U2      !" # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[ \ ]!^!_!`"a"b"c"d"e"f"g"h"i#j#k#l#m#n#o#p#q#r#s#t#u#v#w#x$y$z${%|%}%~&&&&&&&&&''''''''''''(((((((((()))))))))))))))))))))))))))))))))))))))))))))))))))))*****+,----...................../////////000]1 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknown Safe-Inferred2 BSD-style#Vincent Hanquez <vincent@snarc.org>stableCompatNone;$byteswap Word# to or from Big Endian0on a big endian machine, this function is a nop.'byteswap Word# to or from Little Endian3on a little endian machine, this function is a nop.VSimple compatibility for byteswap the lower 32 bits of a Word# at the primitive level<combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]pSimple wrapper to handle pre 7.8 and future, where most comparaison functions don't returns a boolean anymore.3 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGood Safe-InferredRA handle to an entropy maker, either a system capability or a hardware generator.%try to open an handle for this sourcebtry to gather a number of entropy bytes into a buffer. return the number of actual bytes gatheredClose an open handle4 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGood Safe-Inferred 3fake handle to Intel RDRand entropy cpu instruction           5 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGood Safe-InferredMEntropy device devurandom on unix system Entropy device devrandom on unix system  6 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknown Safe-InferredSplit a  into the highest and lowest  Reconstruct a  from two  !"  7 BSD-style#Vincent Hanquez <vincent@snarc.org>stablegood Safe-Inferred:MAny Entropy BackendAll supported backends #Open a backend handle%Gather randomness from an open handle$#An open Entropy BackendPointer to a buffer to write tonumber of bytes to write+return the number of bytes actually written$# BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGood Safe-InferredRefill the entropy in a bufferGcall each entropy backend in turn until the buffer has been replenish.YIf the buffer cannot be refill after 3 loopings, this will raise an User Error exception8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGood Safe-Inferred%This is a strict version of and&This is a strict version of &&.%&%&%&9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone; 'GMP Supported / Unsupported(DSimple combinator in case the operation is not supported through GMP)-Compute the GCDE of a two integer through GMP*6Compute the binary logarithm of an integer through GMP+XCompute the power modulus using extra security to remain constant time wise through GMP,%Compute the power modulus through GMP-'Inverse modulus of a number through GMP.4Get the next prime from a specific value through GMP/,Test if a number is prime using Miller Rabin0%Return the size in bytes of a integer1Export an integer to a memory2Import an integer from a memory'34()*+,-./0512'34()*+,-./0512 '43()*+,-./0512 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNonesqrti returns two integer (l,b) so that l <= sqrt i <= b the implementation is quite naive, use an approximation for the first number and use a dichotomy algorithm to compute the bound relatively efficiently.8get the extended GCD of two integer using integer divModgcde a b& find (x,y,gcd(a,b)) where ax + by = d'check if a list of integer are all even)Compute the binary logarithm of a integer)Compute the number of bits for an integer *Compute the number of bytes for an integer     BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone+6@Raised when two numbers are supposed to be coprimes but are not. zCompute the modular exponentiation of base^exponant using algorithms design to avoid side channels and timing measurementPModulo need to be odd otherwise the normal fast modular exponentiation is used.When used with integer-simple, this function is not different from expFast, and thus provide the same unstudied and dubious timing and side channels claims.with GHC 7.10, the powModSecInteger is missing from integer-gmp (which is now integer-gmp2), so is has the same security as old ghc version. Compute the modular exponentiation of base^exponant using the fastest algorithm without any consideration for hiding parameters.AUse this function when all the parameters are public, otherwise   should be prefered.7Wexponentiation computes modular exponentiation as b^e mod m using repetitive squaring. 7inverse computes the modular inverse as in g^(-1) mod m |Compute the modular inverse of 2 coprime numbers. This is equivalent to inverse except that the result is known to exists.^if the numbers are not defined as coprime, this function will raise a CoprimesAssertionError.68 baseexponantmoduloresult baseexponantmoduloresult7 9  68 7 9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneFfill a pointer with the big endian binary representation of an integerif the room available @ptrSz is less than the number of bytes needed, 0 is returned. Likewise if a parameter is invalid, 0 is returned.#returns the number of bytes written Similar to 3, except it will pad any remaining space with zero.etransform a big endian binary integer representation pointed by a pointer and a size into an integer::: BSD-style Safe-Inferred24;a DES block (64 bits)<Basic DES encryption which takes a key and a block of plaintext and returns the encrypted block of ciphertext according to the standard.=Basic DES decryption which takes a key and a block of ciphertext and returns the decrypted block of plaintext according to the standard.'>?@ABCDE;FGHIJKLMNOPQRSTUVWXYZ[\]^_`a<=;FG<=%>?@ABCDE;FGHIJKLMNOPQRSTUVWXYZ[\]^_`a<=; BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNonebperform io for hashes that do allocation and ffi. unsafeDupablePerformIO is used when possible as the computation is pure and the output is directly linked to the input. we also do not modify anything after it has been returned to the user.bcdbb< BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNone;eArray of mutable Word32fArray of Word64gArray of Word32hArray of Word8i*Create an array of Word8 aliasing an Addr#j@Create an Array of Word32 of specific size from a list of Word32k@Create an Array of Word64 of specific size from a list of Word64lGCreate a Mutable Array of Word32 of specific size from a list of Word32m4Create a Mutable Array of BE Word32 aliasing an AddrnAfreeze a Mutable Array of Word32 into a immutable Array of Word32oRead a Word8 from an ArraypRead a Word32 from an ArrayqRead a Word64 from an Arrayr,Read a Word32 from a Mutable Array of Word32s-Write a Word32 from a Mutable Array of Word32tdWrite into the Mutable Array of Word32 by combining through xor the current value and the new value. x[i] = x[i] xor valueeufvgwhxijklmnopqrstefghijklmnopqrsteufvgwhxijklmnopqrst= BSD-style experimentalGoodNone;yLCreate a key schedule mutable array of the pbox followed by all the sboxes.yyy> BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNone0z{|}~ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB Poly1305 AuthPoly1305 Contextinitialize a Poly1305 context"update a context with a bytestring+updates a context with multiples bytestring-finalize the context into a digest bytestringOne-pass authorization creation   BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone4os2ip converts a byte string into a positive integer4i2osp converts a positive integer into a byte stringXfirst byte is MSB (most significant byte), last byte is the LSB (least significant byte)[just like i2osp, but take an extra parameter for size. if the number is too big to fit in Qlen bytes, nothing is returned otherwise the number is padded with 0 to fit the  len required.|just like i2ospOf except that it doesn't expect a failure: i.e. an integer larger than the number of output bytes requestedhfor example if you just took a modulo of the number that represent the size (example the RSA modulo n). BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone2Get some entropy from the system source of entropy BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNonefPool of Entropy. contains a self mutating pool of entropy, that is always guarantee to contains data.,Create a new entropy pool of a specific sizeeWhile you can create as many entropy pool as you want, the pool can be shared between multiples RNGs. .Create a new entropy pool with a default size.eWhile you can create as many entropy pool as you want, the pool can be shared between multiples RNGs.-Put a chunk of the entropy pool into a buffer!.Grab a chunk of entropy from the entropy pool. ! ! ! !? BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone=Chunk some input byte array into @sz byte list of byte array.@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknown Safe-Inferred,c  BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneB"<ChaCha context for DRG purpose (see Crypto.Random.ChaChaDRG)#ChaCha context$]Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.%Initialize simple ChaCha State&qCombine the chacha output and an arbitrary message with a xor, and return the combined output and the new state.':Generate a number of bytes from the ChaCha output directly( similar to ' but assume certains values"#$number of rounds (8,12,20)the key (128 or 256 bits)the nonce (64 or 96 bits)the initial ChaCha state%a 40 bytes long seed&the current ChaCha state$the source to xor with the generator'the current ChaCha statethe length of data to generate("#$%&'($&'#%(" "#$%&'(  BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNoneB)The encryption state for RC4%C Call for initializing the encryptor*RC4 context initialization.gseed the context with an initial key. the key size need to be adequate otherwise security takes a hit.+Pgenerate the next len bytes of the rc4 stream without combining it to anything.,3RC4 xor combination of the rc4 stream with an input)Pointer to the permutationPointer to the clear textLength of the clear text Output buffer The rc4 keyThe key length The context*The key%The RC4 context with the key mixed in+, rc4 contextinputnew rc4 context, and the output)*+,*,+))*+,  BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneB- Salsa context.\Initialize a new Salsa context with the number of rounds, the key and the nonce associated./pCombine the salsa output and an arbitrary message with a xor, and return the combined output and the new state.09Generate a number of bytes from the Salsa output directly-.number of rounds (8,12,20)the key (128 or 256 bits)the nonce (64 or 96 bits)the initial Salsa state/the current Salsa state$the source to xor with the generator0the current Salsa statethe length of data to generate-./0./0--./0  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone1OA simple Monad class very similar to a State Monad with the state being a DRG.2,A Deterministic Random Generator (DRG) class3)Generate N bytes of randomness from a DRG47A monad constraint that allows to generate random bytes6ERun a pure computation with a Deterministic Random Generator in the 1 123456123456451236 123456A BSD-style#Vincent Hanquez <vincent@snarc.org>stableGood Safe-Inferred+7BA simple Either like type to represent a computation that can fail2 possibles values are:9H : The computation succeeded, and contains the result of the computation8J : The computation failed, and contains the cryptographic error associated:DEnumeration of all possible errors that can be found in this libraryA^Throw an CryptoError as exception on CryptoFailed result, otherwise return the computed valueBSame as A$ but throw the error asynchronously.CSimple ( like combinator for CryptoFailable typeD'Transform a CryptoFailable to an EitherE%Transform a CryptoFailable to a Maybe789:;<=>?@ABCDE789:;<=>?@ABCDE 798:@?>=<;ABCDE BSD-style"Danny Navarro <j@dannynavarro.net> experimentalGoodNoneF+Binary Polynomial represented by an integerG.Addition over F m. This is just a synonym of .HABinary polynomial reduction modulo using long division algorithm.IMultiplication over F m.n1 * n2 (in F(2^m))J4Squaring over F m. TODO: This is still slower than mulF2m.K<Inversion of @n over F m using extended Euclidean algorithm.3If @n doesn't have an inverse, Nothing is returned.LGDivision over F m. If the dividend doesn't have an inverse it returns .Compute n1 / n2FGHIrreducible binary polynomialIIrreducible binary polynomialJIrreducible binary polynomialKIrreducible binary polynomialLIrreducible binary polynomialDividendQuotientFGHIJKLFGIJHKLFGHIJKL BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneM(Top bits policy when generating a numberNset the two highest bitOset the highest bitPUGenerate a number for a specific size of bits, and optionaly set bottom and top bitsIf the top bit policy is T, then nothing is done on the highest bit (it's whatever the random generator set).If @generateOdd is set to `, then the number generated is guaranteed to be odd. Otherwise it will be whatever is generatedQ2Generate a positive integer x, s.t. 0 <= x < rangeR9generate a number between the inclusive bound [low,high].MNOPnumber of bitstop bit policyforce the number to be oddQrangeRMNOPQRMONPQRMONPQRB BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB S.Represent a digest for a given hash algorithm.T/Represent a context for a given hash algorithm.U&Class representing hashing algorithms.The interface presented here is update in place and lowlevel. the Hash module takes care of hidding the mutable interface properly.V&Get the block size of a hash algorithmW'Get the digest size of a hash algorithmX5Get the size of the context used for a hash algorithmYEInitialize a context pointer to the initial state of a hash algorithmZ%Update the context with some raw data[EFinalize the context and set the digest raw memory to the right value STUVWXYZ[ STUVWXYZ[STUVWXYZ[ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB\A Mutable hash context]"Create a new mutable hash context.Jthe algorithm used is automatically determined from the return constraint.^"Create a new mutable hash context.0The algorithm is explicitely passed as parameter_&Update a mutable hash context in place`4Finalize a mutable hash context and compute a digesta:Reset the mutable context to the initial state of the hash\]^_`a UVWXYZ[\]^_`a UVWXYZ[\]^_`a\]^_`aC BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneb MD2 cryptographic hash algorithmbcbcbcD BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoned MD4 cryptographic hash algorithmdededeE BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonef MD5 cryptographic hash algorithmfg fgfg F BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneh!SHA1 cryptographic hash algorithmhi    hihi    G BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonej#SHA224 cryptographic hash algorithmjkjkjkH BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonel#SHA256 cryptographic hash algorithmlmlmlmI BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonen#SHA384 cryptographic hash algorithmnononoJ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonep#SHA512 cryptographic hash algorithmpqpqpqK BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoner/SHA512t (256 bits) cryptographic hash algorithmt/SHA512t (224 bits) cryptographic hash algorithm rstu !"rsturstu !"L BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonev,SHA3 (512 bits) cryptographic hash algorithmx,SHA3 (384 bits) cryptographic hash algorithmz,SHA3 (256 bits) cryptographic hash algorithm|,SHA3 (224 bits) cryptographic hash algorithmvwxyz{|}#$%&'()vwxyz{|} vwxyz{|}#$%&'()M BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone~.Kekkak (512 bits) cryptographic hash algorithm.Kekkak (384 bits) cryptographic hash algorithm.Kekkak (256 bits) cryptographic hash algorithm.Kekkak (224 bits) cryptographic hash algorithm~*+,-./0~ ~*+,-./0N BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone&RIPEMD160 cryptographic hash algorithm12341234O BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone"Tiger cryptographic hash algorithm56785678P BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone0Skein256 (256 bits) cryptographic hash algorithm0Skein256 (224 bits) cryptographic hash algorithm 9:;<=9:;<=Q BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone0Skein512 (512 bits) cryptographic hash algorithm0Skein512 (384 bits) cryptographic hash algorithm0Skein512 (256 bits) cryptographic hash algorithm0Skein512 (224 bits) cryptographic hash algorithm>?@ABCD >?@ABCDR BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone&Whirlpool cryptographic hash algorithmEFGHEFGH BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone7Ubcdefghijklmnopqrstuvwxyz{|}~7Ubcdefghijklmnopqturs~|}z{xyvw BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone 'Hash a strict bytestring into a digest.%Hash a lazy bytestring into a digest.0Initialize a new context for this hash algorithmHrun hashUpdates on one single bytestring and return the updated context.`Update the context with a list of strict bytestring, and return a new context with the updates.'Finalize a context and return a digest.7Initialize a new context for a specified hash algorithmRun the 8 function but takes an explicit hash algorithm parameterATry to transform a bytearray into a Digest of specific algorithm.[If the digest is not the right size for the algorithm specified, then Nothing is returned. DSTUVWbcdefghijklmnopqrstuvwxyz{|}~ TS  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneMMSplit data to diffused data, using a random generator and an hash algorithm.the diffused data will consist of random data for (expandTimes-1) then the last block will be xor of the accumulated random data diffused by the hash algorithm. ---------orig - ---------#--------- ---------- --------------"rand1 - - rand2 - - orig ^ acc -#--------- ---------- --------------9where acc is : acc(n+1) = hash (n ++ rand(n)) ^ acc(n)9Merge previously diffused data back to the original data.I%inplace Xor with an input dst = src  dst!Hash algorithm to use as diffuserRandom generator to use$Number of times to diffuse the data.original data to diffuse.The diffused dataHash algorithm used as diffuser&Number of times to un-diffuse the data Diffused data Original dataIJ Hash function to use as diffuser"buffer to diffuse, modify in placelength of buffer to diffuseIJ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB;Represent an ongoing HMAC state, that can be appended with  and finalize to an HMAC with  hmacFinalizeORepresent an HMAC that is a phantom type with the hash used to produce the mac.!The Eq instance is constant time.1compute a MAC using the supplied hashing function)Initialize a new incremental HMAC context#Incrementally update a HMAC context9Increamentally update a HMAC context with multiple inputs,Finalize a HMAC context and return the HMAC.  Secret keyMessage to MAC Secret keyCurrent HMAC contextMessage to append to the MACUpdated HMAC contextCurrent HMAC contextMessages to append to the MACUpdated HMAC contextK K BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneParameters for PBKDF2Nthe number of user-defined iterations for the algorithms. e.g. WPA2 uses 4000.-the number of bytes to generate out of PBKDF2The PRF used for PBKDF2>PRF for PBKDF2 using HMAC with the hash algorithm as parameter;generate the pbkdf2 key derivation function from the outputthe password parameters the contentprf(password,content) BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneParameters for ScryptLCpu/Memory cost ratio. must be a power of 2 greater than 1. also known as N.Must satisfy r * p < 2^30Must satisfy r * p < 2^30-the number of bytes to generate out of Scrypt'Generate the scrypt key derivation dataLL BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone 3A hash methods to generate a ASN.1 structure digest;Run the digest function on some input and get the raw bytes"Describe the MD2 hashing algorithm"Describe the MD5 hashing algorithm#Describe the SHA1 hashing algorithm%Describe the SHA224 hashing algorithm%Describe the SHA256 hashing algorithm%Describe the SHA384 hashing algorithm%Describe the SHA512 hashing algorithm(Describe the RIPEMD160 hashing algorithm MNOhash algorithm to useZthe raw DER encoded ASN1 description of hash algorithm followed by the digest to be filled MNO BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone%Represent a mask generation algorithmMask generation algorithm MGF1seedlength to generate BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone;BMA Curve25519 Diffie Hellman secret related to a public key and a secret key.A Curve25519 public keyA Curve25519 Secret key*Try to build a public key from a bytearray*Try to build a secret key from a bytearray)Create a DhSecret from a bytearray objectDCompute the Diffie Hellman secret from a public key and a secret key%Create a public key from a secret key PQRSpublicsecret basepoint PQRS BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone+Represent a DSA key pairRepresent a DSA private key.VOnly x need to be secret. the DSA parameters are publicly shared with the other side.DSA parameters DSA private XRepresent a DSA public key.DSA parameters DSA public Y)Represent a DSA signature namely R and S.DSA rDSA s,Represent DSA parameters namely P, G, and Q.DSA pDSA gDSA q7DSA Private Number, usually embedded in DSA Private Key5DSA Public Number, usually embedded in DSA Public KeyPublic key of a DSA Key pairPrivate key of a DSA Key pairagenerate a private number with no specific property this number is usually called X in DSA text.CCalculate the public number from the parameters and the private key<sign message using the private key and an explicit k number.#sign message using the private key.)verify a bytestring using the public key.!k random number private key hash functionmessage to signTUVWXTUVWX BSD-style#Vincent Hanquez <vincent@snarc.org> Experimental Excellent Safe-Inferred+*Define names for known recommended curves. PDefine common parameters in a curve definition of the form: y^2 = x^3 + ax + b.curve parameter acurve parameter b base point order of GcofactorIDefine an elliptic curve in =p. The first parameter is the Prime Number.zDefine an elliptic curve in =(2^m). The firt parameter is the Integer representatioin of the irreducible polynomial f(x).Define a point on a curve.Point at InfinityECC Private NumberECC Public Point.Define either a binary curve or a prime curve.=p=(2^m) 5Parameters in common between binary and prime curves.!HIrreducible polynomial representing the characteristic of a CurveBinary."=Prime number representing the characteristic of a CurvePrime.#HGet the curve definition associated with a recommended known curve name.;      !"#YZ9      !"#9 !"     #!      !"#YZNone$Elliptic Curve point addition.WARNING: Vulnerable to timing attacks.%Elliptic Curve point doubling.WARNING: Vulnerable to timing attacks.This perform the following calculation: > lambda = (3 * xp ^ 2 + a) / 2 yp > xr = lambda ^ 2 - 2 xp > yr = lambda (xp - xr) - ypWith binary curve: > xp == 0 => P = O > otherwise => > s = xp + (yp / xp) > xr = s ^ 2 + s + a > yr = xp ^ 2 + (s+1) * xr&?Elliptic curve point multiplication (double and add algorithm).WARNING: Vulnerable to timing attacks.'*Check if a point is the point at infinity.(%check if a point is on specific curveThis perform three checks:x is not out of rangey is not out of range the equation y^2 = x^3 + a*x + b (mod p) holds[ div and mod$%&'([$%&'($%&'($%&'([None+ )ECDSA Key Pair.+ECDSA Public Key./ECDSA Private Key.3+Represent a ECDSA signature namely R and S.5ECDSA r6ECDSA s7Public key of a ECDSA Key pair.8 Private key of a ECDSA Key pair.9<Sign message using the private key and an explicit k number.WARNING: Vulnerable to timing attacks.:#Sign message using the private key.WARNING: Vulnerable to timing attacks.;)Verify a bytestring using the public key.\Truncate and hash.)*+,-./0123456789k random number private key hash functionmessage to sign:;\)*+,-./0123456789:;3456+,-./012)*789:; )*+,-./0123456789:;\None<Generate Q given d.WARNING: Vulnerable to timing attacks.=)Generate a pair of (private, public) key.WARNING: Vulnerable to timing attacks.<=Elliptic Curve<=<=<= BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone+B>Represent RSA KeyPairRnote the RSA private key contains already an instance of public key for efficiency@Represent a RSA private key.-Only the pub, d fields are mandatory to fill.p, q, dP, dQ, qinv are by-product during RSA generation, but are useful to record here to speed up massively the decrypt and sign operation./implementations can leave optional fields to 0.B,public part of a private key (size, n and e)Cprivate exponant dDp prime numberEq prime numberF d mod (p-1)G d mod (q-1)H q^(-1) mod pIRepresent a RSA public keyKsize of key in bytesL public p*qMpublic exponant eN8error possible during encryption, decryption or signing.O-some parameters lead to breaking assumptions.P the message's digest is too longQDthe message decrypted doesn't have a PKCS15 structure (0 2 .. 0 msg)R"the message to encrypt is too longSNthe message to decrypt is not of the correct size (need to be == private_size)TlBlinder which is used to obfuscate the timing of the decryption primitive (used by decryption and signing).V(get the size in bytes from a private keyWget n from a private keyXget e from a private keyYPublic key of a RSA KeyPairZPrivate key of a RSA KeyPair>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ]^>?@ABCDEFGHIJKLMNOPQRSTUVWXYZNSRQPOTUIJKLM@ABCDEFGH>?YZVWX >?@ABCDEFGHIJKLMNSRQPOTUVWXYZ]^  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone[Compute the RSA decrypt primitive. if the p and q numbers are available, then dpFast is used otherwise, we use dpSlow which only need d and n.\!Compute the RSA encrypt primitive_Kmultiply 2 integers in Zm only performing the modulo operation if necessary`ab[\_[\[\`ab[\_S BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneB]%ChaCha Deterministic Random Generatorc]Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.dInitialize a new ChaCha context from 5-tuple of words64. This interface is useful when creating a RNG out of tests generators (e.g. QuickCheck).]ec40 bytes of seedthe initial ChaCha statedfg]cd]ecdfg! BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNone^$Create a new DRG from system entropy_Create a new DRG from 5 Word64._This is a convenient interface to create deterministic interface for quickcheck style testing._It can also be used in other contexts provided the input has been properly randomly generated.^_ 123456]^_ ]^_623451^_T BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNonehThis create a random number generator out of thin air with the system entropy; don't generally use as the IO is not exposed this can have unexpected random for.This is useful for probabilistic algorithm like Miller Rabin probably prime algorithm, given appropriate choice of the heuristic0Generally, it's advise not to use this function.hhh" BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone `returns if the number is probably prime. first a list of small primes are implicitely tested for divisibility, then a fermat primality test is used with arbitrary numbers and then the Miller Rabin algorithm is used with an accuracy of 30 recursionsa/generate a prime number of the required bitsizeb|generate a prime number of the form 2p+1 where p is also prime. it is also knowed as a Sophie Germaine prime or safe prime.The number of safe prime is significantly smaller to the number of prime, as such it shouldn't be used if this number is supposed to be kept safe.c;find a prime from a starting point where the property hold.d=find a prime from a starting point with no specific property.eMiller Rabin algorithm return if the number is probably prime or composite. the tries parameter is the number of recursion, that determines the accuracy of the test.fProbabilitic Test using Fermat primility test. Beware of Carmichael numbers that are Fermat liars, i.e. this test is useless for them. always combines with some other test.geTest naively is integer is prime. while naive, we skip even number and stop iteration at i > sqrt(n)h-Test is two integer are coprime to each otheri$list of the first primes till 2903.. `abcdef%number of iterations of the algorithm starting anumber to test for primalityghij `abcdefgh ab`dcegfh `abcdefghij# BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone+B i'Represent Diffie Hellman shared secret.k*Represent Diffie Hellman private number X.m)Represent Diffie Hellman public number Y.oHRepresent Diffie Hellman parameters namely P (prime), and G (generator).sgenerate params from a specific generator (2 or 5 are common values) we generate a safe prime (a prime number of the form 2p+1 where p is also prime)t`generate a private number with no specific property this number is usually called X in DH text.upcalculate the public number from the parameters and the private key this number is usually called Y in DH text.vpcalculate the public number from the parameters and the private key this number is usually called Y in DH text.DEPRECATED use calculatePublicwPgenerate a shared key using our private number and the other party public numberijklmnopqrstuvwijklmnopqrstuvwopqrmnklijstuvw ijklmnopqrstuvw$ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonexGenerating a private number d.yGenerating a public point Q.zUGenerating a shared key using our private number and the other party public point.xyzijxyzijxyzxyz% BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone{"Generate a key pair given p and q.*p and q need to be distinct prime numbers.e need to be coprime to phi=(p-1)*(q-1). If that's not the case, the function will not return a key pair. A small hamming weight results in better performance.e=0x10001 is a popular choiceFe=3 is popular as well, but proven to not be as secure for some cases.|:generate a pair of (private, public) key of size in bytes.}?Generate a blinder to use with decryption and signing operationWthe unique parameter apart from the random number generator is the public key value N.{chosen distinct primes p and q size in bytesRSA public exponant e| size in bytesRSA public exponant e}RSA public N parameter.@ABCDEFGHIJKLMNOPQRSTU{|}NSRQPOIJKLM@ABCDEFGHTU{|}{|}& BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone ~6This produce a standard PKCS1.5 padding for encryption0Produce a standard PKCS1.5 padding for signature4Try to remove a standard PKCS1.5 encryption padding.&decrypt message using the private key.When the decryption is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None.2If unsure always set a blinder or use decryptSaferPdecrypt message using the private key and by automatically generating a blinder.Fencrypt a bytestring using the public key and a CPRG random generator.5the message need to be smaller than the key size - 11?sign message using private key, a hash and its ASN1 descriptionWhen the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None./If unsure always set a blinder or use signSaferMsign message using the private key and by automatically generating a blinder.&verify message with the signed messagekmake signature digest, used in  and  ~optional blinderRSA private key cipher textRSA private key cipher textoptional blinderhash descriptor private keymessage to signHash descriptor private keymessage to signk ~ ~ ~k' BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone *Parameters for PSS signature/verification.Hash function to useMask Gen algorithm to use&Length of salt. need to be <= to hLen.Trailer field, usually 0xbc-Default Params with a specified hash function$Default Params using SHA1 algorithm.LSign using the PSS parameters and the salt explicitely passed as parameters.6the function ignore SaltLength from the PSS ParametersSign using the PSS ParametersESign using the PSS Parameters and an automatically generated blinder.+Verify a signature using the PSS Parameters  Salt to useoptional blinder to usePSS Parameters to useRSA Private KeyMessage to signoptional blinder to usePSS Parameters to useRSA Private KeyMessage to signPSS Parameters to use private keymessage to sign\PSS Parameters to use to verify, this need to be identical to the parameters when signingRSA Public KeyMessage to verify Signaturel  l( BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone )Parameters for OAEP encryption/decryptionHash function to use.Mask Gen algorithm to use.$Optional label prepended to message.-Default Params with a specified hash function4Encrypt a message using OAEP with a predefined seed.Encrypt a message using OAEPmun-pad a OAEP encoded message.-It doesn't apply the RSA decryption primitiveDecrypt a ciphertext using OAEPWhen the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None.2If unsure always set a blinder or use decryptSaferJDecrypt a ciphertext using OAEP and by automatically generating a blinder. Seed!OAEP params to use for encryption Public key.Message to encrypt"OAEP params to use for encryption. Public key.Message to encryptmOAEP params to usesize of the key in bytesencoded message (not encrypted)Optional blinder!OAEP params to use for decryption Private key Cipher text!OAEP params to use for decryption Private key Cipher text  mU BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNonen)Compute the gfmul with the XTS polynomialblock size need to be 128 bits."FIXME: add support for big endian.nnnV BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneB o1ElGamal Ephemeral key. also called Temporary key.pElGamal Signatureqgenerate a private number with no specific property this number is usually called a and need to be between 0 and q (order of the group G).r~generate an ephemeral key which is a number with no specific property, and need to be between 0 and q (order of the group G).scgenerate a public number that is for the other party benefits. this number is usually called h=g^atCencrypt with a specified ephemeral key do not reuse ephemeral key.uZencrypt a message using params and public keys will generate b (called the ephemeral key)vdecrypt messagew(sign a message with an explicit k number7if k is not appropriate, then no signature is returned.with some appropriate value of k, the signature generation can fail, and no signature is returned. User of this function need to retry with a different k value.x sign messageThis function will generate a random number, however as the signature might fail, the function will automatically retry until a proper signature has been created.yverify a signature ozp{qrstuvw3random number k, between 0 and p-1 and gcd(k,p-1)=1DH params (p,g)DH private key"collision resistant hash algorithmmessage to signxDH params (p,g)DH private key"collision resistant hash algorithmmessage to signyikmoozpqstuvwxy ozp{qrstuvwxy  BSD-style#Vincent Hanquez <vincent@snarc.org>Stable Excellent Safe-Inferred789:;<=>?@ABCDE:@?>=<;798ABCDEW BSD-style experimentalGoodNone|variable keyed blowfish state}Encrypt blocks&Input need to be a multiple of 8 bytes~Decrypt blocks&Input need to be a multiple of 8 bytes-Initialize a new Blowfish context from a key.%key need to be between 0 to 448 bits. |}~|}~ |}~X BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone;Camellia contextInitialize a 128-bit key`Return the initialized key or a error message if the given keyseed was not 16-bytes in length.1Encrypts the given ByteString using the given Key1Decrypts the given ByteString using the given Key%&The key to create the camellia contextThe key to useThe data to encryptThe key to useThe data to decryptY BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone:BM Symmetric cipher class.&Initialize a cipher context from a key Cipher nameYreturn the size of the key required for this cipher. Some cipher accept any size for key AEAD Mode'Authentification Tag for AE cipher mode7Offset inside an XTS data unit, measured in block size.)Different specifier for key size in bytesa specific sizeone of the specified valuesin the range [min,max]Z BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone:HM8Authenticated Encryption with Associated Data algorithmsAEAD Implementation1Append some header information to an AEAD context-Encrypt some data and update the AEAD context-Decrypt some data and update the AEAD context;Finalize the AEAD context and return the authentication tagSimple AEAD encryptionSimple AEAD decryptionA new AEAD ContextOptional Authentified HeaderOptional Plaintext Tag length#Authentification tag and ciphertextA new AEAD ContextOptional Authentified HeaderOptional Plaintext Tag length Plaintext[ BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone 6:HM0class of block cipher with a 128 bits block sizeencrypt using the XTS mode.ainput need to be a multiple of the blocksize, and the cipher need to process 128 bits block onlydecrypt using the XTS mode.ainput need to be a multiple of the blocksize, and the cipher need to process 128 bits block onlySymmetric block cipher class7Return the size of block required for this block cipherEncrypt blocks6the input string need to be multiple of the block sizeDecrypt blocks6the input string need to be multiple of the block sizeencrypt using the CBC mode.,input need to be a multiple of the blocksizedecrypt using the CBC mode.,input need to be a multiple of the blocksizeencrypt using the CFB mode.,input need to be a multiple of the blocksizedecrypt using the CFB mode.,input need to be a multiple of the blocksizecombine using the CTR mode.hCTR mode produce a stream of randomized data that is combined (by XOR operation) with the input stream.1encryption and decryption are the same operation.input can be of any sizeInitialize a new AEAD State:When Nothing is returns, it means the mode is not handled. XTS callback an IV parametrized by the cipher)Create an IV for a specified block cipher:Create an IV that is effectively representing the number 0Increment an IV by a number.&Assume the IV is in Big Endian format.2Usually represent the Data Unit (e.g. disk sector)+Offset in the data unit in number of blocks Plaintext Ciphertext2Usually represent the Data Unit (e.g. disk sector)+Offset in the data unit in number of blocks Ciphertext Plaintext2Usually represent the Data Unit (e.g. disk sector)+Offset in the data unit in number of blocksDataProcessed Data! \ BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNoneSymmetric stream cipher classCombine using the stream cipher) BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone+55] BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNone B AESOCB State AESGCM StateAES Context (pre-processed key))Create an AES AEAD implementation for GCM)Create an AES AEAD implementation for OCB#Initialize a new context with a key[Key need to be of length 16, 24 or 32 bytes. any other values will cause undefined behavior(encrypt using Electronic Code Book (ECB))encrypt using Cipher Block Chaining (CBC)vgenerate a counter mode pad. this is generally xor-ed to an input to make the standard counter mode block operations.if the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytestring is a multiple of the block cipher size.vgenerate a counter mode pad. this is generally xor-ed to an input to make the standard counter mode block operations.if the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytestring is a multiple of the block cipher size. Similiar to - but also return the next IV for continuation encrypt using Counter mode (CTR)<in CTR mode encryption and decryption is the same operation._encrypt using Galois counter mode (GCM) return the encrypted bytestring and the tag associatedVnote: encrypted data is identical to CTR mode in GCM, however a tag is also computed.Lencrypt using OCB v3 return the encrypted bytestring and the tag associatedencrypt using XTSdthe first key is the normal block encryption key the second key is used for the initial block tweak(decrypt using Electronic Code Book (ECB))decrypt using Cipher block chaining (CBC)!decrypt using Counter mode (CTR).<in CTR mode encryption and decryption is the same operation.decrypt using XTS'decrypt using Galois Counter Mode (GCM)(decrypt using Offset Codebook Mode (OCB)initialize a gcm contextFappend data which is going to just be authentified to the GCM context.Tneed to happen after initialization and before appending encryption/decryption data.4append data to encrypt and append to the GCM contextbytestring need to be multiple of AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.4append data to decrypt and append to the GCM contextbytestring need to be multiple of AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.!Generate the Tag from GCM contextinitialize an ocb contextFappend data which is going to just be authentified to the OCB context.Tneed to happen after initialization and before appending encryption/decryption data.4append data to encrypt and append to the OCB contextbytestring need to be multiple of AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.4append data to decrypt and append to the OCB contextbytestring need to be multiple of AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.!Generate the Tag from OCB contextG AES Context Initial vector of AES block size plaintext ciphertext Cipher Key.usually a 128 bit integer.length of bytes required. AES ContextIinitial vector of AES block size (usually representing a 128 bit integer)plaintext inputciphertext output AES ContextIV initial vector of any sizedata to authenticate (AAD)data to encryptciphertext and tag AES ContextIV initial vector of any sizedata to authenticate (AAD)data to encryptciphertext and tagAES cipher and tweak context:a 128 bits IV, typically a sector or a block offset in XTSLnumber of rounds to skip, also seen a 16 byte offset in the sector or block.input to encryptoutput encrypted AES Context6initial vector, usually representing a 128 bit integerciphertext inputplaintext outputAES cipher and tweak context:a 128 bits IV, typically a sector or a block offset in XTSLnumber of rounds to skip, also seen a 16 byte offset in the sector or block.input to decryptoutput decryptedKeyIV initial vector of any sizedata to authenticate (AAD)data to decryptplaintext and tagKeyIV initial vector of any sizedata to authenticate (AAD)data to decryptplaintext and tagD* BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneB448 bit keyed blowfish state256 bit keyed blowfish state128 bit keyed blowfish state64 bit keyed blowfish statevariable keyed blowfish state          + BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone&Camellia block cipher with 128 bit key, BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNone DES Context- BSD-style experimental???NoneL3DES where the first and third keys are equal, used in alternative directionI3DES where the first and third keys are equal, used in the same direction83DES with 3 different keys used in alternative direction93DES with 3 different keys used all in the same direction !" !". BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB A P256 point A P256 scalarLift to curve a scalar0Using the curve generator as base point compute:  scalar * GAdd a point to another pointMultiply a point by a scalarwarning: variable timemultiply the point p with &n2 and add a lifted to curve value @n1 n1 * G + n2 * pwarning: variable time Check if a  is validThe scalar representing 0$Perform addition between two scalars a + b'Perform subtraction between two scalars a - bGive the inverse of the scalar 1 / awarning: variable timeCompare 2 Scalarconvert a scalar from binaryconvert a scalar to binary:#$%&'()*+,-./0123456789:;<=>?@ABCDEFG8#$%&'()*+,-./0123456789:;<=>?@ABCDEFG/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneB An Ed25519 signatureAn Ed25519 public keyAn Ed25519 Secret key*Try to build a public key from a bytearray*Try to build a secret key from a bytearray)Try to build a signature from a bytearray%Create a public key from a secret key!Sign a message using the key pairVerify a messageHIJKLMNOP  HIJKLMNOP0 BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneBAES with 256 bit keyAES with 192 bit keyAES with 128 bit keyQRSTUVWXYZ[\ QRSTUVWXYZ[\]7^7_7`abcdefghijklmnoopqrstunlmvwxyz{ | } q ~  } q  } q     AAAAAAAAAAAAAAABBBBBBBBBCCDDEEFFGGHHIIJJKKKKLLLLLLLLMMMMMMMMNNOOPPPPQQQQQQQQRRqrst      !"#$%&'()*+,-./00123456677898:;<=>?@ABCDEFGHIJ   KLJMNOPQRSTUVWXYZ[[\]^ _ `Sa!b!c"d"e"f"g"h"i"j"k"l#m#m########## # #n#o$ $ $o%p%%q&r&s&t&u&v&w& &x& 'y'y'z'{'|'}'~''' 'x' ((((((((w(u(vYYYYYYYYYYYYYYYYYYZZZZZZZZZZZZZZZZ[[[[[[[[[[[[[[[[[\\*****+,----.8...B.D................//////// / 000222223333444444455555555555556677^88999999 9 9 9 9 99999::w:u::::::::::: :!:":#:$:%:&:':(:):*:+:,:-:.:/:0:1:2:3:4:5:6:7:8:9;:;<=<><?<@<A<B<C<D<E<F<G<H<I<J<K<L<M<><?<@<A=NOPOQOROSTUTVTWTXTYTZ[\[][^[_`a`b`c`d`e`f`g`h`i`j`k`l`m`n`o`p`q`r`s`t`u`v`w`x`yz{z{|}~px?u | }       }  }          AAAAAA<pBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKKLLLLLLLMMMMMMMNN N N O O OOPPPPPQQQQQQQRRRR !"#$%&'()*+,-./() 0 1 2 3SqS4SaSS5T6"7"8&9':(tU;V<VV V=VnV>VwVuV V V V<VWWwWuW?W@WAWBWCWDWEXFXGXwXuXFXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfXgYh[i[[j[k[l[m[n[o[p[q[r[s]t]u]v]w]x]y]z]{]|]}]~]]]]]]]]]]]]]]]]]]]]t]u]v]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]***************+++,,,,--------------.....8................................/////////000000000000cryptonite-0.2Crypto.Random.Entropy.UnsafeCrypto.Number.BasicCrypto.Number.ModArithmetic Crypto.Number.Serialize.InternalCrypto.MAC.Poly1305Crypto.Number.SerializeCrypto.Random.EntropyCrypto.Random.EntropyPoolCrypto.Cipher.ChaChaCrypto.Cipher.RC4Crypto.Cipher.SalsaCrypto.Random.Types Crypto.ErrorCrypto.Number.F2mCrypto.Number.Generate Crypto.HashCrypto.Hash.IOCrypto.Hash.AlgorithmsCrypto.Data.AFISCrypto.MAC.HMACCrypto.KDF.PBKDF2Crypto.KDF.ScryptCrypto.PubKey.HashDescrCrypto.PubKey.MaskGenFunctionCrypto.PubKey.Curve25519Crypto.PubKey.DSACrypto.PubKey.ECC.TypesCrypto.PubKey.ECC.PrimCrypto.PubKey.ECC.ECDSACrypto.PubKey.ECC.GenerateCrypto.PubKey.RSA.TypesCrypto.PubKey.RSA.Prim Crypto.RandomCrypto.Number.PrimeCrypto.PubKey.DHCrypto.PubKey.ECC.DHCrypto.PubKey.RSACrypto.PubKey.RSA.PKCS15Crypto.PubKey.RSA.PSSCrypto.PubKey.RSA.OAEPCrypto.Cipher.TypesCrypto.Cipher.BlowfishCrypto.Cipher.CamelliaCrypto.Cipher.DESCrypto.Cipher.TripleDESCrypto.PubKey.ECC.P256Crypto.PubKey.Ed25519Crypto.Cipher.AESCrypto.Internal.DeepSeqCrypto.Internal.CompatPrimCrypto.Random.Entropy.SourceCrypto.Random.Entropy.RDRandCrypto.Random.Entropy.UnixCrypto.Internal.WordsCrypto.Random.Entropy.BackendCrypto.PubKey.InternalCrypto.Number.CompatCrypto.Cipher.DES.PrimitiveCrypto.Internal.CompatCrypto.Internal.WordArrayCrypto.Cipher.Blowfish.BoxCrypto.Internal.ByteArrayCrypto.Cipher.Types.UtilsCrypto.Internal.ImportsCrypto.Error.TypesCrypto.Hash.TypesCrypto.Hash.MD2Crypto.Hash.MD4Crypto.Hash.MD5Crypto.Hash.SHA1Crypto.Hash.SHA224Crypto.Hash.SHA256Crypto.Hash.SHA384Crypto.Hash.SHA512Crypto.Hash.SHA512tCrypto.Hash.SHA3Crypto.Hash.KekkakCrypto.Hash.RIPEMD160Crypto.Hash.TigerCrypto.Hash.Skein256Crypto.Hash.Skein512Crypto.Hash.WhirlpoolCrypto.Random.ChaChaDRGCrypto.Random.ProbabilisticCrypto.Cipher.Types.GFCrypto.PubKey.ElGamal Crypto.Cipher.Blowfish.Primitive Crypto.Cipher.Camellia.PrimitiveCrypto.Cipher.Types.BaseCrypto.Cipher.Types.AEADCrypto.Cipher.Types.BlockCrypto.Cipher.Types.StreamCrypto.Cipher.AES.PrimitiveEntropyBackendsupportedBackends gatherBackend replenishsqrtigcdeareEvenlog2numBitsnumBytesexpSafeexpFastinverseinverseCoprimesi2ospi2ospOfos2ipAuthCtx initializeupdateupdatesfinalizeauthi2ospOf_ getEntropy EntropyPoolcreateEntropyPoolWithcreateEntropyPoolgetEntropyFrom StateSimpleStateinitializeSimplecombinegenerategenerateSimpleMonadPseudoRandomDRGrandomBytesGenerate MonadRandomgetRandomByteswithDRGCryptoFailable CryptoFailed CryptoPassed CryptoError CryptoError_PublicKeySizeInvalid%CryptoError_SecretKeyStructureInvalid CryptoError_SecretKeySizeInvalid CryptoError_AEADModeNotSupportedCryptoError_IvSizeInvalidCryptoError_KeySizeInvalidthrowCryptoErrorIOthrowCryptoErroronCryptoFailureeitherCryptoErrormaybeCryptoErrorBinaryPolynomialaddF2mmodF2mmulF2m squareF2minvF2mdivF2m GenTopPolicy SetTwoHighest SetHighestgenerateParams generateMaxgenerateBetweenDigestContext HashAlgorithm hashBlockSizehashDigestSizehashInternalContextSizehashInternalInithashInternalUpdatehashInternalFinalizeMutableContexthashMutableInithashMutableInitWithhashMutableUpdatehashMutableFinalizehashMutableResetMD2MD4MD5SHA1SHA224SHA256SHA384SHA512 SHA512t_256 SHA512t_224SHA3_512SHA3_384SHA3_256SHA3_224 Kekkak_512 Kekkak_384 Kekkak_256 Kekkak_224 RIPEMD160Tiger Skein256_256 Skein256_224 Skein512_512 Skein512_384 Skein512_256 Skein512_224 WhirlpoolhashhashlazyhashInit hashUpdate hashUpdates hashFinalize hashInitWithhashWithdigestFromByteStringsplitmergeHMAC hmacGetDigesthmac Parameters iterCounts outputLengthPRFprfHMACnrp HashDescr runHashDescr hashDescrMD2 hashDescrMD5 hashDescrSHA1hashDescrSHA224hashDescrSHA256hashDescrSHA384hashDescrSHA512hashDescrRIPEMD160MaskGenAlgorithmmgf1DhSecret PublicKey SecretKey publicKey secretKeydhSecretdhtoPublicKeyPair PrivateKeyprivate_params private_x public_paramspublic_y Signaturesign_rsign_sParamsparams_pparams_gparams_q PrivateNumber PublicNumber toPublicKey toPrivateKeygeneratePrivatecalculatePublicsignWithsignverify CurveName SEC_t571r1 SEC_t571k1 SEC_t409r1 SEC_t409k1 SEC_t283r1 SEC_t283k1 SEC_t239k1 SEC_t233r1 SEC_t233k1 SEC_t193r2 SEC_t193r1 SEC_t163r2 SEC_t163r1 SEC_t163k1 SEC_t131r2 SEC_t131r1 SEC_t113r2 SEC_t113r1 SEC_p521r1 SEC_p384r1 SEC_p256r1 SEC_p256k1 SEC_p224r1 SEC_p224k1 SEC_p192r1 SEC_p192k1 SEC_p160r2 SEC_p160r1 SEC_p160k1 SEC_p128r2 SEC_p128r1 SEC_p112r2 SEC_p112r1 CurveCommonecc_aecc_becc_gecc_necc_h CurvePrime CurveBinaryPointPointO PublicPointCurveCurveFPCurveF2m common_curveecc_fxecc_pgetCurveByNamepointAdd pointDoublepointMulisPointAtInfinity isPointValid public_curvepublic_q private_curve private_d generateQ private_pub private_p private_q private_dP private_dQ private_qinv public_sizepublic_npublic_eErrorInvalidParametersSignatureTooLongMessageNotRecognizedMessageTooLongMessageSizeIncorrectBlinder private_size private_n private_edpep ChaChaDRGdrgNew drgNewTestisProbablyPrime generatePrimegenerateSafePrimefindPrimeFromWith findPrimeFromprimalityTestMillerRabinprimalityTestFermatprimalityTestNaive isCoprime SharedKeygeneratePublic getShared generateWithgenerateBlinderpad padSignatureunpaddecrypt decryptSaferencrypt signSafer PSSParamspssHash pssMaskGenAlg pssSaltLengthpssTrailerFielddefaultPSSParamsdefaultPSSParamsSHA1 signWithSalt OAEPParamsoaepHashoaepMaskGenAlg oaepLabeldefaultOAEPParamsencryptWithSeedCipher cipherInit cipherName cipherKeySizeAEADModeAEAD_GCMAEAD_CWCAEAD_EAXAEAD_CCMAEAD_OCBAuthTag unAuthTagDataUnitOffsetKeySizeSpecifier KeySizeFixed KeySizeEnum KeySizeRangeAEAD aeadModeImpl aeadState AEADModeImplaeadImplAppendHeaderaeadImplEncryptaeadImplDecryptaeadImplFinalizeaeadAppendHeader aeadEncrypt aeadDecrypt aeadFinalizeaeadSimpleEncryptaeadSimpleDecryptBlockCipher128 xtsEncrypt xtsDecrypt BlockCipher blockSize ecbEncrypt ecbDecrypt cbcEncrypt cbcDecrypt cfbEncrypt cfbDecrypt ctrCombineaeadInitIVmakeIVnullIVivAdd StreamCipher streamCombine Blowfish448 Blowfish256 Blowfish128 Blowfish64Blowfish Camellia128DESDES_EDE2DES_EEE2DES_EDE3DES_EEE3ScalartoPointpointsMulVarTime pointIsValidpointToIntegerspointFromIntegers pointToBinarypointFromBinary scalarZero scalarIsZero scalarAdd scalarSub scalarInv scalarCmpscalarFromBinaryscalarToBinaryscalarFromIntegerscalarToInteger signatureAES256AES192AES128deepseq-1.3.0.2Control.DeepSeqrnfNFDatabe32Primle32Primbyteswap32Prim convert4To32 booleanPrim EntropySource entropyOpen entropyGather entropyCloseRDRandc_get_rand_bytesc_cpu_has_rdrand rdrandGrabrdrandGetBytes$fEntropySourceRDRand DevURandom DevRandom DeviceNameHtestOpenopenDevwithDevcloseDevgatherDevEntropy$fEntropySourceDevURandom$fEntropySourceDevRandomw64to32baseGHC.WordWord64Word32w32to64 memory-0.7Data.Memory.ExtendedWordsWord128 openBackendand'&&! GmpSupportedonGmpUnsupportedgmpGcdegmpLog2gmpPowModSecIntegergmpPowModInteger gmpInverse gmpNextPrimegmpTestPrimeMillerRabingmpSizeInBytesgmpExportIntegergmpImportIntegerGmpUnsupported gmpSizeInBitsCoprimesAssertionErrorexponentiation!$fExceptionCoprimesAssertionErrorfillPtrBlockBits64Bits56Bits48Bits32Bits6Bits4KeyRotationunBlockdesXor desRotatebitifyunbitifyinitial_permutationkey_transformationdes_encdes_decdo_desdes_workdo_roundget_keycompression_permutationexpansion_permutations_boxs_box_1s_box_2s_box_3s_box_4s_box_5s_box_6s_box_7s_box_8p_box final_permtakeDrop unsafeDoIO byteSwap64 Data.BitspopCountMutableArray32Array64Array32Array8array8array32array64mutableArray32mutableArray32FromAddrBEmutableArray32Freeze arrayRead8 arrayRead32 arrayRead64mutableArrayRead32mutableArrayWrite32mutableArrayWriteXor32createKeyScheduleData.ByteArray.Mapping mapAsWord64 mapAsWord128toW64LEtoW64BEData.ByteArray.EncodingconvertFromBase convertToBaseBase16Base32Base64BaseData.ByteArray.ViewdropViewtakeViewviewViewData.ByteArray.MethodsconvertconstEqeqzero replicate copyAndFreezecopyRetcopyappendconcatspandroptakesplitAtindexxorunconsunpackpacknullempty unsafeCreateallocAndFreezecreateallocData.ByteArray.MemViewMemViewData.ByteArray.ScrubbedBytes ScrubbedBytesData.ByteArray.BytesBytesData.ByteArray.Types withByteArraylengthByteArrayAccessallocRet ByteArrayc_poly1305_finalizec_poly1305_updatec_poly1305_init$fEqAuth getEntropyPtrdefaultPoolSizechunk Control.ArrowfirstControl.Applicative<*>pure Alternative Applicativeghc-prim GHC.TypesWordWord8Word16optionalliftA3liftA2liftA<**><**>manysome<|>getConstConst unwrapMonad WrapMonad WrappedMonad unwrapArrow WrapArrow WrappedArrow getZipListZipListsecond Data.Functor<$> byteSwap32 byteSwap16 Control.MonadvoidforM_forMGHC.Base<$ccryptonite_chacha_randomccryptonite_chacha_generateccryptonite_chacha_combineccryptonite_chacha_initccryptonite_chacha_init_core c_rc4_init c_rc4_combineccryptonite_salsa_generateccryptonite_salsa_combineccryptonite_salsa_initrunPseudoRandom$fMonadRandomMonadPseudoRandom$fMonadMonadPseudoRandom$fApplicativeMonadPseudoRandom$fFunctorMonadPseudoRandom$fMonadRandomIO Data.Eithereither$fMonadCryptoFailable$fApplicativeCryptoFailable$fFunctorCryptoFailable$fEqCryptoFailable$fShowCryptoFailable$fExceptionCryptoError Data.MaybeNothingsquareTrue $fShowDigestc_md2_finalize c_md2_update c_md2_init$fHashAlgorithmMD2c_md4_finalize c_md4_update c_md4_init$fHashAlgorithmMD4c_md5_finalize c_md5_update c_md5_init$fHashAlgorithmMD5c_sha1_finalize c_sha1_update c_sha1_init$fHashAlgorithmSHA1c_sha224_finalizec_sha224_update c_sha224_init$fHashAlgorithmSHA224c_sha256_finalizec_sha256_update c_sha256_init$fHashAlgorithmSHA256c_sha384_finalizec_sha384_update c_sha384_init$fHashAlgorithmSHA384c_sha512_finalizec_sha512_update c_sha512_init$fHashAlgorithmSHA512c_sha512t_finalizec_sha512t_updatec_sha512t_init$fHashAlgorithmSHA512t_256$fHashAlgorithmSHA512t_224c_sha3_finalize c_sha3_update c_sha3_init$fHashAlgorithmSHA3_512$fHashAlgorithmSHA3_384$fHashAlgorithmSHA3_256$fHashAlgorithmSHA3_224c_kekkak_finalizec_kekkak_update c_kekkak_init$fHashAlgorithmKekkak_512$fHashAlgorithmKekkak_384$fHashAlgorithmKekkak_256$fHashAlgorithmKekkak_224c_ripemd160_finalizec_ripemd160_updatec_ripemd160_init$fHashAlgorithmRIPEMD160c_tiger_finalizec_tiger_update c_tiger_init$fHashAlgorithmTigerc_skein256_finalizec_skein256_updatec_skein256_init$fHashAlgorithmSkein256_256$fHashAlgorithmSkein256_224c_skein512_finalizec_skein512_updatec_skein512_init$fHashAlgorithmSkein512_512$fHashAlgorithmSkein512_384$fHashAlgorithmSkein512_256$fHashAlgorithmSkein512_224c_whirlpool_finalizec_whirlpool_updatec_whirlpool_init$fHashAlgorithmWhirlpoolxorMemdiffuse$fEqHMACccryptonite_scrypt_smix unHashDescr hashDescrccryptonite_curve25519$fNFDataKeyPair$fNFDataPrivateKey$fNFDataPublicKey$fNFDataSignature$fNFDataParams$fNFDataCurveBinary $fNFDataPointdivmodtHashmultiplicationdpSlowdpFastdpFastNoBlinderinitializeWords$fDRGChaChaDRG probabilistic firstPrimesdivides makeSignaturenormalizeToKeySizextsGFMul EphemeralKeygenerateEphemeral encryptWith initBlowfishBFdecryptContextcipher coreCryptomakeKeySchedule$fNFDataContextCamellia initCamelliakkwkeModeEncryptDecrypt w64tow128w64tow8w8tow64sboxsbox1sbox2sbox3sbox4sigma1sigma2sigma3sigma4sigma5sigma6rotl128 setKeyInterimfeistelflflinvgetKeyKgetKeyKegetKeyKw doBlockRounddoBlock encryptBlock decryptBlock $fEqAuthTagXTScbcEncryptGenericcbcDecryptGenericcfbEncryptGenericcfbDecryptGenericctrCombineGenericxtsEncryptGenericxtsDecryptGeneric xtsGeneric$fEqIV$fByteArrayAccessIVAESOCBAESGCMAESgcmModeocbModeinitAES encryptECB encryptCBCgenCTR genCounter encryptCTR encryptGCM encryptOCB encryptXTS decryptECB decryptCBC decryptCTR decryptXTS decryptGCM decryptOCBgcmInit gcmAppendAADgcmAppendEncryptgcmAppendDecrypt gcmFinishocbInit ocbAppendAADocbAppendEncryptocbAppendDecrypt ocbFinishc_aes_ocb_finishc_aes_ocb_decryptc_aes_ocb_encrypt c_aes_ocb_aadc_aes_ocb_initc_aes_gcm_finishc_aes_gcm_decryptc_aes_gcm_encrypt c_aes_gcm_aadc_aes_gcm_initc_aes_encrypt_ctrc_aes_gen_ctr_cont c_aes_gen_ctrc_aes_decrypt_xtsc_aes_encrypt_xtsc_aes_decrypt_cbcc_aes_encrypt_cbcc_aes_decrypt_ecbc_aes_encrypt_ecb c_aes_initsizeGCMsizeOCBkeyToPtrivToPtr ivCopyPtr withKeyAndIV withKey2AndIVwithGCMKeyAndCopySt withNewGCMStwithOCBKeyAndCopyStdoECBdoCBCdoXTSdoGCMdoOCB$fBlockCipher128AES$fBlockCipherAES $fCipherAES$fBlockCipherBlowfish448$fCipherBlowfish448$fBlockCipherBlowfish256$fCipherBlowfish256$fBlockCipherBlowfish128$fCipherBlowfish128$fBlockCipherBlowfish64$fCipherBlowfish64$fBlockCipherBlowfish$fCipherBlowfish$fBlockCipherCamellia128$fCipherCamellia128initDES$fBlockCipherDES $fCipherDESinit3DESinit2DES$fBlockCipherDES_EDE2$fBlockCipherDES_EEE2$fBlockCipherDES_EDE3$fBlockCipherDES_EEE3$fCipherDES_EEE2$fCipherDES_EDE2$fCipherDES_EDE3$fCipherDES_EEE3P256XP256Y P256Scalar P256Digitccryptonite_p256_from_binccryptonite_p256_to_binccryptonite_p256_is_valid_point#ccryptonite_p256_points_mul_vartimeccryptonite_p256e_point_addccryptonite_p256_basepoint_mulccryptonite_p256_modinv_vartimeccryptonite_p256_modmulccryptonite_p256_modccryptonite_p256_cmpccryptonite_p256_subccryptonite_p256_add_dccryptonite_p256_addccryptonite_p256_clearccryptonite_p256_is_zeroccryptonite_p256_initccryptonite_SECP256r1_bccryptonite_SECP256r1_pccryptonite_SECP256r1_n scalarSize pointSizescalarNeedReducing withNewPoint withPointpxToPywithNewScalarFreezewithTempScalar withScalarwithScalarZero allocTempallocTempScrubbedccryptonite_ed25519_signccryptonite_ed25519_sign_openccryptonite_ed25519_publickey publicKeySize secretKeySize signatureSize$fBlockCipher128AES256$fBlockCipherAES256$fBlockCipher128AES192$fBlockCipherAES192$fBlockCipher128AES128$fBlockCipherAES128$fCipherAES256$fCipherAES192$fCipherAES128