import { AesGcmKey } from './keys.js';
export interface EncryptInput {
    key: AesGcmKey;
    plaintext: Uint8Array;
    /** Additional Authenticated Data (not encrypted, but bound to the tag). */
    aad?: Uint8Array;
    /** Optional explicit IV (12 bytes). Generated randomly when omitted. */
    iv?: Uint8Array;
}
export interface EncryptOutput {
    ciphertext: Uint8Array;
    iv: Uint8Array;
    /** 16-byte GCM authentication tag. Stored separately for clarity. */
    tag: Uint8Array;
}
/**
 * AES-256-GCM encrypt. Output `ciphertext` is the raw encrypted payload (no
 * tag suffix); the `tag` is returned separately.
 */
export declare function encryptAesGcm(input: EncryptInput): Promise<EncryptOutput>;
export interface DecryptInput {
    key: AesGcmKey;
    ciphertext: Uint8Array;
    iv: Uint8Array;
    tag: Uint8Array;
    aad?: Uint8Array;
}
/** AES-256-GCM decrypt. Throws `CryptoError(decrypt-failed)` on tag mismatch. */
export declare function decryptAesGcm(input: DecryptInput): Promise<Uint8Array>;
//# sourceMappingURL=aead.d.ts.map