h$ T;      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi (c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de) experimentalGood Trustworthyeccrypto+return the maximum value storable in a Wordeccryptoreturn the bitSize of a Wordeccrypto5determine the needed storage for a bitlength in Wordseccryptoreturning the binary length of an Integer, uses integer-gmp directlyeccryptowe want word w at position i to result in a word to multiply by, eliminating branching(c) Marcel Fourn 20[14..]BSD3'Marcel Fourn (haskell@marcelfourne.de)betaGoodSafeeccrypto#a simple wrapper to ease transitioneccryptomost trivial (==) wrappereccrypto(+) in the fieldeccrypto(+) in the field eccrypto(-) in the field eccrypto(-) in the field eccryptonegation in the field eccryptobitshift wrapper eccrypto.modular reduction, a simple wrapper around modeccryptofield multiplication, a * beccryptofield multiplication, a * b j peccryptosimple squaring in the fieldeccrypto.the power function in the field, for 1>= k < peccryptofield inversioneccryptoconversion wrapper with a limiteccrypto a most simple conversion wrappereccrypto$like testBit, but give either 0 or 1   (c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de)betaGoodSafe'(3 eccryptodata of Elliptic Curve Pointseccryptoall Elliptic Curves, the parameters being the BitLength L, A, B and Peccryptointernal function, codifies point at infinity, is used in comparisonseccryptotranslate point in internal format to a pair of Integers in affine x and y coordinate | this is intended as interface to other librarieseccrypto2generic getter, returning the affine x and y-valueeccrypto4add an elliptic point onto itself, base for padd a aeccryptoadd 2 elliptic pointseccrypto="generic" verify, if generic ECP is on EC via getxA and getyA eccryptoPoint Multiplication.   (c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de)betaGoodSafe   (c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de) experimentalGoodSafe3 %eccrypto$Datatype for defined Standard Curves-eccryptoNIST Prime Curve P-192.eccryptoNIST Prime Curve P-224/eccryptoNIST Prime Curve P-2560eccryptoNIST Prime Curve P-3841eccryptoNIST Prime Curve P-521 %&,+*)('-./01 %&,+*)('-./01(c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de) experimentalGoodSafe 2eccryptobasic ecdh for testing22(c) Marcel Fourn 20[14..]BSD3'Marcel Fourn (haskell@marcelfourne.de)alphaBad TrustworthyD'3eccrypto6just a newtype for the signature with appended message4eccryptojust a newtype for the message5eccryptojust a newtype for the signature (string of 2*32 bytes, b=256 bit)6eccrypto-just a wrapper for the secret key as a number8eccryptojust a wrapper for the secret key (string of 32 bytes, b=256 bit):eccryptojust a newtype for the public key as a point on the Edwards curve;eccryptojust a newtype for the public key (string of 32 bytes, b=256 bit)<eccryptoResult of verifying a signature should only yield if it's good or bad, not more, but contains an error string if underlying primitives failed=eccrypto"clear signal that everything is ok?eccryptotwisted Edwards curve point, extended point format (x,y,z,t), neutral element (0,1,1,0), c=1, a=-1  >https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html:, after "Twisted Edwards curves revisited" eprint 2008/522Aeccryptoworking on exactly 256 bitsBeccryptothe large primeCeccryptocurve parameter l, the group order, f.e. needed to use Farmat's little theoremDeccrypto7curve parameter d, non-square element, -(121665/121666)Eeccryptosqrt (-1) on our curveFeccryptowrapper for our hash functionGeccrypto%the prehash function, id in PureEdDSAHeccrypto/the y coordinate of the base point of the curveIeccrypto*additive neutral element, really (0,Z,Z,0)Jeccrypto#special form of FPrime, no bits setKeccrypto&special form of FPrime, lowest bit setLeccrypto$special form of FPrime, all bits setMeccrypto;recover the x coordinate from the y coordinate and a signumNeccryptobase point on the curveOeccryptopoint negationPeccrypto'k=2*d, constant used for point additionQeccryptopoint addition add-2008-hwcd-3Reccryptopoint doublingSeccryptoscalar multiplication, branchfree in k, pattern-matched branch on j (static known length of k)Teccrypto4check if Point is on the curve, prevent some attacksUeccrypto4make scalar format Point from projective coordinatesVeccrypto,convert a point on the curve to a ByteStringWeccrypto,convert a ByteString to a point on the curveXeccryptoclamping of a string of bytes to make it suitable for usage on the (clamped) Edwards curve in Ed25519, reduces cofactor [ b Bits ] 001..1000 010..0 BigEndian 01x..x000 ==> ((getFPrime N) .&. (2^254-1-(2^0+2^1+2^2)) .|. (2^254)) .&. 28948022309329048855892746252171976963317496166410141009864396001978282409976 .|. 28948022309329048855892746252171976963317496166410141009864396001978282409984Yeccryptoconvert an 8 Byte little endian ByteString to either an error String (if too short) or a big endian FPrimeZeccryptoconvert a big endian FPrime to an 8 Byte little endian ByteString[eccrypto/converts 32 little endian bytes into one FPrime\eccrypto/converts 64 little endian bytes into one FPrime]eccrypto7converts one FPrime into exactly 32 little endian bytes+3456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]+?@=><;:8967543ABCDEFGHIJKLMNOPQRSTUVWXYZ[\](c) Marcel Fourn 20[14..]BSD3'Marcel Fourn (haskell@marcelfourne.de)alphaBadSafebeccryptogenerate a new key pair (secret and derived public key) using some external entropy | This may be insecure, depending on your environment, so for your usage case you may need to implement some better key generator!ceccrypto!derive public key from secret keydeccryptosign with secret key the message, resulting in message appended to the signatureeeccryptowrapper around dverify, in case we work with a signed message, i.e. the signature with appended messagefeccryptosign the message m with secret key sk, resulting in a detached signaturegeccryptoin: public key, message and signature, out: is the signature valid for public key and message?3458;<=>bcdefgbcfdge4;853=>< (c) Marcel Fourn 20[14..]BSD3'Marcel Fourn (haskell@marcelfourne.de)alphaBadSafeP 3458;<=>?[ ?4;853=><[(c) Marcel Fourn 20[09..]BSD3'Marcel Fourn (haskell@marcelfourne.de) experimentalGood Trustworthy1heccryptobasic ecdsa for testingieccryptobasic ECDSA verificationhihi    !"#$%&'()*+,-./00123456789:;<=>?@ABCDEFGGHHIJKLMNOPQRSTUVWX)(+*YZ[\]^_`abcdefghijklmnop%eccrypto-0.2.3-AdUXa1BA0kk4G22GfqjYi3 Crypto.Common Crypto.Fi)Crypto.ECC.Weierstrass.Internal.Curvemath%Crypto.ECC.Weierstrass.StandardCurvesCrypto.ECC.Weierstrass.ECDH#Crypto.ECC.Ed25519.Internal.Ed25519Crypto.ECC.Ed25519.SignCrypto.ECC.Weierstrass.ECDSACrypto.ECC.Weierstrass.InternalCrypto.ECC.Ed25519.InternalwordMaxwordSize sizeinWordslog2lentestcondFPrimeeqaddaddrsubsubrnegshiftredcmulmulrsquarepowinv fromInteger toIntegercondBitECPFECPpECECiisinfexportaffinepdoublepaddisonpmul$fShowEC$fEqEC $fShowECPF$fEqECPF StandardCurvestdc_lstdc_pstdc_rstdc_bstdc_xpstdc_ypp192p224p256p384p521 basicecdh SignedMessageMessage Signature SecFPrimeSecNumSecKey SecKeyBytes PubKeyPointPubKey VerifyResultSigOKPointbqldihphbyinfnulleinsalleeinsxrecoverbPointpnegkscale pointtobs bstopointclampconvertLE8ByteTo64BEconvert64BEtoLE8Byte getFPrime32 getFPrime64 putFPrime $fShowSigOK $fEqSigOK $fEqPoint $fShowPointgenkeys publickeysignverifydsigndverify basicecdsabasicecdsaVerifybaseGHC.Realmod