/**
 * Key Management and Derivation
 * High-performance Go-backed operations
 */
import { KeyDerivationOptions } from "../types";
export declare class Keys {
    /**
     * Derives a cryptographically strong key from an input secret.
     * Supports complex derivation paths including Argon2id, PBKDF2, and HKDF.
     *
     * @param input - The base secret or password to derive from.
     * @param options - Detailed configuration for the derivation process.
     * @returns A Promise resolving to the derived key (hex format for PBKDF2/HKDF, signed for others).
     */
    static deriveKey(input: string | Uint8Array, options?: KeyDerivationOptions): Promise<string>;
    /**
     * Generates a new RSA key pair in JSON format.
     * @returns A Promise resolving to an object containing publicKey and privateKey.
     */
    static generateRSAKeyPair(): Promise<{
        publicKey: string;
        privateKey: string;
    }>;
    /**
     * Signs data using RSA-PSS.
     * @param privateKey - The PEM-encoded RSA private key.
     * @param data - The data to sign.
     * @returns The signature in hex format.
     */
    static rsaSign(privateKey: string, data: string): Promise<string>;
    /**
     * Verifies an RSA-PSS signature.
     * @param publicKey - The PEM-encoded RSA public key.
     * @param data - The original data.
     * @param signature - The hex-encoded signature.
     * @returns True if the signature is valid.
     */
    static rsaVerify(publicKey: string, data: string, signature: string): Promise<boolean>;
    /**
     * Encrypts data using RSA-OAEP.
     * @param publicKey - The PEM-encoded RSA public key.
     * @param data - The data to encrypt.
     * @returns The encrypted data in hex format.
     */
    static rsaEncrypt(publicKey: string, data: string): Promise<string>;
    /**
     * Decrypts RSA-OAEP encrypted data.
     * @param privateKey - The PEM-encoded RSA private key.
     * @param encryptedHex - The hex-encoded encrypted data.
     * @returns The decrypted plaintext.
     */
    static rsaDecrypt(privateKey: string, encryptedHex: string): Promise<string>;
    /**
     * Verifies an Ed25519 signature.
     * @param publicKey - The public key (hex or Uint8Array).
     * @param data - The data that was signed (string or Uint8Array).
     * @param signature - The signature (base64 or Uint8Array).
     * @returns True if valid.
     */
    static ed25519Verify(publicKey: string | Uint8Array, data: string | Uint8Array, signature: string | Uint8Array): boolean;
    /**
     * Encrypts a large file using high-performance, hardware-accelerated chunking.
     *
     * @description
     * Processes files via a native encryption bridge using derived keys (PBKDF2).
     * Implements a staging strategy to ensure data integrity: ciphertext is
     * finalized with a 32-byte salt header before an atomic move to the target path.
     *
     * @param {string} inputPath - Absolute path to the source file.
     * @param {string} outputPath - Target destination for the encrypted data.
     * @param {string} key - Raw passphrase for cryptographic derivation.
     * @param {object} [options={}] - Encryption parameters.
     * @param {string} [options.algorithm="aes-256-gcm"] - Selection of the cipher suite.
     * @param {number} [options.keyDerivationIterations=100000] - Cost factor for PBKDF2.
     * @param {boolean} [options.quantumSafe=false] - If true, enforces Post-Quantum resistant ciphers.
     *
     * @throws {Error | SystemError} On bridge failure, I/O exhaustion, or permission issues.
     * @returns {Promise<void>}
     *
     * @example
     * await Cipher.crypto.encryptFile('./data.zip', './data.vault', 'secret-key');
     */
    static encryptFile(inputPath: string, outputPath: string, key: string, options?: any): Promise<void>;
    /**
     * Decrypts a large file using PBKDF2 key derivation and a secure bridge.
     *
     * @description
     * This method extracts a 32-byte salt from the input file header, derives a 256-bit key
     * (100,000 iterations), and performs decryption via temporary staging files to
     * ensure data integrity. The final output is moved atomically.
     *
     * @param {string} inputPath - Absolute path to the encrypted source file.
     * @param {string} outputPath - Destination path for the decrypted plaintext.
     * @param {string} key - The raw passphrase used for key derivation.
     *
     * @throws {Error} If the salt extraction fails or the decryption bridge returns an error.
     * @throws {SystemError} If disk space is insufficient for temp files or if file moves fail.
     *
     * @returns {Promise<void>} Resolves once the file is successfully decrypted and moved to `outputPath`.
     *
     * @example
     * await Cipher.crypto.decryptFile('./vault.enc', './vault.txt', 'super-secret-key');
     */
    static decryptFile(inputPath: string, outputPath: string, key: string): Promise<void>;
    /**
     * Moves a file atomically from src to dest.
     * Handles EXDEV errors for cross-partition moves.
     */
    private static moveFileAtomic;
}
/**
 * Generates a high-entropy 4096-bit RSA key pair.
 *
 * @returns A promise resolving to an object containing PEM-encoded publicKey and privateKey.
 */
export declare const generateRSAKeyPair: typeof Keys.generateRSAKeyPair;
/**
 * Signs data using RSA-PSS with SHA-256.
 *
 * @param privateKey - The PEM-encoded RSA private key.
 * @param data - The data string to sign.
 * @returns A promise resolving to the hex-encoded signature.
 */
export declare const rsaSign: typeof Keys.rsaSign;
/**
 * Verifies an RSA-PSS signature.
 *
 * @param publicKey - The PEM-encoded RSA public key.
 * @param data - The original data string that was signed.
 * @param signature - The hex-encoded signature to verify.
 * @returns A promise resolving to true if valid, false otherwise.
 */
export declare const rsaVerify: typeof Keys.rsaVerify;
/**
 * Encrypts data using RSA-OAEP with SHA-256.
 *
 * @param publicKey - The PEM-encoded RSA public key.
 * @param data - The plaintext data string to encrypt.
 * @returns A promise resolving to the hex-encoded ciphertext.
 */
export declare const rsaEncrypt: typeof Keys.rsaEncrypt;
/**
 * Decrypts data using RSA-OAEP with SHA-256.
 *
 * @param privateKey - The PEM-encoded RSA private key.
 * @param encryptedHex - The hex-encoded ciphertext to decrypt.
 * @returns A promise resolving to the decrypted plaintext string.
 */
export declare const rsaDecrypt: typeof Keys.rsaDecrypt;
/**
 * Verifies an Ed25519 signature.
 *
 * @param publicKey - Public key (hex or Uint8Array).
 * @param data - Original data.
 * @param signature - Signature (base64 or Uint8Array).
 * @returns True if valid.
 */
export declare const ed25519Verify: typeof Keys.ed25519Verify;
/**
 * Derives a cryptographically strong key from an input secret.
 * Supports multiple algorithms including Argon2id, PBKDF2, and HKDF.
 *
 * @param input - The base secret or password.
 * @param options - Configuration for the derivation process.
 * @returns A promise resolving to the derived key.
 */
export declare const deriveKey: typeof Keys.deriveKey;
//# sourceMappingURL=keys.d.ts.map