leviathan-crypto 1.0.0

package/dist/serpent/stream-pool.js

@@ -0,0 +1,285 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/serpent/stream-pool.ts
+//
+// SerpentStreamPool — parallel worker pool for SerpentStream.
+// Dispatches chunk-level seal/open jobs across Web Workers, each
+// with its own serpent.wasm and sha2.wasm instances.
+import { isInitialized } from '../init.js';
+import { HKDF_SHA256 } from '../sha2/index.js';
+import { u32be, u64be, deriveChunkKeys } from './stream.js';
+// ── Constants ─────────────────────────────────────────────────────────────────
+const CHUNK_MIN = 1024;
+const CHUNK_MAX = 65536;
+const CHUNK_DEF = 65536;
+// ── Module-private base64 decoder ─────────────────────────────────────────────
+function base64ToBytes(b64) {
+    if (typeof atob === 'function') {
+        const raw = atob(b64);
+        const out = new Uint8Array(raw.length);
+        for (let i = 0; i < raw.length; i++)
+            out[i] = raw.charCodeAt(i);
+        return out;
+    }
+    return new Uint8Array(Buffer.from(b64, 'base64'));
+}
+// ── WASM module singletons ──────────────────────────────────────────────────
+let _serpentModule;
+let _sha2Module;
+async function getSerpentModule() {
+    if (_serpentModule)
+        return _serpentModule;
+    const { WASM_BASE64 } = await import('../embedded/serpent.js');
+    const bytes = base64ToBytes(WASM_BASE64);
+    _serpentModule = await WebAssembly.compile(bytes.buffer);
+    return _serpentModule;
+}
+async function getSha2Module() {
+    if (_sha2Module)
+        return _sha2Module;
+    const { WASM_BASE64 } = await import('../embedded/sha2.js');
+    const bytes = base64ToBytes(WASM_BASE64);
+    _sha2Module = await WebAssembly.compile(bytes.buffer);
+    return _sha2Module;
+}
+// ── Worker spawning ──────────────────────────────────────────────────────────
+function spawnWorker(serpentMod, sha2Mod) {
+    return new Promise((resolve, reject) => {
+        const worker = new Worker(new URL('./stream.worker.js', import.meta.url), { type: 'module' });
+        const onMessage = (e) => {
+            cleanup();
+            if (e.data.type === 'ready') {
+                resolve(worker);
+            }
+            else {
+                worker.terminate();
+                reject(new Error(`leviathan-crypto: worker init failed: ${e.data.message}`));
+            }
+        };
+        const onError = (e) => {
+            cleanup();
+            worker.terminate();
+            reject(new Error(`leviathan-crypto: worker init failed: ${e.message}`));
+        };
+        const cleanup = () => {
+            worker.removeEventListener('message', onMessage);
+            worker.removeEventListener('error', onError);
+        };
+        worker.addEventListener('message', onMessage);
+        worker.addEventListener('error', onError);
+        worker.postMessage({ type: 'init', serpentModule: serpentMod, sha2Module: sha2Mod });
+    });
+}
+// ── Pool class ───────────────────────────────────────────────────────────────
+/**
+ * Parallel worker pool for SerpentStream chunked authenticated encryption.
+ *
+ * Each worker owns its own `serpent.wasm` and `sha2.wasm` instances with
+ * isolated linear memory. Key derivation happens on the main thread; workers
+ * receive pre-derived encKey/macKey per chunk.
+ *
+ * Produces the same wire format as `SerpentStream` -- either can decrypt
+ * the other's output.
+ */
+export class SerpentStreamPool {
+    _workers;
+    _idle;
+    _queue;
+    _pending;
+    _hkdf;
+    _nextId;
+    _disposed;
+    constructor(workers, hkdf) {
+        this._workers = workers;
+        this._idle = [...workers];
+        this._queue = [];
+        this._pending = new Map();
+        this._hkdf = hkdf;
+        this._nextId = 0;
+        this._disposed = false;
+        for (const w of workers) {
+            w.onmessage = (e) => this._onMessage(w, e);
+        }
+    }
+    /**
+     * Create a new pool. Requires `init(['serpent', 'sha2'])` to have been called.
+     * Compiles both WASM modules once and distributes them to all workers.
+     */
+    static async create(opts) {
+        if (!isInitialized('serpent') || !isInitialized('sha2'))
+            throw new Error('leviathan-crypto: call init([\'serpent\', \'sha2\']) before using SerpentStreamPool');
+        const n = opts?.workers ?? (typeof navigator !== 'undefined' ? navigator.hardwareConcurrency : undefined) ?? 4;
+        const [serpentMod, sha2Mod] = await Promise.all([getSerpentModule(), getSha2Module()]);
+        // Sequential spawn — compatible with inline-worker test environments
+        const workers = [];
+        for (let i = 0; i < n; i++)
+            workers.push(await spawnWorker(serpentMod, sha2Mod));
+        const hkdf = new HKDF_SHA256();
+        return new SerpentStreamPool(workers, hkdf);
+    }
+    /**
+     * Encrypt plaintext with SerpentStream chunked authenticated encryption.
+     * Returns the complete wire format (header + encrypted chunks).
+     */
+    async seal(key, plaintext, chunkSize) {
+        if (this._disposed)
+            throw new Error('leviathan-crypto: pool is disposed');
+        if (key.length !== 32)
+            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
+        const cs = chunkSize ?? CHUNK_DEF;
+        if (cs < CHUNK_MIN || cs > CHUNK_MAX)
+            throw new RangeError(`SerpentStream chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
+        const streamNonce = new Uint8Array(16);
+        crypto.getRandomValues(streamNonce);
+        const chunkCount = plaintext.length === 0 ? 1 : Math.ceil(plaintext.length / cs);
+        // Dispatch all chunk jobs in parallel
+        const chunkPromises = [];
+        for (let i = 0; i < chunkCount; i++) {
+            const start = i * cs;
+            const end = Math.min(start + cs, plaintext.length);
+            const slice = plaintext.slice(start, end);
+            const isLast = i === chunkCount - 1;
+            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
+            chunkPromises.push(this._dispatch('seal', encKey, macKey, slice));
+        }
+        const chunkResults = await Promise.all(chunkPromises);
+        // Compute total output size
+        let totalWire = 28;
+        for (const c of chunkResults)
+            totalWire += c.length;
+        const out = new Uint8Array(totalWire);
+        // Write header
+        out.set(streamNonce, 0);
+        out.set(u32be(cs), 16);
+        out.set(u64be(chunkCount), 20);
+        let pos = 28;
+        for (const c of chunkResults) {
+            out.set(c, pos);
+            pos += c.length;
+        }
+        return out;
+    }
+    /**
+     * Decrypt SerpentStream wire format.
+     * If any chunk fails authentication, rejects immediately -- no partial plaintext.
+     */
+    async open(key, ciphertext) {
+        if (this._disposed)
+            throw new Error('leviathan-crypto: pool is disposed');
+        if (key.length !== 32)
+            throw new RangeError(`SerpentStream key must be 32 bytes (got ${key.length})`);
+        if (ciphertext.length < 28 + 32)
+            throw new RangeError('SerpentStream: ciphertext too short');
+        // Parse header
+        const streamNonce = ciphertext.subarray(0, 16);
+        const csView = ciphertext.subarray(16, 20);
+        const cs = (csView[0] << 24) | (csView[1] << 16) | (csView[2] << 8) | csView[3];
+        const ccView = ciphertext.subarray(20, 28);
+        let chunkCount = 0;
+        for (let i = 0; i < 8; i++)
+            chunkCount = chunkCount * 256 + ccView[i];
+        // Dispatch all chunk jobs
+        const chunkPromises = [];
+        let pos = 28;
+        for (let i = 0; i < chunkCount; i++) {
+            const isLast = i === chunkCount - 1;
+            const wireLen = isLast ? ciphertext.length - pos : cs + 32;
+            const wireSlice = ciphertext.slice(pos, pos + wireLen);
+            const { encKey, macKey } = deriveChunkKeys(this._hkdf, key, streamNonce, cs, chunkCount, i, isLast);
+            chunkPromises.push(this._dispatch('open', encKey, macKey, wireSlice));
+            pos += wireLen;
+        }
+        // Await all — Promise.all rejects on first failure
+        const results = await Promise.all(chunkPromises);
+        // Reassemble plaintext
+        let totalPt = 0;
+        for (const r of results)
+            totalPt += r.length;
+        const plaintext = new Uint8Array(totalPt);
+        let ptPos = 0;
+        for (const r of results) {
+            plaintext.set(r, ptPos);
+            ptPos += r.length;
+        }
+        return plaintext;
+    }
+    /** Terminates all workers. Rejects all pending and queued jobs. */
+    dispose() {
+        if (this._disposed)
+            return;
+        this._disposed = true;
+        for (const w of this._workers)
+            w.terminate();
+        const err = new Error('leviathan-crypto: pool disposed');
+        for (const { reject } of this._pending.values())
+            reject(err);
+        for (const job of this._queue)
+            this._pending.get(job.id)?.reject(err);
+        this._pending.clear();
+        this._queue.length = 0;
+        this._hkdf.dispose();
+    }
+    /** Number of workers in the pool. */
+    get size() {
+        return this._workers.length;
+    }
+    /** Number of jobs currently queued (waiting for a free worker). */
+    get queueDepth() {
+        return this._queue.length;
+    }
+    // ── Internals ────────────────────────────────────────────────────────────
+    _dispatch(op, encKey, macKey, data) {
+        return new Promise((resolve, reject) => {
+            const id = this._nextId++;
+            const job = { id, op, encKey, macKey, data };
+            this._pending.set(id, { resolve, reject });
+            const worker = this._idle.pop();
+            if (worker)
+                this._send(worker, job);
+            else
+                this._queue.push(job);
+        });
+    }
+    _send(worker, job) {
+        // No transfer list: @vitest/web-worker (same-thread fake worker used in
+        // Vitest test environment) silently drops postMessage calls that include a
+        // non-empty Transferable array. encKey/macKey/data are already .slice()
+        // copies — neutering was never part of SerpentStreamPool's public contract.
+        worker.postMessage({ type: 'job', ...job });
+    }
+    _onMessage(worker, e) {
+        const msg = e.data;
+        const job = this._pending.get(msg.id);
+        if (!job)
+            return;
+        this._pending.delete(msg.id);
+        if (msg.type === 'result')
+            job.resolve(msg.data);
+        else
+            job.reject(new Error(msg.message));
+        const next = this._queue.shift();
+        if (next)
+            this._send(worker, next);
+        else
+            this._idle.push(worker);
+    }
+}

package/dist/serpent/stream-sealer.d.ts

@@ -0,0 +1,34 @@
+export declare class SerpentStreamSealer {
+    private readonly _key;
+    private readonly _cs;
+    private readonly _nonce;
+    private readonly _cbc;
+    private readonly _hmac;
+    private readonly _hkdf;
+    private readonly _ivs;
+    private _ivIdx;
+    private _index;
+    private _state;
+    constructor(key: Uint8Array, chunkSize?: number, _nonce?: Uint8Array, _ivs?: Uint8Array[]);
+    header(): Uint8Array;
+    seal(plaintext: Uint8Array): Uint8Array;
+    final(plaintext: Uint8Array): Uint8Array;
+    private _sealChunk;
+    private _wipe;
+    dispose(): void;
+}
+export declare class SerpentStreamOpener {
+    private readonly _key;
+    private readonly _cs;
+    private readonly _nonce;
+    private readonly _cbc;
+    private readonly _hmac;
+    private readonly _hkdf;
+    private _index;
+    private _dead;
+    constructor(key: Uint8Array, header: Uint8Array);
+    get closed(): boolean;
+    open(chunk: Uint8Array): Uint8Array;
+    private _wipe;
+    dispose(): void;
+}

package/dist/serpent/stream-sealer.js

@@ -0,0 +1,223 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/serpent/stream-sealer.ts
+//
+// Tier 2 pure-TS composition: SerpentCbc + HMAC_SHA256 + HKDF_SHA256.
+// Incremental streaming AEAD — seal/open one chunk at a time.
+// Wire format: header (20) | chunks: IV(16) || ct(padded) || HMAC(32)
+import { SerpentCbc, _serpentReady } from './index.js';
+import { HMAC_SHA256, HKDF_SHA256, _sha2Ready } from '../sha2/index.js';
+import { concat, constantTimeEqual, wipe } from '../utils.js';
+import { u32be, u64be } from './stream.js';
+const DOMAIN = 'serpent-sealstream-v1';
+const DOMAIN_BYTES = new TextEncoder().encode(DOMAIN); // 21 bytes
+const CHUNK_MIN = 1024;
+const CHUNK_MAX = 65536;
+const CHUNK_DEF = 65536;
+function chunkInfo(streamNonce, chunkSize, index, isLast) {
+    // 21 + 16 + 4 + 8 + 1 = 50 bytes
+    const info = new Uint8Array(50);
+    let off = 0;
+    info.set(DOMAIN_BYTES, off);
+    off += 21;
+    info.set(streamNonce, off);
+    off += 16;
+    info.set(u32be(chunkSize), off);
+    off += 4;
+    info.set(u64be(index), off);
+    off += 8;
+    info[off] = isLast ? 0x01 : 0x00;
+    return info;
+}
+function deriveChunkKeys(hkdf, key, streamNonce, chunkSize, index, isLast) {
+    const info = chunkInfo(streamNonce, chunkSize, index, isLast);
+    const derived = hkdf.derive(key, new Uint8Array(0), info, 64);
+    return {
+        encKey: derived.subarray(0, 32),
+        macKey: derived.subarray(32, 64),
+    };
+}
+export class SerpentStreamSealer {
+    _key;
+    _cs; // chunk size
+    _nonce; // stream nonce (16 bytes)
+    _cbc;
+    _hmac;
+    _hkdf;
+    _ivs; // test seam: fixed IVs
+    _ivIdx;
+    _index;
+    _state;
+    // _nonce, _ivs: test seams — inject fixed nonce/IVs for deterministic KAT vectors
+    constructor(key, chunkSize, _nonce, _ivs) {
+        if (!_serpentReady())
+            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamSealer');
+        if (!_sha2Ready())
+            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamSealer');
+        if (key.length !== 64)
+            throw new RangeError(`SerpentStreamSealer key must be 64 bytes (got ${key.length})`);
+        const cs = chunkSize ?? CHUNK_DEF;
+        if (cs < CHUNK_MIN || cs > CHUNK_MAX)
+            throw new RangeError(`SerpentStreamSealer chunkSize must be ${CHUNK_MIN}..${CHUNK_MAX} (got ${cs})`);
+        this._key = key.slice();
+        this._cs = cs;
+        this._nonce = new Uint8Array(16);
+        if (_nonce && _nonce.length === 16) {
+            this._nonce.set(_nonce);
+        }
+        else {
+            crypto.getRandomValues(this._nonce);
+        }
+        this._cbc = new SerpentCbc({ dangerUnauthenticated: true });
+        this._hmac = new HMAC_SHA256();
+        this._hkdf = new HKDF_SHA256();
+        this._ivs = _ivs;
+        this._ivIdx = 0;
+        this._index = 0;
+        this._state = 'fresh';
+    }
+    header() {
+        if (this._state === 'sealing')
+            throw new Error('SerpentStreamSealer: header() already called');
+        if (this._state === 'dead')
+            throw new Error('SerpentStreamSealer: stream is closed');
+        this._state = 'sealing';
+        const hdr = new Uint8Array(20);
+        hdr.set(this._nonce, 0);
+        hdr.set(u32be(this._cs), 16);
+        return hdr;
+    }
+    seal(plaintext) {
+        if (this._state === 'fresh')
+            throw new Error('SerpentStreamSealer: call header() first');
+        if (this._state === 'dead')
+            throw new Error('SerpentStreamSealer: stream is closed');
+        if (plaintext.length !== this._cs)
+            throw new RangeError(`SerpentStreamSealer: seal() requires exactly ${this._cs} bytes (got ${plaintext.length})`);
+        return this._sealChunk(plaintext, false);
+    }
+    final(plaintext) {
+        if (this._state === 'fresh')
+            throw new Error('SerpentStreamSealer: call header() first');
+        if (this._state === 'dead')
+            throw new Error('SerpentStreamSealer: stream is closed');
+        if (plaintext.length > this._cs)
+            throw new RangeError(`SerpentStreamSealer: final() plaintext exceeds chunkSize (got ${plaintext.length})`);
+        const out = this._sealChunk(plaintext, true);
+        this._wipe();
+        return out;
+    }
+    _sealChunk(plaintext, isLast) {
+        const { encKey, macKey } = deriveChunkKeys(this._hkdf, this._key, this._nonce, this._cs, this._index, isLast);
+        const iv = new Uint8Array(16);
+        if (this._ivs && this._ivIdx < this._ivs.length) {
+            iv.set(this._ivs[this._ivIdx++]);
+        }
+        else {
+            crypto.getRandomValues(iv);
+        }
+        const ciphertext = this._cbc.encrypt(encKey, iv, plaintext);
+        const tag = this._hmac.hash(macKey, concat(iv, ciphertext));
+        this._index++;
+        return concat(concat(iv, ciphertext), tag);
+    }
+    _wipe() {
+        wipe(this._key);
+        wipe(this._nonce);
+        this._cbc.dispose();
+        this._hmac.dispose();
+        this._hkdf.dispose();
+        this._state = 'dead';
+    }
+    dispose() {
+        if (this._state !== 'dead')
+            this._wipe();
+    }
+}
+export class SerpentStreamOpener {
+    _key;
+    _cs;
+    _nonce;
+    _cbc;
+    _hmac;
+    _hkdf;
+    _index;
+    _dead;
+    constructor(key, header) {
+        if (!_serpentReady())
+            throw new Error('leviathan-crypto: call init([\'serpent\']) before using SerpentStreamOpener');
+        if (!_sha2Ready())
+            throw new Error('leviathan-crypto: call init([\'sha2\']) before using SerpentStreamOpener');
+        if (key.length !== 64)
+            throw new RangeError(`SerpentStreamOpener key must be 64 bytes (got ${key.length})`);
+        if (header.length !== 20)
+            throw new RangeError(`SerpentStreamOpener header must be 20 bytes (got ${header.length})`);
+        this._key = key.slice();
+        this._nonce = header.slice(0, 16);
+        this._cs = (header[16] << 24 | header[17] << 16 | header[18] << 8 | header[19]) >>> 0;
+        this._cbc = new SerpentCbc({ dangerUnauthenticated: true });
+        this._hmac = new HMAC_SHA256();
+        this._hkdf = new HKDF_SHA256();
+        this._index = 0;
+        this._dead = false;
+    }
+    get closed() {
+        return this._dead;
+    }
+    open(chunk) {
+        if (this._dead)
+            throw new Error('SerpentStreamOpener: stream is closed');
+        // Try isLast = true first, then false.
+        // Whichever passes auth is the correct interpretation.
+        for (const isLast of [true, false]) {
+            const { encKey, macKey } = deriveChunkKeys(this._hkdf, this._key, this._nonce, this._cs, this._index, isLast);
+            // chunk = IV (16) || ciphertext || HMAC (32)
+            if (chunk.length < 16 + 16 + 32)
+                continue; // too short to be valid
+            const iv = chunk.subarray(0, 16);
+            const ciphertext = chunk.subarray(16, chunk.length - 32);
+            const tag = chunk.subarray(chunk.length - 32);
+            const expectedTag = this._hmac.hash(macKey, concat(iv, ciphertext));
+            if (!constantTimeEqual(tag, expectedTag))
+                continue;
+            const plaintext = this._cbc.decrypt(encKey, iv, ciphertext);
+            this._index++;
+            if (isLast) {
+                this._wipe();
+            }
+            return plaintext;
+        }
+        throw new Error('SerpentStreamOpener: authentication failed');
+    }
+    _wipe() {
+        wipe(this._key);
+        wipe(this._nonce);
+        this._cbc.dispose();
+        this._hmac.dispose();
+        this._hkdf.dispose();
+        this._dead = true;
+    }
+    dispose() {
+        if (!this._dead)
+            this._wipe();
+    }
+}

package/dist/serpent/stream.d.ts

@@ -0,0 +1,28 @@
+import { SerpentCtr } from './index.js';
+import { HMAC_SHA256, HKDF_SHA256 } from '../sha2/index.js';
+export declare function u32be(n: number): Uint8Array;
+export declare function u64be(n: number): Uint8Array;
+export declare function chunkInfo(streamNonce: Uint8Array, chunkSize: number, chunkCount: number, index: number, isLast: boolean): Uint8Array;
+export declare function deriveChunkKeys(hkdf: HKDF_SHA256, masterKey: Uint8Array, streamNonce: Uint8Array, chunkSize: number, chunkCount: number, index: number, isLast: boolean): {
+    encKey: Uint8Array;
+    macKey: Uint8Array;
+};
+/**
+ * Encrypt one chunk. Returns ciphertext || hmac_tag (32 bytes).
+ * Does not generate keys -- caller provides encKey and macKey.
+ */
+export declare function sealChunk(ctr: SerpentCtr, hmac: HMAC_SHA256, encKey: Uint8Array, macKey: Uint8Array, chunk: Uint8Array): Uint8Array;
+/**
+ * Decrypt one chunk. Throws 'SerpentStream: authentication failed' on bad tag.
+ * Returns plaintext.
+ */
+export declare function openChunk(ctr: SerpentCtr, hmac: HMAC_SHA256, encKey: Uint8Array, macKey: Uint8Array, wire: Uint8Array): Uint8Array;
+export declare class SerpentStream {
+    private readonly _ctr;
+    private readonly _hmac;
+    private readonly _hkdf;
+    constructor();
+    seal(key: Uint8Array, plaintext: Uint8Array, chunkSize?: number, _nonce?: Uint8Array): Uint8Array;
+    open(key: Uint8Array, ciphertext: Uint8Array): Uint8Array;
+    dispose(): void;
+}