transcrypto 1.2.0__py3-none-any.whl → 1.3.0__py3-none-any.whl

transcrypto/rsa.py

@@ -14,6 +14,8 @@ import logging
 # import pdb
 from typing import Self
 
+import gmpy2  # type:ignore
+
 from . import base, modmath, aes
 
 __author__ = 'balparda@github.com'
@@ -100,7 +102,7 @@ class RSAPublicKey(base.CryptoKey, base.Encryptor, base.Verifier):
     if not 0 < message < self.public_modulus:
       raise base.InputError(f'invalid message: {message=}')
     # encrypt
-    return modmath.ModExp(message, self.encrypt_exp, self.public_modulus)
+    return int(gmpy2.powmod(message, self.encrypt_exp, self.public_modulus))  # type:ignore  # pylint:disable=no-member
 
   def Encrypt(self, plaintext: bytes, /, *, associated_data: bytes | None = None) -> bytes:
     """Encrypt `plaintext` and return `ciphertext`.
@@ -290,8 +292,8 @@ class RSAObfuscationPair(RSAPublicKey):
     if not 0 < message < self.public_modulus:
       raise base.InputError(f'invalid message: {message=}')
     # encrypt
-    return (message * modmath.ModExp(
-        self.random_key, self.encrypt_exp, self.public_modulus)) % self.public_modulus
+    return (message * int(gmpy2.powmod(  # type:ignore  # pylint:disable=no-member
+        self.random_key, self.encrypt_exp, self.public_modulus))) % self.public_modulus
 
   def RevealOriginalSignature(self, message: int, signature: int, /) -> int:
     """Recover original signature for `message` from obfuscated `signature`.
@@ -451,9 +453,9 @@ class RSAPrivateKey(RSAPublicKey, base.Decryptor, base.Signer):  # pylint: disab
     if not 0 <= ciphertext < self.public_modulus:
       raise base.InputError(f'invalid message: {ciphertext=}')
     # decrypt using CRT (Chinese Remainder Theorem); 4x speedup; all the below is equivalent
-    # of doing: return modmath.ModExp(ciphertext, self.decrypt_exp, self.public_modulus)
-    m_p: int = modmath.ModExp(ciphertext % self.modulus_p, self.remainder_p, self.modulus_p)
-    m_q: int = modmath.ModExp(ciphertext % self.modulus_q, self.remainder_q, self.modulus_q)
+    # of doing: return pow(ciphertext, self.decrypt_exp, self.public_modulus)
+    m_p: int = int(gmpy2.powmod(ciphertext % self.modulus_p, self.remainder_p, self.modulus_p))  # type:ignore  # pylint:disable=no-member
+    m_q: int = int(gmpy2.powmod(ciphertext % self.modulus_q, self.remainder_q, self.modulus_q))  # type:ignore  # pylint:disable=no-member
     h: int = (self.q_inverse_p * (m_p - m_q)) % self.modulus_p
     return (m_q + h * self.modulus_q) % self.public_modulus
 
@@ -568,21 +570,19 @@ class RSAPrivateKey(RSAPublicKey, base.Decryptor, base.Signer):  # pylint: disab
     failures: int = 0
     while True:
       try:
-        primes: list[int] = [modmath.NBitRandomPrime(bit_length // 2),
-                             modmath.NBitRandomPrime(bit_length // 2)]
-        modulus: int = primes[0] * primes[1]
-        while modulus.bit_length() != bit_length or primes[0] == primes[1]:
-          primes.remove(min(primes))
-          primes.append(modmath.NBitRandomPrime(
-              bit_length // 2 + (bit_length % 2 if modulus.bit_length() < bit_length else 0)))
-          modulus = primes[0] * primes[1]
+        primes: set[int] = set()
+        modulus: int = 0
+        p: int = 0
+        q: int = 0
+        while modulus.bit_length() != bit_length:
+          primes = modmath.NBitRandomPrimes((bit_length + 1) // 2, n_primes=2)
+          p, q = min(primes), max(primes)  # "p" is always the smaller, "q" the larger
+          modulus = p * q
         # build object
-        phi: int = (primes[0] - 1) * (primes[1] - 1)
+        phi: int = (p - 1) * (q - 1)
         prime_exp: int = (_SMALL_ENCRYPTION_EXPONENT if phi <= _BIG_ENCRYPTION_EXPONENT else
                           _BIG_ENCRYPTION_EXPONENT)
         decrypt_exp: int = modmath.ModInv(prime_exp, phi)
-        p: int = min(primes)  # "p" is always the smaller
-        q: int = max(primes)  # "q" is always the larger
         return cls(
             modulus_p=p,
             modulus_q=q,

transcrypto/sss.py

@@ -314,9 +314,7 @@ class ShamirSharedSecretPrivate(ShamirSharedSecretPublic):
     if bit_length < 10:
       raise base.InputError(f'invalid bit length: {bit_length=}')
     # make the primes
-    unique_primes: set[int] = set()
-    while len(unique_primes) < minimum_shares:
-      unique_primes.add(modmath.NBitRandomPrime(bit_length))
+    unique_primes: set[int] = modmath.NBitRandomPrimes(bit_length, n_primes=minimum_shares)
     # get the largest prime for the modulus
     ordered_primes: list[int] = list(unique_primes)
     modulus: int = max(ordered_primes)

transcrypto/transcrypto.py

@@ -321,12 +321,12 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
           '  poetry run transcrypto mod crt 6 7 127 13\n\n'
           '  # --- Hashing ---\n'
           '  poetry run transcrypto hash sha256 xyz\n'
-          '  poetry run transcrypto --b64 hash sha512 eHl6\n'
+          '  poetry run transcrypto --b64 hash sha512 -- eHl6\n'
           '  poetry run transcrypto hash file /etc/passwd --digest sha512\n\n'
           '  # --- AES ---\n'
           '  poetry run transcrypto --out-b64 aes key "correct horse battery staple"\n'
-          '  poetry run transcrypto --b64 --out-b64 aes encrypt -k "<b64key>" "secret"\n'
-          '  poetry run transcrypto --b64 --out-b64 aes decrypt -k "<b64key>" "<ciphertext>"\n'
+          '  poetry run transcrypto --b64 --out-b64 aes encrypt -k "<b64key>" -- "secret"\n'
+          '  poetry run transcrypto --b64 --out-b64 aes decrypt -k "<b64key>" -- "<ciphertext>"\n'
           '  poetry run transcrypto aes ecb -k "<b64key>" encrypt "<128bithexblock>"\n'    # cspell:disable-line
           '  poetry run transcrypto aes ecb -k "<b64key>" decrypt "<128bithexblock>"\n\n'  # cspell:disable-line
           '  # --- RSA ---\n'
@@ -335,6 +335,10 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
           '  poetry run transcrypto -p rsa-key.priv rsa rawdecrypt <ciphertext>\n'
           '  poetry run transcrypto -p rsa-key.priv rsa rawsign <message>\n'
           '  poetry run transcrypto -p rsa-key.pub rsa rawverify <message> <signature>\n\n'
+          '  poetry run transcrypto --bin --out-b64 -p rsa-key.pub rsa encrypt -a <aad> <plaintext>\n'
+          '  poetry run transcrypto --b64 --out-bin -p rsa-key.priv rsa decrypt -a <aad> -- <ciphertext>\n'
+          '  poetry run transcrypto --bin --out-b64 -p rsa-key.priv rsa sign <message>\n'
+          '  poetry run transcrypto --b64 -p rsa-key.pub rsa verify -- <message> <signature>\n\n'
           '  # --- ElGamal ---\n'
           '  poetry run transcrypto -p eg-key elgamal shared --bits 2048\n'
           '  poetry run transcrypto -p eg-key elgamal new\n'
@@ -342,19 +346,27 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
           '  poetry run transcrypto -p eg-key.priv elgamal rawdecrypt <c1:c2>\n'
           '  poetry run transcrypto -p eg-key.priv elgamal rawsign <message>\n'
           '  poetry run transcrypto-p eg-key.pub elgamal rawverify <message> <s1:s2>\n\n'
+          '  poetry run transcrypto --bin --out-b64 -p eg-key.pub elgamal encrypt <plaintext>\n'
+          '  poetry run transcrypto --b64 --out-bin -p eg-key.priv elgamal decrypt -- <ciphertext>\n'
+          '  poetry run transcrypto --bin --out-b64 -p eg-key.priv elgamal sign <message>\n'
+          '  poetry run transcrypto --b64 -p eg-key.pub elgamal verify -- <message> <signature>\n\n'
           '  # --- DSA ---\n'
           '  poetry run transcrypto -p dsa-key dsa shared --p-bits 2048 --q-bits 256\n'
           '  poetry run transcrypto -p dsa-key dsa new\n'
           '  poetry run transcrypto -p dsa-key.priv dsa rawsign <message>\n'
           '  poetry run transcrypto -p dsa-key.pub dsa rawverify <message> <s1:s2>\n\n'
+          '  poetry run transcrypto --bin --out-b64 -p dsa-key.priv dsa sign <message>\n'
+          '  poetry run transcrypto --b64 -p dsa-key.pub dsa verify -- <message> <signature>\n\n'
           '  # --- Public Bid ---\n'
           '  poetry run transcrypto --bin bid new "tomorrow it will rain"\n'
           '  poetry run transcrypto --out-bin bid verify\n\n'
           '  # --- Shamir Secret Sharing (SSS) ---\n'
           '  poetry run transcrypto -p sss-key sss new 3 --bits 1024\n'
-          '  poetry run transcrypto -p sss-key sss rawshares <secret> 5\n'
+          '  poetry run transcrypto -p sss-key sss rawshares <secret> <n>\n'
           '  poetry run transcrypto -p sss-key sss rawrecover\n'
           '  poetry run transcrypto -p sss-key sss rawverify <secret>'
+          '  poetry run transcrypto --bin -p sss-key sss shares <secret> <n>\n'
+          '  poetry run transcrypto --out-bin -p sss-key sss recover\n'
       ),
       formatter_class=argparse.RawTextHelpFormatter)
   sub = parser.add_subparsers(dest='command')
@@ -368,7 +380,10 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   # --hex/--b64/--bin for input mode (default hex)
   in_grp = parser.add_mutually_exclusive_group()
   in_grp.add_argument('--hex', action='store_true', help='Treat inputs as hex string (default)')
-  in_grp.add_argument('--b64', action='store_true', help='Treat inputs as base64url')
+  in_grp.add_argument(
+      '--b64', action='store_true',
+      help=('Treat inputs as base64url; sometimes base64 will start with "-" and that can '
+            'conflict with flags, so use "--" before positional args if needed'))
   in_grp.add_argument('--bin', action='store_true', help='Treat inputs as binary (bytes)')
 
   # --out-hex/--out-b64/--out-bin for output mode (default hex)
@@ -557,7 +572,7 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
       help='SHA-256 of input `data`.',
       epilog=('--bin hash sha256 xyz\n'
               '3608bca1e44ea6c4d268eb6db02260269892c0b42b86bbf1e77a6fa16c3c9282 $$'
-              '--b64 hash sha256 eHl6  # "xyz" in base-64\n'
+              '--b64 hash sha256 -- eHl6  # "xyz" in base-64\n'
               '3608bca1e44ea6c4d268eb6db02260269892c0b42b86bbf1e77a6fa16c3c9282'))
   p_h256.add_argument('data', type=str, help='Input data (raw text; or use --hex/--b64/--bin)')
 
@@ -568,7 +583,7 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
       epilog=('--bin hash sha512 xyz\n'
               '4a3ed8147e37876adc8f76328e5abcc1b470e6acfc18efea0135f983604953a5'
               '8e183c1a6086e91ba3e821d926f5fdeb37761c7ca0328a963f5e92870675b728 $$'
-              '--b64 hash sha512 eHl6  # "xyz" in base-64\n'
+              '--b64 hash sha512 -- eHl6  # "xyz" in base-64\n'
               '4a3ed8147e37876adc8f76328e5abcc1b470e6acfc18efea0135f983604953a5'
               '8e183c1a6086e91ba3e821d926f5fdeb37761c7ca0328a963f5e92870675b728'))
   p_h512.add_argument('data', type=str, help='Input data (raw text; or use --hex/--b64/--bin)')
@@ -614,10 +629,10 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
             'can use `--bin`/`--hex`/`--b64` flags. Attention: if you provide `-a`/`--aad` '
             '(associated data, AAD), you will need to provide the same AAD when decrypting '
             'and it is NOT included in the `ciphertext`/CT returned by this method!'),
-      epilog=('--b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= '          # cspell:disable-line
+      epilog=('--b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -- '       # cspell:disable-line
               'AAAAAAB4eXo=\nF2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA== $$ '            # cspell:disable-line
               '--b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -a eHl6 '  # cspell:disable-line
-              'AAAAAAB4eXo=\nxOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA=='))              # cspell:disable-line
+              '-- AAAAAAB4eXo=\nxOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA=='))           # cspell:disable-line
   p_aes_enc.add_argument('plaintext', type=str, help='Input data to encrypt (PT)')
   p_aes_enc.add_argument(
       '-k', '--key', type=str, default='', help='Key if `-p`/`--key-path` wasn\'t used (32 bytes)')
@@ -632,10 +647,10 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
             '`-p`/`--key-path` keyfile. All inputs are raw, or you '
             'can use `--bin`/`--hex`/`--b64` flags. Attention: if you provided `-a`/`--aad` '
             '(associated data, AAD) during encryption, you will need to provide the same AAD now!'),
-      epilog=('--b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= '      # cspell:disable-line
-              'F2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA==\nAAAAAAB4eXo= $$ '        # cspell:disable-line
-              '--b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= '      # cspell:disable-line
-              '-a eHl6 xOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA==\nAAAAAAB4eXo='))  # cspell:disable-line
+      epilog=('--b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -- '      # cspell:disable-line
+              'F2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA==\nAAAAAAB4eXo= $$ '           # cspell:disable-line
+              '--b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= '         # cspell:disable-line
+              '-a eHl6 -- xOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA==\nAAAAAAB4eXo='))  # cspell:disable-line
   p_aes_dec.add_argument('ciphertext', type=str, help='Input data to decrypt (CT)')
   p_aes_dec.add_argument(
       '-k', '--key', type=str, default='', help='Key if `-p`/`--key-path` wasn\'t used (32 bytes)')
@@ -724,8 +739,8 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_rsa_dec_safe: argparse.ArgumentParser = rsa_sub.add_parser(
       'decrypt',
       help='Decrypt `ciphertext` with private key.',
-      epilog=('--b64 --out-bin -p rsa-key.priv rsa decrypt "AO6knI6xwq6TGR…Qy22jiFhXi1eQ==" '
-              '-a "eHl6"\nabcde'))
+      epilog=('--b64 --out-bin -p rsa-key.priv rsa decrypt -a eHl6 -- '
+              'AO6knI6xwq6TGR…Qy22jiFhXi1eQ== \nabcde'))
   p_rsa_dec_safe.add_argument('ciphertext', type=str, help='Ciphertext to decrypt')
   p_rsa_dec_safe.add_argument(
       '-a', '--aad', type=str, default='',
@@ -763,10 +778,10 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_rsa_ver_safe: argparse.ArgumentParser = rsa_sub.add_parser(
       'verify',
       help='Verify `signature` for `message` with public key.',
-      epilog=('--b64 -p rsa-key.pub rsa verify "eHl6" '
-              '"91TS7gC6LORiL…6RD23Aejsfxlw=="\nRSA signature: OK $$ '     # cspell:disable-line
-              '--b64 -p rsa-key.pub rsa verify "eLl6" '
-              '"91TS7gC6LORiL…6RD23Aejsfxlw=="\nRSA signature: INVALID'))  # cspell:disable-line
+      epilog=('--b64 -p rsa-key.pub rsa verify -- eHl6 '
+              '91TS7gC6LORiL…6RD23Aejsfxlw==\nRSA signature: OK $$ '     # cspell:disable-line
+              '--b64 -p rsa-key.pub rsa verify -- eLl6 '
+              '91TS7gC6LORiL…6RD23Aejsfxlw==\nRSA signature: INVALID'))  # cspell:disable-line
   p_rsa_ver_safe.add_argument('message', type=str, help='Message that was signed earlier')
   p_rsa_ver_safe.add_argument('signature', type=str, help='Putative signature for `message`')
   p_rsa_ver_safe.add_argument(
@@ -814,7 +829,7 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_eg_enc_safe: argparse.ArgumentParser = eg_sub.add_parser(
       'encrypt',
       help='Encrypt `message` with public key.',
-      epilog=(' --bin --out-b64 -p eg-key.pub elgamal encrypt "abcde" -a "xyz"\n'
+      epilog=('--bin --out-b64 -p eg-key.pub elgamal encrypt "abcde" -a "xyz"\n'
               'CdFvoQ_IIPFPZLua…kqjhcUTspISxURg=='))  # cspell:disable-line
   p_eg_enc_safe.add_argument('plaintext', type=str, help='Message to encrypt')
   p_eg_enc_safe.add_argument(
@@ -834,8 +849,8 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_eg_dec_safe: argparse.ArgumentParser = eg_sub.add_parser(
       'decrypt',
       help='Decrypt `ciphertext` with private key.',
-      epilog=('--b64 --out-bin -p eg-key.priv elgamal decrypt '
-              '"CdFvoQ_IIPFPZLua…kqjhcUTspISxURg==" -a "eHl6"\nabcde'))  # cspell:disable-line
+      epilog=('--b64 --out-bin -p eg-key.priv elgamal decrypt -a eHl6 -- '
+              'CdFvoQ_IIPFPZLua…kqjhcUTspISxURg==\nabcde'))  # cspell:disable-line
   p_eg_dec_safe.add_argument('ciphertext', type=str, help='Ciphertext to decrypt')
   p_eg_dec_safe.add_argument(
       '-a', '--aad', type=str, default='',
@@ -877,9 +892,9 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_eg_ver_safe: argparse.ArgumentParser = eg_sub.add_parser(
       'verify',
       help='Verify `signature` for `message` with public key.',
-      epilog=('--b64 -p eg-key.pub elgamal verify "eHl6" "Xl4hlYK8SHVGw…0fCKJE1XVzA=="\n'  # cspell:disable-line
+      epilog=('--b64 -p eg-key.pub elgamal verify -- eHl6 Xl4hlYK8SHVGw…0fCKJE1XVzA==\n'  # cspell:disable-line
               'El-Gamal signature: OK $$ '
-              '--b64 -p eg-key.pub elgamal verify "eLl6" "Xl4hlYK8SHVGw…0fCKJE1XVzA=="\n'  # cspell:disable-line
+              '--b64 -p eg-key.pub elgamal verify -- eLl6 Xl4hlYK8SHVGw…0fCKJE1XVzA==\n'  # cspell:disable-line
               'El-Gamal signature: INVALID'))
   p_eg_ver_safe.add_argument('message', type=str, help='Message that was signed earlier')
   p_eg_ver_safe.add_argument('signature', type=str, help='Putative signature for `message`')
@@ -956,9 +971,9 @@ def _BuildParser() -> argparse.ArgumentParser:  # pylint: disable=too-many-state
   p_dsa_verify_safe: argparse.ArgumentParser = dsa_sub.add_parser(
       'verify',
       help='Verify `signature` for `message` with public key.',
-      epilog=('--b64 -p dsa-key.pub dsa verify "eHl6" "yq8InJVpViXh9…BD4par2XuA="\n'
+      epilog=('--b64 -p dsa-key.pub dsa verify -- eHl6 yq8InJVpViXh9…BD4par2XuA=\n'
               'DSA signature: OK $$ '
-              '--b64 -p dsa-key.pub dsa verify "eLl6" "yq8InJVpViXh9…BD4par2XuA="\n'
+              '--b64 -p dsa-key.pub dsa verify -- eLl6 yq8InJVpViXh9…BD4par2XuA=\n'
               'DSA signature: INVALID'))
   p_dsa_verify_safe.add_argument('message', type=str, help='Message that was signed earlier')
   p_dsa_verify_safe.add_argument('signature', type=str, help='Putative signature for `message`')
@@ -1544,7 +1559,7 @@ def main(argv: list[str] | None = None, /) -> int:  # pylint: disable=invalid-na
           case 'bytes':
             print(base.BytesToHex(base.RandBytes(args.n)))
           case 'prime':
-            print(modmath.NBitRandomPrime(args.bits))
+            print(modmath.NBitRandomPrimes(args.bits).pop())
           case _:
             raise NotImplementedError()
       case 'hash':

{transcrypto-1.2.0.dist-info → transcrypto-1.3.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: transcrypto
-Version: 1.2.0
+Version: 1.3.0
 Summary: Basic crypto primitives, not intended for actual use, but as a companion to --Criptografia, Métodos e Algoritmos--
 Author-email: Daniel Balparda <balparda@github.com>
 License-Expression: Apache-2.0
@@ -62,28 +62,40 @@ Started in July/2025, by Daniel Balparda. Since version 1.0.2 it is PyPI package
     - [`rsa`](#rsa)
       - [`rsa new`](#rsa-new)
       - [`rsa rawencrypt`](#rsa-rawencrypt)
+      - [`rsa encrypt`](#rsa-encrypt)
       - [`rsa rawdecrypt`](#rsa-rawdecrypt)
+      - [`rsa decrypt`](#rsa-decrypt)
       - [`rsa rawsign`](#rsa-rawsign)
+      - [`rsa sign`](#rsa-sign)
       - [`rsa rawverify`](#rsa-rawverify)
+      - [`rsa verify`](#rsa-verify)
     - [`elgamal`](#elgamal)
       - [`elgamal shared`](#elgamal-shared)
       - [`elgamal new`](#elgamal-new)
       - [`elgamal rawencrypt`](#elgamal-rawencrypt)
+      - [`elgamal encrypt`](#elgamal-encrypt)
       - [`elgamal rawdecrypt`](#elgamal-rawdecrypt)
+      - [`elgamal decrypt`](#elgamal-decrypt)
       - [`elgamal rawsign`](#elgamal-rawsign)
+      - [`elgamal sign`](#elgamal-sign)
       - [`elgamal rawverify`](#elgamal-rawverify)
+      - [`elgamal verify`](#elgamal-verify)
     - [`dsa`](#dsa)
       - [`dsa shared`](#dsa-shared)
       - [`dsa new`](#dsa-new)
       - [`dsa rawsign`](#dsa-rawsign)
+      - [`dsa sign`](#dsa-sign)
       - [`dsa rawverify`](#dsa-rawverify)
+      - [`dsa verify`](#dsa-verify)
     - [`bid`](#bid)
       - [`bid new`](#bid-new)
       - [`bid verify`](#bid-verify)
     - [`sss`](#sss)
       - [`sss new`](#sss-new)
       - [`sss rawshares`](#sss-rawshares)
+      - [`sss shares`](#sss-shares)
       - [`sss rawrecover`](#sss-rawrecover)
+      - [`sss recover`](#sss-recover)
       - [`sss rawverify`](#sss-rawverify)
     - [`doc`](#doc)
       - [`doc md`](#doc-md)
@@ -185,7 +197,7 @@ poetry run transcrypto <command> [sub-command] [options...]
 |---|---|
 | `-v, --verbose` | Increase verbosity (use -v/-vv/-vvv/-vvvv for ERROR/WARN/INFO/DEBUG) |
 | `--hex` | Treat inputs as hex string (default) |
-| `--b64` | Treat inputs as base64url |
+| `--b64` | Treat inputs as base64url; sometimes base64 will start with "-" and that can conflict with flags, so use "--" before positional args if needed |
 | `--bin` | Treat inputs as binary (bytes) |
 | `--out-hex` | Outputs as hex (default) |
 | `--out-b64` | Outputs as base64url |
@@ -237,13 +249,13 @@ Examples:
 
   # --- Hashing ---
   poetry run transcrypto hash sha256 xyz
-  poetry run transcrypto --b64 hash sha512 eHl6
+  poetry run transcrypto --b64 hash sha512 -- eHl6
   poetry run transcrypto hash file /etc/passwd --digest sha512
 
   # --- AES ---
   poetry run transcrypto --out-b64 aes key "correct horse battery staple"
-  poetry run transcrypto --b64 --out-b64 aes encrypt -k "<b64key>" "secret"
-  poetry run transcrypto --b64 --out-b64 aes decrypt -k "<b64key>" "<ciphertext>"
+  poetry run transcrypto --b64 --out-b64 aes encrypt -k "<b64key>" -- "secret"
+  poetry run transcrypto --b64 --out-b64 aes decrypt -k "<b64key>" -- "<ciphertext>"
   poetry run transcrypto aes ecb -k "<b64key>" encrypt "<128bithexblock>"
   poetry run transcrypto aes ecb -k "<b64key>" decrypt "<128bithexblock>"
 
@@ -254,6 +266,11 @@ Examples:
   poetry run transcrypto -p rsa-key.priv rsa rawsign <message>
   poetry run transcrypto -p rsa-key.pub rsa rawverify <message> <signature>
 
+  poetry run transcrypto --bin --out-b64 -p rsa-key.pub rsa encrypt -a <aad> <plaintext>
+  poetry run transcrypto --b64 --out-bin -p rsa-key.priv rsa decrypt -a <aad> -- <ciphertext>
+  poetry run transcrypto --bin --out-b64 -p rsa-key.priv rsa sign <message>
+  poetry run transcrypto --b64 -p rsa-key.pub rsa verify -- <message> <signature>
+
   # --- ElGamal ---
   poetry run transcrypto -p eg-key elgamal shared --bits 2048
   poetry run transcrypto -p eg-key elgamal new
@@ -262,21 +279,31 @@ Examples:
   poetry run transcrypto -p eg-key.priv elgamal rawsign <message>
   poetry run transcrypto-p eg-key.pub elgamal rawverify <message> <s1:s2>
 
+  poetry run transcrypto --bin --out-b64 -p eg-key.pub elgamal encrypt <plaintext>
+  poetry run transcrypto --b64 --out-bin -p eg-key.priv elgamal decrypt -- <ciphertext>
+  poetry run transcrypto --bin --out-b64 -p eg-key.priv elgamal sign <message>
+  poetry run transcrypto --b64 -p eg-key.pub elgamal verify -- <message> <signature>
+
   # --- DSA ---
   poetry run transcrypto -p dsa-key dsa shared --p-bits 2048 --q-bits 256
   poetry run transcrypto -p dsa-key dsa new
   poetry run transcrypto -p dsa-key.priv dsa rawsign <message>
   poetry run transcrypto -p dsa-key.pub dsa rawverify <message> <s1:s2>
 
+  poetry run transcrypto --bin --out-b64 -p dsa-key.priv dsa sign <message>
+  poetry run transcrypto --b64 -p dsa-key.pub dsa verify -- <message> <signature>
+
   # --- Public Bid ---
   poetry run transcrypto --bin bid new "tomorrow it will rain"
   poetry run transcrypto --out-bin bid verify
 
   # --- Shamir Secret Sharing (SSS) ---
   poetry run transcrypto -p sss-key sss new 3 --bits 1024
-  poetry run transcrypto -p sss-key sss rawshares <secret> 5
+  poetry run transcrypto -p sss-key sss rawshares <secret> <n>
   poetry run transcrypto -p sss-key sss rawrecover
-  poetry run transcrypto -p sss-key sss rawverify <secret>
+  poetry run transcrypto -p sss-key sss rawverify <secret>  poetry run transcrypto --bin -p sss-key sss shares <secret> <n>
+  poetry run transcrypto --out-bin -p sss-key sss recover
+
 ```
 
 ---
@@ -671,7 +698,7 @@ poetry run transcrypto hash sha256 [-h] data
 ```bash
 $ poetry run transcrypto --bin hash sha256 xyz
 3608bca1e44ea6c4d268eb6db02260269892c0b42b86bbf1e77a6fa16c3c9282
-$ poetry run transcrypto --b64 hash sha256 eHl6  # "xyz" in base-64
+$ poetry run transcrypto --b64 hash sha256 -- eHl6  # "xyz" in base-64
 3608bca1e44ea6c4d268eb6db02260269892c0b42b86bbf1e77a6fa16c3c9282
 ```
 
@@ -692,7 +719,7 @@ poetry run transcrypto hash sha512 [-h] data
 ```bash
 $ poetry run transcrypto --bin hash sha512 xyz
 4a3ed8147e37876adc8f76328e5abcc1b470e6acfc18efea0135f983604953a58e183c1a6086e91ba3e821d926f5fdeb37761c7ca0328a963f5e92870675b728
-$ poetry run transcrypto --b64 hash sha512 eHl6  # "xyz" in base-64
+$ poetry run transcrypto --b64 hash sha512 -- eHl6  # "xyz" in base-64
 4a3ed8147e37876adc8f76328e5abcc1b470e6acfc18efea0135f983604953a58e183c1a6086e91ba3e821d926f5fdeb37761c7ca0328a963f5e92870675b728
 ```
 
@@ -764,9 +791,9 @@ poetry run transcrypto aes encrypt [-h] [-k KEY] [-a AAD] plaintext
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= AAAAAAB4eXo=
+$ poetry run transcrypto --b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -- AAAAAAB4eXo=
 F2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA==
-$ poetry run transcrypto --b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -a eHl6 AAAAAAB4eXo=
+$ poetry run transcrypto --b64 --out-b64 aes encrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -a eHl6 -- AAAAAAB4eXo=
 xOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA==
 ```
 
@@ -787,9 +814,9 @@ poetry run transcrypto aes decrypt [-h] [-k KEY] [-a AAD] ciphertext
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= F2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA==
+$ poetry run transcrypto --b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -- F2_ZLrUw5Y8oDnbTP5t5xCUWX8WtVILLD0teyUi_37_4KHeV-YowVA==
 AAAAAAB4eXo=
-$ poetry run transcrypto --b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -a eHl6 xOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA==
+$ poetry run transcrypto --b64 --out-b64 aes decrypt -k DbWJ_ZrknLEEIoq_NpoCQwHYfjskGokpueN2O_eY0es= -a eHl6 -- xOlAHPUPpeyZHId-f3VQ_QKKMxjIW0_FBo9WOfIBrzjn0VkVV6xTRA==
 AAAAAAB4eXo=
 ```
 
@@ -947,7 +974,7 @@ poetry run transcrypto rsa decrypt [-h] [-a AAD] ciphertext
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 --out-bin -p rsa-key.priv rsa decrypt "AO6knI6xwq6TGR…Qy22jiFhXi1eQ==" -a "eHl6"
+$ poetry run transcrypto --b64 --out-bin -p rsa-key.priv rsa decrypt -a eHl6 -- AO6knI6xwq6TGR…Qy22jiFhXi1eQ==
 abcde
 ```
 
@@ -1029,9 +1056,9 @@ poetry run transcrypto rsa verify [-h] [-a AAD] message signature
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 -p rsa-key.pub rsa verify "eHl6" "91TS7gC6LORiL…6RD23Aejsfxlw=="
+$ poetry run transcrypto --b64 -p rsa-key.pub rsa verify -- eHl6 91TS7gC6LORiL…6RD23Aejsfxlw==
 RSA signature: OK
-$ poetry run transcrypto --b64 -p rsa-key.pub rsa verify "eLl6" "91TS7gC6LORiL…6RD23Aejsfxlw=="
+$ poetry run transcrypto --b64 -p rsa-key.pub rsa verify -- eLl6 91TS7gC6LORiL…6RD23Aejsfxlw==
 RSA signature: INVALID
 ```
 
@@ -1154,7 +1181,7 @@ poetry run transcrypto elgamal decrypt [-h] [-a AAD] ciphertext
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 --out-bin -p eg-key.priv elgamal decrypt "CdFvoQ_IIPFPZLua…kqjhcUTspISxURg==" -a "eHl6"
+$ poetry run transcrypto --b64 --out-bin -p eg-key.priv elgamal decrypt -a eHl6 -- CdFvoQ_IIPFPZLua…kqjhcUTspISxURg==
 abcde
 ```
 
@@ -1236,9 +1263,9 @@ poetry run transcrypto elgamal verify [-h] [-a AAD] message signature
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 -p eg-key.pub elgamal verify "eHl6" "Xl4hlYK8SHVGw…0fCKJE1XVzA=="
+$ poetry run transcrypto --b64 -p eg-key.pub elgamal verify -- eHl6 Xl4hlYK8SHVGw…0fCKJE1XVzA==
 El-Gamal signature: OK
-$ poetry run transcrypto --b64 -p eg-key.pub elgamal verify "eLl6" "Xl4hlYK8SHVGw…0fCKJE1XVzA=="
+$ poetry run transcrypto --b64 -p eg-key.pub elgamal verify -- eLl6 Xl4hlYK8SHVGw…0fCKJE1XVzA==
 El-Gamal signature: INVALID
 ```
 
@@ -1367,9 +1394,9 @@ poetry run transcrypto dsa verify [-h] [-a AAD] message signature
 **Example:**
 
 ```bash
-$ poetry run transcrypto --b64 -p dsa-key.pub dsa verify "eHl6" "yq8InJVpViXh9…BD4par2XuA="
+$ poetry run transcrypto --b64 -p dsa-key.pub dsa verify -- eHl6 yq8InJVpViXh9…BD4par2XuA=
 DSA signature: OK
-$ poetry run transcrypto --b64 -p dsa-key.pub dsa verify "eLl6" "yq8InJVpViXh9…BD4par2XuA="
+$ poetry run transcrypto --b64 -p dsa-key.pub dsa verify -- eLl6 yq8InJVpViXh9…BD4par2XuA=
 DSA signature: INVALID
 ```
 
@@ -1947,7 +1974,7 @@ for p in modmath.PrimeGenerator(1_000_000):
     break
 
 # Secure random 384-bit prime (for RSA/ECC experiments)
-p384 = modmath.NBitRandomPrime(384)
+p384 = modmath.NBitRandomPrimes(384).pop()
 
 for k, m_p, perfect in modmath.MersennePrimesGenerator(0):
   print(f'p = {k:>8}  M = {m_p}  perfect = {perfect}')
@@ -2437,7 +2464,7 @@ To activate like a regular environment do:
 ```sh
 poetry env activate
 # will print activation command which you next execute, or you can do:
-source .env/bin/activate                         # if .env is local to the project
+source .venv/bin/activate                        # if .venv is local to the project
 source "$(poetry env info --path)/bin/activate"  # for other paths
 
 pytest  # or other commands
@@ -2505,11 +2532,31 @@ poetry run transcrypto doc md > CLI.md
 You can find the 10 top slowest tests by running:
 
 ```sh
-poetry run pytest -vvv -q --durations=10
+poetry run pytest -vvv -q --durations=30
+
+poetry run pytest -vvv -q --durations=30 -m "not slow"      # find slow > 0.1s
+poetry run pytest -vvv -q --durations=30 -m "not veryslow"  # find veryslow > 1s
+
+poetry run pytest -vvv -q --durations=30 -m slow      # check
+poetry run pytest -vvv -q --durations=30 -m veryslow  # check
 ```
 
-You can search for flaky tests by running all tests 100 times:
+You can search for flaky tests by running all tests 100 times, or more:
 
 ```sh
 poetry run pytest --flake-finder --flake-runs=100
+poetry run pytest --flake-finder --flake-runs=500 -m "not veryslow"
+poetry run pytest --flake-finder --flake-runs=10000 -m "not slow"
 ```
+
+You can instrument your code to find bottlenecks:
+
+```sh
+$ source .venv/bin/activate
+$ which transcrypto
+/path/to/.venv/bin/transcrypto  # place this in the command below:
+$ pyinstrument -r html -o dsa_shared.html -- /path/to/.venv/bin/transcrypto -p rsa-key rsa new
+$ deactivate
+```
+
+Hint: 85%+ is inside `MillerRabinIsPrime()`/`ModExp()`...

transcrypto-1.3.0.dist-info/RECORD

@@ -0,0 +1,15 @@
+transcrypto/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+transcrypto/aes.py,sha256=bCMz4-mXuDJl931kMztOCRdhagmRjguCovY5KFafX0c,11446
+transcrypto/base.py,sha256=5TZr85BPdgApxNsa1KVc7ZVfnLnBujNdJyoWfkhyJdY,37582
+transcrypto/dsa.py,sha256=wxpaOinxyeQfEsuc05WI8Go243NPQjz9-1Gv6VxRwRM,19706
+transcrypto/elgamal.py,sha256=uR0bJ7A13UrAZynW6QRWJZhe86ZvoozaO5U9rDpam_I,21350
+transcrypto/modmath.py,sha256=EEVQyRyWUl0pFXLhuUlYgLFD2Hl7b8dwPC5c_WMamrg,56400
+transcrypto/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+transcrypto/rsa.py,sha256=3SYUEGOdHn_8UbezzocyQA8bkytL7d_d9rudsv4Zx9A,24926
+transcrypto/sss.py,sha256=Jl7pa1fleNQ-1kvneaeO-B2PfM0ilNKTYw4vVJ5WGwc,17100
+transcrypto/transcrypto.py,sha256=yv9gZN4rpxvGVXnkg1She05xI_h9JnQAV2nsi4cD-W0,78242
+transcrypto-1.3.0.dist-info/licenses/LICENSE,sha256=DVQuDIgE45qn836wDaWnYhSdxoLXgpRRKH4RuTjpRZQ,10174
+transcrypto-1.3.0.dist-info/METADATA,sha256=NtNwNQUWjEquUMUMbXkb_iGGLRBwmMM91tcTGOpoVVc,80426
+transcrypto-1.3.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+transcrypto-1.3.0.dist-info/top_level.txt,sha256=9IfB0nGtVzQbYok5QIYNOy3coDv2UKX2OZtlFyxFDDQ,12
+transcrypto-1.3.0.dist-info/RECORD,,

transcrypto-1.2.0.dist-info/RECORD

@@ -1,15 +0,0 @@
-transcrypto/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-transcrypto/aes.py,sha256=bCMz4-mXuDJl931kMztOCRdhagmRjguCovY5KFafX0c,11446
-transcrypto/base.py,sha256=NH3TR7RGr1yaWv2bP0ZYk3lg8utZkLVIjfI0TM-nV1A,37582
-transcrypto/dsa.py,sha256=QBWivto9qxK3ArDTltdJAJPUhKDT8YU2QLyI23Zm0Dg,17524
-transcrypto/elgamal.py,sha256=VE6i7TD6fWND2ZDYAvrrYwbp0gMZ-d7rCjeFI7-9zZs,20886
-transcrypto/modmath.py,sha256=FL9rwOOuzNzFSf7ScMVPwb98sKPzhyA2Cu6uyqLz65M,18616
-transcrypto/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-transcrypto/rsa.py,sha256=E01NtWUw03kqKy5FeFnhOQxFMUWlt998JHLSJagW1Gk,25003
-transcrypto/sss.py,sha256=-SBsHNCyAPvQPDprjILqjVP6GbArWRxi8D6pBBvk0yo,17152
-transcrypto/transcrypto.py,sha256=55mKAHmk6OexgMU38MuB_E9EM6O470icbJC3hAMXixg,76935
-transcrypto-1.2.0.dist-info/licenses/LICENSE,sha256=DVQuDIgE45qn836wDaWnYhSdxoLXgpRRKH4RuTjpRZQ,10174
-transcrypto-1.2.0.dist-info/METADATA,sha256=oRLeX2jwv2s2JIYFuf3Zvrv_fG6fCJDqoJgPXqENqEk,78084
-transcrypto-1.2.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-transcrypto-1.2.0.dist-info/top_level.txt,sha256=9IfB0nGtVzQbYok5QIYNOy3coDv2UKX2OZtlFyxFDDQ,12
-transcrypto-1.2.0.dist-info/RECORD,,