ANNOUNCE: eccrypto 0.1.0, timing attack safe cryptography in Haskell

Dear Haskell Community!

I'd like to introduce some new cryptographic code, containing a verified[*] timing-attack safe pure Haskell[**] implementation of Ed25519 and as of yet unverified implementations of textbook ECDH and ECDSA on the NIST prime curves.

Install it by
  $ cabal install eccrypto
or download it from Hackage[0].

Also contained are test vectors, usable by the trusty
  $ cabal test
as well as benchmarking code which you can invoke by
  $ cabal bench
if you want to try my code before using it. Please note that this is a one-person project, so there is still much room for optimization.

The intended focus groups are implementors of cryptographic protocols as well as other cryptographers and interested third parties.

My code uses no[**] embedded C code or assembly to achieve timing attack resistance, only careful Haskell constructions in the internal modules, the obligatory hacker's footgun included only in those. ;-)

Security sketch:
The timing attack safety is built on the constant time criterion, namely, that no branches or memory access indices may be based on the content of the secret key bits. The name of this criterion is from the strict evaluation world of cryptography, but does not prohibit non-strict evaluation semantics per se.

The API is only slightly different from contemporary libraries like "ed25519"[1], but the content of the signatures is just the same. The number of dependencies is also in the same ballpark, if you'd like to use the code for infrastructure - but in that case, please talk to me to not use unverified/insecure operations!

Best of wishes to a thriving community,
Marcel Fourné

[*]: paper upcoming but as of now it only exists in my notes; analysis was done "by hand" on assembly generated by GHC 8.4.4, mechanization based on established proofs is planned
[**]: using integer-gmp, might change in the future to low-level Haskell
[0]: https://hackage.haskell.org/package/eccrypto-0.1.0
[1]: https://hackage.haskell.org/package/ed25519
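
The constant time criterion from the security sketch above, shown as an added example (not code from eccrypto or its author): a branching select and a secret-indexed lookup next to mask-based versions that avoid both. All function names are hypothetical, the sample table is constructed, and whether the code GHC emits is actually branch-free has to be checked on the compiled output, as the announcement describes.

```haskell
module Main (main) where

import Data.Bits (complement, shiftR, xor, (.&.), (.|.))
import Data.List (foldl')
import Data.Word (Word64)

-- Violates the criterion: control flow depends on the secret bit.
leakySelect :: Word64 -> Word64 -> Word64 -> Word64
leakySelect bit x y = if bit == 1 then x else y

-- Violates the criterion: the memory index is the secret itself.
leakyLookup :: Word64 -> [Word64] -> Word64
leakyLookup secretIdx table = table !! fromIntegral secretIdx

-- Secret bit (0 or 1) to an all-zeros or all-ones mask by arithmetic only:
-- 0 - 1 wraps around to 0xFFFFFFFFFFFFFFFF on Word64.
maskFromBit :: Word64 -> Word64
maskFromBit b = 0 - (b .&. 1)

-- Select x for bit 1 and y for bit 0; both inputs are always combined.
ctSelect :: Word64 -> Word64 -> Word64 -> Word64
ctSelect bit x y = (m .&. x) .|. (complement m .&. y)
  where m = maskFromBit bit

-- 1 if a == b, else 0, without a comparison branch: for any nonzero d,
-- either d or its negation has the top bit set.
ctEq :: Word64 -> Word64 -> Word64
ctEq a b = ((d .|. negate d) `shiftR` 63) `xor` 1
  where d = a `xor` b

-- Visit every table entry and keep only the one whose position matches,
-- so the access pattern does not depend on the secret index.
ctLookup :: Word64 -> [Word64] -> Word64
ctLookup secretIdx table = foldl' step 0 (zip [0 ..] table)
  where step acc (i, v) = acc .|. (maskFromBit (ctEq i secretIdx) .&. v)

main :: IO ()
main = do
  let table = [0x11, 0x22, 0x33, 0x44] :: [Word64]  -- constructed sample data
  -- The mask-based versions must agree with the branching ones on every input.
  print [ctSelect b 0xAAAA 0xBBBB == leakySelect b 0xAAAA 0xBBBB | b <- [0, 1]]
  print [ctLookup i table == leakyLookup i table | i <- [0 .. 3]]
```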