úÎ!t,n?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi (c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de) experimentalGood TrustworthyF Keccrypto+return the maximum value storable in a Wordeccryptoreturn the bitSize of a Wordeccrypto5determine the needed storage for a bitlength in WordseccryptoDreturning the binary length of an Integer, uses integer-gmp directlyeccryptoVwe want word w at position i to result in a word to multiply by, eliminating branching(c) Marcel Fourné 20[14..]BSD3'Marcel Fourné (haskell@marcelfourne.de)betaGoodSafeÍeccrypto#a simple wrapper to ease transitioneccryptomost trivial (==) wrappereccrypto(+) in the fieldeccrypto(+) in the field eccrypto(-) in the field eccrypto(-) in the field eccryptonegation in the field eccryptobitshift wrapper eccrypto.modular reduction, a simple wrapper around modeccryptofield multiplication, a * beccryptofield multiplication, a * b j peccryptosimple squaring in the fieldeccrypto.the power function in the field, for 1>= k < peccryptofield inversioneccryptoconversion wrapper with a limiteccrypto a most simple conversion wrappereccrypto$like testBit, but give either 0 or 1   (c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de)betaGoodSafe&'2m#Z eccryptodata of Elliptic Curve PointseccryptoEall Elliptic Curves, the parameters being the BitLength L, A, B and PeccryptoEinternal function, codifies point at infinity, is used in comparisonseccrypto‰translate point in internal format to a pair of Integers in affine x and y coordinate | this is intended as interface to other librarieseccrypto2generic getter, returning the affine x and y-valueeccrypto4add an elliptic point onto itself, base for padd a aeccryptoadd 2 elliptic pointseccrypto="generic" verify, if generic ECP is on EC via getxA and getyA eccryptoPoint Multiplication.   (c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de)betaGoodSafe%!   (c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de) experimentalGoodSafe2*L%eccrypto$Datatype for defined Standard Curves-eccryptoNIST Prime Curve P-192.eccryptoNIST Prime Curve P-224/eccryptoNIST Prime Curve P-2560eccryptoNIST Prime Curve P-3841eccryptoNIST Prime Curve P-521 %&,+*)('-./01 %&,+*)('-./01(c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de) experimentalGoodSafe,Å2eccryptobasic ecdh for testing22(c) Marcel Fourné 20[14..]BSD3'Marcel Fourné (haskell@marcelfourne.de)alphaBad TrustworthyX[©'3eccrypto6just a newtype for the signature with appended message4eccryptojust a newtype for the message5eccryptoBjust a newtype for the signature (string of 2*32 bytes, b=256 bit)6eccrypto-just a wrapper for the secret key as a number8eccryptoAjust a wrapper for the secret key (string of 32 bytes, b=256 bit):eccryptoAjust a newtype for the public key as a point on the Edwards curve;eccryptoBjust a newtype for the public key (string of 32 bytes, b=256 bit)<eccryptoResult of verifying a signature should only yield if it's good or bad, not more, but contains an error string if underlying primitives failed=eccrypto"clear signal that everything is ok?eccryptoctwisted Edwards curve point, extended point format (x,y,z,t), neutral element (0,1,1,0), c=1, a=-1  >https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html:, after "Twisted Edwards curves revisited" eprint 2008/522Aeccryptoworking on exactly 256 bitsBeccryptothe large primeCeccryptoNcurve parameter l, the group order, f.e. needed to use Farmat's little theoremDeccrypto7curve parameter d, non-square element, -(121665/121666)Eeccryptosqrt (-1) on our curveFeccryptowrapper for our hash functionGeccrypto%the prehash function, id in PureEdDSAHeccrypto/the y coordinate of the base point of the curveIeccrypto*additive neutral element, really (0,Z,Z,0)Jeccrypto#special form of FPrime, no bits setKeccrypto&special form of FPrime, lowest bit setLeccrypto$special form of FPrime, all bits setMeccrypto;recover the x coordinate from the y coordinate and a signumNeccryptobase point on the curveOeccryptopoint negationPeccrypto'k=2*d, constant used for point additionQeccryptopoint addition add-2008-hwcd-3Reccryptopoint doublingSeccrypto^scalar multiplication, branchfree in k, pattern-matched branch on j (static known length of k)Teccrypto4check if Point is on the curve, prevent some attacksUeccrypto4make scalar format Point from projective coordinatesVeccrypto,convert a point on the curve to a ByteStringWeccrypto,convert a ByteString to a point on the curveXeccryptoÿÀclamping of a string of bytes to make it suitable for usage on the (clamped) Edwards curve in Ed25519, reduces cofactor [ b Bits ] 001..1000 010..0 BigEndian 01x..x000 ==> ((getFPrime N) .&. (2^254-1-(2^0+2^1+2^2)) .|. (2^254)) .&. 28948022309329048855892746252171976963317496166410141009864396001978282409976 .|. 28948022309329048855892746252171976963317496166410141009864396001978282409984Yeccryptojconvert an 8 Byte little endian ByteString to either an error String (if too short) or a big endian FPrimeZeccryptoAconvert a big endian FPrime to an 8 Byte little endian ByteString[eccrypto/converts 32 little endian bytes into one FPrime\eccrypto/converts 64 little endian bytes into one FPrime]eccrypto7converts one FPrime into exactly 32 little endian bytes+3456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]+?@=><;:8967543ABCDEFGHIJKLMNOPQRSTUVWXYZ[\](c) Marcel Fourné 20[14..]BSD3'Marcel Fourné (haskell@marcelfourne.de)alphaBadSafeXhØbeccrypto×generate a new key pair (secret and derived public key) using some external entropy | This may be insecure, depending on your environment, so for your usage case you may need to implement some better key generator!ceccrypto!derive public key from secret keydeccryptoPsign with secret key the message, resulting in message appended to the signatureeeccryptogwrapper around dverify, in case we work with a signed message, i.e. the signature with appended messagefeccryptoHsign the message m with secret key sk, resulting in a detached signaturegeccrypto^in: public key, message and signature, out: is the signature valid for public key and message?3458;<=>bcdefgbcfdge4;853=>< (c) Marcel Fourné 20[14..]BSD3'Marcel Fourné (haskell@marcelfourne.de)alphaBadSafej· 3458;<=>?[ ?4;853=><[(c) Marcel Fourné 20[09..]BSD3'Marcel Fourné (haskell@marcelfourne.de) experimentalGood Trustworthyn heccryptobasic ecdsa for testingieccryptobasic ECDSA verificationkeccrypto using SHA-256hihil    !"#$%&'()*+,-./00123456789:;<=>?@ABCDEFGGHHIJKLMNOPQRSTUVWX)(+*YZ[\]^_`abcdefghijklmnopNq%eccrypto-0.2.1-6T9zFXdsmv45WV3axdx2bF Crypto.Common Crypto.Fi)Crypto.ECC.Weierstrass.Internal.Curvemath%Crypto.ECC.Weierstrass.StandardCurvesCrypto.ECC.Weierstrass.ECDH#Crypto.ECC.Ed25519.Internal.Ed25519Crypto.ECC.Ed25519.SignCrypto.ECC.Weierstrass.ECDSACrypto.ECC.Weierstrass.InternalCrypto.ECC.Ed25519.InternalwordMaxwordSize sizeinWordslog2lentestcondFPrimeeqaddaddrsubsubrnegshiftredcmulmulrsquarepowinv fromInteger toIntegercondBitECPFECPpECECiisinfexportaffinepdoublepaddisonpmul$fShowEC$fEqEC $fShowECPF$fEqECPF StandardCurvestdc_lstdc_pstdc_rstdc_bstdc_xpstdc_ypp192p224p256p384p521 basicecdh SignedMessageMessage Signature SecFPrimeSecNumSecKey SecKeyBytes PubKeyPointPubKey VerifyResultSigOKPointbqldihphbyinfnulleinsalleeinsxrecoverbPointpnegkscale pointtobs bstopointclampconvertLE8ByteTo64BEconvert64BEtoLE8Byte getFPrime32 getFPrime64 putFPrime $fEqPoint $fShowPoint $fShowSigOK $fEqSigOKgenkeys publickeysignverifydsigndverify basicecdsabasicecdsaVerifybaseGHC.Realmod