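/**
 * HPKE Service for Vaults
 *
 * Implements RFC 9180 HPKE for sealing ML-KEM public keys during key exchange.
 *
 * Uses:
 * - KEM: DHKEM(P-256, HKDF-SHA256)
 * - KDF: HKDF-SHA256
 * - AEAD: AES-256-GCM
 */

/**
 * HPKE encryption result.
 *
 * Both fields have to reach the recipient: `decrypt` takes the ciphertext and
 * the ephemeral public key as separate arguments.
 */
export interface HPKEEncryptResult {
  /**
   * Encrypted payload.
   * NOTE(review): presumably includes the AES-GCM authentication tag, since no
   * separate tag field is declared; confirm against the implementation.
   */
  ciphertext: Uint8Array;
  /**
   * Ephemeral public key.
   * NOTE(review): presumably the encapsulated key (`enc` in RFC 9180); the
   * wire encoding is not visible in this declaration.
   */
  ephemeralPublicKey: Uint8Array;
}

/**
 * HPKE decryption result
 */
export interface HPKEDecryptResult {
  /** Decrypted payload */
  plaintext: Uint8Array;
}

/**
 * HPKE seal/open operations plus the key-generation and digest helpers used
 * around them.
 *
 * NOTE(review): `encrypt` accepts only the recipient's public key, with no
 * sender key or pre-shared key. That has the shape of RFC 9180 base mode,
 * which gives confidentiality to the recipient but does not authenticate the
 * sender. If the implementation does use base mode, the sealed ML-KEM public
 * key must be authenticated by some other means (for example a signature or
 * an AAD bound to an authenticated transcript); confirm against the
 * implementation.
 */
export declare class HPKEService {
  /**
   * Get CipherSuite for HPKE operations
   */
  private getCipherSuite;

  /**
   * Encrypt payload with HPKE
   *
   * @param recipientPublicKey - Recipient's P-256 public key (raw bytes).
   *   NOTE(review): "raw" presumably means an uncompressed SEC1 point; the
   *   declaration does not say, and whether the point is validated is not
   *   visible here.
   * @param plaintext - Payload to encrypt
   * @param aad - Additional authenticated data (optional). It is authenticated
   *   but not encrypted, and the same bytes must be given to `decrypt`.
   * @returns Encryption result with ciphertext and ephemeral key
   */
  encrypt(
    recipientPublicKey: Uint8Array,
    plaintext: Uint8Array,
    aad?: Uint8Array
  ): Promise<HPKEEncryptResult>;

  /**
   * Decrypt payload with HPKE
   *
   * NOTE(review): how a failed decryption (wrong key, modified ciphertext,
   * mismatched AAD) is reported is not visible in this declaration; callers
   * should treat any failure as fatal for the exchange and never use partial
   * output.
   *
   * @param recipientPrivateKey - Recipient's P-256 private key (raw bytes)
   * @param ciphertext - Encrypted payload
   * @param ephemeralPublicKey - Ephemeral public key from encryption
   * @param aad - Additional authenticated data (must match encryption)
   * @returns Decryption result with plaintext
   */
  decrypt(
    recipientPrivateKey: Uint8Array,
    ciphertext: Uint8Array,
    ephemeralPublicKey: Uint8Array,
    aad?: Uint8Array
  ): Promise<HPKEDecryptResult>;

  /**
   * Generate key pair for HPKE (P-256)
   *
   * The private key is returned to the caller as plain bytes, so the caller
   * is responsible for its storage and lifetime; keep it out of logs and
   * error messages.
   *
   * @returns Object with public and private keys
   */
  generateKeyPair(): Promise<{
    publicKey: Uint8Array;
    privateKey: Uint8Array;
  }>;

  /**
   * Compute digest for AAD binding
   *
   * Unlike the other methods this one returns its result synchronously.
   *
   * @param data - Data to hash
   * @returns SHA-256 hash
   */
  computeDigest(data: Uint8Array): Uint8Array;
}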