Haddock interface for package eccrypto-0.1.0 (eccrypto-0.1.0-L1XkXjfEFEJBGwYQXS2UOJ)

Modules:
  Crypto.Common
  Crypto.Fi
  Crypto.ECC.Weierstrass.Internal.Curvemath
  Crypto.ECC.Weierstrass.StandardCurves
  Crypto.ECC.Weierstrass.ECDH
  Crypto.ECC.Ed25519.Internal.Ed25519
  Crypto.ECC.Ed25519.Sign
  Crypto.ECC.Weierstrass.ECDSA
  Crypto.ECC.Weierstrass.Internal
  Crypto.ECC.Ed25519.Internal

The module headers and documentation strings follow in the order they appear in the interface file.

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: experimental; Portability: Good; Safe Haskell: Trustworthy
  return the maximum value storable in a Word
  return the bitSize of a Word
  determine the needed storage for a bitlength in Words
  returning the binary length of an Integer, uses integer-gmp directly
  we want word w at position i to result in a word to multiply by, eliminating branching

Copyright: (c) Marcel Fourné 20[14..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: beta; Portability: Good; Safe Haskell: Safe
  a simple wrapper to ease transition
  most trivial (==) wrapper
  (+) in the field
  (+) in the field
  (-) in the field
  (-) in the field
  negation in the field
  bitshift wrapper
  modular reduction, a simple wrapper around mod
  field multiplication, a * b
  field multiplication, a * b `mod` p
  simple squaring in the field
  the power function in the field, for 1>= k < p
  field inversion
  conversion wrapper with a limit
  a most simple conversion wrapper
  like testBit, but give either 0 or 1

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: beta; Portability: Good; Safe Haskell: Safe
  data of Elliptic Curve Points
  all Elliptic Curves, the parameters being the BitLength L, A, B and P
  internal function, codifies point at infinity, is used in comparisons
  translate point in internal format to a pair of Integers in affine x and y coordinate | this is intended as interface to other libraries
  generic getter, returning the affine x and y-value
  add an elliptic point onto itself, base for padd a a
  add 2 elliptic points
  "generic" verify, if generic ECP is on EC via getxA and getyA
  Point Multiplication.

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: beta; Portability: Good; Safe Haskell: Safe
  (no documentation strings)

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: experimental; Portability: Good; Safe Haskell: Safe
  Datatype for defined Standard Curves
  NIST Prime Curve P-192
  NIST Prime Curve P-224
  NIST Prime Curve P-256
  NIST Prime Curve P-384
  NIST Prime Curve P-521

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: experimental; Portability: Good; Safe Haskell: Safe
  basic ecdh for testing

Copyright: (c) Marcel Fourné 20[14..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: alpha; Portability: Bad; Safe Haskell: Safe
  just a newtype for the signature with appended message
  just a newtype for the message
  just a newtype for the signature (string of 2*32 bytes, b=256 bit)
  just a wrapper for the secret key as a number
  just a wrapper for the secret key (string of 32 bytes, b=256 bit)
  just a newtype for the public key as a point on the Edwards curve
  just a newtype for the public key (string of 32 bytes, b=256 bit)
  Result of verifying a signature should only yield if it's good or bad, not more, but contains an error string if underlying primitives failed
  clear signal that everything is ok
  twisted Edwards curve point, extended point format (x,y,z,t), neutral element (0,1,1,0), c=1, a=-1 https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html, after "Twisted Edwards curves revisited" eprint 2008/522
  working on exactly 256 bits
  the large prime
  curve parameter l, the group order, f.e. needed to use Fermat's little theorem
  curve parameter d, non-square element, -(121665/121666)
  sqrt (-1) on our curve
  wrapper for our hash function
  the prehash function, id in PureEdDSA
  the y coordinate of the base point of the curve
  additive neutral element, really (0,Z,Z,0)
  special form of FPrime, no bits set
  special form of FPrime, lowest bit set
  special form of FPrime, all bits set
  recover the x coordinate from the y coordinate and a signum
  base point on the curve
  point negation
  k=2*d, constant used for point addition
  point addition add-2008-hwcd-3
  point doubling
  scalar multiplication, branchfree in k, pattern-matched branch on j (static known length of k)
  check if Point is on the curve, prevent some attacks
  make scalar format Point from projective coordinates
  convert a point on the curve to a ByteString
  convert a ByteString to a point on the curve
  clamping of a string of bytes to make it suitable for usage on the (clamped) Edwards curve in Ed25519, reduces cofactor [ b Bits ] 001..1000 010..0 BigEndian 01x..x000 ==> ((getFPrime N) .&. (2^254-1-(2^0+2^1+2^2)) .|. (2^254)) .&. 28948022309329048855892746252171976963317496166410141009864396001978282409976 .|. 28948022309329048855892746252171976963317496166410141009864396001978282409984
  convert an 8 Byte little endian ByteString to either an error String (if too short) or a big endian FPrime
  convert a big endian FPrime to an 8 Byte little endian ByteString
  converts 32 little endian bytes into one FPrime
  converts 64 little endian bytes into one FPrime
  converts one FPrime into exactly 32 little endian bytes

Copyright: (c) Marcel Fourné 20[14..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: alpha; Portability: Bad; Safe Haskell: Trustworthy
  generate a new key pair (secret and derived public key) using some external entropy | This may be insecure, depending on your environment, so it's better to use the genkeys function and supply a random number generator which is secure for your usage case!
  generate a new key pair (secret and derived public key) using the supplied randomness-generator
  derive public key from secret key
  sign with secret key the message, resulting in message appended to the signature
  wrapper around dverify, in case we work with a signed message, i.e. the signature with appended message
  sign the message m with secret key sk, resulting in a detached signature
  in: public key, message and signature, out: is the signature valid for public key and message?

Copyright: (c) Marcel Fourné 20[14..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: alpha; Portability: Bad; Safe Haskell: Safe
  (no documentation strings)

Copyright: (c) Marcel Fourné 20[09..]; License: BSD3; Maintainer: Marcel Fourné (haskell@marcelfourne.de); Stability: experimental; Portability: Good; Safe Haskell: Safe
  basic ecdsa for testing
  basic ECDSA verification
  using SHA-256

Names in the symbol index:
  wordMax, wordSize, sizeinWords, log2len, testcond
  FPrime, eq, add, addr, sub, subr, neg, shift, redc, mul, mulr, square, pow, inv, fromInteger, toInteger, condBit
  ECPF, ECP, p, EC, ECi, isinf, export, affine, pdouble, padd, ison, pmul, $fShowEC, $fEqEC, $fShowECPF, $fEqECPF
  StandardCurve, stdc_l, stdc_p, stdc_r, stdc_b, stdc_xp, stdc_yp, p192, p224, p256, p384, p521
  basicecdh
  SignedMessage, Message, Signature, SecFPrime, SecNum, SecKey, SecKeyBytes, PubKeyPoint, PubKey, VerifyResult, SigOK, Point
  b, q, l, d, i, h, ph, by, inf, null, eins, alleeins, xrecover, bPoint, pneg, k, scale, pointtobs, bstopoint, clamp, convertLE8ByteTo64BE, convert64BEtoLE8Byte, getFPrime32, getFPrime64, putFPrime, $fEqPoint, $fShowPoint, $fShowSigOK, $fEqSigOK
  genkeysSimple, genkeys, publickey, sign, verify, dsign, dverify
  basicecdsa, basicecdsaVerify
  mod (from GHC.Real, package base)