From bcd33af599c1fda61043276b1f959f2fe5edd03b Mon Sep 17 00:00:00 2001
From: "kepler155c@gmail.com"
Date: Thu, 27 Jun 2019 21:08:46 -0400
Subject: [PATCH] The big Anavrins security update (round 1)
---
 sys/apis/crypto.lua | 150 -----
 sys/apis/crypto/chacha20.lua | 167 ++++++
 sys/apis/crypto/ecc/elliptic.lua | 300 ++++++++++
 sys/apis/crypto/ecc/fp.lua | 928 +++++++++++++++++++++++++++++++
 sys/apis/crypto/ecc/fq.lua | 741 ++++++++++++++++++++++++
 sys/apis/crypto/ecc/init.lua | 87 +++
 sys/apis/{ => crypto}/sha2.lua | 21 +-
 sys/apis/injector.lua | 2 +-
 sys/apis/security.lua | 29 +-
 sys/apis/socket.lua | 11 +-
 sys/apis/util.lua | 13 +
 sys/apps/Welcome.lua | 5 +-
 sys/apps/network/trust.lua | 6 +-
 sys/apps/password.lua | 4 +-
 sys/apps/system/password.lua | 6 +-
 sys/apps/trust.lua | 6 +-
 sys/autorun/welcome.lua | 36 +-
 17 files changed, 2308 insertions(+), 204 deletions(-)
 delete mode 100644 sys/apis/crypto.lua
 create mode 100644 sys/apis/crypto/chacha20.lua
 create mode 100644 sys/apis/crypto/ecc/elliptic.lua
 create mode 100644 sys/apis/crypto/ecc/fp.lua
 create mode 100644 sys/apis/crypto/ecc/fq.lua
 create mode 100644 sys/apis/crypto/ecc/init.lua
 rename sys/apis/{ => crypto}/sha2.lua (92%)
diff --git a/sys/apis/crypto.lua b/sys/apis/crypto.lua
deleted file mode 100644
index fc1075b..0000000
--- a/sys/apis/crypto.lua
+++ /dev/null
@@ -1,150 +0,0 @@ --- https://github.com/PixelToast/ComputerCraft/blob/master/apis/enc - -local Crypto = { } - -local function serialize(t) - local sType = type(t) - if sType == "table" then - local lstcnt=0 - for k,v in pairs(t) do - lstcnt = lstcnt + 1 - end - local result = "{" - local aset=1 - for k,v in pairs(t) do - if k==aset then - result = result..serialize(v).."," - aset=aset+1 - else - result = result..("["..serialize(k).."]="..serialize(v)..",") - end - end - result = result.."}" - return result - elseif sType == "string" then - return string.format("%q",t) - elseif sType == "number" or sType == "boolean" or sType == "nil" then - return tostring(t) - elseif sType == "function" then - local status,data=pcall(string.dump,t) - if status then - data2="" - for char in string.gmatch(data,".") do - data2=data2..zfill(string.byte(char)) - end - return 'f("'..data2..'")' - else - error("Invalid function: "..data) - end - else - error("Could not serialize type "..sType..".") - end -end - -local function unserialize( s ) - local func, e = loadstring( "return "..s, "serialize" ) - if not func then - return s,e - else - setfenv( func, { - f=function(S) - return loadstring(splitnum(S)) - end, - }) - return func() - end -end - -local function splitnum(S) - local Out="" - for l1=1,#S,2 do - local l2=(#S-l1)+1 - local function sure(N,n) - if (l2-n)<1 then N="0" end - return N - end - local CNum=tonumber("0x"..sure(string.sub(S,l2-1,l2-1),1) .. 
sure(string.sub(S,l2,l2),0)) - Out=string.char(CNum)..Out - end - return Out -end - -local function zfill(N) - N=string.format("%X",N) - Zs="" - if #N==1 then - Zs="0" - end - return Zs..N -end - -local function wrap(N) - return N-(math.floor(N/256)*256) -end - -local function checksum(S) - local sum=0 - for char in string.gmatch(S,".") do - math.randomseed(string.byte(char)+sum) - sum=sum+math.random(0,9999) - end - math.randomseed(sum) - return sum -end - -local function genkey(len,psw) - checksum(psw) - local key={} - local tKeys={} - for l1=1,len do - local num=math.random(1,len) - while tKeys[num] do - num=math.random(1,len) - end - tKeys[num]=true - key[l1]={num,math.random(0,255)} - end - return key -end - -function Crypto.encrypt(data,psw) - data=serialize(data) - local chs=checksum(data) - local key=genkey(#data,psw) - local out={} - local cnt=1 - for char in string.gmatch(data,".") do - table.insert(out,key[cnt][1],zfill(wrap(string.byte(char)+key[cnt][2])),chars) - cnt=cnt+1 - end - return string.sub(serialize({chs,table.concat(out)}),2,-3) -end - -function Crypto.decrypt(data,psw) - local oData=data - data=unserialize("{"..data.."}") - if type(data)~="table" then - return oData - end - local chs=data[1] - data=data[2] - local key=genkey((#data)/2,psw) - local sKey={} - for k,v in pairs(key) do - sKey[v[1]]={k,v[2]} - end - local str=splitnum(data) - local cnt=1 - local out={} - for char in string.gmatch(str,".") do - table.insert(out,sKey[cnt][1],string.char(wrap(string.byte(char)-sKey[cnt][2]))) - cnt=cnt+1 - end - out=table.concat(out) - if checksum(out or "")==chs then - return unserialize(out) - end - return oData,out,chs -end - -return Crypto diff --git a/sys/apis/crypto/chacha20.lua b/sys/apis/crypto/chacha20.lua new file mode 100644 index 0000000..b0763dd --- /dev/null +++ b/sys/apis/crypto/chacha20.lua 
@@ -0,0 +1,167 @@ +-- Chacha20 cipher in ComputerCraft +-- By Anavrins + +local sha2 = require('crypto.sha2') +local util = require('util') + +local ROUNDS = 20 -- Adjust this for speed tradeoff + +local bxor = bit32.bxor +local band = bit32.band +local blshift = bit32.lshift +local brshift = bit32.arshift +local textutils = _G.textutils + +local mod = 2^32 +local tau = {("expand 16-byte k"):byte(1,-1)} +local sigma = {("expand 32-byte k"):byte(1,-1)} + +local function rotl(n, b) + local s = n/(2^(32-b)) + local f = s%1 + return (s-f) + f*mod +end + +local function quarterRound(s, a, b, c, d) + s[a] = (s[a]+s[b])%mod; s[d] = rotl(bxor(s[d], s[a]), 16) + s[c] = (s[c]+s[d])%mod; s[b] = rotl(bxor(s[b], s[c]), 12) + s[a] = (s[a]+s[b])%mod; s[d] = rotl(bxor(s[d], s[a]), 8) + s[c] = (s[c]+s[d])%mod; s[b] = rotl(bxor(s[b], s[c]), 7) + return s +end + +local function hashBlock(state, rnd) + local s = {unpack(state)} + for i = 1, rnd do + local r = i%2==1 + s = r and quarterRound(s, 1, 5, 9, 13) or quarterRound(s, 1, 6, 11, 16) + s = r and quarterRound(s, 2, 6, 10, 14) or quarterRound(s, 2, 7, 12, 13) + s = r and quarterRound(s, 3, 7, 11, 15) or quarterRound(s, 3, 8, 9, 14) + s = r and quarterRound(s, 4, 8, 12, 16) or quarterRound(s, 4, 5, 10, 15) + end + for i = 1, 16 do s[i] = (s[i]+state[i])%mod end + return s +end + +local function LE_toInt(bs, i) + return (bs[i+1] or 0)+ + blshift((bs[i+2] or 0), 8)+ + blshift((bs[i+3] or 0), 16)+ + blshift((bs[i+4] or 0), 24) +end + +local function initState(key, nonce, counter) + local isKey256 = #key == 32 + local const = isKey256 and sigma or tau + local state = {} + + state[ 1] = LE_toInt(const, 0) + state[ 2] = LE_toInt(const, 4) + state[ 3] = LE_toInt(const, 8) + state[ 4] = LE_toInt(const, 12) + + state[ 5] = LE_toInt(key, 0) + state[ 6] = LE_toInt(key, 4) + state[ 7] = LE_toInt(key, 8) + state[ 8] = LE_toInt(key, 12) + state[ 9] = LE_toInt(key, isKey256 and 16 or 0) + state[10] = LE_toInt(key, isKey256 and 20 or 4) + state[11] 
= LE_toInt(key, isKey256 and 24 or 8) + state[12] = LE_toInt(key, isKey256 and 28 or 12) + + state[13] = counter + state[14] = LE_toInt(nonce, 0) + state[15] = LE_toInt(nonce, 4) + state[16] = LE_toInt(nonce, 8) + + return state +end + +local function serialize(state) + local r = {} + for i = 1, 16 do + r[#r+1] = band(state[i], 0xFF) + r[#r+1] = band(brshift(state[i], 8), 0xFF) + r[#r+1] = band(brshift(state[i], 16), 0xFF) + r[#r+1] = band(brshift(state[i], 24), 0xFF) + end + return r +end + +local mt = { + __tostring = function(a) return string.char(unpack(a)) end, + __index = { + toHex = function(self, s) return ("%02x"):rep(#self):format(unpack(self)) end, + isEqual = function(self, t) + if type(t) ~= "table" then return false end + if #self ~= #t then return false end + local ret = 0 + for i = 1, #self do + ret = bit32.bor(ret, bxor(self[i], t[i])) + end + return ret == 0 + end + } +} + +local function crypt(data, key, nonce, cntr, round) + assert(type(key) == "table", "ChaCha20: Invalid key format ("..type(key).."), must be table") + assert(type(nonce) == "table", "ChaCha20: Invalid nonce format ("..type(nonce).."), must be table") + assert(#key == 16 or #key == 32, "ChaCha20: Invalid key length ("..#key.."), must be 16 or 32") + assert(#nonce == 12, "ChaCha20: Invalid nonce length ("..#nonce.."), must be 12") + + local data = type(data) == "table" and {unpack(data)} or {tostring(data):byte(1,-1)} + cntr = tonumber(cntr) or 1 + round = tonumber(round) or 20 + + local out = {} + local state = initState(key, nonce, cntr) + local blockAmt = math.floor(#data/64) + for i = 0, blockAmt do + local ks = serialize(hashBlock(state, round)) + state[13] = (state[13]+1) % mod + + local block = {} + for j = 1, 64 do + block[j] = data[((i)*64)+j] + end + for j = 1, #block do + out[#out+1] = bxor(block[j], ks[j]) + end + + if i % 1000 == 0 then + os.queueEvent("") + os.pullEvent("") + end + end + return setmetatable(out, mt) +end + +local function genNonce(len) + local nonce 
= {} + for i = 1, len do + nonce[i] = math.random(0, 0xFF) + end + return setmetatable(nonce, mt) +end + +local function encrypt(data, key) + local nonce = genNonce(12) + data = textutils.serialise(data) + key = sha2.digest(key) + local ctx = crypt(data, key, nonce, 1, ROUNDS) + return { nonce:toHex(), ctx:toHex() } +end + +local function decrypt(data, key) + local nonce = util.hexToByteArray(data[1]) + data = util.hexToByteArray(data[2]) + key = sha2.digest(key) + local ptx = crypt(data, key, nonce, 1, ROUNDS) + return textutils.unserialise(tostring(ptx)) +end + +return { + encrypt = encrypt, + decrypt = decrypt, +} diff --git a/sys/apis/crypto/ecc/elliptic.lua b/sys/apis/crypto/ecc/elliptic.lua new file mode 100644 index 0000000..ca2b5b5 --- /dev/null +++ b/sys/apis/crypto/ecc/elliptic.lua 
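Review bot: The nonce that `encrypt` hands to `crypt` comes from `genNonce`, which fills it with `math.random(0, 0xFF)`; `math.random` is not a cryptographic generator, and since the block counter always starts at 1, a repeated (key, nonce) pair reproduces the same keystream for two messages, which is the one failure a stream cipher cannot tolerate. The ciphertext is also unauthenticated — `decrypt` simply XORs and passes the bytes to `textutils.unserialise` — so a modified ciphertext is accepted with no error at all. I would draw the nonce from whatever entropy source the platform offers (or a per-key counter that is never reset) and add a MAC over nonce and ciphertext, verified before decryption with the constant-time `isEqual` the metatable already provides; if `sha2` exposes an HMAC that is the natural tag, otherwise one has to be added. At minimum a header comment such as `-- Unauthenticated: callers must MAC the ciphertext; nonce comes from math.random and is not suitable for long-lived keys` keeps the next user from assuming more than the module delivers.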
@@ -0,0 +1,300 @@ +---- Elliptic Curve Arithmetic + +---- About the Curve Itself +-- Field Size: 192 bits +-- Field Modulus (p): 65533 * 2^176 + 3 +-- Equation: x^2 + y^2 = 1 + 108 * x^2 * y^2 +-- Parameters: Edwards Curve with c = 1, and d = 108 +-- Curve Order (n): 4 * 1569203598118192102418711808268118358122924911136798015831 +-- Cofactor (h): 4 +-- Generator Order (q): 1569203598118192102418711808268118358122924911136798015831 +---- About the Curve's Security +-- Current best attack security: 94.822 bits (Pollard's Rho) +-- Rho Security: log2(0.884 * sqrt(q)) = 94.822 +-- Transfer Security? Yes: p ~= q; k > 20 +-- Field Discriminant Security? Yes: t = 67602300638727286331433024168; s = 2^2; |D| = 5134296629560551493299993292204775496868940529592107064435 > 2^100 +-- Rigidity? A little, the parameters are somewhat small. +-- XZ/YZ Ladder Security? No: Single coordinate ladders are insecure, so they can't be used. +-- Small Subgroup Security? Yes: Secret keys are calculated modulo 4q. +-- Invalid Curve Security? Yes: Any point to be multiplied is checked beforehand. +-- Invalid Curve Twist Security? No: The curve is not protected against single coordinate ladder attacks, so don't use them. +-- Completeness? Yes: The curve is an Edwards Curve with non-square d and square a, so the curve is complete. +-- Indistinguishability? No: The curve does not support indistinguishability maps. 
+ +local fp = require('crypto.ecc.fp') +local eq = fp.eq +local mul = fp.mul +local sqr = fp.sqr +local add = fp.add +local sub = fp.sub +local shr = fp.shr +local mont = fp.mont +local invMont = fp.invMont +local sub192 = fp.sub192 + +local bits = 192 +local pMinusTwoBinary = {1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} +local pMinusThreeOverFourBinary = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0} +local ZERO = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} +local ONE = mont({1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}) + +local p = mont({3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 65533}) +local G = { + mont({30457, 58187, 5603, 63215, 8936, 58151, 26571, 7272, 26680, 23486, 32353, 59456}), + mont({3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}), + mont({1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}) +} +local GTable = {G} + +local d = mont({108, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}) + +local function generator() + return G +end + +local function expMod(a, t) + local a = 
{unpack(a)} + local result = {unpack(ONE)} + + for i = 1, bits do + if t[i] == 1 then + result = mul(result, a) + end + a = mul(a, a) + end + + return result +end + +-- We're using Projective Coordinates +-- For Edwards curves +-- The identity element is represented by (0:1:1) +local function pointDouble(P1) + local X1, Y1, Z1 = unpack(P1) + + local b = add(X1, Y1) + local B = sqr(b) + local C = sqr(X1) + local D = sqr(Y1) + local E = add(C, D) + local H = sqr(Z1) + local J = sub(E, add(H, H)) + local X3 = mul(sub(B, E), J) + local Y3 = mul(E, sub(C, D)) + local Z3 = mul(E, J) + + local P3 = {X3, Y3, Z3} + + return P3 +end + +local function pointAdd(P1, P2) + local X1, Y1, Z1 = unpack(P1) + local X2, Y2, Z2 = unpack(P2) + + local A = mul(Z1, Z2) + local B = sqr(A) + local C = mul(X1, X2) + local D = mul(Y1, Y2) + local E = mul(d, mul(C, D)) + local F = sub(B, E) + local G = add(B, E) + local X3 = mul(A, mul(F, sub(mul(add(X1, Y1), add(X2, Y2)), add(C, D)))) + local Y3 = mul(A, mul(G, sub(D, C))) + local Z3 = mul(F, G) + + local P3 = {X3, Y3, Z3} + + return P3 +end + +local function pointNeg(P1) + local X1, Y1, Z1 = unpack(P1) + + local X3 = sub(p, X1) + local Y3 = {unpack(Y1)} + local Z3 = {unpack(Z1)} + + local P3 = {X3, Y3, Z3} + + return P3 +end + +local function pointSub(P1, P2) + return pointAdd(P1, pointNeg(P2)) +end + +local function pointScale(P1) + local X1, Y1, Z1 = unpack(P1) + + local A = expMod(Z1, pMinusTwoBinary) + local X3 = mul(X1, A) + local Y3 = mul(Y1, A) + local Z3 = {unpack(ONE)} + + local P3 = {X3, Y3, Z3} + + return P3 +end + +local function pointEq(P1, P2) + local X1, Y1, Z1 = unpack(P1) + local X2, Y2, Z2 = unpack(P2) + + local A1 = mul(X1, Z2) + local B1 = mul(Y1, Z2) + local A2 = mul(X2, Z1) + local B2 = mul(Y2, Z1) + + return eq(A1, A2) and eq(B1, B2) +end + +local function isOnCurve(P1) + local X1, Y1, Z1 = unpack(P1) + + local X12 = sqr(X1) + local Y12 = sqr(Y1) + local Z12 = sqr(Z1) + local Z14 = sqr(Z12) + local a = add(X12, Y12) + 
a = mul(a, Z12) + local b = mul(d, mul(X12, Y12)) + b = add(Z14, b) + + return eq(a, b) +end + +local function mods(d) + -- w = 5 + local result = d[1] % 32 + + if result >= 16 then + result = result - 32 + end + + return result +end + +local function NAF(d) + local t = {} + local d = {unpack(d)} + + while d[12] >= 0 and not eq(d, ZERO) do + if d[1] % 2 == 1 then + t[#t + 1] = mods(d) + d = sub192(d, {t[#t], 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}) + else + t[#t + 1] = 0 + end + + d = shr(d) + end + + return t +end + +local function scalarMul(s, P1) + local naf = NAF(s) + local PTable = {P1} + local P2 = pointDouble(P1) + + for i = 3, 31, 2 do + PTable[i] = pointAdd(PTable[i - 2], P2) + end + + local Q = {{unpack(ZERO)}, {unpack(ONE)}, {unpack(ONE)}} + for i = #naf, 1, -1 do + Q = pointDouble(Q) + if naf[i] > 0 then + Q = pointAdd(Q, PTable[naf[i]]) + elseif naf[i] < 0 then + Q = pointSub(Q, PTable[-naf[i]]) + end + end + + return Q +end + +for i = 2, 196 do + GTable[i] = pointDouble(GTable[i - 1]) +end + +local function scalarMulG(s) + local result = {{unpack(ZERO)}, {unpack(ONE)}, {unpack(ONE)}} + local k = 1 + + for i = 1, 12 do + local w = s[i] + + for j = 1, 16 do + if w % 2 == 1 then + result = pointAdd(result, GTable[k]) + end + + k = k + 1 + + w = w / 2 + w = w - w % 1 + end + end + + return result +end + +local function pointEncode(P1) + P1 = pointScale(P1) + + local result = {} + local x, y = unpack(P1) + + result[1] = x[1] % 2 + + for i = 1, 12 do + local m = y[i] % 256 + result[2 * i] = m + result[2 * i + 1] = (y[i] - m) / 256 + end + + return result +end + +local function pointDecode(enc) + local y = {} + for i = 1, 12 do + y[i] = enc[2 * i] + y[i] = y[i] + enc[2 * i + 1] * 256 + end + + local y2 = sqr(y) + local u = sub(y2, ONE) + local v = sub(mul(d, y2), ONE) + local u2 = sqr(u) + local u3 = mul(u, u2) + local u5 = mul(u3, u2) + local v3 = mul(v, sqr(v)) + local w = mul(u5, v3) + local x = mul(u3, mul(v, expMod(w, pMinusThreeOverFourBinary))) + + if x[1] % 
2 ~= enc[1] then + x = sub(p, x) + end + + local P3 = {x, y, {unpack(ONE)}} + + return P3 +end + +return { + generator = generator, + pointDouble = pointDouble, + pointAdd = pointAdd, + pointNeg = pointNeg, + pointSub = pointSub, + pointScale = pointScale, + pointEq = pointEq, + isOnCurve = isOnCurve, + scalarMul = scalarMul, + scalarMulG = scalarMulG, + pointEncode = pointEncode, + pointDecode = pointDecode, +} diff --git a/sys/apis/crypto/ecc/fp.lua b/sys/apis/crypto/ecc/fp.lua new file mode 100644 index 0000000..3a8c4c6 --- /dev/null +++ b/sys/apis/crypto/ecc/fp.lua 
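Review bot: `pointDecode` returns a point for any 25-byte input without checking that the recovered x satisfies the curve equation, and `scalarMul` multiplies whatever it is handed, so the header's "Invalid Curve Security? Yes: Any point to be multiplied is checked beforehand" only holds if the caller (presumably `crypto/ecc/init.lua`, which is outside this chunk) runs `isOnCurve` first. The safe default is to validate in the decoder itself — replace `return P3` at the end of `pointDecode` with `if not isOnCurve(P3) then return nil end` followed by `return P3` — and to state in a comment on `scalarMul` that its point argument is assumed to be validated. Separately, both `scalarMul` (the branches on each NAF digit) and `scalarMulG` (`if w % 2 == 1`) branch on the secret scalar, so the "About the Curve's Security" header should record that scalar multiplication is not constant-time. The `for i = 3, 31, 2` precomputation in `scalarMul` also builds odd multiples up to 31 although width-5 NAF digits never exceed 15 in magnitude, so half of those point additions are wasted work.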
@@ -0,0 +1,928 @@ +-- Fp Integer Arithmetic + +local n = 0xffff +local m = 0x10000 + +local p = {3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 65533} +local p2 = {21845, 21845, 21845, 21845, 21845, 21845, 21845, 21845, 21845, 21845, 21845, 43690} +local r2 = {44014, 58358, 19452, 6484, 45852, 58974, 63348, 64806, 65292, 65454, 65508, 21512} + +local function eq(a, b) + for i = 1, 12 do + if a[i] ~= b[i] then + return false + end + end + + return true +end + +local function reduce(a) + local r1 = a[1] + local r2 = a[2] + local r3 = a[3] + local r4 = a[4] + local r5 = a[5] + local r6 = a[6] + local r7 = a[7] + local r8 = a[8] + local r9 = a[9] + local r10 = a[10] + local r11 = a[11] + local r12 = a[12] + + if r12 < 65533 or r12 == 65533 and r1 < 3 then + return {unpack(a)} + end + + r1 = r1 - 3 + r12 = r12 - 65533 + + if r1 < 0 then + r2 = r2 - 1 + r1 = r1 + m + end + if r2 < 0 then + r3 = r3 - 1 + r2 = r2 + m + end + if r3 < 0 then + r4 = r4 - 1 + r3 = r3 + m + end + if r4 < 0 then + r5 = r5 - 1 + r4 = r4 + m + end + if r5 < 0 then + r6 = r6 - 1 + r5 = r5 + m + end + if r6 < 0 then + r7 = r7 - 1 + r6 = r6 + m + end + if r7 < 0 then + r8 = r8 - 1 + r7 = r7 + m + end + if r8 < 0 then + r9 = r9 - 1 + r8 = r8 + m + end + if r9 < 0 then + r10 = r10 - 1 + r9 = r9 + m + end + if r10 < 0 then + r11 = r11 - 1 + r10 = r10 + m + end + if r11 < 0 then + r12 = r12 - 1 + r11 = r11 + m + end + + return {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} +end + +local function add(a, b) + local r1 = a[1] + b[1] + local r2 = a[2] + b[2] + local r3 = a[3] + b[3] + local r4 = a[4] + b[4] + local r5 = a[5] + b[5] + local r6 = a[6] + b[6] + local r7 = a[7] + b[7] + local r8 = a[8] + b[8] + local r9 = a[9] + b[9] + local r10 = a[10] + b[10] + local r11 = a[11] + b[11] + local r12 = a[12] + b[12] + + if r1 > n then + r2 = r2 + 1 + r1 = r1 - m + end + if r2 > n then + r3 = r3 + 1 + r2 = r2 - m + end + if r3 > n then + r4 = r4 + 1 + r3 = r3 - m + end + if r4 > n then + r5 = r5 + 1 + r4 = r4 - m + end + 
if r5 > n then + r6 = r6 + 1 + r5 = r5 - m + end + if r6 > n then + r7 = r7 + 1 + r6 = r6 - m + end + if r7 > n then + r8 = r8 + 1 + r7 = r7 - m + end + if r8 > n then + r9 = r9 + 1 + r8 = r8 - m + end + if r9 > n then + r10 = r10 + 1 + r9 = r9 - m + end + if r10 > n then + r11 = r11 + 1 + r10 = r10 - m + end + if r11 > n then + r12 = r12 + 1 + r11 = r11 - m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + return reduce(result) +end + +local function shr(a) + local r1 = a[1] + local r2 = a[2] + local r3 = a[3] + local r4 = a[4] + local r5 = a[5] + local r6 = a[6] + local r7 = a[7] + local r8 = a[8] + local r9 = a[9] + local r10 = a[10] + local r11 = a[11] + local r12 = a[12] + + r1 = r1 / 2 + r1 = r1 - r1 % 1 + r1 = r1 + (r2 % 2) * 0x8000 + r2 = r2 / 2 + r2 = r2 - r2 % 1 + r2 = r2 + (r3 % 2) * 0x8000 + r3 = r3 / 2 + r3 = r3 - r3 % 1 + r3 = r3 + (r4 % 2) * 0x8000 + r4 = r4 / 2 + r4 = r4 - r4 % 1 + r4 = r4 + (r5 % 2) * 0x8000 + r5 = r5 / 2 + r5 = r5 - r5 % 1 + r5 = r5 + (r6 % 2) * 0x8000 + r6 = r6 / 2 + r6 = r6 - r6 % 1 + r6 = r6 + (r7 % 2) * 0x8000 + r7 = r7 / 2 + r7 = r7 - r7 % 1 + r7 = r7 + (r8 % 2) * 0x8000 + r8 = r8 / 2 + r8 = r8 - r8 % 1 + r8 = r8 + (r9 % 2) * 0x8000 + r9 = r9 / 2 + r9 = r9 - r9 % 1 + r9 = r9 + (r10 % 2) * 0x8000 + r10 = r10 / 2 + r10 = r10 - r10 % 1 + r10 = r10 + (r11 % 2) * 0x8000 + r11 = r11 / 2 + r11 = r11 - r11 % 1 + r11 = r11 + (r12 % 2) * 0x8000 + r12 = r12 / 2 + r12 = r12 - r12 % 1 + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + return result +end + +local function sub192(a, b) + local r1 = a[1] - b[1] + local r2 = a[2] - b[2] + local r3 = a[3] - b[3] + local r4 = a[4] - b[4] + local r5 = a[5] - b[5] + local r6 = a[6] - b[6] + local r7 = a[7] - b[7] + local r8 = a[8] - b[8] + local r9 = a[9] - b[9] + local r10 = a[10] - b[10] + local r11 = a[11] - b[11] + local r12 = a[12] - b[12] + + if r1 < 0 then + r2 = r2 - 1 + r1 = r1 + m + end + if r2 < 0 then + r3 = r3 - 1 + r2 = r2 + m + 
end + if r3 < 0 then + r4 = r4 - 1 + r3 = r3 + m + end + if r4 < 0 then + r5 = r5 - 1 + r4 = r4 + m + end + if r5 < 0 then + r6 = r6 - 1 + r5 = r5 + m + end + if r6 < 0 then + r7 = r7 - 1 + r6 = r6 + m + end + if r7 < 0 then + r8 = r8 - 1 + r7 = r7 + m + end + if r8 < 0 then + r9 = r9 - 1 + r8 = r8 + m + end + if r9 < 0 then + r10 = r10 - 1 + r9 = r9 + m + end + if r10 < 0 then + r11 = r11 - 1 + r10 = r10 + m + end + if r11 < 0 then + r12 = r12 - 1 + r11 = r11 + m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + return result +end + +local function sub(a, b) + local r1 = a[1] - b[1] + local r2 = a[2] - b[2] + local r3 = a[3] - b[3] + local r4 = a[4] - b[4] + local r5 = a[5] - b[5] + local r6 = a[6] - b[6] + local r7 = a[7] - b[7] + local r8 = a[8] - b[8] + local r9 = a[9] - b[9] + local r10 = a[10] - b[10] + local r11 = a[11] - b[11] + local r12 = a[12] - b[12] + + if r1 < 0 then + r2 = r2 - 1 + r1 = r1 + m + end + if r2 < 0 then + r3 = r3 - 1 + r2 = r2 + m + end + if r3 < 0 then + r4 = r4 - 1 + r3 = r3 + m + end + if r4 < 0 then + r5 = r5 - 1 + r4 = r4 + m + end + if r5 < 0 then + r6 = r6 - 1 + r5 = r5 + m + end + if r6 < 0 then + r7 = r7 - 1 + r6 = r6 + m + end + if r7 < 0 then + r8 = r8 - 1 + r7 = r7 + m + end + if r8 < 0 then + r9 = r9 - 1 + r8 = r8 + m + end + if r9 < 0 then + r10 = r10 - 1 + r9 = r9 + m + end + if r10 < 0 then + r11 = r11 - 1 + r10 = r10 + m + end + if r11 < 0 then + r12 = r12 - 1 + r11 = r11 + m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + if r12 < 0 then + result = add(result, p) + end + + return result +end + +local function add384(a, b) + local r1 = a[1] + b[1] + local r2 = a[2] + b[2] + local r3 = a[3] + b[3] + local r4 = a[4] + b[4] + local r5 = a[5] + b[5] + local r6 = a[6] + b[6] + local r7 = a[7] + b[7] + local r8 = a[8] + b[8] + local r9 = a[9] + b[9] + local r10 = a[10] + b[10] + local r11 = a[11] + b[11] + local r12 = a[12] + b[12] + local r13 = a[13] + b[13] + 
local r14 = a[14] + b[14] + local r15 = a[15] + b[15] + local r16 = a[16] + b[16] + local r17 = a[17] + b[17] + local r18 = a[18] + b[18] + local r19 = a[19] + b[19] + local r20 = a[20] + b[20] + local r21 = a[21] + b[21] + local r22 = a[22] + b[22] + local r23 = a[23] + b[23] + local r24 = a[24] + b[24] + + if r1 > n then + r2 = r2 + 1 + r1 = r1 - m + end + if r2 > n then + r3 = r3 + 1 + r2 = r2 - m + end + if r3 > n then + r4 = r4 + 1 + r3 = r3 - m + end + if r4 > n then + r5 = r5 + 1 + r4 = r4 - m + end + if r5 > n then + r6 = r6 + 1 + r5 = r5 - m + end + if r6 > n then + r7 = r7 + 1 + r6 = r6 - m + end + if r7 > n then + r8 = r8 + 1 + r7 = r7 - m + end + if r8 > n then + r9 = r9 + 1 + r8 = r8 - m + end + if r9 > n then + r10 = r10 + 1 + r9 = r9 - m + end + if r10 > n then + r11 = r11 + 1 + r10 = r10 - m + end + if r11 > n then + r12 = r12 + 1 + r11 = r11 - m + end + if r12 > n then + r13 = r13 + 1 + r12 = r12 - m + end + if r13 > n then + r14 = r14 + 1 + r13 = r13 - m + end + if r14 > n then + r15 = r15 + 1 + r14 = r14 - m + end + if r15 > n then + r16 = r16 + 1 + r15 = r15 - m + end + if r16 > n then + r17 = r17 + 1 + r16 = r16 - m + end + if r17 > n then + r18 = r18 + 1 + r17 = r17 - m + end + if r18 > n then + r19 = r19 + 1 + r18 = r18 - m + end + if r19 > n then + r20 = r20 + 1 + r19 = r19 - m + end + if r20 > n then + r21 = r21 + 1 + r20 = r20 - m + end + if r21 > n then + r22 = r22 + 1 + r21 = r21 - m + end + if r22 > n then + r23 = r23 + 1 + r22 = r22 - m + end + if r23 > n then + r24 = r24 + 1 + r23 = r23 - m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return result +end + +local function mul384(a, b) + local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12 = unpack(a) + local b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12 = unpack(b) + + local r1 = a1 * b1 + + local r2 = a1 * b2 + r2 = r2 + a2 * b1 + + local r3 = a1 * b3 + r3 = r3 + a2 * b2 + r3 = r3 + 
a3 * b1 + + local r4 = a1 * b4 + r4 = r4 + a2 * b3 + r4 = r4 + a3 * b2 + r4 = r4 + a4 * b1 + + local r5 = a1 * b5 + r5 = r5 + a2 * b4 + r5 = r5 + a3 * b3 + r5 = r5 + a4 * b2 + r5 = r5 + a5 * b1 + + local r6 = a1 * b6 + r6 = r6 + a2 * b5 + r6 = r6 + a3 * b4 + r6 = r6 + a4 * b3 + r6 = r6 + a5 * b2 + r6 = r6 + a6 * b1 + + local r7 = a1 * b7 + r7 = r7 + a2 * b6 + r7 = r7 + a3 * b5 + r7 = r7 + a4 * b4 + r7 = r7 + a5 * b3 + r7 = r7 + a6 * b2 + r7 = r7 + a7 * b1 + + local r8 = a1 * b8 + r8 = r8 + a2 * b7 + r8 = r8 + a3 * b6 + r8 = r8 + a4 * b5 + r8 = r8 + a5 * b4 + r8 = r8 + a6 * b3 + r8 = r8 + a7 * b2 + r8 = r8 + a8 * b1 + + local r9 = a1 * b9 + r9 = r9 + a2 * b8 + r9 = r9 + a3 * b7 + r9 = r9 + a4 * b6 + r9 = r9 + a5 * b5 + r9 = r9 + a6 * b4 + r9 = r9 + a7 * b3 + r9 = r9 + a8 * b2 + r9 = r9 + a9 * b1 + + local r10 = a1 * b10 + r10 = r10 + a2 * b9 + r10 = r10 + a3 * b8 + r10 = r10 + a4 * b7 + r10 = r10 + a5 * b6 + r10 = r10 + a6 * b5 + r10 = r10 + a7 * b4 + r10 = r10 + a8 * b3 + r10 = r10 + a9 * b2 + r10 = r10 + a10 * b1 + + local r11 = a1 * b11 + r11 = r11 + a2 * b10 + r11 = r11 + a3 * b9 + r11 = r11 + a4 * b8 + r11 = r11 + a5 * b7 + r11 = r11 + a6 * b6 + r11 = r11 + a7 * b5 + r11 = r11 + a8 * b4 + r11 = r11 + a9 * b3 + r11 = r11 + a10 * b2 + r11 = r11 + a11 * b1 + + local r12 = a1 * b12 + r12 = r12 + a2 * b11 + r12 = r12 + a3 * b10 + r12 = r12 + a4 * b9 + r12 = r12 + a5 * b8 + r12 = r12 + a6 * b7 + r12 = r12 + a7 * b6 + r12 = r12 + a8 * b5 + r12 = r12 + a9 * b4 + r12 = r12 + a10 * b3 + r12 = r12 + a11 * b2 + r12 = r12 + a12 * b1 + + local r13 = a2 * b12 + r13 = r13 + a3 * b11 + r13 = r13 + a4 * b10 + r13 = r13 + a5 * b9 + r13 = r13 + a6 * b8 + r13 = r13 + a7 * b7 + r13 = r13 + a8 * b6 + r13 = r13 + a9 * b5 + r13 = r13 + a10 * b4 + r13 = r13 + a11 * b3 + r13 = r13 + a12 * b2 + + local r14 = a3 * b12 + r14 = r14 + a4 * b11 + r14 = r14 + a5 * b10 + r14 = r14 + a6 * b9 + r14 = r14 + a7 * b8 + r14 = r14 + a8 * b7 + r14 = r14 + a9 * b6 + r14 = r14 + a10 * b5 + r14 = r14 + a11 
* b4 + r14 = r14 + a12 * b3 + + local r15 = a4 * b12 + r15 = r15 + a5 * b11 + r15 = r15 + a6 * b10 + r15 = r15 + a7 * b9 + r15 = r15 + a8 * b8 + r15 = r15 + a9 * b7 + r15 = r15 + a10 * b6 + r15 = r15 + a11 * b5 + r15 = r15 + a12 * b4 + + local r16 = a5 * b12 + r16 = r16 + a6 * b11 + r16 = r16 + a7 * b10 + r16 = r16 + a8 * b9 + r16 = r16 + a9 * b8 + r16 = r16 + a10 * b7 + r16 = r16 + a11 * b6 + r16 = r16 + a12 * b5 + + local r17 = a6 * b12 + r17 = r17 + a7 * b11 + r17 = r17 + a8 * b10 + r17 = r17 + a9 * b9 + r17 = r17 + a10 * b8 + r17 = r17 + a11 * b7 + r17 = r17 + a12 * b6 + + local r18 = a7 * b12 + r18 = r18 + a8 * b11 + r18 = r18 + a9 * b10 + r18 = r18 + a10 * b9 + r18 = r18 + a11 * b8 + r18 = r18 + a12 * b7 + + local r19 = a8 * b12 + r19 = r19 + a9 * b11 + r19 = r19 + a10 * b10 + r19 = r19 + a11 * b9 + r19 = r19 + a12 * b8 + + local r20 = a9 * b12 + r20 = r20 + a10 * b11 + r20 = r20 + a11 * b10 + r20 = r20 + a12 * b9 + + local r21 = a10 * b12 + r21 = r21 + a11 * b11 + r21 = r21 + a12 * b10 + + local r22 = a11 * b12 + r22 = r22 + a12 * b11 + + local r23 = a12 * b12 + + local r24 = 0 + + r2 = r2 + (r1 / m) + r2 = r2 - r2 % 1 + r1 = r1 % m + r3 = r3 + (r2 / m) + r3 = r3 - r3 % 1 + r2 = r2 % m + r4 = r4 + (r3 / m) + r4 = r4 - r4 % 1 + r3 = r3 % m + r5 = r5 + (r4 / m) + r5 = r5 - r5 % 1 + r4 = r4 % m + r6 = r6 + (r5 / m) + r6 = r6 - r6 % 1 + r5 = r5 % m + r7 = r7 + (r6 / m) + r7 = r7 - r7 % 1 + r6 = r6 % m + r8 = r8 + (r7 / m) + r8 = r8 - r8 % 1 + r7 = r7 % m + r9 = r9 + (r8 / m) + r9 = r9 - r9 % 1 + r8 = r8 % m + r10 = r10 + (r9 / m) + r10 = r10 - r10 % 1 + r9 = r9 % m + r11 = r11 + (r10 / m) + r11 = r11 - r11 % 1 + r10 = r10 % m + r12 = r12 + (r11 / m) + r12 = r12 - r12 % 1 + r11 = r11 % m + r13 = r13 + (r12 / m) + r13 = r13 - r13 % 1 + r12 = r12 % m + r14 = r14 + (r13 / m) + r14 = r14 - r14 % 1 + r13 = r13 % m + r15 = r15 + (r14 / m) + r15 = r15 - r15 % 1 + r14 = r14 % m + r16 = r16 + (r15 / m) + r16 = r16 - r16 % 1 + r15 = r15 % m + r17 = r17 + (r16 / m) + r17 = 
r17 - r17 % 1 + r16 = r16 % m + r18 = r18 + (r17 / m) + r18 = r18 - r18 % 1 + r17 = r17 % m + r19 = r19 + (r18 / m) + r19 = r19 - r19 % 1 + r18 = r18 % m + r20 = r20 + (r19 / m) + r20 = r20 - r20 % 1 + r19 = r19 % m + r21 = r21 + (r20 / m) + r21 = r21 - r21 % 1 + r20 = r20 % m + r22 = r22 + (r21 / m) + r22 = r22 - r22 % 1 + r21 = r21 % m + r23 = r23 + (r22 / m) + r23 = r23 - r23 % 1 + r22 = r22 % m + r24 = r24 + (r23 / m) + r24 = r24 - r24 % 1 + r23 = r23 % m + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return result +end + +local function REDC(T) + local m = {unpack(mul384({unpack(T, 1, 12)}, p2), 1, 12)} + local t = {unpack(add384(T, mul384(m, p)), 13, 24)} + + return reduce(t) +end + +local function mul(a, b) + return REDC(mul384(a, b)) +end + +local function sqr(a) + local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12 = unpack(a) + + local r1 = a1 * a1 + + local r2 = a1 * a2 * 2 + + local r3 = a1 * a3 * 2 + r3 = r3 + a2 * a2 + + local r4 = a1 * a4 * 2 + r4 = r4 + a2 * a3 * 2 + + local r5 = a1 * a5 * 2 + r5 = r5 + a2 * a4 * 2 + r5 = r5 + a3 * a3 + + local r6 = a1 * a6 * 2 + r6 = r6 + a2 * a5 * 2 + r6 = r6 + a3 * a4 * 2 + + local r7 = a1 * a7 * 2 + r7 = r7 + a2 * a6 * 2 + r7 = r7 + a3 * a5 * 2 + r7 = r7 + a4 * a4 + + local r8 = a1 * a8 * 2 + r8 = r8 + a2 * a7 * 2 + r8 = r8 + a3 * a6 * 2 + r8 = r8 + a4 * a5 * 2 + + local r9 = a1 * a9 * 2 + r9 = r9 + a2 * a8 * 2 + r9 = r9 + a3 * a7 * 2 + r9 = r9 + a4 * a6 * 2 + r9 = r9 + a5 * a5 + + local r10 = a1 * a10 * 2 + r10 = r10 + a2 * a9 * 2 + r10 = r10 + a3 * a8 * 2 + r10 = r10 + a4 * a7 * 2 + r10 = r10 + a5 * a6 * 2 + + local r11 = a1 * a11 * 2 + r11 = r11 + a2 * a10 * 2 + r11 = r11 + a3 * a9 * 2 + r11 = r11 + a4 * a8 * 2 + r11 = r11 + a5 * a7 * 2 + r11 = r11 + a6 * a6 + + local r12 = a1 * a12 * 2 + r12 = r12 + a2 * a11 * 2 + r12 = r12 + a3 * a10 * 2 + r12 = r12 + a4 * a9 * 2 + r12 = r12 + a5 * a8 * 2 + r12 = r12 + a6 * a7 * 2 + 
+ local r13 = a2 * a12 * 2 + r13 = r13 + a3 * a11 * 2 + r13 = r13 + a4 * a10 * 2 + r13 = r13 + a5 * a9 * 2 + r13 = r13 + a6 * a8 * 2 + r13 = r13 + a7 * a7 + + local r14 = a3 * a12 * 2 + r14 = r14 + a4 * a11 * 2 + r14 = r14 + a5 * a10 * 2 + r14 = r14 + a6 * a9 * 2 + r14 = r14 + a7 * a8 * 2 + + local r15 = a4 * a12 * 2 + r15 = r15 + a5 * a11 * 2 + r15 = r15 + a6 * a10 * 2 + r15 = r15 + a7 * a9 * 2 + r15 = r15 + a8 * a8 + + local r16 = a5 * a12 * 2 + r16 = r16 + a6 * a11 * 2 + r16 = r16 + a7 * a10 * 2 + r16 = r16 + a8 * a9 * 2 + + local r17 = a6 * a12 * 2 + r17 = r17 + a7 * a11 * 2 + r17 = r17 + a8 * a10 * 2 + r17 = r17 + a9 * a9 + + local r18 = a7 * a12 * 2 + r18 = r18 + a8 * a11 * 2 + r18 = r18 + a9 * a10 * 2 + + local r19 = a8 * a12 * 2 + r19 = r19 + a9 * a11 * 2 + r19 = r19 + a10 * a10 + + local r20 = a9 * a12 * 2 + r20 = r20 + a10 * a11 * 2 + + local r21 = a10 * a12 * 2 + r21 = r21 + a11 * a11 + + local r22 = a11 * a12 * 2 + + local r23 = a12 * a12 + + local r24 = 0 + + r2 = r2 + (r1 / m) + r2 = r2 - r2 % 1 + r1 = r1 % m + r3 = r3 + (r2 / m) + r3 = r3 - r3 % 1 + r2 = r2 % m + r4 = r4 + (r3 / m) + r4 = r4 - r4 % 1 + r3 = r3 % m + r5 = r5 + (r4 / m) + r5 = r5 - r5 % 1 + r4 = r4 % m + r6 = r6 + (r5 / m) + r6 = r6 - r6 % 1 + r5 = r5 % m + r7 = r7 + (r6 / m) + r7 = r7 - r7 % 1 + r6 = r6 % m + r8 = r8 + (r7 / m) + r8 = r8 - r8 % 1 + r7 = r7 % m + r9 = r9 + (r8 / m) + r9 = r9 - r9 % 1 + r8 = r8 % m + r10 = r10 + (r9 / m) + r10 = r10 - r10 % 1 + r9 = r9 % m + r11 = r11 + (r10 / m) + r11 = r11 - r11 % 1 + r10 = r10 % m + r12 = r12 + (r11 / m) + r12 = r12 - r12 % 1 + r11 = r11 % m + r13 = r13 + (r12 / m) + r13 = r13 - r13 % 1 + r12 = r12 % m + r14 = r14 + (r13 / m) + r14 = r14 - r14 % 1 + r13 = r13 % m + r15 = r15 + (r14 / m) + r15 = r15 - r15 % 1 + r14 = r14 % m + r16 = r16 + (r15 / m) + r16 = r16 - r16 % 1 + r15 = r15 % m + r17 = r17 + (r16 / m) + r17 = r17 - r17 % 1 + r16 = r16 % m + r18 = r18 + (r17 / m) + r18 = r18 - r18 % 1 + r17 = r17 % m + r19 = r19 + (r18 / m) + 
r19 = r19 - r19 % 1 + r18 = r18 % m + r20 = r20 + (r19 / m) + r20 = r20 - r20 % 1 + r19 = r19 % m + r21 = r21 + (r20 / m) + r21 = r21 - r21 % 1 + r20 = r20 % m + r22 = r22 + (r21 / m) + r22 = r22 - r22 % 1 + r21 = r21 % m + r23 = r23 + (r22 / m) + r23 = r23 - r23 % 1 + r22 = r22 % m + r24 = r24 + (r23 / m) + r24 = r24 - r24 % 1 + r23 = r23 % m + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return REDC(result) +end + +local function mont(a) + return mul(a, r2) +end + +local function invMont(a) + local a = {unpack(a)} + + for i = 13, 24 do + a[i] = 0 + end + + return REDC(a) +end + +return { + eq = eq, + add = add, + shr = shr, + sub192 = sub192, + sub = sub, + mul = mul, + sqr = sqr, + mont = mont, + invMont = invMont, +} diff --git a/sys/apis/crypto/ecc/fq.lua b/sys/apis/crypto/ecc/fq.lua new file mode 100644 index 0000000..277f64d --- /dev/null +++ b/sys/apis/crypto/ecc/fq.lua 
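Review bot: `REDC` declares `local m = {unpack(mul384(...))}`, shadowing the module-level radix constant `m = 0x10000` that every other function in this file relies on; it is harmless today because `REDC` never needs the radix, but luacheck will flag it and a future edit that uses `m` inside `REDC` would silently operate on a table. Renaming it removes the trap: `local mm = {unpack(mul384({unpack(T, 1, 12)}, p2), 1, 12)}` and `local t = {unpack(add384(T, mul384(mm, p)), 13, 24)}`. The file also has no description of its number representation; a header comment should say that values are 12 little-endian base-2^16 limbs held in Lua doubles, that `mul`, `sqr`, `mont` and `invMont` work on the Montgomery form with R = 2^192 (REDC keeps limbs 13..24) and `r2` = R^2 mod p, and that `reduce` subtracts p at most once and so only yields a reduced result for inputs below 2p. Whether `p2` is -p^-1 mod R, which REDC's correctness depends on, should be stated there too rather than left for the reader to verify.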
@@ -0,0 +1,741 @@ +-- Fq Integer Arithmetic + +local n = 0xffff +local m = 0x10000 + +local q = {1372, 62520, 47765, 8105, 45059, 9616, 65535, 65535, 65535, 65535, 65535, 65532} +local qn = {1372, 62520, 47765, 8105, 45059, 9616, 65535, 65535, 65535, 65535, 65535, 65532, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} + +local function eq(a, b) + for i = 1, 12 do + if a[i] ~= b[i] then + return false + end + end + + return true +end + +local function cmp(a, b) + for i = 12, 1, -1 do + if a[i] > b[i] then + return 1 + elseif a[i] < b[i] then + return -1 + end + end + + return 0 +end + +local function cmp384(a, b) + for i = 24, 1, -1 do + if a[i] > b[i] then + return 1 + elseif a[i] < b[i] then + return -1 + end + end + + return 0 +end + +local function bytes(x) + local result = {} + + for i = 0, 11 do + local m = x[i + 1] % 256 + result[2 * i + 1] = m + result[2 * i + 2] = (x[i + 1] - m) / 256 + end + + return result +end + +local function fromBytes(enc) + local result = {} + + for i = 0, 11 do + result[i + 1] = enc[2 * i + 1] % 256 + result[i + 1] = result[i + 1] + enc[2 * i + 2] * 256 + end + + return result +end + +local function sub192(a, b) + local r1 = a[1] - b[1] + local r2 = a[2] - b[2] + local r3 = a[3] - b[3] + local r4 = a[4] - b[4] + local r5 = a[5] - b[5] + local r6 = a[6] - b[6] + local r7 = a[7] - b[7] + local r8 = a[8] - b[8] + local r9 = a[9] - b[9] + local r10 = a[10] - b[10] + local r11 = a[11] - b[11] + local r12 = a[12] - b[12] + + if r1 < 0 then + r2 = r2 - 1 + r1 = r1 + m + end + if r2 < 0 then + r3 = r3 - 1 + r2 = r2 + m + end + if r3 < 0 then + r4 = r4 - 1 + r3 = r3 + m + end + if r4 < 0 then + r5 = r5 - 1 + r4 = r4 + m + end + if r5 < 0 then + r6 = r6 - 1 + r5 = r5 + m + end + if r6 < 0 then + r7 = r7 - 1 + r6 = r6 + m + end + if r7 < 0 then + r8 = r8 - 1 + r7 = r7 + m + end + if r8 < 0 then + r9 = r9 - 1 + r8 = r8 + m + end + if r9 < 0 then + r10 = r10 - 1 + r9 = r9 + m + end + if r10 < 0 then + r11 = r11 - 1 + r10 = r10 + m + end + if r11 < 0 then + 
r12 = r12 - 1 + r11 = r11 + m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + return result +end + +local function reduce(a) + local result = {unpack(a)} + + if cmp(result, q) >= 0 then + result = sub192(result, q) + end + + return result +end + +local function add(a, b) + local r1 = a[1] + b[1] + local r2 = a[2] + b[2] + local r3 = a[3] + b[3] + local r4 = a[4] + b[4] + local r5 = a[5] + b[5] + local r6 = a[6] + b[6] + local r7 = a[7] + b[7] + local r8 = a[8] + b[8] + local r9 = a[9] + b[9] + local r10 = a[10] + b[10] + local r11 = a[11] + b[11] + local r12 = a[12] + b[12] + + if r1 > n then + r2 = r2 + 1 + r1 = r1 - m + end + if r2 > n then + r3 = r3 + 1 + r2 = r2 - m + end + if r3 > n then + r4 = r4 + 1 + r3 = r3 - m + end + if r4 > n then + r5 = r5 + 1 + r4 = r4 - m + end + if r5 > n then + r6 = r6 + 1 + r5 = r5 - m + end + if r6 > n then + r7 = r7 + 1 + r6 = r6 - m + end + if r7 > n then + r8 = r8 + 1 + r7 = r7 - m + end + if r8 > n then + r9 = r9 + 1 + r8 = r8 - m + end + if r9 > n then + r10 = r10 + 1 + r9 = r9 - m + end + if r10 > n then + r11 = r11 + 1 + r10 = r10 - m + end + if r11 > n then + r12 = r12 + 1 + r11 = r11 - m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12} + + return reduce(result) +end + +local function sub(a, b) + local result = sub192(a, b) + + if result[12] < 0 then + result = add(result, q) + end + + return result +end + +local function add384(a, b) + local r1 = a[1] + b[1] + local r2 = a[2] + b[2] + local r3 = a[3] + b[3] + local r4 = a[4] + b[4] + local r5 = a[5] + b[5] + local r6 = a[6] + b[6] + local r7 = a[7] + b[7] + local r8 = a[8] + b[8] + local r9 = a[9] + b[9] + local r10 = a[10] + b[10] + local r11 = a[11] + b[11] + local r12 = a[12] + b[12] + local r13 = a[13] + b[13] + local r14 = a[14] + b[14] + local r15 = a[15] + b[15] + local r16 = a[16] + b[16] + local r17 = a[17] + b[17] + local r18 = a[18] + b[18] + local r19 = a[19] + b[19] + local r20 = a[20] + b[20] + 
local r21 = a[21] + b[21] + local r22 = a[22] + b[22] + local r23 = a[23] + b[23] + local r24 = a[24] + b[24] + + if r1 > n then + r2 = r2 + 1 + r1 = r1 - m + end + if r2 > n then + r3 = r3 + 1 + r2 = r2 - m + end + if r3 > n then + r4 = r4 + 1 + r3 = r3 - m + end + if r4 > n then + r5 = r5 + 1 + r4 = r4 - m + end + if r5 > n then + r6 = r6 + 1 + r5 = r5 - m + end + if r6 > n then + r7 = r7 + 1 + r6 = r6 - m + end + if r7 > n then + r8 = r8 + 1 + r7 = r7 - m + end + if r8 > n then + r9 = r9 + 1 + r8 = r8 - m + end + if r9 > n then + r10 = r10 + 1 + r9 = r9 - m + end + if r10 > n then + r11 = r11 + 1 + r10 = r10 - m + end + if r11 > n then + r12 = r12 + 1 + r11 = r11 - m + end + if r12 > n then + r13 = r13 + 1 + r12 = r12 - m + end + if r13 > n then + r14 = r14 + 1 + r13 = r13 - m + end + if r14 > n then + r15 = r15 + 1 + r14 = r14 - m + end + if r15 > n then + r16 = r16 + 1 + r15 = r15 - m + end + if r16 > n then + r17 = r17 + 1 + r16 = r16 - m + end + if r17 > n then + r18 = r18 + 1 + r17 = r17 - m + end + if r18 > n then + r19 = r19 + 1 + r18 = r18 - m + end + if r19 > n then + r20 = r20 + 1 + r19 = r19 - m + end + if r20 > n then + r21 = r21 + 1 + r20 = r20 - m + end + if r21 > n then + r22 = r22 + 1 + r21 = r21 - m + end + if r22 > n then + r23 = r23 + 1 + r22 = r22 - m + end + if r23 > n then + r24 = r24 + 1 + r23 = r23 - m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return result +end + +local function sub384(a, b) + local r1 = a[1] - b[1] + local r2 = a[2] - b[2] + local r3 = a[3] - b[3] + local r4 = a[4] - b[4] + local r5 = a[5] - b[5] + local r6 = a[6] - b[6] + local r7 = a[7] - b[7] + local r8 = a[8] - b[8] + local r9 = a[9] - b[9] + local r10 = a[10] - b[10] + local r11 = a[11] - b[11] + local r12 = a[12] - b[12] + local r13 = a[13] - b[13] + local r14 = a[14] - b[14] + local r15 = a[15] - b[15] + local r16 = a[16] - b[16] + local r17 = a[17] - b[17] + local 
r18 = a[18] - b[18] + local r19 = a[19] - b[19] + local r20 = a[20] - b[20] + local r21 = a[21] - b[21] + local r22 = a[22] - b[22] + local r23 = a[23] - b[23] + local r24 = a[24] - b[24] + + if r1 < 0 then + r2 = r2 - 1 + r1 = r1 + m + end + if r2 < 0 then + r3 = r3 - 1 + r2 = r2 + m + end + if r3 < 0 then + r4 = r4 - 1 + r3 = r3 + m + end + if r4 < 0 then + r5 = r5 - 1 + r4 = r4 + m + end + if r5 < 0 then + r6 = r6 - 1 + r5 = r5 + m + end + if r6 < 0 then + r7 = r7 - 1 + r6 = r6 + m + end + if r7 < 0 then + r8 = r8 - 1 + r7 = r7 + m + end + if r8 < 0 then + r9 = r9 - 1 + r8 = r8 + m + end + if r9 < 0 then + r10 = r10 - 1 + r9 = r9 + m + end + if r10 < 0 then + r11 = r11 - 1 + r10 = r10 + m + end + if r11 < 0 then + r12 = r12 - 1 + r11 = r11 + m + end + if r12 < 0 then + r13 = r13 - 1 + r12 = r12 + m + end + if r13 < 0 then + r14 = r14 - 1 + r13 = r13 + m + end + if r14 < 0 then + r15 = r15 - 1 + r14 = r14 + m + end + if r15 < 0 then + r16 = r16 - 1 + r15 = r15 + m + end + if r16 < 0 then + r17 = r17 - 1 + r16 = r16 + m + end + if r17 < 0 then + r18 = r18 - 1 + r17 = r17 + m + end + if r18 < 0 then + r19 = r19 - 1 + r18 = r18 + m + end + if r19 < 0 then + r20 = r20 - 1 + r19 = r19 + m + end + if r20 < 0 then + r21 = r21 - 1 + r20 = r20 + m + end + if r21 < 0 then + r22 = r22 - 1 + r21 = r21 + m + end + if r22 < 0 then + r23 = r23 - 1 + r22 = r22 + m + end + if r23 < 0 then + r24 = r24 - 1 + r23 = r23 + m + end + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return result +end + +local function mul384(a, b) + local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12 = unpack(a) + local b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12 = unpack(b) + + local r1 = a1 * b1 + + local r2 = a1 * b2 + r2 = r2 + a2 * b1 + + local r3 = a1 * b3 + r3 = r3 + a2 * b2 + r3 = r3 + a3 * b1 + + local r4 = a1 * b4 + r4 = r4 + a2 * b3 + r4 = r4 + a3 * b2 + r4 = r4 + a4 * b1 + + local r5 = a1 * b5 + r5 
= r5 + a2 * b4 + r5 = r5 + a3 * b3 + r5 = r5 + a4 * b2 + r5 = r5 + a5 * b1 + + local r6 = a1 * b6 + r6 = r6 + a2 * b5 + r6 = r6 + a3 * b4 + r6 = r6 + a4 * b3 + r6 = r6 + a5 * b2 + r6 = r6 + a6 * b1 + + local r7 = a1 * b7 + r7 = r7 + a2 * b6 + r7 = r7 + a3 * b5 + r7 = r7 + a4 * b4 + r7 = r7 + a5 * b3 + r7 = r7 + a6 * b2 + r7 = r7 + a7 * b1 + + local r8 = a1 * b8 + r8 = r8 + a2 * b7 + r8 = r8 + a3 * b6 + r8 = r8 + a4 * b5 + r8 = r8 + a5 * b4 + r8 = r8 + a6 * b3 + r8 = r8 + a7 * b2 + r8 = r8 + a8 * b1 + + local r9 = a1 * b9 + r9 = r9 + a2 * b8 + r9 = r9 + a3 * b7 + r9 = r9 + a4 * b6 + r9 = r9 + a5 * b5 + r9 = r9 + a6 * b4 + r9 = r9 + a7 * b3 + r9 = r9 + a8 * b2 + r9 = r9 + a9 * b1 + + local r10 = a1 * b10 + r10 = r10 + a2 * b9 + r10 = r10 + a3 * b8 + r10 = r10 + a4 * b7 + r10 = r10 + a5 * b6 + r10 = r10 + a6 * b5 + r10 = r10 + a7 * b4 + r10 = r10 + a8 * b3 + r10 = r10 + a9 * b2 + r10 = r10 + a10 * b1 + + local r11 = a1 * b11 + r11 = r11 + a2 * b10 + r11 = r11 + a3 * b9 + r11 = r11 + a4 * b8 + r11 = r11 + a5 * b7 + r11 = r11 + a6 * b6 + r11 = r11 + a7 * b5 + r11 = r11 + a8 * b4 + r11 = r11 + a9 * b3 + r11 = r11 + a10 * b2 + r11 = r11 + a11 * b1 + + local r12 = a1 * b12 + r12 = r12 + a2 * b11 + r12 = r12 + a3 * b10 + r12 = r12 + a4 * b9 + r12 = r12 + a5 * b8 + r12 = r12 + a6 * b7 + r12 = r12 + a7 * b6 + r12 = r12 + a8 * b5 + r12 = r12 + a9 * b4 + r12 = r12 + a10 * b3 + r12 = r12 + a11 * b2 + r12 = r12 + a12 * b1 + + local r13 = a2 * b12 + r13 = r13 + a3 * b11 + r13 = r13 + a4 * b10 + r13 = r13 + a5 * b9 + r13 = r13 + a6 * b8 + r13 = r13 + a7 * b7 + r13 = r13 + a8 * b6 + r13 = r13 + a9 * b5 + r13 = r13 + a10 * b4 + r13 = r13 + a11 * b3 + r13 = r13 + a12 * b2 + + local r14 = a3 * b12 + r14 = r14 + a4 * b11 + r14 = r14 + a5 * b10 + r14 = r14 + a6 * b9 + r14 = r14 + a7 * b8 + r14 = r14 + a8 * b7 + r14 = r14 + a9 * b6 + r14 = r14 + a10 * b5 + r14 = r14 + a11 * b4 + r14 = r14 + a12 * b3 + + local r15 = a4 * b12 + r15 = r15 + a5 * b11 + r15 = r15 + a6 * b10 + r15 = r15 + a7 * 
b9 + r15 = r15 + a8 * b8 + r15 = r15 + a9 * b7 + r15 = r15 + a10 * b6 + r15 = r15 + a11 * b5 + r15 = r15 + a12 * b4 + + local r16 = a5 * b12 + r16 = r16 + a6 * b11 + r16 = r16 + a7 * b10 + r16 = r16 + a8 * b9 + r16 = r16 + a9 * b8 + r16 = r16 + a10 * b7 + r16 = r16 + a11 * b6 + r16 = r16 + a12 * b5 + + local r17 = a6 * b12 + r17 = r17 + a7 * b11 + r17 = r17 + a8 * b10 + r17 = r17 + a9 * b9 + r17 = r17 + a10 * b8 + r17 = r17 + a11 * b7 + r17 = r17 + a12 * b6 + + local r18 = a7 * b12 + r18 = r18 + a8 * b11 + r18 = r18 + a9 * b10 + r18 = r18 + a10 * b9 + r18 = r18 + a11 * b8 + r18 = r18 + a12 * b7 + + local r19 = a8 * b12 + r19 = r19 + a9 * b11 + r19 = r19 + a10 * b10 + r19 = r19 + a11 * b9 + r19 = r19 + a12 * b8 + + local r20 = a9 * b12 + r20 = r20 + a10 * b11 + r20 = r20 + a11 * b10 + r20 = r20 + a12 * b9 + + local r21 = a10 * b12 + r21 = r21 + a11 * b11 + r21 = r21 + a12 * b10 + + local r22 = a11 * b12 + r22 = r22 + a12 * b11 + + local r23 = a12 * b12 + + local r24 = 0 + + r2 = r2 + (r1 / m) + r2 = r2 - r2 % 1 + r1 = r1 % m + r3 = r3 + (r2 / m) + r3 = r3 - r3 % 1 + r2 = r2 % m + r4 = r4 + (r3 / m) + r4 = r4 - r4 % 1 + r3 = r3 % m + r5 = r5 + (r4 / m) + r5 = r5 - r5 % 1 + r4 = r4 % m + r6 = r6 + (r5 / m) + r6 = r6 - r6 % 1 + r5 = r5 % m + r7 = r7 + (r6 / m) + r7 = r7 - r7 % 1 + r6 = r6 % m + r8 = r8 + (r7 / m) + r8 = r8 - r8 % 1 + r7 = r7 % m + r9 = r9 + (r8 / m) + r9 = r9 - r9 % 1 + r8 = r8 % m + r10 = r10 + (r9 / m) + r10 = r10 - r10 % 1 + r9 = r9 % m + r11 = r11 + (r10 / m) + r11 = r11 - r11 % 1 + r10 = r10 % m + r12 = r12 + (r11 / m) + r12 = r12 - r12 % 1 + r11 = r11 % m + r13 = r13 + (r12 / m) + r13 = r13 - r13 % 1 + r12 = r12 % m + r14 = r14 + (r13 / m) + r14 = r14 - r14 % 1 + r13 = r13 % m + r15 = r15 + (r14 / m) + r15 = r15 - r15 % 1 + r14 = r14 % m + r16 = r16 + (r15 / m) + r16 = r16 - r16 % 1 + r15 = r15 % m + r17 = r17 + (r16 / m) + r17 = r17 - r17 % 1 + r16 = r16 % m + r18 = r18 + (r17 / m) + r18 = r18 - r18 % 1 + r17 = r17 % m + r19 = r19 + (r18 / m) + 
r19 = r19 - r19 % 1 + r18 = r18 % m + r20 = r20 + (r19 / m) + r20 = r20 - r20 % 1 + r19 = r19 % m + r21 = r21 + (r20 / m) + r21 = r21 - r21 % 1 + r20 = r20 % m + r22 = r22 + (r21 / m) + r22 = r22 - r22 % 1 + r21 = r21 % m + r23 = r23 + (r22 / m) + r23 = r23 - r23 % 1 + r22 = r22 % m + r24 = r24 + (r23 / m) + r24 = r24 - r24 % 1 + r23 = r23 % m + + local result = {r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24} + + return result +end + +local function reduce384(a) + local result = {unpack(a)} + + while cmp384(result, qn) >= 0 do + local qn = {unpack(qn)} + local qn2 = add384(qn, qn) + while cmp384(result, qn2) > 0 do + qn = qn2 + qn2 = add384(qn2, qn2) + end + result = sub384(result, qn) + end + + result = {unpack(result, 1, 12)} + + return result +end + +local function mul(a, b) + return reduce384(mul384(a, b)) +end + +return { + eq = eq, + cmp = cmp, + bytes = bytes, + fromBytes = fromBytes, + reduce = reduce, + add = add, + sub = sub, + mul = mul, +} diff --git a/sys/apis/crypto/ecc/init.lua b/sys/apis/crypto/ecc/init.lua new file mode 100644 index 0000000..51e3b57 --- /dev/null +++ b/sys/apis/crypto/ecc/init.lua 
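Review bot: `reduce384` reduces by repeated doubling and subtraction, so its iteration count depends on the magnitude of the product, and `mul` feeds it `x * e` in the signing path, so execution time varies with secret-dependent values. On a ComputerCraft VM a timing side channel is probably not practical, but a comment such as `-- NOTE: variable-time reduction; loop count depends on the operand magnitude` would stop the next maintainer from assuming constant time. Separately, `fromBytes` reads `enc[1..24]` without checking the length, so a short input fails with an arithmetic-on-nil error rather than a clear message; `assert(#enc >= 24, "fromBytes: need 24 bytes")` at the top would make callers such as signature parsing fail predictably.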
@@ -0,0 +1,87 @@
+local fq = require('crypto.ecc.fq')
+local elliptic = require('crypto.ecc.elliptic')
+local sha256 = require('crypto.sha2')
+
+local q = {1372, 62520, 47765, 8105, 45059, 9616, 65535, 65535, 65535, 65535, 65535, 65532}
+
+local sLen = 24
+local eLen = 24
+
+local function hashModQ(sk)
+ local hash = sha256.hmac({0x00}, sk)
+ local x
+ repeat
+ hash = sha256.digest(hash)
+ x = fq.fromBytes(hash)
+ until fq.cmp(x, q) <= 0
+
+ return x
+end
+
+local function publicKey(sk)
+ local x = hashModQ(sk)
+
+ local Y = elliptic.scalarMulG(x)
+ local pk = elliptic.pointEncode(Y)
+
+ return pk
+end
+
+local function exchange(sk, pk)
+ local Y = elliptic.pointDecode(pk)
+ local x = hashModQ(sk)
+
+ local Z = elliptic.scalarMul(x, Y)
+ Z = elliptic.pointScale(Z)
+
+ local ss = fq.bytes(Z[2])
+ local ss = sha256.digest(ss)
+
+ return ss
+end
+
+local function sign(sk, message)
+ message = type(message) == "table" and string.char(unpack(message)) or message
+ sk = type(sk) == "table" and string.char(unpack(sk)) or sk
+ local epoch = tostring(os.epoch("utc"))
+ local x = hashModQ(sk)
+ local k = hashModQ(message .. epoch .. sk)
+
+ local R = elliptic.scalarMulG(k)
+ R = string.char(unpack(elliptic.pointEncode(R)))
+ local e = hashModQ(R .. message)
+ local s = fq.sub(k, fq.mul(x, e))
+
+ e = fq.bytes(e)
+ s = fq.bytes(s)
+
+ local sig = {unpack(e)}
+
+ for i = 1, #s do
+ sig[#sig + 1] = s[i]
+ end
+
+ return sig
+end
+
+local function verify(pk, message, sig)
+ local Y = elliptic.pointDecode(pk)
+ local e = {unpack(sig, 1, eLen)}
+ local s = {unpack(sig, eLen + 1, eLen + sLen)}
+
+ e = fq.fromBytes(e)
+ s = fq.fromBytes(s)
+
+ local R = elliptic.pointAdd(elliptic.scalarMulG(s), elliptic.scalarMul(e, Y))
+ R = string.char(unpack(elliptic.pointEncode(R)))
+ local e2 = hashModQ(R .. message)
+
+ return fq.eq(e2, e)
+end
+
+return {
+ publicKey = publicKey,
+ exchange = exchange,
+ sign = sign,
+ verify = verify,
+}
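Review bot: In `hashModQ` the loop exits on `fq.cmp(x, q) <= 0`, so `x == q` is accepted and acts as a zero scalar; the condition should be strict, `until fq.cmp(x, q) < 0`, and an all-zero result should likewise be retried so a key or nonce can never be 0. `verify` unpacks `sig` without checking its length, so a truncated or non-table signature fails inside `fq.fromBytes` with a nil-arithmetic error instead of returning false; add `if type(sig) ~= "table" or #sig ~= eLen + sLen then return false end` before the unpacks. `sign` converts a table `message` to a string but `verify` concatenates `message` directly in `R .. message`, so the same table that signed cleanly makes verification raise; applying the same coercion in `verify` keeps the two symmetrical. The curve order `q` is also duplicated from fq.lua, which does not export it; exporting it there (`q = q,`) and using `fq.q` here avoids the two copies drifting.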
diff --git a/sys/apis/sha2.lua b/sys/apis/crypto/sha2.lua similarity index 92% rename from sys/apis/sha2.lua rename to sys/apis/crypto/sha2.lua index f7965bc..162f5cb 100644 --- a/sys/apis/sha2.lua +++ b/sys/apis/crypto/sha2.lua @@ -1,8 +1,6 @@ -- SHA-256, HMAC and PBKDF2 functions in ComputerCraft -- By Anavrins -local bit = _G.bit - local mod32 = 2^32 local band = bit32 and bit32.band or bit.band local bnot = bit32 and bit32.bnot or bit.bnot @@ -40,7 +38,7 @@ local function counter(incr) local t1, t2 = 0, 0 if 0xFFFFFFFF - t1 < incr then t2 = t2 + 1 - t1 = incr - (0xFFFFFFFF - t1) - 1 + t1 = incr - (0xFFFFFFFF - t1) - 1 else t1 = t1 + incr end return t2, t1 @@ -68,7 +66,7 @@ end local function digestblock(w, C) for j = 17, 64 do - --local v = w[j-15] + local v = w[j-15] local s0 = bxor(bxor(rrotate(w[j-15], 7), rrotate(w[j-15], 18)), brshift(w[j-15], 3)) local s1 = bxor(bxor(rrotate(w[j-2], 17), rrotate(w[j-2], 19)), brshift(w[j-2], 10)) w[j] = (w[j-16] + s0 + w[j-7] + s1)%mod32 @@ -97,7 +95,7 @@ end local mt = { __tostring = function(a) return string.char(unpack(a)) end, __index = { - toHex = function(self) return ("%02x"):rep(#self):format(unpack(self)) end, + toHex = function(self, s) return ("%02x"):rep(#self):format(unpack(self)) end, isEqual = function(self, t) if type(t) ~= "table" then return false end if #self ~= #t then return false end @@ -122,7 +120,7 @@ local function toBytes(t, n) end local function digest(data) - data = data or "" + local data = data or "" data = type(data) == "table" and {upack(data)} or {tostring(data):byte(1,-1)} data = preprocess(data) 
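Review bot: With `local bit = _G.bit` removed, the fallbacks `bit.band`, `bit.bnot`, … in the lines that follow now resolve `bit` as a global of whatever environment loads this module; on a runtime without `bit32` that is presumably a nil-index error at load time, so either keep the local or write the fallback as `local bit = _G.bit32 or _G.bit`. The hunk at `@@ -68,7 +66,7 @@` re-enables `local v = w[j-15]` but nothing reads `v`, and the hunk at `@@ -97,7 +95,7 @@` gives `toHex` an `s` parameter that is never used; both read as leftovers and luacheck will flag them. The enclosing definitions of those two hunks continue outside the visible lines.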
@@ -132,8 +130,8 @@ local function digest(data) end local function hmac(data, key) - data = type(data) == "table" and {upack(data)} or {tostring(data):byte(1,-1)} - key = type(key) == "table" and {upack(key)} or {tostring(key):byte(1,-1)} + local data = type(data) == "table" and {upack(data)} or {tostring(data):byte(1,-1)} + local key = type(key) == "table" and {upack(key)} or {tostring(key):byte(1,-1)} local blocksize = 64 @@ -163,13 +161,12 @@ local function hmac(data, key) end local function pbkdf2(pass, salt, iter, dklen) + local salt = type(salt) == "table" and salt or {tostring(salt):byte(1,-1)} local hashlen = 32 + local dklen = dklen or 32 local block = 1 local out = {} - dklen = dklen or 32 - salt = type(salt) == "table" and salt or {tostring(salt):byte(1,-1)} - while dklen > 0 do local ikey = {} local isalt = {upack(salt)} @@ -197,4 +194,4 @@ return { digest = digest, hmac = hmac, pbkdf2 = pbkdf2, -} \ No newline at end of file +} diff --git a/sys/apis/injector.lua b/sys/apis/injector.lua index 5497b24..799cf0b 100644 --- a/sys/apis/injector.lua +++ b/sys/apis/injector.lua @@ -192,7 +192,7 @@ return function(env) error(msg, 2) end end - error('Unable to find module ' .. modname) + error('Unable to find module ' .. modname, 2) end return env.require -- backwards compatible diff --git a/sys/apis/security.lua b/sys/apis/security.lua index ab0fea8..691df97 100644 --- a/sys/apis/security.lua +++ b/sys/apis/security.lua @@ -1,4 +1,6 @@ local Config = require('config') +local Util = require('util') +local ECC = require('crypto.ecc') local Security = { } 
@@ -14,33 +16,18 @@ end function Security.getSecretKey() local config = Config.load('os') if not config.secretKey then - config.secretKey = math.random(100000, 999999) + config.secretKey = "" + for _ = 1, 32 do + config.secretKey = config.secretKey .. ("%02x"):format(math.random(0, 0xFF)) + end Config.update('os', config) end - return config.secretKey + return Util.hexToByteArray(config.secretKey) end function Security.getPublicKey() - local exchange = { - base = 11, - primeMod = 625210769 - } - - local function modexp(base, exponent, modulo) - local remainder = base - - for _ = 1, exponent-1 do - remainder = remainder * remainder - if remainder >= modulo then - remainder = remainder % modulo - end - end - - return remainder - end - local secretKey = Security.getSecretKey() - return modexp(exchange.base, secretKey, exchange.primeMod) + return ECC.publicKey(secretKey) end function Security.updatePassword(password) diff --git a/sys/apis/socket.lua b/sys/apis/socket.lua index 726b4d3..ae1bc60 100644 --- a/sys/apis/socket.lua +++ b/sys/apis/socket.lua @@ -1,4 +1,4 @@ -local Crypto = require('crypto') +local Crypto = require('crypto.chacha20') local Security = require('security') local Util = require('util') @@ -167,15 +167,16 @@ local function trusted(msg, port) local trustList = Util.readTable('usr/.known_hosts') or { } local pubKey = trustList[msg.shost] - if pubKey then - local data = Crypto.decrypt(msg.t or '', pubKey) + if pubKey and msg.t then + pubKey = Util.hexToByteArray(pubKey) + local data = Crypto.decrypt(msg.t, pubKey) - if data.nts then -- upgraded security + if data and data.nts then -- upgraded security return data.nts and tonumber(data.nts) and math.abs(os.epoch('utc') - data.nts) < 1024 end --local sharedKey = modexp(pubKey, exchange.secretKey, public.primeMod) - return data.ts and tonumber(data.ts) and math.abs(os.time() - data.ts) < 24 + return data and data.ts and tonumber(data.ts) and math.abs(os.time() - data.ts) < 24 end end 
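Review bot: The 32-byte secret key is generated with `math.random(0, 0xFF)`, which is not a cryptographic generator; its seed is typically small and not secret, so the ECC private key derived from it has far less than 256 bits of entropy whatever its length. The old 6-digit key had the same weakness, but the new key is now the root of trust for signatures and key exchange via `Security.getPublicKey`, so at least mix additional entropy into it, e.g. hash the random bytes together with `os.epoch('utc')`, `os.clock()`, `os.getComputerID()` and some user-timed input through `sha256.hmac` before storing. A comment stating the key's provenance (`-- NOTE: math.random is not a CSPRNG; key entropy is bounded by its seed`) would also help anyone auditing the config format.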
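Review bot: `trusted` still decrypts `msg.t` with the peer's stored public key as the ChaCha20 key, so the check only proves the sender knows a value that is by name public; the commit swaps in real ECC but keeps this pre-shared-secret shape, and the stale `--local sharedKey = modexp(...)` comment shows a derived shared key was the intent. Now that `crypto.ecc` exports `exchange(sk, pk)`, deriving the token key as `ECC.exchange(Security.getSecretKey(), pubKey)` on both ends (the sender side is not in this hunk) would bind the token to both parties' private keys and make the stored public key safe to disclose. The `data and` guards added on the two return lines are a good fix; a short comment above them, `-- decrypt returns nil on a bad key or corrupt token`, would explain why they are needed, assuming that is indeed the failure mode.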
diff --git a/sys/apis/util.lua b/sys/apis/util.lua index 042ba84..271fcfd 100644 --- a/sys/apis/util.lua +++ b/sys/apis/util.lua @@ -10,6 +10,19 @@ local _sformat = string.format local _srep = string.rep local _ssub = string.sub +function Util.hexToByteArray(str) + local r = {} + str = tostring(str) + for b in str:gmatch("%x%x?") do + r[#r+1] = tonumber(b, 16) + end + return r +end + +function Util.byteArrayToHex(tbl) + return ("%02x"):rep(#tbl):format(unpack(tbl)) +end + function Util.tryTimed(timeout, f, ...) local c = os.clock() repeat diff --git a/sys/apps/Welcome.lua b/sys/apps/Welcome.lua index 80d170e..8a4507b 100644 --- a/sys/apps/Welcome.lua +++ b/sys/apps/Welcome.lua @@ -1,7 +1,6 @@ local Ansi = require('ansi') -local Config = require('config') local Security = require('security') -local SHA1 = require('sha1') +local SHA2 = require('crypto.sha2') local UI = require('ui') local colors = _G.colors @@ -108,7 +107,7 @@ end function page.wizard.pages.password:validate() if #self.newPass.value > 0 then - Security.updatePassword(SHA1.sha1(self.newPass.value)) + Security.updatePassword(SHA2.digest(self.newPass.value):toHex()) end --[[ if #self.group.value > 0 then diff --git a/sys/apps/network/trust.lua b/sys/apps/network/trust.lua index 9d12c3a..b2e493f 100644 --- a/sys/apps/network/trust.lua +++ b/sys/apps/network/trust.lua @@ -1,4 +1,4 @@ -local Crypto = require('crypto') +local Crypto = require('crypto.chacha20') local Event = require('event') local Security = require('security') local Socket = require('socket') @@ -14,7 +14,7 @@ local function trustConnection(socket) data = Crypto.decrypt(data, password) if data and data.pk and data.dh == socket.dhost then local trustList = Util.readTable('usr/.known_hosts') or { } - trustList[data.dh] = data.pk + trustList[data.dh] = Util.byteArrayToHex(data.pk) Util.writeTable('usr/.known_hosts', trustList) socket:write({ success = true, msg = 'Trust accepted' }) 
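Review bot: `Util.hexToByteArray` silently skips any non-hex characters and accepts a trailing single nibble through `%x%x?`, so a corrupted or hand-edited key string is converted into a shorter or different byte array instead of being rejected; since it now feeds `Security.getSecretKey` and the trusted-host keys, malformed input should fail loudly, e.g. `if #str % 2 ~= 0 or str:find('[^%x]') then error('invalid hex string', 2) end` before the loop. `Util.byteArrayToHex` relies on `unpack` and `#tbl`, which is fine for key-sized arrays but will hit the argument limit for large ones; a one-line LDoc comment stating both helpers are meant for key-sized byte arrays would set expectations.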
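Review bot: The stored password is now a single unsalted SHA-256 of the user's input (`SHA2.digest(self.newPass.value):toHex()`), which is fast to brute-force offline if the config file is read; the same module already ships `pbkdf2`, so deriving the stored value with `SHA2.pbkdf2(password, salt, iterations)` using a per-machine salt and a meaningful iteration count (assuming it returns the same hex-capable table) would be the intended use of it. The same pattern appears in `sys/apps/password.lua`, `sys/apps/system/password.lua` (where `verifyPassword` would need the matching derivation) and `sys/apps/trust.lua`, where the digest also serves as the ChaCha20 key for the trust exchange. The `validate` method continues past the hunk.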
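Review bot: `data.pk` is persisted through `Util.byteArrayToHex(data.pk)` without checking that it is a table of the length `elliptic.pointEncode` produces, so a peer that knows the password can send a string or an oversized table and take down the trust routine inside `unpack`/`format`, or store a key that `ECC` later fails to decode. Validate before writing, e.g. `if type(data.pk) ~= 'table' or #data.pk ~= EXPECTED_PK_LEN then` (with the constant taken from the elliptic module) and reject the message on the existing failure path, which is outside this hunk. `trustConnection` continues past the hunk.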
@@ -26,8 +26,8 @@ local function trustConnection(socket) end Event.addRoutine(function() - print('trust: listening on port 19') + while true do local socket = Socket.server(19) diff --git a/sys/apps/password.lua b/sys/apps/password.lua index ca0f5b5..6beb700 100644 --- a/sys/apps/password.lua +++ b/sys/apps/password.lua @@ -1,10 +1,10 @@ local Security = require('security') -local SHA1 = require('sha1') +local SHA2 = require('crypto.sha2') local Terminal = require('terminal') local password = Terminal.readPassword('Enter new password: ') if password then - Security.updatePassword(SHA1.sha1(password)) + Security.updatePassword(SHA2.digest(password):toHex()) print('Password updated') end diff --git a/sys/apps/system/password.lua b/sys/apps/system/password.lua index 5f705a6..7ad5769 100644 --- a/sys/apps/system/password.lua +++ b/sys/apps/system/password.lua @@ -1,5 +1,5 @@ local Security = require('security') -local SHA1 = require('sha1') +local SHA2 = require('crypto.sha2') local UI = require('ui') local colors = _G.colors @@ -40,11 +40,11 @@ function passwordTab:eventHandler(event) if #self.newPass.value == 0 then self:emit({ type = 'error_message', message = 'Invalid password' }) - elseif Security.getPassword() and not Security.verifyPassword(SHA1.sha1(self.oldPass.value)) then + elseif Security.getPassword() and not Security.verifyPassword(SHA2.digest(self.oldPass.value):toHex()) then self:emit({ type = 'error_message', message = 'Passwords do not match' }) else - Security.updatePassword(SHA1.sha1(self.newPass.value)) + Security.updatePassword(SHA2.digest(self.newPass.value):toHex()) self.oldPass.inactive = false self:emit({ type = 'success_message', message = 'Password updated' }) end diff --git a/sys/apps/trust.lua b/sys/apps/trust.lua index da8ff55..90c01d4 100644 --- a/sys/apps/trust.lua +++ b/sys/apps/trust.lua 
@@ -1,6 +1,6 @@ -local Crypto = require('crypto') +local Crypto = require('crypto.chacha20') local Security = require('security') -local SHA1 = require('sha1') +local SHA2 = require('crypto.sha2') local Socket = require('socket') local Terminal = require('terminal') @@ -35,7 +35,7 @@ end local publicKey = Security.getPublicKey() -socket:write(Crypto.encrypt({ pk = publicKey, dh = os.getComputerID() }, SHA1.sha1(password))) +socket:write(Crypto.encrypt({ pk = publicKey, dh = os.getComputerID() }, SHA2.digest(password):toHex())) local data = socket:read(2) socket:close() diff --git a/sys/autorun/welcome.lua b/sys/autorun/welcome.lua index 2ecf6d8..e3a7b5a 100644 --- a/sys/autorun/welcome.lua +++ b/sys/autorun/welcome.lua @@ -1,11 +1,45 @@ local Config = require('config') +local Util = require('util') -local shell = _ENV.shell +local fs = _G.fs +local shell = _ENV.shell local config = Config.load('os') if not config.welcomed and shell.openForegroundTab then config.welcomed = true + config.securityUpdate = true + config.readNotes = 1 Config.update('os', config) shell.openForegroundTab('Welcome') end + +if not config.securityUpdate then + config.securityUpdate = true + config.secretKey = nil + config.password = nil + config.readNotes = 1 + Config.update('os', config) + + fs.delete('usr/.known_hosts') + + Util.writeFile('sys/notes_1.txt', [[ +An important security update has been applied. + +Unfortunately, this update has reset the +password on the system. You can set a new +password in System->System->Password. + +All computers that you connect to will also +need to be updated as well. + +Thanks for your patience. And... thanks to +Anavrins for the much improved security. + ]]) +end + +if fs.exists('sys/notes_1.txt') and shell.openForegroundTab then + shell.openForegroundTab('edit sys/notes_1.txt') + os.sleep(2) + fs.delete('sys/notes_1.txt') +end
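Review bot: The migration block clears `config.password` and deletes `usr/.known_hosts` unconditionally and then, after opening the editor tab, removes the notes file on a fixed `os.sleep(2)`; the machine is left with no password and only a two-second window in which the explanation exists on disk, while `config.readNotes = 1` is set but never read here. Consider keeping `sys/notes_1.txt` until the user acknowledges it (for instance removing it when `readNotes` is cleared by the notes flow) and prompting for a new password as part of the migration rather than afterwards. The `if not config.securityUpdate` branch is skipped on a fresh install only because the first block sets the flag on the same table; a comment such as `-- first boot sets securityUpdate above, so this block is the upgrade path only` would make that ordering dependency explicit.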