нУЁh*  Nv  IHё                   	  
                                               !  "  #  $  %  &  '  (  )  *  +  ,  -  .  /  0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?  @  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  [  \  ]  ^  _  `  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z  {  |  }  ~    ─  │  ┌  ┐  └  ┘  ├  ┤  ┬  ┴  	┼  	▀  	▄  	█  	▌  	▐  	░  	▒  	▓  	⌠  	■  	∙  	√  	≈  	≤  	≥  	   	⌡  	°  	²  	·  	÷  	═  	║  	╒  	
0.1.0.0    (c) 2024 Auth GlobalApache2   Safe-Inferred"(  , phkdfО Extends a PHKDF end-of-message tag in order to ensure the last SHA-256
   block contains something interesting.╟Tags less than 160 bits (20 bytes) long are appended directly, without
   extension, as the final portion of the message. Thus this function
   is the identity on short inputs.╗After extension, tags that are at least 20 bytes long should be thought
   of as a bitstring with a single null bit appended at the end to make it
   a full bytestring.▐Tags 160 bits or longer are first extended, iff necessary, to a full
   bytestring by adding a single "1" bit followed by zero to six "0" bits.ВThe bytestring is then extended by 0-63 bytes as needed to make the
   overall length equivalent to 19 (mod 64). The first byte of the extension
   is a null byte, then followed by the bytestring, then starting again
   at the null byte as needed.ЙThe length of this extension takes up the first 6 bits of the last byte,
   followed by a "0" bit denoting the tag is a bytestring, or a "1" denoting
   that the tag is a proper bitstring whose length is not an exact multiple
   of 8.з The final bit is reserved for SHA-256's end-of-message padding, which
   will set it to 1. phkdfThis function robustly undoes  Р , thus "proving" that all
   collisions on PHKDF's tag are cryptographically non-trivial, even after
   extension.*This is a "proof" in the sense that if
   'trimExtendedTag (extendTag x) == Just x  is true for all bytestrings
   x╚, then all collisions are non-trivial, but we haven't presented a
   full deductive proof of this property.  It is part of the test suite,
   tested by quickcheck fuzzing.КThe rest of PHKDF and the G3P's syntax follows this as an iron rule
   of syntax design. I've not literally written a program to parse out
   the original arguments, but I've ensured that it is straightforward
   to do so in principle.ЄIn the case of variable-length PHKDF, starting from some known buffer
   position (usually either 0 or 32), first there are zero or more
   bitstring arguments encoded via TupleHash syntax. Since TupleHash's
   length encoding cannot start with a null byte, a single null byte
   is used to signal the end of these input arguments. Then 0-63 end
   padding bytes are generated in order to bring the buffer position
   equivalent to 32 (mod 64), then 4 bytes of counter, then the extended
   version of PHKDF's end-of-message tag, then finally SHA256's end padding.ЗThis is easy to robustly undo, as I've started to demonstrate in this
   subroutine. This leads to a simple categorical/combinatorial style proof
   that all collisions over PHKDF's input arguments and domain tag are
   cryptographically non-trivial. phkdfadd64WhileLt b c is equivalent to  #while (b < c) { b += 64 }; return b phkdfEquivalent to  к , except with trace debugging.  This should
   never be used in production. phkdf8Partition a bytestring into chunks of up to a given size phkdfФ Partition a cyclically extended bytestring into chunks of
   a given size, starting at a given offset.ш Note that repetitions of the original string get a single
   null byte placed between them.  phkdfDesired chunk size phkdf!String to be cyclically extended. phkdfStarting offset phkdfInfinite stream of chunks	
	
      (c) 2024 Auth GlobalApache2   Safe-Inferred"(  Е phkdfadd64WhileLt b c is equivalent to  #while (b < c) { b += 64 }; return b            Safe-Inferred(Д   %  :ёє╔і ї╗╘╙╚╛ґў╞╟╠╡ЁЄ╣ІЇ╦╧╨╩╪ҐЎ©юабцдефгхийклмнопярстужвьыз            Safe-Inferred(Д   ю  #ёшэщєчъЮ╔АБЦіДЕФ ГХИЙКЛМНОПЯРСТУЖВЬ       (c) 2024 Auth GlobalApache2   Safe-Inferred   H  &')(*+!"#$%, &')(*+!"#$%,       (c) 2024 Auth GlobalApache2   Safe-Inferred   ╠  -./0-./0      (c) 2024 Auth GlobalApache2   Safe-Inferred"щ   ╡1 phkdfinitialize an empty phkdfStream# context from a plaintext HMAC key.2 phkdfinitialize an empty phkdfStream2 context from a plaintext or precomputed HMAC key.3 phkdfinitialize an empty phkdfStreamд  context from a plaintext, precomputed, or buffer-prefixed HMAC key.4 phkdfinitialize an empty phkdfStream% context from a precomputed HMAC key.5 phkdfinitialize an empty phkdfStream) context from a buffer-prefixed HMAC key.: phkdfinitialize a new empty phkdfStreamИ  context from the HMAC key
   originally supplied to the context, discarding all arguments already added.; phkdf┘initialize a new empty HMAC context from the key originally supplied to
   the PHKDF context, discarding all arguments already added.< phkdf'append a single string onto the end of phkdfStream's list of
   arguments.= phkdf,append zero or more strings onto the end of phkdfStream's list of
   arguments.@ phkdfclose out a phkdfStreamЧ  context using the first mode of operation,
   examining only the first output block and discarding the rest of the
   stream.A phkdfTurn a  & into a incomplete call to hmacО , with the option of
   adding additional data to the end of the message that need not be
   TupleHash encoded.B phkdf"improperly" close out a  & as if it were a call to hmac instead
   of phkdfStream+, though with a TupleHash message encoding.C phkdfclose out a phkdfStream% context with a given counter and tagQ phkdfclose out a phkdfStream context with a call to phkdfSlowExtract!,
   providing the counter, tag, fnName0, and number of rounds to compute.
   Note that fnNameЙ  is truncated to a length of 25-29 bytes long,
   depending upon the number of rounds specified. Thus the fnName4 is
   primarily intended to be a protocol constant.R phkdfAdd a tweak to a call to phkdfSlowExtract.S phkdf%Add zero or more tweaks to a call to phkdfSlowExtract.T phkdffinalize a call to phkdfSlowExtract<, discarding all but the first block
   of the output streamU phkdffinalize a call to phkdfSlowExtract , &)124536789;:<=>?@BACD!QRSTUEFHIGJKLMONP, &124536789);:<=>?@BACD!QRSTUEFHIGJKLMONP      (c) 2024 Auth GlobalApache2   Safe-Inferred   M  ]^a_`bVWXYZ[\]^a_`bVWXYZ[\      (c) 2024 Auth GlobalApache2   Safe-Inferred   ╙  cdcd      (c) 2024 Auth GlobalApache2   Safe-Inferred"щ   'e phkdfinitialize an empty phkdfStream# context from a plaintext HMAC key.f phkdfinitialize an empty phkdfStream2 context from a plaintext or precomputed HMAC key.g phkdfinitialize an empty phkdfStreamд  context from a plaintext, precomputed, or buffer-prefixed HMAC key.h phkdfinitialize an empty phkdfStream% context from a precomputed HMAC key.i phkdfinitialize an empty phkdfStream) context from a buffer-prefixed HMAC key.j phkdfш Retrieve the HmacKeyPlain that the phkdfCtx was originally
   initialized with, if possiblek phkdfэ Retrieve the HmacKeyHashed that the phkdfCtx was originally
   initialized with, if possiblel phkdfр Retrieve the HmacKeyPrefixed that the phkdfCtx was originally
   initialized with.m phkdfв Retrieve the HmacKey that the phkdfCtx was originally
   initialized with, if possible.n phkdfinitialize a new empty phkdfStreamИ  context from the HMAC key
   originally supplied to the context, discarding all arguments already added.o phkdf┘initialize a new empty HMAC context from the key originally supplied to
   the PHKDF context, discarding all arguments already added.p phkdf'append a single string onto the end of phkdfStream's list of
   arguments.q phkdf,append zero or more strings onto the end of phkdfStream's list of
   arguments.t phkdfclose out a phkdfStreamЧ  context using the first mode of operation,
   examining only the first output block and discarding the rest of the
   stream.u phkdfTurn a  ] into a incomplete call to hmacО , with the option of
   adding additional data to the end of the message that need not be
   TupleHash encoded.v phkdfTurn a  ] into a  ёэ  by adding a null byte followed
   by 0-63 bytes as needed to get to a SHA256 block boundaryw phkdf"improperly" close out a  ] as if it were a call to hmac instead
   of phkdfStream+, though with a TupleHash message encoding.x phkdfclose out a phkdfStream% context with a given counter and tagy phkdfю How long would the end padding be if the PhkdfCtx was finalized?z phkdf'How long would the block padding be if  v is
   called?t  phkdfй end-of-message padding, output length must be equal to the number provided phkdfcounter phkdftagv  phkdfп block synchronization padding, ouput length must be equal to the number provided{  phkdfй end-of-message padding, output length must be equal to the number provided phkdfcounter phkdftag+ ]a_efhigjklmonpqrstwuvx{yzVX|}─~│┌┐└├┤┘┬+ ]efhigjklmaonpqrstwuvx{_yzV|}─~│┌┐└X├┤┘┬    	  (c) 2024 Auth GlobalApache2   Safe-Inferred"  Hэ┴ phkdf=A plain-old-data explicit representation of the intermediate  ═
   computation after the  ≤ and  ⌠┴ have been
   processed and key stretching has been completed, but before the tweaks
   have been applied and the final output generated.х If you ever need to serialize or persist a seed, you probably want this.Intended to be generated by  ║. and then consumed
   without modification by  ╒.▐ phkdfЩThese parameters are used to tweak the final output, without redoing any
   expensive key stretching.  A possible use case is including a high entropy
   secret in the role itself that isn't available until after a successful
   stage of authentication.МSince these parameters are processed in a context that could conceivably be
   performance sensitive, we don't apply any length padding or side-channel
   hardening.  Instead we opt for maximizing free tagging space.  Thus we
   want to avoid incurring additional SHA256 block computations, one of the
   favorite techniques employed by the key-stretching phase of  ═+
   to harden against timing side-channels.ыA deployment could conceivably harden this expansion phase against timing
   side channels themselves, if the were sufficiently inclined. There are
   several techniques. For starters, a deployment could specify an additional
   variable-length string in the role vector, used to control its relative
   ending position inside the SHA256 buffer.⌠ phkdf░The username and password are grouped together because they are normally
   expected to be supplied by users or other observers of a deployment.сFurthermore, the credentials vector is here because it is an ideal
   location to include other user input. For example, one could implement
   a Two-Secret Key Derivation (2SKD) scheme analogous to 1Password's.ЩA deployment can also specify additional constant tags as part of the
   credentials vector.  As the plaintext of these tags is only ever hashed
   into the output a single time, this is the least expensive
   pay-as-you-go option for plaintext tagging.├The credentials vector is constant time on 0-63 encoded bytes, incurring
   one additional SHA256 block every 64 bytes thereafter. This includes
   a variable-length field that encodes the bit length of each string; this
   field itself requires 2 or more bytes.╙The username and password are constant time as long as their encoded
   lengths add up to less than roughly 3 kilobytes, or the username,
   password, and domain tag add up to less than roughly 8 kilobytes.
   The actual numbers are somewhat less in both cases, but this is a
   good approximation.∙ phkdfЗThe name of this parameter is suggestive, but this parameter is
   functionally identical to a second password. The only difference
   is the fact that a password can be cracked without knowledge of the
   plaintext username. By contrast, the password acts as a plaintext tag
   if one provides the username: guessing the username implies plaintext
   knowledge of the password.≤ phkdfяThese input parameters are grouped together because the envisioned use
   for them is that they are constants (or near-constants) specified by
   a deployment. User-supplied inputs would typically not go here.СThe seguid parameter acts as a deployment-wide salt. Cryptographically
   speaking, the most important thing a deployment can do is specify a
   constant seguid.  It is highly recommended that the seguid input be a
   genuine Self-Documenting Globally Unique Identifier attesting to the
   parameters, purposes, and public playbook of the protocol for y'all
   to follow.УIn more concrete cryptographic terms, the seguid parameter is the constant
   HMAC key used by the protocol right up until the final output exansion.
   This design is closely modelled on the HKDF construction. As such, adding
   null bytes onto the ends of seguids that are less than 64 bytes long
   should be the only source of trivial collisions in the entire protocol.УThe remaining parameter strings are all directly-documenting plaintext
   tags. A deployment can use these tags to encode a message into the password
   hash function so that it must be known to whomever is hashing a password
   of their choice.фFinally, the rounds parameter determines the latency of the function.
   At least 250,000 rounds are recommended if PHKDF is used as the sole key
   stretching component of a password hash database.эUnfortunately PHKDF is inexpensively parallelized, so large investments
   here aren't a good expenditure of a user's latency budget. This is why
   the G3P integrates bcrypt, and cuts the suggested rounds down to 20,000For comparison, n3 rounds of PHKDF is approximately equivalent to
   (1.5 + dtl)*n + c rounds  of PBKDF2, where dtlн  is related to the domain
   tag length, and c is a bit larger than 130 or so.Here, dtl▄ is 0 when the domain tag is between 0 and 19 bytes long, 0.5
   when the domain tag is between 20 and 83 bytes long, and an additional 0.5
   for every 64 bytes thereafter.  Thus these functions exhibit extreme
   timing side channels on the length of the domain tag.ДBy contrast, the long tag is hardened against timing side channels up to
   a bit less than 5 kilobytes in length.  However, an extremely long tag
   does reduce the headroom provided to masking the length of the username
   and password fields,  however the minimum headroom allocated to the
   username and password fields is a bit less than 3 kilobytes./As an alternate tagging location, consider the  ≈щ 
   vector, which can be used as an inexpensive, pay-as-you-go plaintext
   tagging location.$If the total encoded byte length of  ²░ is between 0-63
   bytes, then these hash protocols operate in a constant number of SHA256
   blocks.  Every additional 64 bytes incurs the computation of two or three
   additional SHA256 blocks, because these tags are hashed into the result
   two times in the case of  ═$, and three times in the case of
    ÷ (and g3pHash).  phkdfЬ HMAC-SHA256 key, usable as a high-repetition indirect tag via
   self-documenting globally unique identifiers (seguids).⌡ phkdfЇplaintext tag with one repetition per round.  0-19 bytes are free,
   20-83 bytes cost a additional sha256 block per round, with every
   64 bytes thereafter incurring a similar cost.° phkdfЭ plaintext tag with 1x repetition, then cycled for roughly
   8 kilobytes.  Constant time on inputs up to nearly 5 kilobytes.² phkdf"plaintext tag with 2x repetition ( ═) or 3x repetition
   ( ÷ь). Constant-time on 0-63 encoded bytes, which includes
   the length encoding of each string. Thus 60 of those bytes are usable
   if the tags vector is a single string, or less if it contains two or
   more strings.· phkdf²how expensive will this hash function be? An optimal implementation
   computes exactly three SHA256 blocks per round if the domain tag is
   19 bytes or less.  It is not recommended that phkdf be used as the
   primary key-stretching component of a deployment, but if it is used
   this way, we recommend at least 250,000 rounds.  This can be adjusted
   downward in the case of domain tags longer than 19 bytes.÷ phkdf3A non-tweakable, complete password prehash protocol═ phkdfыA tweakable, complete prehash protocol.   Note that this function is very
   intentionally implemented in such a way that the following idiom is
   efficient, and only performs the expensive key stretching phase once:ь  let mySeed = phkdfPass block args
  in [ mySeed tweak1, mySeed tweak2, mySeed tweak3 ]
Ь However in the case that you want or need to persist or serialize the
   intermediate seed, then the plain-old-datatype  ┴  and its
   companion functions  ║ and  ╒&
   are likely to be more appropriate.║ phkdfт This generates a seed, which encapsulates the expensive key-stretching component of  ═Ц  into a reusable, tweakable cryptographic value.  This function is way slower than it's companion,  ╒к .  Broadly comparable to HKDF-Extract, though with key stretching built-in.╒ phkdfТ This consumes a seed and tweaks to produce the final output stream.
 This function is the output expansion phase of  ═4.  This function
 is way faster than it's companion  ║&.  Broadly comparable to
 HKDF-Expand. ┴▌█▄▀┼▐▓▒░⌠≈√∙■≤·²°⌡ ≥÷═║╒≤·²°⌡ ≥⌠≈√∙■▐▓▒░┴▌█▄▀┼÷═║╒  Ы                                                    !   "         #   $   %   &   '  (  (   )   *   +   ,   -  .  .   /   0   1  2  2   3   4   5   6   7   8   9   :   ;   <   =   >   ?   @   A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z   [   \   ]   ^   _   `  (  (   )   *   +   ,   -  2  2   a   3   4   6   8   :   <   =   >   ?   @   A   B   C   D   E   F   G   H   I   J   K   L   b   M   N   c   d   O   P   Q   R   S   T   U   V   W   X   Y   e   Z   [  	f  	f  	 g  	 h  	 i  	 j  	k  	k  	 l  	 m  	n  	n  	 o  	 p  	 q  	r  	r  	 s  	 t  	 u  	 v  	 w  	 x  	 y  	 z  	 { | } ~  ─  │  ┌  ┐  └  ┘  ├  ┤  ┬  ┴  ┼  ▀  ▄  █  ▌  ▐  ░  ▒  ▓  ⌠  ■  ∙  √  ≈  ≤  ≥     ⌡  °  ²  ·  ÷  ═  ║  ╒  ё  є  ╔  і  ї  ╗  ╘  ╙  ╚  ╛  ґ  ў  ╞  ╟  ╠  ╡  Ё |  Є  ╣ }  І  Ї ~  ╦  ╧ ╨ ╩ ╪ Ґ Ў  ©  ю  а  б  ц  д  е  ф  г  х  и  й  к  л  м  но$phkdf-0.1.0.0-HhmyRSSXptvA4zqp60xn1iCrypto.PHKDF.PrimitivesCrypto.Encoding.PHKDFCrypto.Encoding.PHKDF.V1Crypto.PHKDF.Primitives.SubtleCrypto.PHKDF.Primitives.AssertCrypto.PHKDF.SubtleCrypto.PHKDF.AssertCrypto.PHKDFCrypto.PHKDF.V1.CookbookphkdfCrypto.PHKDF.HMACCrypto.PHKDF.HMAC.Subtle%sha256-0.1.0.2-BtfTb451cqRKdC6SfPoEmf!Crypto.Sha256.Hmac.ImplementationHmacKeyCrypto.Sha256.HmachmacKeyextendTagToList	extendTagtrimExtendedTagadd64WhileLtadd64WhileLt'dropBstakeBstakeBs'takeB'assertTakeB'
nullBufferchunkifychunkifyCyclecycleByteStringToListcycleByteStringWithNullToListcycleByteStringcycleByteStringWithNull
trimExtTagusernamePaddingpasswordPaddingBytespasswordPaddingcredentialsPaddingPhkdfGenphkdfGen_hmacKeyLikephkdfGen_extTagphkdfGen_counterphkdfGen_statephkdfGen_initCtxPhkdfSlowCtxphkdfSlowCtx_phkdfCtxphkdfSlowCtx_counterphkdfSlowCtx_tagPhkdfCtxphkdfCtx_statephkdfCtx_hmacKeyLikephkdfCtx_byteLenphkdfCtx_unsafeFeedphkdfSlowCtx_liftphkdfCtx_assertBufferPosition'"phkdfSlowCtx_assertBufferPosition'phkdfCtx_assertBufferPosition!phkdfSlowCtx_assertBufferPositionphkdfCtxphkdfCtx_initphkdfCtx_initLikephkdfCtx_initHashedphkdfCtx_initPrefixedphkdfCtx_hmacKeyPlainphkdfCtx_hmacKeyHashedphkdfCtx_hmacKeyPrefixedphkdfCtx_hmacKeyphkdfCtx_resetphkdfCtx_toResetHmacCtxphkdfCtx_feedArgphkdfCtx_feedArgsphkdfCtx_feedArgsByphkdfCtx_feedArgConcatphkdfCtx_finalizephkdfCtx_toHmacCtxphkdfCtx_finalizeHmacphkdfCtx_toStreamphkdfCtx_toGenphkdfGenphkdfGen_initphkdfGen_initLikephkdfGen_initHashedphkdfGen_initPrefixedphkdfGen_hmacKeyPlainphkdfGen_hmacKeyHashedphkdfGen_hmacKeyPrefixedphkdfGen_hmacKeyphkdfGen_peekphkdfGen_readphkdfGen_toStreamphkdfSlowCtx_extractphkdfSlowCtx_feedArgphkdfSlowCtx_feedArgsphkdfSlowCtx_finalizephkdfSlowCtx_toStreamphkdfCtx_byteCountphkdfCtx_toHmacKeyPrefixedphkdfCtx_endPaddingLengthphkdfCtx_blockPaddingLengthphkdfGen_head	PhkdfSeedphkdfSeed_seguidphkdfSeed_seguidKeyphkdfSeed_domainTagphkdfSeed_secretPhkdfInputTweakphkdfInputTweak_rolephkdfInputTweak_echoTagPhkdfInputArgsphkdfInputArgs_usernamephkdfInputArgs_passwordphkdfInputArgs_credentialsPhkdfInputBlockphkdfInputBlock_seguidphkdfInputBlock_domainTagphkdfInputBlock_longTagphkdfInputBlock_tagsphkdfInputBlock_roundsphkdfSimple	phkdfPassphkdfPass_seedInitphkdfPass_seedFinalizeHmacKeyPrefixedHmacKeyHashedHmacCtxHmacKeyLikeHmacKeyPlainhmacKey_toHashedhmacKeyLike_toPrefixedhmacKeyPrefixed_initHashedhmacKeyPrefixed_blockCounthmacKey_toPlainhmacKey_forgetPlainhmacKeyLikehmacKeyLike_inithmacKeyLike_initHashedhmacKeyLike_initPrefixedhmacKeyLike_toPlainhmacKeyLike_toHashedhmacKeyLike_toKeyhmacKeyLike_runhmacKeyLike_byteCounthmacKeyLike_blockCounthmacKeyLike_bufferLengthhmacKey_hashedhmacKey_runhmacKeyHashedhmacKeyHashed_toKeyhmacKeyHashed_runhmacKeyHashed_runWithhmacKeyPrefixedhmacKeyPrefixed_inithmacKeyPrefixed_initLikehmacKeyPrefixed_toHashedhmacKeyPrefixed_feedhmacKeyPrefixed_feedshmacKeyPrefixed_feedsWithhmacKeyPrefixed_runhmacKeyPrefixed_byteCounthmacKeyPrefixed_bufferLengthhmachmac'hmacCtxhmacCtx_inithmacCtx_initWithhmacCtx_updatehmacCtx_feedhmacCtx_updateshmacCtx_feedshmacCtx_finalizehmacCtx_finalizeBitshmacCtx_finalize_toByteString!hmacCtx_finalizeBits_toByteStringhmacCtx_finalizeBytes"hmacCtx_finalizeBytes_toByteStringhmacCtx_byteCounthmacCtx_blockCounthmacCtx_bufferLengthhmacKeyPrefixed_opadhmacKeyPrefixed_ipadCtxhmacKeyHashed_opadhmacKeyHashed_ipadhmacCtx_opadhmacCtx_ipadCtxHmacKeyLike_PlainHmacKeyLike_HashedHmacKeyLike_PrefixedHmacKey_PlainHmacKey_HashedhmacKey_ipadhmacKey_ipadCtxhmacKey_opadhmacKey_opadCtxhmacKeyLike_ipadCtxhmacKeyLike_opadhmacKeyLike_opadCtxhmacKeyLike_runIpadCtxhmacKeyLike_runOpadCtxhmacKeyHashed_ipadCtxhmacKeyHashed_runIpadCtxhmacKeyHashed_opadCtxhmacKeyHashed_runOpadCtxhmacKeyPrefixed_runIpadCtxhmacKeyPrefixed_runOpadCtxhmacKeyPrefixed_opadCtx