y      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~       !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./012345678 9 : ; < =!>!?!@!A!B"C"D"E"F"G"H"I"J"K#L#M#N#O#P#Q$R%S%T%U%V%W%X&Y&Z&[&\&]&^&_&`&a&b&c&d&e&f&g&h'i'j'k'l(m(n(o(p(q(r(s(t(u)v)w)x)y)z){)|)})~)))*********************+++++++++++++++++++++,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,----------------------------------------------------- - - . . ......///////////// /!/"/#/$/%/&/'/(/)/*/+/,/-/.///0/1/2/3/4/5/60708191:2;2<2=2>2?2@2A2B2C2D2E2F2G2H2I2J2K2L2M2N2O2P2Q2R2S3T3U3V3W3X3Y3Z3[3\3]3^3_3`3a3b3c3d3e3f3g3h3i3j3k3l4m4n4o4p4q4r4s4t4u5v5w5x5y5z5{5|5}5~5555555555555555555555555555666777888888888899999999999999999999::::::::::::::::;;;<<<<====================>>>>>>>>>>>>>>>x?Safe@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafeRA handle to an entropy maker, either a system capability or a hardware generator.%try to open an handle for this sourcebtry to gather a number of entropy bytes into a buffer. return the number of actual bytes gatheredClose an open handleA BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafeTEntropy device devurandom on unix system Entropy device devrandom on unix system    B BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafe 3fake handle to Intel RDRand entropy cpu instruction         C BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodSafeATAny Entropy BackendAll supported backends Open a backend handle%Gather randomness from an open handleAn open Entropy BackendPointer to a buffer to write tonumber of bytes to write+return the number of bytes actually written BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafeRefill the entropy in a bufferGcall each entropy backend in turn until the buffer has been replenish.YIf the buffer cannot be refill after 3 loopings, this will raise an User Error exceptionD BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafeThis is a strict version of andThis is a strict version of &&.E BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneB GMP Supported / UnsupportedDSimple combinator in case the operation is not supported through GMP-Compute the GCDE of a two integer through GMP6Compute the binary logarithm of an integer through GMPXCompute the power modulus using extra security to remain constant time wise through GMP%Compute the power modulus through GMP'Inverse modulus of a number through GMP4Get the next prime from a specific value through GMP,Test if a number is prime using Miller Rabin&Return the size in bytes of an integer%Return the size in bits of an integer Export an integer to a memory!Import an integer from a memory"# !"# ! "# ! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNonesqrti returns two integer (l,b) so that l <= sqrt i <= b the implementation is quite naive, use an approximation for the first number and use a dichotomy algorithm to compute the bound relatively efficiently.8get the extended GCD of two integer using integer divModgcde a b& find (x,y,gcd(a,b)) where ax + by = d'check if a list of integer are all even)Compute the binary logarithm of a integer)Compute the number of bits for an integer *Compute the number of bytes for an integer     BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone0$@Raised when two numbers are supposed to be coprimes but are not. zCompute the modular exponentiation of base^exponant using algorithms design to avoid side channels and timing measurementPModulo need to be odd otherwise the normal fast modular exponentiation is used.When used with integer-simple, this function is not different from expFast, and thus provide the same unstudied and dubious timing and side channels claims.with GHC 7.10, the powModSecInteger is missing from integer-gmp (which is now integer-gmp2), so is has the same security as old ghc version. Compute the modular exponentiation of base^exponant using the fastest algorithm without any consideration for hiding parameters.AUse this function when all the parameters are public, otherwise   should be prefered.%Wexponentiation computes modular exponentiation as b^e mod m using repetitive squaring. 7inverse computes the modular inverse as in g^(-1) mod m |Compute the modular inverse of 2 coprime numbers. This is equivalent to inverse except that the result is known to exists.^if the numbers are not defined as coprime, this function will raise a CoprimesAssertionError.$& baseexponantmoduloresult baseexponantmoduloresult%   $& %  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneFfill a pointer with the big endian binary representation of an integerif the room available @ptrSz is less than the number of bytes needed, 0 is returned. Likewise if a parameter is invalid, 0 is returned.#returns the number of bytes written Similar to 3, except it will pad any remaining space with zero.etransform a big endian binary integer representation pointed by a pointer and a size into an integer''F BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe(Split a ) into the highest and lowest *+Reconstruct a ) from two *(+,-(+(+G BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodSafe.A type witness for a as phantom type./././HSafe *,DQR0ensure the given bitlen is greater or equal to n1ensure the given bitlen is lesser or equal to n 23450617892350189 2345061789I BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe:;J BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe,<=>?@ABCD*)EFGHIJKLMNOPQRSTUVWXYZ[\]^_`abc:; BSD-style"Danny Navarro <j@dannynavarro.net> experimentalGoodNone +Binary Polynomial represented by an integer-Addition over F m. This is just a synonym of d.Reduction by modulo over F m.This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.Multiplication over F m.This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.Squaring over F m.This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited..Squaring over F m without reduction by modulo.The implementation utilizes the fact that for binary polynomial S(x) we have S(x)^2 = S(x^2). In other words, insert a zero bit between every bits of argument: 1101 -> 1010001.kThis function is undefined for negative arguments, because their bit representation is platform-dependent.e,Extended GCD algorithm for polynomials. For a and b returns  (g, u, v) such that a * u + b * v == g. Reference: thttps://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#B.C3.A9zout.27s_identity_and_extended_GCD_algorithm Modular inversion over F m. If n doesn't have an inverse, f is returned.This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.GDivision over F m. If the dividend doesn't have an inverse it returns f.This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited. ModulusModulusModuluseModulusModulusDividendDivisorQuotient e BSD-style#Vincent Hanquez <vincent@snarc.org> Experimental ExcellentNone0*Define names for known recommended curves.=PDefine common parameters in a curve definition of the form: y^2 = x^3 + ax + b.?curve parameter a@curve parameter bA base pointB order of GCcofactorDIDefine an elliptic curve in =p. The first parameter is the Prime Number.FzDefine an elliptic curve in =(2^m). The firt parameter is the Integer representatioin of the irreducible polynomial f(x).HDefine a point on a curve.JPoint at InfinityKECC Private NumberLECC Public PointM.Define either a binary curve or a prime curve.N=(2^m)O=pP5Parameters in common between binary and prime curves.QHIrreducible polynomial representing the characteristic of a CurveBinary.R=Prime number representing the characteristic of a CurvePrime.S!get the size of the curve in bitsTHGet the curve definition associated with a recommended known curve name.< !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUV: !"#$%&'()*+,-./0123456789:;<=>BA?@CDEFGHIJKLMNOPQRST:MNOHIJLKFGDEPSQR=>?@ABC !"#$%&'()*+,-./0123456789:;<T! !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUV BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone0IrRepresent RSA KeyPairRnote the RSA private key contains already an instance of public key for efficiencytRepresent a RSA private key.-Only the pub, d fields are mandatory to fill.p, q, dP, dQ, qinv are by-product during RSA generation, but are useful to record here to speed up massively the decrypt and sign operation./implementations can leave optional fields to 0.v,public part of a private key (size, n and e)wprivate exponant dxp prime numberyq prime numberz d mod (p-1){ d mod (q-1)| q^(-1) mod p}Represent a RSA public keysize of key in bytes public p*qpublic exponant e8error possible during encryption, decryption or signing.Nthe message to decrypt is not of the correct size (need to be == private_size)"the message to encrypt is too longDthe message decrypted doesn't have a PKCS15 structure (0 2 .. 0 msg) the message's digest is too long-some parameters lead to breaking assumptions.lBlinder which is used to obfuscate the timing of the decryption primitive (used by decryption and signing).(get the size in bytes from a private keyget n from a private keyget e from a private keyPublic key of a RSA KeyPairPrivate key of a RSA KeyPairrstuvwxyz{|}~rstuvwxyz{|}~}~tuvwxyz{|rs rstuvwxyz{|}~K BSD-style#Vincent Hanquez <vincent@snarc.org>stableCompatNoneBg$byteswap Word# to or from Big Endian0on a big endian machine, this function is a nop.h'byteswap Word# to or from Little Endian3on a little endian machine, this function is a nop.iVSimple compatibility for byteswap the lower 32 bits of a Word# at the primitive levelj<combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]kpSimple wrapper to handle pre 7.8 and future, where most comparaison functions don't returns a boolean anymore.ghijkghijkghijkL BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNonelperform io for hashes that do allocation and ffi. unsafeDupablePerformIO is used when possible as the computation is pure and the output is directly linked to the input. we also do not modify anything after it has been returned to the user.lVmllM BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNoneBnArray of mutable Word32oArray of Word64pArray of Word32qArray of Word8r*Create an array of Word8 aliasing an Addr#s@Create an Array of Word32 of specific size from a list of Word32t@Create an Array of Word64 of specific size from a list of Word64uGCreate a Mutable Array of Word32 of specific size from a list of Word32v4Create a Mutable Array of BE Word32 aliasing an AddrwAfreeze a Mutable Array of Word32 into a immutable Array of Word32xRead a Word8 from an ArrayyRead a Word32 from an ArrayzRead a Word64 from an Array{,Read a Word32 from a Mutable Array of Word32|-Write a Word32 from a Mutable Array of Word32}dWrite into the Mutable Array of Word32 by combining through xor the current value and the new value. x[i] = x[i] xor valuen~opqrstuvwxyz{|}nopqrstuvwxyz{|}n~opqrstuvwxyz{|}N BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNone9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone4os2ip converts a byte string into a positive integer4i2osp converts a positive integer into a byte stringXfirst byte is MSB (most significant byte), last byte is the LSB (least significant byte)[just like i2osp, but take an extra parameter for size. if the number is too big to fit in len bytes, f? is returned otherwise the number is padded with 0 to fit the len required.|just like i2ospOf except that it doesn't expect a failure: i.e. an integer larger than the number of output bytes requestedhfor example if you just took a modulo of the number that represent the size (example the RSA modulo n).  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneCompute the RSA decrypt primitive. if the p and q numbers are available, then dpFast is used otherwise, we use dpSlow which only need d and n.!Compute the RSA encrypt primitiveKmultiply 2 integers in Zm only performing the modulo operation if necessary  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone2Get some entropy from the system source of entropy  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNonefPool of Entropy. Contains a self-mutating pool of entropy, that is always guaranteed to contain data.,Create a new entropy pool of a specific sizegWhile you can create as many entropy pools as you want, the pool can be shared between multiples RNGs..Create a new entropy pool with a default size.gWhile you can create as many entropy pools as you want, the pool can be shared between multiples RNGs.-Put a chunk of the entropy pool into a buffer.Grab a chunk of entropy from the entropy pool.  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneOA simple Monad class very similar to a State Monad with the state being a DRG.,A Deterministic Random Generator (DRG) class)Generate N bytes of randomness from a DRG7A monad constraint that allows to generate random bytesERun a pure computation with a Deterministic Random Generator in the     BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone(Top bits policy when generating a numberset the highest bitset the two highest bitUGenerate a number for a specific size of bits, and optionaly set bottom and top bitsIf the top bit policy is fT, then nothing is done on the highest bit (it's whatever the random generator set).If @generateOdd is set to `, then the number generated is guaranteed to be odd. Otherwise it will be whatever is generated2Generate a positive integer x, s.t. 0 <= x < range9generate a number between the inclusive bound [low,high].number of bitstop bit policyforce the number to be oddrangeO BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone]A referentially transparent System representation of the random evaluated out of the system.fHolding onto a specific DRG means that all the already evaluated bytes will be consistently replayed.NThere's no need to reseed this DRG, as only pure entropy is represented here.#Grab one instance of the System DRGP BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,DIR .Represent a digest for a given hash algorithm./Represent a context for a given hash algorithm.&Class representing hashing algorithms.The interface presented here is update in place and lowlevel. the Hash module takes care of hidding the mutable interface properly.8Associated type for the block size of the hash algorithm9Associated type for the digest size of the hash algorithmCAssociated type for the internal context size of the hash algorithm&Get the block size of a hash algorithm'Get the digest size of a hash algorithm5Get the size of the context used for a hash algorithmEInitialize a context pointer to the initial state of a hash algorithm%Update the context with some raw dataEFinalize the context and set the digest raw memory to the right value Q BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR&Whirlpool cryptographic hash algorithmR BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR"Tiger cryptographic hash algorithmS BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR0Skein512 (512 bits) cryptographic hash algorithm0Skein512 (384 bits) cryptographic hash algorithm0Skein512 (256 bits) cryptographic hash algorithm0Skein512 (224 bits) cryptographic hash algorithm T BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR0Skein256 (256 bits) cryptographic hash algorithm0Skein256 (224 bits) cryptographic hash algorithm U BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone *,0DQRTSHAKE256 (256 bits) extendable output function. Supports an arbitrary digest size (multiple of 8 bits), to be specified as a type parameter of kind .Note: outputs from  n and  mb for the same input are correlated (one being a prefix of the other). Results are unrelated to  results.SHAKE128 (128 bits) extendable output function. Supports an arbitrary digest size (multiple of 8 bits), to be specified as a type parameter of kind .Note: outputs from  n and  mb for the same input are correlated (one being a prefix of the other). Results are unrelated to  results.  V BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR/SHA512t (256 bits) cryptographic hash algorithm/SHA512t (224 bits) cryptographic hash algorithm W BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR#SHA512 cryptographic hash algorithmX BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR#SHA384 cryptographic hash algorithmY BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR,SHA3 (512 bits) cryptographic hash algorithm,SHA3 (384 bits) cryptographic hash algorithm,SHA3 (256 bits) cryptographic hash algorithm,SHA3 (224 bits) cryptographic hash algorithm Z BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR#SHA256 cryptographic hash algorithm[ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR#SHA224 cryptographic hash algorithm\ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR!SHA1 cryptographic hash algorithm] BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR&RIPEMD160 cryptographic hash algorithm        ^ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR MD5 cryptographic hash algorithm  _ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR MD4 cryptographic hash algorithm` BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR MD2 cryptographic hash algorithma BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR.Keccak (512 bits) cryptographic hash algorithm.Keccak (384 bits) cryptographic hash algorithm.Keccak (256 bits) cryptographic hash algorithm.Keccak (224 bits) cryptographic hash algorithm  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneITA Mutable hash context "Create a new mutable hash context.Jthe algorithm used is automatically determined from the return constraint. "Create a new mutable hash context.0The algorithm is explicitely passed as parameter &Update a mutable hash context in place 4Finalize a mutable hash context and compute a digest :Reset the mutable context to the initial state of the hash                      b BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR0Blake2sp (256 bits) cryptographic hash algorithm0Blake2sp (224 bits) cryptographic hash algorithm !"#$%!"#$%c BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR/Blake2s (256 bits) cryptographic hash algorithm/Blake2s (224 bits) cryptographic hash algorithm/Blake2s (160 bits) cryptographic hash algorithm &'()*+ &'()*+d BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR0Blake2bp (512 bits) cryptographic hash algorithm,-./,-./e BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,0DR/Blake2b (512 bits) cryptographic hash algorithm/Blake2b (384 bits) cryptographic hash algorithm/Blake2b (256 bits) cryptographic hash algorithm!/Blake2b (224 bits) cryptographic hash algorithm#/Blake2b (160 bits) cryptographic hash algorithm !"#$01234567  !"#$  !"#$01234567f BSD-style*Nicolas Di Prima <nicolas@primetype.co.uk> experimentalunknownNone,0DRT)Fast cryptographic hash.6It is especially known to target 64bits architectures.Known supported digest sizes: Blake2b 160 Blake2b 224 Blake2b 256 Blake2b 384 Blake2b 512+1Fast and secure alternative to SHA1 and HMAC-SHA16It is espacially known to target 32bits architectures.known supported digest sizes: Blake2s 160 Blake2s 224 Blake2s 256%&'()*+,89:;<=>?@ABCDEFG%&'()*+,%&'()*+,89:;<=>?@ABCDEFG BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneY !"#$%&'()*+,Y#$!" )*%&+,'( BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneT -'Hash a strict bytestring into a digest..%Hash a lazy bytestring into a digest./0Initialize a new context for this hash algorithm0Hrun hashUpdates on one single bytestring and return the updated context.1`Update the context with a list of strict bytestring, and return a new context with the updates.2'Finalize a context and return a digest.37Initialize a new context for a specified hash algorithm4Run the -8 function but takes an explicit hash algorithm parameter5ATry to transform a bytearray into a Digest of specific algorithm.[If the digest is not the right size for the algorithm specified, then Nothing is returned. -./012345f !"#$%&'()*+,-./012345 534/102-. -./012345 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneI6;Represent an ongoing HMAC state, that can be appended with = and finalize to an HMAC with  hmacFinalize8ORepresent an HMAC that is a phantom type with the hash used to produce the mac.!The Eq instance is constant time.;1compute a MAC using the supplied hashing function<)Initialize a new incremental HMAC context=#Incrementally update a HMAC context>9Increamentally update a HMAC context with multiple inputs?,Finalize a HMAC context and return the HMAC. 6789:; Secret keyMessage to MAC< Secret key=Current HMAC contextMessage to append to the MACUpdated HMAC context>Current HMAC contextMessages to append to the MACUpdated HMAC context?@ 6789:;<=>? ;89:67<=>?6789:;<=>?@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneBPseudo Random KeyCRExtract a Pseudo Random Key using the parameter and the underlaying hash mechanismD2Create a PRK directly from the input key material.Only use when guaranteed to have a good quality and random data to use directly as key. This effectively skip a HMAC with key=salt and data=key.E<Expand key material of specific length out of the parametersBHICSaltInput Keying MaterialPseudo random keyDEPseudo Random Key5Optional context and application specific informationOutput length in bytes Output dataFBCDEBCDEBHICDEF BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneHParameters for PBKDF2JNthe number of user-defined iterations for the algorithms. e.g. WPA2 uses 4000.K-the number of bytes to generate out of PBKDF2LThe PRF used for PBKDF2M>PRF for PBKDF2 using HMAC with the hash algorithm as parameterN;generate the pbkdf2 key derivation function from the output HIJKLthe password parameters the contentprf(password,content)JKLMNOPQ HIKJLMNOPQ LMHIJKNOPQ HIJKLJKLMNOPQ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneRParameters for ScryptTLCpu/Memory cost ratio. must be a power of 2 greater than 1. also known as N.UMust satisfy r * p < 2^30VMust satisfy r * p < 2^30W-the number of bytes to generate out of ScryptX'Generate the scrypt key derivation dataRSTUVWMXRSUTVWXRSTUVWXRSTUVWMXNoneT`"An integral time value in seconds.aqThe strength of the calculated HOTP value, namely the number of digits (between 4 and 9) in the extracted value.h9A one-time password which is a sequence of 4 to 9 digits.jfAttempt to resynchronize the server's counter value with the client, given a sequence of HOTP values.kThe default TOTP configuration.l7Create a TOTP configuration with customized parameters.m*Calculate a totp value for the given time.njCheck a supplied TOTP value is valid for the given time, within the window defined by the skew parameter.YZ[\]^_N`abcdefghiENumber of digits in the HOTP value extracted from the calculated HMAC+Shared secret between the client and server8Counter value synchronized between the client and serverThe HOTP valuejThe look-ahead window parameter. Up to this many values will be calculated and checked against the value(s) submitted by the clientThe shared secret The current server counter valuedThe first OTP submitted by the client and a list of additional sequential OTPs (which may be empty)The new counter value, synchronized with the client's current counter or Nothing if the submitted OTP values didn't match anywhere within the windowOklThe T0 parameter in seconds. This is the Unix time from which to start counting steps (default 0). Must be before the current time.FThe time step parameter X in seconds (default 30, maximum allowed 300)0Number of required digits in the OTP (default 6)The number of time steps to check either side of the current value to allow for clock skew between client and server and or delay in submitting the value. The default is two time steps.mThe shared secretbThe time for which the OTP should be calculated. This is usually the current time as returned by "Data.Time.Clock.POSIX.getPOSIXTimenPYZ[\]^_`abcdefghijklmnhabcdefg`ijmn_YZ[\]^kl YZ[\]^_N`abcdefghijOklmnP BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone0sRepresent a DSA key pairuRepresent a DSA private key.VOnly x need to be secret. the DSA parameters are publicly shared with the other side.wDSA parametersx DSA private XyRepresent a DSA public key.{DSA parameters| DSA public Y})Represent a DSA signature namely R and S.DSA rDSA s,Represent DSA parameters namely P, G, and Q.DSA pDSA gDSA q7DSA Private Number, usually embedded in DSA Private Key5DSA Public Number, usually embedded in DSA Public KeyPublic key of a DSA Key pairPrivate key of a DSA Key pairagenerate a private number with no specific property this number is usually called X in DSA text.CCalculate the public number from the parameters and the private key<sign message using the private key and an explicit k number.#sign message using the private key.)verify a bytestring using the public key.!stuvwxyz{|}~k random number private key hash functionmessage to signstuvwxyz{|}~}~yz{|uvwxststuvwxyz{|}~ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone%Represent a mask generation algorithmMask generation algorithm MGF1seedlength to generateg BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodSafe0BA simple Either like type to represent a computation that can fail2 possibles values are:H : The computation succeeded, and contains the result of the computationJ : The computation failed, and contains the cryptographic error associatedDEnumeration of all possible errors that can be found in this library^Throw an CryptoError as exception on CryptoFailed result, otherwise return the computed valueSame as $ but throw the error asynchronously.Simple Q( like combinator for CryptoFailable type'Transform a CryptoFailable to an Either%Transform a CryptoFailable to a Maybe"RSTUV RSTUV BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentSafe BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone RParameters that can be adjusted to change the runtime performance of the hashing.Which variant of Argon2 to use.Which version of Argon2 to use.DThe memory cost, which defines the memory usage, given in kibibytes.max hi (8 * hashParallelism) <=  hashMemory <= hjThe time cost, which defines the amount of computation realized and therefore the execution time, given in number of iterations.hk <= hashIterations <= hlWhich version of Argon2 to usexWhich variant of Argon2 to use. You should choose the variant that is most applicable to your intention to hash inputs.Argon2d is faster than Argon2i and uses data-depending memory access, which makes it suitable for cryptocurrencies and applications with no threats from side-channel timing attacks.Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks.Argon2id is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacksWXYZ[\]^_`abWXYZ[\]^_`ab BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneI Poly1305 Auth(Poly1305 State. use State instead of CtxPoly1305 Stateinitialize a Poly1305 context"update a context with a bytestring+updates a context with multiples bytestring-finalize the context into a digest bytestringOne-pass authorization creationcdef   cdefm BSD-style#Vincent Hanquez <vincent@snarc.org> Experimental ExcellentNone0 gDefine a point on a curve.hPoint at InfinityiECC Private NumberjPDefine common parameters in a curve definition of the form: y^2 = x^3 + ax + b.kcurve parameter alcurve parameter bm base pointn order of Gocofactorp!get the size of the curve in bitsq"get the size of the curve in bytesr*Define names for known recommended curves.stuvwxyz{|}~ghijklmnopq      !"#r$Zstuvwxyz{|}~ghijklmnopqstuvwxyz{|}~ghijklmnopq      !"#r$ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneFormat of padding%PKCS5: PKCS7 with hardcoded size of 8)PKCS7 with padding size between 1 and 255zero padding with block sizeApply some pad to a bytearray,Try to remove some padding from a bytearray. BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneTMSplit data to diffused data, using a random generator and an hash algorithm.the diffused data will consist of random data for (expandTimes-1) then the last block will be xor of the accumulated random data diffused by the hash algorithm. ---------orig - ---------#--------- ---------- --------------"rand1 - - rand2 - - orig ^ acc -#--------- ---------- --------------9where acc is : acc(n+1) = hash (n ++ rand(n)) ^ acc(n)9Merge previously diffused data back to the original data.%%inplace Xor with an input dst = src d dst!Hash algorithm to use as diffuserRandom generator to use$Number of times to diffuse the data.original data to diffuse.The diffused dataHash algorithm used as diffuser&Number of times to un-diffuse the data Diffused data Original data%& Hash function to use as diffuser"buffer to diffuse, modify in placelength of buffer to diffuse%&n BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone'=Chunk some input byte array into @sz byte list of byte array.'''o BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone()Compute the gfmul with the XTS polynomialblock size need to be 128 bits."FIXME: add support for big endian.(((p BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNoneAIT Symmetric cipher class.&Initialize a cipher context from a key Cipher nameYreturn the size of the key required for this cipher. Some cipher accept any size for key AEAD Mode %Authentication Tag for AE cipher mode7Offset inside an XTS data unit, measured in block size.)Different specifier for key size in bytesin the range [min,max]one of the specified valuesa specific size     )          )q BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNoneSymmetric stream cipher classCombine using the stream cipherr BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNoneAOT8Authenticated Encryption with Associated Data algorithmsAEAD Implementation 1Append some header information to an AEAD context!-Encrypt some data and update the AEAD context"-Decrypt some data and update the AEAD context#;Finalize the AEAD context and return the authentication tag$Simple AEAD encryption%Simple AEAD decryption !"#$A new AEAD Context#Optional Authentication data headerOptional Plaintext Tag length!Authentication tag and ciphertext%A new AEAD Context#Optional Authentication data header CiphertextThe authentication tag Plaintext !"#$% !"#$%s BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone$<=AOT&0class of block cipher with a 128 bits block size'encrypt using the XTS mode.ainput need to be a multiple of the blocksize, and the cipher need to process 128 bits block only(decrypt using the XTS mode.ainput need to be a multiple of the blocksize, and the cipher need to process 128 bits block only)Symmetric block cipher class*7Return the size of block required for this block cipher+Encrypt blocks6the input string need to be multiple of the block size,Decrypt blocks6the input string need to be multiple of the block size-encrypt using the CBC mode.,input need to be a multiple of the blocksize.decrypt using the CBC mode.,input need to be a multiple of the blocksize/encrypt using the CFB mode.,input need to be a multiple of the blocksize0decrypt using the CFB mode.,input need to be a multiple of the blocksize1combine using the CTR mode.hCTR mode produce a stream of randomized data that is combined (by XOR operation) with the input stream.1encryption and decryption are the same operation.input can be of any size2Initialize a new AEAD State:When Nothing is returns, it means the mode is not handled.* XTS callback3 an IV parametrized by the cipher4)Create an IV for a specified block cipher5:Create an IV that is effectively representing the number 06Increment an IV by a number.&Assume the IV is in Big Endian format.&'()*+,-./012*2Usually represent the Data Unit (e.g. disk sector)+Offset in the data unit in number of blocksDataProcessed Data3+456,-./012345! !"#&'()*+,-./012*3+456&'() *+,-./012*3+456,-./012345 BSD-style#Vincent Hanquez <vincent@snarc.org>Stable ExcellentNone05      !"#$%&'()*+,-./01234565)*+,-./012&'(    !"#$%3456  None7777  BSD-style"Kei Hibino <ex8k.hibino@gmail.com> experimentalunknownNoneI9KCompute Miyaguchi-Preneel one way compress using the supplied block cipher.:{Compute Miyaguchi-Preneel one way compress using the infered block cipher. Only safe when KEY-SIZE equals to BLOCK-SIZE. Simple usage "mp' msg :: MiyaguchiPreneel AES1286%computation step of Miyaguchi-Preneel879Skey build function to compute Miyaguchi-Preneel. care about block-size and key-size input message output tag: input message output tag68;89::98879:68;! BSD-style"Kei Hibino <ex8k.hibino@gmail.com> experimentalunknownNoneI=Authentication code>'compute a MAC using the supplied cipher?make sub-keys used in CMAC9:=;>key to compute CMAC with input message output tag<?key to compute CMAC withsub-keys to compute CMAC=>?@ABCD width in byte(irreducible binary polynomial definitionresult bit pattern@=>?>=?9:=;><?=>?@ABCD@tNoneBE-Initialize a 128-bit, 192-bit, or 256-bit key_Return the initialized key or a error message if the given keyseed was not 16-bytes in length.F1Encrypts the given ByteString using the given KeyG1Decrypts the given ByteString using the given Key(HIJKLMNOPQRSTUVWXYZ[\E%The key to create the twofish context]FThe key to useThe data to encrypt^_GThe key to useThe data to decrypt`abcdefghijklUEFGHIJKLMNOPQRSTUVWXYZ[\E]F^_G`abcdefghijkl"None BmCnDoEFGHIJBCDDCB BmCnDoEFGHIJ# BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneIK Salsa contextM\Initialize a new Salsa context with the number of rounds, the key and the nonce associated.NpCombine the salsa output and an arbitrary message with a xor, and return the combined output and the new state.O9Generate a number of bytes from the Salsa output directlyKLpqrMnumber of rounds (8,12,20)the key (128 or 256 bits)the nonce (64 or 96 bits)the initial Salsa stateNthe current Salsa state$the source to xor with the generatorOthe current Salsa statethe length of data to generateKLMNOMNOKLKLpqrMNO$ BSD-style-Brandon Hamilton <brandon.hamilton@gmail.com>stablegoodNoneQ]Initialize a new XSalsa context with the number of rounds, the key and the nonce associated.sQnumber of rounds (8,12,20)the key (256 bits)the nonce (192 bits)the initial XSalsa stateKNOQQNOKsQ% BSD-style#Vincent Hanquez <vincent@snarc.org>stableGoodNoneIRThe encryption state for RC4t%C Call for initializing the encryptorSRC4 context initialization.gseed the context with an initial key. the key size need to be adequate otherwise security takes a hit.TPgenerate the next len bytes of the rc4 stream without combining it to anything.U3RC4 xor combination of the rc4 stream with an inputRuvPointer to the permutationPointer to the clear textLength of the clear text Output buffert The rc4 keyThe key length The contextSThe key%The RC4 context with the key mixed inTU rc4 contextinputnew rc4 context, and the outputRSTUSUTRRuvtSTUu BSD-styleSafe9;wa DES block (64 bits)xBasic DES encryption which takes a key and a block of plaintext and returns the encrypted block of ciphertext according to the standard.yBasic DES decryption which takes a key and a block of ciphertext and returns the decrypted block of plaintext according to the standard.'z{|}~wxywxy%z{|}~wxy& BSD-style experimental???NoneXL3DES where the first and third keys are equal, used in alternative directionYI3DES where the first and third keys are equal, used in the same directionZ83DES with 3 different keys used in alternative direction[93DES with 3 different keys used all in the same directionXYZ[\]^_`abcXYZ[[ZYXXYZ[\]^_`abc' BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneh DES Contexthijhhhij( BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneIl<ChaCha context for DRG purpose (see Crypto.Random.ChaChaDRG)mChaCha contextn]Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.oInitialize simple ChaCha State*The seed need to be at least 40 bytes longpqCombine the chacha output and an arbitrary message with a xor, and return the combined output and the new state.q:Generate a number of bytes from the ChaCha output directlyr similar to q but assume certains valueslmnnumber of rounds (8,12,20)the key (128 or 256 bits)the nonce (64 or 96 bits)the initial ChaCha stateoa 40 bytes long seedpthe current ChaCha state$the source to xor with the generatorqthe current ChaCha statethe length of data to generaterlmnopqrnpqmorl lmnopqr) BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNone uValid Nonce for ChaChaPoly1305.It can be created with x or wvA ChaChaPoly1305 State.9The state is immutable, and only new state can be createdw6Nonce smart constructor 12 bytes IV, nonce constructorx8 bytes IV, nonce constructoryIncrement a noncez%Initialize a new ChaChaPoly1305 StateIThe key length need to be 256 bits, and the nonce procured using either x or w{JAppend Authenticated Data to the State and return the new modified State.MOnce no further call to this function need to be make, the user should call ||>Finalize the Authenticated Data and return the finalized State}NEncrypt a piece of data and returns the encrypted Data and the updated State.~NDecrypt a piece of data and returns the decrypted Data and the updated State..Generate an authentication tag from the State.uvwx4 bytes constant 8 bytes IVyz{|}~ uvwxyz{|}~ vuwxyz{|}~uvwxyz{|}~v BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneI%ChaCha Deterministic Random Generator]Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.Initialize a new ChaCha context from 5-tuple of words64. This interface is useful when creating a RNG out of tests generators (e.g. QuickCheck).40 bytes of seedthe initial ChaCha state BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneI%Create a new Seed from system entropyConvert a Seed to an integerConvert an integer to a SeedConvert a binary to a seed$Create a new DRG from system entropyCreate a new DRG from a seedCreate a new DRG from 5 Word64._This is a convenient interface to create deterministic interface for quickcheck style testing._It can also be used in other contexts provided the input has been properly randomly generated. Generate 6len random bytes and mapped the bytes to the function f.(This is equivalent to use Control.Arrow P with   wNoneT ,Generate a valid scalar for a specific Curve Elliptic Curve point negation:  pointNegate p returns point q such that pointAdd p q == PointO.Elliptic Curve point addition.WARNING: Vulnerable to timing attacks.Elliptic Curve point doubling.WARNING: Vulnerable to timing attacks.This perform the following calculation: > lambda = (3 * xp ^ 2 + a) / 2 yp > xr = lambda ^ 2 - 2 xp > yr = lambda (xp - xr) - ypWith binary curve: > xp == 0 => P = O > otherwise => > s = xp + (yp / xp) > xr = s ^ 2 + s + a > yr = xp ^ 2 + (s+1) * xr2Elliptic curve point multiplication using the baseWARNING: Vulnerable to timing attacks.?Elliptic curve point multiplication (double and add algorithm).WARNING: Vulnerable to timing attacks.BElliptic curve double-scalar multiplication (uses Shamir's trick). qpointAddTwoMuls n1 p1 n2 p2 == pointAdd (pointMul n1 p1) (pointMul n2 p2)WARNING: Vulnerable to timing attacks.*Check if a point is the point at infinity.5Make a point on a curve from integer (x,y) coordinate\if the point is not valid related to the curve then an error is returned instead of a point%check if a point is on specific curveThis perform three checks:x is not out of rangey is not out of range the equation y^2 = x^3 + a*x + b (mod p) holds div and mod   * BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneBIT MA Curve25519 Diffie Hellman secret related to a public key and a secret key.A Curve25519 public keyA Curve25519 Secret key*Try to build a public key from a bytearray*Try to build a secret key from a bytearray)Create a DhSecret from a bytearray objectECompute the Diffie Hellman secret from a public key and a secret key.YThis implementation may return an all-zero value as it does not check for the condition.%Create a public key from a secret keyGenerate a secret key. publicsecret basepoint   + BSD-style John Galt <jgalt@centromere.net> experimentalunknownNoneBI KA Curve448 Diffie Hellman secret related to a public key and a secret key.A Curve448 public keyA Curve448 Secret key*Try to build a public key from a bytearray*Try to build a secret key from a bytearray)Create a DhSecret from a bytearray objectECompute the Diffie Hellman secret from a public key and a secret key.YThis implementation may return an all-zero value as it does not check for the condition.%Create a public key from a secret keyGenerate a secret key.publicsecretpublic basepointsecret   , BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneI A P256 point A P256 scalar%Get the base point for the P256 CurveLift to curve a scalar0Using the curve generator as base point compute:  scalar * GAdd a point to another pointMultiply a point by a scalarwarning: variable time Similar to i, serializing the x coordinate as binary. When scalar is multiple of point order the result is all zero.multiply the point p with &n2 and add a lifted to curve value @n1 n1 * G + n2 * pwarning: variable time Check if a  is valid!Convert a point to (x,y) Integers&Convert from (x,y) Integers to a point*Convert a point to a binary representation$Convert from binary to a valid point0Convert from binary to a point, possibly invalid(Generate a randomly generated new scalarThe scalar representing 0Check if the scalar is 0$Perform addition between two scalars a + b'Perform subtraction between two scalars a - bGive the inverse of the scalar 1 / awarning: variable timeCompare 2 Scalarconvert a scalar from binaryconvert a scalar to binary(Convert from an Integer to a P256 Scalar(Convert from a P256 Scalar to an Integer?=- BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone0DIRT  P256 Curvealso known as P256Add points on a curve Scalar Multiplication on a curve'Generate a Diffie hellman secret value.UThis is generally just the .x coordinate of the resulting point, that is not hashed.use $ to keep the result in Point format.WARNING: Curve implementations may return a special value or an exception when the public point lies in a subgroup of small order. This function is adequate when the scalar is in expected range and contributory behaviour is not needed. Otherwise use .`Generate a Diffie hellman secret value and verify that the result is not the point at infinity.9This additional test avoids risks existing with function #. Implementations always return a - instead of a special value or an exception.Point on an Elliptic Curve#Scalar in the Elliptic Curve domainGenerate a new random scalar on the curve. The scalar will represent a number between 1 and the order of the curve non includedGenerate a new random keypairGet the curve size in bits.Encode a elliptic curve point into binary form8Try to decode the binary form of an elliptic curve point^An elliptic curve key pair composed of the private part (a scalar), and the associated point./.None  ,Generate a valid scalar for a specific Curve Elliptic Curve point negation: pointNegate c p returns point q such that pointAdd c p q == PointO. Elliptic Curve point addition.WARNING: Vulnerable to timing attacks. Elliptic Curve point doubling.WARNING: Vulnerable to timing attacks.This perform the following calculation: > lambda = (3 * xp ^ 2 + a) / 2 yp > xr = lambda ^ 2 - 2 xp > yr = lambda (xp - xr) - ypWith binary curve: > xp == 0 => P = O > otherwise => > s = xp + (yp / xp) > xr = s ^ 2 + s + a > yr = xp ^ 2 + (s+1) * xr2Elliptic curve point multiplication using the baseWARNING: Vulnerable to timing attacks.?Elliptic curve point multiplication (double and add algorithm).WARNING: Vulnerable to timing attacks.BElliptic curve double-scalar multiplication (uses Shamir's trick). }pointAddTwoMuls c n1 p1 n2 p2 == pointAdd c (pointMul c n1 p1) (pointMul c n2 p2)WARNING: Vulnerable to timing attacks.*Check if a point is the point at infinity.%check if a point is on specific curveThis perform three checks:x is not out of rangey is not out of range the equation y^2 = x^3 + a*x + b (mod p) holds div and mod              /None0 ECDSA Key Pair.ECDSA Public Key.ECDSA Private Key.+Represent a ECDSA signature namely R and S.ECDSA r ECDSA s!Public key of a ECDSA Key pair." Private key of a ECDSA Key pair.#<Sign message using the private key and an explicit k number.WARNING: Vulnerable to timing attacks.$#Sign message using the private key.WARNING: Vulnerable to timing attacks.%)Verify a bytestring using the public key.Truncate and hash. !"#k random number private key hash functionmessage to sign$%KL !"#$% LK!"#$%  !"#$%0None6Generate Q given d.WARNING: Vulnerable to timing attacks.7)Generate a pair of (private, public) key.WARNING: Vulnerable to timing attacks.67Elliptic Curve6767671 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone8\Generate random a new Shared secret and the associated point to do a ECIES style encryption9NDerive the shared secret with the receiver key and the R point of the scheme.8representation of the curvethe public key of the receiver9representation of the curveCThe received R (supposedly, randomly generated on the encrypt side)The secret key of the receiver8989892 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneI :An Ed25519 signature;An Ed25519 public key<An Ed25519 Secret key=*Try to build a public key from a bytearray>*Try to build a secret key from a bytearray?)Try to build a signature from a bytearray@%Create a public key from a secret keyA!Sign a message using the key pairBVerify a messageCGenerate a secret keyDA public key is 32 bytesEA secret key is 32 bytesFA signature is 64 bytes:;<=>?@ABCDEF :;<=>?@ABCDEF <;:DEF?=>@ABC:;<=>?@ABCDEF3 BSD-style)Olivier Chron <olivier.cheron@gmail.com> experimentalunknownNoneI SAn Ed448 signatureTAn Ed448 public keyUAn Ed448 Secret keyV*Try to build a public key from a bytearrayW*Try to build a secret key from a bytearrayX)Try to build a signature from a bytearrayY%Create a public key from a secret keyZ!Sign a message using the key pair[Verify a message\Generate a secret key]A public key is 57 bytes^A secret key is 57 bytes_A signature is 114 bytesSTUVWXYZ[\]^_ STUVWXYZ[\]^_ UTS]^_XVWYZ[\STUVWXYZ[\]^_ x BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone This create a random number generator out of thin air with the system entropy; don't generally use as the IO is not exposed this can have unexpected random for.This is useful for probabilistic algorithm like Miller Rabin probably prime algorithm, given appropriate choice of the heuristic0Generally, it's advise not to use this function.   4 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone lreturns if the number is probably prime. first a list of small primes are implicitely tested for divisibility, then a fermat primality test is used with arbitrary numbers and then the Miller Rabin algorithm is used with an accuracy of 30 recursionsm^generate a prime number of the required bitsize (i.e. in the range [2^(b-1)+2^(b-2), 2^b)).6May throw a CryptoError_PrimeSizeInvalid if the requested size is less than 5 bits, as the smallest prime meeting these conditions is 29. This function requires that the two highest bits are set, so that when multiplied with another prime to create a key, it is guaranteed to be of the proper size.n|generate a prime number of the form 2p+1 where p is also prime. it is also knowed as a Sophie Germaine prime or safe prime.The number of safe prime is significantly smaller to the number of prime, as such it shouldn't be used if this number is supposed to be kept safe.May throw a CryptoError_PrimeSizeInvalid if the requested size is less than 6 bits, as the smallest safe prime with the two highest bits set is 59.o;find a prime from a starting point where the property hold.p=find a prime from a starting point with no specific property.qMiller Rabin algorithm return if the number is probably prime or composite. the tries parameter is the number of recursion, that determines the accuracy of the test.rProbabilitic Test using Fermat primility test. Beware of Carmichael numbers that are Fermat liars, i.e. this test is useless for them. always combines with some other test.seTest naively is integer is prime. while naive, we skip even number and stop iteration at i > sqrt(n)t-Test is two integer are coprime to each other $list of the first primes till 2903.. lmnopqr%number of iterations of the algorithm starting anumber to test for primalityst  lmnopqrst mnlpoqsrt lmnopqrst  5 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone0I u'Represent Diffie Hellman shared secret.w*Represent Diffie Hellman private number X.y)Represent Diffie Hellman public number Y.{HRepresent Diffie Hellman parameters namely P (prime), and G (generator).generate params from a specific generator (2 or 5 are common values) we generate a safe prime (a prime number of the form 2p+1 where p is also prime)`generate a private number with no specific property this number is usually called X in DH text.pcalculate the public number from the parameters and the private key this number is usually called Y in DH text.pcalculate the public number from the parameters and the private key this number is usually called Y in DH text.DEPRECATED use calculatePublicPgenerate a shared key using our private number and the other party public numberuvwxyz{|}~number of bits generatoruvwxyz{|}~{|}~yzwxuv uvwxyz{|}~6 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGenerating a private number d.Generating a public point Q.UGenerating a shared key using our private number and the other party public point.KLMuvMLKuvy BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneI  1ElGamal Ephemeral key. also called Temporary key.ElGamal Signaturegenerate a private number with no specific property this number is usually called a and need to be between 0 and q (order of the group G).~generate an ephemeral key which is a number with no specific property, and need to be between 0 and q (order of the group G).cgenerate a public number that is for the other party benefits. this number is usually called h=g^aCencrypt with a specified ephemeral key do not reuse ephemeral key.Zencrypt a message using params and public keys will generate b (called the ephemeral key)decrypt message(sign a message with an explicit k number7if k is not appropriate, then no signature is returned.with some appropriate value of k, the signature generation can fail, and no signature is returned. User of this function need to retry with a different k value. sign messageThis function will generate a random number, however as the signature might fail, the function will automatically retry until a proper signature has been created.verify a signature  3random number k, between 0 and p-1 and gcd(k,p-1)=1DH params (p,g)DH private key"collision resistant hash algorithmmessage to signDH params (p,g)DH private key"collision resistant hash algorithmmessage to signuwy{   7 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone"Generate a key pair given p and q.*p and q need to be distinct prime numbers.e need to be coprime to phi=(p-1)*(q-1). If that's not the case, the function will not return a key pair. A small hamming weight results in better performance.e=0x10001 is a popular choiceFe=3 is popular as well, but proven to not be as secure for some cases.:generate a pair of (private, public) key of size in bytes.?Generate a blinder to use with decryption and signing operationWthe unique parameter apart from the random number generator is the public key value N.chosen distinct primes p and q size in bytesRSA public exponant e size in bytesRSA public exponant eRSA public N parameter.tuvwxyz{|}~}~tuvwxyz{|8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone )Parameters for OAEP encryption/decryptionHash function to use.Mask Gen algorithm to use.$Optional label prepended to message.-Default Params with a specified hash function4Encrypt a message using OAEP with a predefined seed.Encrypt a message using OAEPun-pad a OAEP encoded message.-It doesn't apply the RSA decryption primitiveDecrypt a ciphertext using OAEPWhen the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None.2If unsure always set a blinder or use decryptSaferJDecrypt a ciphertext using OAEP and by automatically generating a blinder. Seed!OAEP params to use for encryption Public key.Message to encrypt"OAEP params to use for encryption. Public key.Message to encryptOAEP params to usesize of the key in bytesencoded message (not encrypted)Optional blinder!OAEP params to use for decryption Private key Cipher text!OAEP params to use for decryption Private key Cipher text  9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone A specialized class for hash algorithm that can product a ASN1 wrapped description the algorithm plus the content of the digest.;Convert a Digest into an ASN1 wrapped descriptive ByteArray6This produce a standard PKCS1.5 padding for encryption0Produce a standard PKCS1.5 padding for signature4Try to remove a standard PKCS1.5 encryption padding.&decrypt message using the private key.When the decryption is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None.2If unsure always set a blinder or use decryptSafer"The message is returned un-padded.Pdecrypt message using the private key and by automatically generating a blinder.*encrypt a bytestring using the public key.ZThe message needs to be smaller than the key size - 11. The message should not be padded.?sign message using private key, a hash and its ASN1 descriptionWhen the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None./If unsure always set a blinder or use signSaferMsign message using the private key and by automatically generating a blinder.&verify message with the signed messagemake signature digest, used in  and optional blinderRSA private key cipher textRSA private key cipher textoptional blinderhash algorithm private keymessage to signHash algorithm private keymessage to signoptional hashing algorithm  : BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone*Parameters for PSS signature/verification.Hash function to useMask Gen algorithm to use&Length of salt. need to be <= to hLen.Trailer field, usually 0xbc-Default Params with a specified hash function$Default Params using SHA1 algorithm.LSign using the PSS parameters and the salt explicitely passed as parameters.6the function ignore SaltLength from the PSS ParametersLSign using the PSS parameters and the salt explicitely passed as parameters.6the function ignore SaltLength from the PSS ParametersSign using the PSS ParametersSign using the PSS ParametersESign using the PSS Parameters and an automatically generated blinder.ESign using the PSS Parameters and an automatically generated blinder.+Verify a signature using the PSS Parameters+Verify a signature using the PSS Parameters Salt to useoptional blinder to usePSS Parameters to useRSA Private KeyMessage digest Salt to useoptional blinder to usePSS Parameters to useRSA Private KeyMessage to signoptional blinder to usePSS Parameters to useRSA Private KeyMessage to signoptional blinder to usePSS Parameters to useRSA Private KeyMessage digestPSS Parameters to use private keymessage to signPSS Parameters to use private key message digst\PSS Parameters to use to verify, this need to be identical to the parameters when signingRSA Public KeyMessage to verify Signature\PSS Parameters to use to verify, this need to be identical to the parameters when signingRSA Public KeyDigest to verify Signature z BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneBCamellia context Initialize a 128-bit key`Return the initialized key or a error message if the given keyseed was not 16-bytes in length.!1Encrypts the given ByteString using the given Key"1Decrypts the given ByteString using the given Key%#$%&'()*+,-./0123456789 &The key to create the camellia context:;<=>?@ABC!The key to useThe data to encrypt"The key to useThe data to decrypt !"#$%&'()*+,-./0123456789 :;<=>?@ABC!"; BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone&Camellia block cipher with 128 bit keyDD{ BSD-style experimentalGoodNoneBELCreate a key schedule mutable array of the pbox followed by all the sboxes.EEE| BSD-style experimentalGoodNoneFvariable keyed blowfish stateGEncrypt blocks&Input need to be a multiple of 8 bytesHDecrypt blocks&Input need to be a multiple of 8 bytesI-Initialize a new Blowfish context from a key.'key needs to be between 0 and 448 bits.J8The BCrypt "expensive key schedule" version of blowfish.DSalt must be 128 bits Cost must be between 4 and 31 inclusive See jhttps://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-schemeK>Create a key schedule for either plain Blowfish or the BCrypt EKSo version For the expensive version, the salt and cost factor are supplied. Salt must be a 128-bit byte array.KThe standard case is just a single key expansion with the salt set to zero. FLGHMNIJOKPThe key scheduleFirst word of the saltSecond word of the saltThe keyQFGHIJ FLGHMNIJOKPQ<NoneCreate a bcrypt hash for a password with a provided cost value. Typically used to create a hash when a new user account is registered or when a user changes their password.{Each increment of the cost approximately doubles the time taken. The 16 bytes of random salt will be generated internally.HCreate a bcrypt hash for a password with a provided cost value and salt.OCost value under 4 will be automatically adjusted back to 10 for safety reason.ICheck a password against a stored bcrypt hash when authenticating a user.Returns False^ if the password doesn't match the hash, or if the hash is invalid or an unsupported version.&Check a password against a bcrypt hashAs for validatePasswordV but will provide error information if the hash is invalid or an unsupported version.RS~The cost parameter. Should be between 4 and 31 (inclusive). Values which lie outside this range will be adjusted accordingly.EThe password. Should be the UTF-8 encoded bytes of the password text.#The bcrypt hash in standard format.~The cost parameter. Should be between 4 and 31 (inclusive). Values which lie outside this range will be adjusted accordingly.@The salt. Must be 16 bytes in length or an error will be raised.EThe password. Should be the UTF-8 encoded bytes of the password text.#The bcrypt hash in standard format.TURSTU= BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneI448 bit keyed blowfish state256 bit keyed blowfish state128 bit keyed blowfish state64 bit keyed blowfish statevariable keyed blowfish stateVWXYZVWXYZ} BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNone$I[ AESOCB State\ AESGCM State]AES Context (pre-processed key)^)Create an AES AEAD implementation for GCM_)Create an AES AEAD implementation for OCB`#Initialize a new context with a keyRKey needs to be of length 16, 24 or 32 bytes. Any other values will return failurea(encrypt using Electronic Code Book (ECB)b)encrypt using Cipher Block Chaining (CBC)cvgenerate a counter mode pad. this is generally xor-ed to an input to make the standard counter mode block operations.if the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytearray is a multiple of the block cipher size.dvgenerate a counter mode pad. this is generally xor-ed to an input to make the standard counter mode block operations.if the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytearray is a multiple of the block cipher size. Similiar to c- but also return the next IV for continuatione encrypt using Counter mode (CTR)<in CTR mode encryption and decryption is the same operation.fencrypt using XTSdthe first key is the normal block encryption key the second key is used for the initial block tweakg(decrypt using Electronic Code Book (ECB)h)decrypt using Cipher block chaining (CBC)i!decrypt using Counter mode (CTR).<in CTR mode encryption and decryption is the same operation.jdecrypt using XTSkinitialize a gcm contextlGappend data which is only going to be authenticated to the GCM context.Uneeds to happen after initialization and before appending encryption/decryption data.m4append data to encrypt and append to the GCM contextthe bytearray needs to be a multiple of AES block size, unless it's the last call to this function. needs to happen after AAD appending, or after initialization if no AAD data.n4append data to decrypt and append to the GCM contextthe bytearray needs to be a multiple of AES block size, unless it's the last call to this function. needs to happen after AAD appending, or after initialization if no AAD data.o!Generate the Tag from GCM contextpinitialize an ocb contextqGappend data which is going to just be authenticated to the OCB context.Tneed to happen after initialization and before appending encryption/decryption data.r4append data to encrypt and append to the OCB contextthe bytearray needs to be a multiple of the AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.s4append data to decrypt and append to the OCB contextthe bytearray needs to be a multiple of the AES block size, unless it's the last call to this function. need to happen after AAD appending, or after initialization if no AAD data.t!Generate the Tag from OCB contextA[u\v]wxyz{|}~^_`ab AES Context Initial vector of AES block size plaintext ciphertextc Cipher Key.usually a 128 bit integer.length of bytes required.de AES ContextIinitial vector of AES block size (usually representing a 128 bit integer)plaintext inputciphertext outputfAES cipher and tweak context:a 128 bits IV, typically a sector or a block offset in XTSLnumber of rounds to skip, also seen a 16 byte offset in the sector or block.input to encryptoutput encryptedghi AES Context6initial vector, usually representing a 128 bit integerciphertext inputplaintext outputjAES cipher and tweak context:a 128 bits IV, typically a sector or a block offset in XTSLnumber of rounds to skip, also seen a 16 byte offset in the sector or block.input to decryptoutput decryptedklmnopqrst[\]^_`abcdefghijkp>[u\v]wxyz{|}~^_`abcdefghijklmnopqrst> BSD-style#Vincent Hanquez <vincent@snarc.org>stablegoodNoneIAES with 256 bit keyAES with 192 bit keyAES with 128 bit key C~CC              ! " # $ % & ' ( ) * + , - . / 0 1 2O3O4P5P6P7P8P9P:P;P<P=P>P?P@QAQARBRBSCSCSDSDSESESFSFTGTGTHTHUIUIUJUJVKVKVLVLWMWMXNXNYOYOYPYPYQYQYRYRZSZS[T[T\U\U]V]V^W^W_X_X`Y`YaZaZa[a[a\a\a]a]^_`abcdbebebfbfcgcgchchcicidjdjekekelelememeneneoeofpfpfqfqfrfrfsfstuvwxyz{|66}}~   gggggggggggggggggggggggggggggt      p p!p"p#p$p%p&p'p(p)p*p*p+p,p-p.p/p0q1q2r3r3r4r5r6r6r7r8r9r:r;r<r=r>r?r@sAsBsCsDsEsFsGsHsIsJsKsLsMsNsOsPsQR S T U V W!X!Y!Z![!\"]"^"_"`"a"b"c"d"e####f##g$%%%%f%%g&h&i&j&k&l&m&n&o&p&q&r&s&t&u&v&w'x'y'z'{(|(((}(f((~(g())))))))))))v************** * ******++++++++++++++ + ++++++,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-------------------------------------------------------........//////////////////////////// / / /////0011222222222222222222 2 222222333333333333333333 3 333333444444444555555555555.5555555555 5 5 5 5 555555555556667778888888 888!9"99#999!999$99%9&9'9(9)9*9+9,9-9.:/:/:0:1:2:3:4:5:6:7::8:$:9:::;;;<;=<><?<@<A=B=C=D=E=F=G=H=I=J=K=L=M=N=O=P=Q=R=S=T=U>V>W>X>Y>Z>[>\>]>^>_>`>a>b>c>d@e@f@g@hAiAjAiAjAkAlAmAnAoApAqArAsAtBuBuBvBwBxByBzC{C~D|D}E~EEEEEEEEEEEEE~EFFGGHHHHHHHHHHKKKKKLMMMMMMMMMMMMMMMMMMMMN                             ! "  # $ % &'()*)+),)-). / 0 1 2 3  4  56O3O7OO8P5P6P9P:Q;Q<Q=Q>R?R@RARBSCSDSESFSGSHSITJTKTLTMTNOUPUQURUSUTUUUVVWVXVYVZV[W\W]W^W_X`XaXbXcYdYRYSYeYfYgYhZiZjZkZl[m[n[o[p\q\r\s\t]u]v]w]x^y^z^{^|_}_~__````aaaaaaa^bbbbbccccccddddeeeeeeeeffffffffffffffffgggggmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm m m m m mmmmmmmmmmmmmmmmmmm m!m"m#m$m%m&m'm(m)m*m+m,m-m.m/m0m1m2m3m45n6o7p8s9sNs:s;s<s=s>s?s@sAsBsC D E F!G!H!X!I!J!K!L!F!M!N!O!PtQtttRtStTtUtVtWtWtXtYtZt[t\t]t^t^t_t`tEtatbtctdtetftgthtitjtktltmtntotptqtrts"]"^"_#t#u#v$w%x%%yuzuuu{u|u}u~uuuuuzuuuuuuuuuuuuuuuuuuuuuuuuuuu&h&i&j&k&&'x'(|(((((())))))vvvvvwwwwwwwwwwww****++++++,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,----../2222223333333x44yyyyyyyyyyyyy8999:zzzzzz`zzzzzzzzzzizzzzzzzzzzzzzzzzz z z zezg;;{ |6||| ||||||||<<<<=B=C=D=E=F}}}}}}} }!}"}#}$}%}&}'}(})}*}+},}-}.}/}0}1}2}3}}}}4}5}6}7}8}9}:};}<}=}>}?}@}A}B}C}D}E}F}G}H}I}J}K}L}M}N}O}P}Q}R}S}T}U}V}W>V>W>XX&cryptonite-0.24-AlnyGsEoJtpA6nNQ38UIyGCrypto.Random.Entropy.UnsafeCrypto.Number.BasicCrypto.Number.ModArithmetic Crypto.Number.Serialize.InternalCrypto.Number.F2mCrypto.PubKey.ECC.TypesCrypto.PubKey.RSA.TypesCrypto.Number.SerializeCrypto.PubKey.RSA.PrimCrypto.Random.EntropyCrypto.Random.EntropyPoolCrypto.Random.TypesCrypto.Number.Generate Crypto.Random Crypto.HashCrypto.Hash.IOCrypto.Hash.AlgorithmsCrypto.MAC.HMACCrypto.KDF.HKDFCrypto.KDF.PBKDF2Crypto.KDF.Scrypt Crypto.OTPCrypto.PubKey.DSACrypto.PubKey.MaskGenFunction Crypto.ErrorCrypto.KDF.Argon2Crypto.MAC.Poly1305Crypto.Data.PaddingCrypto.Data.AFISCrypto.Cipher.TypesCrypto.Cipher.Utils%Crypto.ConstructHash.MiyaguchiPreneelCrypto.MAC.CMACCrypto.Cipher.TwofishCrypto.Cipher.SalsaCrypto.Cipher.XSalsaCrypto.Cipher.RC4Crypto.Cipher.TripleDESCrypto.Cipher.DESCrypto.Cipher.ChaChaCrypto.Cipher.ChaChaPoly1305Crypto.PubKey.Curve25519Crypto.PubKey.Curve448Crypto.PubKey.ECC.P256 Crypto.ECCCrypto.PubKey.ECC.PrimCrypto.PubKey.ECC.ECDSACrypto.PubKey.ECC.GenerateCrypto.PubKey.ECIESCrypto.PubKey.Ed25519Crypto.PubKey.Ed448Crypto.Number.PrimeCrypto.PubKey.DHCrypto.PubKey.ECC.DHCrypto.PubKey.RSACrypto.PubKey.RSA.OAEPCrypto.PubKey.RSA.PKCS15Crypto.PubKey.RSA.PSSCrypto.Cipher.CamelliaCrypto.KDF.BCryptCrypto.Cipher.BlowfishCrypto.Cipher.AESCrypto.TutorialCrypto.Random.Entropy.SourceCrypto.Random.Entropy.UnixCrypto.Random.Entropy.RDRandCrypto.Random.Entropy.BackendCrypto.PubKey.InternalCrypto.Number.CompatCrypto.Internal.WordsCrypto.Internal.ProxyCrypto.Internal.NatCrypto.Internal.DeepSeqCrypto.Internal.ImportsCrypto.Internal.CompatPrimCrypto.Internal.CompatCrypto.Internal.WordArrayCrypto.Internal.ByteArrayCrypto.Random.SystemDRGCrypto.Hash.TypesCrypto.Hash.WhirlpoolCrypto.Hash.TigerCrypto.Hash.Skein512Crypto.Hash.Skein256Crypto.Hash.SHAKECrypto.Hash.SHA512tCrypto.Hash.SHA512Crypto.Hash.SHA384Crypto.Hash.SHA3Crypto.Hash.SHA256Crypto.Hash.SHA224Crypto.Hash.SHA1Crypto.Hash.RIPEMD160Crypto.Hash.MD5Crypto.Hash.MD4Crypto.Hash.MD2Crypto.Hash.KeccakCrypto.Hash.Blake2spCrypto.Hash.Blake2sCrypto.Hash.Blake2bpCrypto.Hash.Blake2bCrypto.Hash.Blake2Crypto.Error.TypesFFIARGON2_MIN_MEMORYARGON2_MAX_MEMORYARGON2_MIN_TIMEARGON2_MAX_TIMECrypto.ECC.Simple.TypesCrypto.Cipher.Types.UtilsCrypto.Cipher.Types.GFCrypto.Cipher.Types.BaseCrypto.Cipher.Types.StreamCrypto.Cipher.Types.AEADCrypto.Cipher.Types.BlockCrypto.Cipher.Twofish.PrimitiveCrypto.Cipher.DES.PrimitiveCrypto.Random.ChaChaDRGCrypto.ECC.Simple.PrimCrypto.Random.ProbabilisticCrypto.PubKey.ElGamal Crypto.Cipher.Camellia.PrimitiveCrypto.Cipher.Blowfish.Box Crypto.Cipher.Blowfish.PrimitiveCrypto.Cipher.AES.PrimitiveEntropyBackendsupportedBackends gatherBackend replenishsqrtigcdeareEvenlog2numBitsnumBytesexpSafeexpFastinverseinverseCoprimes!$fExceptionCoprimesAssertionError$fShowCoprimesAssertionErrori2ospi2ospOfos2ipBinaryPolynomialaddF2mmodF2mmulF2m squareF2m squareF2m'invF2mdivF2m CurveName SEC_p112r1 SEC_p112r2 SEC_p128r1 SEC_p128r2 SEC_p160k1 SEC_p160r1 SEC_p160r2 SEC_p192k1 SEC_p192r1 SEC_p224k1 SEC_p224r1 SEC_p256k1 SEC_p256r1 SEC_p384r1 SEC_p521r1 SEC_t113r1 SEC_t113r2 SEC_t131r1 SEC_t131r2 SEC_t163k1 SEC_t163r1 SEC_t163r2 SEC_t193r1 SEC_t193r2 SEC_t233k1 SEC_t233r1 SEC_t239k1 SEC_t283k1 SEC_t283r1 SEC_t409k1 SEC_t409r1 SEC_t571k1 SEC_t571r1 CurveCommonecc_aecc_becc_gecc_necc_h CurvePrime CurveBinaryPointPointO PrivateNumber PublicPointCurveCurveF2mCurveFP common_curveecc_fxecc_p curveSizeBitsgetCurveByName$fNFDataCurveBinary $fNFDataPoint $fShowPoint $fReadPoint $fEqPoint $fDataPoint$fShowCurveCommon$fReadCurveCommon$fEqCurveCommon$fDataCurveCommon$fShowCurvePrime$fReadCurvePrime$fEqCurvePrime$fDataCurvePrime$fShowCurveBinary$fReadCurveBinary$fEqCurveBinary$fDataCurveBinary $fShowCurve $fReadCurve $fEqCurve $fDataCurve$fShowCurveName$fReadCurveName $fEqCurveName$fOrdCurveName$fEnumCurveName$fBoundedCurveName$fDataCurveNameKeyPair PrivateKey private_pub private_d private_p private_q private_dP private_dQ private_qinv PublicKey public_sizepublic_npublic_eErrorMessageSizeIncorrectMessageTooLongMessageNotRecognizedSignatureTooLongInvalidParametersBlinder private_size private_n private_e toPublicKey toPrivateKey$fNFDataPrivateKey$fNFDataPublicKey $fShowBlinder $fEqBlinder $fShowError $fEqError$fShowPublicKey$fReadPublicKey $fEqPublicKey$fDataPublicKey$fShowPrivateKey$fReadPrivateKey$fEqPrivateKey$fDataPrivateKey $fShowKeyPair $fReadKeyPair $fEqKeyPair $fDataKeyPair$fNFDataKeyPairi2ospOf_dpep getEntropy EntropyPoolcreateEntropyPoolWithcreateEntropyPoolgetEntropyFromMonadPseudoRandomDRGrandomBytesGenerate MonadRandomgetRandomByteswithDRG$fMonadRandomMonadPseudoRandom$fMonadMonadPseudoRandom$fApplicativeMonadPseudoRandom$fFunctorMonadPseudoRandom$fMonadRandomIO GenTopPolicy SetHighest SetTwoHighestgenerateParams generateMaxgenerateBetween$fShowGenTopPolicy$fEqGenTopPolicy SystemDRG getSystemDRGDigestContext HashAlgorithm HashBlockSizeHashDigestSizeHashInternalContextSize hashBlockSizehashDigestSizehashInternalContextSizehashInternalInithashInternalUpdatehashInternalFinalize WhirlpoolTiger Skein512_512 Skein512_384 Skein512_256 Skein512_224 Skein256_256 Skein256_224SHAKE256SHAKE128 SHA512t_256 SHA512t_224SHA512SHA384SHA3_512SHA3_384SHA3_256SHA3_224SHA256SHA224SHA1 RIPEMD160MD5MD4MD2 Keccak_512 Keccak_384 Keccak_256 Keccak_224MutableContexthashMutableInithashMutableInitWithhashMutableUpdatehashMutableFinalizehashMutableReset$fByteArrayAccessMutableContext Blake2sp_256 Blake2sp_224 Blake2s_256 Blake2s_224 Blake2s_160 Blake2bp_512 Blake2b_512 Blake2b_384 Blake2b_256 Blake2b_224 Blake2b_160Blake2bpBlake2spBlake2bBlake2shashhashlazyhashInit hashUpdate hashUpdates hashFinalize hashInitWithhashWithdigestFromByteStringHMAC hmacGetDigesthmac initializeupdateupdatesfinalize$fEqHMAC$fByteArrayAccessHMACPRKextract extractSkipexpand$fByteArrayAccessPRK$fEqPRK Parameters iterCounts outputLengthPRFprfHMACgeneratefastPBKDF2_SHA1fastPBKDF2_SHA256fastPBKDF2_SHA512nrp ClockSkewNoSkewOneStepTwoSteps ThreeSteps FourSteps TOTPParamsOTPTime OTPDigitsOTP4OTP5OTP6OTP7OTP8OTP9OTPhotp resynchronizedefaultTOTPParams mkTOTPParamstotp totpVerify$fShowOTPDigits$fEnumClockSkew$fShowClockSkew$fShowTOTPParamsprivate_params private_x public_paramspublic_y Signaturesign_rsign_sParamsparams_pparams_gparams_q PublicNumbergeneratePrivatecalculatePublicsignWithsignverify$fNFDataSignature$fNFDataParams $fShowParams $fReadParams $fEqParams $fDataParams$fShowSignature$fReadSignature $fEqSignature$fDataSignatureMaskGenAlgorithmmgf1CryptoFailable CryptoPassed CryptoFailed CryptoErrorCryptoError_KeySizeInvalidCryptoError_IvSizeInvalidCryptoError_SeedSizeInvalid CryptoError_AEADModeNotSupported CryptoError_SecretKeySizeInvalid%CryptoError_SecretKeyStructureInvalid CryptoError_PublicKeySizeInvalid#CryptoError_SharedSecretSizeInvalidCryptoError_EcScalarOutOfBoundsCryptoError_PointSizeInvalidCryptoError_PointFormatInvalid"CryptoError_PointFormatUnsupported#CryptoError_PointCoordinatesInvalid'CryptoError_ScalarMultiplicationInvalidCryptoError_MacKeyInvalid(CryptoError_AuthenticationTagSizeInvalidCryptoError_PrimeSizeInvalidCryptoError_SaltTooSmall CryptoError_OutputLengthTooSmallCryptoError_OutputLengthTooBigthrowCryptoErrorIOthrowCryptoErroronCryptoFailureeitherCryptoErrormaybeCryptoErrorOptions iterationsmemory parallelismvariantversion Parallelism MemoryCostTimeCostVersion Version10 Version13VariantArgon2dArgon2iArgon2iddefaultOptions $fEqVariant $fOrdVariant $fReadVariant $fShowVariant $fEnumVariant$fBoundedVariant $fEqVersion $fOrdVersion $fReadVersion $fShowVersion $fEnumVersion$fBoundedVersion $fEqOptions $fOrdOptions $fReadOptions $fShowOptionsAuthCtxStateauthTagauth$fEqAuth$fByteArrayAccessState$fByteArrayAccessAuth $fNFDataAuthFormatPKCS5PKCS7ZEROpadunpad $fShowFormat $fEqFormatsplitmergeCipher cipherInit cipherName cipherKeySizeAEADModeAEAD_OCBAEAD_CCMAEAD_EAXAEAD_CWCAEAD_GCMAuthTag unAuthTagDataUnitOffsetKeySizeSpecifier KeySizeRange KeySizeEnum KeySizeFixed StreamCipher streamCombineAEAD aeadModeImpl aeadState AEADModeImplaeadImplAppendHeaderaeadImplEncryptaeadImplDecryptaeadImplFinalizeaeadAppendHeader aeadEncrypt aeadDecrypt aeadFinalizeaeadSimpleEncryptaeadSimpleDecryptBlockCipher128 xtsEncrypt xtsDecrypt BlockCipher blockSize ecbEncrypt ecbDecrypt cbcEncrypt cbcDecrypt cfbEncrypt cfbDecrypt ctrCombineaeadInitIVmakeIVnullIVivAddvalidateKeySizeMiyaguchiPreneelcompute'compute$fEqMiyaguchiPreneel!$fByteArrayAccessMiyaguchiPreneelCMACcmacsubKeys$fEqCMAC$fByteArrayAccessCMAC Twofish256 Twofish192 Twofish128$fBlockCipherTwofish256$fCipherTwofish256$fBlockCipherTwofish192$fCipherTwofish192$fBlockCipherTwofish128$fCipherTwofish128combine $fNFDataStateDES_EDE2DES_EEE2DES_EDE3DES_EEE3$fBlockCipherDES_EDE2$fBlockCipherDES_EEE2$fBlockCipherDES_EDE3$fBlockCipherDES_EEE3$fCipherDES_EEE2$fCipherDES_EDE2$fCipherDES_EDE3$fCipherDES_EEE3 $fEqDES_EEE3 $fEqDES_EDE3 $fEqDES_EEE2 $fEqDES_EDE2DES$fBlockCipherDES $fCipherDES$fEqDES StateSimpleinitializeSimplegenerateSimple$fNFDataStateSimpleNoncenonce12nonce8incrementNonce appendAAD finalizeAADencryptdecrypt$fByteArrayAccessNonce ChaChaDRGSeedseedNew seedToIntegerseedFromIntegerseedFromBinarydrgNew drgNewSeed drgNewTestwithRandomBytes$fByteArrayAccessSeedDhSecret SecretKey publicKey secretKeydhSecretdhtoPublicgenerateSecretKey$fShowSecretKey $fEqSecretKey$fByteArrayAccessSecretKey$fNFDataSecretKey$fByteArrayAccessPublicKey$fShowDhSecret $fEqDhSecret$fByteArrayAccessDhSecret$fNFDataDhSecretScalar pointBasetoPointpointAddpointMulpointDhpointsMulVarTime pointIsValidpointToIntegerspointFromIntegers pointToBinarypointFromBinaryunsafePointFromBinaryscalarGenerate scalarZero scalarIsZero scalarAdd scalarSub scalarInv scalarCmpscalarFromBinaryscalarToBinaryscalarFromIntegerscalarToInteger $fShowScalar $fEqScalar$fByteArrayAccessScalar Curve_X448 Curve_X25519 Curve_P521R1 Curve_P384R1 Curve_P256R1EllipticCurveArith pointSmulEllipticCurveDHecdhRawecdh EllipticCurvecurveGenerateScalarcurveGenerateKeyPair encodePoint decodePoint SharedSecretkeypairGetPublickeypairGetPrivate$fEllipticCurveDHCurve_X448$fEllipticCurveCurve_X448$fEllipticCurveDHCurve_X25519$fEllipticCurveCurve_X25519$fEllipticCurveDHCurve_P521R1 $fEllipticCurveArithCurve_P521R1$fEllipticCurveCurve_P521R1$fEllipticCurveDHCurve_P384R1 $fEllipticCurveArithCurve_P384R1$fEllipticCurveCurve_P384R1$fEllipticCurveDHCurve_P256R1 $fEllipticCurveArithCurve_P256R1$fEllipticCurveCurve_P256R1$fEqSharedSecret$fByteArrayAccessSharedSecret$fShowCurve_P256R1$fDataCurve_P256R1$fShowCurve_P384R1$fDataCurve_P384R1$fShowCurve_P521R1$fDataCurve_P521R1$fShowCurve_X25519$fDataCurve_X25519$fShowCurve_X448$fDataCurve_X448 pointDouble pointBaseMulpointAddTwoMulsisPointAtInfinity isPointValid public_curvepublic_q private_curve generateQ deriveEncrypt deriveDecrypt signature publicKeySize secretKeySize signatureSize$fByteArrayAccessSignatureisProbablyPrime generatePrimegenerateSafePrimefindPrimeFromWith findPrimeFromprimalityTestMillerRabinprimalityTestFermatprimalityTestNaive isCoprime SharedKey params_bitsgeneratePublic getShared$fShowPublicNumber$fReadPublicNumber$fEqPublicNumber$fEnumPublicNumber$fRealPublicNumber$fNumPublicNumber$fOrdPublicNumber$fShowPrivateNumber$fReadPrivateNumber$fEqPrivateNumber$fEnumPrivateNumber$fRealPrivateNumber$fNumPrivateNumber$fOrdPrivateNumber$fShowSharedKey $fEqSharedKey$fByteArrayAccessSharedKey generateWithgenerateBlinder OAEPParamsoaepHashoaepMaskGenAlg oaepLabeldefaultOAEPParamsencryptWithSeed decryptSaferHashAlgorithmASN1 padSignature signSafer$fHashAlgorithmASN1RIPEMD160$fHashAlgorithmASN1SHA512t_256$fHashAlgorithmASN1SHA512t_224$fHashAlgorithmASN1SHA512$fHashAlgorithmASN1SHA384$fHashAlgorithmASN1SHA256$fHashAlgorithmASN1SHA224$fHashAlgorithmASN1SHA1$fHashAlgorithmASN1MD5$fHashAlgorithmASN1MD2 PSSParamspssHash pssMaskGenAlg pssSaltLengthpssTrailerFielddefaultPSSParamsdefaultPSSParamsSHA1signDigestWithSalt signWithSalt signDigestsignDigestSafer verifyDigest Camellia128$fBlockCipherCamellia128$fCipherCamellia128 hashPasswordbcryptvalidatePasswordvalidatePasswordEither Blowfish448 Blowfish256 Blowfish128 Blowfish64Blowfish$fBlockCipherBlowfish448$fCipherBlowfish448$fBlockCipherBlowfish256$fCipherBlowfish256$fBlockCipherBlowfish128$fCipherBlowfish128$fBlockCipherBlowfish64$fCipherBlowfish64$fBlockCipherBlowfish$fCipherBlowfish$fNFDataBlowfish$fNFDataBlowfish64$fNFDataBlowfish128$fNFDataBlowfish256$fNFDataBlowfish448AES256AES192AES128$fBlockCipher128AES256$fBlockCipherAES256$fBlockCipher128AES192$fBlockCipherAES192$fBlockCipher128AES128$fBlockCipherAES128$fCipherAES256$fCipherAES192$fCipherAES128$fNFDataAES128$fNFDataAES192$fNFDataAES256 EntropySource entropyOpen entropyGather entropyClose DevURandom DevRandom DeviceNameHtestOpenopenDevwithDevcloseDevgatherDevEntropygatherDevEntropyNonBlock$fEntropySourceDevURandom$fEntropySourceDevRandomRDRandc_get_rand_bytesc_cpu_has_rdrand rdrandGrabrdrandGetBytes$fEntropySourceRDRand openBackendand'&&! GmpSupportedonGmpUnsupportedgmpGcdegmpLog2gmpPowModSecIntegergmpPowModInteger gmpInverse gmpNextPrimegmpTestPrimeMillerRabingmpSizeInBytes gmpSizeInBitsgmpExportIntegergmpImportIntegerGmpUnsupportedCoprimesAssertionErrorexponentiationfillPtrw64to32baseGHC.WordWord64Word32w32to64$memory-0.14.6-B1KGj1d40t7G5FXEHg9awwData.Memory.ExtendedWordsWord128Proxy IsAtLeastIsAtMostIsDivisibleBy8Mod8IsDiv8Div8IsGEIsLEbyteLenintegralNatValdeepseq-1.4.2.0Control.DeepSeqNFDatarnfGHC.Base<$ Applicativepure<*>*><*ghc-prim GHC.TypesWordWord8Word16Data.TraversableforMControl.Applicativeoptional WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowZipList getZipList Control.ArrowfirstsecondData.Functor.ConstConstgetConst Data.FoldableforM_ byteSwap64 byteSwap32 byteSwap16 Data.Functorvoid<$>liftA3liftA2liftA<**> Alternativeempty<|>somemany Data.BitsxorgcdF2mNothingbe32Primle32Primbyteswap32Prim convert4To32 booleanPrim unsafeDoIOpopCountMutableArray32Array64Array32Array8array8array32array64mutableArray32mutableArray32FromAddrBEmutableArray32Freeze arrayRead8 arrayRead32 arrayRead64mutableArrayRead32mutableArrayWrite32mutableArrayWriteXor32 constAllZeroData.ByteArray.BytesBytesData.ByteArray.EncodingconvertFromBase convertToBaseBaseBase16Base32Base64Base64URLUnpadded Base64OpenBSDData.ByteArray.Mapping mapAsWord64 mapAsWord128 fromW64BEtoW64LEtoW64BEData.ByteArray.MemViewMemViewData.ByteArray.ViewdropViewtakeViewviewViewData.ByteArray.MethodsconvertallanyconstEqeqzero replicate copyAndFreezecopyRetcopyappendconcatspandroptakesplitAtindexsnoccons singletonunconsunpackpacknull unsafeCreateallocAndFreezecreateallocData.ByteArray.ScrubbedBytes ScrubbedBytesData.ByteArray.TypesByteArrayAccesslength withByteArray ByteArrayallocRetmultiplicationdpSlowdpFastdpFastNoBlinder getEntropyPtrdefaultPoolSizerunPseudoRandomTruesystemChunkSize$fDRGSystemDRG $fShowDigest$fNFDataDigestc_whirlpool_finalizec_whirlpool_updatec_whirlpool_init$fHashAlgorithmWhirlpoolc_tiger_finalizec_tiger_update c_tiger_init$fHashAlgorithmTigerc_skein512_finalizec_skein512_updatec_skein512_init$fHashAlgorithmSkein512_512$fHashAlgorithmSkein512_384$fHashAlgorithmSkein512_256$fHashAlgorithmSkein512_224c_skein256_finalizec_skein256_updatec_skein256_init$fHashAlgorithmSkein256_256$fHashAlgorithmSkein256_224Nat c_sha3_outputc_sha3_finalize_shake c_sha3_update c_sha3_initshakeFinalizeOutput$fHashAlgorithmSHAKE256$fHashAlgorithmSHAKE128c_sha512t_finalizec_sha512t_updatec_sha512t_init$fHashAlgorithmSHA512t_256$fHashAlgorithmSHA512t_224c_sha512_finalizec_sha512_update c_sha512_init$fHashAlgorithmSHA512c_sha384_finalizec_sha384_update c_sha384_init$fHashAlgorithmSHA384c_sha3_finalize$fHashAlgorithmSHA3_512$fHashAlgorithmSHA3_384$fHashAlgorithmSHA3_256$fHashAlgorithmSHA3_224c_sha256_finalizec_sha256_update c_sha256_init$fHashAlgorithmSHA256c_sha224_finalizec_sha224_update c_sha224_init$fHashAlgorithmSHA224c_sha1_finalize c_sha1_update c_sha1_init$fHashAlgorithmSHA1c_ripemd160_finalizec_ripemd160_updatec_ripemd160_init$fHashAlgorithmRIPEMD160c_md5_finalize c_md5_update c_md5_init$fHashAlgorithmMD5c_md4_finalize c_md4_update c_md4_init$fHashAlgorithmMD4c_md2_finalize c_md2_update c_md2_init$fHashAlgorithmMD2c_keccak_finalizec_keccak_update c_keccak_init$fHashAlgorithmKeccak_512$fHashAlgorithmKeccak_384$fHashAlgorithmKeccak_256$fHashAlgorithmKeccak_224c_blake2sp_finalizec_blake2sp_updatec_blake2sp_init$fHashAlgorithmBlake2sp_256$fHashAlgorithmBlake2sp_224c_blake2s_finalizec_blake2s_updatec_blake2s_init$fHashAlgorithmBlake2s_256$fHashAlgorithmBlake2s_224$fHashAlgorithmBlake2s_160$fHashAlgorithmBlake2bp_512c_blake2b_finalizec_blake2b_updatec_blake2b_init$fHashAlgorithmBlake2b_512$fHashAlgorithmBlake2b_384$fHashAlgorithmBlake2b_256$fHashAlgorithmBlake2b_224$fHashAlgorithmBlake2b_160c_blake2bp_finalizec_blake2bp_updatec_blake2bp_init$fHashAlgorithmBlake2bp$fHashAlgorithmBlake2sp$fHashAlgorithmBlake2b$fHashAlgorithmBlake2s PRK_NoExpand#c_cryptonite_fastpbkdf2_hmac_sha512#c_cryptonite_fastpbkdf2_hmac_sha256!c_cryptonite_fastpbkdf2_hmac_sha1ccryptonite_scrypt_smixTP digitsPower timeToCounter Data.Eithereither$fMonadCryptoFailable$fApplicativeCryptoFailable$fFunctorCryptoFailable$fEqCryptoFailable$fExceptionCryptoErrorCVersionCVariantHashOutSaltPass argon2_hash saltMinLengthoutputMinLengthoutputMaxLength cOfVersion cOfVariant csizeOfIntc_poly1305_finalizec_poly1305_updatec_poly1305_initCurveParameters curveEccA curveEccB curveEccG curveEccN curveEccHcurveSizeBytes$fCurveSEC_p112r1 CurveTypeCurvePrimeParamCurveBinaryParamcurveParameters curveTypetypeSEC_p112r1paramSEC_p112r1typeSEC_p112r2paramSEC_p112r2typeSEC_p128r1paramSEC_p128r1typeSEC_p128r2paramSEC_p128r2typeSEC_p160k1paramSEC_p160k1typeSEC_p160r1paramSEC_p160r1typeSEC_p160r2paramSEC_p160r2typeSEC_p192k1paramSEC_p192k1typeSEC_p192r1paramSEC_p192r1typeSEC_p224k1paramSEC_p224k1typeSEC_p224r1paramSEC_p224r1typeSEC_p256k1paramSEC_p256k1typeSEC_p256r1paramSEC_p256r1typeSEC_p384r1paramSEC_p384r1typeSEC_p521r1paramSEC_p521r1typeSEC_t113r1paramSEC_t113r1typeSEC_t113r2paramSEC_t113r2typeSEC_t131r1paramSEC_t131r1typeSEC_t131r2paramSEC_t131r2typeSEC_t163k1paramSEC_t163k1typeSEC_t163r1paramSEC_t163r1typeSEC_t163r2paramSEC_t163r2typeSEC_t193r1paramSEC_t193r1typeSEC_t193r2paramSEC_t193r2typeSEC_t233k1paramSEC_t233k1typeSEC_t233r1paramSEC_t233r1typeSEC_t239k1paramSEC_t239k1typeSEC_t283k1paramSEC_t283k1typeSEC_t283r1paramSEC_t283r1typeSEC_t409k1paramSEC_t409k1typeSEC_t409r1paramSEC_t409r1typeSEC_t571k1paramSEC_t571k1typeSEC_t571r1paramSEC_t571r1$fCurveSEC_t571r1$fCurveSEC_t571k1$fCurveSEC_t409r1$fCurveSEC_t409k1$fCurveSEC_t283r1$fCurveSEC_t283k1$fCurveSEC_t239k1$fCurveSEC_t233r1$fCurveSEC_t233k1$fCurveSEC_t193r2$fCurveSEC_t193r1$fCurveSEC_t163r2$fCurveSEC_t163r1$fCurveSEC_t163k1$fCurveSEC_t131r2$fCurveSEC_t131r1$fCurveSEC_t113r2$fCurveSEC_t113r1$fCurveSEC_p521r1$fCurveSEC_p384r1$fCurveSEC_p256r1$fCurveSEC_p256k1$fCurveSEC_p224r1$fCurveSEC_p224k1$fCurveSEC_p192r1$fCurveSEC_p192k1$fCurveSEC_p160r2$fCurveSEC_p160r1$fCurveSEC_p160k1$fCurveSEC_p128r2$fCurveSEC_p128r1$fCurveSEC_p112r2xorMemdiffusechunkxtsGFMul $fEqAuthTagXTScbcEncryptGenericcbcDecryptGenericcfbEncryptGenericcfbDecryptGenericctrCombineGenericxtsEncryptGenericxtsDecryptGeneric xtsGeneric$fEqIV$fByteArrayAccessIVstepMPbxor IPolynomialQ cmacChunkssubKeyshiftL1shiftL1W cipherIPT iPolynomial expandIPT expandIPT' initTwofishColumnZeroOneTwoThree KeyPackage rawKeyBytesbyteSizeByteSizeBytes16Bytes24Bytes32Twofishsk mdsPolynomial rsPolynomial buildPackage mapBlocks encryptBlock byteIndex decryptBlocksbox0sbox1rsload32ls store32lssWords genSboxesgenKh mdsColumnMulttupIndgfMultccryptonite_salsa_generateccryptonite_salsa_combineccryptonite_salsa_initccryptonite_xsalsa_init c_rc4_init c_rc4_combineBlockBits64Bits56Bits48Bits32Bits6Bits4KeyRotationunBlockdesXor desRotatebitifyunbitifyinitial_permutationkey_transformationdes_encdes_decdo_desdes_workdo_roundget_keycompression_permutationexpansion_permutations_boxs_box_1s_box_2s_box_3s_box_4s_box_5s_box_6s_box_7s_box_8p_box final_permtakeDropinit3DESinit2DESinitDESccryptonite_chacha_randomccryptonite_chacha_generateccryptonite_chacha_combineccryptonite_chacha_initccryptonite_chacha_init_coreNonce8Nonce12pad16incrementNonce' initialize'initializeWords$fDRGChaChaDRG seedLength pointNegatedivmodccryptonite_curve25519decaf_x448_derive_public_key decaf_x448 x448_bytesP256XP256Y P256Scalar P256Digitccryptonite_p256_from_binccryptonite_p256_to_binccryptonite_p256_is_valid_point#ccryptonite_p256_points_mul_vartimeccryptonite_p256e_point_addccryptonite_p256_basepoint_mulccryptonite_p256_modinv_vartimeccryptonite_p256_modmulccryptonite_p256_modccryptonite_p256_cmpccryptonite_p256_subccryptonite_p256_add_dccryptonite_p256_addccryptonite_p256_clearccryptonite_p256_is_zeroccryptonite_p256_initccryptonite_SECP256r1_bccryptonite_SECP256r1_pccryptonite_SECP256r1_n scalarSize pointSizescalarNeedReducing withNewPoint withPointpxToPywithNewScalarFreeze withTempPointwithTempScalar withScalarwithScalarZero allocTempallocTempScrubbedcheckNonZeroDHencodeECShared encodeECPoint decodeECPointtHashccryptonite_ed25519_signccryptonite_ed25519_sign_openccryptonite_ed25519_publickeydecaf_ed448_verifydecaf_ed448_signdecaf_ed448_derive_public_key no_context probabilistic firstPrimesdivides EphemeralKeygenerateEphemeral encryptWithhashDigestASN1 makeSignatureaddDigestPrefixnormalizeToKeySizeCamellia initCamelliakwkeModeDecryptEncrypt w64tow128w64tow8w8tow64sboxsbox2sbox3sbox4sigma1sigma2sigma3sigma4sigma5sigma6rotl128 setKeyInterimfeistelflflinvgetKeyKgetKeyKegetKeyKw doBlockRounddoBlockcreateKeySchedule initBlowfish eksBlowfishmakeKeyScheduleBFdecryptContextcipher coreCrypto expandKey$fNFDataContext BCryptHashBCHrawHashparseBCryptHashAESOCBAESGCMAESgcmModeocbModeinitAES encryptECB encryptCBCgenCTR genCounter encryptCTR encryptXTS decryptECB decryptCBC decryptCTR decryptXTSgcmInit gcmAppendAADgcmAppendEncryptgcmAppendDecrypt gcmFinishocbInit ocbAppendAADocbAppendEncryptocbAppendDecrypt ocbFinishc_aes_ocb_finishc_aes_ocb_decryptc_aes_ocb_encrypt c_aes_ocb_aadc_aes_ocb_initc_aes_gcm_finishc_aes_gcm_decryptc_aes_gcm_encrypt c_aes_gcm_aadc_aes_gcm_initc_aes_encrypt_ctrc_aes_gen_ctr_cont c_aes_gen_ctrc_aes_decrypt_xtsc_aes_encrypt_xtsc_aes_decrypt_cbcc_aes_encrypt_cbcc_aes_decrypt_ecbc_aes_encrypt_ecb c_aes_initsizeGCMsizeOCBkeyToPtrivToPtr ivCopyPtr withKeyAndIV withKey2AndIVwithGCMKeyAndCopySt withNewGCMStwithOCBKeyAndCopyStdoECBdoCBCdoXTS$fBlockCipher128AES$fBlockCipherAES $fCipherAES