, key);
+```
+
+### Detached Mode
+
+For applications that need separate access to the ciphertext and tag:
+
+```typescript
+import {
+  aegis128LCreateKey,
+  aegis128LCreateNonce,
+  aegis128LEncryptDetached,
+  aegis128LDecryptDetached
+} from "aegis-aead";
+
+const key = aegis128LCreateKey();
+const nonce = aegis128LCreateNonce();
+const message = new TextEncoder().encode("Hello, world!");
+const associatedData = new TextEncoder().encode("metadata");
+
+// Encrypt - returns ciphertext and tag separately
+const { ciphertext, tag } = aegis128LEncryptDetached(message, associatedData, key, nonce);
+
+// Decrypt
+const decrypted = aegis128LDecryptDetached(ciphertext, tag, associatedData, key, nonce);
 ```
 
 ### MAC (Message Authentication Code)
 
 ```typescript
-import { aegis128LMac, aegis128LMacVerify } from "aegis-aead";
+import {
+  aegis128LCreateKey,
+  aegis128LMac,
+  aegis128LMacVerify
+} from "aegis-aead";
 
-const key = crypto.getRandomValues(new Uint8Array(16));
-const nonce = crypto.getRandomValues(new Uint8Array(16));
+const key = aegis128LCreateKey();
 const data = new TextEncoder().encode("data to authenticate");
 
-// Generate MAC
-const tag = aegis128LMac(data, key, nonce);
+// Generate MAC (nonce defaults to zero if not provided)
+const tag = aegis128LMac(data, key);
 
 // Verify MAC
-const valid = aegis128LMacVerify(data, tag, key, nonce);
+const valid = aegis128LMacVerify(data, tag, key);
 ```
 
 ## Algorithms
 
-| Algorithm  | Key Size | Nonce Size | Block Size | Use Case                           |
-| ---------- | -------- | ---------- | ---------- | ---------------------------------- |
-| AEGIS-128L | 16 bytes | 16 bytes   | 32 bytes   | High throughput on 64-bit CPUs     |
-| AEGIS-256  | 32 bytes | 32 bytes   | 16 bytes   | 256-bit security level             |
-| AEGIS-128X | 16 bytes | 16 bytes   | 32×D bytes | Multi-lane AEGIS-128L (D = degree) |
-| AEGIS-256X | 32 bytes | 32 bytes   | 16×D bytes | Multi-lane AEGIS-256 (D = degree)  |
+| Algorithm     | Key Size | Nonce Size | Block Size | Use Case                           |
+| ------------- | -------- | ---------- | ---------- | ---------------------------------- |
+| AEGIS-128L    | 16 bytes | 16 bytes   | 32 bytes   | High throughput on 64-bit CPUs     |
+| AEGIS-256     | 32 bytes | 32 bytes   | 16 bytes   | 256-bit security level             |
+| AEGIS-128X    | 16 bytes | 16 bytes   | 32×D bytes | Multi-lane AEGIS-128L (D = degree) |
+| AEGIS-256X    | 32 bytes | 32 bytes   | 16×D bytes | Multi-lane AEGIS-256 (D = degree)  |
+| AEGIS-128L-BS | 16 bytes | 16 bytes   | 32 bytes   | Bitsliced                          |
+| AEGIS-256-BS  | 32 bytes | 32 bytes   | 16 bytes   | Bitsliced                          |
+
+### Bitsliced Variants
+
+The `-BS` (bitsliced) variants provide protection against cache-timing side-channel attacks at the cost of ~20% performance overhead. They process AES operations without lookup tables, making execution time independent of the key and data values.
+
+Use the bitsliced variants when:
+- Adversaries may be able to observe timing information (shared hosting, cloud VMs)
+- The key holder may encrypt or decrypt attacker-controlled data
+- Maximum side-channel resistance is required
+
+For most use cases, the standard implementations are safe since AEGIS's continuous state mixing makes practical timing attacks extremely difficult.
+
+### Random Nonces
+
+When using random nonces (the default for combined-mode functions):
+
+- AEGIS-128L/128X: Safe for up to 2^48 messages per key, regardless of their size
+- AEGIS-256/256X: No practical limits on the number of messages per key
 
 ### Tag Lengths
 
 All algorithms support two tag lengths:
+
 - 16 bytes (128-bit) - default
 - 32 bytes (256-bit) - pass `32` as the last parameter to encrypt/MAC functions
 
@@ -70,19 +122,49 @@ All algorithms support two tag lengths:
 ### AEGIS-128L
 
 ```typescript
-aegis128LEncrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis128LDecrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis128LMac(data, key, nonce, tagLen?): Uint8Array
-aegis128LMacVerify(data, tag, key, nonce): boolean
+// Key/Nonce generation
+aegis128LCreateKey(): Uint8Array   // 16 random bytes
+aegis128LCreateNonce(): Uint8Array // 16 random bytes
+
+// Combined (nonce || ciphertext || tag)
+aegis128LEncrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis128LDecrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis128LEncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis128LDecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis128LMac(data, key, nonce?, tagLen?): Uint8Array
+aegis128LMacVerify(data, tag, key, nonce?): boolean
+
+// Constants
+AEGIS_128L_KEY_SIZE   // 16
+AEGIS_128L_NONCE_SIZE // 16
 ```
 
 ### AEGIS-256
 
 ```typescript
-aegis256Encrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis256Decrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis256Mac(data, key, nonce, tagLen?): Uint8Array
-aegis256MacVerify(data, tag, key, nonce): boolean
+// Key/Nonce generation
+aegis256CreateKey(): Uint8Array   // 32 random bytes
+aegis256CreateNonce(): Uint8Array // 32 random bytes
+
+// Combined (nonce || ciphertext || tag)
+aegis256Encrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis256Decrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis256EncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis256DecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis256Mac(data, key, nonce?, tagLen?): Uint8Array
+aegis256MacVerify(data, tag, key, nonce?): boolean
+
+// Constants
+AEGIS_256_KEY_SIZE   // 32
+AEGIS_256_NONCE_SIZE // 32
 ```
 
 ### AEGIS-128X
@@ -90,23 +172,43 @@ aegis256MacVerify(data, tag, key, nonce): boolean
 Pre-configured variants for degree 2 and 4:
 
 ```typescript
-// Degree 2
-aegis128X2Encrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis128X2Decrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis128X2Mac(data, key, nonce, tagLen?): Uint8Array
-aegis128X2MacVerify(data, tag, key, nonce): boolean
-
-// Degree 4
-aegis128X4Encrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis128X4Decrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis128X4Mac(data, key, nonce, tagLen?): Uint8Array
-aegis128X4MacVerify(data, tag, key, nonce): boolean
+// Key/Nonce generation
+aegis128XCreateKey(): Uint8Array   // 16 random bytes
+aegis128XCreateNonce(): Uint8Array // 16 random bytes
+aegis128X2CreateKey(): Uint8Array  // alias
+aegis128X2CreateNonce(): Uint8Array
+aegis128X4CreateKey(): Uint8Array  // alias
+aegis128X4CreateNonce(): Uint8Array
+
+// Combined (nonce || ciphertext || tag)
+aegis128X2Encrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis128X2Decrypt(sealed, ad, key, tagLen?): Uint8Array | null
+aegis128X4Encrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis128X4Decrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis128X2EncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis128X2DecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+aegis128X4EncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis128X4DecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis128X2Mac(data, key, nonce?, tagLen?): Uint8Array
+aegis128X2MacVerify(data, tag, key, nonce?): boolean
+aegis128X4Mac(data, key, nonce?, tagLen?): Uint8Array
+aegis128X4MacVerify(data, tag, key, nonce?): boolean
 
 // Custom degree
-aegis128XEncrypt(msg, ad, key, nonce, tagLen?, degree?): { ciphertext, tag }
-aegis128XDecrypt(ciphertext, tag, ad, key, nonce, degree?): Uint8Array | null
-aegis128XMac(data, key, nonce, tagLen?, degree?): Uint8Array
-aegis128XMacVerify(data, tag, key, nonce, degree?): boolean
+aegis128XEncrypt(msg, ad, key, nonce?, tagLen?, degree?): Uint8Array
+aegis128XDecrypt(sealed, ad, key, tagLen?, degree?): Uint8Array | null
+aegis128XEncryptDetached(msg, ad, key, nonce, tagLen?, degree?): { ciphertext, tag }
+aegis128XDecryptDetached(ciphertext, tag, ad, key, nonce, degree?): Uint8Array | null
+aegis128XMac(data, key, nonce?, tagLen?, degree?): Uint8Array
+aegis128XMacVerify(data, tag, key, nonce?, degree?): boolean
+
+// Constants
+AEGIS_128X_KEY_SIZE   // 16
+AEGIS_128X_NONCE_SIZE // 16
 ```
 
 ### AEGIS-256X
@@ -114,23 +216,91 @@ aegis128XMacVerify(data, tag, key, nonce, degree?): boolean
 Pre-configured variants for degree 2 and 4:
 
 ```typescript
-// Degree 2
-aegis256X2Encrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis256X2Decrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis256X2Mac(data, key, nonce, tagLen?): Uint8Array
-aegis256X2MacVerify(data, tag, key, nonce): boolean
-
-// Degree 4
-aegis256X4Encrypt(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
-aegis256X4Decrypt(ciphertext, tag, ad, key, nonce): Uint8Array | null
-aegis256X4Mac(data, key, nonce, tagLen?): Uint8Array
-aegis256X4MacVerify(data, tag, key, nonce): boolean
+// Key/Nonce generation
+aegis256XCreateKey(): Uint8Array   // 32 random bytes
+aegis256XCreateNonce(): Uint8Array // 32 random bytes
+aegis256X2CreateKey(): Uint8Array  // alias
+aegis256X2CreateNonce(): Uint8Array
+aegis256X4CreateKey(): Uint8Array  // alias
+aegis256X4CreateNonce(): Uint8Array
+
+// Combined (nonce || ciphertext || tag)
+aegis256X2Encrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis256X2Decrypt(sealed, ad, key, tagLen?): Uint8Array | null
+aegis256X4Encrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis256X4Decrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis256X2EncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis256X2DecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+aegis256X4EncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis256X4DecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis256X2Mac(data, key, nonce?, tagLen?): Uint8Array
+aegis256X2MacVerify(data, tag, key, nonce?): boolean
+aegis256X4Mac(data, key, nonce?, tagLen?): Uint8Array
+aegis256X4MacVerify(data, tag, key, nonce?): boolean
 
 // Custom degree
-aegis256XEncrypt(msg, ad, key, nonce, tagLen?, degree?): { ciphertext, tag }
-aegis256XDecrypt(ciphertext, tag, ad, key, nonce, degree?): Uint8Array | null
-aegis256XMac(data, key, nonce, tagLen?, degree?): Uint8Array
-aegis256XMacVerify(data, tag, key, nonce, degree?): boolean
+aegis256XEncrypt(msg, ad, key, nonce?, tagLen?, degree?): Uint8Array
+aegis256XDecrypt(sealed, ad, key, tagLen?, degree?): Uint8Array | null
+aegis256XEncryptDetached(msg, ad, key, nonce, tagLen?, degree?): { ciphertext, tag }
+aegis256XDecryptDetached(ciphertext, tag, ad, key, nonce, degree?): Uint8Array | null
+aegis256XMac(data, key, nonce?, tagLen?, degree?): Uint8Array
+aegis256XMacVerify(data, tag, key, nonce?, degree?): boolean
+
+// Constants
+AEGIS_256X_KEY_SIZE   // 32
+AEGIS_256X_NONCE_SIZE // 32
+```
+
+### AEGIS-128L-BS (Bitsliced)
+
+```typescript
+// Key/Nonce generation
+aegis128LBsCreateKey(): Uint8Array   // 16 random bytes
+aegis128LBsCreateNonce(): Uint8Array // 16 random bytes
+
+// Combined (nonce || ciphertext || tag)
+aegis128LBsEncrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis128LBsDecrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis128LBsEncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis128LBsDecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis128LBsMac(data, key, nonce?, tagLen?): Uint8Array
+aegis128LBsMacVerify(data, tag, key, nonce?): boolean
+
+// Constants
+AEGIS_128L_BS_KEY_SIZE   // 16
+AEGIS_128L_BS_NONCE_SIZE // 16
+```
+
+### AEGIS-256-BS (Bitsliced)
+
+```typescript
+// Key/Nonce generation
+aegis256BsCreateKey(): Uint8Array   // 32 random bytes
+aegis256BsCreateNonce(): Uint8Array // 32 random bytes
+
+// Combined (nonce || ciphertext || tag)
+aegis256BsEncrypt(msg, ad, key, nonce?, tagLen?): Uint8Array
+aegis256BsDecrypt(sealed, ad, key, tagLen?): Uint8Array | null
+
+// Detached (separate ciphertext and tag)
+aegis256BsEncryptDetached(msg, ad, key, nonce, tagLen?): { ciphertext, tag }
+aegis256BsDecryptDetached(ciphertext, tag, ad, key, nonce): Uint8Array | null
+
+// MAC (nonce is optional, defaults to zero)
+aegis256BsMac(data, key, nonce?, tagLen?): Uint8Array
+aegis256BsMacVerify(data, tag, key, nonce?): boolean
+
+// Constants
+AEGIS_256_BS_KEY_SIZE   // 32
+AEGIS_256_BS_NONCE_SIZE // 32
 ```
 
 ## Browser Example
@@ -144,12 +314,17 @@ open examples/index.html
 
 The example demonstrates encryption/decryption with a simple UI where you can enter a message, encrypt it, and decrypt it back.
 
-## Security Notes
+## Compatibility
+
+The key/nonce generation functions use the Web Crypto API (`globalThis.crypto.getRandomValues`) which is available in:
+
+- All modern browsers
+- Node.js 18+
+- Deno
+- Bun
 
-- Never reuse a nonce with the same key
-- Decryption returns `null` on authentication failure; do not use any partial output
-- Tag verification uses constant-time comparison
+## Interoperability
 
-## License
+This library follows the [AEGIS IETF draft specification](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/) and can exchange encrypted messages with any compliant implementation, including native libraries in C, Rust, Go, Zig, and more.
 
-MIT
+See the [full list of AEGIS implementations](https://github.com/cfrg/draft-irtf-cfrg-aegis-aead?tab=readme-ov-file#known-implementations).

package/dist/aegis128l-bs.d.ts

@@ -0,0 +1,162 @@
+/**
+ * Bitsliced AEGIS-128L implementation.
+ * Provides constant-time operation by processing all 8 state blocks simultaneously.
+ */
+/**
+ * Bitsliced AEGIS-128L cipher state.
+ * Uses 8 AES blocks (128 bytes) stored in bitsliced form (32 uint32 words).
+ */
+export declare class Aegis128LBsState {
+    private st;
+    private st1;
+    private tmp0;
+    private tmp1;
+    private z0;
+    private z1;
+    constructor();
+    /**
+     * AEGIS round function: applies AES round to all blocks and rotates.
+     * st[i] = AES(st[i]) ^ st[(i-1) mod 8]
+     */
+    private aegisRound;
+    /**
+     * AEGIS round function with constant input (used in packed mode).
+     */
+    private aegisRoundPacked;
+    /**
+     * Pack constant input for blocks 0 and 4.
+     */
+    private packConstantInput;
+    /**
+     * Absorb rate: XOR message blocks into state positions 0 and 4.
+     */
+    private absorbRate;
+    /**
+     * Update state with two message blocks.
+     */
+    private update;
+    /**
+     * Initializes the state with a key and nonce.
+     * @param key - 16-byte encryption key
+     * @param nonce - 16-byte nonce (must be unique per message)
+     */
+    init(key: Uint8Array, nonce: Uint8Array): void;
+    /**
+     * Absorbs a 32-byte associated data block into the state.
+     * @param ai - 32-byte associated data block
+     */
+    absorb(ai: Uint8Array): void;
+    /**
+     * Encrypts a 32-byte plaintext block and writes to output buffer.
+     * @param xi - 32-byte plaintext block
+     * @param out - 32-byte output buffer
+     */
+    encTo(xi: Uint8Array, out: Uint8Array): void;
+    /**
+     * Encrypts a 32-byte plaintext block.
+     * @param xi - 32-byte plaintext block
+     * @returns 32-byte ciphertext block
+     */
+    enc(xi: Uint8Array): Uint8Array;
+    /**
+     * Decrypts a 32-byte ciphertext block and writes to output buffer.
+     * @param ci - 32-byte ciphertext block
+     * @param out - 32-byte output buffer
+     */
+    decTo(ci: Uint8Array, out: Uint8Array): void;
+    /**
+     * Decrypts a 32-byte ciphertext block.
+     * @param ci - 32-byte ciphertext block
+     * @returns 32-byte plaintext block
+     */
+    dec(ci: Uint8Array): Uint8Array;
+    /**
+     * Decrypts a partial (final) ciphertext block smaller than 32 bytes.
+     * @param cn - Partial ciphertext block (1-31 bytes)
+     * @returns Decrypted plaintext of the same length
+     */
+    decPartial(cn: Uint8Array): Uint8Array;
+    /**
+     * Finalizes encryption/decryption and produces an authentication tag.
+     * @param adLen - Associated data length in bytes
+     * @param msgLen - Message length in bytes
+     * @param tagLen - Tag length (16 or 32 bytes)
+     * @returns Authentication tag
+     */
+    finalize(adLen: number, msgLen: number, tagLen?: 16 | 32): Uint8Array;
+}
+/**
+ * Encrypts a message using bitsliced AEGIS-128L (detached mode).
+ * @param msg - Plaintext message
+ * @param ad - Associated data (authenticated but not encrypted)
+ * @param key - 16-byte encryption key
+ * @param nonce - 16-byte nonce (must be unique per message with the same key)
+ * @param tagLen - Authentication tag length: 16 or 32 bytes (default: 16)
+ * @returns Object containing ciphertext and authentication tag separately
+ */
+export declare function aegis128LBsEncryptDetached(msg: Uint8Array, ad: Uint8Array, key: Uint8Array, nonce: Uint8Array, tagLen?: 16 | 32): {
+    ciphertext: Uint8Array;
+    tag: Uint8Array;
+};
+/**
+ * Decrypts a message using bitsliced AEGIS-128L (detached mode).
+ * @param ct - Ciphertext
+ * @param tag - Authentication tag (16 or 32 bytes)
+ * @param ad - Associated data (must match what was used during encryption)
+ * @param key - 16-byte encryption key
+ * @param nonce - 16-byte nonce (must match what was used during encryption)
+ * @returns Decrypted plaintext, or null if authentication fails
+ */
+export declare function aegis128LBsDecryptDetached(ct: Uint8Array, tag: Uint8Array, ad: Uint8Array, key: Uint8Array, nonce: Uint8Array): Uint8Array | null;
+export declare const AEGIS_128L_BS_NONCE_SIZE = 16;
+export declare const AEGIS_128L_BS_KEY_SIZE = 16;
+/**
+ * Encrypts a message using bitsliced AEGIS-128L.
+ * Returns a single buffer containing nonce || ciphertext || tag.
+ * @param msg - Plaintext message
+ * @param ad - Associated data (authenticated but not encrypted)
+ * @param key - 16-byte encryption key
+ * @param nonce - 16-byte nonce (optional, generates random nonce if not provided)
+ * @param tagLen - Authentication tag length: 16 or 32 bytes (default: 16)
+ * @returns Concatenated nonce || ciphertext || tag
+ */
+export declare function aegis128LBsEncrypt(msg: Uint8Array, ad: Uint8Array, key: Uint8Array, nonce?: Uint8Array | null, tagLen?: 16 | 32): Uint8Array;
+/**
+ * Decrypts a message using bitsliced AEGIS-128L.
+ * Expects input as nonce || ciphertext || tag.
+ * @param sealed - Concatenated nonce || ciphertext || tag
+ * @param ad - Associated data (must match what was used during encryption)
+ * @param key - 16-byte encryption key
+ * @param tagLen - Authentication tag length: 16 or 32 bytes (default: 16)
+ * @returns Decrypted plaintext, or null if authentication fails
+ */
+export declare function aegis128LBsDecrypt(sealed: Uint8Array, ad: Uint8Array, key: Uint8Array, tagLen?: 16 | 32): Uint8Array | null;
+/**
+ * Computes a MAC (Message Authentication Code) using bitsliced AEGIS-128L.
+ * @param data - Data to authenticate
+ * @param key - 16-byte key
+ * @param nonce - 16-byte nonce (optional, uses zero nonce if null)
+ * @param tagLen - Tag length: 16 or 32 bytes (default: 16)
+ * @returns Authentication tag
+ */
+export declare function aegis128LBsMac(data: Uint8Array, key: Uint8Array, nonce?: Uint8Array | null, tagLen?: 16 | 32): Uint8Array;
+/**
+ * Verifies a MAC computed using bitsliced AEGIS-128L.
+ * @param data - Data to verify
+ * @param tag - Expected authentication tag (16 or 32 bytes)
+ * @param key - 16-byte key
+ * @param nonce - 16-byte nonce (optional, uses zero nonce if null)
+ * @returns True if the tag is valid, false otherwise
+ */
+export declare function aegis128LBsMacVerify(data: Uint8Array, tag: Uint8Array, key: Uint8Array, nonce?: Uint8Array | null): boolean;
+/**
+ * Generates a random 16-byte key for bitsliced AEGIS-128L.
+ * @returns 16-byte encryption key
+ */
+export declare function aegis128LBsCreateKey(): Uint8Array;
+/**
+ * Generates a random 16-byte nonce for bitsliced AEGIS-128L.
+ * @returns 16-byte nonce
+ */
+export declare function aegis128LBsCreateNonce(): Uint8Array;
+//# sourceMappingURL=aegis128l-bs.d.ts.map

package/dist/aegis128l-bs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aegis128l-bs.d.ts","sourceRoot":"","sources":["../src/aegis128l-bs.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA+BH;;;GAGG;AACH,qBAAa,gBAAgB;IAC5B,OAAO,CAAC,EAAE,CAAY;IACtB,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,IAAI,CAAW;IACvB,OAAO,CAAC,IAAI,CAAW;IACvB,OAAO,CAAC,EAAE,CAAW;IACrB,OAAO,CAAC,EAAE,CAAW;;IAWrB;;;OAGG;IACH,OAAO,CAAC,UAAU;IAkBlB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAWxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;OAEG;IACH,OAAO,CAAC,UAAU;IAalB;;OAEG;IACH,OAAO,CAAC,MAAM;IAKd;;;;OAIG;IACH,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI;IA+B9C;;;OAGG;IACH,MAAM,CAAC,EAAE,EAAE,UAAU,GAAG,IAAI;IAQ5B;;;;OAIG;IACH,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,IAAI;IAoC5C;;;;OAIG;IACH,GAAG,CAAC,EAAE,EAAE,UAAU,GAAG,UAAU;IAM/B;;;;OAIG;IACH,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,IAAI;IA+B5C;;;;OAIG;IACH,GAAG,CAAC,EAAE,EAAE,UAAU,GAAG,UAAU;IAM/B;;;;OAIG;IACH,UAAU,CAAC,EAAE,EAAE,UAAU,GAAG,UAAU;IA0CtC;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,EAAE,GAAG,EAAO,GAAG,UAAU;CA+DzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACzC,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,EACjB,MAAM,GAAE,EAAE,GAAG,EAAO,GAClB;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,GAAG,EAAE,UAAU,CAAA;CAAE,CAyB7C;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACzC,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,KAAK,EAAE,UAAU,GACf,UAAU,GAAG,IAAI,CA6BnB;AAED,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAC3C,eAAO,MAAM,sBAAsB,KAAK,CAAC;AAEzC;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CACjC,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,KAAK,GAAE,UAAU,GAAG,IAAW,EAC/B,MAAM,GAAE,EAAE,GAAG,EAAO,GAClB,UAAU,CAkBZ;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CACjC,MAAM,EAAE,UAAU,EAClB,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,MAAM,GAAE,EAAE,GAAG,EAAO,GAClB,UAAU,GAAG,IAAI,CASnB;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC7B,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,UAAU,EACf,KAAK,GAAE,UAAU,GAAG,IAAW,EAC/B,MAAM,GAAE,EAAE,GAAG,EAAO,GAClB,UAAU,CAUZ;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CACnC,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,UAAU,EACf,KAAK,GAAE,UAAU,GAAG,IAAW,GAC7B,OAAO,CAIT;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,UAAU,CAEjD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,UAAU,CAEnD"}