BSD-style

- A DES block (64 bits).
- Basic DES encryption which takes a key and a block of plaintext and returns the encrypted block of ciphertext according to the standard.
- Basic DES decryption which takes a key and a block of ciphertext and returns the decrypted block of plaintext according to the standard.

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Format of padding
- PKCS5: PKCS7 with hardcoded size of 8
- PKCS7 with padding size between 1 and 255
- zero padding with block size
- Apply some pad to a bytearray
- Try to remove some padding from a bytearray.

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | Good

- A simple Either like type to represent a computation that can fail. 2 possible values are:
  - The computation succeeded, and contains the result of the computation
  - The computation failed, and contains the cryptographic error associated
- Enumeration of all possible errors that can be found in this library
- Throw a CryptoError as exception on CryptoFailed result, otherwise return the computed value
- Same as  but throw the error asynchronously.
- Simple  like combinator for CryptoFailable type
- Transform a CryptoFailable to an Either
- Transform a CryptoFailable to a Maybe

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | Good

- Perform io for hashes that do allocation and FFI.  is used when possible as the computation is pure and the output is directly linked to the input. We also do not modify anything after it has been returned to the user.

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- Chunk some input byte array into sz byte list of byte array.

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | Compat

- Byteswap Word# to or from Big Endian. On a big endian machine, this function is a nop.
- Byteswap Word# to or from Little Endian. On a little endian machine, this function is a nop.
- Simple compatibility for byteswap the lower 32 bits of a Word# at the primitive level
- Combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]
- Simple wrapper to handle pre 7.8 and future, where most comparison functions don't return a boolean anymore.

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- Symmetric cipher class.
- Initialize a cipher context from a key
- Cipher name
- Return the size of the key required for this cipher. Some ciphers accept any size for key
- AEAD Mode
- Authentication Tag for AE cipher mode
- Offset inside an XTS data unit, measured in block size.
- Different specifier for key size in bytes
- in the range [min,max]
- one of the specified values
- a specific size

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- Symmetric stream cipher class
- Combine using the stream cipher

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Represent a digest for a given hash algorithm. This type is an instance of  from package memory (https://hackage.haskell.org/package/memory).
  Module Data.ByteArray provides many primitives to work with those values including conversion to other types. Creating a digest from a bytearray is also possible with function .
- Represent a context for a given hash algorithm.
- Class representing hashing algorithms. The interface presented here is update in place and lowlevel. The Hash module takes care of hiding the mutable interface properly.
- Associated type for the block size of the hash algorithm
- Associated type for the digest size of the hash algorithm
- Associated type for the internal context size of the hash algorithm
- Get the block size of a hash algorithm
- Get the digest size of a hash algorithm
- Get the size of the context used for a hash algorithm
- Initialize a context pointer to the initial state of a hash algorithm
- Update the context with some raw data
- Finalize the context and set the digest raw memory to the right value

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Whirlpool cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Tiger cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Skein512 (512 bits) cryptographic hash algorithm
- Skein512 (384 bits) cryptographic hash algorithm
- Skein512 (256 bits) cryptographic hash algorithm
- Skein512 (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Skein256 (256 bits) cryptographic hash algorithm
- Skein256 (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA512t (256 bits) cryptographic hash algorithm
- SHA512t (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA512 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA384 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA3 (512 bits) cryptographic hash algorithm
- SHA3 (384 bits) cryptographic hash algorithm
- SHA3 (256 bits) cryptographic hash algorithm
- SHA3 (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA256 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA224 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHA1 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- RIPEMD160 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- MD5 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- MD4 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- MD2 cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Keccak (512 bits) cryptographic hash algorithm
- Keccak (384 bits) cryptographic hash algorithm
- Keccak (256 bits) cryptographic hash algorithm
- Keccak (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- A Mutable hash context
- Create a new mutable hash context. The algorithm used is automatically determined from the return constraint.
- Create a new mutable hash context. The algorithm is explicitly passed as parameter
- Update a mutable hash context in place
- Finalize a mutable hash context and compute a digest
- Reset the mutable context to the initial state of the hash

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Blake2sp (256 bits) cryptographic hash algorithm
- Blake2sp (224 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Blake2s (256 bits) cryptographic hash algorithm
- Blake2s (224 bits) cryptographic hash algorithm
- Blake2s (160 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Blake2bp (512 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Blake2b (512 bits) cryptographic hash algorithm
- Blake2b (384 bits) cryptographic hash algorithm
- Blake2b (256 bits) cryptographic hash algorithm
- Blake2b (224 bits) cryptographic hash algorithm
- Blake2b (160 bits) cryptographic hash algorithm

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- Compute the gfmul with the XTS polynomial. Block size needs to be 128 bits. FIXME: add support for big endian.

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- Authenticated Encryption with Associated Data algorithms
- AEAD Implementation
- Append some header information to an AEAD context
- Encrypt some data and update the AEAD context
- Decrypt some data and update the AEAD context
- Finalize the AEAD context and return the authentication tag
- Simple AEAD encryption
- Simple AEAD decryption
- A new AEAD Context
- Optional Authentication data header
- Optional Plaintext
- Tag length
- Authentication tag and ciphertext
- A new AEAD Context
- Optional Authentication data header
- Ciphertext
- The authentication tag
- Plaintext

BSD-style | Vincent Hanquez <vincent@snarc.org> | Stable | Excellent

- class of block cipher with a 128 bits block size
- encrypt using the XTS mode. Input needs to be a multiple of the blocksize, and the cipher needs to process 128 bits block only
- decrypt using the XTS mode. Input needs to be a multiple of the blocksize, and the cipher needs to process 128 bits block only
- Symmetric block cipher class
- Return the size of block required for this block cipher
- Encrypt blocks. The input string needs to be a multiple of the block size
- Decrypt blocks. The input string needs to be a multiple of the block size
- encrypt using the CBC mode. Input needs to be a multiple of the blocksize
- decrypt using the CBC mode. Input needs to be a multiple of the blocksize
- encrypt using the CFB mode. Input needs to be a multiple of the blocksize
- decrypt using the CFB mode. Input needs to be a multiple of the blocksize
- combine using the CTR mode. CTR mode produces a stream of randomized data that is combined (by XOR operation) with the input stream. Encryption and decryption are the same operation. Input can be of any size
- Initialize a new AEAD State. When Nothing is returned, it means the mode is not handled.
- XTS callback
- an IV parametrized by the cipher
- Create an IV for a specified block cipher
- Create an IV that is effectively representing the number 0
- Increment an IV by a number. Assume the IV is in Big Endian format.
- Usually represent the Data Unit (e.g. disk sector)
- Offset in the data unit in number of blocks
- Plaintext
- Ciphertext
- Usually represent the Data Unit (e.g. disk sector)
- Offset in the data unit in number of blocks
- Ciphertext
- Plaintext
- Usually represent the Data Unit (e.g. disk sector)
- Offset in the data unit in number of blocks
- Data
- Processed Data

BSD-style | Kei Hibino <ex8k.hibino@gmail.com> | experimental | unknown

- Compute Miyaguchi-Preneel one way compress using the supplied block cipher.
- Compute Miyaguchi-Preneel one way compress using the inferred block cipher. Only safe when KEY-SIZE equals to BLOCK-SIZE. Simple usage: mp' msg :: MiyaguchiPreneel AES128
- computation step of Miyaguchi-Preneel
- key build function to compute Miyaguchi-Preneel. care about block-size and key-size
- input message
- output tag
- input message
- output tag

BSD-style | experimental | ???

- 3DES where the first and third keys are equal, used in alternative direction
- 3DES where the first and third keys are equal, used in the same direction
- 3DES with 3 different keys used in alternative direction
- 3DES with 3 different keys used all in the same direction

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- DES Context

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- Salsa context
- Initialize a new Salsa context with the number of rounds, the key and the nonce associated.
- Combine the salsa output and an arbitrary message with a xor, and return the combined output and the new state.
- Generate a number of bytes from the Salsa output directly
- number of rounds (8,12,20)
- the key (128 or 256 bits)
- the nonce (64 or 96 bits)
- the initial Salsa state
- the current Salsa state
- the source to xor with the generator
- the current Salsa state
- the length of data to generate

BSD-style | Brandon Hamilton <brandon.hamilton@gmail.com> | stable | good

- Initialize a new XSalsa context with the number of rounds, the key and the nonce associated.
- Use an already initialized context and new nonce material to derive another XSalsa context. This allows a multi-level cascade where a first key k1 and nonce n1 is used to get HState(k1,n1), and this value is then used as key k2 to build XSalsa(k2,n2). Function  is to be called with the first 192 bits of n1|n2, and the call to derive should add the remaining 128 bits. The output context always uses the same number of rounds as the input context.
- number of rounds (8,12,20)
- the key (256 bits)
- the nonce (192 bits)
- the initial XSalsa state
- base XSalsa state
- the remainder nonce (128 bits)
- the new XSalsa state

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | Good

- The encryption state for RC4
- C Call for initializing the encryptor
- RC4 context initialization. Seed the context with an initial key. The key size needs to be adequate otherwise security takes a hit.
- generate the next len bytes of the rc4 stream without combining it to anything.
- RC4 xor combination of the rc4 stream with an input
- Pointer to the permutation
- Pointer to the clear text
- Length of the clear text
- Output buffer
- The rc4 key
- The key length
- The context
- The key
- The RC4 context with the key mixed in
- rc4 context
- input
- new rc4 context, and the output

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- ChaCha context for DRG purpose (see Crypto.Random.ChaChaDRG)
- ChaCha context
- Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.
- Initialize simple ChaCha State. The seed needs to be at least 40 bytes long
- Combine the chacha output and an arbitrary message with a xor, and return the combined output and the new state.
- Generate a number of bytes from the ChaCha output directly
- similar to  but assume certain values
- number of rounds (8,12,20)
- the key (128 or 256 bits)
- the nonce (64 or 96 bits)
- the initial ChaCha state
- a 40 bytes long seed
- the current ChaCha state
- the source to xor with the generator
- the current ChaCha state
- the length of data to generate

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- AESCCM State
- AESOCB State
- AESGCM State
- AES Context (pre-processed key)
- Create an AES AEAD implementation for GCM
- Create an AES AEAD implementation for OCB
- Create an AES AEAD implementation for CCM
- Initialize a new context with a key. Key needs to be of length 16, 24 or 32 bytes. Any other values will return failure
- encrypt using Electronic Code Book (ECB)
- encrypt using Cipher Block Chaining (CBC)
- generate a counter mode pad. This is generally xor-ed to an input to make the standard counter mode block operations. If the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytearray is a multiple of the block cipher size.
- generate a counter mode pad. This is generally xor-ed to an input to make the standard counter mode block operations. If the length requested is not a multiple of the block cipher size, more data will be returned, so that the returned bytearray is a multiple of the block cipher size. Similar to  but also return the next IV for continuation
- encrypt using Counter mode (CTR). In CTR mode encryption and decryption is the same operation.
- encrypt using XTS. The first key is the normal block encryption key; the second key is used for the initial block tweak
- decrypt using Electronic Code Book (ECB)
- decrypt using Cipher block chaining (CBC)
- decrypt using Counter mode (CTR). In CTR mode encryption and decryption is the same operation.
- decrypt using XTS
- encrypt/decrypt using Counter mode (32-bit wrapping used in AES-GCM-SIV)
- initialize a gcm context
- append data which is only going to be authenticated to the GCM context. Needs to happen after initialization and before appending encryption/decryption data.
- append data to encrypt and append to the GCM context. The bytearray needs to be a multiple of AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- append data to decrypt and append to the GCM context. The bytearray needs to be a multiple of AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- Generate the Tag from GCM context
- initialize an ocb context
- append data which is going to just be authenticated to the OCB context. Needs to happen after initialization and before appending encryption/decryption data.
- append data to encrypt and append to the OCB context. The bytearray needs to be a multiple of the AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- append data to decrypt and append to the OCB context. The bytearray needs to be a multiple of the AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- Generate the Tag from OCB context
- initialize a ccm context
- append data which is only going to be authenticated to the CCM context. Needs to happen after initialization and before appending encryption/decryption data.
- append data to encrypt and append to the CCM context. The bytearray needs to be a multiple of AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- append data to decrypt and append to the CCM context. The bytearray needs to be a multiple of AES block size, unless it's the last call to this function. Needs to happen after AAD appending, or after initialization if no AAD data.
- Generate the Tag from CCM context
- AES Context
- Initial vector of AES block size
- plaintext
- ciphertext
- Cipher Key.
- usually a 128 bit integer.
- length of bytes required.
- AES Context
- initial vector of AES block size (usually representing a 128 bit integer)
- plaintext input
- ciphertext output
- AES cipher and tweak context
- a 128 bits IV, typically a sector or a block offset in XTS
- number of rounds to skip, also seen a 16 byte offset in the sector or block.
- input to encrypt
- output encrypted
- AES Context
- initial vector, usually representing a 128 bit integer
- ciphertext input
- plaintext output
- AES cipher and tweak context
- a 128 bits IV, typically a sector or a block offset in XTS
- number of rounds to skip, also seen a 16 byte offset in the sector or block.
- input to decrypt
- output decrypted
- AES Context
- initial vector of AES block size (usually representing a 128 bit integer)
- plaintext input
- ciphertext output

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- AES with 256 bit key
- AES with 192 bit key
- AES with 128 bit key

- ensure the given bitlen is divisible by 8
- ensure the given bitlen is greater or equal to n
- ensure the given bitlen is lesser or equal to n

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- SHAKE256 (256 bits) extendable output function. Supports an arbitrary digest size, to be specified as a type parameter of kind . Note: outputs from  n and  m for the same input are correlated (one being a prefix of the other). Results are unrelated to  results.
- SHAKE128 (128 bits) extendable output function. Supports an arbitrary digest size, to be specified as a type parameter of kind . Note: outputs from  n and  m for the same input are correlated (one being a prefix of the other). Results are unrelated to  results.
- Type class of SHAKE algorithms.
- Alternate finalization needed for cSHAKE
- Get the digest bit length

BSD-style | Nicolas Di Prima <nicolas@primetype.co.uk> | experimental | unknown

- Fast cryptographic hash. It is especially known to target 64bits architectures. Known supported digest sizes: Blake2b 160, Blake2b 224, Blake2b 256, Blake2b 384, Blake2b 512
- Fast and secure alternative to SHA1 and HMAC-SHA1. It is especially known to target 32bits architectures. Known supported digest sizes: Blake2s 160, Blake2s 224, Blake2s 256

BSD-style | Vincent Hanquez <vincent@snarc.org> | experimental | unknown

- Hash a strict bytestring into a digest.
- Hash a lazy bytestring into a digest.
- Initialize a new context for this hash algorithm
- run hashUpdates on one single bytestring and return the updated context.
- Update the context with a list of strict bytestring, and return a new context with the updates.
- Finalize a context and return a digest.
- Initialize a new context for a specified hash algorithm
- Run the  function but takes an explicit hash algorithm parameter
- Try to transform a bytearray into a Digest of specific algorithm. If the digest is not the right size for the algorithm specified, then Nothing is returned.

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | Good

- Array of mutable Word32
- Array of Word64
- Array of Word32
- Array of Word8
- Create an array of Word8 aliasing an Addr#
- Create an Array of Word32 of specific size from a list of Word32
- Create an Array of BE Word32 aliasing an Addr
- Create an Array of Word32 using an initializer
- Create an Array of Word64 of specific size from a list of Word64
- Create a Mutable Array of Word32 of specific size from a list of Word32
- Create a Mutable Array of BE Word32 aliasing an Addr
- freeze a Mutable Array of Word32 into an immutable Array of Word32
- Read a Word8 from an Array
- Read a Word32 from an Array
- Read a Word64 from an Array
- Read a Word32 from a Mutable Array of Word32
- Write a Word32 from a Mutable Array of Word32
- Write into the Mutable Array of Word32 by combining through xor the current value and the new value. x[i] = x[i] xor value

- Initialize a 128-bit, 192-bit, or 256-bit key. Return the initialized key or an error message if the given keyseed was not 16-bytes in length.
- Encrypts the given ByteString using the given Key
- Decrypts the given ByteString using the given Key
- The key to create the twofish context
- The key to use
- The data to encrypt
- The key to use
- The data to decrypt

BSD-style

- All subkeys for 12 or 16 rounds
- Encrypts a block using the specified key
- Decrypts a block using the specified key
- Precompute "masking" and "rotation" subkeys
- True for short keys that only need 12 rounds
- Input key padded to 16 bytes
- Output data structure

BSD-style | Olivier Chéron <olivier.cheron@gmail.com> | stable | good

- CAST5 block cipher (also known as CAST-128). Key is between 40 and 128 bits.

BSD-style | experimental | Good

- Copy the state of one key schedule into the other. The first parameter is the destination and the second the source.
- Create a key schedule mutable array of the pbox followed by all the sboxes.

BSD-style | experimental | Good

- Initialize a new Blowfish context from a key. Key needs to be between 0 and 448 bits.
- Get an immutable Blowfish context by freezing a mutable key schedule.
- Encrypt blocks. Input needs to be a multiple of 8 bytes
- Decrypt blocks. Input needs to be a multiple of 8 bytes
- Encrypt or decrypt a single block of 64 bits. The inverse argument decides whether to encrypt or decrypt.
- Blowfish encrypt a Word using the current state of the key schedule
- The key schedule
- The key
- The salt
- The key schedule
- The key
- First word of the salt
- Second word of the salt

BSD-style | Vincent Hanquez <vincent@snarc.org> | stable | good

- 448 bit keyed blowfish state
- 256 bit keyed blowfish state
- 128 bit keyed blowfish state
- 64 bit keyed blowfish state
cryptonitevariable keyed blowfish state*+,-..-,+*z BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe  cryptoniteSplit a R into the highest and lowest Q cryptoniteReconstruct a R from two Q{ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNoneF cryptoniteCamellia context cryptoniteInitialize a 128-bit key`Return the initialized key or a error message if the given keyseed was not 16-bytes in length. cryptonite1Encrypts the given ByteString using the given Key cryptonite1Decrypts the given ByteString using the given Key cryptonite&The key to create the camellia context cryptoniteThe key to use cryptoniteThe data to encrypt cryptoniteThe key to use cryptoniteThe data to decrypt BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalGoodNone> cryptonite&Camellia block cipher with 128 bit key>> BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone. A cryptoniteRParameters that can be adjusted to change the runtime performance of the hashing.F cryptoniteWhich variant of Argon2 to use.G cryptoniteWhich version of Argon2 to use.H cryptoniteCA parallelism degree, which defines the number of parallel threads.|} <= hashParallelism <= |~ && | <= hashParallelism <= |I cryptoniteDThe memory cost, which defines the memory usage, given in kibibytes.max | (8 * hashParallelism) <=  hashMemory <= |J cryptoniteThe time cost, which defines the amount of computation realized and therefore the execution time, given in number of iterations.| <= hashIterations <= |K cryptoniteWhich version of Argon2 to useN cryptonitexWhich variant of Argon2 to use. 
You should choose the variant that is most applicable to your intention to hash inputs.O cryptoniteArgon2d is faster than Argon2i and uses data-depending memory access, which makes it suitable for cryptocurrencies and applications with no threats from side-channel timing attacks.P cryptoniteArgon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks.Q cryptoniteArgon2id is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacksABDCEFGHIJKLMNOPQRSABDCEFGJIHNOPQKLMRS BSD-style experimentalGoodNone5f cryptoniteHThe number of user-defined iterations for the algorithm (must be > 0)g cryptoniteJThe number of bytes to generate out of BCryptPBKDF (must be in 1..1024)h cryptoniteBDerive a key of specified length using the bcrypt_pbkdf algorithm.i cryptoniteInternal hash function used by h."Normal users should not need this.degfhidegfhi BSD-style"Kei Hibino <ex8k.hibino@gmail.com> experimentalunknownNoneM<m cryptoniteAuthentication coden cryptonite'compute a MAC using the supplied ciphero cryptonitemake sub-keys used in CMACn cryptonitekey to compute CMAC with cryptonite input message cryptonite output tago cryptonitekey to compute CMAC with cryptonitesub-keys to compute CMAC cryptonite width in byte cryptonite(irreducible binary polynomial definition cryptoniteresult bit patternmnonmo BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneMLr cryptonite;Represent an ongoing HMAC state, that can be appended with y and finalize to an HMAC with  hmacFinalizet cryptoniteORepresent an HMAC that is a phantom type with the hash used to produce the mac._The Eq instance is constant time. 
No Show instance is provided, to avoid printing by mistake.
compute a MAC using the supplied hashing function
Initialize a new incremental HMAC context
Incrementally update a HMAC context
Incrementally update a HMAC context with multiple inputs
Finalize a HMAC context and return the HMAC.
Secret key
Message to MAC
Secret key
Current HMAC context
Message to append to the MAC
Updated HMAC context
Current HMAC context
Messages to append to the MAC
Updated HMAC context

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
Parameters for PBKDF2
the number of user-defined iterations for the algorithms. e.g. WPA2 uses 4000.
the number of bytes to generate out of PBKDF2
The PRF used for PBKDF2
PRF for PBKDF2 using HMAC with the hash algorithm as parameter
generate the pbkdf2 key derivation function from the output
the password parameters
the content
prf(password,content)

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
Parameters for Scrypt
Cpu/Memory cost ratio. must be a power of 2 greater than 1. also known as N.
Must satisfy r * p < 2^30
Must satisfy r * p < 2^30
the number of bytes to generate out of Scrypt
Generate the scrypt key derivation data

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
Pseudo Random Key
Extract a Pseudo Random Key using the parameter and the underlying hash mechanism
Create a PRK directly from the input key material. Only use when guaranteed to have a good quality and random data to use directly as key. This effectively skips a HMAC with key=salt and data=key.
Expand key material of specific length out of the parameters
Salt
Input Keying Material
Pseudo random key
Pseudo Random Key
Optional context and application specific information
Output length in bytes
Output data

BSD-style, Olivier Chéron <olivier.cheron@gmail.com>, experimental, unknown, None
Represent an ongoing KMAC state, that can be appended with  and finalized to a  with .
Represent a KMAC that is a phantom type with the hash used to produce the mac. The Eq instance is constant time. No Show instance is provided, to avoid printing by mistake.
Compute a KMAC using the supplied customization string and key.
Initialize a new incremental KMAC context with the supplied customization string and key.
Incrementally update a KMAC context.
Incrementally update a KMAC context with multiple inputs.
Finalize a KMAC context and return the KMAC.

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
Poly1305 Auth
Poly1305 State.
use State instead of Ctx
Poly1305 State
initialize a Poly1305 context
update a context with a bytestring
updates a context with multiple bytestrings
finalize the context into a digest bytestring
One-pass authorization creation

BSD-style, Vincent Hanquez <vincent@snarc.org>, stable, good, None
Valid Nonce for ChaChaPoly1305. It can be created with  or 
A ChaChaPoly1305 State. The state is immutable, and only new state can be created
Nonce smart constructor 12 bytes IV, nonce constructor
8 bytes IV, nonce constructor
Increment a nonce
Initialize a new ChaChaPoly1305 State. The key length needs to be 256 bits, and the nonce procured using either  or 
Append Authenticated Data to the State and return the new modified State. Once no further call to this function needs to be made, the user should call 
Finalize the Authenticated Data and return the finalized State
Encrypt a piece of data and return the encrypted Data and the updated State.
Decrypt a piece of data and return the decrypted Data and the updated State.
Generate an authentication tag from the State.
4 bytes constant
8 bytes IV

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
GMP Supported / Unsupported
Simple combinator in case the operation is not supported through GMP
Compute the GCDE of a two integer through GMP
Compute the binary logarithm of an integer through GMP
Compute the power modulus using extra security to remain constant time wise through GMP
Compute the power modulus through GMP
Inverse modulus of a number through GMP
Get the next prime from a specific value through GMP
Test if a number is prime using Miller Rabin
Return the size in bytes of an integer
Return the size in bits of an integer
Export an integer to a memory (big-endian)
Export an integer to a memory (little-endian)
Import an integer from a memory (big-endian)
Import an integer from a memory (little-endian)

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
sqrti returns two integers (l,b) so that l <= sqrt i <= b. The implementation is quite naive, use an approximation for the first number and use a dichotomy algorithm to compute the bound relatively efficiently.
Get the extended GCD of two integer using integer divMod. gcde a b find (x,y,gcd(a,b)) where ax + by = d
Check if a list of integer are all even
Compute the binary logarithm of a integer
Compute the number of bits for an integer
Compute the number of bytes for an integer
Express an integer as an odd number and a power of 2

BSD-style, Vincent Hanquez <vincent@snarc.org>, Experimental, Excellent, None
Define a point on a curve.
Point at Infinity
ECC Private Number
Define common parameters in a curve definition of the form: y^2 = x^3 + ax + b.
curve parameter a
curve parameter b
base point
order of G
cofactor
get the size of the curve in bits
get the size of the curve in bytes
Define names for known recommended curves.

BSD-style, Danny Navarro <j@dannynavarro.net>, experimental, Good, None
Binary Polynomial represented by an integer
Addition over F₂m. This is just a synonym of @.
Reduction by modulo over F₂m. This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.
Multiplication over F₂m. This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.
Squaring over F₂m. This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.
Squaring over F₂m without reduction by modulo. The implementation utilizes the fact that for binary polynomial S(x) we have S(x)^2 = S(x^2). In other words, insert a zero bit between every bits of argument: 1101 -> 1010001. This function is undefined for negative arguments, because their bit representation is platform-dependent.
Exponentiation in F₂m by computing a^b mod fx. This implements an exponentiation by squaring based solution. It inherits the same restrictions as . Negative exponents are disallowed.
Square root in F₂m. We exploit the fact that a^(2^m) = a, or in particular, a^(2^m - 1) = 1 from a classical result by Lagrange. Thus the square root is simply a^(2^(m - 1)).
Extended GCD algorithm for polynomials. For a and b returns (g, u, v) such that a * u + b * v == g.
Reference: https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#B.C3.A9zout.27s_identity_and_extended_GCD_algorithm
Modular inversion over F₂m. If n doesn't have an inverse, B is returned. This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.
Division over F₂m. If the dividend doesn't have an inverse it returns B. This function is undefined for negative arguments, because their bit representation is platform-dependent. Zero modulus is also prohibited.
Modulus
Modulus
Modulus
Modulus
a
b
Modulus
a
Modulus
Modulus
Dividend
Divisor
Quotient

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Raised when the assumption about the modulus is invalid.
Raised when two numbers are supposed to be coprimes but are not.
Compute the modular exponentiation of base^exponent using algorithms designed to avoid side channels and timing measurement. Modulo needs to be odd otherwise the normal fast modular exponentiation is used. When used with integer-simple, this function is not different from expFast, and thus provides the same unstudied and dubious timing and side channels claims. Before GHC 8.4.2, powModSecInteger is missing from integer-gmp, so expSafe has the same security as expFast.
Compute the modular exponentiation of base^exponent using the fastest algorithm without any consideration for hiding parameters. Use this function when all the parameters are public, otherwise  should be preferred.
exponentiation computes modular exponentiation as b^e mod m using repetitive squaring.
inverse computes the modular inverse as in g^(-1) mod m.
Compute the modular inverse of two coprime numbers.
This is equivalent to inverse except that the result is known to exist. If the numbers are not defined as coprime, this function will raise a D.
Computes the Jacobi symbol (a/n). 0 ≤ a < n; n ≥ 3 and odd. The Legendre and Jacobi symbols are indistinguishable exactly when the lower argument is an odd prime, in which case they have the same value. See algorithm 2.149 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Modular inverse using Fermat's little theorem. This works only when the modulus is prime but avoids side channels like in .
Modular square root of g modulo a prime p. If the modulus is found not to be prime, the function will raise a C. This implementation is variable time and should be used with public parameters only.
base
exponent
modulo
result
base
exponent
modulo
result

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
get a runtime proof that the constraint  n is satisfied
get a runtime proof that the constraint  value bound is satisfied
get a runtime proof that the constraint  value bound is satisfied

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Fill a pointer with the big endian binary representation of an integer. If the room available ptrSz is less than the number of bytes needed, 0 is returned. Likewise if a parameter is invalid, 0 is returned. Returns the number of bytes written
Similar to , except it will pad any remaining space with zero.
Transform a big endian binary integer representation pointed by a pointer and a size into an integer

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
os2ip converts a byte string into a positive integer.
i2osp converts a positive integer into a byte string. The first byte is MSB (most significant byte); the last byte is the LSB (least significant byte)
Just like , but takes an extra parameter for size. If the number is too big to fit in len bytes, B is returned otherwise the number is padded with 0 to fit the len required.
Just like  except that it doesn't expect a failure: i.e. an integer larger than the number of output bytes requested. For example if you just took a modulo of the number that represent the size (example the RSA modulo n).

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Fill a pointer with the little endian binary representation of an integer. If the room available ptrSz is less than the number of bytes needed, 0 is returned. Likewise if a parameter is invalid, 0 is returned. Returns the number of bytes written
Similar to , except it will pad any remaining space with zero.
Transform a little endian binary integer representation pointed by a pointer and a size into an integer

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
os2ip converts a byte string into a positive integer.
i2osp converts a positive integer into a byte string. The first byte is LSB (least significant byte); the last byte is the MSB (most significant byte)
Just like , but takes an extra parameter for size. If the number is too big to fit in len bytes, B is returned otherwise the number is padded with 0 to fit the len required.
Just like  except that it doesn't expect a failure: i.e. an integer larger than the number of output bytes requested. For example if you just took a modulo of the number that represent the size (example the RSA modulo n).

An integral time value in seconds.
The strength of the calculated HOTP value, namely the number of digits (between 4 and 9) in the extracted value.
A one-time password which is a sequence of 4 to 9 digits.
Attempt to resynchronize the server's counter value with the client, given a sequence of HOTP values.
The default TOTP configuration.
Create a TOTP configuration with customized parameters.
Calculate a totp value for the given time.
Check a supplied TOTP value is valid for the given time, within the window defined by the skew parameter.
Number of digits in the HOTP value extracted from the calculated HMAC
Shared secret between the client and server
Counter value synchronized between the client and server
The HOTP value
The look-ahead window parameter. Up to this many values will be calculated and checked against the value(s) submitted by the client
The shared secret
The current server counter value
The first OTP submitted by the client and a list of additional sequential OTPs (which may be empty)
The new counter value, synchronized with the client's current counter or Nothing if the submitted OTP values didn't match anywhere within the window
The T0 parameter in seconds. This is the Unix time from which to start counting steps (default 0). Must be before the current time.
The time step parameter X in seconds (default 30, maximum allowed 300)
Number of required digits in the OTP (default 6)
The number of time steps to check either side of the current value to allow for clock skew between client and server and or delay in submitting the value. The default is two time steps.
The shared secret
The time for which the OTP should be calculated.
This is usually the current time as returned by Data.Time.Clock.POSIX.getPOSIXTime

BSD-style, Vincent Hanquez <vincent@snarc.org>, Experimental, Excellent, None
Define names for known recommended curves.
Define common parameters in a curve definition of the form: y^2 = x^3 + ax + b.
curve parameter a
curve parameter b
base point
order of G
cofactor
Define an elliptic curve in 𝔽p. The first parameter is the Prime Number.
Define an elliptic curve in 𝔽(2^m). The first parameter is the Integer representation of the irreducible polynomial f(x).
Define a point on a curve.
Point at Infinity
ECC Private Number
ECC Public Point
Define either a binary curve or a prime curve.
𝔽(2^m)
𝔽p
Parameters in common between binary and prime curves.
Irreducible polynomial representing the characteristic of a CurveBinary.
Prime number representing the characteristic of a CurvePrime.
get the size of the curve in bits
Get the curve definition associated with a recommended known curve name.

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
This is a strict version of and
This is a strict version of &&.
Truncate and hash for DSA and ECDSA.
Truncate a digest for DSA and ECDSA.

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Represent a mask generation algorithm
Mask generation algorithm MGF1
seed
length to generate

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Represent RSA KeyPair. Note the RSA private key contains already an instance of public key for efficiency
Represent a RSA private key. Only the pub, d fields are mandatory to fill. p, q, dP, dQ, qinv are by-product during RSA generation, but are useful to record here to speed up massively the decrypt and sign operation. Implementations can leave optional fields to 0.
public part of a private key (size, n and e)
private exponent d
p prime number
q prime number
d mod (p-1)
d mod (q-1)
q^(-1) mod p
Represent a RSA public key
size of key in bytes
public p*q
public exponent e
error possible during encryption, decryption or signing.
the message to decrypt is not of the correct size (need to be == private_size)
the message to encrypt is too long
the message decrypted doesn't have a PKCS15 structure (0 2 .. 0 msg)
the message's digest is too long
some parameters lead to breaking assumptions.
Blinder which is used to obfuscate the timing of the decryption primitive (used by decryption and signing).
get the size in bytes from a private key
get n from a private key
get e from a private key
Public key of a RSA KeyPair
Private key of a RSA KeyPair

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Compute the RSA decrypt primitive. If the p and q numbers are available, then dpFast is used otherwise, we use dpSlow which only need d and n.
Compute the RSA encrypt primitive
multiply 2 integers in Zm only performing the modulo operation if necessary

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, Safe
A handle to an entropy maker, either a system capability or a hardware generator.
Try to open an handle for this source
Try to gather a number of entropy bytes into a buffer.
Return the number of actual bytes gathered
Close an open handle

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, Safe
Fake handle to Intel RDRand entropy CPU instruction

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, Safe
Entropy device /dev/urandom on unix system
Entropy device /dev/random on unix system

BSD-style, Vincent Hanquez <vincent@snarc.org>, stable, good, Safe
Any Entropy Backend
All supported backends
Open a backend handle
Gather randomness from an open handle
An open Entropy Backend
Pointer to a buffer to write to
number of bytes to write
return the number of bytes actually written

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, Safe
Refill the entropy in a buffer. Call each entropy backend in turn until the buffer has been replenished. If the buffer cannot be refill after 3 loopings, this will raise an User Error exception

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Get some entropy from the system source of entropy

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
Pool of Entropy. Contains a self-mutating pool of entropy, that is always guaranteed to contain data.
Create a new entropy pool of a specific size. While you can create as many entropy pools as you want, the pool can be shared between multiples RNGs.
Create a new entropy pool with a default size. While you can create as many entropy pools as you want, the pool can be shared between multiples RNGs.
Put a chunk of the entropy pool into a buffer
Grab a chunk of entropy from the entropy pool.

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
A simple Monad class very similar to a State Monad with the state being a DRG.
A Deterministic Random Generator (DRG) class
Generate N bytes of randomness from a DRG
A monad constraint that allows to generate random bytes
Run a pure computation with a Deterministic Random Generator in the

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
A referentially transparent System representation of the random evaluated out of the system. Holding onto a specific DRG means that all the already evaluated bytes will be consistently replayed. There's no need to reseed this DRG, as only pure entropy is represented here.
Grab one instance of the System DRG

BSD-style, Vincent Hanquez <vincent@snarc.org>, stable, good, None
ChaCha Deterministic Random Generator
Initialize a new ChaCha context with the number of rounds, the key and the nonce associated.
Initialize a new ChaCha context from 5-tuple of words64. This interface is useful when creating a RNG out of tests generators (e.g. QuickCheck).
40 bytes of seed
the initial ChaCha state

BSD-style, Vincent Hanquez <vincent@snarc.org>, stable, good, None
Create a new Seed from system entropy
Convert a Seed to an integer
Convert an integer to a Seed
Convert a binary to a seed
Create a new DRG from system entropy
Create a new DRG from a seed
Create a new DRG from 5 Word64. This is a convenient interface to create deterministic interface for quickcheck style testing. It can also be used in other contexts provided the input has been properly randomly generated. Note that the Arbitrary instance provided by QuickCheck for R does not have a uniform distribution. It is often better to use instead arbitraryBoundedRandom.
Generate len random bytes and mapped the bytes to the function f. This is equivalent to use Control.Arrow ^ with

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, Good, None
This create a random number generator out of thin air with the system entropy; don't generally use as the IO is not exposed this can have unexpected random for. This is useful for probabilistic algorithm like Miller Rabin probably prime algorithm, given appropriate choice of the heuristic. Generally, it's advised not to use this function.

BSD-style, Olivier Chéron <olivier.cheron@gmail.com>, experimental, unknown, None
An Ed448 signature
An Ed448 public key
An Ed448 Secret key
Try to build a public key from a bytearray
Try to build a secret key from a bytearray
Try to build a signature from a bytearray
Create a public key from a secret key
Sign a message using the key pair
Verify a message
Generate a secret key
A public key is 57 bytes
A secret key is 57 bytes
A signature is 114 bytes

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
An Ed25519 signature
An Ed25519 public key
An Ed25519 Secret key
Try to build a public key from a bytearray
Try to build a secret key from a bytearray
Try to build a signature from a bytearray
Create a public key from a secret key
Sign a message using the key pair
Verify a message
Generate a secret key
A public key is 32 bytes
A secret key is 32 bytes
A signature is 64 bytes

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
A P256 point
A P256 scalar
Get the base point for the P256 Curve
Lift to curve a scalar. Using the curve generator as base point compute: scalar * G
Add a point to another point
Negate a point
Multiply a point by a scalar. warning: variable time
Similar to , serializing the x coordinate as binary. When scalar is multiple of point order the result is all zero.
multiply the point p with n2 and add a lifted to curve value n1: n1 * G + n2 * p. warning: variable time
Check if a  is valid
Check if a  is the point at infinity
Return the x coordinate as a  if the point is not at infinity
Convert a point to (x,y) Integers
Convert from (x,y) Integers to a point
Convert a point to a binary representation
Convert from binary to a valid point
Convert from binary to a point, possibly invalid
Generate a randomly generated new scalar
The scalar representing 0
The scalar representing the curve order
Check if the scalar is 0
Perform addition between two scalars: a + b
Perform subtraction between two scalars: a - b
Perform multiplication between two scalars: a * b
Give the inverse of the scalar: 1 / a. warning: variable time
Give the inverse of the scalar using safe exponentiation: 1 / a
Compare 2 Scalar
convert a scalar from binary
convert a scalar to binary
Convert from an Integer to a P256 Scalar
Convert from a P256 Scalar to an Integer

BSD-style, John Galt <jgalt@centromere.net>, experimental, unknown, None
A Curve448 Diffie Hellman secret related to a public key and a secret key.
A Curve448 public key
A Curve448 Secret key
Try to build a public key from a bytearray
Try to build a secret key from a bytearray
Create a DhSecret from a bytearray object
Compute the Diffie Hellman secret from a public key and a secret key. This implementation may return an all-zero value as it does not check for the condition.
Create a public key from a secret key
Generate a secret key.
public
secret
public
basepoint
secret

BSD-style, Vincent Hanquez <vincent@snarc.org>, experimental, unknown, None
A Curve25519 Diffie Hellman secret related to a public key and a secret key.
A Curve25519 public key
A Curve25519 Secret key
Try to build a public key from a bytearray
Try to build a secret key from a bytearray
Create a DhSecret from a bytearray object
Compute the Diffie Hellman secret from a public key and a secret key. This implementation may return an all-zero value as it does not check for the condition.
Create a public key from a secret key
Generate a secret key.
public
secret
basepoint

Create a bcrypt hash for a password with a provided cost value. Typically used to create a hash when a new user account is registered or when a user changes their password. Each increment of the cost approximately doubles the time taken.
The 16 bytes of random salt will be generated internally.
Create a bcrypt hash for a password with a provided cost value and salt. Cost value under 4 will be automatically adjusted back to 10 for safety reason.
Check a password against a stored bcrypt hash when authenticating a user. Returns False if the password doesn't match the hash, or if the hash is invalid or an unsupported version.
Check a password against a bcrypt hash. As for validatePassword but will provide error information if the hash is invalid or an unsupported version.
Create a key schedule for the BCrypt EKS version. Salt must be a 128-bit byte array. Cost must be between 4 and 31 inclusive. See https://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-scheme/
The cost parameter. Should be between 4 and 31 (inclusive). Values which lie outside this range will be adjusted accordingly.
The password. Should be the UTF-8 encoded bytes of the password text.
The bcrypt hash in standard format.
The cost parameter. Should be between 4 and 31 (inclusive). Values which lie outside this range will be adjusted accordingly.
The salt. Must be 16 bytes in length or an error will be raised.
The password. Should be the UTF-8 encoded bytes of the password text.
The bcrypt hash in standard format.

BSD-style, Olivier Chéron <olivier.cheron@gmail.com>, experimental, unknown, None
A point on curve edwards25519.
A scalar modulo prime order of curve edwards25519.
Generate a random scalar.
Serialize a scalar to binary, i.e. a 32-byte little-endian number.
Deserialize a little-endian number as a scalar.
Input array can have any length from 0 to 64 bytes. Note: it is not advised to put secret information in the 3 lowest bits of a scalar if this scalar may be multiplied to untrusted points outside the prime-order subgroup.
Add two scalars.
Multiply two scalars.
Multiplies a scalar with the curve base point.
Serialize a point to a 32-byte array. Format is binary compatible with 1 from module Crypto.PubKey.Ed25519.
Deserialize a 32-byte array as a point, ensuring the point is valid on edwards25519. WARNING: variable time
Test whether a point belongs to the prime-order subgroup generated by the base point. Result is [ for the identity point. pointHasPrimeOrder p = > p == B l_minus_one p
Negate a point.
Add two points.
Add a point to itself. pointDouble p = ? p p
Multiply a point by h = 8. pointMulByCofactor p = B scalar_8 p
Scalar multiplication over curve edwards25519. Note: when the scalar had reduction modulo L and the input point has a torsion component, the output point may not be in the expected subgroup.
Multiply the point p with s2 and add a lifted to curve value s1. pointsMulVarTime s1 s2 p = ? (: s1) (B s2 p) WARNING: variable time

BSD-style, Olivier Chéron <olivier.cheron@gmail.com>, experimental, unknown, None
Nonce value for AES-GCM-SIV, always 12 bytes.
Nonce smart constructor. Accepts only 12-byte inputs.
Generate a random nonce for use with AES-GCM-SIV.
AEAD encryption with the specified key and nonce. The key must be given as an initialized  or  cipher. Lengths of additional data and plaintext must be less than 2^32 bytes, otherwise an exception is thrown.
AEAD decryption with the specified key and nonce.
The key must be given as an initialized  or  cipher. Lengths of additional data and ciphertext must be less than 2^32 bytes, otherwise an exception is thrown.

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Top bits policy when generating a number.
Set the highest bit.
Set the two highest bits.
Generate a number for a specific size of bits, and optionally set bottom and top bits. If the top bit policy is BT, then nothing is done on the highest bit (it's whatever the random generator set). If @generateOdd is set to [`, then the number generated is guaranteed to be odd. Otherwise it will be whatever is generated.
Generate a positive integer x, s.t. 0 <= x < range
Generate a number between the inclusive bound [low,high].
number of bits
top bit policy
force the number to be odd
range

Generate a valid scalar for a specific Curve
Elliptic Curve point negation: pointNegate c p returns point q such that pointAdd c p q == PointO.
Elliptic Curve point addition. WARNING: Vulnerable to timing attacks.
Elliptic Curve point doubling. WARNING: Vulnerable to timing attacks. This performs the following calculation:
> lambda = (3 * xp ^ 2 + a) / 2 yp
> xr = lambda ^ 2 - 2 xp
> yr = lambda (xp - xr) - yp
With binary curve:
> xp == 0 => P = O
> otherwise =>
> s = xp + (yp / xp)
> xr = s ^ 2 + s + a
> yr = xp ^ 2 + (s+1) * xr
Elliptic curve point multiplication using the base. WARNING: Vulnerable to timing attacks.
Elliptic curve point multiplication (double and add algorithm). WARNING: Vulnerable to timing attacks.
Elliptic curve double-scalar multiplication (uses Shamir's trick).
  pointAddTwoMuls c n1 p1 n2 p2 == pointAdd c (pointMul c n1 p1) (pointMul c n2 p2)
WARNING: Vulnerable to timing attacks.
Check if a point is the point at infinity.
Check if a point is on a specific curve. This performs three checks:
* x is not out of range
* y is not out of range
* the equation y^2 = x^3 + a*x + b (mod p) holds
div and mod

ECDSA Key Pair.
ECDSA Public Key.
ECDSA Private Key.
Represent an ECDSA signature, namely R and S.
ECDSA r
ECDSA s
Public key of an ECDSA Key pair.
Private key of an ECDSA Key pair.
Sign digest using the private key and an explicit k number. WARNING: Vulnerable to timing attacks.
Sign message using the private key and an explicit k number. WARNING: Vulnerable to timing attacks.
Sign digest using the private key. WARNING: Vulnerable to timing attacks.
Sign message using the private key. WARNING: Vulnerable to timing attacks.
Verify a digest using the public key.
Verify a bytestring using the public key.
k random number
private key
digest to sign
k random number
private key
hash function
message to sign

Generate Q given d. WARNING: Vulnerable to timing attacks.
Generate a pair of (private, public) key. WARNING: Vulnerable to timing attacks.
Elliptic Curve

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Represent a DSA key pair.
Represent a DSA private key. Only x needs to be secret. The DSA parameters are publicly shared with the other side.
DSA parameters
DSA private X
Represent a DSA public key.
DSA parameters
DSA public Y
Represent a DSA signature, namely R and S.
DSA r
DSA s
Represent DSA parameters, namely P, G, and Q.
DSA p
DSA g
DSA q
DSA Private Number, usually embedded in DSA Private Key
DSA Public Number, usually embedded in DSA Public Key
Public key of a DSA Key pair
Private key of a DSA Key pair
Generate a private number with no specific property. This number is usually called X in DSA text.
Calculate the public number from the parameters and the private key.
Sign message using the private key and an explicit k number.
Sign message using the private key.
Verify a bytestring using the public key.
k random number
private key
hash function
message to sign

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Returns if the number is probably prime. First a list of small primes is implicitly tested for divisibility, then a Fermat primality test is used with arbitrary numbers and then the Miller Rabin algorithm is used with an accuracy of 30 recursions.
Generate a prime number of the required bitsize (i.e. in the range [2^(b-1)+2^(b-2), 2^b)). May throw a  if the requested size is less than 5 bits, as the smallest prime meeting these conditions is 29. This function requires that the two highest bits are set, so that when multiplied with another prime to create a key, it is guaranteed to be of the proper size.
Generate a prime number of the form 2p+1 where p is also prime. It is also known as a Sophie Germain prime or safe prime. The number of safe primes is significantly smaller than the number of primes, as such it shouldn't be used if this number is supposed to be kept safe. May throw a l if the requested size is less than 6 bits, as the smallest safe prime with the two highest bits set is 59.
Find a prime from a starting point where the property holds.
Find a prime from a starting point with no specific property.
Miller Rabin algorithm: returns whether the number is probably prime or composite. The tries parameter is the number of recursions, which determines the accuracy of the test.
Probabilistic test using the Fermat primality test. Beware of Carmichael numbers that are Fermat liars, i.e. this test is useless for them. Always combine with some other test.
Test naively whether an integer is prime. While naive, we skip even numbers and stop iteration at i > sqrt(n).
Test whether two integers are coprime to each other.
List of the first primes till 2903.
number of iterations of the algorithm
starting a
number to test for primality

License: BSD-style; Maintainer: Carlos Rodriguez-Vega <crodveg@yahoo.es>; Stability: experimental; Portability: unknown
Error possible during encryption, decryption or signing.
the message to encrypt is too long
the message decrypted doesn't have an OAEP structure
some parameters lead to breaking assumptions
Generate primes p & q
size in bytes
condition prime p must satisfy
condition prime q must satisfy
chosen distinct primes p and q

License: BSD-style; Maintainer: Carlos Rodriguez-Vega <crodveg@yahoo.es>; Stability: experimental; Portability: unknown
Parameters for OAEP padding.
hash function to use
mask Gen algorithm to use
optional label prepended to message
Default Params with a specified hash function.
Pad a message using OAEP.
Un-pad an OAEP encoded message.
Seed
OAEP params to use
size of public key in bytes
Message pad
OAEP params to use
size of public key in bytes
encoded message (not encrypted)

License: BSD-style; Maintainer: Carlos Rodriguez-Vega <crodveg@yahoo.es>; Stability: experimental; Portability: unknown
Represent a Rabin-Williams private key.
p prime number
q prime number
Represent a Rabin-Williams public key.
size of key in bytes
public p*q
Generate a pair of (private, public) key of size in bytes. Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.
Encrypt plaintext using public key and a predefined OAEP seed. See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Encrypt plaintext using public key.
Decrypt ciphertext using private key.
Sign message using hash algorithm and private key.
Verify signature using hash algorithm and public key.
Encryption primitive 1
Encryption primitive 2
Decryption primitive 1
Decryption primitive 2
Seed
OAEP padding
public key
plaintext
OAEP padding parameters
public key
plaintext
OAEP padding parameters
private key
ciphertext
private key
hash function
message to sign
public key
hash function
message
signature

License: BSD-style; Maintainer: Carlos Rodriguez-Vega <crodveg@yahoo.es>; Stability: experimental; Portability: unknown
Represent a Modified-Rabin private key.
p prime number
q prime number
Represent a Modified-Rabin public key.
size of key in bytes
public p*q
Generate a pair of (private, public) key of size in bytes. Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.
Sign message using hash algorithm and private key.
Verify signature using hash algorithm and public key.
private key
hash function
message to sign
public key
hash function
message
signature

License: BSD-style; Maintainer: Carlos Rodriguez-Vega <crodveg@yahoo.es>; Stability: experimental; Portability: unknown
Rabin Signature.
Represent a Rabin private key.
p prime number
q prime number
Represent a Rabin public key.
size of key in bytes
public p*q
Generate a pair of (private, public) key of size in bytes. Primes p and q are both congruent 3 mod 4. See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Encrypt plaintext using public key and a predefined OAEP seed. See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Encrypt plaintext using public key.
Decrypt ciphertext using private key. See algorithm 8.12 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Sign message using padding, hash algorithm and private key. See https://en.wikipedia.org/wiki/Rabin_signature_algorithm.
Sign message using hash algorithm and private key. See https://en.wikipedia.org/wiki/Rabin_signature_algorithm.
Calculate hash of message and padding. If the padding is valid, then the result of the hash operation is returned, otherwise an error.
Verify signature using hash algorithm and public key. See https://en.wikipedia.org/wiki/Rabin_signature_algorithm.
Square roots modulo prime p where p is congruent 3 mod 4. Value a must be a quadratic residue modulo p (i.e. Jacobi symbol (a/n) = 1). See algorithm 3.36 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Square roots modulo n given its prime factors p and q (both congruent 3 mod 4). Value a must be a quadratic residue of both modulo p and modulo q (i.e.
Jacobi symbols (a/p) = (a/q) = 1). See algorithm 3.44 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
Seed
OAEP padding
public key
plaintext
OAEP padding parameters
public key
plaintext
OAEP padding parameters
private key
ciphertext
padding
private key
hash function
message to sign
private key
hash function
message to sign
padding
private key
hash function
message to sign
private key
hash function
message
signature
prime p
prime p
prime q
c such that c*p + d*q = 1
d such that c*p + d*q = 1
n = p*q

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Generate a key pair given p and q. p and q need to be distinct prime numbers. e needs to be coprime to phi=(p-1)*(q-1). If that's not the case, the function will not return a key pair. A small hamming weight results in better performance.
* e=0x10001 is a popular choice
* e=3 is popular as well, but proven to not be as secure for some cases.
Generate a pair of (private, public) key of size in bytes.
Generate a blinder to use with decryption and signing operation. The unique parameter apart from the random number generator is the public key value N.
chosen distinct primes p and q
size in bytes
RSA public exponent e
size in bytes
RSA public exponent e
RSA public N parameter.

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Parameters for PSS signature/verification.
Hash function to use
Mask Gen algorithm to use
Length of salt.
need to be <= to hLen.
Trailer field, usually 0xbc
Default Params with a specified hash function
Default Params using SHA1 algorithm.
Sign using the PSS parameters and the salt explicitly passed as parameters. The function ignores SaltLength from the PSS Parameters.
Sign using the PSS parameters and the salt explicitly passed as parameters. The function ignores SaltLength from the PSS Parameters.
Sign using the PSS Parameters
Sign using the PSS Parameters
Sign using the PSS Parameters and an automatically generated blinder.
Sign using the PSS Parameters and an automatically generated blinder.
Verify a signature using the PSS Parameters
Verify a signature using the PSS Parameters
Salt to use
optional blinder to use
PSS Parameters to use
RSA Private Key
Message digest
Salt to use
optional blinder to use
PSS Parameters to use
RSA Private Key
Message to sign
optional blinder to use
PSS Parameters to use
RSA Private Key
Message to sign
optional blinder to use
PSS Parameters to use
RSA Private Key
Message digest
PSS Parameters to use
private key
message to sign
PSS Parameters to use
private key
message digest
PSS Parameters to use to verify; these need to be identical to the parameters used when signing
RSA Public Key
Message to verify
Signature
PSS Parameters to use to verify; these need to be identical to the parameters used when signing
RSA Public Key
Digest to verify
Signature

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
A specialized class for hash
algorithm that can produce an ASN1 wrapped description of the algorithm plus the content of the digest.
Convert a Digest into an ASN1 wrapped descriptive ByteArray
This produces a standard PKCS1.5 padding for encryption
Produce a standard PKCS1.5 padding for signature
Try to remove a standard PKCS1.5 encryption padding.
Decrypt message using the private key. When the decryption is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None. If unsure always set a blinder or use decryptSafer. The message is returned un-padded.
Decrypt message using the private key and by automatically generating a blinder.
Encrypt a bytestring using the public key. The message needs to be smaller than the key size - 11. The message should not be padded.
Sign message using private key, a hash and its ASN1 description. When the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None. If unsure always set a blinder or use signSafer.
Sign message using the private key and by automatically generating a blinder.
Verify message with the signed message
Make signature digest, used in ? and A
optional blinder
RSA private key
cipher text
RSA private key
cipher text
optional blinder
hash algorithm
private key
message to sign
Hash algorithm
private key
message to sign
optional hashing algorithm

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Parameters for OAEP encryption/decryption
Hash function to use.
Mask Gen algorithm to use.
Optional label prepended to message.
Default Params with a specified hash function
Encrypt a message using OAEP with a predefined seed.
Encrypt a message using OAEP
Un-pad an OAEP encoded message. It doesn't apply the RSA decryption primitive.
Decrypt a ciphertext using OAEP. When the signature is not in a context where an attacker could gain information from the timing of the operation, the blinder can be set to None. If unsure always set a blinder or use decryptSafer.
Decrypt a ciphertext using OAEP and by automatically generating a blinder.
Seed
OAEP params to use for encryption
Public key.
Message to encrypt
OAEP params to use for encryption.
Public key.
Message to encrypt
OAEP params to use
size of the key in bytes
encoded message (not encrypted)
Optional blinder
OAEP params to use for decryption
Private key
Cipher text
OAEP params to use for decryption
Private key
Cipher text

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
Represent Diffie Hellman shared secret.
Represent Diffie Hellman private number X.
Represent Diffie Hellman public number Y.
Represent Diffie Hellman parameters, namely P (prime) and G (generator).
Generate params from a specific generator (2 or 5 are common values). We generate a safe prime (a prime number of the form 2p+1 where p is also prime).
Generate a private number with no specific property. This number is usually called X in DH text.
Calculate the public number from the parameters and the private key. This number is usually called Y in DH text.
Calculate the public number from the parameters and the private key. This number is usually called Y in DH text. DEPRECATED use calculatePublic
Generate a shared key using our private number and the other party's public number.
number of bits
generator

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: Good
ElGamal Ephemeral key. Also called Temporary key.
ElGamal Signature
Generate a private number with no specific property. This number is usually called a and needs to be between 0 and q (order of the group G).
Generate an ephemeral key which is a number with no specific property, and needs to be between 0 and q (order of the group G).
Generate a public number that is for the other party's benefit.
this number is usually called h=g^a
Encrypt with a specified ephemeral key. Do not reuse ephemeral key.
Encrypt a message using params and public keys. Will generate b (called the ephemeral key).
Decrypt message
Sign a message with an explicit k number. If k is not appropriate, then no signature is returned. With some appropriate value of k, the signature generation can fail, and no signature is returned. Users of this function need to retry with a different k value.
Sign message. This function will generate a random number, however as the signature might fail, the function will automatically retry until a proper signature has been created.
Verify a signature
random number k, between 0 and p-1 and gcd(k,p-1)=1
DH params (p,g)
DH private key
collision resistant hash algorithm
message to sign
DH params (p,g)
DH private key
collision resistant hash algorithm
message to sign

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: unknown
Generating a private number d.
Generating a public point Q.
Generating a shared key using our private number and the other party's public point.

Generate a valid scalar for a specific Curve
Elliptic Curve point negation: pointNegate p returns point q such that pointAdd p q == PointO.
Elliptic Curve point addition. WARNING: Vulnerable to timing attacks.
Elliptic Curve point doubling. WARNING: Vulnerable to timing attacks. This performs the following calculation:
> lambda = (3 * xp ^ 2 + a) / 2 yp
> xr = lambda ^ 2 - 2 xp
> yr = lambda (xp - xr) - yp
With binary curve:
> xp == 0 => P = O
> otherwise =>
> s = xp + (yp / xp)
> xr = s ^ 2 + s + a
> yr = xp ^ 2 + (s+1) * xr
Elliptic curve point multiplication using the base. WARNING: Vulnerable to timing attacks.
Elliptic curve point multiplication (double and add algorithm). WARNING: Vulnerable to timing attacks.
Elliptic curve double-scalar multiplication (uses Shamir's trick).
  pointAddTwoMuls n1 p1 n2 p2 == pointAdd (pointMul n1 p1) (pointMul n2 p2)
WARNING: Vulnerable to timing attacks.
Check if a point is the point at infinity.
Make a point on a curve from integer (x,y) coordinates. If the point is not valid related to the curve then an error is returned instead of a point.
Check if a point is on a specific curve. This performs three checks:
* x is not out of range
* y is not out of range
* the equation y^2 = x^3 + a*x + b (mod p) holds
div and mod

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: unknown
P256 Curve also known as P256
Get the curve order size in bits
Multiply a scalar with the curve base point
Multiply the point p with s2
and add a lifted to curve value s1
Encode an elliptic curve scalar into big-endian form
Try to decode the big-endian form of an elliptic curve scalar
Convert an elliptic curve scalar to an integer
Try to create an elliptic curve scalar from an integer
Add two scalars and reduce modulo the curve order
Multiply two scalars and reduce modulo the curve order
Add points on a curve
Negate a curve point
Scalar Multiplication on a curve
Generate a Diffie Hellman secret value. This is generally just the .x coordinate of the resulting point, that is not hashed. use $ to keep the result in Point format. WARNING: Curve implementations may return a special value or an exception when the public point lies in a subgroup of small order. This function is adequate when the scalar is in expected range and contributory behaviour is not needed. Otherwise use .
Generate a Diffie Hellman secret value and verify that the result is not the point at infinity. This additional test avoids risks existing with function #. Implementations always return a  - instead of a special value or an exception.
Point on an Elliptic Curve
Scalar in the Elliptic Curve domain
Generate a new random scalar on the curve. The scalar will represent a number between 1 and the order of the curve non included
Generate a new random keypair
Get the curve size in bits
Encode an elliptic curve point into binary form
Try to decode the binary form of an elliptic curve point
An elliptic curve key pair composed of the private part (a scalar), and the associated point.

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: unknown
Generate a new random shared secret and the associated point to do an ECIES style encryption
Derive the shared secret with the receiver key and the R point of the scheme.
representation of the curve
the public key of the receiver
representation of the curve
The received R (supposedly, randomly generated on the encrypt side)
The secret key of the receiver

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: unknown
Elliptic curves with ECDSA capabilities.
Is a scalar in the accepted range for ECDSA
Test whether the scalar is zero
Scalar inversion modulo the curve order
Return the point X coordinate as a scalar
ECDSA Private Key.
ECDSA Public Key.
Represent an ECDSA signature, namely R and S.
ECDSA r
ECDSA s
Create a signature from integers (R, S).
Get integers (R, S) from a signature. The values can then be used to encode the signature to binary with ASN.1.
Encode a public key into binary form, i.e. the uncompressed encoding referenced from RFC 5480 section 2.2 (https://tools.ietf.org/html/rfc5480).
Try to decode the binary form of a public key.
Encode a private key into binary form, i.e. the privateKey field described in RFC 5915 (https://tools.ietf.org/html/rfc5915).
Try to decode the binary form of a private key.
Create a public key from a private key.
Sign digest using the private key and an explicit k scalar.
Sign message using the private key and an explicit k scalar.
Sign a digest using hash and private key.
Sign a message using hash and private key.
Verify a digest using hash and public key.
Verify a signature using hash and public key.
Truncate a digest based on curve order size.

License: BSD-style; Maintainer: Vincent Hanquez <vincent@snarc.org>; Stability: experimental; Portability: unknown
Split data to diffused data, using a random generator and a hash algorithm. The diffused data will consist of random data for (expandTimes-1) then the last block will be xor of the accumulated random data diffused by the hash algorithm.

 ----------
 -  orig  -
 ----------

 ---------- ---------- --------------
 - rand1  - - rand2  - - orig ^ acc -
 ---------- ---------- --------------

where acc is : acc(n+1) = hash (n ++ rand(n)) ^ acc(n)
Merge previously diffused data back to the original data.
inplace Xor with an input dst = src @ dst
Hash algorithm to use as diffuser
Random generator to use
Number of times to diffuse the data.
original data to diffuse.
The diffused data
Hash algorithm used as diffuser
Number of times to un-diffuse the data
Diffused data
Original data
Hash function to use as diffuser
buffer to diffuse, modify in place
length of buffer to diffuse

License: BSD-style; Maintainer: Olivier Chéron <olivier.cheron@gmail.com>; Stability: experimental; Portability: unknown
CPU options impacting cryptography implementation and library performance.
Support for AES instructions, with flag support_aesni
Support for CLMUL instructions, with flag support_pclmuldq
Support for RDRAND instruction, with flag support_rdrand
Options which have been enabled at compile time and are supported by the current CPU.

Package: cryptonite-0.27-1OR6zYa0VCy6lkihzS4RoV
hashInternal$fEqParameters$fOrdParameters$fShowParametersCMACcmacsubKeys$fEqCMAC$fByteArrayAccessCMACHMAC hmacGetDigesthmacupdateupdatesfinalize$fEqHMAC$fByteArrayAccessHMACPRFprfHMACfastPBKDF2_SHA1fastPBKDF2_SHA256fastPBKDF2_SHA512nrpPRKextract extractSkipexpand$fByteArrayAccessPRK$fEqPRKKMAC kmacGetDigestkmac$fEqKMAC$fByteArrayAccessKMACAuthCtxauthTagauth$fEqAuth$fByteArrayAccessAuth $fNFDataAuthNoncenonce12nonce8incrementNonce appendAAD finalizeAADencryptdecrypt$fByteArrayAccessNoncesqrtigcdeareEvenlog2numBitsnumBytesasPowerOf2AndOddBinaryPolynomialaddF2mmodF2mmulF2m squareF2m squareF2m'powF2msqrtF2minvF2mdivF2mexpSafeexpFastinverseinverseCoprimesjacobi inverseFermat squareRoot!$fExceptionCoprimesAssertionError $fExceptionModulusAssertionError$fShowCoprimesAssertionError$fShowModulusAssertionErrorisDivisibleBy8isAtMost isAtLeasti2ospi2ospOfos2ipi2ospOf_ ClockSkewNoSkewOneStepTwoSteps ThreeSteps FourSteps TOTPParamsOTPTime OTPDigitsOTP4OTP5OTP6OTP7OTP8OTP9OTPhotp resynchronizedefaultTOTPParams mkTOTPParamstotp totpVerify$fShowOTPDigits$fEnumClockSkew$fShowClockSkew$fShowTOTPParams CurveName SEC_p112r1 SEC_p112r2 SEC_p128r1 SEC_p128r2 SEC_p160k1 SEC_p160r1 SEC_p160r2 SEC_p192k1 SEC_p192r1 SEC_p224k1 SEC_p224r1 SEC_p256k1 SEC_p256r1 SEC_p384r1 SEC_p521r1 SEC_t113r1 SEC_t113r2 SEC_t131r1 SEC_t131r2 SEC_t163k1 SEC_t163r1 SEC_t163r2 SEC_t193r1 SEC_t193r2 SEC_t233k1 SEC_t233r1 SEC_t239k1 SEC_t283k1 SEC_t283r1 SEC_t409k1 SEC_t409r1 SEC_t571k1 SEC_t571r1 CurveCommonecc_aecc_becc_gecc_necc_h CurvePrime CurveBinaryPointPointO PrivateNumber PublicPointCurveCurveF2mCurveFP common_curveecc_fxecc_p curveSizeBitsgetCurveByName $fNFDataPoint$fNFDataCurveBinary $fShowPoint $fReadPoint $fEqPoint $fDataPoint$fShowCurveCommon$fReadCurveCommon$fEqCurveCommon$fDataCurveCommon$fShowCurvePrime$fReadCurvePrime$fEqCurvePrime$fDataCurvePrime$fShowCurveBinary$fReadCurveBinary$fEqCurveBinary$fDataCurveBinary $fShowCurve $fReadCurve $fEqCurve $fDataCurve$fShowCurveName$fReadCurveName 
$fEqCurveName$fOrdCurveName$fEnumCurveName$fBoundedCurveName$fDataCurveNameMaskGenAlgorithmmgf1KeyPair PrivateKey private_pub private_d private_p private_q private_dP private_dQ private_qinv public_sizepublic_npublic_eErrorMessageSizeIncorrectMessageTooLongMessageNotRecognizedSignatureTooLongInvalidParametersBlinder private_size private_n private_e toPublicKey toPrivateKey$fNFDataPublicKey$fNFDataPrivateKey $fShowBlinder $fEqBlinder $fShowError $fEqError$fShowPublicKey$fReadPublicKey $fEqPublicKey$fDataPublicKey$fShowPrivateKey$fReadPrivateKey$fEqPrivateKey$fDataPrivateKey $fShowKeyPair $fReadKeyPair $fEqKeyPair $fDataKeyPair$fNFDataKeyPairdpepEntropyBackendsupportedBackends gatherBackend replenish getEntropy EntropyPoolcreateEntropyPoolWithcreateEntropyPoolgetEntropyFromMonadPseudoRandomDRGrandomBytesGenerate MonadRandomgetRandomByteswithDRG$fMonadRandomIO$fMonadRandomMonadPseudoRandom$fMonadMonadPseudoRandom$fApplicativeMonadPseudoRandom$fFunctorMonadPseudoRandom SystemDRG getSystemDRG ChaChaDRGSeedseedNew seedToIntegerseedFromIntegerseedFromBinarydrgNew drgNewSeed drgNewTestwithRandomBytes$fByteArrayAccessSeed Signature SecretKey publicKey secretKey signaturetoPublicsignverifygenerateSecretKey publicKeySize secretKeySize signatureSize$fShowSecretKey $fEqSecretKey$fByteArrayAccessSecretKey$fNFDataSecretKey$fByteArrayAccessPublicKey$fShowSignature $fEqSignature$fByteArrayAccessSignature$fNFDataSignatureScalar pointBasetoPointpointAdd pointNegatepointMulpointDhpointsMulVarTime pointIsValidpointIsAtInfinitypointXpointToIntegerspointFromIntegers pointToBinarypointFromBinaryunsafePointFromBinaryscalarGenerate scalarZeroscalarN scalarIsZero scalarAdd scalarSub scalarMul scalarInv scalarInvSafe scalarCmpscalarFromBinaryscalarToBinaryscalarFromIntegerscalarToInteger $fShowScalar $fEqScalar$fByteArrayAccessScalar$fNFDataScalarDhSecretdhSecretdh$fShowDhSecret $fEqDhSecret$fByteArrayAccessDhSecret$fNFDataDhSecret hashPasswordbcryptvalidatePasswordvalidatePasswordEither 
scalarEncodescalarDecodeLong pointEncode pointDecodepointHasPrimeOrder pointDoublepointMulByCofactornonce generateNonce $fShowNonce $fEqNonce GenTopPolicy SetHighest SetTwoHighestgenerateParams generateMaxgenerateBetween$fShowGenTopPolicy$fEqGenTopPolicy pointBaseMulpointAddTwoMulsisPointAtInfinity isPointValid public_curvepublic_q private_curvesign_rsign_ssignDigestWithsignWith signDigest verifyDigest$fReadSignature$fDataSignature generateQprivate_params private_x public_paramspublic_yParamsparams_pparams_gparams_q PublicNumbergeneratePrivatecalculatePublic$fNFDataParams $fShowParams $fReadParams $fEqParams $fDataParamsisProbablyPrime generatePrimegenerateSafePrimefindPrimeFromWith findPrimeFromprimalityTestMillerRabinprimalityTestFermatprimalityTestNaive isCoprimegeneratePrimes OAEPParamsoaepHashoaepMaskGenAlg oaepLabeldefaultOAEPParamsencryptWithSeed private_a private_b generateWithgenerateBlinder PSSParamspssHash pssMaskGenAlg pssSaltLengthpssTrailerFielddefaultPSSParamsdefaultPSSParamsSHA1signDigestWithSalt signWithSalt signSafersignDigestSaferHashAlgorithmASN1 padSignature decryptSafer$fHashAlgorithmASN1RIPEMD160$fHashAlgorithmASN1SHA512t_256$fHashAlgorithmASN1SHA512t_224$fHashAlgorithmASN1SHA512$fHashAlgorithmASN1SHA384$fHashAlgorithmASN1SHA256$fHashAlgorithmASN1SHA224$fHashAlgorithmASN1SHA1$fHashAlgorithmASN1MD5$fHashAlgorithmASN1MD2 SharedKey params_bitsgeneratePublic getShared$fShowPublicNumber$fReadPublicNumber$fEqPublicNumber$fEnumPublicNumber$fRealPublicNumber$fNumPublicNumber$fOrdPublicNumber$fNFDataPublicNumber$fShowPrivateNumber$fReadPrivateNumber$fEqPrivateNumber$fEnumPrivateNumber$fRealPrivateNumber$fNumPrivateNumber$fOrdPrivateNumber$fNFDataPrivateNumber$fShowSharedKey $fEqSharedKey$fByteArrayAccessSharedKey$fNFDataSharedKeyCurve_Edwards25519 Curve_X448 Curve_X25519 Curve_P521R1 Curve_P384R1 Curve_P256R1EllipticCurveBasepointArithcurveOrderBits pointBaseSmulpointsSmulVarTime encodeScalar decodeScalarEllipticCurveArith 
pointSmulEllipticCurveDHecdhRawecdh EllipticCurvecurveGenerateScalarcurveGenerateKeyPair encodePoint decodePoint SharedSecretkeypairGetPublickeypairGetPrivate)$fEllipticCurveBasepointArithCurve_P256R1$fEllipticCurveDHCurve_P256R1 $fEllipticCurveArithCurve_P256R1$fEllipticCurveCurve_P256R1)$fEllipticCurveBasepointArithCurve_P384R1$fEllipticCurveDHCurve_P384R1 $fEllipticCurveArithCurve_P384R1$fEllipticCurveCurve_P384R1)$fEllipticCurveBasepointArithCurve_P521R1$fEllipticCurveDHCurve_P521R1 $fEllipticCurveArithCurve_P521R1$fEllipticCurveCurve_P521R1$fEllipticCurveDHCurve_X25519$fEllipticCurveCurve_X25519$fEllipticCurveDHCurve_X448$fEllipticCurveCurve_X448/$fEllipticCurveBasepointArithCurve_Edwards25519&$fEllipticCurveArithCurve_Edwards25519!$fEllipticCurveCurve_Edwards25519$fEqSharedSecret$fByteArrayAccessSharedSecret$fNFDataSharedSecret$fShowCurve_P256R1$fDataCurve_P256R1$fShowCurve_P384R1$fDataCurve_P384R1$fShowCurve_P521R1$fDataCurve_P521R1$fShowCurve_X25519$fDataCurve_X25519$fShowCurve_X448$fDataCurve_X448$fShowCurve_Edwards25519$fDataCurve_Edwards25519 deriveEncrypt deriveDecryptEllipticCurveECDSA scalarIsValidsignatureFromIntegerssignatureToIntegers encodePublic decodePublic encodePrivate decodePrivate $fEllipticCurveECDSACurve_P521R1 $fEllipticCurveECDSACurve_P384R1 $fEllipticCurveECDSACurve_P256R1splitmergeProcessorOptionAESNIPCLMULRDRANDprocessorOptions$fShowProcessorOption$fEqProcessorOption$fEnumProcessorOption$fDataProcessorOptionBlockunBlockbase Data.Eithereither unsafeDoIO GHC.IO.UnsafeunsafeDupablePerformIOGHC.Word byteSwap64 Data.BitspopCount$memory-0.15.0-BDpL7xANPQtKTtLLiFSTuVData.ByteArray.BytesBytesData.ByteArray.EncodingconvertFromBase convertToBaseBaseBase16Base32Base64Base64URLUnpadded Base64OpenBSDData.ByteArray.Mapping mapAsWord64 mapAsWord128 fromW64BEtoW64LEtoW64BEData.ByteArray.ViewdropViewtakeViewviewViewData.ByteArray.MethodsconvertallanyconstEqeqzero replicate copyAndFreezecopyRetcopyappendconcatreversespandroptakesplitAtindexxorsnoccons 
singletonunconsunpackpacknullempty unsafeCreateallocAndFreezecreateallocData.ByteArray.ScrubbedBytes ScrubbedBytesData.ByteArray.MemViewMemViewData.ByteArray.TypesByteArrayAccesslength withByteArraycopyByteArrayToPtr ByteArrayallocRet constAllZerochunkbe32Primle32Primbyteswap32Prim convert4To32 booleanPrimdeepseq-1.4.4.0Control.DeepSeqNFDatarnfGHC.Base<$ Applicativepure<*>*>liftA2<*ghc-prim GHC.TypesWordWord8Word16Word32Word64Data.TraversableforMControl.Applicativeoptional WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowZipList getZipList Control.ArrowfirstsecondData.Functor.ConstConstgetConst Data.FoldableforM_ byteSwap32 byteSwap16 Data.Functorvoid<$>liftA3liftA<**> Alternative<|>somemanyxtsGFMulXTSstep c_rc4_init c_rc4_combineAESCCMAESOCBAESGCMAESgcmModeocbModeccmModeinitAES encryptECB encryptCBCgenCTR genCounter encryptCTR encryptXTS decryptECB decryptCBC decryptCTR decryptXTS combineC32gcmInit gcmAppendAADgcmAppendEncryptgcmAppendDecrypt gcmFinishocbInit ocbAppendAADocbAppendEncryptocbAppendDecrypt ocbFinishccmInit ccmAppendAAD ccmEncrypt ccmDecrypt ccmFinishMod8IsDiv8Div8byteLenintegralNatValNatcshakeInternalFinalizecshakeOutputLengthMutableArray32Array64Array32Array8array8array32array32FromAddrBEallocArray32AndFreezearray64mutableArray32mutableArray32FromAddrBEmutableArray32Freeze arrayRead8 arrayRead32 arrayRead64mutableArrayRead32mutableArrayWrite32mutableArrayWriteXor32 initTwofishTwofishKeybuildKeycopyKeySchedulecreateKeySchedule KeySchedule initBlowfishfreezeKeySchedule cipherBlockcipherBlockMutableexpandKeyWithSaltAnyexpandKeyWithSalt128 expandKeyexpandKeyWithSaltw64to32w32to64Data.Memory.ExtendedWordsWord128Camellia initCamellia expandIPT' GmpSupportedonGmpUnsupportedgmpGcdegmpLog2gmpPowModSecIntegergmpPowModInteger gmpInverse gmpNextPrimegmpTestPrimeMillerRabingmpSizeInBytes gmpSizeInBitsgmpExportIntegergmpExportIntegerLEgmpImportIntegergmpImportIntegerLEGmpUnsupportedCurveParameters curveEccA curveEccB curveEccG curveEccN 
curveEccHcurveSizeBytes$fCurveSEC_p112r1 CurveTypeCurvePrimeParamCurveBinaryParamcurveParameters curveTypegcdF2m GHC.MaybeNothingModulusAssertionErrorCoprimesAssertionErrorexponentiationand'&&! dsaTruncHashdsaTruncHashDigestmultiplication EntropySource entropyOpen entropyGather entropyCloseRDRand DevURandom DevRandom openBackend getEntropyPtrinitializeWords probabilisticdecaf_x448_derive_public_key decaf_x448ccryptonite_curve25519expensiveBlowfishContextTruedivmod firstPrimesep1ep2dp1dp2 calculateHashsqrootsqroot'hashDigestASN1 makeSignature EphemeralKeygenerateEphemeral encryptWith tHashDigestxorMemdiffuse