From c2bba7bcf713fabc3124633d67c59f3509e33a22 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Fri, 9 Jan 2026 21:06:46 +0100 Subject: [PATCH 01/19] update: added new method for agreeing with nonce --- .../CryptoHelpers.java | 4 +- .../SecurityCurve25519.kt | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java index df6ed86..cdea976 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java @@ -85,9 +85,7 @@ public static Mac HMAC256(byte[] data) throws GeneralSecurityException { public static byte[] generateRandomBytes(int length) { SecureRandom random = new SecureRandom(); - byte[] bytes = new - - byte[length]; + byte[] bytes = new byte[length]; random.nextBytes(bytes); return bytes; } diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt index 9382dbb..dd62d59 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt 
@@ -7,6 +7,43 @@ class SecurityCurve25519(val privateKey: ByteArray = Curve25519.generateRandomKe return Curve25519.publicKey(this.privateKey) } + fun agreeWithAuthAndNonce( + authenticationPublicKey: ByteArray, + publicKey: ByteArray, + salt: ByteArray, + nonce1: ByteArray, + nonce2: ByteArray, + info: ByteArray, + ): ByteArray { + val handshakeSalt = nonce1 + nonce2 + val dh1 = Curve25519.sharedSecret(this.privateKey, authenticationPublicKey) + val dh2 = Curve25519.sharedSecret(this.privateKey, publicKey) + var ck = CryptoHelpers.HKDF( + "HMACSHA256", + handshakeSalt, + salt, + info, + 32, + 1 + )[0] + ck = CryptoHelpers.HKDF( + "HMACSHA256", + dh1, + ck, + info, + 32, + 1 + )[0] + return CryptoHelpers.HKDF( + "HMACSHA256", + dh2, + ck, + info, + 32, + 1 + )[0] + } + fun calculateSharedSecret(publicKey: ByteArray): ByteArray { val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) return CryptoHelpers.HKDF("HMACSHA256", sharedKey, null, From 433c1fde62f7ab3654106dc3c1ef6d6367b012b1 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Sun, 11 Jan 2026 18:48:12 +0100 Subject: [PATCH 02/19] update: removed python files --- .../CryptoHelpers.java | 4 +- .../SecurityCurve25519.kt | 37 ------------------- 2 files changed, 3 insertions(+), 38 deletions(-) diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java index cdea976..df6ed86 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java @@ -85,7 +85,9 @@ public static Mac HMAC256(byte[] data) throws GeneralSecurityException { public static byte[] generateRandomBytes(int length) { SecureRandom random = new SecureRandom(); - byte[] bytes = new byte[length]; + byte[] bytes = new + + byte[length]; random.nextBytes(bytes); return bytes; } 
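Review bot: Both `Curve25519.sharedSecret` results in `agreeWithAuthAndNonce` (`dh1`, `dh2`) are fed to HKDF unchecked, although `authenticationPublicKey` and `publicKey` come from the peer. X25519 yields an all-zero secret for small-order public keys, so unless the Curve25519 library already rejects them (not visible here), a guard such as `require(dh1.any { it != 0.toByte() }) { "invalid authentication public key" }`, and the same for `dh2`, keeps a known DH output out of the chain. `nonce1 + nonce2` is concatenated without length framing, which is only unambiguous if both nonces have a fixed size; a `require` on their lengths would pin that. The context lines after the added method belong to `calculateSharedSecret`, whose body continues outside the hunk.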
diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt index dd62d59..9382dbb 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt @@ -7,43 +7,6 @@ class SecurityCurve25519(val privateKey: ByteArray = Curve25519.generateRandomKe return Curve25519.publicKey(this.privateKey) } - fun agreeWithAuthAndNonce( - authenticationPublicKey: ByteArray, - publicKey: ByteArray, - salt: ByteArray, - nonce1: ByteArray, - nonce2: ByteArray, - info: ByteArray, - ): ByteArray { - val handshakeSalt = nonce1 + nonce2 - val dh1 = Curve25519.sharedSecret(this.privateKey, authenticationPublicKey) - val dh2 = Curve25519.sharedSecret(this.privateKey, publicKey) - var ck = CryptoHelpers.HKDF( - "HMACSHA256", - handshakeSalt, - salt, - info, - 32, - 1 - )[0] - ck = CryptoHelpers.HKDF( - "HMACSHA256", - dh1, - ck, - info, - 32, - 1 - )[0] - return CryptoHelpers.HKDF( - "HMACSHA256", - dh2, - ck, - info, - 32, - 1 - )[0] - } - fun calculateSharedSecret(publicKey: ByteArray): ByteArray { val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) return CryptoHelpers.HKDF("HMACSHA256", sharedKey, null, From 1d4745f02cff089ee1ec87b4a95f849c692e5ce9 Mon Sep 17 00:00:00 2001 
From: sherlockwisdom Date: Mon, 12 Jan 2026 11:55:30 +0100 Subject: [PATCH 03/19] update: brought back the files --- src/androidTest/java/com/afkanerd/.DS_Store | Bin 0 -> 8196 bytes .../com/afkanerd/smswithoutborders/.DS_Store | Bin 0 -> 6148 bytes .../SecurityRSATest.java | 14 +- .../SecurityX25519Test.kt | 40 +++- .../libsignal/RatchetsTest.kt | 105 ++++++++- .../libsignal/StateTest.kt | 10 +- src/main/java/com/afkanerd/.DS_Store | Bin 0 -> 8196 bytes .../com/afkanerd/smswithoutborders/.DS_Store | Bin 0 -> 6148 bytes .../libsignal_doubleratchet/.DS_Store | Bin 0 -> 8196 bytes .../CryptoHelpers.java | 8 +- .../EncryptionController.kt | 8 +- .../SecurityCurve25519.kt | 105 ++++++++- .../extensions/context.kt | 9 +- .../libsignal/Protocols.java | 79 ++++++- .../libsignal/RatchetsHE.kt | 213 ++++++++++++++++++ .../libsignal/States.java | 165 -------------- .../libsignal/States.kt | 61 +++++ 17 files changed, 613 insertions(+), 204 deletions(-) create mode 100644 src/androidTest/java/com/afkanerd/.DS_Store create mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/.DS_Store create mode 100644 src/main/java/com/afkanerd/.DS_Store create mode 100644 src/main/java/com/afkanerd/smswithoutborders/.DS_Store create mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/.DS_Store create mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.java create mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt 
diff --git a/src/androidTest/java/com/afkanerd/.DS_Store b/src/androidTest/java/com/afkanerd/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..e4cabc01e52098fdca113b7b1e2b256e9e9e627e GIT binary patch literal 8196 zcmeHMU2GIp6u#fI&{;arDYQ~*2R2=ZfNfb?pye;w{we=Owx!!rSax?tIxss^c4l|M zQq!3DBB1d}<6rd2A0iJbYIxB^QS?#K1Y?ZBX#9E5L|;@MJTrF|Y=MLa0~+Th_nv$1 zx#!+{&YbVwo-JbxU3qmSV|9!%k*Z7ON@}iCT)A7XDS|&zP86iin9dwF$}E;A8kE2T zfd>K)1Re-H5P0C<=mC1O-6G!L-RIJv4LlHd;D6}>_kIXdb!p6}lbm{22Q^*_K-5hE zyh44-13aCuPh&ov`Ulo3e0j^H+usfY-%%_u_a&-o-&fxD1KSP1HJL!eJ z=?pPWgEsI$;DKvB;KHYx*(^)7I3<5iQy!mVD$}U7(?xqMZCGiVeKtL2=(ZD$eh#6m ze8$WQu|ljA_r^!9V%$kNdAlo>+v9TmmSv<%{Zx9lt`(DVO}Aw_Dc#g^o`SAwG-YH^ zH&v_HW#vuP_H^T1Acn+HQm!8#Z(iBDrYXF#ZB2BdDLlTmHQE$j)wX70A|%#ER;=HZ zJY-}|>jXCs{uRMyPc!%A&Dm<$g>G(ZS-fQH7bROmvnr+8%3xw>SQ<&na|>it-4T{1iTvaGdP2|)1;k@n~l_R3)?GaWQr4f}5x7||RT~tv%L+jA)OO!@s zk1OfUY1FE|!ZPJoNVfS%o3vUPFj8sF2+1nnr$bt&3>LWm zL-JNWxKXNA5*aI-B@^usAL~@Qm3{8E+fugEH>R2Hk zdY_cWU8P=CcPvjx-q_KoC`0aYovP~DP+zy8N{K52qWp1H-_(V8LotwCD2!#HHBb>fI2pjI*w0VoP?LPy;i*r2K)zscG zKfGl5id7vOJFkQ%kLOYd{~Z_}8m3^#LxUGB(<1qThfitYq7oplLX<;xfMBE@5nVLP z75?nVVv%4Z&+yr$%ZS}7&*W@FbBjojl?9KL8d}>z1WdWiXPeuJ1!tu78$tw8x!h+L z#)xGe)6me#eXXPFS1MQd-e;vOz}Sl^H7Jo5T&T^!Y1tS;y#W6>_Za!k%o#a zOjtNf2snlbJcvm=MDc%u5bzit$5VJ3&kzb;#7lS?r|>Fa;4Qq3vv?2h;~YNp(eNc< z;Ya*5Exxx;jc@#RbMak>=S;&g576uqQl>6+3%D}AN1dDh_ulyT|66d9V2i*5fd_7v z2TQ(c{yPbWF05h}O* Whk)DlM|kl52k-yYg!;C>|9=7YAf>7R literal 0 HcmV?d00001 diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/.DS_Store b/src/androidTest/java/com/afkanerd/smswithoutborders/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..68565d064e7e8f286bb29c4a9f83e012e5578add GIT binary patch literal 6148 zcmeHKyKVw85S&dYkkZgW>0ihnSO~r#9}ohE5~Nd33eaDd-_Gmm`Uq1H>BGJ2FBOrxKki(PD_x884An1A9lOL!$YRxLKk@ z5xbq|7fXj!#~f3ERA8vUqc3M#|JU>@{r`}Zt5hHrxGM!@vU*u9`J||=qsM8jE%Xij qV$8L44pxeZR*JdMQoQ(;S9H$(8rVA;opGZR^G85+NlOL(LxCSaks2KU literal 0 HcmV?d00001 
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java index ec9ebd2..98487f6 100644 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java +++ b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java @@ -43,12 +43,12 @@ public void testCanStoreAndEncrypt() throws NoSuchAlgorithmException, NoSuchProv // .build()); // // KeyPair keyPair = kpg.generateKeyPair(); - PublicKey publicKey = SecurityRSA.generateKeyPair(keystoreAlias, 2048); - KeyPair keyPair = KeystoreHelpers.getKeyPairFromKeystore(keystoreAlias); - - SecretKey secretKey = SecurityAES.generateSecretKey(256); - byte[] cipherText = SecurityRSA.encrypt(keyPair.getPublic(), secretKey.getEncoded()); - byte[] plainText = SecurityRSA.decrypt(keyPair.getPrivate(), cipherText); - assertArrayEquals(secretKey.getEncoded(), plainText); +// PublicKey publicKey = SecurityRSA.generateKeyPair(keystoreAlias, 2048); +// KeyPair keyPair = KeystoreHelpers.getKeyPairFromKeystore(keystoreAlias); +// +// SecretKey secretKey = SecurityAES.generateSecretKey(256); +// byte[] cipherText = SecurityRSA.encrypt(keyPair.getPublic(), secretKey.getEncoded()); +// byte[] plainText = SecurityRSA.decrypt(keyPair.getPrivate(), cipherText); +// assertArrayEquals(secretKey.getEncoded(), plainText); } } diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt index 52a1f89..b8fa7c2 100644 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt +++ b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt 
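Review bot: With its remaining statements commented out, `testCanStoreAndEncrypt` now passes without exercising anything, so the RSA keystore encrypt/decrypt round trip is reported green with no coverage. If the test cannot run at present, annotate it with `@Ignore("reason")` so it shows up as skipped, or delete it; otherwise restore the path that ends in `assertArrayEquals(secretKey.getEncoded(), plainText)`. The method starts above the hunk, so its earlier lines are not visible here.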
@@ -1,12 +1,50 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet +import android.security.keystore.KeyGenParameterSpec +import android.security.keystore.KeyProperties import androidx.test.filters.SmallTest -import junit.framework.TestCase.assertEquals import org.junit.Assert.assertArrayEquals import org.junit.Test +import java.security.KeyPairGenerator +import java.security.KeyStore +import java.security.Signature @SmallTest class SecurityX25519Test { + @Test + fun keystoreEd25519() { + val keystoreAlias = "keystoreAlias" + val kpg: KeyPairGenerator = KeyPairGenerator.getInstance( + KeyProperties.KEY_ALGORITHM_EC, + "AndroidKeyStore" + ) + val parameterSpec: KeyGenParameterSpec = KeyGenParameterSpec.Builder( + keystoreAlias, + KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY + ).run { + setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) + build() + } + + kpg.initialize(parameterSpec) + val kp = kpg.generateKeyPair() + + val ks: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { + load(null) + } + val entry: KeyStore.Entry = ks.getEntry(keystoreAlias, null) + if (entry !is KeyStore.PrivateKeyEntry) { + throw Exception("No instance of keystore") + } + + val data = "Hello world".encodeToByteArray() + val signature: ByteArray = Signature.getInstance("SHA256withECDSA").run { + initSign(entry.privateKey) + update(data) + sign() + } + + } @Test fun sharedSecret() { diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index 63a8fc3..63c31af 100644 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt 
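Review bot: `keystoreEd25519` does not exercise Ed25519: it generates a `KeyProperties.KEY_ALGORITHM_EC` key, signs with `SHA256withECDSA`, and ends after `sign()` with no verification or assertion, so it can only fail by throwing. Rename it to what it covers (for example `keystoreEcdsaSign`) and check the result, e.g. `Signature.getInstance("SHA256withECDSA").run { initVerify(kp.public); update(data); assertTrue(verify(signature)) }`. The fixed alias `keystoreAlias` is left in AndroidKeyStore afterwards; calling `ks.deleteEntry(keystoreAlias)` at the end keeps runs independent of each other.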
@@ -5,6 +5,7 @@ import androidx.core.util.component1 import androidx.core.util.component2 import androidx.test.filters.SmallTest import androidx.test.platform.app.InstrumentationRegistry +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityCurve25519 import org.junit.Assert.assertArrayEquals import org.junit.Test 
@@ -14,6 +15,108 @@ import java.security.SecureRandom class RatchetsTest { var context: Context = InstrumentationRegistry.getInstrumentation().targetContext + @Test + fun completeRatchetHETest() { + val aliceEphemeralKeyPair = SecurityCurve25519() + val aliceEphemeralHeaderKeyPair = SecurityCurve25519() + val aliceEphemeralNextHeaderKeyPair = SecurityCurve25519() + + val bobStaticKeyPair = SecurityCurve25519() + val bobEphemeralKeyPair = SecurityCurve25519() + val bobEphemeralHeaderKeyPair = SecurityCurve25519() + val bobEphemeralNextHeaderKeyPair = SecurityCurve25519() + + val aliceNonce = CryptoHelpers.generateRandomBytes(16) + val bobNonce = CryptoHelpers.generateRandomBytes(16) + + val (aliceSk, aliceSkH, aliceSkNh) = SecurityCurve25519(aliceEphemeralKeyPair.privateKey) + .agreeWithAuthAndNonce( + authenticationPublicKey = bobStaticKeyPair.generateKey(), + authenticationPrivateKey = null, + headerPrivateKey = aliceEphemeralHeaderKeyPair.privateKey, + nextHeaderPrivateKey = aliceEphemeralNextHeaderKeyPair.privateKey, + publicKey = bobEphemeralKeyPair.generateKey(), + headerPublicKey = bobEphemeralHeaderKeyPair.generateKey(), + nextHeaderPublicKey = bobEphemeralNextHeaderKeyPair.generateKey(), + salt = "RelaySMS v1".encodeToByteArray(), + nonce1 = aliceNonce, + nonce2 = bobNonce, + info = "RelaySMS C2S DR v1".encodeToByteArray() + ) + + val (bobSk, bobSkH, bobSkNh) = SecurityCurve25519(bobEphemeralKeyPair.privateKey) + .agreeWithAuthAndNonce( + authenticationPublicKey = null, + authenticationPrivateKey = bobStaticKeyPair.privateKey, + headerPrivateKey = bobEphemeralHeaderKeyPair.privateKey, + nextHeaderPrivateKey = bobEphemeralNextHeaderKeyPair.privateKey, + publicKey = aliceEphemeralKeyPair.generateKey(), + headerPublicKey = aliceEphemeralHeaderKeyPair.generateKey(), + nextHeaderPublicKey = aliceEphemeralNextHeaderKeyPair.generateKey(), + salt = "RelaySMS v1".encodeToByteArray(), + nonce1 = aliceNonce, + nonce2 = bobNonce, + info = "RelaySMS C2S DR 
v1".encodeToByteArray() + ) + + assertArrayEquals(aliceSk, bobSk) + assertArrayEquals(aliceSkH, bobSkH) + assertArrayEquals(aliceSkNh, bobSkNh) + + val aliceState = States() + RatchetsHE.ratchetInitAlice( + state = aliceState, + SK = aliceSk, + bobDhPublicKey = bobEphemeralKeyPair.generateKey(), + sharedHka = aliceSkH, + sharedNhkb = aliceSkNh + ) + + val bobState = States() + RatchetsHE.ratchetInitBob( + state = bobState, + SK = bobSk, + bobDhPublicKeypair = bobEphemeralKeyPair.getKeypair(), + sharedHka = bobSkH, + sharedNhkb = bobSkNh + ) + + val originalText = SecureRandom.getSeed(32); + val (encHeader, aliceCipherText) = RatchetsHE.ratchetEncrypt( + aliceState, + originalText, + bobStaticKeyPair.generateKey() + ) + + var encHeader1: ByteArray? = null + var aliceCipherText1: ByteArray? = null + for(i in 1..10) { + val (encHeader2, aliceCipherText2) = RatchetsHE.ratchetEncrypt( + aliceState, + originalText, + bobStaticKeyPair.generateKey() + ) + encHeader1 = encHeader2 + aliceCipherText1 = aliceCipherText2 + } + + val bobPlainText = RatchetsHE.ratchetDecrypt( + state = bobState, + encHeader = encHeader, + cipherText = aliceCipherText, + AD = bobStaticKeyPair.generateKey() + ) + + val bobPlainText1 = RatchetsHE.ratchetDecrypt( + state = bobState, + encHeader = encHeader1!!, + cipherText = aliceCipherText1!!, + AD = bobStaticKeyPair.generateKey() + ) + + assertArrayEquals(originalText, bobPlainText) + assertArrayEquals(originalText, bobPlainText1) + } @Test fun completeRatchetTest() { @@ -48,7 +151,7 @@ class RatchetsTest { val bobPlainText1 = Ratchets.ratchetDecrypt(bobState, header1, aliceCipherText1, bob.generateKey()) - println(bobState.serializedStates) + println(bobState.serialize()) assertArrayEquals(originalText, bobPlainText) assertArrayEquals(originalText, bobPlainText1) 
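Review bot: `completeRatchetHETest` covers only the Alice-to-Bob direction with untouched ciphertexts, so Alice's receive path, Bob's send path after the DH ratchet, and the rejection of a modified header or body are never exercised. Only the first and the last of the eleven messages are decrypted, so the nine skipped keys stored in between are never read back. Add a reply from Bob that Alice decrypts, decrypt one of the skipped messages, and assert that changing a byte in `encHeader` or `aliceCipherText` makes `RatchetsHE.ratchetDecrypt` throw. The `encHeader1!!` / `aliceCipherText1!!` pair can go if the loop collects its results into a list and the test takes `last()`.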
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt index 42e3d84..42c254e 100644 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt +++ b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt @@ -2,6 +2,7 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal import androidx.test.filters.SmallTest import junit.framework.TestCase.assertEquals +import kotlinx.serialization.json.Json import org.junit.Test import java.security.SecureRandom @@ -12,11 +13,8 @@ class StateTest { val state = States() state.DHs = android.util.Pair(SecureRandom.getSeed(32), SecureRandom.getSeed(32)) - val serializedStates = state.serializedStates - println("Encoded values: $serializedStates") - val state1 = States(serializedStates) - println(state1.serializedStates) - - assertEquals(state, state1) + val serializedStates = Json.encodeToString(state) + val deserializedStates = Json.decodeFromString(serializedStates) + assertEquals(state, deserializedStates) } } \ No newline at end of file 
diff --git a/src/main/java/com/afkanerd/.DS_Store b/src/main/java/com/afkanerd/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..fce4432f14a4875ae269202cf8c22cbcca51223b GIT binary patch literal 8196 zcmeHMU2GIp6u#fI&>1?=DYQ~*M>buEfGxD;r{yo%{we=Owx!!rSax?tIxss^c4l|M zQq!3DqM-3f<6rd2A0iJbYIxB^QS?#K1Y?ZBX#9E5L|;@MJTrF|Y=MLa0~+Th_nv$1 zx#!+{&YbVwo-JbxU3smQu{y?>NY$fCB{kP5p4_Wf6(JZYCkoPM%wR4XWj4zb4NK^O z&;y|dLJx!<2tDv`^Z>otUJH09Pk@#G6hu7SKsfxjF+^X9#vikfFfeo%AC9 zbcPtGVH7p~1HtjUcK9e3Z4aaS1`5Z!7 z`HYzrVue^K?v0Py#kiYt^G;VPx5wl9ZQD$j`l2Q--DId<8?(Y0Ai; zVQF@;%g$SxR@7MSRP3#a|>it-it$Kt4q~r zlFnDvEvUb}K~?#LD+;BliG12PoHyK~N>mj6JtAtOJfhLzw%eMwizX_kX&u^qvD&Ea z@g&_jomwqWSgPJ7_d8^RsHFJB<#LPMe~7|EQXD?AQeLeNn5ndGN{Yt!>5$i{g9Yw? zN!iK=H_EkYB4cN>WTGSSu}-yH-REt)E#quX)VMkzDxZk-i43b?5G3fca%70n(x-{W zmho=%-2-3yJ?`jetc8!$bEvX5*2A{3{RF^qc7i?0PO>-HS@r?@jD5v^V86280n9`N zW}y-_sK+8SVKv&(fwkyDA9i9F;uygw3><`mBRGn29K%C+7?0ot9>o)Q7SG{%ynt8m z8eYd~yoq;k4jFCoTyyg!w|9us~=OnuKOyxzH|j2+Pp>H_MZXag*iU#YHDwr zA6dL?#j1{totMLt$8#x!{|*cv4O1}Wqrs1sX_0*1$ESS9!V(~_K$JsvfMBE_5j`|3 z6~XN2B9UOE%m~;eONrg8%;aoC^Ky|Os|Y?TH?*yk2$)J)z&5uN3(m;vH%J6gr95Eo zh!M+trlFyymzFuFi2qdlUtky6_v{yTiQ<0_=AjOEqJ^Tq3!AXRkNY?Vun$S>M;aQk zuwdgbA>bG$@Bk+9AjSW2Lcn8q98ckCJVPjW5ij9ooW!eyfw%BB&fq<~kF)qNK*N`W zg&*A@xn>Wd+uR@KVjuZ9MaiW+1VMzT5P4#qQ0iEQOMyTBM W9|CUGAK~HqAHM%r66#z2{{IDVccrob literal 0 HcmV?d00001 diff --git a/src/main/java/com/afkanerd/smswithoutborders/.DS_Store b/src/main/java/com/afkanerd/smswithoutborders/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..68565d064e7e8f286bb29c4a9f83e012e5578add GIT binary patch literal 6148 zcmeHKyKVw85S&dYkkZgW>0ihnSO~r#9}ohE5~Nd33eaDd-_Gmm`Uq1H>BGJ2FBOrxKki(PD_x884An1A9lOL!$YRxLKk@ z5xbq|7fXj!#~f3ERA8vUqc3M#|JU>@{r`}Zt5hHrxGM!@vU*u9`J||=qsM8jE%Xij qV$8L44pxeZR*JdMQoQ(;S9H$(8rVA;opGZR^G85+NlOL(LxCSaks2KU literal 0 HcmV?d00001 
diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/.DS_Store b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d661d7f9ee81c45fc4021d238049ba5b09d10fbe GIT binary patch literal 8196 zcmeHMU2GIp6u#fIrL%OP1GLg&M>buEfGsTLr{yo%{we=Owx!!rSY~&|c3?VFc4oI= zscB4n5zzRg@h|%150M8I|6Vjv6n#`Q!5CvO8h;)%(HE5m&&-|Wr!8+{YMh(QJ@=e* z&%O7Y`Oe%uEn^IAd2KagHHqQ)Y*P zFalu&!U%*B2qO?iU?xO>?rg7#H@Ww@HtfR)gc0~(M!@?%MCtKpBA^qT`kxN!{1Sj@ zDT)0?W2ysun`l520iEE~H>EXs^?<+>L5TrwPWq@fooFJU6P$8$25!y}?2Mp7fxkQ1 zMg8dv2~NX4j6fKHsS)sM_Xsnoa?dd5`ug1&$(VMAv~OodOv7>G@h>2hl$OmZ7t6&8 z@j!CO9!tJ-bLRSiqe`38oj)0BZ;!_w^0Hal-= zj&Gaf3Na!^(sJ$CSmTD(4bj!>;_Js7qGKDH;tkQYYu1mCN5tybs!e;-N6cZ%KFPg7 z@I_#ACV6*ide<~3Yi8)Ep4l{>n@*vfdtQ<(dj4h6^T_N9X^zsH>g$&V((?QQx!5)0 z8n)%^({m2dv|Q;>D7Iy7Yfn!1^u1Zz%nw^mTAr6x&1~LOUA@&blg9lz$ts;}&Nj_G zwqtn9^rc+=nCt1Ls8aooopam$#nQ5zcl5nFtz{JS4qDMk8MLKmST!jMh@73faPg95 zjZMv)6P??3-FvZ8o;QDiR4w&W%q`cr&(L#ys*}|%&9DZ0Mh(p!>Ma@xYT`wz!H%iE?Fb3Q+iA_qni;~0P4)*5E|j zN$S5+l6yv-n&H~MlA^J@UQznIb^|Pp~uWb#|V8$UbLZvme=S><<95 zP>$KCKou5Y2^z2t&1k^}w4n=ouop=TU%TdKHcwzeUJip9ntsZ^#)R{XRM-A@`!6kJ25BiwSrwC3%YWP}=CnL@#^g z@?dssiAZT9mj&#y<;3ogXK}W!aivHpDhoa<)ite&P$J4D0o&M2EI1==+8m*jluHBl zjs&sHXX@%YI%$~;viMKo{Sv#(eqg_{D}?vCSb!Sbi8!IW4O_9>$9WPxIEXY3Ap;G= zuwdgTA^rr$@c<_9AmRNKA^uT3h9~h9o+i}4fEV!+&fpco{F`_S@8ErWfb;k$K>t^S z{h#pjBs}lB5zqL2dOR1BIm@)ILDCj8;YPz5!Ikh+)OhuO=gt5AKO@c>9wLlD7=c?8 z0hD$mJKAXNn|-UiT02V5A$q*#&70uVH=)ii$BFvoIMJ*BFr;ymrg}DsfKG5q5^DeY W9|ETQvc4rhy2JZFy#HtP{r@) { + val handshakeSalt = nonce1 + nonce2 + val headerInfo = "RelaySMS C2S DRHE v1".encodeToByteArray() + + val rootKey = agreeWithAuthAndNonceImpl( + authenticationPublicKey = authenticationPublicKey, + authenticationPrivateKey = authenticationPrivateKey, + publicKey = publicKey, + salt = salt, + info = info, + handshakeSalt = handshakeSalt, + ) + + val headerKey = agreeWithAuthAndNonceImpl( + 
authenticationPublicKey = authenticationPublicKey, + authenticationPrivateKey = authenticationPrivateKey, + publicKey = headerPublicKey, + salt = salt, + info = headerInfo, + handshakeSalt = handshakeSalt, + privateKey = headerPrivateKey + ) + + val nextHeaderKey = agreeWithAuthAndNonceImpl( + authenticationPublicKey = authenticationPublicKey, + authenticationPrivateKey = authenticationPrivateKey, + publicKey = nextHeaderPublicKey, + salt = salt, + info = headerInfo, + handshakeSalt = handshakeSalt, + privateKey = nextHeaderPrivateKey + ) + + return Triple(rootKey, headerKey, nextHeaderKey) + } + + fun calculateSharedSecret( + publicKey: ByteArray, + salt: ByteArray? = null, + info: ByteArray? = "x25591_key_exchange".encodeToByteArray(), + ): ByteArray { val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) - return CryptoHelpers.HKDF("HMACSHA256", sharedKey, null, - "x25591_key_exchange".encodeToByteArray(), 32, 1)[0] + return CryptoHelpers.HKDF( + "HMACSHA256", + sharedKey, + salt, + info, + 32, + 1 + )[0] } fun getKeypair(): android.util.Pair { diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt index 7b2c70c..fbc7020 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt 
@@ -11,20 +11,14 @@ import androidx.datastore.preferences.preferencesDataStore import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityRSA import com.google.gson.Gson -import kotlinx.coroutines.flow.Flow import kotlinx.coroutines.flow.first -import kotlinx.coroutines.flow.map import java.io.IOException -import java.security.KeyFactory import java.security.KeyPair import java.security.KeyStore import java.security.KeyStoreException import java.security.NoSuchAlgorithmException import java.security.UnrecoverableEntryException import java.security.cert.CertificateException -import java.security.spec.PKCS8EncodedKeySpec -import java.security.spec.X509EncodedKeySpec -import javax.crypto.SecretKey import javax.crypto.spec.SecretKeySpec val Context.dataStore: DataStore by preferencesDataStore(name = "secure_comms") @@ -134,8 +128,7 @@ suspend fun Context.saveBinaryDataEncrypted( @Throws suspend fun Context.getEncryptedBinaryData(keystoreAlias: String): ByteArray? { val keyValue = stringPreferencesKey(keystoreAlias) - val data = dataStore.data.first()[keyValue] - if(data == null) return null + val data = dataStore.data.first()[keyValue] ?: return null val savedBinaryData = Gson().fromJson(data, SavedBinaryData::class.java) diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java index 976ae94..3776adc 100644 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java @@ -13,6 +13,7 @@ import java.io.IOException; import java.security.GeneralSecurityException; +import java.util.ArrayList; import javax.crypto.Mac; 
@@ -29,14 +30,36 @@ */ public class Protocols { final static int HKDF_LEN = 32; - final static int HKDF_NUM_KEYS = 2; final static String ALGO = "HMACSHA512"; + final static byte[] KDF_RK_HE_INFO = "RelaySMS C2S DR Ratchet v1".getBytes(); public static Pair GENERATE_DH() { SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(); return new Pair<>(securityCurve25519.getPrivateKey(), securityCurve25519.generateKey()); } + /** + * + * @param dhPair This private key (keypair required in Android if supported) + * @param peerPublicKey + * @return + * @throws GeneralSecurityException + * @throws IOException + * @throws InterruptedException + */ + public static byte[] DH_HE( + Pair dhPair, + byte[] peerPublicKey, + byte[] info + ) { + SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(dhPair.first); + return securityCurve25519.calculateSharedSecret( + peerPublicKey, + null, + info + ); + } + /** * * @param dhPair This private key (keypair required in Android if supported) 
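Review bot: `KDF_RK_HE_INFO` is named after `KDF_RK_HE`, but `KDF_RK_HE` (added further down in this file) builds its own literal `"SMSWithoutBorders DRHE v2"`, and in `RatchetsHE` the constant is passed to `DH_HE` as its `info` argument instead. Domain-separation labels are easy to mix up when name and use disagree; rename it (for example `DH_HE_INFO`) or add a comment stating which derivation it labels. The Javadoc on `DH_HE` was copied from `DH`: it omits `info`, leaves `peerPublicKey` and `@return` empty, and lists three `@throws` that the method does not declare. The label is built with `getBytes()` without a charset; `getBytes(StandardCharsets.UTF_8)` makes the encoding explicit.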
@@ -48,12 +71,26 @@ public static Pair GENERATE_DH() { */ public static byte[] DH(Pair dhPair, byte[] peerPublicKey) { SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(dhPair.first); - return securityCurve25519.calculateSharedSecret(peerPublicKey); + return securityCurve25519.calculateSharedSecret( + peerPublicKey, + null, + "x25591_key_exchange".getBytes() + ); + } + + public static byte[][] KDF_RK_HE( + byte[] rk, + byte[] dhOut + ) throws GeneralSecurityException { + int numKeys = 3; + byte[] info = "SMSWithoutBorders DRHE v2".getBytes(); + return CryptoHelpers.HKDF(ALGO, dhOut, rk, info, HKDF_LEN, numKeys); } public static Pair KDF_RK(byte[] rk, byte[] dhOut) throws GeneralSecurityException { + int numKeys = 2; byte[] info = "KDF_RK".getBytes(); - byte[][] hkdfOutput = CryptoHelpers.HKDF(ALGO, dhOut, rk, info, HKDF_LEN, HKDF_NUM_KEYS); + byte[][] hkdfOutput = CryptoHelpers.HKDF(ALGO, dhOut, rk, info, HKDF_LEN, numKeys); return new Pair<>(hkdfOutput[0], hkdfOutput[1]); } @@ -65,6 +102,24 @@ public static Pair KDF_CK(byte[] ck) throws GeneralSecurityExcep return new Pair<>(_ck, mk); } + public static byte[] HENCRYPT( + byte[] mk, + byte[] plainText + ) throws Throwable { + byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); + byte[] key = new byte[32]; + byte[] authenticationKey = new byte[32]; + byte[] iv = new byte[16]; + + System.arraycopy(hkdfOutput, 0, key, 0, 32); + System.arraycopy(hkdfOutput, 32, authenticationKey, 0, 32); + System.arraycopy(hkdfOutput, 64, iv, 0, 16); + + byte[] cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv); + byte[] mac = buildVerificationHash(authenticationKey, null, cipherText).doFinal(); + return Bytes.concat(cipherText, mac); + } + public static byte[] ENCRYPT(byte[] mk, byte[] plainText, byte[] associated_data) throws Throwable { byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); byte[] key = new byte[32]; 
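Review bot: `HENCRYPT` takes its AES-CBC IV from `getCipherMacParameters(ALGO, mk)`, that is from the key alone, and here `mk` is the header key, which `RatchetsHE.ratchetEncrypt` reuses for every message of a sending chain. Every header in a chain is therefore encrypted under the same key and IV, so if the serialized header begins with fields that stay constant within a chain (the ratchet public key and `PN` do), the leading ciphertext blocks repeat and messages become linkable, which header encryption is meant to prevent. The Double Ratchet specification requires a non-repeating or random nonce of at least 128 bits for HENCRYPT for this reason; the fence generates a fresh IV, prepends it and covers it with the MAC, and `HDECRYPT` then has to split the IV off the verified bytes instead of deriving it. `ENCRYPT` can keep the derived IV because each message key is used once. The context after the added method is the start of `ENCRYPT`, which continues outside the hunk.

```java
public static byte[] HENCRYPT(
        byte[] mk,
        byte[] plainText
) throws Throwable {
    byte[] hkdfOutput = getCipherMacParameters(ALGO, mk);
    // … unchanged: key and authenticationKey copied out of hkdfOutput …

    // The header key is reused across a chain, so the IV must be fresh for each header.
    byte[] iv = CryptoHelpers.generateRandomBytes(16);
    byte[] body = Bytes.concat(iv, SecurityAES.encryptAES256CBC(plainText, key, iv));
    // The MAC covers IV and ciphertext, so a modified IV is rejected before decryption.
    byte[] mac = buildVerificationHash(authenticationKey, null, body).doFinal();
    return Bytes.concat(body, mac);
}
```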
@@ -80,6 +135,20 @@ public static byte[] ENCRYPT(byte[] mk, byte[] plainText, byte[] associated_data return Bytes.concat(cipherText, mac); } + public static byte[] HDECRYPT( + byte[] mk, + byte[] cipherText + ) throws Throwable { + cipherText = verifyCipherText(ALGO, mk, cipherText, null); + + byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); + byte[] key = new byte[32]; + byte[] iv = new byte[16]; + System.arraycopy(hkdfOutput, 0, key, 0, 32); + System.arraycopy(hkdfOutput, 64, iv, 0, 16); + + return SecurityAES.decryptAES256CBC(cipherText, key, iv); + } public static byte[] DECRYPT(byte[] mk, byte[] cipherText, byte[] associated_data) throws Throwable { cipherText = verifyCipherText(ALGO, mk, cipherText, associated_data); @@ -92,6 +161,10 @@ public static byte[] DECRYPT(byte[] mk, byte[] cipherText, byte[] associated_dat return SecurityAES.decryptAES256CBC(cipherText, key, iv); } + public static byte[] CONCAT_HE(byte[] AD, byte[] headers) throws IOException { + return Bytes.concat(AD, headers); + } + public static byte[] CONCAT(byte[] AD, Headers headers) throws IOException { return Bytes.concat(AD, headers.getSerialized()); } diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt new file mode 100644 index 0000000..8d93d95 --- /dev/null +++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt 
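Review bot: `CONCAT_HE`, in the last hunk on this line, joins `AD` and the encrypted header with a bare `Bytes.concat`, so the boundary between the two is only unambiguous when `AD` has a fixed length. The Double Ratchet specification asks for a parseable encoding here, such as a length prefix on `AD`, unless the associated data is guaranteed to be fixed-size. Either add the prefix or state the fixed-length assumption in a comment on the method. `throws IOException` can be dropped, since nothing in the body throws it.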
@@ -0,0 +1,213 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import android.util.Pair +import androidx.core.util.component1 +import androidx.core.util.component2 +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.CONCAT_HE +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.DECRYPT +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.ENCRYPT +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.GENERATE_DH +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.HDECRYPT +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.HENCRYPT +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.KDF_CK +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.KDF_RK_HE + +object RatchetsHE { + + const val MAX_SKIP: Int = 100 + + fun ratchetInitAlice( + state: States, + SK: ByteArray, + bobDhPublicKey: ByteArray, + sharedHka: ByteArray, + sharedNhkb: ByteArray, + ) { + state.DHRs = GENERATE_DH() + state.DHRr = bobDhPublicKey + + val kdfRkHEOutputs = KDF_RK_HE(SK, + Protocols.DH_HE( + state.DHRs, + state.DHRr, + Protocols.KDF_RK_HE_INFO + ) + ) + state.RK = kdfRkHEOutputs[0] + state.CKs = kdfRkHEOutputs[1] + state.NHKs = kdfRkHEOutputs[2] + + state.CKr = null + state.Ns = 0 + state.Nr = 0 + state.PN = 0 + state.MKSKIPPED = mutableMapOf() + state.HKs = sharedHka + state.HKr = null + state.NHKr = sharedNhkb + } + + fun ratchetInitBob( + state: States, + SK: ByteArray, + bobDhPublicKeypair: Pair, + sharedHka: ByteArray, + sharedNhkb: ByteArray, + ) { + state.DHRs = bobDhPublicKeypair + state.DHRr = null + state.RK = SK + state.CKs = null + state.CKr = null + state.Ns = 0 + state.Nr = 0 + state.PN = 0 + state.MKSKIPPED = mutableMapOf() + state.HKs = null + state.NHKs = sharedNhkb + state.HKr = null + state.NHKr = 
sharedHka + } + + fun ratchetEncrypt( + state: States, + plaintext: ByteArray, + AD: ByteArray, + ) : Pair { + val kdfCk = KDF_CK(state.CKs) + state.CKs = kdfCk.first + val mk = kdfCk.second + val header = Headers(state.DHRs, state.PN, state.Ns) + val encHeader = HENCRYPT(state.HKs, header.serialized) + state.Ns += 1 + return Pair(encHeader, + ENCRYPT(mk, plaintext, CONCAT_HE(AD, encHeader))) + } + + fun ratchetDecrypt( + state: States, + encHeader: ByteArray, + cipherText: ByteArray, + AD: ByteArray, + ): ByteArray { + val plaintext = trySkippedMessageKeys(state, encHeader, cipherText, AD) + if(plaintext != null) + return plaintext + + val (header, dhRatchet) = decryptHeader(state, encHeader) + if(dhRatchet) { + skipMessageKeys(state, header.PN) + DHRatchetHE(state, header) + } + + skipMessageKeys(state, header.N) + val kdfCk = KDF_CK(state.CKr) + state.CKr = kdfCk.first + val mk = kdfCk.second + state.Nr += 1 + return DECRYPT(mk, cipherText, CONCAT_HE(AD, encHeader)) + } + + private fun skipMessageKeys( + state: States, + until: Int, + ) { + if(state.Nr + MAX_SKIP < until) + throw Exception("MAX_SKIP Exceeded") + + state.CKr?.let{ + while(state.Nr < until) { + val kdfCk = KDF_CK(state.CKr) + state.CKr = kdfCk.first + val mk = kdfCk.second + state.MKSKIPPED[Pair(state.HKr, state.Nr)] = mk + state.Nr += 1 + } + } + } + + private fun trySkippedMessageKeys( + state: States, + encHeader: ByteArray, + ciphertext: ByteArray, + AD: ByteArray + ) : ByteArray? { + state.MKSKIPPED.forEach { + val hk = it.key.first + val n = it.key.second + val mk = it.value + + val header = HDECRYPT(hk, encHeader).run { + Headers.deSerializeHeader(this) + } + if(header != null && header.N == n) { + state.MKSKIPPED.remove(it.key) + return DECRYPT(mk, ciphertext, CONCAT_HE(AD, encHeader)) + } + } + + return null + } + + private fun decryptHeader( + state: States, + encHeader: ByteArray + ) : Pair { + var header: Headers? 
= null + try { + header = HDECRYPT(state.HKr, encHeader).run { + Headers.deSerializeHeader(this) + } + } catch(e: Exception) { + e.printStackTrace() + } + + header?.let { + return Pair(header, false) + } + + header = HDECRYPT(state.NHKr, encHeader).run { + Headers.deSerializeHeader(this) + } + header?.let { + return Pair(header, true) + } + throw Exception("Generic error decrypting header...") + } + + private fun DHRatchetHE( + state: States, + header: Headers + ) { + state.PN = state.Ns + state.Ns = 0 + state.Nr = 0 + state.HKs = state.NHKs + state.HKr = state.NHKr + state.DHRr = header.dh + + var kdfRkHEOutputs = KDF_RK_HE(state.RK, + Protocols.DH_HE( + state.DHRs, + state.DHRr, + Protocols.KDF_RK_HE_INFO + ) + ) + state.RK = kdfRkHEOutputs[0] + state.CKr = kdfRkHEOutputs[1] + state.NHKr = kdfRkHEOutputs[2] + + state.DHRs = GENERATE_DH() + + kdfRkHEOutputs = KDF_RK_HE(state.RK, + Protocols.DH_HE( + state.DHRs, + state.DHRr, + Protocols.KDF_RK_HE_INFO + ) + ) + state.RK = kdfRkHEOutputs[0] + state.CKs = kdfRkHEOutputs[1] + state.NHKs = kdfRkHEOutputs[2] + } +} \ No newline at end of file diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.java deleted file mode 100644 index 1625b57..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.java +++ /dev/null 
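Review bot: `trySkippedMessageKeys` calls `HDECRYPT` for every stored key without catching a failure, and it removes the matching entry before `DECRYPT` has authenticated the body. Judging by the `try`/`catch` around the same call in `decryptHeader`, `HDECRYPT` throws on a mismatch, so one stored key under an older header key would make every later message fail here instead of falling through to `decryptHeader`. Because the entry is removed first, a message with a valid header but a corrupted body would discard the key that the genuine message still needs. More generally, `ratchetDecrypt` mutates `state` (`skipMessageKeys`, `DHRatchetHE`, `Nr`) before the final `DECRYPT`, whereas the Double Ratchet specification requires state changes to be discarded when decryption fails, and nothing caps the total size of `MKSKIPPED`. The fence shows the loop with the two local fixes; working on a copy of `state` and committing it only after a successful `DECRYPT` would cover the rest.

```kotlin
// … unchanged: trySkippedMessageKeys signature …
        for ((skippedKey, mk) in state.MKSKIPPED) {
            // A header sealed under a different header key is expected here: try the next entry.
            val header = try {
                Headers.deSerializeHeader(HDECRYPT(skippedKey.first, encHeader))
            } catch (e: Exception) {
                null
            }
            if (header != null && header.N == skippedKey.second) {
                // Authenticate and decrypt first, so a failed body check leaves the stored key in place.
                val plaintext = DECRYPT(mk, ciphertext, CONCAT_HE(AD, encHeader))
                state.MKSKIPPED.remove(skippedKey)
                return plaintext
            }
        }

        return null
```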
@@ -1,165 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal; - -import android.util.Log; -import android.util.Pair; -import android.util.Base64; - -import androidx.annotation.Nullable; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.JsonArray; -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonPrimitive; -import com.google.gson.JsonSerializationContext; - -import com.google.gson.JsonSerializer; - -import org.json.JSONArray; -import org.json.JSONException; -import org.json.JSONObject; - -import java.lang.reflect.Type; -import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; -import java.security.PublicKey; -import java.security.spec.InvalidKeySpecException; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; - -public class States { - public Pair DHs; - public byte[] DHr; - public byte[] RK; - public byte[] CKs; - public byte[] CKr; - - public int Ns = 0; - public int Nr = 0; - public int PN = 0; - - public Map, byte[]> MKSKIPPED = new HashMap<>(); - - public States(String states) throws JSONException { - if(states == null) - return; - - JSONObject jsonObject = new JSONObject(states); - if(jsonObject.has("DHs")) { - String[] encodedValues = jsonObject.getString("DHs").split(" "); - this.DHs = new Pair<>(android.util.Base64.decode(encodedValues[0], Base64.NO_WRAP), - android.util.Base64.decode(encodedValues[1], Base64.NO_WRAP)); - } - if(jsonObject.has("DHr")) - this.DHr = Base64.decode(jsonObject.getString("DHr"), Base64.NO_WRAP); - - if(jsonObject.has("RK")) - this.RK = Base64.decode(jsonObject.getString("RK"), Base64.NO_WRAP); - if(jsonObject.has("CKs")) - this.CKs = Base64.decode(jsonObject.get("CKs").toString(), Base64.NO_WRAP); - if(jsonObject.has("CKr")) - this.CKr = Base64.decode(jsonObject.getString("CKr"), Base64.NO_WRAP); - this.Ns = jsonObject.getInt("Ns"); - this.Nr = 
jsonObject.getInt("Nr"); - this.PN = jsonObject.getInt("PN"); - - JSONArray mkskipped = jsonObject.getJSONArray("MKSKIPPED"); - for(int i=0;i(pubkey, pair.getInt(StatesMKSKIPPED.N)), - Base64.decode(pair.getString(StatesMKSKIPPED.MK), Base64.NO_WRAP)); - } - } - - public static byte[] getADForHeaders(States states, Headers headers) { - for(Map.Entry, byte[]> entry : states.MKSKIPPED.entrySet()) { - if(entry.getKey().second == (headers.PN + headers.N)) - return entry.getKey().first; - } - - return null; - } - - public States() { - } - - public String getSerializedStates() { - GsonBuilder gsonBuilder = new GsonBuilder(); - gsonBuilder.registerTypeAdapter(KeyPair.class, new StatesKeyPairSerializer()); - gsonBuilder.registerTypeAdapter(PublicKey.class, new StatesPublicKeySerializer()); - gsonBuilder.registerTypeAdapter(byte[].class, new StatesBytesSerializer()); - gsonBuilder.registerTypeAdapter(Pair.class, new PairStatesBytesSerializer()); - gsonBuilder.registerTypeAdapter(Map.class, new StatesMKSKIPPED()); - gsonBuilder.setPrettyPrinting() - .disableHtmlEscaping(); - - Gson gson = gsonBuilder.create(); - return gson.toJson(this); - } - - @Override - public boolean equals(@Nullable Object obj) { - if(obj instanceof States state) { - return state.getSerializedStates().equals(this.getSerializedStates()); - } - return false; - } - - public static class StatesKeyPairSerializer implements JsonSerializer { - @Override - public JsonElement serialize(KeyPair src, Type typeOfSrc, JsonSerializationContext context) { - return new JsonPrimitive( - Base64.encodeToString(src.getPublic().getEncoded(), Base64.NO_WRAP)); - } - } - - public static class StatesPublicKeySerializer implements JsonSerializer { - @Override - public JsonElement serialize(PublicKey src, Type typeOfSrc, JsonSerializationContext context) { - return new JsonPrimitive(Base64.encodeToString(src.getEncoded(), Base64.NO_WRAP)); - } - } - - public static class PairStatesBytesSerializer implements JsonSerializer> { - 
@Override
- public JsonElement serialize(Pair src, Type typeOfSrc, JsonSerializationContext context) {
- return new JsonPrimitive( Base64.encodeToString(src.first, Base64.NO_WRAP) + " " +
- Base64.encodeToString(src.second, Base64.NO_WRAP));
- }
- }
-
- public static class StatesBytesSerializer implements JsonSerializer {
- @Override
- public JsonElement serialize(byte[] src, Type typeOfSrc, JsonSerializationContext context) {
- return new JsonPrimitive( Base64.encodeToString(src, Base64.NO_WRAP));
- }
- }
-
-
- public static class StatesMKSKIPPED implements JsonSerializer, byte[]>> {
- public final static String PUBLIC_KEY = "PUBLIC_KEY";
- public final static String N = "N";
- public final static String MK = "MK";
-
- @Override
- public JsonElement serialize(Map, byte[]> src, Type typeOfSrc, JsonSerializationContext context) {
- JsonArray jsonArray = new JsonArray();
- for(Map.Entry, byte[]> entry: src.entrySet()) {
- String publicKey = Base64.encodeToString(entry.getKey().first, Base64.NO_WRAP);
- Integer n = entry.getKey().second;
-
- JsonObject jsonObject1 = new JsonObject();
- jsonObject1.addProperty(PUBLIC_KEY, publicKey);
- jsonObject1.addProperty(N, n);
- jsonObject1.addProperty(MK, Base64.encodeToString(entry.getValue(), Base64.NO_WRAP));
-
- jsonArray.add(jsonObject1);
- }
- return jsonArray;
- }
- }
-
-}
diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt
new file mode 100644
index 0000000..79817ed
--- /dev/null
+++ b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt 
@@ -0,0 +1,61 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal
+
+import android.util.Pair
+import kotlinx.serialization.json.Json
+
+data class States(
+ @JvmField
+ var DHs: Pair? = null,
+
+ @JvmField
+ var DHr: ByteArray? = null,
+
+ @JvmField
+ var RK: ByteArray? = null,
+
+ @JvmField
+ var CKs: ByteArray? = null,
+
+ @JvmField
+ var CKr: ByteArray? = null,
+
+ @JvmField
+ var Ns: Int = 0,
+
+ @JvmField
+ var Nr: Int = 0,
+
+ @JvmField
+ var PN: Int = 0,
+
+ @JvmField
+ var DHRs: Pair? = null,
+
+ @JvmField
+ var DHRr: ByteArray? = null,
+
+ @JvmField
+ var HKs: ByteArray? = null,
+
+ @JvmField
+ var HKr: ByteArray? = null,
+
+ @JvmField
+ var NHKs: ByteArray? = null,
+
+ @JvmField
+ var NHKr: ByteArray? = null,
+
+ @JvmField
+ var MKSKIPPED: MutableMap, ByteArray> = mutableMapOf()
+) {
+ fun serialize(): String {
+ return Json.encodeToString(this)
+ }
+
+ companion object {
+ fun deserialize(input: String): States {
+ return Json.decodeFromString(input)
+ }
+ }
+}
\ No newline at end of file
From db3edfba76ac7690731dd30afa4d06c530304765 Mon Sep 17 00:00:00 2001 
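Review bot: `serialize()` calls `Json.encodeToString(this)`, but the `States` class in this hunk carries no `@Serializable` annotation and the file imports only `kotlinx.serialization.json.Json`, so kotlinx.serialization is likely to find no serializer for it; the class line would need to read `@Serializable data class States(`, and `DHs`, `DHRs` and the `MKSKIPPED` keys are `android.util.Pair`, which would additionally need a custom serializer. The string it produces holds the root key, both chain keys, the header keys and every skipped message key in the clear, so `serialize()` should carry a KDoc stating that the result is secret and must be encrypted before it is stored and never logged. Separately, a `data class` with `ByteArray` properties compares them by reference in the generated `equals`/`hashCode`, so two states with identical key bytes are not equal; override both with `contentEquals`/`contentHashCode` if equality is relied on.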
From: sherlockwisdom Date: Sun, 12 Apr 2026 11:42:10 +0100 Subject: [PATCH 04/19] update: basic structure attained --- build.gradle | 99 ++--- double_ratchet/build.gradle | 74 ++++ gradle.properties | 2 + settings.gradle | 13 + .../SecurityAESTest.kt | 21 -- .../SecurityRSATest.java | 54 --- .../SecurityX25519Test.kt | 62 ---- .../libsignal/HeadersTest.kt | 17 - .../libsignal/RatchetsTest.kt | 160 -------- .../libsignal/StateTest.kt | 20 - src/main/AndroidManifest.xml | 7 - .../CryptoHelpers.java | 90 ----- .../EncryptionController.kt | 348 ------------------ .../libsignal_doubleratchet/SecurityAES.java | 91 ----- .../SecurityCurve25519.kt | 118 ------ .../libsignal_doubleratchet/SecurityRSA.kt | 90 ----- .../extensions/context.kt | 146 -------- .../libsignal/Headers.java | 76 ---- .../libsignal/Protocols.java | 173 --------- .../libsignal/Ratchets.java | 119 ------ .../libsignal/RatchetsHE.kt | 213 ----------- .../libsignal/States.kt | 61 --- src/main/res/values/strings.xml | 5 - 23 files changed, 112 insertions(+), 1947 deletions(-) create mode 100644 double_ratchet/build.gradle create mode 100644 gradle.properties create mode 100644 settings.gradle delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt delete mode 100644 src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt delete mode 100644 src/main/AndroidManifest.xml delete mode 100644 
src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.java delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Ratchets.java delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt delete mode 100644 src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt delete mode 100644 src/main/res/values/strings.xml diff --git a/build.gradle b/build.gradle index 607d7c6..9e0ca23 100644 --- a/build.gradle +++ b/build.gradle 
@@ -1,84 +1,31 @@
-plugins {
- id 'com.android.library'
-// id 'maven-publish'
- id 'signing'
- id 'org.jetbrains.kotlin.android'
- id "com.vanniktech.maven.publish" version "0.34.0"
- id 'org.jetbrains.kotlin.plugin.serialization' version '2.2.10'
-}
-
-android {
- namespace 'com.afkanerd.smswithoutborders.libsignal_doubleratchet'
- compileSdk 36
-
- defaultConfig {
- minSdk 24
- targetSdk 36
-
- testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
- aarMetadata {
- minCompileSdk = 24
- }
+// Top-level build file where you can add configuration options common to all sub-projects/modules.
+buildscript {
+ ext {
+// kotlin_version = '1.8.20-RC'
+// kotlin_version = '1.9.23'
+ kotlin_version = '2.3.10'
+ agp_version = '8.5.0'
+ agp_version1 = '8.12.2'
 }
-
- buildTypes {
- release {
- minifyEnabled false
- proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
- }
- nightly {
- }
- }
- compileOptions {
- sourceCompatibility JavaVersion.VERSION_17
- targetCompatibility JavaVersion.VERSION_17
+ repositories {
+ google()
+ mavenCentral()
 }
+ dependencies {
+ classpath "com.android.tools.build:gradle:$agp_version1"
+ classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
- testFixtures {
- enable = true
- }
-
- kotlinOptions {
- jvmTarget = '17'
+ // NOTE: Do not place your application dependencies here; they belong
+ // in the individual module build.gradle files
 }
 }
-import com.vanniktech.maven.publish.AndroidSingleVariantLibrary
-mavenPublishing {
- // the first parameter represennts which variant is published
- // the second whether to publish a sources jar
- // the third whether to publish a javadoc jar
- configure(new AndroidSingleVariantLibrary("release", true, true))
+plugins {
+ // Existing plugins
+// alias(libs.plugins.compose.compiler) apply false
+// alias(libs.plugins.org.jetbrains.kotlin.android) apply false
 }
-
-
-dependencies {
- implementation fileTree(dir: 'libs', include: ['*.jar', 
"*.aar"])
- implementation 'androidx.appcompat:appcompat:1.7.0'
- implementation 'com.google.guava:guava:33.4.8-jre'
- implementation 'com.madgag.spongycastle:prov:1.58.0.0'
- implementation 'org.conscrypt:conscrypt-android:2.5.3'
- implementation 'androidx.core:core-ktx:1.13.1'
-
- testImplementation 'junit:junit:4.13.2'
- androidTestImplementation 'androidx.test.ext:junit:1.2.1'
- androidTestImplementation 'androidx.test.espresso:espresso-core:3.6.1'
-
- implementation 'com.github.netricecake:x25519:2.0'
- implementation 'com.google.code.gson:gson:2.11.0'
- implementation 'at.favre.lib:hkdf:2.0.0'
-
- implementation "androidx.datastore:datastore-preferences:1.1.7"
-
- // optional - RxJava2 support
- implementation "androidx.datastore:datastore-preferences-rxjava2:1.1.7"
-
- // optional - RxJava3 support
- implementation "androidx.datastore:datastore-preferences-rxjava3:1.1.7"
-
- implementation "androidx.datastore:datastore-preferences-core:1.1.7"
-
- implementation 'com.google.code.gson:gson:2.11.0'
- implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.9.0"
-}
+tasks.register('clean', Delete) {
+ delete rootProject.buildDir
+}
\ No newline at end of file
diff --git a/double_ratchet/build.gradle b/double_ratchet/build.gradle
new file mode 100644
index 0000000..d8fd260
--- /dev/null
+++ b/double_ratchet/build.gradle 
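Review bot: The new `ext` block pins `kotlin_version = '2.3.10'` for the Kotlin Gradle plugin on the buildscript classpath, while `double_ratchet/build.gradle` in this same commit applies `org.jetbrains.kotlin.plugin.serialization` at `version '2.2.10'`; the serialization compiler plugin is versioned together with the Kotlin compiler, so the two should name the same version. `agp_version = '8.5.0'` is declared but only `agp_version1` is used in the `classpath` line, which leaves a stale version string that a dependency scanner or a later edit can pick up by mistake; keep a single entry, `agp_version = '8.12.2'`. In the `clean` task, `rootProject.buildDir` is deprecated in current Gradle and `delete rootProject.layout.buildDirectory` is the replacement.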
@@ -0,0 +1,74 @@
+plugins {
+ id 'com.android.library'
+// id 'maven-publish'
+ id 'signing'
+ id 'org.jetbrains.kotlin.android'
+ id "com.vanniktech.maven.publish" version "0.34.0"
+ id 'org.jetbrains.kotlin.plugin.serialization' version '2.2.10'
+}
+
+android {
+ namespace 'com.afkanerd.smswithoutborders.libsignal_doubleratchet'
+ compileSdk 36
+
+ defaultConfig {
+ minSdk 24
+ targetSdk 36
+
+ testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+ aarMetadata {
+ minCompileSdk = 24
+ }
+ }
+
+ buildTypes {
+ release {
+ minifyEnabled false
+ proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+ }
+ nightly {
+ }
+ }
+ compileOptions {
+ sourceCompatibility JavaVersion.VERSION_17
+ targetCompatibility JavaVersion.VERSION_17
+ }
+
+ testFixtures {
+ enable = true
+ }
+
+ kotlinOptions {
+ jvmTarget = '17'
+ }
+}
+
+dependencies {
+ implementation fileTree(dir: 'libs', include: ['*.jar', "*.aar"])
+ implementation 'androidx.appcompat:appcompat:1.7.0'
+ implementation 'com.google.guava:guava:33.4.8-jre'
+ implementation 'com.madgag.spongycastle:prov:1.58.0.0'
+ implementation 'org.conscrypt:conscrypt-android:2.5.3'
+ implementation 'androidx.core:core-ktx:1.13.1'
+
+ testImplementation 'junit:junit:4.13.2'
+ androidTestImplementation 'androidx.test.ext:junit:1.2.1'
+ androidTestImplementation 'androidx.test.espresso:espresso-core:3.6.1'
+
+ implementation 'com.github.netricecake:x25519:2.0'
+ implementation 'com.google.code.gson:gson:2.11.0'
+ implementation 'at.favre.lib:hkdf:2.0.0'
+
+ implementation "androidx.datastore:datastore-preferences:1.1.7"
+
+ // optional - RxJava2 support
+ implementation "androidx.datastore:datastore-preferences-rxjava2:1.1.7"
+
+ // optional - RxJava3 support
+ implementation "androidx.datastore:datastore-preferences-rxjava3:1.1.7"
+
+ implementation "androidx.datastore:datastore-preferences-core:1.1.7"
+
+ implementation 'com.google.code.gson:gson:2.11.0'
+ implementation 
"org.jetbrains.kotlinx:kotlinx-serialization-json:1.9.0"
+}
diff --git a/gradle.properties b/gradle.properties
new file mode 100644
index 0000000..3deb2b0
--- /dev/null
+++ b/gradle.properties
@@ -0,0 +1,2 @@
+android.useAndroidX=true
+org.gradle.jvmargs=-Xmx4096M
\ No newline at end of file
diff --git a/settings.gradle b/settings.gradle
new file mode 100644
index 0000000..6e8cd15
--- /dev/null
+++ b/settings.gradle
@@ -0,0 +1,13 @@
+plugins {
+ id 'org.gradle.toolchains.foojay-resolver-convention' version '1.0.0'
+}
+dependencyResolutionManagement {
+ repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
+ repositories {
+ google()
+ mavenCentral()
+ maven { setUrl("https://jitpack.io") }
+ }
+}
+rootProject.name = "lib_signal_double_ratchet_java"
+include ':double_ratchet'
\ No newline at end of file
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt
deleted file mode 100644
index 82f93d4..0000000
--- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt
+++ /dev/null
@@ -1,21 +0,0 @@
-package com.afkanerd.smswithoutborders.libsignal_doubleratchet
-
-import androidx.test.filters.SmallTest
-import org.junit.Assert.assertArrayEquals
-import org.junit.Test
-import javax.crypto.SecretKey
-
-@SmallTest
-class SecurityAESTest {
-
- @Test
- fun aesTest() {
- val secretKey = SecurityAES.generateSecretKey(256)
-
- val input = CryptoHelpers.generateRandomBytes(277)
- val cipher = SecurityAES.encryptAES256CBC(input, secretKey.encoded, null)
- val output = SecurityAES.decryptAES256CBC(cipher, secretKey.encoded, null)
-
- assertArrayEquals(input, output)
- }
-}
\ No newline at end of file 
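Review bot: `com.madgag.spongycastle:prov:1.58.0.0` in the `dependencies` block is a repackaging of a 2017 Bouncy Castle release and, to my knowledge, the Spongy Castle project no longer publishes updates, so this crypto library would ship a provider that receives no fixes; if nothing under the module still imports `org.spongycastle`, drop the line, otherwise move to a maintained provider. `implementation fileTree(dir: 'libs', include: ['*.jar', "*.aar"])` pulls whatever binaries sit in `libs/` into the artifact with no version or checksum, and is better replaced by declared coordinates. `com.google.code.gson:gson:2.11.0` is listed twice. The `com.vanniktech.maven.publish` plugin stays applied although the `mavenPublishing { configure(...) }` block that the root file had is not carried over, so it is worth confirming that the release variant is still published as intended.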
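Review bot: `maven { setUrl("https://jitpack.io") }` in `settings.gradle` is added as an unrestricted repository, so any coordinate Gradle does not find in `google()` or `mavenCentral()` falls through to JitPack, which builds artifacts on demand from public source repositories; for a cryptography library that is a wider trust boundary than the build needs. The only `com.github.*` coordinate visible in this commit is `com.github.netricecake:x25519:2.0`, so the repository can be scoped to it: `maven { setUrl("https://jitpack.io"); content { includeGroup "com.github.netricecake" } }`. Gradle dependency verification (`gradle/verification-metadata.xml`) would additionally pin the checksum of that artifact.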
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java deleted file mode 100644 index 98487f6..0000000 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java +++ /dev/null 
@@ -1,54 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet; - - -import static org.junit.Assert.assertArrayEquals; -import static org.junit.Assert.assertEquals; - -import androidx.test.ext.junit.runners.AndroidJUnit4; - -import org.junit.Test; -import org.junit.runner.RunWith; - -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.KeyPair; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PublicKey; -import java.security.UnrecoverableEntryException; -import java.security.cert.CertificateException; - -import javax.crypto.BadPaddingException; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.SecretKey; - -@RunWith(AndroidJUnit4.class) -public class SecurityRSATest { - - String keystoreAlias = "keystoreAlias"; - @Test - public void testCanStoreAndEncrypt() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, UnrecoverableEntryException, CertificateException, KeyStoreException, IOException { -// KeyPairGenerator kpg = KeyPairGenerator.getInstance( -// KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); -// -// kpg.initialize(new KeyGenParameterSpec.Builder(keystoreAlias, -// KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) -// .setKeySize(2048) -// .setDigests(KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, -// KeyProperties.DIGEST_SHA512) -// .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) -// .build()); -// -// KeyPair keyPair = kpg.generateKeyPair(); -// PublicKey publicKey = SecurityRSA.generateKeyPair(keystoreAlias, 2048); -// KeyPair keyPair = KeystoreHelpers.getKeyPairFromKeystore(keystoreAlias); -// 
-// SecretKey secretKey = SecurityAES.generateSecretKey(256); -// byte[] cipherText = SecurityRSA.encrypt(keyPair.getPublic(), secretKey.getEncoded()); -// byte[] plainText = SecurityRSA.decrypt(keyPair.getPrivate(), cipherText); -// assertArrayEquals(secretKey.getEncoded(), plainText); - } -} diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt deleted file mode 100644 index b8fa7c2..0000000 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt +++ /dev/null 
@@ -1,62 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.security.keystore.KeyGenParameterSpec -import android.security.keystore.KeyProperties -import androidx.test.filters.SmallTest -import org.junit.Assert.assertArrayEquals -import org.junit.Test -import java.security.KeyPairGenerator -import java.security.KeyStore -import java.security.Signature - -@SmallTest -class SecurityX25519Test { - @Test - fun keystoreEd25519() { - val keystoreAlias = "keystoreAlias" - val kpg: KeyPairGenerator = KeyPairGenerator.getInstance( - KeyProperties.KEY_ALGORITHM_EC, - "AndroidKeyStore" - ) - val parameterSpec: KeyGenParameterSpec = KeyGenParameterSpec.Builder( - keystoreAlias, - KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY - ).run { - setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) - build() - } - - kpg.initialize(parameterSpec) - val kp = kpg.generateKeyPair() - - val ks: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { - load(null) - } - val entry: KeyStore.Entry = ks.getEntry(keystoreAlias, null) - if (entry !is KeyStore.PrivateKeyEntry) { - throw Exception("No instance of keystore") - } - - val data = "Hello world".encodeToByteArray() - val signature: ByteArray = Signature.getInstance("SHA256withECDSA").run { - initSign(entry.privateKey) - update(data) - sign() - } - - } - - @Test - fun sharedSecret() { - val alice = SecurityCurve25519() - val bob = SecurityCurve25519() - - val alicePubKey = alice.generateKey() - val bobPubKey = bob.generateKey() - - val aliceSharedSecret = alice.calculateSharedSecret(bobPubKey) - val bobSharedSecret = bob.calculateSharedSecret(alicePubKey) - - assertArrayEquals(aliceSharedSecret, bobSharedSecret) - } -} \ No newline at end of file 
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt deleted file mode 100644 index e4876ae..0000000 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt +++ /dev/null @@ -1,17 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import androidx.test.filters.SmallTest -import junit.framework.TestCase.assertEquals -import org.junit.Test -import java.security.SecureRandom - -@SmallTest -class HeadersTest { - - @Test fun headersTest() { - val header = Headers(SecureRandom.getSeed(32), 0, 0) - val header1 = Headers.deSerializeHeader(header.serialized) - - assertEquals(header, header1) - } -} \ No newline at end of file diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt deleted file mode 100644 index 63c31af..0000000 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ /dev/null 
@@ -1,160 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import android.content.Context -import androidx.core.util.component1 -import androidx.core.util.component2 -import androidx.test.filters.SmallTest -import androidx.test.platform.app.InstrumentationRegistry -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityCurve25519 -import org.junit.Assert.assertArrayEquals -import org.junit.Test -import java.security.SecureRandom - -@SmallTest -class RatchetsTest { - var context: Context = - InstrumentationRegistry.getInstrumentation().targetContext - @Test - fun completeRatchetHETest() { - val aliceEphemeralKeyPair = SecurityCurve25519() - val aliceEphemeralHeaderKeyPair = SecurityCurve25519() - val aliceEphemeralNextHeaderKeyPair = SecurityCurve25519() - - val bobStaticKeyPair = SecurityCurve25519() - val bobEphemeralKeyPair = SecurityCurve25519() - val bobEphemeralHeaderKeyPair = SecurityCurve25519() - val bobEphemeralNextHeaderKeyPair = SecurityCurve25519() - - val aliceNonce = CryptoHelpers.generateRandomBytes(16) - val bobNonce = CryptoHelpers.generateRandomBytes(16) - - val (aliceSk, aliceSkH, aliceSkNh) = SecurityCurve25519(aliceEphemeralKeyPair.privateKey) - .agreeWithAuthAndNonce( - authenticationPublicKey = bobStaticKeyPair.generateKey(), - authenticationPrivateKey = null, - headerPrivateKey = aliceEphemeralHeaderKeyPair.privateKey, - nextHeaderPrivateKey = aliceEphemeralNextHeaderKeyPair.privateKey, - publicKey = bobEphemeralKeyPair.generateKey(), - headerPublicKey = bobEphemeralHeaderKeyPair.generateKey(), - nextHeaderPublicKey = bobEphemeralNextHeaderKeyPair.generateKey(), - salt = "RelaySMS v1".encodeToByteArray(), - nonce1 = aliceNonce, - nonce2 = bobNonce, - info = "RelaySMS C2S DR v1".encodeToByteArray() - ) - - val (bobSk, bobSkH, bobSkNh) = SecurityCurve25519(bobEphemeralKeyPair.privateKey) - .agreeWithAuthAndNonce( - 
authenticationPublicKey = null, - authenticationPrivateKey = bobStaticKeyPair.privateKey, - headerPrivateKey = bobEphemeralHeaderKeyPair.privateKey, - nextHeaderPrivateKey = bobEphemeralNextHeaderKeyPair.privateKey, - publicKey = aliceEphemeralKeyPair.generateKey(), - headerPublicKey = aliceEphemeralHeaderKeyPair.generateKey(), - nextHeaderPublicKey = aliceEphemeralNextHeaderKeyPair.generateKey(), - salt = "RelaySMS v1".encodeToByteArray(), - nonce1 = aliceNonce, - nonce2 = bobNonce, - info = "RelaySMS C2S DR v1".encodeToByteArray() - ) - - assertArrayEquals(aliceSk, bobSk) - assertArrayEquals(aliceSkH, bobSkH) - assertArrayEquals(aliceSkNh, bobSkNh) - - val aliceState = States() - RatchetsHE.ratchetInitAlice( - state = aliceState, - SK = aliceSk, - bobDhPublicKey = bobEphemeralKeyPair.generateKey(), - sharedHka = aliceSkH, - sharedNhkb = aliceSkNh - ) - - val bobState = States() - RatchetsHE.ratchetInitBob( - state = bobState, - SK = bobSk, - bobDhPublicKeypair = bobEphemeralKeyPair.getKeypair(), - sharedHka = bobSkH, - sharedNhkb = bobSkNh - ) - - val originalText = SecureRandom.getSeed(32); - val (encHeader, aliceCipherText) = RatchetsHE.ratchetEncrypt( - aliceState, - originalText, - bobStaticKeyPair.generateKey() - ) - - var encHeader1: ByteArray? = null - var aliceCipherText1: ByteArray? 
= null - for(i in 1..10) { - val (encHeader2, aliceCipherText2) = RatchetsHE.ratchetEncrypt( - aliceState, - originalText, - bobStaticKeyPair.generateKey() - ) - encHeader1 = encHeader2 - aliceCipherText1 = aliceCipherText2 - } - - val bobPlainText = RatchetsHE.ratchetDecrypt( - state = bobState, - encHeader = encHeader, - cipherText = aliceCipherText, - AD = bobStaticKeyPair.generateKey() - ) - - val bobPlainText1 = RatchetsHE.ratchetDecrypt( - state = bobState, - encHeader = encHeader1!!, - cipherText = aliceCipherText1!!, - AD = bobStaticKeyPair.generateKey() - ) - - assertArrayEquals(originalText, bobPlainText) - assertArrayEquals(originalText, bobPlainText1) - } - - @Test - fun completeRatchetTest() { - val alice = SecurityCurve25519() - val bob = SecurityCurve25519() - - val SK = alice.calculateSharedSecret(bob.generateKey()) - val SK1 = bob.calculateSharedSecret(alice.generateKey()) - assertArrayEquals(SK, SK1) - - val aliceState = States() - Ratchets.ratchetInitAlice(aliceState, SK, bob.generateKey()) - - val bobState = States() - Ratchets.ratchetInitBob(bobState, SK, bob.getKeypair()) - - val originalText = SecureRandom.getSeed(32); - val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, - bob.generateKey()) - - var header1: Headers? = null - var aliceCipherText1: ByteArray? = null - for(i in 1..10) { - val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, - bob.generateKey()) - header1 = header - aliceCipherText1 = aliceCipherText - } - - val bobPlainText = Ratchets.ratchetDecrypt(bobState, header, aliceCipherText, - bob.generateKey()) - - val bobPlainText1 = Ratchets.ratchetDecrypt(bobState, header1, aliceCipherText1, - bob.generateKey()) - println(bobState.serialize()) - - assertArrayEquals(originalText, bobPlainText) - assertArrayEquals(originalText, bobPlainText1) - } -} - 
diff --git a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt b/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt deleted file mode 100644 index 42c254e..0000000 --- a/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt +++ /dev/null @@ -1,20 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import androidx.test.filters.SmallTest -import junit.framework.TestCase.assertEquals -import kotlinx.serialization.json.Json -import org.junit.Test -import java.security.SecureRandom - -@SmallTest -class StateTest { - - @Test fun testStates() { - val state = States() - state.DHs = android.util.Pair(SecureRandom.getSeed(32), - SecureRandom.getSeed(32)) - val serializedStates = Json.encodeToString(state) - val deserializedStates = Json.decodeFromString(serializedStates) - assertEquals(state, deserializedStates) - } -} \ No newline at end of file diff --git a/src/main/AndroidManifest.xml b/src/main/AndroidManifest.xml deleted file mode 100644 index 7b53da6..0000000 --- a/src/main/AndroidManifest.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java deleted file mode 100644 index e84b2af..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoHelpers.java +++ /dev/null 
@@ -1,90 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet; - -import com.google.common.primitives.Bytes; - -import java.security.GeneralSecurityException; -import java.security.SecureRandom; -import java.util.Arrays; - -import javax.crypto.Mac; -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; - -import at.favre.lib.hkdf.HKDF; - -public class CryptoHelpers { - - public final static String pemStartPrefix = "-----BEGIN PUBLIC KEY-----\n"; - public final static String pemEndPrefix = "\n-----END PUBLIC KEY-----"; - - public static byte[] getCipherMacParameters(String ALGO, byte[] mk) throws GeneralSecurityException { - int hashLen = 80; - byte[] info = "ENCRYPT".getBytes(); - byte[] salt = new byte[hashLen]; - Arrays.fill(salt, (byte) 0); - - return HKDF(ALGO, mk, salt, info, hashLen, 1)[0]; - } - - public static Mac buildVerificationHash(byte[] authKey, byte[] AD, byte[] cipherText) throws GeneralSecurityException { - Mac mac = CryptoHelpers.HMAC256(authKey); - byte[] updatedParams = (AD == null) ? 
cipherText : Bytes.concat(AD, cipherText); - mac.update(updatedParams); - return mac; - } - - public static byte[] verifyCipherText(String ALGO, byte[] mk, byte[] cipherText, byte[] AD) throws Exception { - final int SHA256_DIGEST_LEN = 32; - - byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); - byte[] key = new byte[32]; - byte[] authenticationKey = new byte[32]; - byte[] iv = new byte[16]; - - System.arraycopy(hkdfOutput, 32, authenticationKey, 0, 32); - - byte[] macValue = new byte[SHA256_DIGEST_LEN]; - System.arraycopy(cipherText, cipherText.length - SHA256_DIGEST_LEN, - macValue, 0, SHA256_DIGEST_LEN); - - byte[] extractedCipherText = new byte[cipherText.length - SHA256_DIGEST_LEN]; - System.arraycopy(cipherText, 0, extractedCipherText, - 0, extractedCipherText.length); - - byte[] reconstructedMac = - buildVerificationHash(authenticationKey, AD, extractedCipherText) - .doFinal(); - if(Arrays.equals(macValue, reconstructedMac)) { - return extractedCipherText; - } - throw new Exception("Cipher signature verification failed"); - } - - public static byte[][] HKDF(String algo, byte[] ikm, byte[] salt, byte[] info, int len, int num) throws GeneralSecurityException { - if (num < 1) - num = 1; - - HKDF hkdf = algo.equals("HMACSHA512") ? HKDF.fromHmacSha512() : HKDF.fromHmacSha256(); - byte[] output = hkdf.extractAndExpand(salt, ikm, info, len * num); - byte[][] outputs = new byte[num][len]; - for (int i = 0; i < num; ++i) { - System.arraycopy(output, i * len, outputs[i], 0, len); - } - return outputs; - } - - public static Mac HMAC256(byte[] data) throws GeneralSecurityException { - String algorithm = "HmacSHA256"; - Mac hmacOutput = Mac.getInstance(algorithm); - SecretKey key = new SecretKeySpec(data, algorithm); - hmacOutput.init(key); - return hmacOutput; - } - - public static byte[] generateRandomBytes(int length) { - SecureRandom random = new SecureRandom(); - byte[] bytes = new byte[length]; - random.nextBytes(bytes); - return bytes; - } -} 
diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt deleted file mode 100644 index f73bd34..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt +++ /dev/null 
@@ -1,348 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.content.Context -import android.util.Base64 -import android.widget.Toast -import androidx.datastore.preferences.core.edit -import androidx.datastore.preferences.core.stringPreferencesKey -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.dataStore -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getEncryptedBinaryData -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getKeypairValues -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.saveBinaryDataEncrypted -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.setKeypairValues -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Headers -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Ratchets -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.States -import com.google.gson.Gson -import kotlinx.coroutines.CoroutineScope -import kotlinx.coroutines.Dispatchers -import kotlinx.coroutines.flow.Flow -import kotlinx.coroutines.flow.first -import kotlinx.coroutines.flow.map -import kotlinx.coroutines.launch -import kotlinx.coroutines.withContext -import kotlinx.serialization.Serializable - -object EncryptionController { - - @Serializable - enum class SecureRequestMode { - REQUEST_NONE, - REQUEST_REQUESTED, - REQUEST_RECEIVED, - REQUEST_ACCEPTED, - } - - enum class MessageRequestType(val code: Byte) { - TYPE_REQUEST(0x01.toByte()), - TYPE_ACCEPT(0x02.toByte()), - TYPE_MESSAGE(0x03.toByte()); - - companion object { - fun fromCode(code: Byte): MessageRequestType? = - entries.find { it.code == code } // Kotlin 1.9+, use values() before that - - fun fromMessage(message: ByteArray): MessageRequestType? 
= - entries.find { it.code == message[0] } // Kotlin 1.9+, use values() before that - } - } - - private fun extractRequestPublicKey( publicKey: ByteArray) : ByteArray { - val lenPubKey = publicKey[1].toInt() - return publicKey.drop(2).toByteArray() - } - - private fun extractMessage(data: ByteArray) : Pair { - val lenHeader = data[1].toInt() - val lenMessage = data[2].toInt() - val header = data.copyOfRange(3, 3 + lenHeader) - val message = data.copyOfRange(3 + lenHeader, (3 + lenHeader + lenMessage)) - return Pair(Headers.deSerializeHeader(header), message) - } - - @OptIn(ExperimentalUnsignedTypes::class) - private fun formatRequestPublicKey( - publicKey: ByteArray, - type: MessageRequestType - ) : ByteArray { - val mn = ubyteArrayOf(type.code.toUByte()) - val lenPubKey = ubyteArrayOf(publicKey.size.toUByte()) - - return (mn + lenPubKey).toByteArray() + publicKey - } - - @OptIn(ExperimentalUnsignedTypes::class) - private fun formatMessage( - header: Headers, - cipherText: ByteArray - ) : ByteArray { - val mn = ubyteArrayOf(MessageRequestType.TYPE_MESSAGE.code.toUByte()) - val lenHeader = ubyteArrayOf(header.serialized.size.toUByte()) - val lenMessage = ubyteArrayOf(cipherText.size.toUByte()) - - return (mn + lenHeader + lenMessage).toByteArray() + header.serialized + cipherText - } - - suspend fun sendRequest( - context: Context, - address: String, - mode: SecureRequestMode, - ): ByteArray { - try { - val publicKey = generateIdentityPublicKeys(context, address) - - var type: MessageRequestType? 
= null - val mode = when(mode) { - SecureRequestMode.REQUEST_RECEIVED -> { - type = MessageRequestType.TYPE_ACCEPT - SecureRequestMode.REQUEST_ACCEPTED - } - else -> { - type = MessageRequestType.TYPE_REQUEST - SecureRequestMode.REQUEST_REQUESTED - } - } - - context.setEncryptionModeStates(address, mode) - return formatRequestPublicKey(publicKey, type) - } catch (e: Exception) { - throw e - } - } - - suspend fun receiveRequest( - context: Context, - address: String, - publicKey: ByteArray, - ) : ByteArray? { - MessageRequestType.fromCode(publicKey[0])?.let { type -> - val publicKey = extractRequestPublicKey(publicKey) - try { - val mode = when(type) { - MessageRequestType.TYPE_REQUEST -> { - SecureRequestMode.REQUEST_RECEIVED - } - MessageRequestType.TYPE_ACCEPT -> { - context.removeEncryptionRatchetStates(address) - SecureRequestMode.REQUEST_ACCEPTED - } - else -> return null - } - context.setEncryptionModeStates( - address, - mode, - publicKey, - ) - } catch (e: Exception) { - throw e - } - return publicKey - } - - return null - } - - @Throws - private suspend fun generateIdentityPublicKeys( - context: Context, - address: String - ): ByteArray { - try { - val libSigCurve25519 = SecurityCurve25519() - val publicKey = libSigCurve25519.generateKey() - context.setKeypairValues(address, publicKey, libSigCurve25519.privateKey) - return publicKey - } catch (e: Exception) { - throw e - } - } - - @Throws - suspend fun decrypt( - context: Context, - address: String, - text: String - ): String? 
{ - - val data = Base64.decode(text, Base64.DEFAULT) - if(MessageRequestType.fromCode(data[0]) != MessageRequestType.TYPE_MESSAGE) - return null - - val payload = try { extractMessage(data) } catch(e: Exception) { - throw e - } - - val modeStates = context.getEncryptionModeStatesSync(address) - val publicKey = Gson().fromJson(modeStates, - SavedEncryptedModes::class.java).publicKey - - if(publicKey == null) { - CoroutineScope(Dispatchers.Main).launch { - Toast.makeText( - context, - context.getString(R.string.missing_public_key), - Toast.LENGTH_LONG).show() - } - return null - } - - val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) - - val keystore = address + "_ratchet_state" - val currentState = context.getEncryptedBinaryData(keystore) - - var state: States? - if(currentState == null) { - state = States() - val sk = context.calculateSharedSecret(address, publicKeyBytes) - val keypair = context.getKeypairValues(address) //public private - - Ratchets.ratchetInitBob( - state, - sk, - android.util.Pair(keypair.second, keypair.first) - ) - } - else state = States.deserialize(String(currentState)) - - val keypair = context.getKeypairValues(address) - var decryptedText: String? - try { - decryptedText = String(Ratchets.ratchetDecrypt( - state, - payload.first, - payload.second, - keypair.first - )) - context.saveBinaryDataEncrypted(keystore, - state.serialize().encodeToByteArray()) - } catch(e: Exception) { - throw e - } - return decryptedText - } - - @Throws - suspend fun encrypt( - context: Context, - address: String, - text: String - ) : String? 
{ - val modeStates = context.getEncryptionModeStatesSync(address) - val publicKey = Gson().fromJson(modeStates, - SavedEncryptedModes::class.java).publicKey - - if(publicKey == null) { - CoroutineScope(Dispatchers.Main).launch { - Toast.makeText( - context, - context.getString(R.string.missing_public_key), - Toast.LENGTH_LONG).show() - } - return null - } - - val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) - - val keystore = address + "_ratchet_state" - val currentState = context.getEncryptedBinaryData(keystore) - - var state: States? - if(currentState == null) { - state = States() - val sk = context.calculateSharedSecret(address, publicKeyBytes) - Ratchets.ratchetInitAlice(state, sk, publicKeyBytes) - } - else state = States.deserialize(String(currentState)) - - val ratchetOutput = Ratchets.ratchetEncrypt(state, - text.encodeToByteArray(), publicKeyBytes) - - return try { - val message = formatMessage( - ratchetOutput.first, - ratchetOutput.second - ) - context.saveBinaryDataEncrypted(keystore, - state.serialize().encodeToByteArray()) - Base64.encodeToString(message, Base64.DEFAULT) - } catch(e: Exception) { - throw e - } - } -} - -private suspend fun Context.calculateSharedSecret( - address: String, - publicKey: ByteArray -): ByteArray? { - val keypair = getKeypairValues(address) //public private - keypair.second?.let { privateKey -> - val libSigCurve25519 = SecurityCurve25519(privateKey) - return libSigCurve25519.calculateSharedSecret(publicKey) - } - return null -} - -data class SavedEncryptedModes( - var mode: EncryptionController.SecureRequestMode, - var publicKey: String? = null, -) - -private suspend fun Context.setEncryptionModeStates( - address: String, - mode: EncryptionController.SecureRequestMode, - publicKey: ByteArray? 
= null, -) { - val keyValue = stringPreferencesKey(address + "_mode_states") - dataStore.edit { secureComms -> - // Make a mutable copy of existing state - val currentState = secureComms[keyValue] ?: "" - val savedEncryptedModes = if(currentState.isNotEmpty()) Gson() - .fromJson(currentState, SavedEncryptedModes::class.java) - .apply { this.mode = mode } - else SavedEncryptedModes(mode = mode) - - publicKey?.let { publicKey -> - savedEncryptedModes.publicKey = - Base64.encodeToString(publicKey, Base64.DEFAULT) - } - - secureComms[keyValue] = Gson().toJson(savedEncryptedModes) - } -} - -suspend fun Context.removeEncryptionRatchetStates(address: String) { - val keyValue = stringPreferencesKey(address + "_ratchet_state") - dataStore.edit { secureComms -> - secureComms.remove(keyValue) - withContext(Dispatchers.Main) { - Toast.makeText( - this@removeEncryptionRatchetStates, - getString(R.string.ratchet_states_removed), - Toast.LENGTH_LONG).show() - } - } -} - -suspend fun Context.removeEncryptionModeStates(address: String) { - val keyValue = stringPreferencesKey(address + "_mode_states") - dataStore.edit { secureComms -> - secureComms.remove(keyValue) - } -} - -fun Context.getEncryptionRatchetStates(address: String): Flow { - val keyValue = stringPreferencesKey(address + "_ratchet_state") - return dataStore.data.map { it[keyValue] } -} - -suspend fun Context.getEncryptionModeStatesSync(address: String): String? { - val keyValue = stringPreferencesKey(address + "_mode_states") - return dataStore.data.first()[keyValue] -} - -fun Context.getEncryptionModeStates(address: String): Flow { - val keyValue = stringPreferencesKey(address + "_mode_states") - return dataStore.data.map { it[keyValue] } -} diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java deleted file mode 100644 index 30e47a1..0000000 
--- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java
+++ /dev/null
@@ -1,91 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet; - -import android.security.keystore.KeyProperties; - -import com.google.common.primitives.Bytes; - -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; - -import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.KeyGenerator; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.SecretKey; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; - -public class SecurityAES { - - public static final String DEFAULT_AES_ALGORITHM = "AES/CBC/PKCS5Padding"; - - public static final String ALGORITHM = "AES"; - - public static SecretKey generateSecretKey(int size) throws NoSuchAlgorithmException { - KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES); - keyGenerator.init(size); // Adjust key size as needed - return keyGenerator.generateKey(); - } - - public static byte[] encryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { - Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); - aesCipher.init(Cipher.ENCRYPT_MODE, secretKey); - byte[] cipherText = aesCipher.doFinal(data); - - final byte[] IV = aesCipher.getIV(); - byte[] cipherTextIv = new byte[IV.length + cipherText.length]; - System.arraycopy(IV, 0, cipherTextIv, 0, IV.length); - System.arraycopy(cipherText, 0, cipherTextIv, IV.length, cipherText.length); - return cipherTextIv; - } - - public static byte[] decryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException { - byte[] iv 
= new byte[12]; - System.arraycopy(data, 0, iv, 0, iv.length); - - byte[] _data = new byte[data.length - iv.length]; - System.arraycopy(data, iv.length, _data, 0, _data.length); - - GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(128,iv); - - Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); - aesCipher.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec); - return aesCipher.doFinal(_data); - } - - public static byte[] encryptAES256CBC(byte[] input, byte[] secretKey, byte[] iv) throws Throwable { - SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, 0, secretKey.length, "AES"); - - Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); - if(iv != null) { - IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); - cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec); - return cipher.doFinal(input); - } - - cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); - byte[] ciphertext = cipher.doFinal(input); - return Bytes.concat(cipher.getIV(), ciphertext); - } - - public static byte[] decryptAES256CBC(byte[] input, byte[] sharedKey, byte[] iv) throws Throwable { - SecretKeySpec secretKeySpec = new SecretKeySpec(sharedKey, ALGORITHM); - - Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); - if(iv == null) { - iv = new byte[16]; - System.arraycopy(input, 0, iv, 0, 16); - - byte[] content = new byte[input.length - 16]; - System.arraycopy(input, 16, content, 0, content.length); - input = content; - } - - IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); - cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec); - return cipher.doFinal(input); - } -} diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt deleted file mode 100644 index a4fc59c..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt +++ /dev/null 
@@ -1,118 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import com.github.netricecake.ecdh.Curve25519 - -class SecurityCurve25519(val privateKey: ByteArray = Curve25519.generateRandomKey()) { - fun generateKey(): ByteArray { - return Curve25519.publicKey(this.privateKey) - } - - private fun agreeWithAuthAndNonceImpl( - authenticationPublicKey: ByteArray?, - authenticationPrivateKey: ByteArray?, - publicKey: ByteArray, - salt: ByteArray, - info: ByteArray, - handshakeSalt: ByteArray, - privateKey: ByteArray? = null, - ): ByteArray { - val privateKey = privateKey ?: this.privateKey - val dh1 = if(authenticationPrivateKey == null) - Curve25519.sharedSecret(privateKey, authenticationPublicKey) - else - Curve25519.sharedSecret(authenticationPrivateKey, publicKey) - val dh2 = Curve25519.sharedSecret(privateKey, publicKey) - var ck = CryptoHelpers.HKDF( - "HMACSHA256", - handshakeSalt, - salt, - info, - 32, - 1 - )[0] - ck = CryptoHelpers.HKDF( - "HMACSHA256", - dh1, - ck, - info, - 32, - 1 - )[0] - return CryptoHelpers.HKDF( - "HMACSHA256", - dh2, - ck, - info, - 32, - 1 - )[0] - } - - fun agreeWithAuthAndNonce( - authenticationPublicKey: ByteArray?, - authenticationPrivateKey: ByteArray?, - headerPrivateKey: ByteArray, - nextHeaderPrivateKey: ByteArray, - publicKey: ByteArray, - headerPublicKey: ByteArray, - nextHeaderPublicKey: ByteArray, - salt: ByteArray, - nonce1: ByteArray, - nonce2: ByteArray, - info: ByteArray, - ): Triple { - val handshakeSalt = nonce1 + nonce2 - val headerInfo = "RelaySMS C2S DRHE v1".encodeToByteArray() - - val rootKey = agreeWithAuthAndNonceImpl( - authenticationPublicKey = authenticationPublicKey, - authenticationPrivateKey = authenticationPrivateKey, - publicKey = publicKey, - salt = salt, - info = info, - handshakeSalt = handshakeSalt, - ) - - val headerKey = agreeWithAuthAndNonceImpl( - authenticationPublicKey = authenticationPublicKey, - authenticationPrivateKey = authenticationPrivateKey, - publicKey = 
headerPublicKey, - salt = salt, - info = headerInfo, - handshakeSalt = handshakeSalt, - privateKey = headerPrivateKey - ) - - val nextHeaderKey = agreeWithAuthAndNonceImpl( - authenticationPublicKey = authenticationPublicKey, - authenticationPrivateKey = authenticationPrivateKey, - publicKey = nextHeaderPublicKey, - salt = salt, - info = headerInfo, - handshakeSalt = handshakeSalt, - privateKey = nextHeaderPrivateKey - ) - - return Triple(rootKey, headerKey, nextHeaderKey) - } - - fun calculateSharedSecret( - publicKey: ByteArray, - salt: ByteArray? = null, - info: ByteArray? = "x25591_key_exchange".encodeToByteArray(), - ): ByteArray { - val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) - return CryptoHelpers.HKDF( - "HMACSHA256", - sharedKey, - salt, - info, - 32, - 1 - )[0] - } - - fun getKeypair(): android.util.Pair { - return android.util.Pair(privateKey, generateKey()) - } -} \ No newline at end of file diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt deleted file mode 100644 index fa8112d..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt +++ /dev/null 
@@ -1,90 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.security.keystore.KeyGenParameterSpec -import android.security.keystore.KeyProperties -import java.security.InvalidAlgorithmParameterException -import java.security.InvalidKeyException -import java.security.KeyPairGenerator -import java.security.NoSuchAlgorithmException -import java.security.NoSuchProviderException -import java.security.PrivateKey -import java.security.PublicKey -import java.security.spec.MGF1ParameterSpec -import javax.crypto.BadPaddingException -import javax.crypto.Cipher -import javax.crypto.IllegalBlockSizeException -import javax.crypto.NoSuchPaddingException -import javax.crypto.spec.OAEPParameterSpec -import javax.crypto.spec.PSource - -object SecurityRSA { - var defaultEncryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA256 - var defaultDecryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA1 - - var encryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( - "SHA-256", "MGF1", defaultEncryptionDigest, - PSource.PSpecified.DEFAULT - ) - var decryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( - "SHA-256", "MGF1", defaultDecryptionDigest, - PSource.PSpecified.DEFAULT - ) - - @JvmStatic - @Throws( - NoSuchAlgorithmException::class, - NoSuchProviderException::class, - InvalidAlgorithmParameterException::class - ) - fun generateKeyPair(keystoreAlias: String, keySize: Int = 2048): PublicKey? 
{ - val kpg = KeyPairGenerator.getInstance( - KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore" - ) - kpg.initialize( - KeyGenParameterSpec.Builder( - keystoreAlias, - KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT - ) - .setKeySize(keySize) - .setDigests( - KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, - KeyProperties.DIGEST_SHA512 - ) - .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - .build() - ) - return kpg.generateKeyPair().public - } - - @JvmStatic - @Throws( - NoSuchPaddingException::class, - NoSuchAlgorithmException::class, - IllegalBlockSizeException::class, - BadPaddingException::class, - InvalidKeyException::class, - InvalidAlgorithmParameterException::class - ) - fun decrypt(privateKey: PrivateKey?, data: ByteArray?): ByteArray? { - val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - // cipher.init(Cipher.DECRYPT_MODE, privateKey, decryptionDigestParam); - cipher.init(Cipher.DECRYPT_MODE, privateKey) - return cipher.doFinal(data) - } - - @JvmStatic - @Throws( - NoSuchPaddingException::class, - NoSuchAlgorithmException::class, - IllegalBlockSizeException::class, - BadPaddingException::class, - InvalidKeyException::class, - InvalidAlgorithmParameterException::class - ) - fun encrypt(publicKey: PublicKey?, data: ByteArray?): ByteArray? { - val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - // cipher.init(Cipher.ENCRYPT_MODE, publicKey, encryptionDigestParam); - cipher.init(Cipher.ENCRYPT_MODE, publicKey) - return cipher.doFinal(data) - } -} diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt deleted file mode 100644 index fbc7020..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt +++ /dev/null 
@@ -1,146 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions - -import android.content.Context -import android.util.Base64 -import androidx.datastore.core.DataStore -import androidx.datastore.preferences.core.Preferences -import androidx.datastore.preferences.core.edit -import androidx.datastore.preferences.core.stringPreferencesKey -import androidx.datastore.preferences.core.stringSetPreferencesKey -import androidx.datastore.preferences.preferencesDataStore -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityRSA -import com.google.gson.Gson -import kotlinx.coroutines.flow.first -import java.io.IOException -import java.security.KeyPair -import java.security.KeyStore -import java.security.KeyStoreException -import java.security.NoSuchAlgorithmException -import java.security.UnrecoverableEntryException -import java.security.cert.CertificateException -import javax.crypto.spec.SecretKeySpec - -val Context.dataStore: DataStore by preferencesDataStore(name = "secure_comms") - -/** - * Pair - */ -suspend fun Context.getKeypairValues(address: String): Pair { - val keyValue = stringSetPreferencesKey(address + "_keypair") - val keypairSet = dataStore.data.first()[keyValue] - val encryptionPublicKey = getKeypairFromKeystore(address) - - val publicKey = SecurityRSA.decrypt( - encryptionPublicKey?.private, - Base64.decode(keypairSet?.elementAt(0), Base64.DEFAULT) - ) - val privateKey = SecurityRSA.decrypt( - encryptionPublicKey?.private, - Base64.decode(keypairSet?.elementAt(1), Base64.DEFAULT) - ) - return Pair(publicKey, privateKey) -} - -suspend fun Context.setKeypairValues( - address: String, - publicKey: ByteArray, - privateKey: ByteArray, -) { - val encryptionPublicKey = SecurityRSA.generateKeyPair(address) - - val keyValue = stringSetPreferencesKey(address + "_keypair") - dataStore.edit { secureComms-> - secureComms[keyValue] = setOf( - 
Base64.encodeToString(publicKey.run { - SecurityRSA.encrypt(encryptionPublicKey, this) - }, Base64.DEFAULT), - Base64.encodeToString(privateKey.run { - SecurityRSA.encrypt(encryptionPublicKey, this) - }, Base64.DEFAULT), - ) - } -} - -@Throws( - KeyStoreException::class, - CertificateException::class, - IOException::class, - NoSuchAlgorithmException::class, - UnrecoverableEntryException::class -) -fun Context.getKeypairFromKeystore(keystoreAlias: String): KeyPair? { - val keyStore = KeyStore.getInstance("AndroidKeyStore") - keyStore.load(null) - - val entry = keyStore.getEntry(keystoreAlias, null) - if (entry is KeyStore.PrivateKeyEntry) { - val privateKey = entry.privateKey - val publicKey = keyStore.getCertificate(keystoreAlias).publicKey - return KeyPair(publicKey, privateKey) - } - return null -} - -data class SavedBinaryData( - val key: ByteArray, - val algorithm: String, - val data: ByteArray, -) - -/** - * Would overwrite anything with the same Keystore Alias - */ -@Throws -suspend fun Context.saveBinaryDataEncrypted( - keystoreAlias: String, - data: ByteArray, -) : Boolean { - val keyValue = stringPreferencesKey(keystoreAlias) - - val aesGcmKey = SecurityAES.generateSecretKey(256) - val data = SecurityAES.encryptAESGCM(data, aesGcmKey) - -// val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias)?.public -// ?: SecurityRSA.generateKeyPair(keystoreAlias) - - var saved = false - dataStore.edit { secureComms-> - try { - val encryptionPublicKey = SecurityRSA.generateKeyPair(keystoreAlias) - SecurityRSA.encrypt(encryptionPublicKey, aesGcmKey.encoded)?.let { key -> - secureComms[keyValue] = Gson().toJson( - SavedBinaryData( - key = key, - algorithm = aesGcmKey.algorithm, - data = data - ) - ) - saved = true - } - } catch(e: Exception) { - throw e - } - } - return saved -} - -@Throws -suspend fun Context.getEncryptedBinaryData(keystoreAlias: String): ByteArray? 
{ - val keyValue = stringPreferencesKey(keystoreAlias) - val data = dataStore.data.first()[keyValue] ?: return null - - val savedBinaryData = Gson().fromJson(data, SavedBinaryData::class.java) - - return try { - val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias) - SecurityRSA.decrypt(encryptionPublicKey?.private, savedBinaryData.key) - ?.run { - SecurityAES.decryptAESGCM(savedBinaryData.data, - SecretKeySpec(this, savedBinaryData.algorithm) - ) - } - } catch(e: Exception) { - throw e - } -} diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.java deleted file mode 100644 index e238589..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.java +++ /dev/null 
@@ -1,76 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal; - -import android.util.Pair; - -import androidx.annotation.Nullable; - -import com.google.common.primitives.Bytes; - -import java.io.IOException; -import java.nio.ByteBuffer; -import java.nio.ByteOrder; -import java.security.NoSuchAlgorithmException; -import java.security.spec.InvalidKeySpecException; -import java.util.Arrays; - -public class Headers { - - public byte[] dh; - public int PN; - public int N; - - /** - * - * @param dhPair This is a public key - * @param PN - * @param N - */ - public Headers(Pair dhPair, int PN, int N) { - this.dh = dhPair.second; - this.PN = PN; - this.N = N; - } - - public Headers(byte[] dh, int PN, int N) { - this.dh = dh; - this.PN = PN; - this.N = N; - } - - public Headers() {} - - public static Headers deSerializeHeader(byte[] serializedHeader) throws NumberFormatException { - byte[] bytesPN = new byte[4]; - System.arraycopy(serializedHeader, 0, bytesPN, 0, 4); - int PN = ByteBuffer.wrap(bytesPN).order(ByteOrder.LITTLE_ENDIAN).getInt(); - - byte[] bytesN = new byte[4]; - System.arraycopy(serializedHeader, 4, bytesN, 0, 4); - int N = ByteBuffer.wrap(bytesN).order(ByteOrder.LITTLE_ENDIAN).getInt(); - - byte[] pubKey = new byte[serializedHeader.length - 8]; - System.arraycopy(serializedHeader, 8, pubKey, 0, pubKey.length); - - return new Headers(pubKey, PN, N); - } - - @Override - public boolean equals(@Nullable Object obj) { - if(obj instanceof Headers header) { - return Arrays.equals(header.dh, this.dh) && - header.PN == this.PN && - header.N == this.N; - } - return false; - } - - public byte[] getSerialized() throws IOException { - byte[] bytesPN = new byte[4]; - ByteBuffer.wrap(bytesPN).order(ByteOrder.LITTLE_ENDIAN).putInt(this.PN); - - byte[] bytesN = new byte[4]; - ByteBuffer.wrap(bytesN).order(ByteOrder.LITTLE_ENDIAN).putInt(this.N); - - return Bytes.concat(bytesPN, bytesN, this.dh); - } -} 
diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java
deleted file mode 100644
index 3776adc..0000000
--- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.java
+++ /dev/null
@@ -1,173 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal; - -import static com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers.buildVerificationHash; -import static com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers.getCipherMacParameters; -import static com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers.verifyCipherText; - -import android.util.Pair; - -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoHelpers; -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES; -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityCurve25519; -import com.google.common.primitives.Bytes; - -import java.io.IOException; -import java.security.GeneralSecurityException; -import java.util.ArrayList; - -import javax.crypto.Mac; - -/** - * This implementations are based on the signal protocols specifications. - * - * This are based on the recommended algorithms and parameters for the encryption - * and decryption. - * - * The goal for this would be to transform it into library which can be used across - * other SMS projects. - * - * ... 
- */ -public class Protocols { - final static int HKDF_LEN = 32; - final static String ALGO = "HMACSHA512"; - final static byte[] KDF_RK_HE_INFO = "RelaySMS C2S DR Ratchet v1".getBytes(); - - public static Pair GENERATE_DH() { - SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(); - return new Pair<>(securityCurve25519.getPrivateKey(), securityCurve25519.generateKey()); - } - - /** - * - * @param dhPair This private key (keypair required in Android if supported) - * @param peerPublicKey - * @return - * @throws GeneralSecurityException - * @throws IOException - * @throws InterruptedException - */ - public static byte[] DH_HE( - Pair dhPair, - byte[] peerPublicKey, - byte[] info - ) { - SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(dhPair.first); - return securityCurve25519.calculateSharedSecret( - peerPublicKey, - null, - info - ); - } - - /** - * - * @param dhPair This private key (keypair required in Android if supported) - * @param peerPublicKey - * @return - * @throws GeneralSecurityException - * @throws IOException - * @throws InterruptedException - */ - public static byte[] DH(Pair dhPair, byte[] peerPublicKey) { - SecurityCurve25519 securityCurve25519 = new SecurityCurve25519(dhPair.first); - return securityCurve25519.calculateSharedSecret( - peerPublicKey, - null, - "x25591_key_exchange".getBytes() - ); - } - - public static byte[][] KDF_RK_HE( - byte[] rk, - byte[] dhOut - ) throws GeneralSecurityException { - int numKeys = 3; - byte[] info = "SMSWithoutBorders DRHE v2".getBytes(); - return CryptoHelpers.HKDF(ALGO, dhOut, rk, info, HKDF_LEN, numKeys); - } - - public static Pair KDF_RK(byte[] rk, byte[] dhOut) throws GeneralSecurityException { - int numKeys = 2; - byte[] info = "KDF_RK".getBytes(); - byte[][] hkdfOutput = CryptoHelpers.HKDF(ALGO, dhOut, rk, info, HKDF_LEN, numKeys); - return new Pair<>(hkdfOutput[0], hkdfOutput[1]); - } - - public static Pair KDF_CK(byte[] ck) throws GeneralSecurityException { -// Mac mac = 
CryptoHelpers.HMAC512(ck); - Mac mac = CryptoHelpers.HMAC256(ck); - byte[] _ck = mac.doFinal(new byte[]{0x01}); - byte[] mk = mac.doFinal(new byte[]{0x02}); - return new Pair<>(_ck, mk); - } - - public static byte[] HENCRYPT( - byte[] mk, - byte[] plainText - ) throws Throwable { - byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); - byte[] key = new byte[32]; - byte[] authenticationKey = new byte[32]; - byte[] iv = new byte[16]; - - System.arraycopy(hkdfOutput, 0, key, 0, 32); - System.arraycopy(hkdfOutput, 32, authenticationKey, 0, 32); - System.arraycopy(hkdfOutput, 64, iv, 0, 16); - - byte[] cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv); - byte[] mac = buildVerificationHash(authenticationKey, null, cipherText).doFinal(); - return Bytes.concat(cipherText, mac); - } - - public static byte[] ENCRYPT(byte[] mk, byte[] plainText, byte[] associated_data) throws Throwable { - byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); - byte[] key = new byte[32]; - byte[] authenticationKey = new byte[32]; - byte[] iv = new byte[16]; - - System.arraycopy(hkdfOutput, 0, key, 0, 32); - System.arraycopy(hkdfOutput, 32, authenticationKey, 0, 32); - System.arraycopy(hkdfOutput, 64, iv, 0, 16); - - byte[] cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv); - byte[] mac = buildVerificationHash(authenticationKey, associated_data, cipherText).doFinal(); - return Bytes.concat(cipherText, mac); - } - - public static byte[] HDECRYPT( - byte[] mk, - byte[] cipherText - ) throws Throwable { - cipherText = verifyCipherText(ALGO, mk, cipherText, null); - - byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); - byte[] key = new byte[32]; - byte[] iv = new byte[16]; - System.arraycopy(hkdfOutput, 0, key, 0, 32); - System.arraycopy(hkdfOutput, 64, iv, 0, 16); - - return SecurityAES.decryptAES256CBC(cipherText, key, iv); - } - public static byte[] DECRYPT(byte[] mk, byte[] cipherText, byte[] associated_data) throws Throwable { - cipherText = verifyCipherText(ALGO, 
mk, cipherText, associated_data); - - byte[] hkdfOutput = getCipherMacParameters(ALGO, mk); - byte[] key = new byte[32]; - byte[] iv = new byte[16]; - System.arraycopy(hkdfOutput, 0, key, 0, 32); - System.arraycopy(hkdfOutput, 64, iv, 0, 16); - - return SecurityAES.decryptAES256CBC(cipherText, key, iv); - } - - public static byte[] CONCAT_HE(byte[] AD, byte[] headers) throws IOException { - return Bytes.concat(AD, headers); - } - - public static byte[] CONCAT(byte[] AD, Headers headers) throws IOException { - return Bytes.concat(AD, headers.getSerialized()); - } - -} - diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Ratchets.java b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Ratchets.java deleted file mode 100644 index 36e03cf..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Ratchets.java +++ /dev/null 
@@ -1,119 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal; - -import android.util.Pair; - -import java.io.IOException; -import java.security.GeneralSecurityException; -import java.util.Arrays; - -public class Ratchets { - public static final int MAX_SKIP = 100; - - /** - * - * @param state - * @param SK - * @param dhPublicKeyBob - * @throws GeneralSecurityException - * @throws IOException - * @throws InterruptedException - */ - public static void ratchetInitAlice(States state, - byte[] SK, - byte[] dhPublicKeyBob) throws GeneralSecurityException, IOException, InterruptedException { - state.DHs = Protocols.GENERATE_DH(); - state.DHr = dhPublicKeyBob; - byte[] dh_out = Protocols.DH(state.DHs, state.DHr); - Pair kdfRkOutput = Protocols.KDF_RK(SK, dh_out); - state.RK = kdfRkOutput.first; - state.CKs = kdfRkOutput.second; - } - - public static void ratchetInitBob(States state, byte[] SK, Pair dhKeyPairBob) { - state.DHs = dhKeyPairBob; - state.RK = SK; - } - - public static Pair ratchetEncrypt(States state, byte[] plainText, byte[] AD) throws Throwable { - Pair kdfCkOutput = Protocols.KDF_CK(state.CKs); - state.CKs = kdfCkOutput.first; - byte[] mk = kdfCkOutput.second; - Headers header = new Headers(state.DHs, state.PN, state.Ns); - state.Ns += 1; - - byte[] cipherText = Protocols.ENCRYPT(mk, plainText, Protocols.CONCAT(AD, header)); - return new Pair<>(header, cipherText); - } - - /** - * - * @param state - * @param header - * @param cipherText - * @param AD - * @return - * @throws Throwable - */ - public static byte[] ratchetDecrypt(States state, - Headers header, - byte[] cipherText, - byte[] AD) throws Throwable { - byte[] plainText = trySkippedMessageKeys(state, header, cipherText, AD); - if(plainText != null) - return plainText; - - if(state.DHr == null || !Arrays.equals(header.dh, state.DHr)) { - skipMessageKeys(state, header.PN); - DHRatchet(state, header); - } - skipMessageKeys(state, header.N); - Pair kdfCkOutput = 
Protocols.KDF_CK(state.CKr); - state.CKr = kdfCkOutput.first; - byte[] mk = kdfCkOutput.second; - state.Nr += 1; - return Protocols.DECRYPT(mk, cipherText, Protocols.CONCAT(AD, header)); - } - - private static void DHRatchet(States state, Headers header) throws GeneralSecurityException, IOException, InterruptedException { - state.PN = state.Ns; - state.Ns = 0; - state.Nr = 0; - state.DHr = header.dh; - byte[] dh_out = Protocols.DH(state.DHs, state.DHr); - Pair kdfRkOutput = Protocols.KDF_RK(state.RK, dh_out); - state.RK = kdfRkOutput.first; - state.CKr = kdfRkOutput.second; - - state.DHs = Protocols.GENERATE_DH(); - kdfRkOutput = Protocols.KDF_RK(state.RK, Protocols.DH(state.DHs, state.DHr)); - state.RK = kdfRkOutput.first; - state.CKs = kdfRkOutput.second; - } - - private static byte[] trySkippedMessageKeys(States state, Headers header, byte[] cipherText, byte[] AD) throws Throwable { - Pair mkSkippedKeys = new Pair<>(header.dh, header.N); - if(state.MKSKIPPED.containsKey(mkSkippedKeys)){ - byte[] mk = state.MKSKIPPED.get(mkSkippedKeys); - state.MKSKIPPED.remove(mkSkippedKeys); - return Protocols.DECRYPT(mk, cipherText, Protocols.CONCAT(AD, header)); - } - return null; - } - - private static void skipMessageKeys(States state, int until) throws Exception { - if((state.Nr + MAX_SKIP) < until) { - throw new Exception("MAX skip exceeded"); - } - - if(state.CKr != null) { - while(state.Nr < until) { - Pair kdfCkOutput = Protocols.KDF_CK(state.CKr); - state.CKr = kdfCkOutput.first; - byte[] mk = kdfCkOutput.second; - state.MKSKIPPED.put(new Pair<>(state.DHr, state.Nr), mk); - state.Nr +=1; - } - } - } - -} diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt deleted file mode 100644 index 8d93d95..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ /dev/null 
@@ -1,213 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import android.util.Pair -import androidx.core.util.component1 -import androidx.core.util.component2 -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.CONCAT_HE -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.DECRYPT -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.ENCRYPT -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.GENERATE_DH -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.HDECRYPT -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.HENCRYPT -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.KDF_CK -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols.KDF_RK_HE - -object RatchetsHE { - - const val MAX_SKIP: Int = 100 - - fun ratchetInitAlice( - state: States, - SK: ByteArray, - bobDhPublicKey: ByteArray, - sharedHka: ByteArray, - sharedNhkb: ByteArray, - ) { - state.DHRs = GENERATE_DH() - state.DHRr = bobDhPublicKey - - val kdfRkHEOutputs = KDF_RK_HE(SK, - Protocols.DH_HE( - state.DHRs, - state.DHRr, - Protocols.KDF_RK_HE_INFO - ) - ) - state.RK = kdfRkHEOutputs[0] - state.CKs = kdfRkHEOutputs[1] - state.NHKs = kdfRkHEOutputs[2] - - state.CKr = null - state.Ns = 0 - state.Nr = 0 - state.PN = 0 - state.MKSKIPPED = mutableMapOf() - state.HKs = sharedHka - state.HKr = null - state.NHKr = sharedNhkb - } - - fun ratchetInitBob( - state: States, - SK: ByteArray, - bobDhPublicKeypair: Pair, - sharedHka: ByteArray, - sharedNhkb: ByteArray, - ) { - state.DHRs = bobDhPublicKeypair - state.DHRr = null - state.RK = SK - state.CKs = null - state.CKr = null - state.Ns = 0 - state.Nr = 0 - state.PN = 0 - state.MKSKIPPED = mutableMapOf() - state.HKs = null - state.NHKs = sharedNhkb - state.HKr = null - state.NHKr = 
sharedHka - } - - fun ratchetEncrypt( - state: States, - plaintext: ByteArray, - AD: ByteArray, - ) : Pair { - val kdfCk = KDF_CK(state.CKs) - state.CKs = kdfCk.first - val mk = kdfCk.second - val header = Headers(state.DHRs, state.PN, state.Ns) - val encHeader = HENCRYPT(state.HKs, header.serialized) - state.Ns += 1 - return Pair(encHeader, - ENCRYPT(mk, plaintext, CONCAT_HE(AD, encHeader))) - } - - fun ratchetDecrypt( - state: States, - encHeader: ByteArray, - cipherText: ByteArray, - AD: ByteArray, - ): ByteArray { - val plaintext = trySkippedMessageKeys(state, encHeader, cipherText, AD) - if(plaintext != null) - return plaintext - - val (header, dhRatchet) = decryptHeader(state, encHeader) - if(dhRatchet) { - skipMessageKeys(state, header.PN) - DHRatchetHE(state, header) - } - - skipMessageKeys(state, header.N) - val kdfCk = KDF_CK(state.CKr) - state.CKr = kdfCk.first - val mk = kdfCk.second - state.Nr += 1 - return DECRYPT(mk, cipherText, CONCAT_HE(AD, encHeader)) - } - - private fun skipMessageKeys( - state: States, - until: Int, - ) { - if(state.Nr + MAX_SKIP < until) - throw Exception("MAX_SKIP Exceeded") - - state.CKr?.let{ - while(state.Nr < until) { - val kdfCk = KDF_CK(state.CKr) - state.CKr = kdfCk.first - val mk = kdfCk.second - state.MKSKIPPED[Pair(state.HKr, state.Nr)] = mk - state.Nr += 1 - } - } - } - - private fun trySkippedMessageKeys( - state: States, - encHeader: ByteArray, - ciphertext: ByteArray, - AD: ByteArray - ) : ByteArray? { - state.MKSKIPPED.forEach { - val hk = it.key.first - val n = it.key.second - val mk = it.value - - val header = HDECRYPT(hk, encHeader).run { - Headers.deSerializeHeader(this) - } - if(header != null && header.N == n) { - state.MKSKIPPED.remove(it.key) - return DECRYPT(mk, ciphertext, CONCAT_HE(AD, encHeader)) - } - } - - return null - } - - private fun decryptHeader( - state: States, - encHeader: ByteArray - ) : Pair { - var header: Headers? 
= null - try { - header = HDECRYPT(state.HKr, encHeader).run { - Headers.deSerializeHeader(this) - } - } catch(e: Exception) { - e.printStackTrace() - } - - header?.let { - return Pair(header, false) - } - - header = HDECRYPT(state.NHKr, encHeader).run { - Headers.deSerializeHeader(this) - } - header?.let { - return Pair(header, true) - } - throw Exception("Generic error decrypting header...") - } - - private fun DHRatchetHE( - state: States, - header: Headers - ) { - state.PN = state.Ns - state.Ns = 0 - state.Nr = 0 - state.HKs = state.NHKs - state.HKr = state.NHKr - state.DHRr = header.dh - - var kdfRkHEOutputs = KDF_RK_HE(state.RK, - Protocols.DH_HE( - state.DHRs, - state.DHRr, - Protocols.KDF_RK_HE_INFO - ) - ) - state.RK = kdfRkHEOutputs[0] - state.CKr = kdfRkHEOutputs[1] - state.NHKr = kdfRkHEOutputs[2] - - state.DHRs = GENERATE_DH() - - kdfRkHEOutputs = KDF_RK_HE(state.RK, - Protocols.DH_HE( - state.DHRs, - state.DHRr, - Protocols.KDF_RK_HE_INFO - ) - ) - state.RK = kdfRkHEOutputs[0] - state.CKs = kdfRkHEOutputs[1] - state.NHKs = kdfRkHEOutputs[2] - } -} \ No newline at end of file diff --git a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt deleted file mode 100644 index 79817ed..0000000 --- a/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt +++ /dev/null 
@@ -1,61 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import android.util.Pair -import kotlinx.serialization.json.Json - -data class States( - @JvmField - var DHs: Pair? = null, - - @JvmField - var DHr: ByteArray? = null, - - @JvmField - var RK: ByteArray? = null, - - @JvmField - var CKs: ByteArray? = null, - - @JvmField - var CKr: ByteArray? = null, - - @JvmField - var Ns: Int = 0, - - @JvmField - var Nr: Int = 0, - - @JvmField - var PN: Int = 0, - - @JvmField - var DHRs: Pair? = null, - - @JvmField - var DHRr: ByteArray? = null, - - @JvmField - var HKs: ByteArray? = null, - - @JvmField - var HKr: ByteArray? = null, - - @JvmField - var NHKs: ByteArray? = null, - - @JvmField - var NHKr: ByteArray? = null, - - @JvmField - var MKSKIPPED: MutableMap, ByteArray> = mutableMapOf() -) { - fun serialize(): String { - return Json.encodeToString(this) - } - - companion object { - fun deserialize(input: String): States { - return Json.decodeFromString(input) - } - } -} \ No newline at end of file diff --git a/src/main/res/values/strings.xml b/src/main/res/values/strings.xml deleted file mode 100644 index e8057bf..0000000 --- a/src/main/res/values/strings.xml +++ /dev/null @@ -1,5 +0,0 @@ - - SMSWithoutBorders DoubleRatchet LibSignal - Missing public key - Ratchet states removed - \ No newline at end of file From 955b5d0a9f32d4cd9f043e80b88779ac8571b6eb Mon Sep 17 00:00:00 2001 
From: sherlockwisdom Date: Sun, 12 Apr 2026 17:17:59 +0100 Subject: [PATCH 05/19] update: basic structure attained --- .gitignore | 39 +- double_ratchet/build.gradle | 27 +- .../SecurityAESTest.kt | 20 + .../SecurityRSATest.java | 54 +++ .../SecurityX25519Test.kt | 62 ++++ .../libsignal/HeadersTest.kt | 17 + .../libsignal/RatchetsTest.kt | 159 ++++++++ .../libsignal/StateTest.kt | 20 + double_ratchet/src/main/AndroidManifest.xml | 7 + .../libsignal_doubleratchet/CryptoUtils.kt | 35 ++ .../EncryptionController.kt | 348 ++++++++++++++++++ .../libsignal_doubleratchet/SecurityAES.java | 91 +++++ .../SecurityCurve25519.kt | 115 ++++++ .../libsignal_doubleratchet/SecurityRSA.kt | 90 +++++ .../extensions/context.kt | 154 ++++++++ .../libsignal/Headers.kt | 37 ++ .../libsignal/Protocols.kt | 175 +++++++++ .../libsignal/RatchetsHE.kt | 213 +++++++++++ .../libsignal/States.kt | 37 ++ .../src/main/res/values/strings.xml | 9 + gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 45457 bytes gradle/wrapper/gradle-wrapper.properties | 7 + gradlew | 251 +++++++++++++ gradlew.bat | 94 +++++ 24 files changed, 2046 insertions(+), 15 deletions(-) create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt create mode 100644 double_ratchet/src/main/AndroidManifest.xml 
create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt create mode 100644 double_ratchet/src/main/res/values/strings.xml create mode 100644 gradle/wrapper/gradle-wrapper.jar create mode 100644 gradle/wrapper/gradle-wrapper.properties create mode 100755 gradlew create mode 100644 gradlew.bat diff --git a/.gitignore b/.gitignore index 42afabf..dde283f 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1 +1,38 @@
-/build
\ No newline at end of file
+*.iml
+.gradle
+/local.properties
+/.idea/*
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+double_ratchet/build/*
+double_ratchet/build/
+double_ratchet/build
+/captures
+.externalNativeBuild
+.cxx
+*.aab
+*.apk
+local.properties
+keystore.properties
+*.jks
+ks.passwd
+venv/*
+/release.properties
+*.sw*
+gradle.properties
+*.tmp.sh
+*.logs
+/double_ratchet/.idea/.gitignore
+/double_ratchet/.ideadouble_ratchetInsightsSettings.xml
+/double_ratchet/.idea/caches/deviceStreaming.xml
+/double_ratchet/.idea/gradle.xml
+/double_ratchet/.idea/migrations.xml
+/double_ratchet/.idea/misc.xml
+/double_ratchet/.idea/runConfigurations.xml
+/double_ratchet/.idea/vcs.xml
\ No newline at end of file
diff --git a/double_ratchet/build.gradle b/double_ratchet/build.gradle
index d8fd260..aedd88b 100644
--- a/double_ratchet/build.gradle
+++ b/double_ratchet/build.gradle
@@ -45,30 +45,29 @@ android { dependencies { implementation fileTree(dir: 'libs', include: ['*.jar', "*.aar"]) - implementation 'androidx.appcompat:appcompat:1.7.0' - implementation 'com.google.guava:guava:33.4.8-jre' - implementation 'com.madgag.spongycastle:prov:1.58.0.0' + implementation 'androidx.appcompat:appcompat:1.7.1' + implementation 'com.google.guava:guava:33.5.0-jre' implementation 'org.conscrypt:conscrypt-android:2.5.3' - implementation 'androidx.core:core-ktx:1.13.1' + implementation 'androidx.core:core-ktx:1.18.0' testImplementation 'junit:junit:4.13.2' - androidTestImplementation 'androidx.test.ext:junit:1.2.1' - androidTestImplementation 'androidx.test.espresso:espresso-core:3.6.1' + androidTestImplementation 'androidx.test.ext:junit:1.3.0' + androidTestImplementation 'androidx.test.espresso:espresso-core:3.7.0' - implementation 'com.github.netricecake:x25519:2.0' - implementation 'com.google.code.gson:gson:2.11.0' + implementation 'com.google.code.gson:gson:2.13.2' implementation 'at.favre.lib:hkdf:2.0.0' - implementation "androidx.datastore:datastore-preferences:1.1.7" + implementation "androidx.datastore:datastore-preferences:1.2.1" // optional - RxJava2 support - implementation "androidx.datastore:datastore-preferences-rxjava2:1.1.7" + implementation "androidx.datastore:datastore-preferences-rxjava2:1.2.1" // optional - RxJava3 support - implementation "androidx.datastore:datastore-preferences-rxjava3:1.1.7" + implementation "androidx.datastore:datastore-preferences-rxjava3:1.2.1" - implementation "androidx.datastore:datastore-preferences-core:1.1.7" + implementation "androidx.datastore:datastore-preferences-core:1.2.1" - implementation 'com.google.code.gson:gson:2.11.0' - implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.9.0" + implementation 'com.google.code.gson:gson:2.13.2' + implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.11.0" + implementation("org.bouncycastle:bcprov-jdk18on:1.83") } 
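Review bot: `implementation 'com.google.code.gson:gson:2.13.2'` is declared twice in this dependencies block (after the espresso line and again just above kotlinx-serialization); the version bump carried the duplicate over, so the second line can be dropped. The new `implementation("org.bouncycastle:bcprov-jdk18on:1.83")` is the only entry in the parenthesised form; `implementation 'org.bouncycastle:bcprov-jdk18on:1.83'` would match the rest of the block. Since this replaces the Spongy Castle artifact, any code that looks a provider up by name should be checked: Android ships its own reduced provider under the name "BC", so passing a `BouncyCastleProvider` instance explicitly avoids silently getting the platform one. Whether the library does such a lookup is not visible in this hunk.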
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt
new file mode 100644
index 0000000..ced6619
--- /dev/null
+++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt
@@ -0,0 +1,20 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet
+
+import androidx.test.filters.SmallTest
+import org.junit.Assert.assertArrayEquals
+import org.junit.Test
+
+@SmallTest
+class SecurityAESTest {
+
+ @Test
+ fun aesTest() {
+ val secretKey = SecurityAES.generateSecretKey(256)
+
+ val input = CryptoUtils.generateRandomBytes(277)
+ val cipher = SecurityAES.encryptAES256CBC(input, secretKey.encoded, null)
+ val output = SecurityAES.decryptAES256CBC(cipher, secretKey.encoded, null)
+
+ assertArrayEquals(input, output)
+ }
+}
\ No newline at end of file
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java
new file mode 100644
index 0000000..98487f6
--- /dev/null
+++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java
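Review bot: `aesTest` only round-trips `encryptAES256CBC`/`decryptAES256CBC` with a `null` IV, so the call shape the ratchet code used (a derived 16-byte IV, as in the removed `Protocols.ENCRYPT`) is not covered, and a round trip alone would still pass if the cipher returned its input unchanged. Add `assertFalse(cipher.contentEquals(input))` and a second case that passes an explicit 16-byte IV to both calls. What a `null` IV means inside `SecurityAES` is not visible in this hunk; if it falls back to a fixed IV, that deserves a comment at the call site, because a fixed IV under CBC makes equal plaintext prefixes visible in the ciphertext.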
@@ -0,0 +1,54 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet; + + +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertEquals; + +import androidx.test.ext.junit.runners.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.UnrecoverableEntryException; +import java.security.cert.CertificateException; + +import javax.crypto.BadPaddingException; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; + +@RunWith(AndroidJUnit4.class) +public class SecurityRSATest { + + String keystoreAlias = "keystoreAlias"; + @Test + public void testCanStoreAndEncrypt() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, UnrecoverableEntryException, CertificateException, KeyStoreException, IOException { +// KeyPairGenerator kpg = KeyPairGenerator.getInstance( +// KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); +// +// kpg.initialize(new KeyGenParameterSpec.Builder(keystoreAlias, +// KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) +// .setKeySize(2048) +// .setDigests(KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, +// KeyProperties.DIGEST_SHA512) +// .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) +// .build()); +// +// KeyPair keyPair = kpg.generateKeyPair(); +// PublicKey publicKey = SecurityRSA.generateKeyPair(keystoreAlias, 2048); +// KeyPair keyPair = KeystoreHelpers.getKeyPairFromKeystore(keystoreAlias); +// 
+// SecretKey secretKey = SecurityAES.generateSecretKey(256); +// byte[] cipherText = SecurityRSA.encrypt(keyPair.getPublic(), secretKey.getEncoded()); +// byte[] plainText = SecurityRSA.decrypt(keyPair.getPrivate(), cipherText); +// assertArrayEquals(secretKey.getEncoded(), plainText); + } +} diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt new file mode 100644 index 0000000..b8fa7c2 --- /dev/null +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt 
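Review bot: `testCanStoreAndEncrypt` has its entire body commented out, so it passes without asserting anything and the report shows the RSA keystore round trip as covered when it is not. Either restore the assertions against the new `SecurityRSA` API or annotate the method with `@Ignore("RSA keystore round trip not ported yet")` so the gap is visible. The long `throws` clause and the imports that only the commented code needs can be removed with it.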
@@ -0,0 +1,62 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet
+
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import androidx.test.filters.SmallTest
+import org.junit.Assert.assertArrayEquals
+import org.junit.Test
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import java.security.Signature
+
+@SmallTest
+class SecurityX25519Test {
+ @Test
+ fun keystoreEd25519() {
+ val keystoreAlias = "keystoreAlias"
+ val kpg: KeyPairGenerator = KeyPairGenerator.getInstance(
+ KeyProperties.KEY_ALGORITHM_EC,
+ "AndroidKeyStore"
+ )
+ val parameterSpec: KeyGenParameterSpec = KeyGenParameterSpec.Builder(
+ keystoreAlias,
+ KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
+ ).run {
+ setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
+ build()
+ }
+
+ kpg.initialize(parameterSpec)
+ val kp = kpg.generateKeyPair()
+
+ val ks: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply {
+ load(null)
+ }
+ val entry: KeyStore.Entry = ks.getEntry(keystoreAlias, null)
+ if (entry !is KeyStore.PrivateKeyEntry) {
+ throw Exception("No instance of keystore")
+ }
+
+ val data = "Hello world".encodeToByteArray()
+ val signature: ByteArray = Signature.getInstance("SHA256withECDSA").run {
+ initSign(entry.privateKey)
+ update(data)
+ sign()
+ }
+
+ }
+
+ @Test
+ fun sharedSecret() {
+ val alice = SecurityCurve25519()
+ val bob = SecurityCurve25519()
+
+ val alicePubKey = alice.generateKey()
+ val bobPubKey = bob.generateKey()
+
+ val aliceSharedSecret = alice.calculateSharedSecret(bobPubKey)
+ val bobSharedSecret = bob.calculateSharedSecret(alicePubKey)
+
+ assertArrayEquals(aliceSharedSecret, bobSharedSecret)
+ }
+}
\ No newline at end of file
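Review bot: `keystoreEd25519` asserts nothing: `signature` is computed and discarded and `kp` is never read, so the test passes whenever no exception is thrown. It also generates a `KeyProperties.KEY_ALGORITHM_EC` key and signs with `SHA256withECDSA`, which is ECDSA rather than Ed25519 as the name claims. Rename it (for example `keystoreEcdsaSignAndVerify`) and close the loop with `Signature.getInstance("SHA256withECDSA").run { initVerify(entry.certificate); update(data); assertTrue(verify(signature)) }`. The key stays in AndroidKeyStore under the fixed alias `"keystoreAlias"` after the run; `ks.deleteEntry(keystoreAlias)` at the end keeps later runs independent.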
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt
new file mode 100644
index 0000000..744e6b9
--- /dev/null
+++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt
@@ -0,0 +1,17 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal
+
+import androidx.test.filters.SmallTest
+import junit.framework.TestCase.assertEquals
+import org.junit.Test
+import java.security.SecureRandom
+
+@SmallTest
+class HeadersTest {
+
+ @Test fun headersTest() {
+ val header = Headers(SecureRandom.getSeed(32), 0, 0)
+ val header1 = Headers.deserialize(header.serialized)
+
+ assertEquals(header, header1)
+ }
+}
\ No newline at end of file
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt
new file mode 100644
index 0000000..4cd94b0
--- /dev/null
+++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt
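Review bot: `headersTest` builds the header with both counters set to `0`, so a serializer that dropped, swapped or truncated them would still round-trip cleanly. Use distinct non-zero values, e.g. `Headers(SecureRandom.getSeed(32), 3, 7)`, and ideally one value above 127 to catch a signed-byte length or counter field. `assertEquals(header, header1)` also relies on `Headers.equals` comparing the key bytes by content; that class is outside this hunk, so confirm it does.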
@@ -0,0 +1,159 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import android.content.Context +import androidx.test.filters.SmallTest +import androidx.test.platform.app.InstrumentationRegistry +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityCurve25519 +import org.junit.Assert.assertArrayEquals +import org.junit.Test +import java.security.SecureRandom + +@SmallTest +class RatchetsTest { + var context: Context = + InstrumentationRegistry.getInstrumentation().targetContext + @Test + fun completeRatchetHETest() { + val aliceEphemeralKeyPair = SecurityCurve25519() + val aliceEphemeralHeaderKeyPair = SecurityCurve25519() + val aliceEphemeralNextHeaderKeyPair = SecurityCurve25519() + + val bobStaticKeyPair = SecurityCurve25519() + val bobEphemeralKeyPair = SecurityCurve25519() + val bobEphemeralHeaderKeyPair = SecurityCurve25519() + val bobEphemeralNextHeaderKeyPair = SecurityCurve25519() + + val aliceNonce = CryptoUtils.generateRandomBytes(16) + val bobNonce = CryptoUtils.generateRandomBytes(16) + + val (aliceSk, aliceSkH, aliceSkNh) = SecurityCurve25519(aliceEphemeralKeyPair.privateKey) + .agreeWithAuthAndNonce( + authenticationPublicKey = bobStaticKeyPair.generateKey(), + authenticationPrivateKey = null, + headerPrivateKey = aliceEphemeralHeaderKeyPair.privateKey, + nextHeaderPrivateKey = aliceEphemeralNextHeaderKeyPair.privateKey, + publicKey = bobEphemeralKeyPair.generateKey(), + headerPublicKey = bobEphemeralHeaderKeyPair.generateKey(), + nextHeaderPublicKey = bobEphemeralNextHeaderKeyPair.generateKey(), + salt = context.getString(R.string.dr_salt).encodeToByteArray(), + nonce1 = aliceNonce, + nonce2 = bobNonce, + info = context.getString(R.string.dr_info).encodeToByteArray() + ) + + val (bobSk, bobSkH, bobSkNh) = SecurityCurve25519(bobEphemeralKeyPair.privateKey) + 
.agreeWithAuthAndNonce( + authenticationPublicKey = null, + authenticationPrivateKey = bobStaticKeyPair.privateKey, + headerPrivateKey = bobEphemeralHeaderKeyPair.privateKey, + nextHeaderPrivateKey = bobEphemeralNextHeaderKeyPair.privateKey, + publicKey = aliceEphemeralKeyPair.generateKey(), + headerPublicKey = aliceEphemeralHeaderKeyPair.generateKey(), + nextHeaderPublicKey = aliceEphemeralNextHeaderKeyPair.generateKey(), + salt = context.getString(R.string.dr_salt).encodeToByteArray(), + nonce1 = aliceNonce, + nonce2 = bobNonce, + info = context.getString(R.string.dr_info).encodeToByteArray() + ) + + assertArrayEquals(aliceSk, bobSk) + assertArrayEquals(aliceSkH, bobSkH) + assertArrayEquals(aliceSkNh, bobSkNh) + + val aliceState = States() + RatchetsHE.ratchetInitAlice( + state = aliceState, + SK = aliceSk, + bobDhPublicKey = bobEphemeralKeyPair.generateKey(), + sharedHka = aliceSkH, + sharedNhkb = aliceSkNh + ) + + val bobState = States() + RatchetsHE.ratchetInitBob( + state = bobState, + SK = bobSk, + bobDhPublicKeypair = bobEphemeralKeyPair.getKeypair(), + sharedHka = bobSkH, + sharedNhkb = bobSkNh + ) + + val originalText = SecureRandom.getSeed(32); + val (encHeader, aliceCipherText) = RatchetsHE.ratchetEncrypt( + aliceState, + originalText, + bobStaticKeyPair.generateKey() + ) + + var encHeader1: ByteArray? = null + var aliceCipherText1: ByteArray? 
= null + for(i in 1..10) { + val (encHeader2, aliceCipherText2) = RatchetsHE.ratchetEncrypt( + aliceState, + originalText, + bobStaticKeyPair.generateKey() + ) + encHeader1 = encHeader2 + aliceCipherText1 = aliceCipherText2 + } + + val bobPlainText = RatchetsHE.ratchetDecrypt( + state = bobState, + encHeader = encHeader, + cipherText = aliceCipherText, + AD = bobStaticKeyPair.generateKey() + ) + + val bobPlainText1 = RatchetsHE.ratchetDecrypt( + state = bobState, + encHeader = encHeader1!!, + cipherText = aliceCipherText1!!, + AD = bobStaticKeyPair.generateKey() + ) + + assertArrayEquals(originalText, bobPlainText) + assertArrayEquals(originalText, bobPlainText1) + } + + @Test + fun completeRatchetTest() { + val alice = SecurityCurve25519() + val bob = SecurityCurve25519() + + val SK = alice.calculateSharedSecret(bob.generateKey()) + val SK1 = bob.calculateSharedSecret(alice.generateKey()) + assertArrayEquals(SK, SK1) + + val aliceState = States() + Ratchets.ratchetInitAlice(aliceState, SK, bob.generateKey()) + + val bobState = States() + Ratchets.ratchetInitBob(bobState, SK, bob.getKeypair()) + + val originalText = SecureRandom.getSeed(32); + val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, + bob.generateKey()) + + var header1: Headers? = null + var aliceCipherText1: ByteArray? = null + for(i in 1..10) { + val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, + bob.generateKey()) + header1 = header + aliceCipherText1 = aliceCipherText + } + + val bobPlainText = Ratchets.ratchetDecrypt(bobState, header, aliceCipherText, + bob.generateKey()) + + val bobPlainText1 = Ratchets.ratchetDecrypt(bobState, header1, aliceCipherText1, + bob.generateKey()) + println(bobState.serialize()) + + assertArrayEquals(originalText, bobPlainText) + assertArrayEquals(originalText, bobPlainText1) + } +} + 
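Review bot: `println(bobState.serialize())` in `completeRatchetTest` writes the whole serialized ratchet state to the test output, which presumably includes the root and chain keys; remove the line or assert on the specific fields of interest instead. Both tests send only Alice to Bob and decrypt the first and the last message, so the keys skipped for the messages in between are stored but never consumed and no DH ratchet step in the reverse direction runs. Adding a Bob to Alice reply and an out-of-order decrypt of one skipped message would cover those paths. `completeRatchetTest` also calls `Ratchets`, which is not among the files this commit's diffstat creates, so confirm the class still exists on this branch.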
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt new file mode 100644 index 0000000..42c254e --- /dev/null +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt @@ -0,0 +1,20 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import androidx.test.filters.SmallTest +import junit.framework.TestCase.assertEquals +import kotlinx.serialization.json.Json +import org.junit.Test +import java.security.SecureRandom + +@SmallTest +class StateTest { + + @Test fun testStates() { + val state = States() + state.DHs = android.util.Pair(SecureRandom.getSeed(32), + SecureRandom.getSeed(32)) + val serializedStates = Json.encodeToString(state) + val deserializedStates = Json.decodeFromString(serializedStates) + assertEquals(state, deserializedStates) + } +} \ No newline at end of file diff --git a/double_ratchet/src/main/AndroidManifest.xml b/double_ratchet/src/main/AndroidManifest.xml new file mode 100644 index 0000000..7b53da6 --- /dev/null +++ b/double_ratchet/src/main/AndroidManifest.xml @@ -0,0 +1,7 @@ + + + + + + \ No newline at end of file diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt new file mode 100644 index 0000000..8060e1d --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt 
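Review bot: `testStates` round-trips a `States` with only `DHs` populated, so the fields most likely to break under JSON serialization (the nullable byte-array keys and any skipped-message-key map) are never exercised. Fill in at least one chain key and one skipped-key entry before encoding, assuming the new `States` keeps those fields; its definition is outside this hunk. The final `assertEquals` depends on `States.equals` comparing byte arrays by content, which a plain data class does not do by default, so that is worth confirming too.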
@@ -0,0 +1,35 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet
+
+import at.favre.lib.hkdf.HKDF
+import com.google.common.primitives.Bytes
+import java.security.GeneralSecurityException
+import java.security.SecureRandom
+import javax.crypto.Mac
+import javax.crypto.SecretKey
+import javax.crypto.spec.SecretKeySpec
+
+object CryptoUtils {
+ fun hkdf(
+ ikm: ByteArray,
+ salt: ByteArray?,
+ info: ByteArray?,
+ len: Int,
+ ): ByteArray {
+ return HKDF.fromHmacSha512()
+ .extractAndExpand(
+ salt,
+ ikm,
+ info,
+ len
+ )
+ }
+
+ fun hmac(data: ByteArray?): Mac {
+ val algorithm = "HmacSHA512"
+ val output = Mac.getInstance(algorithm)
+ val key: SecretKey = SecretKeySpec(data, algorithm)
+ output.init(key)
+ return output
+ }
+
+}
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt
new file mode 100644
index 0000000..a72bed4
--- /dev/null
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt
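Review bot: `CryptoUtils` as added here defines only `hkdf` and `hmac`, yet `SecurityAESTest` and `RatchetsTest` in this same commit call `CryptoUtils.generateRandomBytes(...)`, and the `SecureRandom`, `Bytes` and `GeneralSecurityException` imports are unused, which suggests the helper was lost in the move. Unless it is supplied elsewhere, add `fun generateRandomBytes(length: Int): ByteArray = ByteArray(length).also { SecureRandom().nextBytes(it) }` and drop the imports that stay unused. In `hmac`, the parameter named `data` is actually the MAC key and is typed `ByteArray?` although `SecretKeySpec` throws on a null key; `fun hmac(key: ByteArray): Mac` states the contract and turns the null case into a compile-time error. A short KDoc on `hkdf` noting that it is HKDF over HMAC-SHA512 and that a `null` salt is allowed would help callers pick `len` and salts deliberately.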
@@ -0,0 +1,348 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet + +import android.content.Context +import android.util.Base64 +import android.widget.Toast +import androidx.datastore.preferences.core.edit +import androidx.datastore.preferences.core.stringPreferencesKey +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.dataStore +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getEncryptedBinaryData +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getKeypairValues +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.saveBinaryDataEncrypted +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.setKeypairValues +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Headers +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Ratchets +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.States +import com.google.gson.Gson +import kotlinx.coroutines.CoroutineScope +import kotlinx.coroutines.Dispatchers +import kotlinx.coroutines.flow.Flow +import kotlinx.coroutines.flow.first +import kotlinx.coroutines.flow.map +import kotlinx.coroutines.launch +import kotlinx.coroutines.withContext +import kotlinx.serialization.Serializable + +object EncryptionController { + + @Serializable + enum class SecureRequestMode { + REQUEST_NONE, + REQUEST_REQUESTED, + REQUEST_RECEIVED, + REQUEST_ACCEPTED, + } + + enum class MessageRequestType(val code: Byte) { + TYPE_REQUEST(0x01.toByte()), + TYPE_ACCEPT(0x02.toByte()), + TYPE_MESSAGE(0x03.toByte()); + + companion object { + fun fromCode(code: Byte): MessageRequestType? = + entries.find { it.code == code } // Kotlin 1.9+, use values() before that + + fun fromMessage(message: ByteArray): MessageRequestType? 
= + entries.find { it.code == message[0] } // Kotlin 1.9+, use values() before that + } + } + + private fun extractRequestPublicKey( publicKey: ByteArray) : ByteArray { + val lenPubKey = publicKey[1].toInt() + return publicKey.drop(2).toByteArray() + } + + private fun extractMessage(data: ByteArray) : Pair { + val lenHeader = data[1].toInt() + val lenMessage = data[2].toInt() + val header = data.copyOfRange(3, 3 + lenHeader) + val message = data.copyOfRange(3 + lenHeader, (3 + lenHeader + lenMessage)) + return Pair(Headers.deserialize(header), message) + } + + @OptIn(ExperimentalUnsignedTypes::class) + private fun formatRequestPublicKey( + publicKey: ByteArray, + type: MessageRequestType + ) : ByteArray { + val mn = ubyteArrayOf(type.code.toUByte()) + val lenPubKey = ubyteArrayOf(publicKey.size.toUByte()) + + return (mn + lenPubKey).toByteArray() + publicKey + } + + @OptIn(ExperimentalUnsignedTypes::class) + private fun formatMessage( + header: Headers, + cipherText: ByteArray + ) : ByteArray { + val mn = ubyteArrayOf(MessageRequestType.TYPE_MESSAGE.code.toUByte()) + val lenHeader = ubyteArrayOf(header.serialized.size.toUByte()) + val lenMessage = ubyteArrayOf(cipherText.size.toUByte()) + + return (mn + lenHeader + lenMessage).toByteArray() + header.serialized + cipherText + } + + suspend fun sendRequest( + context: Context, + address: String, + mode: SecureRequestMode, + ): ByteArray { + try { + val publicKey = generateIdentityPublicKeys(context, address) + + var type: MessageRequestType? 
= null + val mode = when(mode) { + SecureRequestMode.REQUEST_RECEIVED -> { + type = MessageRequestType.TYPE_ACCEPT + SecureRequestMode.REQUEST_ACCEPTED + } + else -> { + type = MessageRequestType.TYPE_REQUEST + SecureRequestMode.REQUEST_REQUESTED + } + } + + context.setEncryptionModeStates(address, mode) + return formatRequestPublicKey(publicKey, type) + } catch (e: Exception) { + throw e + } + } + + suspend fun receiveRequest( + context: Context, + address: String, + publicKey: ByteArray, + ) : ByteArray? { + MessageRequestType.fromCode(publicKey[0])?.let { type -> + val publicKey = extractRequestPublicKey(publicKey) + try { + val mode = when(type) { + MessageRequestType.TYPE_REQUEST -> { + SecureRequestMode.REQUEST_RECEIVED + } + MessageRequestType.TYPE_ACCEPT -> { + context.removeEncryptionRatchetStates(address) + SecureRequestMode.REQUEST_ACCEPTED + } + else -> return null + } + context.setEncryptionModeStates( + address, + mode, + publicKey, + ) + } catch (e: Exception) { + throw e + } + return publicKey + } + + return null + } + + @Throws + private suspend fun generateIdentityPublicKeys( + context: Context, + address: String + ): ByteArray { + try { + val libSigCurve25519 = SecurityCurve25519() + val publicKey = libSigCurve25519.generateKey() + context.setKeypairValues(address, publicKey, libSigCurve25519.privateKey) + return publicKey + } catch (e: Exception) { + throw e + } + } + + @Throws + suspend fun decrypt( + context: Context, + address: String, + text: String + ): String? 
{ + + val data = Base64.decode(text, Base64.DEFAULT) + if(MessageRequestType.fromCode(data[0]) != MessageRequestType.TYPE_MESSAGE) + return null + + val payload = try { extractMessage(data) } catch(e: Exception) { + throw e + } + + val modeStates = context.getEncryptionModeStatesSync(address) + val publicKey = Gson().fromJson(modeStates, + SavedEncryptedModes::class.java).publicKey + + if(publicKey == null) { + CoroutineScope(Dispatchers.Main).launch { + Toast.makeText( + context, + context.getString(R.string.missing_public_key), + Toast.LENGTH_LONG).show() + } + return null + } + + val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) + + val keystore = address + "_ratchet_state" + val currentState = context.getEncryptedBinaryData(keystore) + + var state: States? + if(currentState == null) { + state = States() + val sk = context.calculateSharedSecret(address, publicKeyBytes) + val keypair = context.getKeypairValues(address) //public private + + Ratchets.ratchetInitBob( + state, + sk, + android.util.Pair(keypair.second, keypair.first) + ) + } + else state = States.deserialize(String(currentState)) + + val keypair = context.getKeypairValues(address) + var decryptedText: String? + try { + decryptedText = String(Ratchets.ratchetDecrypt( + state, + payload.first, + payload.second, + keypair.first + )) + context.saveBinaryDataEncrypted(keystore, + state.serialize().encodeToByteArray()) + } catch(e: Exception) { + throw e + } + return decryptedText + } + + @Throws + suspend fun encrypt( + context: Context, + address: String, + text: String + ) : String? 
{ + val modeStates = context.getEncryptionModeStatesSync(address) + val publicKey = Gson().fromJson(modeStates, + SavedEncryptedModes::class.java).publicKey + + if(publicKey == null) { + CoroutineScope(Dispatchers.Main).launch { + Toast.makeText( + context, + context.getString(R.string.missing_public_key), + Toast.LENGTH_LONG).show() + } + return null + } + + val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) + + val keystore = address + "_ratchet_state" + val currentState = context.getEncryptedBinaryData(keystore) + + var state: States? + if(currentState == null) { + state = States() + val sk = context.calculateSharedSecret(address, publicKeyBytes) + Ratchets.ratchetInitAlice(state, sk, publicKeyBytes) + } + else state = States.deserialize(String(currentState)) + + val ratchetOutput = Ratchets.ratchetEncrypt(state, + text.encodeToByteArray(), publicKeyBytes) + + return try { + val message = formatMessage( + ratchetOutput.first, + ratchetOutput.second + ) + context.saveBinaryDataEncrypted(keystore, + state.serialize().encodeToByteArray()) + Base64.encodeToString(message, Base64.DEFAULT) + } catch(e: Exception) { + throw e + } + } +} + +private suspend fun Context.calculateSharedSecret( + address: String, + publicKey: ByteArray +): ByteArray? { + val keypair = getKeypairValues(address) //public private + keypair.second?.let { privateKey -> + val libSigCurve25519 = SecurityCurve25519(privateKey) + return libSigCurve25519.calculateSharedSecret(publicKey) + } + return null +} + +data class SavedEncryptedModes( + var mode: EncryptionController.SecureRequestMode, + var publicKey: String? = null, +) + +private suspend fun Context.setEncryptionModeStates( + address: String, + mode: EncryptionController.SecureRequestMode, + publicKey: ByteArray? 
= null, +) { + val keyValue = stringPreferencesKey(address + "_mode_states") + dataStore.edit { secureComms -> + // Make a mutable copy of existing state + val currentState = secureComms[keyValue] ?: "" + val savedEncryptedModes = if(currentState.isNotEmpty()) Gson() + .fromJson(currentState, SavedEncryptedModes::class.java) + .apply { this.mode = mode } + else SavedEncryptedModes(mode = mode) + + publicKey?.let { publicKey -> + savedEncryptedModes.publicKey = + Base64.encodeToString(publicKey, Base64.DEFAULT) + } + + secureComms[keyValue] = Gson().toJson(savedEncryptedModes) + } +} + +suspend fun Context.removeEncryptionRatchetStates(address: String) { + val keyValue = stringPreferencesKey(address + "_ratchet_state") + dataStore.edit { secureComms -> + secureComms.remove(keyValue) + withContext(Dispatchers.Main) { + Toast.makeText( + this@removeEncryptionRatchetStates, + getString(R.string.ratchet_states_removed), + Toast.LENGTH_LONG).show() + } + } +} + +suspend fun Context.removeEncryptionModeStates(address: String) { + val keyValue = stringPreferencesKey(address + "_mode_states") + dataStore.edit { secureComms -> + secureComms.remove(keyValue) + } +} + +fun Context.getEncryptionRatchetStates(address: String): Flow { + val keyValue = stringPreferencesKey(address + "_ratchet_state") + return dataStore.data.map { it[keyValue] } +} + +suspend fun Context.getEncryptionModeStatesSync(address: String): String? { + val keyValue = stringPreferencesKey(address + "_mode_states") + return dataStore.data.first()[keyValue] +} + +fun Context.getEncryptionModeStates(address: String): Flow { + val keyValue = stringPreferencesKey(address + "_mode_states") + return dataStore.data.map { it[keyValue] } +} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java new file mode 100644 index 0000000..30e47a1 --- /dev/null 
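Review bot: The one-byte length fields in `formatMessage`/`extractMessage` do not round-trip: `cipherText.size.toUByte()` silently truncates any ciphertext longer than 255 bytes, and `data[1].toInt()` / `data[2].toInt()` sign-extend, so a length above 127 becomes negative and `copyOfRange` throws. Since `data` comes from a received message, I would read the lengths as `data[1].toInt() and 0xFF`, add `require(data.size >= 3 + lenHeader + lenMessage)`, and either reject oversize ciphertext in `formatMessage` or widen the length field. `extractRequestPublicKey` has the same pattern: it reads `lenPubKey` but never uses it, and `receiveRequest` and `decrypt` index `[0]` without checking for an empty array. Separately, the `catch (e: Exception) { throw e }` wrappers do nothing and can be dropped.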
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java 
@@ -0,0 +1,91 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet; + +import android.security.keystore.KeyProperties; + +import com.google.common.primitives.Bytes; + +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.KeyGenerator; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.spec.GCMParameterSpec; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +public class SecurityAES { + + public static final String DEFAULT_AES_ALGORITHM = "AES/CBC/PKCS5Padding"; + + public static final String ALGORITHM = "AES"; + + public static SecretKey generateSecretKey(int size) throws NoSuchAlgorithmException { + KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES); + keyGenerator.init(size); // Adjust key size as needed + return keyGenerator.generateKey(); + } + + public static byte[] encryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); + aesCipher.init(Cipher.ENCRYPT_MODE, secretKey); + byte[] cipherText = aesCipher.doFinal(data); + + final byte[] IV = aesCipher.getIV(); + byte[] cipherTextIv = new byte[IV.length + cipherText.length]; + System.arraycopy(IV, 0, cipherTextIv, 0, IV.length); + System.arraycopy(cipherText, 0, cipherTextIv, IV.length, cipherText.length); + return cipherTextIv; + } + + public static byte[] decryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException { + byte[] iv 
= new byte[12]; + System.arraycopy(data, 0, iv, 0, iv.length); + + byte[] _data = new byte[data.length - iv.length]; + System.arraycopy(data, iv.length, _data, 0, _data.length); + + GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(128,iv); + + Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); + aesCipher.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec); + return aesCipher.doFinal(_data); + } + + public static byte[] encryptAES256CBC(byte[] input, byte[] secretKey, byte[] iv) throws Throwable { + SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, 0, secretKey.length, "AES"); + + Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); + if(iv != null) { + IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); + cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec); + return cipher.doFinal(input); + } + + cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); + byte[] ciphertext = cipher.doFinal(input); + return Bytes.concat(cipher.getIV(), ciphertext); + } + + public static byte[] decryptAES256CBC(byte[] input, byte[] sharedKey, byte[] iv) throws Throwable { + SecretKeySpec secretKeySpec = new SecretKeySpec(sharedKey, ALGORITHM); + + Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); + if(iv == null) { + iv = new byte[16]; + System.arraycopy(input, 0, iv, 0, 16); + + byte[] content = new byte[input.length - 16]; + System.arraycopy(input, 16, content, 0, content.length); + input = content; + } + + IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); + cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec); + return cipher.doFinal(input); + } +} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt new file mode 100644 index 0000000..9f3bc28 --- /dev/null 
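Review bot: `decryptAESGCM` copies a fixed 12-byte IV out of `data` with no length check, so input shorter than 12 bytes fails with an array-bounds exception instead of one of the declared crypto exceptions; `decryptAES256CBC` does the same with 16 bytes when `iv` is null. A guard such as `if (data.length < 12 + 16) throw new IllegalArgumentException("ciphertext too short");` (IV plus the 128-bit tag) at the top of `decryptAESGCM` makes the failure explicit. The 12 is also only an assumption about what `aesCipher.getIV()` returned on the encrypt side, so a named constant shared by both methods, with a comment giving the layout `IV || ciphertext || tag`, would document the format. `throws Throwable` on the CBC methods hides which failures callers should handle; the GCM methods already list theirs.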
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt 
@@ -0,0 +1,115 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet + +import android.content.Context +import android.util.Pair +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols +import org.bouncycastle.crypto.AsymmetricCipherKeyPair +import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.EphemeralKeyPair +import org.bouncycastle.math.ec.custom.djb.Curve25519 + + +class SecurityCurve25519(context: Context) : Protocols(context) { + + private fun generateKey( + ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationPublicKey: CipherParameters, + ephemeralPublicKey: CipherParameters, + salt: ByteArray, + info: ByteArray, + handshakeSalt: ByteArray, + ) { + val dh1 = dh(ephemeralKeyPair, authenticationPublicKey) + val dh2 = dh(ephemeralKeyPair, ephemeralPublicKey) + return CryptoUtils.hkdf( + handshakeSalt, + salt, + info, + 32, + ).run { + CryptoUtils.hkdf( + dh1, + this, + info, + 32, + ).run { + CryptoUtils.hkdf( + dh2, + this, + info, + 32, + ) + } + } + } + + fun agreeWithAuthAndNonce( + e: AsymmetricCipherKeyPair, + s: CipherParameters, + he: CipherParameters, + hne: CipherParameters, + salt: ByteArray, + nonce1: ByteArray, + nonce2: ByteArray, + info: ByteArray, + hInfo: ByteArray, + ): Triple { + val handshakeSalt = nonce1 + nonce2 + val rootKey = generateKey( + ephemeralKeyPair = ephemeralKeyPair, + authenticationPublicKey = authenticationPublicKey, + publicKey = TODO(), + salt = TODO(), + info = TODO(), + handshakeSalt = TODO() + ) + + val headerKey = agreeWithAuthAndNonceImpl( + authenticationPublicKey = authenticationPublicKey, + authenticationPrivateKey = authenticationPrivateKey, + publicKey = headerPublicKey, + salt = salt, + info = headerInfo, + handshakeSalt = handshakeSalt, + privateKey = headerPrivateKey + ) + + val nextHeaderKey = agreeWithAuthAndNonceImpl( + authenticationPublicKey = authenticationPublicKey, + authenticationPrivateKey = authenticationPrivateKey, + publicKey 
= nextHeaderPublicKey, + salt = salt, + info = headerInfo, + handshakeSalt = handshakeSalt, + privateKey = nextHeaderPrivateKey + ) + + return Triple(rootKey, headerKey, nextHeaderKey) + } + + fun calculateSharedSecret( + publicKey: ByteArray, + ): ByteArray { + return Curve25519.sharedSecret(this.privateKey, publicKey) + } + + fun calculateSharedSecret( + publicKey: ByteArray, + salt: ByteArray? = null, + info: ByteArray? = "x25591_key_exchange".encodeToByteArray(), + ): ByteArray { + val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) + return CryptoUtils.hkdf( + "HMACSHA256", + sharedKey, + salt, + info, + 32, + 1 + )[0] + } + + fun getKeypair(): Pair { + return Pair(privateKey, generateKey()) + } +} \ No newline at end of file diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt new file mode 100644 index 0000000..fa8112d --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt 
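Review bot: This class looks unfinished and, as far as the hunk shows, cannot derive a key: `agreeWithAuthAndNonce` passes `TODO()` for `salt`, `info` and `handshakeSalt` (which throws NotImplementedError when reached), ignores its own parameters `e`, `s`, `he` and `hne`, and calls `agreeWithAuthAndNonceImpl`, which is not defined in this file. `generateKey` declares no return type yet returns the HKDF output, and `calculateSharedSecret` calls `CryptoUtils.hkdf("HMACSHA256", …, 32, 1)[0]`, which does not match the four-argument `hkdf(ikm, salt, info, len)` added in this same commit. I would keep key-agreement code out of the branch until it compiles and has a known-answer test. Also check the HKDF label `"x25591_key_exchange"`: it reads like a typo for x25519, and because the label is part of the derivation it has to be settled before any peer depends on it.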
@@ -0,0 +1,90 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet + +import android.security.keystore.KeyGenParameterSpec +import android.security.keystore.KeyProperties +import java.security.InvalidAlgorithmParameterException +import java.security.InvalidKeyException +import java.security.KeyPairGenerator +import java.security.NoSuchAlgorithmException +import java.security.NoSuchProviderException +import java.security.PrivateKey +import java.security.PublicKey +import java.security.spec.MGF1ParameterSpec +import javax.crypto.BadPaddingException +import javax.crypto.Cipher +import javax.crypto.IllegalBlockSizeException +import javax.crypto.NoSuchPaddingException +import javax.crypto.spec.OAEPParameterSpec +import javax.crypto.spec.PSource + +object SecurityRSA { + var defaultEncryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA256 + var defaultDecryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA1 + + var encryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( + "SHA-256", "MGF1", defaultEncryptionDigest, + PSource.PSpecified.DEFAULT + ) + var decryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( + "SHA-256", "MGF1", defaultDecryptionDigest, + PSource.PSpecified.DEFAULT + ) + + @JvmStatic + @Throws( + NoSuchAlgorithmException::class, + NoSuchProviderException::class, + InvalidAlgorithmParameterException::class + ) + fun generateKeyPair(keystoreAlias: String, keySize: Int = 2048): PublicKey? 
{ + val kpg = KeyPairGenerator.getInstance( + KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore" + ) + kpg.initialize( + KeyGenParameterSpec.Builder( + keystoreAlias, + KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT + ) + .setKeySize(keySize) + .setDigests( + KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, + KeyProperties.DIGEST_SHA512 + ) + .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) + .build() + ) + return kpg.generateKeyPair().public + } + + @JvmStatic + @Throws( + NoSuchPaddingException::class, + NoSuchAlgorithmException::class, + IllegalBlockSizeException::class, + BadPaddingException::class, + InvalidKeyException::class, + InvalidAlgorithmParameterException::class + ) + fun decrypt(privateKey: PrivateKey?, data: ByteArray?): ByteArray? { + val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) + // cipher.init(Cipher.DECRYPT_MODE, privateKey, decryptionDigestParam); + cipher.init(Cipher.DECRYPT_MODE, privateKey) + return cipher.doFinal(data) + } + + @JvmStatic + @Throws( + NoSuchPaddingException::class, + NoSuchAlgorithmException::class, + IllegalBlockSizeException::class, + BadPaddingException::class, + InvalidKeyException::class, + InvalidAlgorithmParameterException::class + ) + fun encrypt(publicKey: PublicKey?, data: ByteArray?): ByteArray? { + val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) + // cipher.init(Cipher.ENCRYPT_MODE, publicKey, encryptionDigestParam); + cipher.init(Cipher.ENCRYPT_MODE, publicKey) + return cipher.doFinal(data) + } +} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt new file mode 100644 index 0000000..d970fd9 --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt 
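Review bot: The OAEP parameters that `encrypt` and `decrypt` actually use are whatever the provider defaults to for `"RSA/ECB/OAEPPadding"`, because both `cipher.init(..., encryptionDigestParam)` / `cipher.init(..., decryptionDigestParam)` calls are commented out. The four public `var` specs at the top are therefore dead, they disagree with each other (MGF1 SHA-256 for encryption, SHA-1 for decryption), and being mutable on a public `object` any caller can replace them. I would either delete them or keep one `private val` spec and pass it to both `init` calls, with a comment stating the digest and MGF1 hash chosen; if the AndroidKeyStore side restricts the MGF1 digest, that comment is the place to say so. `generateKeyPair` also authorises `DIGEST_SHA1` on the key, which should be dropped unless it is needed for that reason.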
@@ -0,0 +1,154 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions + +import android.content.Context +import android.util.Base64 +import androidx.datastore.core.DataStore +import androidx.datastore.preferences.core.Preferences +import androidx.datastore.preferences.core.edit +import androidx.datastore.preferences.core.stringPreferencesKey +import androidx.datastore.preferences.core.stringSetPreferencesKey +import androidx.datastore.preferences.preferencesDataStore +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityRSA +import com.google.gson.Gson +import kotlinx.coroutines.flow.first +import java.io.IOException +import java.security.KeyPair +import java.security.KeyStore +import java.security.KeyStoreException +import java.security.NoSuchAlgorithmException +import java.security.SecureRandom +import java.security.UnrecoverableEntryException +import java.security.cert.CertificateException +import javax.crypto.spec.SecretKeySpec + +val Context.dataStore: DataStore by preferencesDataStore(name = "secure_comms") + +/** + * Pair + */ +suspend fun Context.getKeypairValues(address: String): Pair { + val keyValue = stringSetPreferencesKey(address + "_keypair") + val keypairSet = dataStore.data.first()[keyValue] + val encryptionPublicKey = getKeypairFromKeystore(address) + + val publicKey = SecurityRSA.decrypt( + encryptionPublicKey?.private, + Base64.decode(keypairSet?.elementAt(0), Base64.DEFAULT) + ) + val privateKey = SecurityRSA.decrypt( + encryptionPublicKey?.private, + Base64.decode(keypairSet?.elementAt(1), Base64.DEFAULT) + ) + return Pair(publicKey, privateKey) +} + +suspend fun Context.setKeypairValues( + address: String, + publicKey: ByteArray, + privateKey: ByteArray, +) { + val encryptionPublicKey = SecurityRSA.generateKeyPair(address) + + val keyValue = stringSetPreferencesKey(address + "_keypair") + dataStore.edit { secureComms-> + 
secureComms[keyValue] = setOf( + Base64.encodeToString(publicKey.run { + SecurityRSA.encrypt(encryptionPublicKey, this) + }, Base64.DEFAULT), + Base64.encodeToString(privateKey.run { + SecurityRSA.encrypt(encryptionPublicKey, this) + }, Base64.DEFAULT), + ) + } +} + +@Throws( + KeyStoreException::class, + CertificateException::class, + IOException::class, + NoSuchAlgorithmException::class, + UnrecoverableEntryException::class +) +fun Context.getKeypairFromKeystore(keystoreAlias: String): KeyPair? { + val keyStore = KeyStore.getInstance("AndroidKeyStore") + keyStore.load(null) + + val entry = keyStore.getEntry(keystoreAlias, null) + if (entry is KeyStore.PrivateKeyEntry) { + val privateKey = entry.privateKey + val publicKey = keyStore.getCertificate(keystoreAlias).publicKey + return KeyPair(publicKey, privateKey) + } + return null +} + +data class SavedBinaryData( + val key: ByteArray, + val algorithm: String, + val data: ByteArray, +) + +/** + * Would overwrite anything with the same Keystore Alias + */ +@Throws +suspend fun Context.saveBinaryDataEncrypted( + keystoreAlias: String, + data: ByteArray, +) : Boolean { + val keyValue = stringPreferencesKey(keystoreAlias) + + val aesGcmKey = SecurityAES.generateSecretKey(256) + val data = SecurityAES.encryptAESGCM(data, aesGcmKey) + +// val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias)?.public +// ?: SecurityRSA.generateKeyPair(keystoreAlias) + + var saved = false + dataStore.edit { secureComms-> + try { + val encryptionPublicKey = SecurityRSA.generateKeyPair(keystoreAlias) + SecurityRSA.encrypt(encryptionPublicKey, aesGcmKey.encoded)?.let { key -> + secureComms[keyValue] = Gson().toJson( + SavedBinaryData( + key = key, + algorithm = aesGcmKey.algorithm, + data = data + ) + ) + saved = true + } + } catch(e: Exception) { + throw e + } + } + return saved +} + +@Throws +suspend fun Context.getEncryptedBinaryData(keystoreAlias: String): ByteArray? 
{ + val keyValue = stringPreferencesKey(keystoreAlias) + val data = dataStore.data.first()[keyValue] ?: return null + + val savedBinaryData = Gson().fromJson(data, SavedBinaryData::class.java) + + return try { + val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias) + SecurityRSA.decrypt(encryptionPublicKey?.private, savedBinaryData.key) + ?.run { + SecurityAES.decryptAESGCM(savedBinaryData.data, + SecretKeySpec(this, savedBinaryData.algorithm) + ) + } + } catch(e: Exception) { + throw e + } +} + +fun Context.generateRandomBytes(length: Int): ByteArray { + val random = SecureRandom() + val bytes = ByteArray(length) + random.nextBytes(bytes) + return bytes +} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt new file mode 100644 index 0000000..f37fde8 --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt 
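Review bot: `setKeypairValues` stores the two encrypted keys with `stringSetPreferencesKey` and `getKeypairValues` reads them back by position (`elementAt(0)` as public, `elementAt(1)` as private), but `Set` makes no ordering promise, so this relies on an implementation detail and the two values can come back swapped. Store them under two separate string keys, or as one JSON object with named fields, so the private key is never selected by iteration order. `getKeypairValues` also passes `keypairSet?.elementAt(0)` straight to `Base64.decode`, which fails with a NullPointerException rather than a clear error when no key pair was saved for `address`. In `saveBinaryDataEncrypted` a fresh RSA key pair is generated under the same alias on every save; if the write inside `dataStore.edit` then fails, the previously stored blob presumably can no longer be decrypted, so reuse the existing alias when present, as the commented-out lines above already sketch.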
@@ -0,0 +1,37 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import com.google.common.primitives.Bytes +import org.bouncycastle.crypto.AsymmetricCipherKeyPair +import org.bouncycastle.crypto.params.X25519PublicKeyParameters +import java.nio.ByteBuffer +import java.nio.ByteOrder +import java.security.KeyPair + +class Headers(var dh: AsymmetricCipherKeyPair, pn: UByte, n: UByte) { + var pn: UByte = 0u + var n: UByte = 0u + + init { + this.pn = pn + this.n = n + } + + val serialized: ByteArray + get() { + val pk = dh.public as X25519PublicKeyParameters + return byteArrayOf(pn.toByte()) + byteArrayOf(n.toByte()) + pk.encoded + } + + companion object { + fun deserialize(header: ByteArray): Headers { + val pn = header[0].toUByte() + val n = header[1].toUByte() + val pk = header.sliceArray(2 until header.size) + return Headers( + AsymmetricCipherKeyPair( + X25519PublicKeyParameters(pk, 0), + null + ), pn, n) + } + } +} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt new file mode 100644 index 0000000..ff7ad07 --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt 
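Review bot: `Headers.deserialize` indexes `header[0]` and `header[1]` and hands the rest to `X25519PublicKeyParameters(pk, 0)` without checking the length, so a truncated header from a received message fails with an index exception instead of a clean rejection. Add `require(header.size == 2 + X25519PublicKeyParameters.KEY_SIZE) { "bad header length" }` as the first line. The counters are `UByte`, so `pn` and `n` wrap after 255; if that limit is intended for SMS framing it deserves a comment on the class, together with what callers should do when a chain reaches it. The `init` block can go by declaring `var pn: UByte` and `var n: UByte` directly in the constructor.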
@@ -0,0 +1,175 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import android.content.Context +import android.util.Pair +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hkdf +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hmac +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES +import com.google.common.primitives.Bytes +import org.bouncycastle.crypto.AsymmetricCipherKeyPair +import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.agreement.X25519Agreement +import org.bouncycastle.crypto.generators.X25519KeyPairGenerator +import org.bouncycastle.crypto.params.X25519KeyGenerationParameters +import org.bouncycastle.jce.provider.BouncyCastleProvider +import java.security.SecureRandom +import java.security.Security + +/** + * This implementations are based on the signal protocols specifications. + * + * This are based on the recommended algorithms and parameters for the encryption + * and decryption. + * + * The goal for this would be to transform it into library which can be used across + * other SMS projects. 
+ * + * [...](https://signal.org/docs/specifications/doubleratchet/) + */ +open class Protocols(private val context: Context) { + + init { + Security.removeProvider("BC") + Security.addProvider(BouncyCastleProvider()) + } + + fun generateDH(): AsymmetricCipherKeyPair { + val generator = X25519KeyPairGenerator() + generator.init(X25519KeyGenerationParameters(SecureRandom())) + return generator.generateKeyPair() + } + + fun dh(keypair: AsymmetricCipherKeyPair, publicKey: CipherParameters): ByteArray { + val sharedSecret = ByteArray(32) + val agreement = X25519Agreement() + agreement.init(keypair.private) + agreement.calculateAgreement(publicKey, sharedSecret, 0) + return sharedSecret + } + + fun kdfRk( + rk: ByteArray, + dhOut: ByteArray + ): Triple { + val info = context.getString(R.string.dr_rk_info).encodeToByteArray() + return hkdf(dhOut, rk, info, 32*3).run { + Triple( + this.sliceArray(0 until 32), + this.sliceArray(32 until 64), + this.sliceArray(64 until 96), + ) + } + } + + fun kdfCk(ck: ByteArray?): Pair { + if(ck == null) throw Exception("CK came in null! 
Terminating") + + val mac = hmac(ck) + val newCk = mac.doFinal(byteArrayOf(0x01)) + val mk = mac.doFinal(byteArrayOf(0x02)) + return Pair(newCk, mk) + } + + fun encrypt( + mk: ByteArray, + plainText: ByteArray, + ad: ByteArray, + ): ByteArray { + val len = 80 + return hkdf( + ikm = mk, + salt = ByteArray(len), + info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), + len = len, + ).run { + val key = this.sliceArray(0 until 32) + val authKey = this.sliceArray(32 until 64) + val iv = this.sliceArray(64 until 80) + + val cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv) + val mac = hmac(authKey) + mac.update(ad + cipherText) + cipherText + mac.doFinal() + } + } + + fun hEncrypt( + mk: ByteArray, + plainText: ByteArray, + ): ByteArray { + val len = 80 + return hkdf( + ikm = mk, + salt = ByteArray(len), + info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), + len = len, + ).run { + val key = this.sliceArray(0 until 32) + val authKey = this.sliceArray(32 until 64) + val iv = this.sliceArray(64 until 80) + + val cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv) + + val mac = hmac(authKey) + mac.update(cipherText) + cipherText + mac.doFinal() + } + } + + fun decrypt(mk: ByteArray, cipherText: ByteArray, ad: ByteArray): ByteArray { + val len = 80 + return hkdf( + ikm = mk, + salt = ByteArray(len), + info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), + len = len, + ).run { + val authKey = this.sliceArray(32 until 64) + val cipherText = cipherText.dropLast(32).toByteArray() + + val mac = hmac(authKey) + mac.update(ad + cipherText) + + val incomingMac = cipherText.takeLast(32).toByteArray() + if(!incomingMac.contentEquals(mac.doFinal())) { + throw Exception("Message failed authentication") + } + + val key = this.sliceArray(0 until 32) + val iv = this.sliceArray(64 until 80) + SecurityAES.decryptAES256CBC(cipherText, key, iv) + } + } + + fun hDecrypt(mk: ByteArray, cipherText: ByteArray): 
ByteArray { + val len = 80 + return hkdf( + ikm = mk, + salt = ByteArray(len), + info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), + len = len, + ).run { + val authKey = this.sliceArray(32 until 64) + val cipherText = cipherText.dropLast(32).toByteArray() + + val mac = hmac(authKey) + mac.update(cipherText) + + val incomingMac = cipherText.takeLast(32).toByteArray() + if(!incomingMac.contentEquals(mac.doFinal())) { + throw Exception("Message failed authentication") + } + + val key = this.sliceArray(0 until 32) + val iv = this.sliceArray(64 until 80) + SecurityAES.decryptAES256CBC(cipherText, key, iv) + } + } + + fun concat(ad: ByteArray, headers: ByteArray): ByteArray { + return ad + headers + } +} + diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt new file mode 100644 index 0000000..eb30786 --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt 
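Review bot: In `decrypt` the tag check cannot succeed as written: the local `cipherText` shadows the parameter after `dropLast(32)`, so `cipherText.takeLast(32)` reads the end of the body rather than the appended tag, and `hmac()` is HmacSHA512, whose `doFinal()` is 64 bytes, while `encrypt` appends that full tag and `decrypt` strips only 32. `hDecrypt` repeats the same lines. The fix is to split body and tag from the original parameter using the real tag length and to compare with a constant-time check instead of `contentEquals`; the changed lines for `decrypt` are below, and `hDecrypt` needs the same change without `ad`.

```kotlin
fun decrypt(mk: ByteArray, cipherText: ByteArray, ad: ByteArray): ByteArray {
    // … unchanged: len, hkdf(...) call and authKey slice …
        val tagLen = 64 // HmacSHA512 output size
        require(cipherText.size > tagLen) { "Message too short" }
        val body = cipherText.copyOfRange(0, cipherText.size - tagLen)
        val incomingMac = cipherText.copyOfRange(cipherText.size - tagLen, cipherText.size)

        val mac = hmac(authKey)
        mac.update(ad + body)
        // Constant-time comparison of the received and computed tags.
        if (!java.security.MessageDigest.isEqual(incomingMac, mac.doFinal())) {
            throw Exception("Message failed authentication")
        }
        // … unchanged: key and iv slices …
        SecurityAES.decryptAES256CBC(body, key, iv)
```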
@@ -0,0 +1,213 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal
+
+import android.content.Context
+import android.util.Pair
+import androidx.core.util.component1
+import androidx.core.util.component2
+import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair
+import org.bouncycastle.crypto.CipherParameters
+import org.bouncycastle.crypto.params.X25519PublicKeyParameters
+
+class RatchetPayload(
+ val header: ByteArray,
+ val cipherText: ByteArray,
+)
+
+class RatchetsHE(context: Context) : Protocols(context){
+ val MAX_SKIP = 255
+
+ /**
+ * @param state
+ * @param sk
+ * @param bobDhPublicKey
+ * @param sharedHka Alice's shared header key
+ * @param sharedNHka Alice's next shared header key
+ */
+ fun ratchetInitAlice(
+ state: States,
+ sk: ByteArray,
+ bobDhPublicKey: CipherParameters,
+ sharedHka: ByteArray,
+ sharedNHka: ByteArray,
+ ) {
+ state.DHRs = generateDH()
+ state.DHRr = bobDhPublicKey
+
+ kdfRk(
+ rk = sk, dh( state.DHRs!!, state.DHRr!!)
+ ).let {
+ state.RK = it.first
+ state.CKs = it.second
+ state.NHKs = it.third
+ }
+
+ state.CKr = null
+ state.Ns = 0u
+ state.Nr = 0u
+ state.PN = 0u
+ state.MKSKIPPED = mutableMapOf()
+ state.HKs = sharedHka
+ state.HKr = null
+ state.NHKr = sharedNHka
+ }
+
+ fun ratchetInitBob(
+ state: States,
+ sk: ByteArray,
+ bobDhPublicKeypair: AsymmetricCipherKeyPair,
+ sharedHka: ByteArray,
+ sharedNHka: ByteArray,
+ ) {
+ state.DHRs = bobDhPublicKeypair
+ state.DHRr = null
+ state.RK = sk
+ state.CKs = null
+ state.CKr = null
+ state.Ns = 0u
+ state.Nr = 0u
+ state.PN = 0u
+ state.MKSKIPPED = mutableMapOf()
+ state.HKs = null
+ state.NHKs = sharedNHka
+ state.HKr = null
+ state.NHKr = sharedHka
+ }
+
+ fun ratchetEncrypt(
+ state: States,
+ plaintext: ByteArray,
+ ad: ByteArray,
+ ) : RatchetPayload {
+ val (ck, mk) = kdfCk(state.CKs)
+ state.CKs = ck
+ val header = Headers(state.DHRs!!, state.PN, state.Ns)
+ val encHeader = hEncrypt(state.HKs!!, header.serialized)
+ state.Ns++
+ return RatchetPayload(
+ header = encHeader,
+ cipherText = encrypt(mk, plaintext, concat(ad, encHeader))
+ )
+ }
+
+ fun ratchetDecrypt(
+ state: States,
+ encHeader: ByteArray,
+ cipherText: ByteArray,
+ ad: ByteArray,
+ ): ByteArray {
+ val plaintext = trySkippedMessageKeys(state, encHeader, cipherText, ad)
+ if(plaintext != null)
+ return plaintext
+
+ val (header, dhRatchet) = decryptHeader(state, encHeader)
+ if(dhRatchet) {
+ skipMessageKeys(state, header.pn.toInt())
+ dhRatchet(state, header)
+ }
+
+ skipMessageKeys(state, header.n.toInt())
+ val kdfCk = kdfCk(state.CKr)
+ state.CKr = kdfCk.first
+ val mk = kdfCk.second
+ state.Nr++
+ return decrypt(mk, cipherText, concat(ad, encHeader))
+ }
+
+ private fun skipMessageKeys(
+ state: States,
+ until: Int,
+ ) {
+ if(state.Nr.toInt() + MAX_SKIP < until)
+ throw Exception("MAX SKIP Exceeded")
+
+ state.CKr?.let{
+ while(state.Nr.toInt() < until) {
+ val kdfCk = kdfCk(state.CKr)
+ state.CKr = kdfCk.first
+ val mk = kdfCk.second
+
state.MKSKIPPED[Pair(state.HKr, state.Nr.toInt())] = mk
+ state.Nr++
+ }
+ }
+ }
+
+ private fun trySkippedMessageKeys(
+ state: States,
+ encHeader: ByteArray,
+ ciphertext: ByteArray,
+ ad: ByteArray
+ ) : ByteArray? {
+ state.MKSKIPPED.forEach {
+ val (hk, n) = it.key
+ val mk = it.value
+
+ val header = hDecrypt(hk, encHeader).run {
+ Headers.deserialize(this)
+ }
+ if(header.n.toInt() == n) {
+ state.MKSKIPPED.remove(it.key)
+ return decrypt(mk, ciphertext, concat(ad, encHeader))
+ }
+ }
+
+ return null
+ }
+
+ private fun decryptHeader(
+ state: States,
+ encHeader: ByteArray
+ ) : Pair {
+ var header: Headers? = null
+ try {
+ header = hDecrypt(state.HKr!!, encHeader).run {
+ Headers.deserialize(this)
+ }
+ } catch(e: Exception) {
+ e.printStackTrace()
+ }
+
+ header?.let {
+ return Pair(header, false)
+ }
+
+ header = hDecrypt(state.NHKr!!, encHeader).run {
+ Headers.deserialize(this)
+ }
+
+ return Pair(header, true)
+ }
+
+ private fun dhRatchet(state: States, header: Headers) {
+ state.PN = state.Ns
+ state.Ns = 0u
+ state.Nr = 0u
+ state.HKs = state.NHKs
+ state.HKr = state.NHKr
+ state.DHRr = header.dh.public
+
+ kdfRk(state.RK!!,
+ dh(
+ state.DHRs!!,
+ state.DHRr!!,
+ )
+ ).let {
+ state.RK = it.first
+ state.CKr = it.second
+ state.NHKr = it.third
+ }
+
+ state.DHRs = generateDH()
+
+ kdfRk(state.RK!!,
+ dh(
+ state.DHRs!!,
+ state.DHRr!!,
+ )
+ ).let {
+ state.RK = it.first
+ state.CKs = it.second
+ state.NHKs = it.third
+ }
+ }
+}
\ No newline at end of file
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt
new file mode 100644
index 0000000..5d776ba
--- /dev/null
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt
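Review bot: In `trySkippedMessageKeys`, `hDecrypt(hk, encHeader)` runs for every entry of `state.MKSKIPPED` with nothing catching its failure, and `hDecrypt` as added earlier in this patch throws `Exception("Message failed authentication")` when the header key does not match. A single stored key from a different header-key epoch therefore aborts `ratchetDecrypt` before `decryptHeader` gets to try `HKr`/`NHKr`; a failed header decryption should count as "no match" and move on to the next entry, as sketched below. Separately, `ratchetDecrypt` advances `CKr`, `Nr` and possibly the whole DH ratchet before `decrypt` has verified the body MAC, so a message with a valid header and a corrupted body leaves the session state changed; applying the changes to a copy of the state and committing only after `decrypt` returns would avoid that. `decryptHeader` also depends on `catch(e: Exception)` swallowing the `state.HKr!!` null case and prints the stack trace, where an explicit null check would make the intent visible.

```kotlin
    // … unchanged: trySkippedMessageKeys signature …
    for ((skippedKey, mk) in state.MKSKIPPED.entries.toList()) {
        val (hk, n) = skippedKey
        // A MAC failure here only means this header key does not apply to the message.
        val header = try {
            Headers.deserialize(hDecrypt(hk, encHeader))
        } catch (e: Exception) {
            continue
        }
        if (header.n.toInt() == n) {
            state.MKSKIPPED.remove(skippedKey)
            return decrypt(mk, ciphertext, concat(ad, encHeader))
        }
    }
    return null
```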
@@ -0,0 +1,37 @@
+package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal
+
+import android.util.Pair
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair
+import org.bouncycastle.crypto.CipherParameters
+import java.security.KeyPair
+import java.security.PrivateKey
+import java.security.PublicKey
+
+
+data class States(
+ var RK: ByteArray? = null,
+ var CKs: ByteArray? = null,
+ var CKr: ByteArray? = null,
+ var Ns: UByte = 0u,
+ var Nr: UByte = 0u,
+ var PN: UByte = 0u,
+ var DHRs: AsymmetricCipherKeyPair?,
+ var DHRr: CipherParameters? = null,
+ var HKs: ByteArray? = null,
+ var HKr: ByteArray? = null,
+ var NHKs: ByteArray? = null,
+ var NHKr: ByteArray? = null,
+ var MKSKIPPED: MutableMap, ByteArray> = mutableMapOf()
+) {
+ fun serialize(): String {
+ return Json.encodeToString(this)
+ }
+
+ companion object {
+ fun deserialize(input: String): States {
+ return Json.decodeFromString(input)
+ }
+ }
+}
\ No newline at end of file
diff --git a/double_ratchet/src/main/res/values/strings.xml b/double_ratchet/src/main/res/values/strings.xml
new file mode 100644
index 0000000..90a2b76
--- /dev/null
+++ b/double_ratchet/src/main/res/values/strings.xml
@@ -0,0 +1,9 @@
+
+ SMSWithoutBorders DoubleRatchet LibSignal
+ Missing public key
+ Ratchet states removed
+ RelaySMS v1
+ RelaySMS C2S DR v1
+ RelaySMS DRHE v2
+ RelaySMS DR_ENCRYPTION v2
+
\ No newline at end of file
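Review bot: `serialize()` calls `Json.encodeToString(this)`, but the class as shown has no `@Serializable` annotation (only the import) and holds `AsymmetricCipherKeyPair` and `CipherParameters` fields, for which kotlinx.serialization ships no serializer, so the call looks likely to fail rather than produce JSON. Whatever encoding is used, the result contains the root key, chain keys, header keys and the DH private key, so the method should carry a KDoc such as `/** Contains secret key material; persist only in encrypted storage. */` and callers should keep the string out of logs. Separately, `Ns`, `Nr` and `PN` are `UByte`, so the `state.Ns++` / `state.Nr++` in RatchetsHE.kt wrap silently at 255; a wider type such as `var Ns: UInt = 0u`, or an explicit failure at the limit, would avoid that.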
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..8bdaf60c75ab801e22807dde59e12a8735a34077 GIT binary patch literal 45457 zcma&NW0YlEwk;ePwr$(aux;D69T}N{9ky*d!_2U4+qUuIRNZ#Jck8}7U+vcB{`IjNZqX3eq5;s6ddAkU&5{L|^Ow`ym2B0m+K02+~Q)i807X3X94qi>j)C0e$=H zm31v`=T&y}ACuKx7G~yWSYncG=NFB>O2);i9EmJ(9jSamq?Crj$g~1l3m-4M7;BWn zau2S&sSA0b0Rhg>6YlVLQa;D#)1yw+eGs~36Q$}5?avIRne3TQZXb<^e}?T69w<9~ zUmx1cG0uZ?Kd;Brd$$>r>&MrY*3$t^PWF1+J+G_xmpHW=>mly$<>~wHH+Bt3mzN7W zhR)g{_veH6>*KxLJ~~s{9HZm!UeC86d_>42NRqd$ev8zSMq4kt)q*>8kJ8p|^wuKx zq2Is_HJPoQ_apSoT?zJj7vXBp!xejBc^7F|zU0rhy%Ub*Dy#jJs!>1?CmJ-gulPVX zKit>RVmjL=G?>jytf^U@mfnC*1-7EVag@%ROu*#kA+)Rxq?MGK0v-dp^kM?nyMngb z_poL>GLThB7xAO*I7&?4^Nj`<@O@>&0M-QxIi zD@n}s%CYI4Be19C$lAb9Bbm6!R{&A;=yh=#fnFyb`s7S5W3?arZf?$khCwkGN!+GY~GT8-`!6pFr zbFBVEF`kAgtecfjJ`flN2Z!$$8}6hV>Tu;+rN%$X^t8fI>tXQnRn^$UhXO8Gu zt$~QON8`doV&{h}=2!}+xJKrNPcIQid?WuHUC-i%P^F(^z#XB`&&`xTK&L+i8a3a@ zkV-Jy;AnyQ`N=&KONV_^-0WJA{b|c#_l=v!19U@hS~M-*ix16$r01GN3#naZ|DxY2 z76nbjbOnFcx4bKbEoH~^=EikiZ)_*kOb>nW6>_vjf-UCf0uUy~QBb7~WfVO6qN@ns zz=XEG0s5Yp`mlmUad)8!(QDgIzY=OK%_hhPStbyYYd|~zDIc3J4 zy9y%wZOW>}eG4&&;Z>vj&Mjg+>4gL! 
z(@oCTFf-I^54t=*4AhKRoE-0Ky=qg3XK2Mu!Bmw@z>y(|a#(6PcfbVTw-dUqyx4x4 z3O#+hW1ANwSv-U+9otHE#U9T>(nWx>^7RO_aI>${jvfZQ{mUwiaxHau!H z0Nc}ucJu+bKux?l!dQ2QA(r@(5KZl(Or=U!=2K*8?D=ZT-IAcAX!5OI3w@`sF@$($ zbDk0p&3X0P%B0aKdijO|s})70K&mk1DC|P##b=k@fcJ|lo@JNWRUc>KL?6dJpvtSUK zxR|w8Bo6K&y~Bd}gvuz*3z z@sPJr{(!?mi@okhudaM{t3gp9TJ!|@j4eO1C&=@h#|QLCUKLaKVL z!lls$%N&ZG7yO#jK?U>bJ+^F@K#A4d&Jz4boGmptagnK!Qu{Ob>%+60xRYK>iffd_ z>6%0K)p!VwP$^@Apm%NrS6TpKJwj_Q=k~?4=_*NIe~eh_QtRaqX4t-rJAGYdB{pGq zSXX)-dR8mQ)X|;8@_=J6Dk7MfMp;x)^aZeCtScHs12t3vL+p-6!qhPkOM1OYQ z8YXW5tWp)Th(+$m7SnV_hNGKAP`JF4URkkNc@YV9}FK$9k zR&qgi$Cj#4bC1VK%#U)f%(+oQJ+EqvV{uAq1YG0riLvGxW@)m;*ayU-BSW61COFy0 z(-l>GJqYl;*x1PnRZ(p3Lm}* zlkpWyCoYtg9pAZ5RU^%w=vN{3Y<6WImxj(*SCcJsFj?o6CZ~>cWW^foliM#qN#We{ zwsL!u1$rzC1#4~bILZm*a!T{^kCci$XOJADm)P;y^%x5)#G#_!2uNp^S;cE`*ASCn;}H7pP^RRA z6lfXK(r4dy<_}R|(7%Lyo>QFP#s31E8zsYA${gSUykUV@?lyDNF=KhTeF^*lu7C*{ zBCIjy;bIE;9inJ$IT8_jL%)Q{7itmncYlkf2`lHl(gTwD%LmEPo^gskydVxMd~Do` zO8EzF!yn!r|BEgPjhW#>g(unY#n}=#4J;3FD2ThN5LpO0tI2~pqICaFAGT%%;3Xx$ z>~Ng(64xH-RV^Rj4=A_q1Ee8kcF}8HN{5kjYX0ADh}jq{q18x(pV!23pVsK5S}{M#p8|+LvfKx|_3;9{+6cu7%5o-+R@z>TlTft#kcJ`s2-j zUe4dgpInZU!<}aTGuwgdWJZ#8TPiV9QW<-o!ibBn&)?!ZDomECehvT7GSCRyF#VN2&5GShch9*}4p;8TX~cW*<#( zv-HmU7&+YUWO__NN3UbTFJ&^#3vxW4U9q5=&ORa+2M$4rskA4xV$rFSEYBGy55b{z z!)$_fYXiY?-GWDhGZXgTw}#ilrw=BiN(DGO*W7Vw(} zjUexksYLt_Nq?pl_nVa@c1W#edQKbT>VSN1NK?DulHkFpI-LXl7{;dl@z0#v?x%U& z8k8M1X6%TwR4BQ_eEWJASvMTy?@fQubBU__A_US567I-~;_VcX^NJ-E(ZPR^NASj1 zVP!LIf8QKtcdeH#w6ak50At)e={eF_Ns6J2Iko6dn8Qwa6!NQHZMGsD zhzWeSFK<{hJV*!cIHxjgR+e#lkUHCss-j)$g zF}DyS531TUXKPPIoePo{yH%qEr-dLMOhv^sC&@9YI~uvl?rBp^A-57{aH_wLg0&a|UxKLlYZQ24fpb24Qjil`4OCyt0<1eu>5i1Acv zaZtQRF)Q;?Aw3idg;8Yg9Cb#)03?pQ@O*bCloG zC^|TnJl`GXN*8iI;Ql&_QIY0ik}rqB;cNZ-qagp=qmci9eScHsRXG$zRNdf4SleJ} z7||<#PCW~0>3u8PP=-DjNhD(^(B0AFF+(oKOiQyO5#v4nI|v_D5@c2;zE`}DK!%;H zUn|IZ6P;rl*5`E(srr6@-hpae!jW=-G zC<*R?RLwL;#+hxN4fJ!oP4fX`vC3&)o!#l4y@MrmbmL{t;VP%7tMA-&vju_L 
zhtHbOL4`O;h*5^e3F{b9(mDwY6JwL8w`oi28xOyj`pVo!75hngQDNg7^D$h4t&1p2 ziWD_!ap3GM(S)?@UwWk=Szym^eDxSx3NaR}+l1~(@0car6tfP#sZRTb~w!WAS{+|SgUN3Tv`J4OMf z9ta_f>-`!`I@KA=CXj_J>CE7T`yGmej0}61sE(%nZa1WC_tV6odiysHA5gzfWN-`uXF46mhJGLpvNTBmx$!i zF67bAz~E|P{L6t1B+K|Cutp&h$fDjyq9JFy$7c_tB(Q$sR)#iMQH3{Og1AyD^lyQwX6#B|*ecl{-_;*B>~WSFInaRE_q6 zpK#uCprrCb`MU^AGddA#SS{P7-OS9h%+1`~9v-s^{s8faWNpt*Pmk_ECjt(wrpr{C_xdAqR(@!ERTSs@F%^DkE@No}wqol~pS^e7>ksF_NhL0?6R4g`P- zk8lMrVir~b(KY+hk5LQngwm`ZQT5t1^7AzHB2My6o)_ejR0{VxU<*r-Gld`l6tfA` zKoj%x9=>Ce|1R|1*aC}|F0R32^KMLAHN}MA<8NNaZ^j?HKxSwxz`N2hK8lEb{jE0& zg4G_6F@#NyDN?=i@=)eidKhlg!nQoA{`PgaH{;t|M#5z}a`u?^gy{5L~I2smLR z*4RmNxHqf9>D>sXSemHK!h4uPwMRb+W`6F>Q6j@isZ>-F=)B2*sTCD9A^jjUy)hjAw71B&$u}R(^R; zY9H3k8$|ounk>)EOi_;JAKV8U8ICSD@NrqB!&=)Ah_5hzp?L9Sw@c>>#f_kUhhm=p z1jRz8X7)~|VwO(MF3PS(|CL++1n|KT3*dhGjg!t_vR|8Yg($ z+$S$K=J`K6eG#^(J54=4&X#+7Car=_aeAuC>dHE+%v9HFu>r%ry|rwkrO-XPhR_#K zS{2Unv!_CvS7}Mb6IIT$D4Gq5v$Pvi5nbYB+1Yc&RY;3;XDihlvhhIG6AhAHsBYsm zK@MgSzs~y|+f|j-lsXKT0(%E2SkEb)p+|EkV5w8=F^!r1&0#0^tGhf9yPZ)iLJ^ zIXOg)HW_Vt{|r0W(`NmMLF$?3ZQpq+^OtjR-DaVLHpz%1+GZ7QGFA?(BIqBlVQ;)k zu)oO|KG&++gD9oL7aK4Zwjwi~5jqk6+w%{T$1`2>3Znh=OFg|kZ z>1cn>CZ>P|iQO%-Pic8wE9c*e%=3qNYKJ+z1{2=QHHFe=u3rqCWNhV_N*qzneN8A5 zj`1Ir7-5`33rjDmyIGvTx4K3qsks(I(;Kgmn%p#p3K zn8r9H8kQu+n@D$<#RZtmp$*T4B&QvT{K&qx(?>t@mX%3Lh}sr?gI#vNi=vV5d(D<=Cp5-y!a{~&y|Uz*PU{qe zI7g}mt!txT)U(q<+Xg_sSY%1wVHy;Dv3uze zJ>BIdSB2a|aK+?o63lR8QZhhP)KyQvV`J3)5q^j1-G}fq=E4&){*&hiam>ssYm!ya z#PsY0F}vT#twY1mXkGYmdd%_Uh12x0*6lN-HS-&5XWbJ^%su)-vffvKZ%rvLHVA<; zJP=h13;x?$v30`T)M)htph`=if#r#O5iC^ZHeXc6J8gewn zL!49!)>3I-q6XOZRG0=zjyQc`tl|RFCR}f-sNtc)I^~?Vv2t7tZZHvgU2Mfc9$LqG z!(iz&xb=q#4otDBO4p)KtEq}8NaIVcL3&pbvm@0Kk-~C@y3I{K61VDF_=}c`VN)3P z+{nBy^;=1N`A=xH$01dPesY_na*zrcnssA}Ix60C=sWg9EY=2>-yH&iqhhm28qq9Z z;}znS4ktr40Lf~G@6D5QxW&?q^R|=1+h!1%G4LhQs54c2Wo~4% zCA||d==lv2bP=9%hd0Dw_a$cz9kk)(Vo}NpSPx!vnV*0Bh9$CYP~ia#lEoLRJ8D#5 zSJS?}ABn1LX>8(Mfg&eefX*c0I5bf4<`gCy6VC{e>$&BbwFSJ0CgVa;0-U7=F81R+ 
zUmzz&c;H|%G&mSQ0K16Vosh?sjJW(Gp+1Yw+Yf4qOi|BFVbMrdO6~-U8Hr|L@LHeZ z0ALmXHsVm137&xnt#yYF$H%&AU!lf{W436Wq87nC16b%)p?r z70Wua59%7Quak50G7m3lOjtvcS>5}YL_~?Pti_pfAfQ!OxkX$arHRg|VrNx>R_Xyi z`N|Y7KV`z3(ZB2wT9{Dl8mtl zg^UOBv~k>Z(E)O>Z;~Z)W&4FhzwiPjUHE9&T#nlM)@hvAZL>cha-< zQ8_RL#P1?&2Qhk#c9fK9+xM#AneqzE-g(>chLp_Q2Xh$=MAsW z2ScEKr+YOD*R~mzy{bOJjs;X2y1}DVFZi7d_df^~((5a2%p%^4cf>vM_4Sn@@ssVJ z9ChGhs zbanJ+h74)3tWOviXI|v!=HU2mE%3Th$Mpx&lEeGFEBWRy8ogJY`BCXj@7s~bjrOY! z4nIU5S>_NrpN}|waZBC)$6ST8x91U2n?FGV8lS{&LFhHbuHU?SVU{p7yFSP_f#Eyh zJhI@o9lAeEwbZYC=~<(FZ$sJx^6j@gtl{yTOAz`Gj!Ab^y})eG&`Qt2cXdog2^~oOH^K@oHcE(L;wu2QiMv zJuGdhNd+H{t#Tjd<$PknMSfbI>L1YIdZ+uFf*Z=BEM)UPG3oDFe@8roB0h(*XAqRc zoxw`wQD@^nxGFxQXN9@GpkLqd?9@(_ZRS@EFRCO8J5{iuNAQO=!Lo5cCsPtt4=1qZN8z`EA2{ge@SjTyhiJE%ttk{~`SEl%5>s=9E~dUW0uws>&~3PwXJ!f>ShhP~U9dLvE8ElNt3g(6-d zdgtD;rgd^>1URef?*=8BkE&+HmzXD-4w61(p6o~Oxm`XexcHmnR*B~5a|u-Qz$2lf zXc$p91T~E4psJxhf^rdR!b_XmNv*?}!PK9@-asDTaen;p{Rxsa=1E}4kZ*}yQPoT0 zvM}t!CpJvk<`m~^$^1C^o1yM(BzY-Wz2q7C^+wfg-?}1bF?5Hk?S{^#U%wX4&lv0j zkNb)byI+nql(&65xV?_L<0tj!KMHX8Hmh2(udEG>@OPQ}KPtdwEuEb$?acp~yT1&r z|7YU<(v!0as6Xff5^XbKQIR&MpjSE)pmub+ECMZzn7c!|hnm_Rl&H_oXWU2!h7hhf zo&-@cLkZr#eNgUN9>b=QLE1V^b`($EX3RQIyg#45A^=G!jMY`qJ z8qjZ$*-V|?y0=zIM>!2q!Gi*t4J5Otr^OT3XzQ_GjATc(*eM zqllux#QtHhc>YtnswBNiS^t(dTDn|RYSI%i%-|sv1wh&|9jfeyx|IHowW)6uZWR<%n8I}6NidBm zJ>P7#5m`gnXLu;?7jQZ!PwA80d|AS*+mtrU6z+lzms6^vc4)6Zf+$l+Lk3AsEK7`_ zQ9LsS!2o#-pK+V`g#3hC$6*Z~PD%cwtOT8;7K3O=gHdC=WLK-i_DjPO#WN__#YLX|Akw3LnqUJUw8&7pUR;K zqJ98?rKMXE(tnmT`#080w%l1bGno7wXHQbl?QFU=GoK@d!Ov=IgsdHd-iIs4ahcgSj(L@F96=LKZ zeb5cJOVlcKBudawbz~AYk@!^p+E=dT^UhPE`96Q5J~cT-8^tp`J43nLbFD*Nf!w;6 zs>V!5#;?bwYflf0HtFvX_6_jh4GEpa0_s8UUe02@%$w^ym&%wI5_APD?9S4r9O@4m zq^Z5Br8#K)y@z*fo08@XCs;wKBydn+60ks4Z>_+PFD+PVTGNPFPg-V-|``!0l|XrTyUYA@mY?#bJYvD>jX&$o9VAbo?>?#Z^c+Y4Dl zXU9k`s74Sb$OYh7^B|SAVVz*jEW&GWG^cP<_!hW+#Qp|4791Od=HJcesFo?$#0eWD z8!Ib_>H1WQE}shsQiUNk!uWOyAzX>r(-N7;+(O333_ES7*^6z4{`p&O*q8xk{0xy@ zB&9LkW_B}_Y&?pXP-OYNJfqEWUVAPBk)pTP^;f+75Wa(W>^UO_*J05f1k{ 
zd-}j!4m@q#CaC6mLsQHD1&7{tJ*}LtE{g9LB>sIT7)l^ucm8&+L0=g1E_6#KHfS>A_Z?;pFP96*nX=1&ejZ+XvZ=ML`@oVu>s^WIjn^SY}n zboeP%`O9|dhzvnw%?wAsCw*lvVcv%bmO5M4cas>b%FHd;A6Z%Ej%;jgPuvL$nk=VQ=$-OTwslYg zJQtDS)|qkIs%)K$+r*_NTke8%Rv&w^v;|Ajh5QXaVh}ugccP}3E^(oGC5VO*4`&Q0 z&)z$6i_aKI*CqVBglCxo#9>eOkDD!voCJRFkNolvA2N&SAp^4<8{Y;#Kr5740 za|G`dYGE!9NGU3Ge6C)YByb6Wy#}EN`Ao#R!$LQ&SM#hifEvZp>1PAX{CSLqD4IuO z4#N4AjMj5t2|!yTMrl5r)`_{V6DlqVeTwo|tq4MHLZdZc5;=v9*ibc;IGYh+G|~PB zx2}BAv6p$}?7YpvhqHu7L;~)~Oe^Y)O(G(PJQB<&2AhwMw!(2#AHhjSsBYUd8MDeM z+UXXyV@@cQ`w}mJ2PGs>=jHE{%i44QsPPh(=yorg>jHic+K+S*q3{th6Ik^j=@%xo zXfa9L_<|xTL@UZ?4H`$vt9MOF`|*z&)!mECiuenMW`Eo2VE#|2>2ET7th6+VAmU(o zq$Fz^TUB*@a<}kr6I>r;6`l%8NWtVtkE?}Q<<$BIm*6Z(1EhDtA29O%5d1$0q#C&f zFhFrrss{hOsISjYGDOP*)j&zZUf9`xvR8G)gwxE$HtmKsezo`{Ta~V5u+J&Tg+{bh zhLlNbdzJNF6m$wZNblWNbP6>dTWhngsu=J{);9D|PPJ96aqM4Lc?&6H-J1W15uIpQ ziO{&pEc2}-cqw+)w$`p(k(_yRpmbp-Xcd`*;Y$X=o(v2K+ISW)B1(ZnkV`g4rHQ=s z+J?F9&(||&86pi}snC07Lxi1ja>6kvnut;|Ql3fD)%k+ASe^S|lN69+Ek3UwsSx=2EH)t}K>~ z`Mz-SSVH29@DWyl`ChuGAkG>J;>8ZmLhm>uEmUvLqar~vK3lS;4s<{+ehMsFXM(l- zRt=HT>h9G)JS*&(dbXrM&z;)66C=o{=+^}ciyt8|@e$Y}IREAyd_!2|CqTg=eu}yG z@sI9T;Tjix*%v)c{4G84|0j@8wX^Iig_JsPU|T%(J&KtJ>V zsAR+dcmyT5k&&G{!)VXN`oRS{n;3qd`BgAE9r?%AHy_Gf8>$&X$=>YD7M911?<{qX zkJ;IOfY$nHdy@kKk_+X%g3`T(v|jS;>`pz`?>fqMZ>Fvbx1W=8nvtuve&y`JBfvU~ zr+5pF!`$`TUVsx3^<)48&+XT92U0DS|^X6FwSa-8yviRkZ*@Wu|c*lX!m?8&$0~4T!DB0@)n}ey+ew}T1U>|fH3=W5I!=nfoNs~OkzTY7^x^G&h>M7ewZqmZ=EL0}3#ikWg+(wuoA{7hm|7eJz zNz78l-K81tP16rai+fvXtspOhN-%*RY3IzMX6~8k9oFlXWgICx9dp;`)?Toz`fxV@&m8< z{lzWJG_Y(N1nOox>yG^uDr}kDX_f`lMbtxfP`VD@l$HR*B(sDeE(+T831V-3d3$+% zDKzKnK_W(gLwAK{Saa2}zaV?1QmcuhDu$)#;*4gU(l&rgNXB^WcMuuTki*rt>|M)D zoI;l$FTWIUp}euuZjDidpVw6AS-3dal2TJJaVMGj#CROWr|;^?q>PAo2k^u-27t~v zCv10IL~E)o*|QgdM!GJTaT&|A?oW)m9qk2{=y*7qb@BIAlYgDIe)k(qVH@)#xx6%7 z@)l%aJwz5Joc84Q2jRp71d;=a@NkjSdMyN%L6OevML^(L0_msbef>ewImS=+DgrTk z4ON%Y$mYgcZ^44O*;ctP>_7=}=pslsu>~<-bw=C(jeQ-X`kUo^BS&JDHy%#L32Cj_ zXRzDCfCXKXxGSW9yOGMMOYqPKnU 
zTF6gDj47!7PoL%z?*{1eyc2IVF*RXX?mj1RS}++hZg_%b@6&PdO)VzvmkXxJ*O7H} z6I7XmJqwX3<>z%M@W|GD%(X|VOZ7A+=@~MxMt8zhDw`yz?V>H%C0&VY+ZZ>9AoDVZeO1c~z$r~!H zA`N_9p`X?z>jm!-leBjW1R13_i2(0&aEY2$l_+-n#powuRO;n2Fr#%jp{+3@`h$c< zcFMr;18Z`UN#spXv+3Ks_V_tSZ1!FY7H(tdAk!v}SkoL9RPYSD3O5w>A3%>7J+C-R zZfDmu=9<1w1CV8rCMEm{qyErCUaA3Q zRYYw_z!W7UDEK)8DF}la9`}8z*?N32-6c-Bwx^Jf#Muwc67sVW24 zJ4nab%>_EM8wPhL=MAN)xx1tozAl zmhXN;*-X%)s>(L=Q@vm$qmuScku>PV(W_x-6E?SFRjSk)A1xVqnml_92fbj0m};UC zcV}lRW-r*wY106|sshV`n#RN{)D9=!>XVH0vMh>od=9!1(U+sWF%#B|eeaKI9RpaW z8Ol_wAJX%j0h5fkvF)WMZ1}?#R(n-OT0CtwsL)|qk;*(!a)5a5ku2nCR9=E*iOZ`9 zy4>LHKt-BgHL@R9CBSG!v4wK zvjF8DORRva)@>nshE~VM@i2c$PKw?3nz(6-iVde;-S~~7R<5r2t$0U8k2_<5C0!$j zQg#lsRYtI#Q1YRs(-%(;F-K7oY~!m&zhuU4LL}>jbLC>B`tk8onRRcmIm{{0cpkD|o@Ixu#x9Wm5J)3oFkbfi62BX8IX1}VTe#{C(d@H|#gy5#Sa#t>sH@8v1h8XFgNGs?)tyF_S^ueJX_-1%+LR`1X@C zS3Oc)o)!8Z9!u9d!35YD^!aXtH;IMNzPp`NS|EcdaQw~<;z`lmkg zE|tQRF7!S!UCsbag%XlQZXmzAOSs= zIUjgY2jcN9`xA6mzG{m|Zw=3kZC4@XY=Bj%k8%D&iadvne$pYNfZI$^2BAB|-MnZW zU4U?*qE3`ZDx-bH})>wz~)a z_SWM!E=-BS#wdrfh;EfPNOS*9!;*+wp-zDthj<>P0a2n?$xfe;YmX~5a;(mNV5nKx zYR86%WtAPsOMIg&*o9uUfD!v&4(mpS6P`bFohPP<&^fZzfA|SvVzPQgbtwwM>IO>Z z75ejU$1_SB1tn!Y-9tajZ~F=Fa~{cnj%Y|$;%z6fJV1XC0080f)Pj|87j142q6`i>#)BCIi+x&jAH9|H#iMvS~?w;&E`y zoarJ)+5HWmZ{&OqlzbdQU=SE3GKmnQq zI{h6f$C@}Mbqf#JDsJyi&7M0O2ORXtEB`#cZ;#AcB zkao0`&|iH8XKvZ_RH|VaK@tAGKMq9x{sdd%p-o`!cJzmd&hb86N!KKxp($2G?#(#BJn5%hF0(^`= z2qRg5?82({w-HyjbffI>eqUXavp&|D8(I6zMOfM}0;h%*D_Dr@+%TaWpIEQX3*$vQ z8_)wkNMDi{rW`L+`yN^J*Gt(l7PExu3_hrntgbW0s}7m~1K=(mFymoU87#{|t*fJ?w8&>Uh zcS$Ny$HNRbT!UCFldTSp2*;%EoW+yhJD8<3FUt8@XSBeJM2dSEz+5}BWmBvdYK(OA zlm`nDDsjKED{$v*jl(&)H7-+*#jWI)W|_X)!em1qpjS_CBbAiyMt;tx*+0P%*m&v< zxV9rlslu8#cS!of#^1O$(ds8aviMFiT`6W+FzMHW{YS+SieJ^?TQb%NT&pasw^kbc znd`=%(bebvrNx3#7vq@vAX-G`4|>cY0svIXopH02{v;GZ{wJM#psz4!m8(IZu<)9D zqR~U7@cz-6H{724_*}-DWwE8Sk+dYBb*O-=c z+wdchFcm6$$^Z0_qGnv0P`)h1=D$_eg8!2-|7Y;o*c)4ax!Me0*EVcioh{wI#!qcb z1&xhOotXMrlo7P6{+C8m;E#4*=8(2y!r0d<6 
zKi$d2X;O*zS(&Xiz_?|`ympxITf|&M%^WHp=694g6W@k+BL_T1JtSYX0OZ}o%?Pzu zJ{%P8A$uq?4F!NWGtq>_GLK3*c6dIcGH)??L`9Av&0k$A*14ED9!e9z_SZd3OH6ER zg%5^)3^gw;4DFw(RC;~r`bPJOR}H}?2n60=g4ESUTud$bkBLPyI#4#Ye{5x3@Yw<* z;P5Up>Yn(QdP#momCf=kOzZYzg9E330=67WOPbCMm2-T1%8{=or9L8+HGL{%83lri zODB;Y|LS`@mn#Wmez7t6-x`a2{}U9hE|xY7|BVcFCqoAZQzsEi=dYHB z(bqG3J5?teVSBqTj{aiqe<9}}CEc$HdsJSMp#I;4(EXRy_k|Y8X#5hwkqAaIGKARF zX?$|UO{>3-FU;IlFi80O^t+WMNw4So2nsg}^T1`-Ox&C%Gn_AZ-49Nir=2oYX6 z`uVke@L5PVh)YsvAgFMZfKi{DuSgWnlAaag{RN6t6oLm6{4)H~4xg#Xfcq-e@ALk& z@UP4;uCe(Yjg4jaJZ4pu*+*?4#+XCi%sTrqaT*jNY7|WQ!oR;S8nt)cI27W$Sz!94 z01zoTW`C*P3E?1@6thPe(QpIue$A54gp#C7pmfwRj}GxIw$!!qQetn`nvuwIvMBQ; zfF8K-D~O4aJKmLbNRN1?AZsWY&rp?iy`LP^3KT0UcGNy=Z@7qVM(#5u#Du#w>a&Bs z@f#zU{wk&5n!YF%D11S9*CyaI8%^oX=vq$Ei9cL1&kvv9|8vZD;Mhs1&slm`$A%ED zvz6SQ8aty~`IYp2Xd~G$z%Jf4zwVPKkCtqObrnc2gHKj^jg&-NH|xdNK_;+2d4ZXw zN9j)`jcp7y65&6P@}LsD_OLSi(#GW#hC*qF5KpmeXuQDNS%ZYpuW<;JI<>P6ln!p@ z>KPAM>8^cX|2!n@tV=P)f2Euv?!}UM`^RJ~nTT@W>KC2{{}xXS{}WH{|3najkiEUj z7l;fUWDPCtzQ$?(f)6RvzW~Tqan$bXibe%dv}**BqY!d4J?`1iX`-iy8nPo$s4^mQ z5+@=3xuZAl#KoDF*%>bJ4UrEB2EE8m7sQn!r7Z-ggig`?yy`p~3;&NFukc$`_>?}a z?LMo2LV^n>m!fv^HKKRrDn|2|zk?~S6i|xOHt%K(*TGWkq3{~|9+(G3M-L=;U-YRa zp{kIXZ8P!koE;BN2A;nBx!={yg4v=-xGOMC#~MA07zfR)yZtSF_2W^pDLcXg->*WD zY7Sz5%<_k+lbS^`y)=vX|KaN!gEMQob|(`%nP6huwr$%^?%0^vwr$(CZQD*Jc5?E( zb-q9E`OfoWSJ$rUs$ILfSFg3Mb*-!Ozgaz^%7ZkX@=3km0G;?+e?FQT_l5A9vKr<> z_CoemDo@6YIyl57l*gnJ^7+8xLW5oEGzjLv2P8vj*Q%O1^KOfrsC6eHvk{+$BMLGu z%goP8UY?J7Lj=@jcI$4{m2Sw?1E%_0C7M$lj}w{E#hM4%3QX|;tH6>RJf-TI_1A0w z@KcTEFx(@uitbo?UMMqUaSgt=n`Bu*;$4@cbg9JIS})3#2T;B7S

Z?HZkSa`=MM?n)?|XcM)@e1qmzJ$_4K^?-``~Oi&38`2}sjmP?kK z$yT)K(UU3fJID@~3R;)fU%k%9*4f>oq`y>#t90$(y*sZTzWcW$H=Xv|%^u^?2*n)Csx;35O0v7Nab-REgxDZNf5`cI69k$` zx(&pP6zVxlK5Apn5hAhui}b)(IwZD}D?&)_{_yTL7QgTxL|_X!o@A`)P#!%t9al+# zLD(Rr+?HHJEOl545~m1)cwawqY>cf~9hu-L`crI^5p~-9Mgp9{U5V&dJSwolnl_CM zwAMM1Tl$D@>v?LN2PLe0IZrQL1M zcA%i@Lc)URretFJhtw7IaZXYC6#8slg|*HfUF2Z5{3R_tw)YQ94=dprT`SFAvHB+7 z)-Hd1yE8LB1S+4H7iy$5XruPxq6pc_V)+VO{seA8^`o5{T5s<8bJ`>I3&m%R4cm1S z`hoNk%_=KU2;+#$Y!x7L%|;!Nxbu~TKw?zSP(?H0_b8Qqj4EPrb@~IE`~^#~C%D9k zvJ=ERh`xLgUwvusQbo6S=I5T+?lITYsVyeCCwT9R>DwQa&$e(PxF<}RpLD9Vm2vV# zI#M%ksVNFG1U?;QR{Kx2sf>@y$7sop6SOnBC4sv8S0-`gEt0eHJ{`QSW(_06Uwg*~ zIw}1dZ9c=K$a$N?;j`s3>)AqC$`ld?bOs^^stmYmsWA$XEVhUtGlx&OyziN1~2 z)s5fD(d@gq7htIGX!GCxKT=8aAOHW&DAP=$MpZ)SpeEZhk83}K) z0(Uv)+&pE?|4)D2PX4r6gOGHDY}$8FSg$3eDb*nEVmkFQ#lFpcH~IPeatiH3nPTkP z*xDN7l}r2GM9jwSsl=*!547nRPCS0pb;uE#myTqV+=se>bU=#e)f2}wCp%f-cIrh`FHA$2`monVy?qvJ~o2B6I7IE28bCY4=c#^){*essLG zXUH50W&SWmi{RIG9G^p;PohSPtC}djjXSoC)kyA8`o+L}SjE{i?%;Vh=h;QC{s`T7 zLmmHCr8F}#^O8_~lR)^clv$mMe`e*{MW#Sxd`rDckCnFBo9sC*vw2)dA9Q3lUi*Fy zgDsLt`xt|7G=O6+ms=`_FpD4}37uvelFLc^?snyNUNxbdSj2+Mpv<67NR{(mdtSDNJ3gSD@>gX_7S5 zCD)JP5Hnv!llc-9fwG=4@?=%qu~(4j>YXtgz%gZ#+A9i^H!_R!MxWlFsH(ClP3dU} za&`m(cM0xebj&S170&KLU%39I+XVWOJ_1XpF^ip}3|y()Fn5P@$pP5rvtiEK6w&+w z7uqIxZUj$#qN|<_LFhE@@SAdBy8)xTu>>`xC>VYU@d}E)^sb9k0}YKr=B8-5M?3}d z7&LqQWQ`a&=ihhANxe3^YT>yj&72x#X4NXRTc#+sk;K z=VUp#I(YIRO`g7#;5))p=y=MQ54JWeS(A^$qt>Y#unGRT$0BG=rI(tr>YqSxNm+-x z6n;-y8B>#FnhZX#mhVOT30baJ{47E^j-I6EOp;am;FvTlYRR2_?CjCWY+ypoUD-2S zqnFH6FS+q$H$^7>>(nd^WE+?Zn#@HU3#t|&=JnEDgIU+;CgS+krs+Y8vMo6U zHVkPoReZ-Di3z!xdBu#aW1f{8sC)etjN90`2|Y@{2=Os`(XLL9+ z1$_PE$GgTQrVx`^sx=Y(_y-SvquMF5<`9C=vM52+e+-r=g?D z+E|97MyoaK5M^n1(mnWeBpgtMs8fXOu4Q$89C5q4@YY0H{N47VANA1}M2e zspor6LdndC=kEvxs3YrPGbc;`q}|zeg`f;t3-8na)dGdZ9&d(n{|%mNaHaKJOA~@8 zgP?nkzV-=ULb)L3r`p)vj4<702a5h~Y%byo4)lh?rtu1YXYOY+qyTwzs!59I zL}XLe=q$e<+Wm7tvB$n88#a9LzBkgHhfT<&i#%e*y|}@I 
z!N~_)vodngB7%CI2pJT*{GX|cI5y>ZBN)}mezK~fFv@$*L`84rb0)V=PvQ2KN}3lTpT@$>a=CP?kcC0S_^PZ#Vd9#CF4 zP&`6{Y!hd^qmL!zr#F~FB0yag-V;qrmW9Jnq~-l>Sg$b%%TpO}{Q+*Pd-@n2suVh_ zSYP->P@# z&gQ^f{?}m(u5B9xqo63pUvDsJDQJi5B~ak+J{tX8$oL!_{Dh zL@=XFzWb+83H3wPbTic+osVp&~UoW3SqK0#P6+BKbOzK65tz)-@AW#g}Ew+pE3@ zVbdJkJ}EM@-Ghxp_4a)|asEk* z5)mMI&EK~BI^aaTMRl)oPJRH^Ld{;1FC&#pS`gh;l3Y;DF*`pR%OSz8U@B@zJxPNX zwyP_&8GsQ7^eYyUO3FEE|9~I~X8;{WTN=DJW0$2OH=3-!KZG=X6TH?>URr(A0l@+d zj^B9G-ACel;yYGZc}G`w9sR$Mo{tzE7&%XKuW$|u7DM<6_z}L>I{o`(=!*1 z{5?1p3F^aBONr6Ws!6@G?XRxJxXt_6b}2%Bp=0Iv5ngnpU^P+?(?O0hKwAK z*|wAisG&8&Td1XY+6qI~-5&+4DE2p|Dj8@do;!40o)F)QuoeUY;*I&QZ0*4?u)$s`VTkNl1WG`}g@J_i zjjmv4L%g&>@U9_|l>8^CN}`@4<D2aMN&?XXD-HNnsVM`irjv$ z^YVNUx3r1{-o6waQfDp=OG^P+vd;qEvd{UUYc;gF0UwaeacXkw32He^qyoYHjZeFS zo(#C9#&NEdFRcFrj7Q{CJgbmDejNS!H%aF6?;|KJQn_*Ps3pkq9yE~G{0wIS*mo0XIEYH zzIiJ>rbmD;sGXt#jlx7AXSGGcjty)5z5lTGp|M#5DCl0q0|~pNQ%1dP!-1>_7^BA~ zwu+uumJmTCcd)r|Hc)uWm7S!+Dw4;E|5+bwPb4i17Ued>NklnnsG+A{T-&}0=sLM- zY;sA9v@YH>b9#c$Vg{j@+>UULBX=jtu~N^%Y#BB5)pB|$?0Mf7msMD<7eACoP1(XY zPO^h5Brvhn$%(0JSo3KFwEPV&dz8(P41o=mo7G~A*P6wLJ@-#|_A z7>k~4&lbqyP1!la!qmhFBfIfT?nIHQ0j2WlohXk^sZ`?8-vwEwV0~uu{RDE^0yfl$ znua{^`VTZ)-h#ch_6^e2{VPaE@o&55|3dx$z_b6gbqduXJ(Lz(zq&ZbJ6qA4Ac4RT zhJO4KBLN!t;h(eW(?cZJw^swf8lP@tWMZ8GD)zg)siA3!2EJYI(j>WI$=pK!mo!Ry z?q&YkTIbTTr<>=}+N8C_EAR0XQL2&O{nNAXb?33iwo8{M``rUHJgnk z8KgZzZLFf|(O6oeugsm<;5m~4N$2Jm5#dph*@TgXC2_k&d%TG0LPY=Fw)=gf(hy9QmY*D6jCAiq44 zo-k2C+?3*+Wu7xm1w*LEAl`Vsq(sYPUMw|MiXrW)92>rVOAse5Pmx^OSi{y%EwPAE zx|csvE{U3c{vA>@;>xcjdCW15pE31F3aoIBsz@OQRvi%_MMfgar2j3Ob`9e@gLQk# zlzznEHgr|Ols%f*a+B-0klD`czi@RWGPPpR1tE@GB|nwe`td1OwG#OjGlTH zfT#^r?%3Ocp^U0F8Kekck6-Vg2gWs|sD_DTJ%2TR<5H3a$}B4ZYpP=p)oAoHxr8I! 
z1SYJ~v-iP&mNm{ra7!KP^KVpkER>-HFvq*>eG4J#kz1|eu;=~u2|>}TE_5nv2=d!0 z3P~?@blSo^uumuEt{lBsGcx{_IXPO8s01+7DP^yt&>k;<5(NRrF|To2h7hTWBFQ_A z+;?Q$o5L|LlIB>PH(4j)j3`JIb1xA_C@HRFnPnlg{zGO|-RO7Xn}!*2U=Z2V?{5Al z9+iL+n^_T~6Uu{law`R&fFadSVi}da8G>|>D<{(#vi{OU;}1ZnfXy8=etC7)Ae<2S zAlI`&=HkNiHhT0|tQztSLNsRR6v8bmf&$6CI|7b8V4kyJ{=pG#h{1sVeC28&Ho%Fh zwo_FIS}ST-2OF6jNQ$(pjrq)P)@sie#tigN1zSclxJLb-O9V|trp^G8<1rpsj8@+$ z2y27iiM>H8kfd%AMlK|9C>Lkvfs9iSk>k2}tCFlqF~Z_>-uWVQDd$5{3sM%2$du9; z*ukNSo}~@w@DPF)_vS^VaZ)7Mk&8ijX2hNhKom$#PM%bzSA-s$ z0O!broj`!Nuk)Qcp3(>dL|5om#XMx2RUSDMDY9#1|+~fxwP}1I4iYy4j$CGx3jD&eKhf%z`Jn z7mD!y6`nVq%&Q#5yqG`|+e~1$Zkgu!O(~~pWSDTw2^va3u!DOMVRQ8ycq)sk&H%vb z;$a`3gp74~I@swI!ILOkzVK3G&SdTcVe~RzN<+z`u(BY=yuwez{#T3a_83)8>2!X?`^02zVjqx-fN+tW`zCqH^XG>#Ies$qxa!n4*FF0m zxgJlPPYl*q4ylX;DVu3G*I6T&JyWvs`A(*u0+62=+ylt2!u)6LJ=Qe1rA$OWcNCmH zLu7PwMDY#rYQA1!!ONNcz~I^uMvi6N&Lo4dD&HF?1Su5}COTZ-jwR)-zLq=6@bN}X zSP(-MY`TOJ@1O`bLPphMMSWm+YL{Ger>cA$KT~)DuTl+H)!2Lf`c+lZ0ipxd>KfKn zIv;;eEmz(_(nwW24a+>v{K}$)A?=tp+?>zAmfL{}@0r|1>iFQfJ5C*6dKdijK=j16 zQpl4gl93ttF5@d<9e2LoZ~cqkH)aFMgt(el_)#OG4R4Hnqm(@D*Uj>2ZuUCy)o-yy z_J|&S-@o5#2IMcL(}qWF3EL<4n(`cygenA)G%Ssi7k4w)LafelpV5FvS9uJES+(Ml z?rzZ={vYrB#mB-Hd#ID{KS5dKl-|Wh_~v+Lvq3|<@w^MD-RA{q!$gkUUNIvAaex5y z)jIGW{#U=#UWyku7FIAB=TES8>L%Y9*h2N`#Gghie+a?>$CRNth?ORq)!Tde24f5K zKh>cz5oLC;ry*tHIEQEL>8L=zsjG7+(~LUN5K1pT`_Z-4Z}k^m%&H%g3*^e(FDCC{ zBh~eqx%bY?qqu_2qa+9A+oS&yFw^3nLRsN#?FcZvt?*dZhRC_a%Jd{qou(p5AG_Q6 ziOJMu8D~kJ7xEkG(69$Dl3t1J592=Olom%;13uZvYDda08YwzqFlND-;YodmA!SL) z!AOSI=(uCnG#Yo&BgrH(muUemmhQW7?}IHfxI~T`44wuLGFOMdKreQO!a=Z-LkH{T z@h;`A_l2Pp>Xg#`Vo@-?WJn-0((RR4uKM6P2*^-qprHgQhMzSd32@ho>%fFMbp9Y$ zx-#!r8gEu;VZN(fDbP7he+Nu7^o3<+pT!<<>m;m z=FC$N)wx)asxb_KLs}Z^;x*hQM}wQGr((&=%+=#jW^j|Gjn$(qqXwt-o-|>kL!?=T zh0*?m<^>S*F}kPiq@)Cp+^fnKi2)%<-Tw4K3oHwmI-}h}Kc^+%1P!D8aWp!hB@-ZT zybHrRdeYlYulEj>Bk zEIi|PU0eGg&~kWQ{q)gw%~bFT0`Q%k5S|tt!JIZXVXX=>er!7R^w>zeQ%M-(C|eOQG>5i|}i3}X#?aqAg~b1t{-fqwKd(&CyA 
zmyy)et*E}+q_lEqgbClewiJ=u@bFX}LKe)5o26K9fS;R`!er~a?lUCKf60`4Zq7{2q$L?k?IrAdcDu+ z4A0QJBUiGx&$TBASI2ASM_Wj{?fjv=CORO3GZz;1X*AYY`anM zI`M6C%8OUFSc$tKjiFJ|V74Yj-lK&Epi7F^Gp*rLeDTokfW#o6sl33W^~4V|edbS1 zhx%1PTdnI!C96iYqSA=qu6;p&Dd%)Skjjw0fyl>3k@O?I@x5|>2_7G#_Yc2*1>=^# z|H43bJDx$SS2!vkaMG!;VRGMbY{eJhT%FR{(a+RXDbd4OT?DRoE(`NhiVI6MsUCsT z1gc^~Nv>i;cIm2~_SYOfFpkUvV)(iINXEep;i4>&8@N#|h+_;DgzLqh3I#lzhn>cN zjm;m6U{+JXR2Mi)=~WxM&t9~WShlyA$Pnu+VIW2#;0)4J*C!{1W|y1TP{Q;!tldR< zI7aoH&cMm*apW}~BabBT;`fQ1-9q|!?6nTzmhiIo6fGQlcP{pu)kJh- zUK&Ei9lArSO6ep_SN$Lt_01|Y#@Ksznl@f<+%ku1F|k#Gcwa`(^M<2%M3FAZVb99?Ez4d9O)rqM< zCbYsdZlSo{X#nKqiRA$}XG}1Tw@)D|jGKo1ITqmvE4;ovYH{NAk{h8*Ysh@=nZFiF zmDF`@4do#UDKKM*@wDbwoO@tPx4aExhPF_dvlR&dB5>)W=wG6Pil zq{eBzw%Ov!?D+%8&(uK`m7JV7pqNp-krMd>ECQypq&?p#_3wy){eW{(2q}ij{6bfmyE+-ZO z)G4OtI;ga9;EVyKF6v3kO1RdQV+!*>tV-ditH-=;`n|2T zu(vYR*BJSBsjzFl1Oy#DpL=|pfEY4NM;y5Yly__T*Eg^3Mb_()pHwn)mAsh!7Yz-Z zY`hBLDXS4F^{>x=oOphq|LMo;G!C(b2hS9A6lJqb+e$2af}7C>zW2p{m18@Bdd>iL zoEE$nFUnaz_6p${cMO|;(c1f9nm5G5R;p)m4dcC1?1YD=2Mi&20=4{nu>AV#R^d%A zsmm_RlT#`;g~an9mo#O1dYV)2{mgUWEqb*a@^Ok;ckj;uqy{%*YB^({d{^V)P9VvP zC^qbK&lq~}TWm^RF8d4zbo~bJuw zFV!!}b^4BlJ0>5S3Q>;u*BLC&G6Fa5V|~w&bRZ*-YU>df6%qAvK?%Qf+#=M-+JqLw&w*l4{v7XTstY4j z26z69U#SVzSbY9HBXyD;%P$#vVU7G*Yb-*fy)Qpx?;ed;-P24>-L6U+OAC9Jj63kg zlY`G2+5tg1szc#*9ga3%f9H9~!(^QjECetX-PlacTR+^g8L<#VRovPGvsT)ln3lr= zm5WO@!NDuw+d4MY;K4WJg3B|Sp|WdumpFJO>I2tz$72s4^uXljWseYSAd+vGfjutO z-x~Qlct+BnlI+Iun)fOklxPH?30i&j9R$6g5^f&(x7bIom|FLKq9CUE);w2G>}vye zxWvEaXhx8|~2j)({Rq>0J9}lzdE`yhQ(l$z! 
z;x%d%_u?^4vlES_>JaIjJBN|N8z5}@l1#PG_@{mh`oWXQOI41_kPG}R_pV+jd^PU) zEor^SHo`VMul*80-K$0mSk|FiI+tHdWt-hzt~S>6!2-!R&rdL_^gGGUzkPe zEZkUKU=EY(5Ex)zeTA4-{Bkbn!Gm?nuaI4jLE%X;zMZ7bwn4FXz(?az;9(Uv;38U6 zi)}rA3xAcD2&6BY<~Pj9Q1~4Dyjs&!$)hyHiiTI@%qXd~+>> zW}$_puSSJ^uWv$jtWakn}}@eX6_LGz|7M#$!3yjY ztS{>HmQ%-8u0@|ig{kzD&CNK~-dIK5e{;@uWOs8$r>J7^c2P~Pwx%QVX0e8~oXK0J zM4HCNK?%t6?v~#;eP#t@tM$@SXRt;(b&kU7uDzlzUuu;+LQ5g%=FqpJPGrX8HJ8CS zITK|(fjhs3@CR}H4@)EjL@J zV_HPexOQ!@k&kvsQG)n;7lZaUh>{87l4NS_=Y-O9Ul3CaKG8iy+xD=QXZSr57a-hb z7jz3Ts-NVsMI783OPEdlE|e&a2;l^h@e>oYMh5@=Lte-9A+20|?!9>Djl~{XkAo>0p9`n&nfWGdGAfT-mSYW z1cvG>GT9dRJdcm7M_AG9JX5AqTCdJ6MRqR3p?+FvMxp(oB-6MZ`lRzSAj%N(1#8@_ zDnIIo9Rtv12(Eo}k_#FILhaZQ`yRD^Vn5tm+IK@hZO>s=t5`@p1#k?Umz2y*R64CF zGM-v&*k}zZ%Xm<_?1=g~<*&3KAy;_^QfccIp~CS7NW24Tn|mSDxb%pvvi}S}(~`2# z3I|kD@||l@lAW06K2%*gHd4x9YKeXWpwU%!ozYcJ+KJeX!s6b94j!Qyy7>S!wb?{qaMa`rpbU1phn0EpF}L zsBdZc|Im#iRiQmJjZwb5#n;`_O{$Zu$I zMXqbfu0yVmt!!Y`Fzl}QV7HUSOPib#da4i@vM$0u2FEYytsvrbR#ui9lrMkZ(AVVJ zMVl^Wi_fSRsEXLA_#rdaG%r(@UCw#o7*yBN)%22b)VSNyng6Lxk|2;XK3Qb=C_<`F zN##8MLHz-s%&O6JE~@P1=iHpj8go@4sC7*AWe99tuf$f7?2~wC&RA^UjB*2`K!%$y zSDzMd7}!vvN|#wDuP%%nuGk8&>N)7eRxtqdMXHD1W%hP7tYW{W>^DJp`3WS>3}i+$ z_li?4AlEj`r=!SPiIc+NNUZ9NCrMv&G0BdQHBO&S7d48aB)LfGi@D%5CC1%)1hVcJ zB~=yNC}LBn(K?cHkPmAX$5^M7JSnNkcc!X!0kD&^F$cJmRP(SJ`9b7}b)o$rj=BZ- zC;BX3IG94%Qz&(V$)7O~v|!=jd-yU1(6wd1u;*$z4DDe6+BFLhz>+8?59?d2Ngxck zm92yR!jk@MP@>>9FtAY2L+Z|MaSp{MnL-;fm}W3~fg!9TRr3;S@ysLf@#<)keHDRO zsJI1tP`g3PNL`2(8hK3!4;r|E-ZQbU0e-9u{(@du`4wjGj|A!QB&9w~?OI1r}M? 
zw)6tvsknfPfmNijZ;3VZX&HM6=|&W zy6GIe3a?_(pRxdUc==do9?C&v7+6cgIoL4)Ka^bOG9`l;S|QmVzjv%)3^PDi@=-cp z=!R0bU<@_;#*D}e1m@0!%k=VPtyRAkWYW(VFl|eu0LteWH7eDB%P|uF7BQ-|D4`n; z)UpuY1)*s32UwW756>!OoAq#5GAtfrjo*^7YUv^(eiySE?!TQzKxzqXE@jM_bq3Zq zg#1orE*Zd5ZWEpDXW9$=NzuadNSO*NW)ZJ@IDuU`w}j_FRE4-QS*rD4mPVQPH(jGg z+-Ye?3%G%=DT5U1b+TnNHHv(nz-S?3!M4hXtEB@J4WK%%p zkv=Bb`1DHmgUdYo>3kwB(T>Ba#DKv%cLp2h4r8v}p=Np}wL!&PB5J-w4V4REM{kMD z${oSuAw9?*yo3?tNp~X5WF@B^P<6L0HtIW0H7^`R8~9zAXgREH`6H{ntGu$aQ;oNq zig;pB^@KMHNoJcEb0f1fz+!M6sy?hQjof-QoxJgBM`!k^T~cykcmi^s_@1B9 z)t1)Y-ZsV9iA&FDrVoF=L7U#4&inXk{3+Xm9A|R<=ErgxPW~Fq zqu-~x0dIBlR+5_}`IK^*5l3f5$&K@l?J{)_d_*459pvsF*e*#+2guls(cid4!N%DG zl3(2`az#5!^@HNRe3O4(_5nc+){q?ENQG2|uKW0U0$aJ5SQ6hg>G4OyN6os76y%u8qNNHi;}XnRNwpsfn^!6Qt(-4tE`uxaDZ`hQp#aFX373|F?vjEiSEkV>K)cTBG+UL#wDj0_ zM9$H&-86zP=9=5_Q7d3onkqKNr4PAlF<>U^^yYAAEso|Ak~p$3NNZ$~4&kE9Nj^As zQPoo!m*uZ;z1~;#g(?zFECJ$O2@EBy<;F)fnQxOKvH`MojG5T?7thbe%F@JyN^k1K zn3H*%Ymoim)ePf)xhl2%$T)vq3P=4ty%NK)@}po&7Q^~o3l))Zm4<75Y!fFihsXJc z9?vecovF^nYfJVg#W~R3T1*PK{+^YFgb*7}Up2U#)oNyzkfJ#$)PkFxrq_{Ai?0zk zWnjq_ixF~Hs7YS9Y6H&8&k0#2cAj~!Vv4{wCM zi2f1FjQf+F@=BOB)pD|T41a4AEz+8hnH<#_PT#H|Vwm7iQ0-Tw()WMN za0eI-{B2G{sZ7+L+^k@BA)G;mOFWE$O+2nS|DzPSGZ)ede(9%+8kqu4W^wTn!yZPN z7u!Qu0u}K5(0euRZ$7=kn9DZ+llruq5A_l) zOK~wof7_^8Yeh@Qd*=P!gM)lh`Z@7^M?k8Z?t$$vMAuBG>4p56Dt!R$p{)y>QG}it zGG;Ei```7ewXrbGo6Z=!AJNQ!GP8l13m7|FIQTFZTpIg#kpZkl1wj)s1eySXjAAWy zfl;;@{QQ;Qnb$@LY8_Z&7 z6+d98F?z2Zo)sS)z$YoL(zzF>Ey8u#S_%n7)XUX1Pu(>e8gEUU1S;J=EH(#`cWi1+ zoL$5TN+?#NM8=4E7HOk)bf5MXvEo%he5QcB%_5YQ$cu_j)Pd^@5hi}d%nG}x9xXtD-JMQxr;KkC=r_dS-t`lf zF&CS?Lk~>U^!)Y0LZqNVJq+*_#F7W~!UkvZfQhzvW`q;^X&iv~ zEDDGIQ&(S;#Hb(Ej4j+#D#sDS_uHehlY0kZsQpktc?;O z22W1b%wNcdfNza<1M2{*mAkM<{}@(w`VuQ<^lG|iYSuWBD#lYK9+jsdA+&#;Y@=zXLVr840Nq_t5))#7}2s9pK* zg42zd{EY|#sIVMDhg9>t6_Y#O>JoG<{GO&OzTa;iA9&&^6=5MT21f6$7o@nS=w;R) znkgu*7Y{UNPu7B9&B&~q+N@@+%&cO0N`TZ-qQ|@f@e0g2BI+9xO$}NzMOzEbSSJ@v z1uNp(S z-dioXc$5YyA6-My@gW~1GH($Q?;GCHfk{ej-{Q^{iTFs1^Sa67RNd5y{cjX1tG+$& 
zbGrUte{U1{^Z_qpzW$-V!pJz$dQZrL5i(1MKU`%^= z^)i;xua4w)evDBrFVm)Id5SbXMx2u7M5Df<2L4B`wy4-Y+Wec#b^QJO|J9xF{x#M8 zuLUer`%ZL^m3gy?U&dI+`kgNZ+?bl3H%8)&k84*-=aMfADh&@$xr&IS|4{3$v&K3q zZTn&f{N(#L6<-BZYNs4 zB*Kl*@_IhGXI^_8zfXT^XNmjJ@5E~H*wFf<&er?p7suz85)$-Hqz@C zGMFg1NKs;otNViu)r-u{SOLcqwqc7$poPvm(-^ag1m71}HL#cj5t4Hw(W?*fi4GSH z9962NZ>p^ECPqVc$N}phy>N8rQsWWm%%rc5B4XLATFEtffX&TM2%|8S2Lh_q; zCytXua84HBnSybW-}(j z3Zwv4CaK)jC!{oUvdsFRXK&Sx@t)yGm(h65$!WZ!-jL52no}NX6=E<=H!aZ74h_&> zZ+~c@k!@}Cs84l{u+)%kg4fq~pOeTK3S4)gX~FKJw4t9ba!Ai{_gkKQYQvafZIyKq zX|r4xgC(l%JgmW!tvR&yNt$6uME({M`uNIi7HFiPEQo_UMRkl~12&4c& z^se;dbZWKu7>dLMg`IZq%@b@ME?|@{&xEIZEU(omKNUY? z`JszxNghuO-VA;MrZKEC0|Gi0tz3c#M?aO?WGLy64LkG4T%|PBIt_?bl{C=L@9e;A zia!35TZI7<`R8hr06xF62*rNH5T3N0v^acg+;ENvrLYo|B4!c^eILcn#+lxDZR!%l zjL6!6h9zo)<5GrSPth7+R(rLAW?HF4uu$glo?w1U-y}CR@%v+wSAlsgIXn>e%bc{FE;j@R0AoNIWf#*@BSngZ)HmNqkB z)cs3yN%_PT4f*K+Y1wFl)be=1iq+bb1G-}b|72|gJ|lMt`tf~0Jk}zMbS0+M-Mq}R z>Bv}-W6J%}j#dIz`Z0}zD(DGKn`R;E8A`)$a6qDfr(c@iHKZcCVY_nJEDpcUddGH* z*ct2$&)RelhmV}@jGXY>3Y~vp;b*l9M+hO}&x`e~q*heO8GVkvvJTwyxFetJC8VnhjR`5*+qHEDUNp16g`~$TbdliLLd}AFf}U+Oda1JXwwseRFbj?DN96;VSX~z?JxJSuA^BF}262%Z0)nv<6teKK`F zfm9^HsblS~?Xrb1_~^=5=PD!QH$Y1hD_&qe1HTQnese8N#&C(|Q)CvtAu6{{0Q%ut8ESVdn&& z4y%nsCs!$(#9d{iVjXDR##3UyoMNeY@_W^%qyuZ^K3Oa4(^!tDXOUS?b2P)yRtJ8j zSX}@qGBj+gKf;|6Kb&rq`!}S*cSu-3&S>=pM$eEB{K>PP~I}N|uGE|`3U#{Q6v^kO4nIsaq zfPld}c|4tVPI4!=!ETCNW+LjcbmEoxm0RZ%ieV0`(nVlWKClZW5^>f&h79-~CF(%+ zv|KL(^xQ7$#a}&BSGr9zf{xJ(cCfq>UR*>^-Ou_pmknCt6Y--~!duL{k2D{yLMl__ z!KeMRRg&EsD2s|cmy?xgK&XcGIKeos`&UEVhBTw;mqy|8DlP1M7PYS2z{YmTJ;n!h znPe(Qu?c7+xZz!Tm1AnE8|;&tf7fW$2dArX7ck1Jd(S1+91YB8bjISRZ`UL*?vb{b zMp*!Xq7VaLc0Ogqj5qmop8NREQ{9_iC$;tviZlubGLy1jLlIFBxAymMr@SDLAcx+) z5YRkl$bW**X)W0JzWNcLx9>fTqJj00ipY6Ua?mUlsgQrVVgpmaheE;RgA5U_+WsPh z9+X|PU4zFyNxZ2?Q+V`Mo{xH~(m}OMRZa<&$nCl7o4x`^^|V4?aPz8#KwFm=8T6_} z8=P_4$_rD2a%7}}HT6VQ>ZGKW=QF7zI-2=6oBNZR$HVn|gq`>l$HZ`48lkM7%R$>MS& zghR`WZ9Xrd_6FaDedH6_aKVJhYev*2)UQ>!CRH3PQ_d9nXlO;c 
z9PeqiKD@aGz^|mvD-tV<{BjfA;)B+76!*+`$CZOJ=#)}>{?!9fAg(Xngbh||n=q*C zU0mGP`NxHn$uY#@)gN<0xr)%Ue80U{-`^FX1~Q@^>WbLraiB|c#4v$5HX)0z!oA#jOXPyWg! z8EC}SBmG7j3T&zCenPLYA{kN(3l62pu}91KOWZl? zg~>T4gQ%1y3AYa^J|>ba$7F5KlVx}_&*~me*q-SYLBCXZFU=U8mHQD4K!?;B61NoX z?VS41SS&jHyhmB~+bC=w0a06V``ZXCkC~}oM9pM{$hU~-s_elYPmT1L!%B`?*<+?( zFQ@TP%y+QL`_&Y0A3679pe5~iL=z)$b)k!oSbJRyw+K};SGAvvE=|<~*aiwJc?uE@2?7a1i9|3=^N%*9smt3ZIhjY>gIsr{Q2rX(NovZ7I1n^V{ z#~(1ze-%`C>fM`^hCV**9BA-04lNuu&3=reevNOMwmX(A{yh`^c8%0mjAKMj{Th05 zXrM(zILwyL-Pcdw^(=gj(ZLVMA95zlzmLa^skb8tQq%8SV&4vp?S>L3+P4^tp`$xA zr38jBw0ItR`VbO5vB1`<3d})}aorkIU1z3*ifYN&Lpp)}|}QJS60th_v-EEkAM zyOREuj!Ou|pVeZEWg;$Hf!x;xAmFu7gB^UR$=L0BuZ~thLC@#moJ(@@wejR|`t_K@ zuQ{XmpAWz%o&~2dk!SIGR$EmpZY)@+r^gvX26%)y>1u2bt~JUPTQzQu&_tB)|{19)&n$m5Fhw0A-8S1^%XpAD%`#a z_ModVxsM|x!m3N1vRt_XEL`O-+J3cMsM1l*dbjT&S0c@}Xxl3I&AeMNT97G3c6%3C zbrZS?2EAKcEq@@Pw?r%eh0YM6z0>&Qe#n+e9hEHK?fzig3v5S#O2IxVLu;a>~c~ZfHVbgLox%_tg)bsC8Rl35P=Jhl+Y=w6zb$ z;*uO%i^U z^mp_QggBILLF$AyjPD41Z0SFdbDj&z&xjq~X|OoM7bCuBfma1CEd!4RKGqPR)K)e}+7^JfFUI_fy63cMyq#&)Z*#w18{S zhC@f9U5k#2S2`d$-)cEoH-eAz{2Qh>YF1Xa)E$rWd52N-@{#lrw3lRqr)z?BGThgO z-Mn>X=RPHQ)#9h{3ciF)<>s{uf_&XdKb&kC!a373l2OCu&y8&n#P%$7YwAVJ_lD-G zX7tgMEV8}dY^mz`R6_0tQ5Eu@CdSOyaI63Vb*mR+rCzxgsjCXLSHOmzt0tA zGoA0Cp&l>rtO@^uQayrkoe#d2@}|?SlQl9W{fmcxY(0*y zHTZ6>FL;$8FEzbb;M(o%mBe-X?o<0+1dH?ZVjcf8)Kyqb07*a zLfP1blbt)=W)TN}4M#dUnt8Gdr4p$QRA<0W)JhWLK3-g82Q~2Drmx4J z;6m4re%igus136VL}MDI-V;WmSfs4guF_(7ifNl#M~Yx5HB!UF)>*-KDQl0U?u4UXV2I*qMhEfsxb%87fi+W;mW5{h?o8!52}VUs*Fpo#aSuXk(Ug z>r>xC#&2<9Uwmao@iJQ|{Vr__?eRT2NB$OcoXQ-jZ{t|?Uy{7q$nU-i|&-R6fHPWJDgHZ69iVbK#Ab@2@y zPD*Gj=hib?PWr8NGf;g$o5I!*n>94Z!IfqRm zLvM>Gx$Y*rEL3Z-+lS42=cnEfXR)h1z`h8a+I%E_ss%qXsrgIV%qv9d|KT>fV5=3e zw>P#ju>2naGc{=6!)9TeHq$S9Pk|>$UCEl}H}lE@;0(jbNT9TXUXyss>al>S4DuGi zVCy;Qt=a2`iu2;TvrIkh2NTvNV}0)qun~9y1yEQMdOf#V#3(e(C?+--8bCsJu={Q1z5qNJIk&yW>ZnVm;A=fL~29lvXQ*4j(SLau?P zi8LC7&**O!6B6=vfY%M;!p2L2tQ+w3Y!am{b?14E`h4kN$1L0XqT5=y=DW8GI_yi% 
zlIWsjmf0{l#|ei>)>&IM4>jXH)?>!fK?pfWIQn9gT9N(z&w3SvjlD|u*6T@oNQRF6 zU5Uo~SA}ml5f8mvxzX>BGL}c2#AT^6Lo-TM5XluWoqBRin$tiyRQK0wJ!Ro+7S!-K z=S95p-(#IDKOZsRd{l65N(Xae`wOa4Dg9?g|Jx97N-7OfHG(rN#k=yNGW0K$Tia5J zMMX1+!ulc1%8e*FNRV8jL|OSL-_9Nv6O=CH>Ty(W@sm`j=NFa1F3tT$?wM1}GZekB z6F_VLMCSd7(b9T%IqUMo$w9sM5wOA7l8xW<(1w0T=S}MB+9X5UT|+nemtm_;!|bxX z_bnOKN+F30ehJ$459k@=69yTz^_)-hNE4XMv$~_%vlH_y^`P1pLxYF6#_IZyteO`9wpuS> z#%Vyg5mMDt?}j!0}MoBX|9PS0#B zSVo6xLVjujMN57}IVc#A{VB*_yx;#mgM4~yT6wO;Qtm8MV6DX?u(JS~JFA~PvEl%9 z2XI}c>OzPoPn_IoyXa2v}BA(M+sWq=_~L0rZ_yR17I5c^m4;?2&KdCc)3lCs!M|0OzH@(PbG8T6w%N zKzR>%SLxL_C6~r3=xm9VG8<9yLHV6rJOjFHPaNdQHHflp><44l>&;)&7s)4lX%-er znWCv8eJJe1KAi_t1p%c4`bgxD2(1v)jm(gvQLp2K-=04oaIJu{F7SIu8&)gyw7x>+ zbzYF7KXg;T71w!-=C0DjcnF^JP$^o_N>*BAjtH!^HD6t1o?(O7IrmcodeQVDD<*+j zN)JdgB6v^iiJ1q`bZ(^WvN{v@sDqG$M9L`-UV!3q&sWZUnQ{&tAkpX(nZ_L#rMs}>p7l0fU5I5IzArncQi6TWjP#1B=QZ|Uqm-3{)YPn=XFqHW-~Fb z^!0CvIdelQbgcac9;By79%T`uvNhg9tS><pLzXePP=JZzcO@?5GRAdF4)sY*)YGP* zyioMa3=HRQz(v}+cqXc0%2*Q%CQi%e2~$a9r+X*u3J8w^Shg#%4I&?!$})y@ zzg8tQ6_-`|TBa_2v$D;Q(pFutj7@yos0W$&__9$|Yn3DFe*)k{g^|JIV4bqI@2%-4kpb_p? 
zQ4}qQcA>R6ihbxnVa{c;f7Y)VPV&mRY-*^qm~u3HB>8lf3P&&#GhQk8uIYYgwrugY zei>mp`YdC*R^Cxuv@d0V?$~d*=m-X?1Fqd9@*IM^wQ_^-nQEuc0!OqMr#TeT=8W`JbjjXc-Dh3NhnTj8e82yP;V_B<7LIejij+B{W1ViaJ_)+q?$BaLJpxt_4@&(?rWC3NC-_Z9Sg4JJWc( zX!Y34j67vCMHKB=JcJ1|#UI^D^mn(i=A5rf-iV7y4bR5HhC=I`rFPZv4F>q+h?l34 z4(?KYwZYHwkPG%kK7$A&M#=lpIn3Qo<>s6UFy|J$Zca-s(oM7??dkuKh?f5b2`m57 zJhs4BTcVVmwsswlX?#70uQb*k1Fi3q4+9`V+ikSk{L3K=-5HgN0JekQ=J~549Nd*+H%5+fi6aJuR=K zyD3xW{X$PL7&iR)=wumlTq2gY{LdrngAaPC;Qw_xLfVE0c0Z>y918TQpL!q@?`8{L!el18Qxiki3WZONF=eK$N3)p>36EW)I@Y z7QxbWW_9_7a*`VS&5~4-9!~&g8M+*U9{I2Bz`@TJ@E(YL$l+%<=?FyR#&e&v?Y@@G zqFF`J*v;l$&(A=s`na2>4ExKnxr`|OD+Xd-b4?6xl4mQ94xuk!-$l8*%+1zQU{)!= zTooUhjC0SNBh!&Ne}Q=1%`_r=Vu1c8RuE!|(g4BQGcd5AbpLbvKv_Z~Y`l!mr!sCc zDBupoc{W@U(6KWqW@xV_`;J0~+WDx|t^WeMri#=q0U5ZN7@@FAv<1!hP6!IYX z>UjbhaEv2Fk<6C0M^@J`lH#LgKJ(`?6z5=uH+ImggSQaZtvh52WTK+EBN~-op#EQKYW`$yBmq z4wgLTJPn3;mtbs0m0RO&+EG>?rb*ZECE0#eeSOFL!2YQ$w}cae>sun`<=}m!=go!v zO2jn<0tNh4E-4)ZA(ixh5nIUuXF-qYl>0I_1)K%EAw`D7~la$=gc@6g{iWF=>i_76?Mc zh#l9h7))<|EY=sK!E|54;c!b;Zp}HLd5*-w^6^whxB98v`*P>cj!Nfu1R%@bcp{cb zUZ24(fUXn3d&oc{6H%u(@4&_O?#HO(qd^YH=V`WJ=u*u6Zie8mE^r_Oz zDw`DaXeq4G#m@EK5+p40Xe!Lr!-jTQLCV3?R1|3#`%45h8#WSA!XoLDMS7=t!SluZ4H56;G z6C9D(B6>k^ur_DGfJ@Y-=3$5HkrI zO+3P>R@$6QZ#ATUI3$)xRBEL#5IKs}yhf&fK;ANA#Qj~G zdE|k|`puh$%dyE4R0$7dZd)M*#e7s%*PKPyrS;d%&S(d{_Ktq^!Hpi&bxZx`?9pEw z%sPjo&adHm95F7Z1{RdY#*a!&LcBZVRe{qhn8d{pOUJ{fOu`_kFg7ZVeRYZ(!ezNktT5{Ab z4BZI$vS0$vm3t9q`ECjDK;pmS{8ZTKs`Js~PYv2|=VkDv{Dtt)cLU@9%K6_KqtqfM zaE*e$f$Xm=;IAURNUXw8g%=?jzG2}10ZA5qXzAaJ@eh)yv5B=ETyVwC-a*CD;GgRJ z4J1~zMUey?4iVlS0zW|F-~0nenLiN3S0)l!T2}D%;<}Z9DzeVgcB+MSj;f$KY;uP%UR#f`0u*@6U@tk@jO3N?Fjq< z{cUUhjrr$rmo>qE?52zKe+>6iP5P_tcUfxsLSy{9*)shB(w`UUveNH`a`kr$VEF@} zKh&|lTD;4;m_H6C&)9#D`kRh;S(NTa=Ve^~xe_0~x$6h8Q@B_qu#ee=(lkI9@F6$0m=z@H=4&h%Q{htM>uHs(Sr@2ry`fgLA zKj8lVXdGPyy)2J%A${}Rm_a{){wHnlM?yGPQ7#KO{8*(_l0QZHuV};nO?c%h?qwSL z3wem|w*2tdxW5&PxC(Wd0QG_w|GPbw|0UFK`u$~U%!`QKcME;=Q@?*erh4_>FP~1n zAldwG9h$$u_$RFK6Uxo20GHqJzc}Rl-EwVz3h4n 
z;3~%DwD84i>)-8#&#y3k)3BG5cNaP3?t4q}F%yfv?*yEiC>sSo}$f>nh0QNZXH1N)-Q7kbk=2uL9OrF)nXrE@F1y%_8Yn c82=K%QXLKFx%@O{wJjEi6Y56o#$)Bpeg literal 0 HcmV?d00001 diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..2a84e18 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-9.0.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..ef07e01 --- /dev/null +++ b/gradlew 
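Review bot: gradle-wrapper.properties pins `distributionUrl` to gradle-9.0.0-bin.zip but sets no `distributionSha256Sum`, so the downloaded distribution has no integrity check beyond TLS. Add `distributionSha256Sum=SHA256_OF_GRADLE_9_0_0_BIN_ZIP` (placeholder; take the value from the published Gradle release checksums) so that a substituted archive fails the build. The same series adds the binary `gradle/wrapper/gradle-wrapper.jar`, which cannot be reviewed as a patch, so its checksum should be compared against the published wrapper checksum before merging.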
@@ -0,0 +1,251 @@ +#!/bin/sh + +# +# Copyright © 2015 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH="\\\"\\\"" + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..db3a6ac --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH= + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega From b0291013bb4cd5ee62355ede7c0dea2bf8a93812 Mon Sep 17 00:00:00 2001 
From: sherlockwisdom Date: Sun, 12 Apr 2026 22:18:05 +0100 Subject: [PATCH 06/19] update: Nk looks good - should go to other ones --- .../SecurityAESTest.kt | 9 +- .../SecurityX25519Test.kt | 18 +- .../libsignal/HeadersTest.kt | 17 - .../libsignal/RatchetsTest.kt | 237 ++++--- .../libsignal/StateTest.kt | 3 +- .../libsignal_doubleratchet/CryptoUtils.kt | 77 +++ .../EncryptionController.kt | 647 +++++++++--------- .../SecurityCurve25519.kt | 115 ---- .../extensions/context.kt | 2 + .../libsignal/Protocols.kt | 20 +- .../libsignal/RatchetsHE.kt | 4 +- .../libsignal/States.kt | 2 +- .../src/main/res/values/strings.xml | 1 + 13 files changed, 561 insertions(+), 591 deletions(-) delete mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt delete mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt index ced6619..5b92d58 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt 
@@ -1,17 +1,20 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet +import android.content.Context +import androidx.test.espresso.internal.inject.InstrumentationContext import androidx.test.filters.SmallTest +import androidx.test.platform.app.InstrumentationRegistry +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.generateRandomBytes import org.junit.Assert.assertArrayEquals import org.junit.Test @SmallTest class SecurityAESTest { - + var context: Context = InstrumentationRegistry.getInstrumentation().targetContext @Test fun aesTest() { val secretKey = SecurityAES.generateSecretKey(256) - - val input = CryptoUtils.generateRandomBytes(277) + val input = context.generateRandomBytes(277) val cipher = SecurityAES.encryptAES256CBC(input, secretKey.encoded, null) val output = SecurityAES.decryptAES256CBC(cipher, secretKey.encoded, null) diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt index b8fa7c2..545634d 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt @@ -1,8 +1,11 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet +import android.content.Context import android.security.keystore.KeyGenParameterSpec import android.security.keystore.KeyProperties import androidx.test.filters.SmallTest +import androidx.test.platform.app.InstrumentationRegistry +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols import org.junit.Assert.assertArrayEquals import org.junit.Test import java.security.KeyPairGenerator 
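Review bot: The added `import androidx.test.espresso.internal.inject.InstrumentationContext` in SecurityAESTest.kt is not used by anything visible in this hunk and comes from an Espresso-internal package, so the line should be dropped. `context` is assigned once, so `val context: Context = InstrumentationRegistry.getInstrumentation().targetContext` fits better than `var`. The same applies to the `var context` added in SecurityX25519Test.kt.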
@@ -11,6 +14,9 @@ import java.security.Signature @SmallTest class SecurityX25519Test { + + var context: Context = InstrumentationRegistry.getInstrumentation().targetContext + @Test fun keystoreEd25519() { val keystoreAlias = "keystoreAlias" @@ -48,14 +54,12 @@ class SecurityX25519Test { @Test fun sharedSecret() { - val alice = SecurityCurve25519() - val bob = SecurityCurve25519() - - val alicePubKey = alice.generateKey() - val bobPubKey = bob.generateKey() + val protocols = Protocols(context) + val alice = protocols.generateDH() + val bob = protocols.generateDH() - val aliceSharedSecret = alice.calculateSharedSecret(bobPubKey) - val bobSharedSecret = bob.calculateSharedSecret(alicePubKey) + val aliceSharedSecret = protocols.dh(alice, bob.public) + val bobSharedSecret = protocols.dh(bob, alice.public) assertArrayEquals(aliceSharedSecret, bobSharedSecret) } diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt deleted file mode 100644 index 744e6b9..0000000 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/HeadersTest.kt +++ /dev/null @@ -1,17 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal - -import androidx.test.filters.SmallTest -import junit.framework.TestCase.assertEquals -import org.junit.Test -import java.security.SecureRandom - -@SmallTest -class HeadersTest { - - @Test fun headersTest() { - val header = Headers(SecureRandom.getSeed(32), 0, 0) - val header1 = Headers.deserialize(header.serialized) - - assertEquals(header, header1) - } -} \ No newline at end of file 
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index 4cd94b0..dc3895b 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt @@ -4,9 +4,11 @@ import android.content.Context import androidx.test.filters.SmallTest import androidx.test.platform.app.InstrumentationRegistry import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityCurve25519 +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.sha256 +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.generateRandomBytes +import org.bouncycastle.crypto.params.X25519PublicKeyParameters import org.junit.Assert.assertArrayEquals +import org.junit.Before import org.junit.Test import java.security.SecureRandom 
@@ -14,146 +16,159 @@ import java.security.SecureRandom class RatchetsTest { var context: Context = InstrumentationRegistry.getInstrumentation().targetContext - @Test - fun completeRatchetHETest() { - val aliceEphemeralKeyPair = SecurityCurve25519() - val aliceEphemeralHeaderKeyPair = SecurityCurve25519() - val aliceEphemeralNextHeaderKeyPair = SecurityCurve25519() - - val bobStaticKeyPair = SecurityCurve25519() - val bobEphemeralKeyPair = SecurityCurve25519() - val bobEphemeralHeaderKeyPair = SecurityCurve25519() - val bobEphemeralNextHeaderKeyPair = SecurityCurve25519() - - val aliceNonce = CryptoUtils.generateRandomBytes(16) - val bobNonce = CryptoUtils.generateRandomBytes(16) - - val (aliceSk, aliceSkH, aliceSkNh) = SecurityCurve25519(aliceEphemeralKeyPair.privateKey) - .agreeWithAuthAndNonce( - authenticationPublicKey = bobStaticKeyPair.generateKey(), - authenticationPrivateKey = null, - headerPrivateKey = aliceEphemeralHeaderKeyPair.privateKey, - nextHeaderPrivateKey = aliceEphemeralNextHeaderKeyPair.privateKey, - publicKey = bobEphemeralKeyPair.generateKey(), - headerPublicKey = bobEphemeralHeaderKeyPair.generateKey(), - nextHeaderPublicKey = bobEphemeralNextHeaderKeyPair.generateKey(), - salt = context.getString(R.string.dr_salt).encodeToByteArray(), - nonce1 = aliceNonce, - nonce2 = bobNonce, - info = context.getString(R.string.dr_info).encodeToByteArray() - ) + val protocol = Protocols(context) + + lateinit var aliceRk: ByteArray + lateinit var aliceHk: ByteArray + lateinit var aliceNhk: ByteArray + + lateinit var bobRk: ByteArray + lateinit var bobHk: ByteArray + lateinit var bobNhk: ByteArray + + val aliceKeypair = protocol.generateDH() + val bobStaticKeypair = protocol.generateDH() + val bobKeypair = protocol.generateDH() + + val salt = "completeRatchetTest_v1".encodeToByteArray() + val info = context.generateRandomBytes(16) + + (aliceKeypair.public as X25519PublicKeyParameters).encoded + + (bobKeypair.public as X25519PublicKeyParameters).encoded + + 
(bobStaticKeypair.public as X25519PublicKeyParameters).encoded + + @Before + fun start() { + CryptoUtils.generateKeysNK( + context = context, + ephemeralKeyPair = aliceKeypair, + authenticationPublicKey = bobStaticKeypair.public, + ephemeralPublicKey = bobKeypair.public, + salt = salt, + info = info + ).let { + aliceRk = it.first + aliceHk = it.second + aliceNhk = it.third + } - val (bobSk, bobSkH, bobSkNh) = SecurityCurve25519(bobEphemeralKeyPair.privateKey) - .agreeWithAuthAndNonce( - authenticationPublicKey = null, - authenticationPrivateKey = bobStaticKeyPair.privateKey, - headerPrivateKey = bobEphemeralHeaderKeyPair.privateKey, - nextHeaderPrivateKey = bobEphemeralNextHeaderKeyPair.privateKey, - publicKey = aliceEphemeralKeyPair.generateKey(), - headerPublicKey = aliceEphemeralHeaderKeyPair.generateKey(), - nextHeaderPublicKey = aliceEphemeralNextHeaderKeyPair.generateKey(), - salt = context.getString(R.string.dr_salt).encodeToByteArray(), - nonce1 = aliceNonce, - nonce2 = bobNonce, - info = context.getString(R.string.dr_info).encodeToByteArray() - ) + CryptoUtils.generateKeysNKServer( + context = context, + authenticationKeypair = bobStaticKeypair, + ephemeralKeyPair = bobKeypair, + ephemeralPublicKey = aliceKeypair.public, + salt = salt, + info = info + ).let { + bobRk = it.first + bobHk = it.second + bobNhk = it.third + } - assertArrayEquals(aliceSk, bobSk) - assertArrayEquals(aliceSkH, bobSkH) - assertArrayEquals(aliceSkNh, bobSkNh) + assertArrayEquals(aliceRk, bobRk) + assertArrayEquals(aliceHk, bobHk) + assertArrayEquals(aliceNhk, bobNhk) + } + @Test + fun completeRatchetTest() { + val ratchets = RatchetsHE(context) val aliceState = States() - RatchetsHE.ratchetInitAlice( + ratchets.ratchetInitAlice( state = aliceState, - SK = aliceSk, - bobDhPublicKey = bobEphemeralKeyPair.generateKey(), - sharedHka = aliceSkH, - sharedNhkb = aliceSkNh + sk = aliceRk, + bobDhPublicKey = bobKeypair.public, + sharedHka = aliceHk, + sharedNHka = aliceNhk ) val bobState = 
States() - RatchetsHE.ratchetInitBob( + ratchets.ratchetInitBob( state = bobState, - SK = bobSk, - bobDhPublicKeypair = bobEphemeralKeyPair.getKeypair(), - sharedHka = bobSkH, - sharedNhkb = bobSkNh + sk = bobRk, + bobKeypair = bobKeypair, + sharedHka = bobHk, + sharedNHka = bobNhk ) val originalText = SecureRandom.getSeed(32); - val (encHeader, aliceCipherText) = RatchetsHE.ratchetEncrypt( - aliceState, - originalText, - bobStaticKeyPair.generateKey() - ) - var encHeader1: ByteArray? = null - var aliceCipherText1: ByteArray? = null - for(i in 1..10) { - val (encHeader2, aliceCipherText2) = RatchetsHE.ratchetEncrypt( - aliceState, - originalText, - bobStaticKeyPair.generateKey() - ) - encHeader1 = encHeader2 - aliceCipherText1 = aliceCipherText2 - } + val ad = "RatchetsTest".encodeToByteArray().sha256() + var ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) - val bobPlainText = RatchetsHE.ratchetDecrypt( + var plaintext = ratchets.ratchetDecrypt( state = bobState, - encHeader = encHeader, - cipherText = aliceCipherText, - AD = bobStaticKeyPair.generateKey() + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad ) - val bobPlainText1 = RatchetsHE.ratchetDecrypt( + assertArrayEquals(originalText, plaintext) + + ratchetPayload = ratchets.ratchetEncrypt( state = bobState, - encHeader = encHeader1!!, - cipherText = aliceCipherText1!!, - AD = bobStaticKeyPair.generateKey() + plaintext = originalText, + ad = ad ) - assertArrayEquals(originalText, bobPlainText) - assertArrayEquals(originalText, bobPlainText1) + plaintext = ratchets.ratchetDecrypt( + state = aliceState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) } @Test - fun completeRatchetTest() { - val alice = SecurityCurve25519() - val bob = SecurityCurve25519() - - val SK = alice.calculateSharedSecret(bob.generateKey()) - val SK1 = 
bob.calculateSharedSecret(alice.generateKey()) - assertArrayEquals(SK, SK1) - + fun completeRatchetOutOfOrderTest() { + val ratchets = RatchetsHE(context) val aliceState = States() - Ratchets.ratchetInitAlice(aliceState, SK, bob.generateKey()) + ratchets.ratchetInitAlice( + state = aliceState, + sk = aliceRk, + bobDhPublicKey = bobKeypair.public, + sharedHka = aliceHk, + sharedNHka = aliceNhk + ) val bobState = States() - Ratchets.ratchetInitBob(bobState, SK, bob.getKeypair()) + ratchets.ratchetInitBob( + state = bobState, + sk = bobRk, + bobKeypair = bobKeypair, + sharedHka = bobHk, + sharedNHka = bobNhk + ) val originalText = SecureRandom.getSeed(32); - val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, - bob.generateKey()) - - var header1: Headers? = null - var aliceCipherText1: ByteArray? = null - for(i in 1..10) { - val (header, aliceCipherText) = Ratchets.ratchetEncrypt(aliceState, originalText, - bob.generateKey()) - header1 = header - aliceCipherText1 = aliceCipherText - } - val bobPlainText = Ratchets.ratchetDecrypt(bobState, header, aliceCipherText, - bob.generateKey()) + val ad = "RatchetsTest".encodeToByteArray().sha256() + var ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + for(i in 1..5) { + ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + } - val bobPlainText1 = Ratchets.ratchetDecrypt(bobState, header1, aliceCipherText1, - bob.generateKey()) - println(bobState.serialize()) + val plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) - assertArrayEquals(originalText, bobPlainText) - assertArrayEquals(originalText, bobPlainText1) + assertArrayEquals(originalText, plaintext) } } 
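Review bot: `completeRatchetOutOfOrderTest` never delivers a message out of order: it encrypts six payloads, overwrites `ratchetPayload` each time and decrypts only the last one. That shows Bob can skip ahead, but not that a delayed earlier message still decrypts afterwards, so the skipped-message-key path of `ratchetDecrypt` is presumably left unexercised (RatchetsHE itself is not visible here). Keep the first payload and decrypt it after the last one, as sketched below. A case where a modified `ad` or ciphertext is expected to fail would also be worth adding to this class.

```kotlin
// in completeRatchetOutOfOrderTest: keep the first payload instead of overwriting it
val firstPayload = ratchets.ratchetEncrypt(
    state = aliceState,
    plaintext = originalText,
    ad = ad
)
var ratchetPayload = firstPayload
// … unchanged: the 1..5 encrypt loop, decrypt of the last payload and its assert …

// deliver the delayed first message after the later one
val delayedPlaintext = ratchets.ratchetDecrypt(
    state = bobState,
    encHeader = firstPayload.header,
    cipherText = firstPayload.cipherText,
    ad = ad
)
assertArrayEquals(originalText, delayedPlaintext)
```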
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt index 42c254e..addb3f4 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/StateTest.kt @@ -1,5 +1,6 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal +import android.util.Pair import androidx.test.filters.SmallTest import junit.framework.TestCase.assertEquals import kotlinx.serialization.json.Json @@ -11,8 +12,6 @@ class StateTest { @Test fun testStates() { val state = States() - state.DHs = android.util.Pair(SecureRandom.getSeed(32), - SecureRandom.getSeed(32)) val serializedStates = Json.encodeToString(state) val deserializedStates = Json.decodeFromString(serializedStates) assertEquals(state, deserializedStates) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt index 8060e1d..f73ea4c 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt 
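Review bot: With the `state.DHs = ...` assignment removed, `testStates` in StateTest.kt round-trips only a default-constructed `States()`, so it no longer shows that populated key material survives `Json.encodeToString` and `decodeFromString`. Set at least the fields the ratchet writes before serializing, using whatever types States.kt now declares for them; that file changes in this commit but its fields are not visible here. The first hunk of this file adds `import android.util.Pair` while the second removes the only visible use of that class, so the import looks unused and can be dropped.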
@@ -1,8 +1,13 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet +import android.content.Context import at.favre.lib.hkdf.HKDF +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols import com.google.common.primitives.Bytes +import org.bouncycastle.crypto.AsymmetricCipherKeyPair +import org.bouncycastle.crypto.CipherParameters import java.security.GeneralSecurityException +import java.security.MessageDigest import java.security.SecureRandom import javax.crypto.Mac import javax.crypto.SecretKey 
@@ -32,4 +37,76 @@ object CryptoUtils { return output } + fun generateKeysNK( + context: Context, + ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationPublicKey: CipherParameters, + ephemeralPublicKey: CipherParameters, + salt: ByteArray, + info: ByteArray, + ): Triple { + val protocols = Protocols(context) + val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + return hkdf( + ikm = dh1, + salt = salt, + info = info, + len = 32, + ).run { + hkdf( + ikm = dh2, + salt = this, + info = info, + len = 96, + ).run { + Triple( + this.sliceArray(0 until 32), + this.sliceArray(32 until 64), + this.sliceArray(64 until 96), + ) + } + } + } + + fun generateKeysNKServer( + context: Context, + authenticationKeypair: AsymmetricCipherKeyPair, + ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralPublicKey: CipherParameters, + salt: ByteArray, + info: ByteArray, + ): Triple { + val protocols = Protocols(context) + val dh1 = protocols.dh(authenticationKeypair, ephemeralPublicKey) + val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + return hkdf( + ikm = dh1, + salt = salt, + info = info, + len = 32, + ).run { + hkdf( + ikm = dh2, + salt = this, + info = info, + len = 96, + ).run { + Triple( + this.sliceArray(0 until 32), + this.sliceArray(32 until 64), + this.sliceArray(64 until 96), + ) + } + } + } + + fun ByteArray.sha256(): ByteArray { + return MessageDigest + .getInstance("SHA-256") + .digest(this) + } + + + } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt index a72bed4..26e3f7a 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt 
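Review bot: `generateKeysNK` and `generateKeysNKServer` repeat the same two-step HKDF chain line for line and differ only in which key pair produces `dh1`, so a later edit to one side alone would leave initiator and responder deriving different keys with no error until decryption fails. Moving the chain into one private helper that both functions call removes that risk; the excerpt below assumes `protocols.dh` and `hkdf` return `ByteArray`, which the hunk suggests but does not show. A KDoc line on each function should also state which party calls it and what each of the three 32-byte slices is used for, since the `Triple` positions carry no names. Each call also builds a new `Protocols(context)`, and the `init` block visible in the Protocols.kt hunk on this page removes and re-adds the BouncyCastle provider, so building it once and reusing it would avoid repeating that process-wide change on every handshake.

```kotlin
private fun deriveNkKeys(
    dh1: ByteArray,
    dh2: ByteArray,
    salt: ByteArray,
    info: ByteArray,
): Triple<ByteArray, ByteArray, ByteArray> {
    // First DH output keys the chain; second DH output expands to the three 32-byte keys.
    val chainKey = hkdf(ikm = dh1, salt = salt, info = info, len = 32)
    val okm = hkdf(ikm = dh2, salt = chainKey, info = info, len = 96)
    return Triple(
        okm.sliceArray(0 until 32),
        okm.sliceArray(32 until 64),
        okm.sliceArray(64 until 96),
    )
}

// … unchanged: generateKeysNK / generateKeysNKServer signatures and their two protocols.dh calls …
    return deriveNkKeys(dh1, dh2, salt, info)
```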
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt @@ -11,7 +11,6 @@ import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getKeyp import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.saveBinaryDataEncrypted import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.setKeypairValues import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Headers -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Ratchets import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.States import com.google.gson.Gson import kotlinx.coroutines.CoroutineScope 
@@ -23,326 +22,326 @@ import kotlinx.coroutines.launch import kotlinx.coroutines.withContext import kotlinx.serialization.Serializable -object EncryptionController { - - @Serializable - enum class SecureRequestMode { - REQUEST_NONE, - REQUEST_REQUESTED, - REQUEST_RECEIVED, - REQUEST_ACCEPTED, - } - - enum class MessageRequestType(val code: Byte) { - TYPE_REQUEST(0x01.toByte()), - TYPE_ACCEPT(0x02.toByte()), - TYPE_MESSAGE(0x03.toByte()); - - companion object { - fun fromCode(code: Byte): MessageRequestType? = - entries.find { it.code == code } // Kotlin 1.9+, use values() before that - - fun fromMessage(message: ByteArray): MessageRequestType? = - entries.find { it.code == message[0] } // Kotlin 1.9+, use values() before that - } - } - - private fun extractRequestPublicKey( publicKey: ByteArray) : ByteArray { - val lenPubKey = publicKey[1].toInt() - return publicKey.drop(2).toByteArray() - } - - private fun extractMessage(data: ByteArray) : Pair { - val lenHeader = data[1].toInt() - val lenMessage = data[2].toInt() - val header = data.copyOfRange(3, 3 + lenHeader) - val message = data.copyOfRange(3 + lenHeader, (3 + lenHeader + lenMessage)) - return Pair(Headers.deserialize(header), message) - } - - @OptIn(ExperimentalUnsignedTypes::class) - private fun formatRequestPublicKey( - publicKey: ByteArray, - type: MessageRequestType - ) : ByteArray { - val mn = ubyteArrayOf(type.code.toUByte()) - val lenPubKey = ubyteArrayOf(publicKey.size.toUByte()) - - return (mn + lenPubKey).toByteArray() + publicKey - } - - @OptIn(ExperimentalUnsignedTypes::class) - private fun formatMessage( - header: Headers, - cipherText: ByteArray - ) : ByteArray { - val mn = ubyteArrayOf(MessageRequestType.TYPE_MESSAGE.code.toUByte()) - val lenHeader = ubyteArrayOf(header.serialized.size.toUByte()) - val lenMessage = ubyteArrayOf(cipherText.size.toUByte()) - - return (mn + lenHeader + lenMessage).toByteArray() + header.serialized + cipherText - } - - suspend fun sendRequest( - context: Context, 
- address: String, - mode: SecureRequestMode, - ): ByteArray { - try { - val publicKey = generateIdentityPublicKeys(context, address) - - var type: MessageRequestType? = null - val mode = when(mode) { - SecureRequestMode.REQUEST_RECEIVED -> { - type = MessageRequestType.TYPE_ACCEPT - SecureRequestMode.REQUEST_ACCEPTED - } - else -> { - type = MessageRequestType.TYPE_REQUEST - SecureRequestMode.REQUEST_REQUESTED - } - } - - context.setEncryptionModeStates(address, mode) - return formatRequestPublicKey(publicKey, type) - } catch (e: Exception) { - throw e - } - } - - suspend fun receiveRequest( - context: Context, - address: String, - publicKey: ByteArray, - ) : ByteArray? { - MessageRequestType.fromCode(publicKey[0])?.let { type -> - val publicKey = extractRequestPublicKey(publicKey) - try { - val mode = when(type) { - MessageRequestType.TYPE_REQUEST -> { - SecureRequestMode.REQUEST_RECEIVED - } - MessageRequestType.TYPE_ACCEPT -> { - context.removeEncryptionRatchetStates(address) - SecureRequestMode.REQUEST_ACCEPTED - } - else -> return null - } - context.setEncryptionModeStates( - address, - mode, - publicKey, - ) - } catch (e: Exception) { - throw e - } - return publicKey - } - - return null - } - - @Throws - private suspend fun generateIdentityPublicKeys( - context: Context, - address: String - ): ByteArray { - try { - val libSigCurve25519 = SecurityCurve25519() - val publicKey = libSigCurve25519.generateKey() - context.setKeypairValues(address, publicKey, libSigCurve25519.privateKey) - return publicKey - } catch (e: Exception) { - throw e - } - } - - @Throws - suspend fun decrypt( - context: Context, - address: String, - text: String - ): String? 
{ - - val data = Base64.decode(text, Base64.DEFAULT) - if(MessageRequestType.fromCode(data[0]) != MessageRequestType.TYPE_MESSAGE) - return null - - val payload = try { extractMessage(data) } catch(e: Exception) { - throw e - } - - val modeStates = context.getEncryptionModeStatesSync(address) - val publicKey = Gson().fromJson(modeStates, - SavedEncryptedModes::class.java).publicKey - - if(publicKey == null) { - CoroutineScope(Dispatchers.Main).launch { - Toast.makeText( - context, - context.getString(R.string.missing_public_key), - Toast.LENGTH_LONG).show() - } - return null - } - - val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) - - val keystore = address + "_ratchet_state" - val currentState = context.getEncryptedBinaryData(keystore) - - var state: States? - if(currentState == null) { - state = States() - val sk = context.calculateSharedSecret(address, publicKeyBytes) - val keypair = context.getKeypairValues(address) //public private - - Ratchets.ratchetInitBob( - state, - sk, - android.util.Pair(keypair.second, keypair.first) - ) - } - else state = States.deserialize(String(currentState)) - - val keypair = context.getKeypairValues(address) - var decryptedText: String? - try { - decryptedText = String(Ratchets.ratchetDecrypt( - state, - payload.first, - payload.second, - keypair.first - )) - context.saveBinaryDataEncrypted(keystore, - state.serialize().encodeToByteArray()) - } catch(e: Exception) { - throw e - } - return decryptedText - } - - @Throws - suspend fun encrypt( - context: Context, - address: String, - text: String - ) : String? 
{ - val modeStates = context.getEncryptionModeStatesSync(address) - val publicKey = Gson().fromJson(modeStates, - SavedEncryptedModes::class.java).publicKey - - if(publicKey == null) { - CoroutineScope(Dispatchers.Main).launch { - Toast.makeText( - context, - context.getString(R.string.missing_public_key), - Toast.LENGTH_LONG).show() - } - return null - } - - val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) - - val keystore = address + "_ratchet_state" - val currentState = context.getEncryptedBinaryData(keystore) - - var state: States? - if(currentState == null) { - state = States() - val sk = context.calculateSharedSecret(address, publicKeyBytes) - Ratchets.ratchetInitAlice(state, sk, publicKeyBytes) - } - else state = States.deserialize(String(currentState)) - - val ratchetOutput = Ratchets.ratchetEncrypt(state, - text.encodeToByteArray(), publicKeyBytes) - - return try { - val message = formatMessage( - ratchetOutput.first, - ratchetOutput.second - ) - context.saveBinaryDataEncrypted(keystore, - state.serialize().encodeToByteArray()) - Base64.encodeToString(message, Base64.DEFAULT) - } catch(e: Exception) { - throw e - } - } -} - -private suspend fun Context.calculateSharedSecret( - address: String, - publicKey: ByteArray -): ByteArray? { - val keypair = getKeypairValues(address) //public private - keypair.second?.let { privateKey -> - val libSigCurve25519 = SecurityCurve25519(privateKey) - return libSigCurve25519.calculateSharedSecret(publicKey) - } - return null -} - -data class SavedEncryptedModes( - var mode: EncryptionController.SecureRequestMode, - var publicKey: String? = null, -) - -private suspend fun Context.setEncryptionModeStates( - address: String, - mode: EncryptionController.SecureRequestMode, - publicKey: ByteArray? 
= null, -) { - val keyValue = stringPreferencesKey(address + "_mode_states") - dataStore.edit { secureComms -> - // Make a mutable copy of existing state - val currentState = secureComms[keyValue] ?: "" - val savedEncryptedModes = if(currentState.isNotEmpty()) Gson() - .fromJson(currentState, SavedEncryptedModes::class.java) - .apply { this.mode = mode } - else SavedEncryptedModes(mode = mode) - - publicKey?.let { publicKey -> - savedEncryptedModes.publicKey = - Base64.encodeToString(publicKey, Base64.DEFAULT) - } - - secureComms[keyValue] = Gson().toJson(savedEncryptedModes) - } -} - -suspend fun Context.removeEncryptionRatchetStates(address: String) { - val keyValue = stringPreferencesKey(address + "_ratchet_state") - dataStore.edit { secureComms -> - secureComms.remove(keyValue) - withContext(Dispatchers.Main) { - Toast.makeText( - this@removeEncryptionRatchetStates, - getString(R.string.ratchet_states_removed), - Toast.LENGTH_LONG).show() - } - } -} - -suspend fun Context.removeEncryptionModeStates(address: String) { - val keyValue = stringPreferencesKey(address + "_mode_states") - dataStore.edit { secureComms -> - secureComms.remove(keyValue) - } -} - -fun Context.getEncryptionRatchetStates(address: String): Flow { - val keyValue = stringPreferencesKey(address + "_ratchet_state") - return dataStore.data.map { it[keyValue] } -} - -suspend fun Context.getEncryptionModeStatesSync(address: String): String? 
{ - val keyValue = stringPreferencesKey(address + "_mode_states") - return dataStore.data.first()[keyValue] -} - -fun Context.getEncryptionModeStates(address: String): Flow { - val keyValue = stringPreferencesKey(address + "_mode_states") - return dataStore.data.map { it[keyValue] } -} +//object EncryptionController { +// +// @Serializable +// enum class SecureRequestMode { +// REQUEST_NONE, +// REQUEST_REQUESTED, +// REQUEST_RECEIVED, +// REQUEST_ACCEPTED, +// } +// +// enum class MessageRequestType(val code: Byte) { +// TYPE_REQUEST(0x01.toByte()), +// TYPE_ACCEPT(0x02.toByte()), +// TYPE_MESSAGE(0x03.toByte()); +// +// companion object { +// fun fromCode(code: Byte): MessageRequestType? = +// entries.find { it.code == code } // Kotlin 1.9+, use values() before that +// +// fun fromMessage(message: ByteArray): MessageRequestType? = +// entries.find { it.code == message[0] } // Kotlin 1.9+, use values() before that +// } +// } +// +// private fun extractRequestPublicKey( publicKey: ByteArray) : ByteArray { +// val lenPubKey = publicKey[1].toInt() +// return publicKey.drop(2).toByteArray() +// } +// +// private fun extractMessage(data: ByteArray) : Pair { +// val lenHeader = data[1].toInt() +// val lenMessage = data[2].toInt() +// val header = data.copyOfRange(3, 3 + lenHeader) +// val message = data.copyOfRange(3 + lenHeader, (3 + lenHeader + lenMessage)) +// return Pair(Headers.deserialize(header), message) +// } +// +// @OptIn(ExperimentalUnsignedTypes::class) +// private fun formatRequestPublicKey( +// publicKey: ByteArray, +// type: MessageRequestType +// ) : ByteArray { +// val mn = ubyteArrayOf(type.code.toUByte()) +// val lenPubKey = ubyteArrayOf(publicKey.size.toUByte()) +// +// return (mn + lenPubKey).toByteArray() + publicKey +// } +// +// @OptIn(ExperimentalUnsignedTypes::class) +// private fun formatMessage( +// header: Headers, +// cipherText: ByteArray +// ) : ByteArray { +// val mn = ubyteArrayOf(MessageRequestType.TYPE_MESSAGE.code.toUByte()) +// 
val lenHeader = ubyteArrayOf(header.serialized.size.toUByte()) +// val lenMessage = ubyteArrayOf(cipherText.size.toUByte()) +// +// return (mn + lenHeader + lenMessage).toByteArray() + header.serialized + cipherText +// } +// +// suspend fun sendRequest( +// context: Context, +// address: String, +// mode: SecureRequestMode, +// ): ByteArray { +// try { +// val publicKey = generateIdentityPublicKeys(context, address) +// +// var type: MessageRequestType? = null +// val mode = when(mode) { +// SecureRequestMode.REQUEST_RECEIVED -> { +// type = MessageRequestType.TYPE_ACCEPT +// SecureRequestMode.REQUEST_ACCEPTED +// } +// else -> { +// type = MessageRequestType.TYPE_REQUEST +// SecureRequestMode.REQUEST_REQUESTED +// } +// } +// +// context.setEncryptionModeStates(address, mode) +// return formatRequestPublicKey(publicKey, type) +// } catch (e: Exception) { +// throw e +// } +// } +// +// suspend fun receiveRequest( +// context: Context, +// address: String, +// publicKey: ByteArray, +// ) : ByteArray? 
{ +// MessageRequestType.fromCode(publicKey[0])?.let { type -> +// val publicKey = extractRequestPublicKey(publicKey) +// try { +// val mode = when(type) { +// MessageRequestType.TYPE_REQUEST -> { +// SecureRequestMode.REQUEST_RECEIVED +// } +// MessageRequestType.TYPE_ACCEPT -> { +// context.removeEncryptionRatchetStates(address) +// SecureRequestMode.REQUEST_ACCEPTED +// } +// else -> return null +// } +// context.setEncryptionModeStates( +// address, +// mode, +// publicKey, +// ) +// } catch (e: Exception) { +// throw e +// } +// return publicKey +// } +// +// return null +// } +// +// @Throws +// private suspend fun generateIdentityPublicKeys( +// context: Context, +// address: String +// ): ByteArray { +// try { +// val libSigCurve25519 = SecurityCurve25519() +// val publicKey = libSigCurve25519.generateKey() +// context.setKeypairValues(address, publicKey, libSigCurve25519.privateKey) +// return publicKey +// } catch (e: Exception) { +// throw e +// } +// } +// +// @Throws +// suspend fun decrypt( +// context: Context, +// address: String, +// text: String +// ): String? { +// +// val data = Base64.decode(text, Base64.DEFAULT) +// if(MessageRequestType.fromCode(data[0]) != MessageRequestType.TYPE_MESSAGE) +// return null +// +// val payload = try { extractMessage(data) } catch(e: Exception) { +// throw e +// } +// +// val modeStates = context.getEncryptionModeStatesSync(address) +// val publicKey = Gson().fromJson(modeStates, +// SavedEncryptedModes::class.java).publicKey +// +// if(publicKey == null) { +// CoroutineScope(Dispatchers.Main).launch { +// Toast.makeText( +// context, +// context.getString(R.string.missing_public_key), +// Toast.LENGTH_LONG).show() +// } +// return null +// } +// +// val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) +// +// val keystore = address + "_ratchet_state" +// val currentState = context.getEncryptedBinaryData(keystore) +// +// var state: States? 
+// if(currentState == null) { +// state = States() +// val sk = context.calculateSharedSecret(address, publicKeyBytes) +// val keypair = context.getKeypairValues(address) //public private +// +// Ratchets.ratchetInitBob( +// state, +// sk, +// android.util.Pair(keypair.second, keypair.first) +// ) +// } +// else state = States.deserialize(String(currentState)) +// +// val keypair = context.getKeypairValues(address) +// var decryptedText: String? +// try { +// decryptedText = String(Ratchets.ratchetDecrypt( +// state, +// payload.first, +// payload.second, +// keypair.first +// )) +// context.saveBinaryDataEncrypted(keystore, +// state.serialize().encodeToByteArray()) +// } catch(e: Exception) { +// throw e +// } +// return decryptedText +// } +// +// @Throws +// suspend fun encrypt( +// context: Context, +// address: String, +// text: String +// ) : String? { +// val modeStates = context.getEncryptionModeStatesSync(address) +// val publicKey = Gson().fromJson(modeStates, +// SavedEncryptedModes::class.java).publicKey +// +// if(publicKey == null) { +// CoroutineScope(Dispatchers.Main).launch { +// Toast.makeText( +// context, +// context.getString(R.string.missing_public_key), +// Toast.LENGTH_LONG).show() +// } +// return null +// } +// +// val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) +// +// val keystore = address + "_ratchet_state" +// val currentState = context.getEncryptedBinaryData(keystore) +// +// var state: States? 
+// if(currentState == null) { +// state = States() +// val sk = context.calculateSharedSecret(address, publicKeyBytes) +// Ratchets.ratchetInitAlice(state, sk, publicKeyBytes) +// } +// else state = States.deserialize(String(currentState)) +// +// val ratchetOutput = Ratchets.ratchetEncrypt(state, +// text.encodeToByteArray(), publicKeyBytes) +// +// return try { +// val message = formatMessage( +// ratchetOutput.first, +// ratchetOutput.second +// ) +// context.saveBinaryDataEncrypted(keystore, +// state.serialize().encodeToByteArray()) +// Base64.encodeToString(message, Base64.DEFAULT) +// } catch(e: Exception) { +// throw e +// } +// } +//} +// +//private suspend fun Context.calculateSharedSecret( +// address: String, +// publicKey: ByteArray +//): ByteArray? { +// val keypair = getKeypairValues(address) //public private +// keypair.second?.let { privateKey -> +// val libSigCurve25519 = SecurityCurve25519(privateKey) +// return libSigCurve25519.calculateSharedSecret(publicKey) +// } +// return null +//} +// +//data class SavedEncryptedModes( +// var mode: EncryptionController.SecureRequestMode, +// var publicKey: String? = null, +//) +// +//private suspend fun Context.setEncryptionModeStates( +// address: String, +// mode: EncryptionController.SecureRequestMode, +// publicKey: ByteArray? 
= null, +//) { +// val keyValue = stringPreferencesKey(address + "_mode_states") +// dataStore.edit { secureComms -> +// // Make a mutable copy of existing state +// val currentState = secureComms[keyValue] ?: "" +// val savedEncryptedModes = if(currentState.isNotEmpty()) Gson() +// .fromJson(currentState, SavedEncryptedModes::class.java) +// .apply { this.mode = mode } +// else SavedEncryptedModes(mode = mode) +// +// publicKey?.let { publicKey -> +// savedEncryptedModes.publicKey = +// Base64.encodeToString(publicKey, Base64.DEFAULT) +// } +// +// secureComms[keyValue] = Gson().toJson(savedEncryptedModes) +// } +//} +// +//suspend fun Context.removeEncryptionRatchetStates(address: String) { +// val keyValue = stringPreferencesKey(address + "_ratchet_state") +// dataStore.edit { secureComms -> +// secureComms.remove(keyValue) +// withContext(Dispatchers.Main) { +// Toast.makeText( +// this@removeEncryptionRatchetStates, +// getString(R.string.ratchet_states_removed), +// Toast.LENGTH_LONG).show() +// } +// } +//} +// +//suspend fun Context.removeEncryptionModeStates(address: String) { +// val keyValue = stringPreferencesKey(address + "_mode_states") +// dataStore.edit { secureComms -> +// secureComms.remove(keyValue) +// } +//} +// +//fun Context.getEncryptionRatchetStates(address: String): Flow { +// val keyValue = stringPreferencesKey(address + "_ratchet_state") +// return dataStore.data.map { it[keyValue] } +//} +// +//suspend fun Context.getEncryptionModeStatesSync(address: String): String? { +// val keyValue = stringPreferencesKey(address + "_mode_states") +// return dataStore.data.first()[keyValue] +//} +// +//fun Context.getEncryptionModeStates(address: String): Flow { +// val keyValue = stringPreferencesKey(address + "_mode_states") +// return dataStore.data.map { it[keyValue] } +//} 
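Review bot: The whole of EncryptionController.kt is turned into `//` comments in this hunk instead of being deleted, which leaves several hundred lines of dead key-exchange and ratchet code in the tree where it can be mistaken for the current protocol or partly revived. Version control already keeps the old implementation, so removing the file together with its remaining imports would be cleaner. If it has to stay for a while, a short header comment at the top saying why it is disabled and when it will be removed would keep readers from treating it as reference code.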
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt
deleted file mode 100644
index 9f3bc28..0000000
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityCurve25519.kt
+++ /dev/null
@@ -1,115 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.content.Context -import android.util.Pair -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols -import org.bouncycastle.crypto.AsymmetricCipherKeyPair -import org.bouncycastle.crypto.CipherParameters -import org.bouncycastle.crypto.EphemeralKeyPair -import org.bouncycastle.math.ec.custom.djb.Curve25519 - - -class SecurityCurve25519(context: Context) : Protocols(context) { - - private fun generateKey( - ephemeralKeyPair: AsymmetricCipherKeyPair, - authenticationPublicKey: CipherParameters, - ephemeralPublicKey: CipherParameters, - salt: ByteArray, - info: ByteArray, - handshakeSalt: ByteArray, - ) { - val dh1 = dh(ephemeralKeyPair, authenticationPublicKey) - val dh2 = dh(ephemeralKeyPair, ephemeralPublicKey) - return CryptoUtils.hkdf( - handshakeSalt, - salt, - info, - 32, - ).run { - CryptoUtils.hkdf( - dh1, - this, - info, - 32, - ).run { - CryptoUtils.hkdf( - dh2, - this, - info, - 32, - ) - } - } - } - - fun agreeWithAuthAndNonce( - e: AsymmetricCipherKeyPair, - s: CipherParameters, - he: CipherParameters, - hne: CipherParameters, - salt: ByteArray, - nonce1: ByteArray, - nonce2: ByteArray, - info: ByteArray, - hInfo: ByteArray, - ): Triple { - val handshakeSalt = nonce1 + nonce2 - val rootKey = generateKey( - ephemeralKeyPair = ephemeralKeyPair, - authenticationPublicKey = authenticationPublicKey, - publicKey = TODO(), - salt = TODO(), - info = TODO(), - handshakeSalt = TODO() - ) - - val headerKey = agreeWithAuthAndNonceImpl( - authenticationPublicKey = authenticationPublicKey, - authenticationPrivateKey = authenticationPrivateKey, - publicKey = headerPublicKey, - salt = salt, - info = headerInfo, - handshakeSalt = handshakeSalt, - privateKey = headerPrivateKey - ) - - val nextHeaderKey = agreeWithAuthAndNonceImpl( - authenticationPublicKey = authenticationPublicKey, - authenticationPrivateKey = authenticationPrivateKey, - publicKey 
= nextHeaderPublicKey, - salt = salt, - info = headerInfo, - handshakeSalt = handshakeSalt, - privateKey = nextHeaderPrivateKey - ) - - return Triple(rootKey, headerKey, nextHeaderKey) - } - - fun calculateSharedSecret( - publicKey: ByteArray, - ): ByteArray { - return Curve25519.sharedSecret(this.privateKey, publicKey) - } - - fun calculateSharedSecret( - publicKey: ByteArray, - salt: ByteArray? = null, - info: ByteArray? = "x25591_key_exchange".encodeToByteArray(), - ): ByteArray { - val sharedKey = Curve25519.sharedSecret(this.privateKey, publicKey) - return CryptoUtils.hkdf( - "HMACSHA256", - sharedKey, - salt, - info, - 32, - 1 - )[0] - } - - fun getKeypair(): Pair { - return Pair(privateKey, generateKey()) - } -} \ No newline at end of file diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt index d970fd9..9cafd07 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt @@ -16,6 +16,7 @@ import java.io.IOException import java.security.KeyPair import java.security.KeyStore import java.security.KeyStoreException +import java.security.MessageDigest import java.security.NoSuchAlgorithmException import java.security.SecureRandom import java.security.UnrecoverableEntryException @@ -152,3 +153,4 @@ fun Context.generateRandomBytes(length: Int): ByteArray { random.nextBytes(bytes) return bytes } + diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index ff7ad07..8ff979d 100644 
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt @@ -30,6 +30,8 @@ import java.security.Security */ open class Protocols(private val context: Context) { + private val MAC_LEN = 64 + init { Security.removeProvider("BC") Security.addProvider(BouncyCastleProvider()) @@ -127,19 +129,19 @@ open class Protocols(private val context: Context) { len = len, ).run { val authKey = this.sliceArray(32 until 64) - val cipherText = cipherText.dropLast(32).toByteArray() + val plaintextCiphertext = cipherText.dropLast(MAC_LEN).toByteArray() val mac = hmac(authKey) - mac.update(ad + cipherText) + mac.update(ad + plaintextCiphertext) - val incomingMac = cipherText.takeLast(32).toByteArray() + val incomingMac = cipherText.takeLast(MAC_LEN).toByteArray() if(!incomingMac.contentEquals(mac.doFinal())) { throw Exception("Message failed authentication") } val key = this.sliceArray(0 until 32) val iv = this.sliceArray(64 until 80) - SecurityAES.decryptAES256CBC(cipherText, key, iv) + SecurityAES.decryptAES256CBC(plaintextCiphertext, key, iv) } } @@ -152,19 +154,19 @@ open class Protocols(private val context: Context) { len = len, ).run { val authKey = this.sliceArray(32 until 64) - val cipherText = cipherText.dropLast(32).toByteArray() - val mac = hmac(authKey) - mac.update(cipherText) - val incomingMac = cipherText.takeLast(32).toByteArray() + val plainCiphertext = cipherText.dropLast(MAC_LEN).toByteArray() + mac.update(plainCiphertext) + + val incomingMac = cipherText.takeLast(MAC_LEN).toByteArray() if(!incomingMac.contentEquals(mac.doFinal())) { throw Exception("Message failed authentication") } val key = this.sliceArray(0 until 32) val iv = this.sliceArray(64 until 80) - SecurityAES.decryptAES256CBC(cipherText, key, iv) + SecurityAES.decryptAES256CBC(plainCiphertext, key, iv) } } 
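Review bot: The tag check `incomingMac.contentEquals(mac.doFinal())` in both decrypt hunks is not a constant-time comparison, so its running time can depend on how much of a forged tag matches; `if (!MessageDigest.isEqual(incomingMac, mac.doFinal()))` from `java.security.MessageDigest` avoids that. The new `MAC_LEN = 64` also has to equal the output length of whatever `hmac(authKey)` builds, which is not visible here: if that is HMAC-SHA256 the computed tag is 32 bytes and a 64-byte `incomingMac` can never match. Assuming `hmac` returns a `javax.crypto.Mac`, taking the length from `mac.macLength` instead of a constant would remove the guess. Both enclosing functions start outside the hunks.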
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index eb30786..8bcf04d 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -55,11 +55,11 @@ class RatchetsHE(context: Context) : Protocols(context){ fun ratchetInitBob( state: States, sk: ByteArray, - bobDhPublicKeypair: AsymmetricCipherKeyPair, + bobKeypair: AsymmetricCipherKeyPair, sharedHka: ByteArray, sharedNHka: ByteArray, ) { - state.DHRs = bobDhPublicKeypair + state.DHRs = bobKeypair state.DHRr = null state.RK = sk state.CKs = null diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt index 5d776ba..fe0b438 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt @@ -17,7 +17,7 @@ data class States( var Ns: UByte = 0u, var Nr: UByte = 0u, var PN: UByte = 0u, - var DHRs: AsymmetricCipherKeyPair?, + var DHRs: AsymmetricCipherKeyPair? = null, var DHRr: CipherParameters? = null, var HKs: ByteArray? = null, var HKr: ByteArray? = null, diff --git a/double_ratchet/src/main/res/values/strings.xml b/double_ratchet/src/main/res/values/strings.xml index 90a2b76..cfccd9c 100644 --- a/double_ratchet/src/main/res/values/strings.xml +++ b/double_ratchet/src/main/res/values/strings.xml @@ -6,4 +6,5 @@ RelaySMS C2S DR v1 RelaySMS DRHE v2 RelaySMS DR_ENCRYPTION v2 + RelaySMS_NK_handshake_v1 \ No newline at end of file 
From 996e088dacba1d106cdbfeb9019fe1b05eaba820 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Sun, 12 Apr 2026 22:27:09 +0100 Subject: [PATCH 07/19] update: Nk looks good - should go to other ones --- .../libsignal/RatchetsTest.kt | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index dc3895b..e4a60aa 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt @@ -161,8 +161,23 @@ class RatchetsTest { ) } - val plaintext = ratchets.ratchetDecrypt( + var plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + + ratchetPayload = ratchets.ratchetEncrypt( state = bobState, + plaintext = originalText, + ad = ad + ) + + plaintext = ratchets.ratchetDecrypt( + state = aliceState, encHeader = ratchetPayload.header, cipherText = ratchetPayload.cipherText, ad = ad From c707cbcfceff29f92101bb05199cb93512b76e1a Mon Sep 17 00:00:00 2001 
From: sherlockwisdom Date: Tue, 14 Apr 2026 12:17:32 +0100 Subject: [PATCH 08/19] update: integrated the IK keys for forward secrecy --- .../libsignal_doubleratchet/CryptoUtils.kt | 140 +++++++ .../libsignal_doubleratchet/Cryptography.kt | 77 ++++ .../EncryptionController.kt | 347 ------------------ 3 files changed, 217 insertions(+), 347 deletions(-) create mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt delete mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt index f73ea4c..6f8b648 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt @@ -6,8 +6,11 @@ import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocol import com.google.common.primitives.Bytes import org.bouncycastle.crypto.AsymmetricCipherKeyPair import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.EphemeralKeyPair +import org.bouncycastle.crypto.params.X25519PublicKeyParameters import java.security.GeneralSecurityException import java.security.MessageDigest +import java.security.PublicKey import java.security.SecureRandom import javax.crypto.Mac import javax.crypto.SecretKey 
@@ -101,6 +104,143 @@ object CryptoUtils { } } + data class NoiseIKKey( + val keys: Triple, + val h: ByteArray + ) + + fun generateKeysIK( + context: Context, + ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationPublicKey: CipherParameters, + staticKeyPair: AsymmetricCipherKeyPair, + info: ByteArray, + headerInfo: ByteArray, + ) : NoiseIKKey { + val protocols = Protocols(context) + + var h = "Noise_IK_25519_AESGCM_SHA256".encodeToByteArray().sha256() + var ck = h + + h = (h + (authenticationPublicKey as X25519PublicKeyParameters).encoded).sha256() + h = (h + (ephemeralKeyPair.public as X25519PublicKeyParameters).encoded).sha256() + + val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + + return hkdf( + ikm = dhEs, + salt = ck, + info = info, + len = 2 + ).run { + ck = this.sliceArray(0 until 32) + var k = this.sliceArray(32 until 64) + val csPkEnc = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + (staticKeyPair.public as X25519PublicKeyParameters).encoded, + h + ) + h = (h + csPkEnc).sha256() + val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) + + hkdf( + ikm = dhSs, + salt = ck, + info = info, + len = 2 + ).run { + ck = this.sliceArray(0 until 32) + k = this.sliceArray(32 until 64) + val ciphertext = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + h + ) + h = (h + ciphertext).sha256() + + hkdf( + ikm = dhSs, + salt = ck, + info = headerInfo, + len = 3 + ).run { + NoiseIKKey( + Triple( + this.sliceArray(0 until 32), + this.sliceArray(32 until 64), + this.sliceArray(64 until 96), + ), + h + ) + } + } + } + } + + fun generateKeysIKForwardSecrecy( + context: Context, + h: ByteArray, + ck: ByteArray, + ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralResponderPublicKey: CipherParameters, + authenticationPublicKey: CipherParameters, + info: ByteArray, + headerInfo: ByteArray, + ) : NoiseIKKey{ + val protocols = Protocols(context) + + var h = (h + (ephemeralResponderPublicKey as 
X25519PublicKeyParameters).encoded).sha256() + val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) + + return hkdf( + ikm = dhEe, + salt = ck, + info = info, + len = 2 + ).run { + var ck = this.sliceArray(0 until 32) + var k = this.sliceArray(32 until 64) + var ciphertext = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + h + ) + h = (h + ciphertext).sha256() + val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + hkdf( + ikm = dhSe, + salt = ck, + info = info, + len = 2 + ).run { + ck = this.sliceArray(0 until 32) + k = this.sliceArray(32 until 64) + ciphertext = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + h + ) + h = (h + ciphertext).sha256() + + hkdf( + ikm = "".encodeToByteArray(), + salt = ck, + info = headerInfo, + len = 3 + ).run { + NoiseIKKey( + Triple( + this.sliceArray(0 until 32), + this.sliceArray(32 until 64), + this.sliceArray(64 until 96), + ), + h + ) + } + } + } + } + fun ByteArray.sha256(): ByteArray { return MessageDigest .getInstance("SHA-256") diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt new file mode 100644 index 0000000..152ae98 --- /dev/null +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt 
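Review bot: The `hkdf(..., len = 2)` and `hkdf(..., len = 3)` calls in `generateKeysIK` and `generateKeysIKForwardSecrecy` do not match the slicing that follows them. Each result is cut with `sliceArray(0 until 32)` and `sliceArray(32 until 64)`, and the last one also with `sliceArray(64 until 96)`. If `len` is a byte count, as the NK helpers in this file suggest (they pass `len = 96` before slicing up to 96), these slices run past the end of the array and throw on the first handshake. The likely intent is `len = 64` for the two-key derivations and `len = 96` for the final one. `hkdf` is defined outside this hunk, so confirm its unit before changing the values.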
@@ -0,0 +1,77 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet + +import javax.crypto.Cipher +import javax.crypto.KeyGenerator +import javax.crypto.SecretKey +import javax.crypto.spec.GCMParameterSpec +import java.security.SecureRandom + +object Cryptography { + + object AesGcm { + private const val ALGORITHM = "AES/GCM/NoPadding" + private const val KEY_SIZE_BITS = 256 + private const val IV_SIZE_BYTES = 12 // 96-bit IV recommended for GCM + private const val TAG_SIZE_BITS = 128 // authentication tag length + + data class CipherResult( + val ciphertext: ByteArray, // encrypted data (includes appended GCM auth tag) + val iv: ByteArray // IV — must be stored alongside ciphertext for decryption + ) + + fun generateKey(): SecretKey { + val keygen = KeyGenerator.getInstance("AES") + keygen.init(KEY_SIZE_BITS, SecureRandom()) + return keygen.generateKey() + } + + /** + * Encrypts [plaintext] with AES-256-GCM. + * + * @param key AES secret key (128, 192, or 256-bit) + * @param plaintext Data to encrypt + * @param associatedData AAD: authenticated but NOT encrypted (e.g. headers, context). + * Pass null if not needed. + * @return CipherResult containing the ciphertext+tag and the IV used. + */ + fun encrypt( + key: SecretKey, + plaintext: ByteArray, + associatedData: ByteArray? = null + ): ByteArray { + val iv = ByteArray(IV_SIZE_BYTES).also { SecureRandom().nextBytes(it) } + val spec = GCMParameterSpec(TAG_SIZE_BITS, iv) + + val cipher = Cipher.getInstance(ALGORITHM) + cipher.init(Cipher.ENCRYPT_MODE, key, spec) + associatedData?.let { cipher.updateAAD(it) } + + val ciphertext = cipher.doFinal(plaintext) + return iv + ciphertext + } + + /** + * Decrypts and authenticates output from [encrypt]. + * Throws [javax.crypto.AEADBadTagException] if the tag or AAD doesn't match. 
+ * + * @param key Same AES key used during encryption + * @param ciphertext Encrypted bytes (ciphertext + appended GCM tag) + * @param iv IV from the corresponding [CipherResult] + * @param associatedData Must be identical to the AAD used during encryption + */ + fun decrypt( + key: SecretKey, + ciphertext: ByteArray, + iv: ByteArray, + associatedData: ByteArray? = null + ): ByteArray { + val spec = GCMParameterSpec(TAG_SIZE_BITS, iv) + + val cipher = Cipher.getInstance(ALGORITHM) + cipher.init(Cipher.DECRYPT_MODE, key, spec) + associatedData?.let { cipher.updateAAD(it) } + + return cipher.doFinal(ciphertext) + } + } +} \ No newline at end of file diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt deleted file mode 100644 index 26e3f7a..0000000 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/EncryptionController.kt +++ /dev/null 
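Review bot: The KDoc on `AesGcm.encrypt` and `AesGcm.decrypt` does not describe what the code does. `encrypt` is documented as returning a `CipherResult`, but it returns one `ByteArray` of `iv + ciphertext`, and `CipherResult` is never constructed. `decrypt` takes the IV as a separate argument and does not strip the 12-byte prefix, so the output of `encrypt` cannot be passed back as `ciphertext` unless the caller splits it first. Either return `CipherResult(ciphertext, iv)` from `encrypt`, or change the doc to `@return IV (IV_SIZE_BYTES) followed by ciphertext and tag` and have `decrypt` split its input on `IV_SIZE_BYTES`. Nothing in `encrypt` checks the key length, so the summary line should say AES-GCM rather than AES-256-GCM, or a `require` on the key size should be added.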
@@ -1,347 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.content.Context -import android.util.Base64 -import android.widget.Toast -import androidx.datastore.preferences.core.edit -import androidx.datastore.preferences.core.stringPreferencesKey -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.dataStore -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getEncryptedBinaryData -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.getKeypairValues -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.saveBinaryDataEncrypted -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.setKeypairValues -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Headers -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.States -import com.google.gson.Gson -import kotlinx.coroutines.CoroutineScope -import kotlinx.coroutines.Dispatchers -import kotlinx.coroutines.flow.Flow -import kotlinx.coroutines.flow.first -import kotlinx.coroutines.flow.map -import kotlinx.coroutines.launch -import kotlinx.coroutines.withContext -import kotlinx.serialization.Serializable - -//object EncryptionController { -// -// @Serializable -// enum class SecureRequestMode { -// REQUEST_NONE, -// REQUEST_REQUESTED, -// REQUEST_RECEIVED, -// REQUEST_ACCEPTED, -// } -// -// enum class MessageRequestType(val code: Byte) { -// TYPE_REQUEST(0x01.toByte()), -// TYPE_ACCEPT(0x02.toByte()), -// TYPE_MESSAGE(0x03.toByte()); -// -// companion object { -// fun fromCode(code: Byte): MessageRequestType? = -// entries.find { it.code == code } // Kotlin 1.9+, use values() before that -// -// fun fromMessage(message: ByteArray): MessageRequestType? 
= -// entries.find { it.code == message[0] } // Kotlin 1.9+, use values() before that -// } -// } -// -// private fun extractRequestPublicKey( publicKey: ByteArray) : ByteArray { -// val lenPubKey = publicKey[1].toInt() -// return publicKey.drop(2).toByteArray() -// } -// -// private fun extractMessage(data: ByteArray) : Pair { -// val lenHeader = data[1].toInt() -// val lenMessage = data[2].toInt() -// val header = data.copyOfRange(3, 3 + lenHeader) -// val message = data.copyOfRange(3 + lenHeader, (3 + lenHeader + lenMessage)) -// return Pair(Headers.deserialize(header), message) -// } -// -// @OptIn(ExperimentalUnsignedTypes::class) -// private fun formatRequestPublicKey( -// publicKey: ByteArray, -// type: MessageRequestType -// ) : ByteArray { -// val mn = ubyteArrayOf(type.code.toUByte()) -// val lenPubKey = ubyteArrayOf(publicKey.size.toUByte()) -// -// return (mn + lenPubKey).toByteArray() + publicKey -// } -// -// @OptIn(ExperimentalUnsignedTypes::class) -// private fun formatMessage( -// header: Headers, -// cipherText: ByteArray -// ) : ByteArray { -// val mn = ubyteArrayOf(MessageRequestType.TYPE_MESSAGE.code.toUByte()) -// val lenHeader = ubyteArrayOf(header.serialized.size.toUByte()) -// val lenMessage = ubyteArrayOf(cipherText.size.toUByte()) -// -// return (mn + lenHeader + lenMessage).toByteArray() + header.serialized + cipherText -// } -// -// suspend fun sendRequest( -// context: Context, -// address: String, -// mode: SecureRequestMode, -// ): ByteArray { -// try { -// val publicKey = generateIdentityPublicKeys(context, address) -// -// var type: MessageRequestType? 
= null -// val mode = when(mode) { -// SecureRequestMode.REQUEST_RECEIVED -> { -// type = MessageRequestType.TYPE_ACCEPT -// SecureRequestMode.REQUEST_ACCEPTED -// } -// else -> { -// type = MessageRequestType.TYPE_REQUEST -// SecureRequestMode.REQUEST_REQUESTED -// } -// } -// -// context.setEncryptionModeStates(address, mode) -// return formatRequestPublicKey(publicKey, type) -// } catch (e: Exception) { -// throw e -// } -// } -// -// suspend fun receiveRequest( -// context: Context, -// address: String, -// publicKey: ByteArray, -// ) : ByteArray? { -// MessageRequestType.fromCode(publicKey[0])?.let { type -> -// val publicKey = extractRequestPublicKey(publicKey) -// try { -// val mode = when(type) { -// MessageRequestType.TYPE_REQUEST -> { -// SecureRequestMode.REQUEST_RECEIVED -// } -// MessageRequestType.TYPE_ACCEPT -> { -// context.removeEncryptionRatchetStates(address) -// SecureRequestMode.REQUEST_ACCEPTED -// } -// else -> return null -// } -// context.setEncryptionModeStates( -// address, -// mode, -// publicKey, -// ) -// } catch (e: Exception) { -// throw e -// } -// return publicKey -// } -// -// return null -// } -// -// @Throws -// private suspend fun generateIdentityPublicKeys( -// context: Context, -// address: String -// ): ByteArray { -// try { -// val libSigCurve25519 = SecurityCurve25519() -// val publicKey = libSigCurve25519.generateKey() -// context.setKeypairValues(address, publicKey, libSigCurve25519.privateKey) -// return publicKey -// } catch (e: Exception) { -// throw e -// } -// } -// -// @Throws -// suspend fun decrypt( -// context: Context, -// address: String, -// text: String -// ): String? 
{ -// -// val data = Base64.decode(text, Base64.DEFAULT) -// if(MessageRequestType.fromCode(data[0]) != MessageRequestType.TYPE_MESSAGE) -// return null -// -// val payload = try { extractMessage(data) } catch(e: Exception) { -// throw e -// } -// -// val modeStates = context.getEncryptionModeStatesSync(address) -// val publicKey = Gson().fromJson(modeStates, -// SavedEncryptedModes::class.java).publicKey -// -// if(publicKey == null) { -// CoroutineScope(Dispatchers.Main).launch { -// Toast.makeText( -// context, -// context.getString(R.string.missing_public_key), -// Toast.LENGTH_LONG).show() -// } -// return null -// } -// -// val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) -// -// val keystore = address + "_ratchet_state" -// val currentState = context.getEncryptedBinaryData(keystore) -// -// var state: States? -// if(currentState == null) { -// state = States() -// val sk = context.calculateSharedSecret(address, publicKeyBytes) -// val keypair = context.getKeypairValues(address) //public private -// -// Ratchets.ratchetInitBob( -// state, -// sk, -// android.util.Pair(keypair.second, keypair.first) -// ) -// } -// else state = States.deserialize(String(currentState)) -// -// val keypair = context.getKeypairValues(address) -// var decryptedText: String? -// try { -// decryptedText = String(Ratchets.ratchetDecrypt( -// state, -// payload.first, -// payload.second, -// keypair.first -// )) -// context.saveBinaryDataEncrypted(keystore, -// state.serialize().encodeToByteArray()) -// } catch(e: Exception) { -// throw e -// } -// return decryptedText -// } -// -// @Throws -// suspend fun encrypt( -// context: Context, -// address: String, -// text: String -// ) : String? 
{ -// val modeStates = context.getEncryptionModeStatesSync(address) -// val publicKey = Gson().fromJson(modeStates, -// SavedEncryptedModes::class.java).publicKey -// -// if(publicKey == null) { -// CoroutineScope(Dispatchers.Main).launch { -// Toast.makeText( -// context, -// context.getString(R.string.missing_public_key), -// Toast.LENGTH_LONG).show() -// } -// return null -// } -// -// val publicKeyBytes = Base64.decode(publicKey, Base64.DEFAULT) -// -// val keystore = address + "_ratchet_state" -// val currentState = context.getEncryptedBinaryData(keystore) -// -// var state: States? -// if(currentState == null) { -// state = States() -// val sk = context.calculateSharedSecret(address, publicKeyBytes) -// Ratchets.ratchetInitAlice(state, sk, publicKeyBytes) -// } -// else state = States.deserialize(String(currentState)) -// -// val ratchetOutput = Ratchets.ratchetEncrypt(state, -// text.encodeToByteArray(), publicKeyBytes) -// -// return try { -// val message = formatMessage( -// ratchetOutput.first, -// ratchetOutput.second -// ) -// context.saveBinaryDataEncrypted(keystore, -// state.serialize().encodeToByteArray()) -// Base64.encodeToString(message, Base64.DEFAULT) -// } catch(e: Exception) { -// throw e -// } -// } -//} -// -//private suspend fun Context.calculateSharedSecret( -// address: String, -// publicKey: ByteArray -//): ByteArray? { -// val keypair = getKeypairValues(address) //public private -// keypair.second?.let { privateKey -> -// val libSigCurve25519 = SecurityCurve25519(privateKey) -// return libSigCurve25519.calculateSharedSecret(publicKey) -// } -// return null -//} -// -//data class SavedEncryptedModes( -// var mode: EncryptionController.SecureRequestMode, -// var publicKey: String? = null, -//) -// -//private suspend fun Context.setEncryptionModeStates( -// address: String, -// mode: EncryptionController.SecureRequestMode, -// publicKey: ByteArray? 
= null, -//) { -// val keyValue = stringPreferencesKey(address + "_mode_states") -// dataStore.edit { secureComms -> -// // Make a mutable copy of existing state -// val currentState = secureComms[keyValue] ?: "" -// val savedEncryptedModes = if(currentState.isNotEmpty()) Gson() -// .fromJson(currentState, SavedEncryptedModes::class.java) -// .apply { this.mode = mode } -// else SavedEncryptedModes(mode = mode) -// -// publicKey?.let { publicKey -> -// savedEncryptedModes.publicKey = -// Base64.encodeToString(publicKey, Base64.DEFAULT) -// } -// -// secureComms[keyValue] = Gson().toJson(savedEncryptedModes) -// } -//} -// -//suspend fun Context.removeEncryptionRatchetStates(address: String) { -// val keyValue = stringPreferencesKey(address + "_ratchet_state") -// dataStore.edit { secureComms -> -// secureComms.remove(keyValue) -// withContext(Dispatchers.Main) { -// Toast.makeText( -// this@removeEncryptionRatchetStates, -// getString(R.string.ratchet_states_removed), -// Toast.LENGTH_LONG).show() -// } -// } -//} -// -//suspend fun Context.removeEncryptionModeStates(address: String) { -// val keyValue = stringPreferencesKey(address + "_mode_states") -// dataStore.edit { secureComms -> -// secureComms.remove(keyValue) -// } -//} -// -//fun Context.getEncryptionRatchetStates(address: String): Flow { -// val keyValue = stringPreferencesKey(address + "_ratchet_state") -// return dataStore.data.map { it[keyValue] } -//} -// -//suspend fun Context.getEncryptionModeStatesSync(address: String): String? { -// val keyValue = stringPreferencesKey(address + "_mode_states") -// return dataStore.data.first()[keyValue] -//} -// -//fun Context.getEncryptionModeStates(address: String): Flow { -// val keyValue = stringPreferencesKey(address + "_mode_states") -// return dataStore.data.map { it[keyValue] } -//} From 913b64689e0ba31341891b636ba239eab95f8d8a Mon Sep 17 00:00:00 2001 
From: sherlockwisdom
Date: Tue, 14 Apr 2026 12:25:52 +0100
Subject: [PATCH 09/19] update: zeroed out for sec
---
.../libsignal_doubleratchet/CryptoUtils.kt | 200 ++++++++++--------
1 file changed, 113 insertions(+), 87 deletions(-)
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt
index 6f8b648..8ab9e07 100644
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt
@@ -126,54 +126,62 @@ object CryptoUtils { h = (h + (ephemeralKeyPair.public as X25519PublicKeyParameters).encoded).sha256() val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) - return hkdf( - ikm = dhEs, - salt = ck, - info = info, - len = 2 - ).run { - ck = this.sliceArray(0 until 32) - var k = this.sliceArray(32 until 64) - val csPkEnc = Cryptography.AesGcm.encrypt( + // Named references so we can zero them + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + var hkdf3: ByteArray? = null + var k: ByteArray? = null + var csPkEnc: ByteArray? = null + var ciphertext: ByteArray? = null + + try { + hkdf1 = hkdf(ikm = dhEs, salt = ck, info = info, len = 2) + ck = hkdf1.sliceArray(0 until 32) + k = hkdf1.sliceArray(32 until 64) + + csPkEnc = Cryptography.AesGcm.encrypt( SecretKeySpec(k, "AES"), (staticKeyPair.public as X25519PublicKeyParameters).encoded, h ) h = (h + csPkEnc).sha256() - val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) - hkdf( - ikm = dhSs, - salt = ck, - info = info, - len = 2 - ).run { - ck = this.sliceArray(0 until 32) - k = this.sliceArray(32 until 64) - val ciphertext = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - "".encodeToByteArray(), - h - ) - h = (h + ciphertext).sha256() - - hkdf( - ikm = dhSs, - salt = ck, - info = headerInfo, - len = 3 - ).run { - NoiseIKKey( - Triple( - this.sliceArray(0 until 32), - this.sliceArray(32 until 64), - this.sliceArray(64 until 96), - ), - h - ) - } - } + hkdf2 = hkdf(ikm = dhSs, salt = ck, info = info, len = 2) + ck = hkdf2.sliceArray(0 until 32) + k.fill(0) // zero previous k before reassigning + k = hkdf2.sliceArray(32 until 64) + + ciphertext = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + h + ) + h = (h + ciphertext).sha256() + + hkdf3 = hkdf(ikm = dhSs, salt = ck, info = headerInfo, len = 3) + + return NoiseIKKey( + Triple( + hkdf3.sliceArray(0 
until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), + ), + h + ) + } finally { + // Zero everything sensitive regardless of success or exception + dhEs.fill(0) + dhSs.fill(0) + ck.fill(0) + k?.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + hkdf3?.fill(0) + // csPkEnc and ciphertext are non-secret ciphertext, but zero anyway + csPkEnc?.fill(0) + ciphertext?.fill(0) } } 
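Review bot: `csPkEnc` and `ciphertext` are hashed into `h` and then wiped in the `finally` block of `generateKeysIK` without ever being returned, which looks like it breaks the handshake transcript. `Cryptography.AesGcm.encrypt` draws a fresh random IV on every call and prepends it to its output, so `h = (h + csPkEnc).sha256()` gives a value the peer can reproduce only if it receives these exact bytes. `NoiseIKKey` carries only the three derived keys and `h`, so unless the encrypted static key travels by a path not shown here, the two sides would end up with different `h` values. Consider returning the handshake payloads next to the keys, for example as an extra field on `NoiseIKKey`. The `csPkEnc?.fill(0)` and `ciphertext?.fill(0)` lines can then go, since those bytes are meant for the wire.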
@@ -186,61 +194,79 @@ object CryptoUtils { authenticationPublicKey: CipherParameters, info: ByteArray, headerInfo: ByteArray, - ) : NoiseIKKey{ + ) : NoiseIKKey { val protocols = Protocols(context) - var h = (h + (ephemeralResponderPublicKey as X25519PublicKeyParameters).encoded).sha256() + // Shadowed vars — use local mutable copies so we can zero them + // Note: the incoming h and ck are owned by the caller; don't zero them here + var localH = (h + (ephemeralResponderPublicKey as X25519PublicKeyParameters).encoded).sha256() + var localCk = ck.copyOf() // defensive copy — we'll mutate and zero this + val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) + val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - return hkdf( - ikm = dhEe, - salt = ck, - info = info, - len = 2 - ).run { - var ck = this.sliceArray(0 until 32) - var k = this.sliceArray(32 until 64) - var ciphertext = Cryptography.AesGcm.encrypt( + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + var hkdf3: ByteArray? = null + var k: ByteArray? = null + var ciphertext1: ByteArray? = null + var ciphertext2: ByteArray? 
= null + + try { + hkdf1 = hkdf(ikm = dhEe, salt = localCk, info = info, len = 2) + localCk.fill(0) + localCk = hkdf1.sliceArray(0 until 32) + k = hkdf1.sliceArray(32 until 64) + + ciphertext1 = Cryptography.AesGcm.encrypt( SecretKeySpec(k, "AES"), "".encodeToByteArray(), - h + localH ) - h = (h + ciphertext).sha256() - val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - hkdf( - ikm = dhSe, - salt = ck, - info = info, - len = 2 - ).run { - ck = this.sliceArray(0 until 32) - k = this.sliceArray(32 until 64) - ciphertext = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - "".encodeToByteArray(), - h - ) - h = (h + ciphertext).sha256() - - hkdf( - ikm = "".encodeToByteArray(), - salt = ck, - info = headerInfo, - len = 3 - ).run { - NoiseIKKey( - Triple( - this.sliceArray(0 until 32), - this.sliceArray(32 until 64), - this.sliceArray(64 until 96), - ), - h - ) - } - } + localH = (localH + ciphertext1).sha256() + + hkdf2 = hkdf(ikm = dhSe, salt = localCk, info = info, len = 2) + localCk.fill(0) + localCk = hkdf2.sliceArray(0 until 32) + k.fill(0) // zero previous k before reassign + k = hkdf2.sliceArray(32 until 64) + + ciphertext2 = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + localH + ) + localH = (localH + ciphertext2).sha256() + + hkdf3 = hkdf( + ikm = "".encodeToByteArray(), + salt = localCk, + info = headerInfo, + len = 3 + ) + + return NoiseIKKey( + Triple( + hkdf3.sliceArray(0 until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), + ), + localH + ) + } finally { + dhEe.fill(0) + dhSe.fill(0) + localCk.fill(0) + k?.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + hkdf3?.fill(0) + ciphertext1?.fill(0) + ciphertext2?.fill(0) + // Do NOT zero localH — it's returned inside NoiseIKKey + // Do NOT zero the caller's h and ck — we don't own them } } - fun ByteArray.sha256(): ByteArray { return MessageDigest .getInstance("SHA-256") 
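Review bot: The wipe of `k` in `generateKeysIKForwardSecrecy` is best-effort only, and the comments around the `finally` block should say so. `SecretKeySpec(k, "AES")` keeps its own copy of the key bytes, because the JCA constructor clones the array. `k.fill(0)` therefore clears the local array but not the copy held by the key object. The same applies to the `SecretKeySpec(k, "AES")` calls in the `generateKeysIK` hunk above. I would add a line such as `// best-effort: SecretKeySpec holds its own copy of k, which is left to the GC`, so that nobody reads the zeroing as a guarantee that key material has left the heap.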
From f122de37e312c9e4e9ed53af5fba204bb182341a Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Tue, 14 Apr 2026 12:30:26 +0100 Subject: [PATCH 10/19] update: zeroed out for sec --- .../libsignal_doubleratchet/CryptoUtils.kt | 76 ++++++++++--------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt index 8ab9e07..5c724c3 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt @@ -49,29 +49,31 @@ object CryptoUtils { info: ByteArray, ): Triple { val protocols = Protocols(context) + val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) - return hkdf( - ikm = dh1, - salt = salt, - info = info, - len = 32, - ).run { - hkdf( - ikm = dh2, - salt = this, - info = info, - len = 96, - ).run { - Triple( - this.sliceArray(0 until 32), - this.sliceArray(32 until 64), - this.sliceArray(64 until 96), - ) - } + + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + + try { + hkdf1 = hkdf(ikm = dh1, salt = salt, info = info, len = 32) + hkdf2 = hkdf(ikm = dh2, salt = hkdf1, info = info, len = 96) + + return Triple( + hkdf2.sliceArray(0 until 32), + hkdf2.sliceArray(32 until 64), + hkdf2.sliceArray(64 until 96), + ) + } finally { + dh1.fill(0) + dh2.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + // The sliceArray copies inside Triple are intentionally not zeroed — + // they are the return value and owned by the caller } } - fun generateKeysNKServer( context: Context, authenticationKeypair: AsymmetricCipherKeyPair, 
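Review bot: In `generateKeysNK` both `protocols.dh(...)` calls run before the `try`, so if the second call throws, `dh1` is never reached by the `finally` block and stays unwiped. The `generateKeysNKServer` hunk that follows has the same ordering. Treating the DH outputs like the HKDF outputs closes the gap: declare `var dh1: ByteArray? = null` and `var dh2: ByteArray? = null`, assign both inside the `try`, and use `dh1?.fill(0)` and `dh2?.fill(0)` in `finally`. A short KDoc saying which element of the returned `Triple` is which key would also help callers, since the three slices are otherwise indistinguishable at the call site.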
@@ -83,24 +85,24 @@ object CryptoUtils { val protocols = Protocols(context) val dh1 = protocols.dh(authenticationKeypair, ephemeralPublicKey) val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) - return hkdf( - ikm = dh1, - salt = salt, - info = info, - len = 32, - ).run { - hkdf( - ikm = dh2, - salt = this, - info = info, - len = 96, - ).run { - Triple( - this.sliceArray(0 until 32), - this.sliceArray(32 until 64), - this.sliceArray(64 until 96), - ) - } + + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + + try { + hkdf1 = hkdf( ikm = dh1, salt = salt, info = info, len = 32, ) + hkdf2 = hkdf( ikm = dh2, salt = hkdf1, info = info, len = 96, ) + + return Triple( + hkdf2.sliceArray(0 until 32), + hkdf2.sliceArray(32 until 64), + hkdf2.sliceArray(64 until 96), + ) + } finally { + dh1.fill(0) + dh2.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) } } From 4e543dcd5a29fdb839769023bd6389f73c2775c8 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Tue, 14 Apr 2026 12:56:40 +0100 Subject: [PATCH 11/19] update: refactored --- .../libsignal/RatchetsTest.kt | 5 +- .../libsignal_doubleratchet/CryptoUtils.kt | 229 ----------------- .../libsignal_doubleratchet/Cryptography.kt | 238 ++++++++++++++++++ 3 files changed, 241 insertions(+), 231 deletions(-) diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index e4a60aa..89093d2 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt 
@@ -5,6 +5,7 @@ import androidx.test.filters.SmallTest import androidx.test.platform.app.InstrumentationRegistry import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.sha256 +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.Cryptography import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.generateRandomBytes import org.bouncycastle.crypto.params.X25519PublicKeyParameters import org.junit.Assert.assertArrayEquals @@ -38,7 +39,7 @@ class RatchetsTest { @Before fun start() { - CryptoUtils.generateKeysNK( + Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, authenticationPublicKey = bobStaticKeypair.public, @@ -51,7 +52,7 @@ class RatchetsTest { aliceNhk = it.third } - CryptoUtils.generateKeysNKServer( + Cryptography.generateKeysNKServer( context = context, authenticationKeypair = bobStaticKeypair, ephemeralKeyPair = bobKeypair, diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt index 5c724c3..eb4ddf8 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/CryptoUtils.kt 
@@ -40,235 +40,6 @@ object CryptoUtils { return output } - fun generateKeysNK( - context: Context, - ephemeralKeyPair: AsymmetricCipherKeyPair, - authenticationPublicKey: CipherParameters, - ephemeralPublicKey: CipherParameters, - salt: ByteArray, - info: ByteArray, - ): Triple { - val protocols = Protocols(context) - - val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) - - var hkdf1: ByteArray? = null - var hkdf2: ByteArray? = null - - try { - hkdf1 = hkdf(ikm = dh1, salt = salt, info = info, len = 32) - hkdf2 = hkdf(ikm = dh2, salt = hkdf1, info = info, len = 96) - - return Triple( - hkdf2.sliceArray(0 until 32), - hkdf2.sliceArray(32 until 64), - hkdf2.sliceArray(64 until 96), - ) - } finally { - dh1.fill(0) - dh2.fill(0) - hkdf1?.fill(0) - hkdf2?.fill(0) - // The sliceArray copies inside Triple are intentionally not zeroed — - // they are the return value and owned by the caller - } - } - fun generateKeysNKServer( - context: Context, - authenticationKeypair: AsymmetricCipherKeyPair, - ephemeralKeyPair: AsymmetricCipherKeyPair, - ephemeralPublicKey: CipherParameters, - salt: ByteArray, - info: ByteArray, - ): Triple { - val protocols = Protocols(context) - val dh1 = protocols.dh(authenticationKeypair, ephemeralPublicKey) - val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) - - var hkdf1: ByteArray? = null - var hkdf2: ByteArray? 
= null - - try { - hkdf1 = hkdf( ikm = dh1, salt = salt, info = info, len = 32, ) - hkdf2 = hkdf( ikm = dh2, salt = hkdf1, info = info, len = 96, ) - - return Triple( - hkdf2.sliceArray(0 until 32), - hkdf2.sliceArray(32 until 64), - hkdf2.sliceArray(64 until 96), - ) - } finally { - dh1.fill(0) - dh2.fill(0) - hkdf1?.fill(0) - hkdf2?.fill(0) - } - } - - data class NoiseIKKey( - val keys: Triple, - val h: ByteArray - ) - - fun generateKeysIK( - context: Context, - ephemeralKeyPair: AsymmetricCipherKeyPair, - authenticationPublicKey: CipherParameters, - staticKeyPair: AsymmetricCipherKeyPair, - info: ByteArray, - headerInfo: ByteArray, - ) : NoiseIKKey { - val protocols = Protocols(context) - - var h = "Noise_IK_25519_AESGCM_SHA256".encodeToByteArray().sha256() - var ck = h - - h = (h + (authenticationPublicKey as X25519PublicKeyParameters).encoded).sha256() - h = (h + (ephemeralKeyPair.public as X25519PublicKeyParameters).encoded).sha256() - - val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) - - // Named references so we can zero them - var hkdf1: ByteArray? = null - var hkdf2: ByteArray? = null - var hkdf3: ByteArray? = null - var k: ByteArray? = null - var csPkEnc: ByteArray? = null - var ciphertext: ByteArray? 
= null - - try { - hkdf1 = hkdf(ikm = dhEs, salt = ck, info = info, len = 2) - ck = hkdf1.sliceArray(0 until 32) - k = hkdf1.sliceArray(32 until 64) - - csPkEnc = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - (staticKeyPair.public as X25519PublicKeyParameters).encoded, - h - ) - h = (h + csPkEnc).sha256() - - hkdf2 = hkdf(ikm = dhSs, salt = ck, info = info, len = 2) - ck = hkdf2.sliceArray(0 until 32) - k.fill(0) // zero previous k before reassigning - k = hkdf2.sliceArray(32 until 64) - - ciphertext = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - "".encodeToByteArray(), - h - ) - h = (h + ciphertext).sha256() - - hkdf3 = hkdf(ikm = dhSs, salt = ck, info = headerInfo, len = 3) - - return NoiseIKKey( - Triple( - hkdf3.sliceArray(0 until 32), - hkdf3.sliceArray(32 until 64), - hkdf3.sliceArray(64 until 96), - ), - h - ) - } finally { - // Zero everything sensitive regardless of success or exception - dhEs.fill(0) - dhSs.fill(0) - ck.fill(0) - k?.fill(0) - hkdf1?.fill(0) - hkdf2?.fill(0) - hkdf3?.fill(0) - // csPkEnc and ciphertext are non-secret ciphertext, but zero anyway - csPkEnc?.fill(0) - ciphertext?.fill(0) - } - } - - fun generateKeysIKForwardSecrecy( - context: Context, - h: ByteArray, - ck: ByteArray, - ephemeralKeyPair: AsymmetricCipherKeyPair, - ephemeralResponderPublicKey: CipherParameters, - authenticationPublicKey: CipherParameters, - info: ByteArray, - headerInfo: ByteArray, - ) : NoiseIKKey { - val protocols = Protocols(context) - - // Shadowed vars — use local mutable copies so we can zero them - // Note: the incoming h and ck are owned by the caller; don't zero them here - var localH = (h + (ephemeralResponderPublicKey as X25519PublicKeyParameters).encoded).sha256() - var localCk = ck.copyOf() // defensive copy — we'll mutate and zero this - - val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) - val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - - var hkdf1: ByteArray? 
= null - var hkdf2: ByteArray? = null - var hkdf3: ByteArray? = null - var k: ByteArray? = null - var ciphertext1: ByteArray? = null - var ciphertext2: ByteArray? = null - - try { - hkdf1 = hkdf(ikm = dhEe, salt = localCk, info = info, len = 2) - localCk.fill(0) - localCk = hkdf1.sliceArray(0 until 32) - k = hkdf1.sliceArray(32 until 64) - - ciphertext1 = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - "".encodeToByteArray(), - localH - ) - localH = (localH + ciphertext1).sha256() - - hkdf2 = hkdf(ikm = dhSe, salt = localCk, info = info, len = 2) - localCk.fill(0) - localCk = hkdf2.sliceArray(0 until 32) - k.fill(0) // zero previous k before reassign - k = hkdf2.sliceArray(32 until 64) - - ciphertext2 = Cryptography.AesGcm.encrypt( - SecretKeySpec(k, "AES"), - "".encodeToByteArray(), - localH - ) - localH = (localH + ciphertext2).sha256() - - hkdf3 = hkdf( - ikm = "".encodeToByteArray(), - salt = localCk, - info = headerInfo, - len = 3 - ) - - return NoiseIKKey( - Triple( - hkdf3.sliceArray(0 until 32), - hkdf3.sliceArray(32 until 64), - hkdf3.sliceArray(64 until 96), - ), - localH - ) - } finally { - dhEe.fill(0) - dhSe.fill(0) - localCk.fill(0) - k?.fill(0) - hkdf1?.fill(0) - hkdf2?.fill(0) - hkdf3?.fill(0) - ciphertext1?.fill(0) - ciphertext2?.fill(0) - // Do NOT zero localH — it's returned inside NoiseIKKey - // Do NOT zero the caller's h and ck — we don't own them - } - } fun ByteArray.sha256(): ByteArray { return MessageDigest .getInstance("SHA-256") diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index 152ae98..504fa0c 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt 
@@ -1,13 +1,251 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet +import android.content.Context +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hkdf +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.sha256 +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols +import org.bouncycastle.crypto.AsymmetricCipherKeyPair +import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.params.X25519PublicKeyParameters import javax.crypto.Cipher import javax.crypto.KeyGenerator import javax.crypto.SecretKey import javax.crypto.spec.GCMParameterSpec import java.security.SecureRandom +import javax.crypto.spec.SecretKeySpec object Cryptography { + fun generateKeysNK( + context: Context, + ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationPublicKey: CipherParameters, + ephemeralPublicKey: CipherParameters, + salt: ByteArray, + info: ByteArray, + ): Triple { + val protocols = Protocols(context) + + val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? 
= null + + try { + hkdf1 = hkdf(ikm = dh1, salt = salt, info = info, len = 32) + hkdf2 = hkdf(ikm = dh2, salt = hkdf1, info = info, len = 96) + + return Triple( + hkdf2.sliceArray(0 until 32), + hkdf2.sliceArray(32 until 64), + hkdf2.sliceArray(64 until 96), + ) + } finally { + dh1.fill(0) + dh2.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + // The sliceArray copies inside Triple are intentionally not zeroed — + // they are the return value and owned by the caller + } + } + fun generateKeysNKServer( + context: Context, + authenticationKeypair: AsymmetricCipherKeyPair, + ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralPublicKey: CipherParameters, + salt: ByteArray, + info: ByteArray, + ): Triple { + val protocols = Protocols(context) + val dh1 = protocols.dh(authenticationKeypair, ephemeralPublicKey) + val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + + try { + hkdf1 = hkdf( ikm = dh1, salt = salt, info = info, len = 32, ) + hkdf2 = hkdf( ikm = dh2, salt = hkdf1, info = info, len = 96, ) + + return Triple( + hkdf2.sliceArray(0 until 32), + hkdf2.sliceArray(32 until 64), + hkdf2.sliceArray(64 until 96), + ) + } finally { + dh1.fill(0) + dh2.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + } + } + + data class NoiseIKKey( + val keys: Triple, + val h: ByteArray + ) + + fun generateKeysIK( + context: Context, + ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationPublicKey: CipherParameters, + staticKeyPair: AsymmetricCipherKeyPair, + info: ByteArray, + headerInfo: ByteArray, + ) : NoiseIKKey { + val protocols = Protocols(context) + + var h = "Noise_IK_25519_AESGCM_SHA256".encodeToByteArray().sha256() + var ck = h + + h = (h + (authenticationPublicKey as X25519PublicKeyParameters).encoded).sha256() + h = (h + (ephemeralKeyPair.public as X25519PublicKeyParameters).encoded).sha256() + + val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + val dhSs = protocols.dh(staticKeyPair, 
authenticationPublicKey) + + // Named references so we can zero them + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + var hkdf3: ByteArray? = null + var k: ByteArray? = null + var csPkEnc: ByteArray? = null + var ciphertext: ByteArray? = null + + try { + hkdf1 = hkdf(ikm = dhEs, salt = ck, info = info, len = 2) + ck = hkdf1.sliceArray(0 until 32) + k = hkdf1.sliceArray(32 until 64) + + csPkEnc = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + (staticKeyPair.public as X25519PublicKeyParameters).encoded, + h + ) + h = (h + csPkEnc).sha256() + + hkdf2 = hkdf(ikm = dhSs, salt = ck, info = info, len = 2) + ck = hkdf2.sliceArray(0 until 32) + k.fill(0) // zero previous k before reassigning + k = hkdf2.sliceArray(32 until 64) + + ciphertext = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + h + ) + h = (h + ciphertext).sha256() + + hkdf3 = hkdf(ikm = dhSs, salt = ck, info = headerInfo, len = 3) + + return NoiseIKKey( + Triple( + hkdf3.sliceArray(0 until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), + ), + h + ) + } finally { + // Zero everything sensitive regardless of success or exception + dhEs.fill(0) + dhSs.fill(0) + ck.fill(0) + k?.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + hkdf3?.fill(0) + // csPkEnc and ciphertext are non-secret ciphertext, but zero anyway + csPkEnc?.fill(0) + ciphertext?.fill(0) + } + } + + fun generateKeysIKForwardSecrecy( + context: Context, + h: ByteArray, + ck: ByteArray, + ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralResponderPublicKey: CipherParameters, + authenticationPublicKey: CipherParameters, + info: ByteArray, + headerInfo: ByteArray, + ) : NoiseIKKey { + val protocols = Protocols(context) + + // Shadowed vars — use local mutable copies so we can zero them + // Note: the incoming h and ck are owned by the caller; don't zero them here + var localH = (h + (ephemeralResponderPublicKey as X25519PublicKeyParameters).encoded).sha256() + var localCk 
= ck.copyOf() // defensive copy — we'll mutate and zero this + + val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) + val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + + var hkdf1: ByteArray? = null + var hkdf2: ByteArray? = null + var hkdf3: ByteArray? = null + var k: ByteArray? = null + var ciphertext1: ByteArray? = null + var ciphertext2: ByteArray? = null + + try { + hkdf1 = hkdf(ikm = dhEe, salt = localCk, info = info, len = 2) + localCk.fill(0) + localCk = hkdf1.sliceArray(0 until 32) + k = hkdf1.sliceArray(32 until 64) + + ciphertext1 = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + localH + ) + localH = (localH + ciphertext1).sha256() + + hkdf2 = hkdf(ikm = dhSe, salt = localCk, info = info, len = 2) + localCk.fill(0) + localCk = hkdf2.sliceArray(0 until 32) + k.fill(0) // zero previous k before reassign + k = hkdf2.sliceArray(32 until 64) + + ciphertext2 = Cryptography.AesGcm.encrypt( + SecretKeySpec(k, "AES"), + "".encodeToByteArray(), + localH + ) + localH = (localH + ciphertext2).sha256() + + hkdf3 = hkdf( + ikm = "".encodeToByteArray(), + salt = localCk, + info = headerInfo, + len = 3 + ) + + return NoiseIKKey( + Triple( + hkdf3.sliceArray(0 until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), + ), + localH + ) + } finally { + dhEe.fill(0) + dhSe.fill(0) + localCk.fill(0) + k?.fill(0) + hkdf1?.fill(0) + hkdf2?.fill(0) + hkdf3?.fill(0) + ciphertext1?.fill(0) + ciphertext2?.fill(0) + // Do NOT zero localH — it's returned inside NoiseIKKey + // Do NOT zero the caller's h and ck — we don't own them + } + } + object AesGcm { private const val ALGORITHM = "AES/GCM/NoPadding" private const val KEY_SIZE_BITS = 256 From 942f310efa93187dcfcd16a44c1b816a3bfab41f Mon Sep 17 00:00:00 2001 
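Review bot: The `len` argument to `hkdf` is used with two different meanings in this hunk: `generateKeysNK` and `generateKeysNKServer` pass `len = 32` and `len = 96` and slice 96 bytes, while `generateKeysIK` and `generateKeysIKForwardSecrecy` pass `len = 2` and `len = 3` and slice 64 and 96 bytes. `hkdf` itself is not visible here, so one pair is presumably wrong: if `len` is a byte count the IK `sliceArray` calls go out of range, and if it is a count of 32-byte blocks the NK calls derive far more output than they use. Make the unit explicit and consistent, for example `hkdf1 = hkdf(ikm = dhEs, salt = ck, info = info, len = 64)` if bytes are meant, and document the unit on `hkdf`. Separately, `generateKeysIK` replaces `ck` with the `hkdf2` slice without the `ck.fill(0)` that `generateKeysIKForwardSecrecy` applies to `localCk`, so the intermediate chaining key copy is left unwiped.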
From: sherlockwisdom Date: Tue, 14 Apr 2026 14:23:36 +0100 Subject: [PATCH 12/19] update: making use of use to zero out keys --- .../libsignal/RatchetsTest.kt | 312 ++++++++++-------- .../libsignal_doubleratchet/Cryptography.kt | 88 +++-- .../libsignal/RatchetsHE.kt | 98 ++++-- 3 files changed, 305 insertions(+), 193 deletions(-) diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index 89093d2..35b03d7 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt @@ -19,14 +19,6 @@ class RatchetsTest { InstrumentationRegistry.getInstrumentation().targetContext val protocol = Protocols(context) - lateinit var aliceRk: ByteArray - lateinit var aliceHk: ByteArray - lateinit var aliceNhk: ByteArray - - lateinit var bobRk: ByteArray - lateinit var bobHk: ByteArray - lateinit var bobNhk: ByteArray - val aliceKeypair = protocol.generateDH() val bobStaticKeypair = protocol.generateDH() val bobKeypair = protocol.generateDH() @@ -37,8 +29,8 @@ class RatchetsTest { (bobKeypair.public as X25519PublicKeyParameters).encoded + (bobStaticKeypair.public as X25519PublicKeyParameters).encoded - @Before - fun start() { + @Test + fun completeRatchetTest() { Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, 
@@ -46,145 +38,185 @@ class RatchetsTest { ephemeralPublicKey = bobKeypair.public, salt = salt, info = info - ).let { - aliceRk = it.first - aliceHk = it.second - aliceNhk = it.third - } + ).use { alice -> + Cryptography.generateKeysNKServer( + context = context, + authenticationKeypair = bobStaticKeypair, + ephemeralKeyPair = bobKeypair, + ephemeralPublicKey = aliceKeypair.public, + salt = salt, + info = info + ).let { bob -> + assertArrayEquals(alice.rk, bob.first) + assertArrayEquals(alice.hk, bob.second) + assertArrayEquals(alice.nhk, bob.third) + + val ratchets = RatchetsHE(context) + val aliceState = States() + ratchets.ratchetInitAlice( + state = aliceState, + sk = alice.rk, + bobDhPublicKey = bobKeypair.public, + sharedHka = alice.hk, + sharedNHka = alice.nhk + ) + + val bobState = States() + ratchets.ratchetInitBob( + state = bobState, + sk = bob.first, + bobKeypair = bobKeypair, + sharedHka = bob.second, + sharedNHka = bob.third + ) + + val originalText = SecureRandom.getSeed(32); + + val ad = "RatchetsTest".encodeToByteArray().sha256() + var ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + + var plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + + ratchetPayload = ratchets.ratchetEncrypt( + state = bobState, + plaintext = originalText, + ad = ad + ) + + plaintext = ratchets.ratchetDecrypt( + state = aliceState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + } - Cryptography.generateKeysNKServer( - context = context, - authenticationKeypair = bobStaticKeypair, - ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = aliceKeypair.public, - salt = salt, - info = info - ).let { - bobRk = it.first - bobHk = it.second - bobNhk = it.third } - 
assertArrayEquals(aliceRk, bobRk) - assertArrayEquals(aliceHk, bobHk) - assertArrayEquals(aliceNhk, bobNhk) - } - @Test - fun completeRatchetTest() { - val ratchets = RatchetsHE(context) - val aliceState = States() - ratchets.ratchetInitAlice( - state = aliceState, - sk = aliceRk, - bobDhPublicKey = bobKeypair.public, - sharedHka = aliceHk, - sharedNHka = aliceNhk - ) - - val bobState = States() - ratchets.ratchetInitBob( - state = bobState, - sk = bobRk, - bobKeypair = bobKeypair, - sharedHka = bobHk, - sharedNHka = bobNhk - ) - - val originalText = SecureRandom.getSeed(32); - - val ad = "RatchetsTest".encodeToByteArray().sha256() - var ratchetPayload = ratchets.ratchetEncrypt( - state = aliceState, - plaintext = originalText, - ad = ad - ) - - var plaintext = ratchets.ratchetDecrypt( - state = bobState, - encHeader = ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - - assertArrayEquals(originalText, plaintext) - - ratchetPayload = ratchets.ratchetEncrypt( - state = bobState, - plaintext = originalText, - ad = ad - ) - - plaintext = ratchets.ratchetDecrypt( - state = aliceState, - encHeader = ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - - assertArrayEquals(originalText, plaintext) } @Test fun completeRatchetOutOfOrderTest() { - val ratchets = RatchetsHE(context) - val aliceState = States() - ratchets.ratchetInitAlice( - state = aliceState, - sk = aliceRk, - bobDhPublicKey = bobKeypair.public, - sharedHka = aliceHk, - sharedNHka = aliceNhk - ) - - val bobState = States() - ratchets.ratchetInitBob( - state = bobState, - sk = bobRk, - bobKeypair = bobKeypair, - sharedHka = bobHk, - sharedNHka = bobNhk - ) - - val originalText = SecureRandom.getSeed(32); - - val ad = "RatchetsTest".encodeToByteArray().sha256() - var ratchetPayload = ratchets.ratchetEncrypt( - state = aliceState, - plaintext = originalText, - ad = ad - ) - for(i in 1..5) { - ratchetPayload = ratchets.ratchetEncrypt( - state = 
aliceState, - plaintext = originalText, - ad = ad - ) - } + Cryptography.generateKeysNK( + context = context, + ephemeralKeyPair = aliceKeypair, + authenticationPublicKey = bobStaticKeypair.public, + ephemeralPublicKey = bobKeypair.public, + salt = salt, + info = info + ).use { alice -> + Cryptography.generateKeysNKServer( + context = context, + authenticationKeypair = bobStaticKeypair, + ephemeralKeyPair = bobKeypair, + ephemeralPublicKey = aliceKeypair.public, + salt = salt, + info = info + ).let { bob -> + assertArrayEquals(alice.rk, bob.first) + assertArrayEquals(alice.hk, bob.second) + assertArrayEquals(alice.nhk, bob.third) + + val ratchets = RatchetsHE(context) + val aliceState = States() + ratchets.ratchetInitAlice( + state = aliceState, + sk = alice.rk, + bobDhPublicKey = bobKeypair.public, + sharedHka = alice.hk, + sharedNHka = alice.nhk + ) + + val bobState = States() + ratchets.ratchetInitBob( + state = bobState, + sk = bob.first, + bobKeypair = bobKeypair, + sharedHka = bob.second, + sharedNHka = bob.third + ) + + val originalText = SecureRandom.getSeed(32); + + val ad = "RatchetsTest".encodeToByteArray().sha256() + var ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + + var plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + + ratchetPayload = ratchets.ratchetEncrypt( + state = bobState, + plaintext = originalText, + ad = ad + ) + + plaintext = ratchets.ratchetDecrypt( + state = aliceState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + + for(i in 1..5) { + ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + } + + plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = 
ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + + ratchetPayload = ratchets.ratchetEncrypt( + state = bobState, + plaintext = originalText, + ad = ad + ) + + plaintext = ratchets.ratchetDecrypt( + state = aliceState, + encHeader = ratchetPayload.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + + assertArrayEquals(originalText, plaintext) + } - var plaintext = ratchets.ratchetDecrypt( - state = bobState, - encHeader = ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - - assertArrayEquals(originalText, plaintext) - - ratchetPayload = ratchets.ratchetEncrypt( - state = bobState, - plaintext = originalText, - ad = ad - ) - - plaintext = ratchets.ratchetDecrypt( - state = aliceState, - encHeader = ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - - assertArrayEquals(originalText, plaintext) + } } } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index 504fa0c..e2f5ddd 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -1,6 +1,7 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet import android.content.Context +import androidx.datastore.core.Closeable import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hkdf import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.sha256 import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols 
@@ -16,6 +17,34 @@ import javax.crypto.spec.SecretKeySpec object Cryptography { + data class NoiseNKKeys( + val rk: ByteArray, + val hk: ByteArray, + val nhk: ByteArray, + ): Closeable { + private var zeroed = false + + override fun close() { + if(!zeroed) { + rk.fill(0) + hk.fill(0) + nhk.fill(0) + zeroed = true + } + } + + inline fun use(block: (NoiseNKKeys) -> T): T { + try { + return block(this) + } finally { + close() + } + } + + // Prevent accidental logging/serialization of key material + override fun toString() = "NoiseNKKeys([REDACTED])" + } + fun generateKeysNK( context: Context, ephemeralKeyPair: AsymmetricCipherKeyPair, @@ -23,7 +52,7 @@ object Cryptography { ephemeralPublicKey: CipherParameters, salt: ByteArray, info: ByteArray, - ): Triple { + ): NoiseNKKeys { val protocols = Protocols(context) val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) @@ -36,7 +65,7 @@ object Cryptography { hkdf1 = hkdf(ikm = dh1, salt = salt, info = info, len = 32) hkdf2 = hkdf(ikm = dh2, salt = hkdf1, info = info, len = 96) - return Triple( + return NoiseNKKeys( hkdf2.sliceArray(0 until 32), hkdf2.sliceArray(32 until 64), hkdf2.sliceArray(64 until 96), @@ -82,10 +111,35 @@ object Cryptography { } } - data class NoiseIKKey( - val keys: Triple, + data class NoiseIKKeys( + val rk: ByteArray, + val hk: ByteArray, + val nhk: ByteArray, val h: ByteArray - ) + ): Closeable { + private var zeroed = false + + override fun close() { + if(!zeroed) { + rk.fill(0) + hk.fill(0) + nhk.fill(0) + h.fill(0) + zeroed = true + } + } + + inline fun use(block: (NoiseIKKeys) -> T): T { + try { + return block(this) + } finally { + close() + } + } + + // Prevent accidental logging/serialization of key material + override fun toString() = "NoiseIKKeys([REDACTED])" + } fun generateKeysIK( context: Context, 
@@ -94,7 +148,7 @@ object Cryptography { staticKeyPair: AsymmetricCipherKeyPair, info: ByteArray, headerInfo: ByteArray, - ) : NoiseIKKey { + ) : NoiseIKKeys { val protocols = Protocols(context) var h = "Noise_IK_25519_AESGCM_SHA256".encodeToByteArray().sha256() @@ -140,12 +194,10 @@ object Cryptography { hkdf3 = hkdf(ikm = dhSs, salt = ck, info = headerInfo, len = 3) - return NoiseIKKey( - Triple( - hkdf3.sliceArray(0 until 32), - hkdf3.sliceArray(32 until 64), - hkdf3.sliceArray(64 until 96), - ), + return NoiseIKKeys( + hkdf3.sliceArray(0 until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), h ) } finally { @@ -172,7 +224,7 @@ object Cryptography { authenticationPublicKey: CipherParameters, info: ByteArray, headerInfo: ByteArray, - ) : NoiseIKKey { + ) : NoiseIKKeys { val protocols = Protocols(context) // Shadowed vars — use local mutable copies so we can zero them @@ -223,12 +275,10 @@ object Cryptography { len = 3 ) - return NoiseIKKey( - Triple( - hkdf3.sliceArray(0 until 32), - hkdf3.sliceArray(32 until 64), - hkdf3.sliceArray(64 until 96), - ), + return NoiseIKKeys( + hkdf3.sliceArray(0 until 32), + hkdf3.sliceArray(32 until 64), + hkdf3.sliceArray(64 until 96), localH ) } finally { diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index 8bcf04d..3390842 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt 
@@ -80,14 +80,19 @@ class RatchetsHE(context: Context) : Protocols(context){ ad: ByteArray, ) : RatchetPayload { val (ck, mk) = kdfCk(state.CKs) - state.CKs = ck - val header = Headers(state.DHRs!!, state.PN, state.Ns) - val encHeader = hEncrypt(state.HKs!!, header.serialized) - state.Ns++ - return RatchetPayload( - header = encHeader, - cipherText = encrypt(mk, plaintext, concat(ad, encHeader)) - ) + try { + state.CKs = ck + val header = Headers(state.DHRs!!, state.PN, state.Ns) + val encHeader = hEncrypt(state.HKs!!, header.serialized) + state.Ns++ + return RatchetPayload( + header = encHeader, + cipherText = encrypt(mk, plaintext, concat(ad, encHeader)) + ) + } finally { + ck.fill(0) + mk.fill(0) + } } fun ratchetDecrypt( @@ -107,11 +112,16 @@ class RatchetsHE(context: Context) : Protocols(context){ } skipMessageKeys(state, header.n.toInt()) - val kdfCk = kdfCk(state.CKr) - state.CKr = kdfCk.first - val mk = kdfCk.second - state.Nr++ - return decrypt(mk, cipherText, concat(ad, encHeader)) + + val (ck, mk) = kdfCk(state.CKr) + try { + state.CKr = ck + state.Nr++ + return decrypt(mk, cipherText, concat(ad, encHeader)) + } finally { + ck.fill(0) + mk.fill(0) + } } private fun skipMessageKeys( @@ -123,11 +133,16 @@ class RatchetsHE(context: Context) : Protocols(context){ state.CKr?.let{ while(state.Nr.toInt() < until) { - val kdfCk = kdfCk(state.CKr) - state.CKr = kdfCk.first - val mk = kdfCk.second - state.MKSKIPPED[Pair(state.HKr, state.Nr.toInt())] = mk - state.Nr++ + val (ck, mk) = kdfCk(state.CKr) + try { + state.CKr = ck + val mk = mk + state.MKSKIPPED[Pair(state.HKr, state.Nr.toInt())] = mk + state.Nr++ + } finally { + ck.fill(0) + mk.fill(0) + } } } } 
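Review bot: In the ratchetEncrypt hunk, `state.CKs = ck` stores the array reference and the new `finally` then runs `ck.fill(0)`, so unless the `States` setter copies (not visible here) the stored sending chain key is wiped to zeros after the first message and later message keys are derived from a constant. The same pattern appears in the ratchetDecrypt hunk (`state.CKr = ck`) and in skipMessageKeys, where `mk.fill(0)` also wipes the key just placed in `state.MKSKIPPED`. The round-trip tests would likely not catch this, because both sides zero their chain keys in step. Store copies as the dhRatchet hunk already does: `state.CKs = ck.copyOf()`, `state.CKr = ck.copyOf()`, and `state.MKSKIPPED[Pair(state.HKr, state.Nr.toInt())] = mk.copyOf()`; the redundant `val mk = mk` can be dropped. All three function bodies begin outside their hunks.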
@@ -142,12 +157,17 @@ class RatchetsHE(context: Context) : Protocols(context){ val (hk, n) = it.key val mk = it.value - val header = hDecrypt(hk, encHeader).run { - Headers.deserialize(this) - } - if(header.n.toInt() == n) { - state.MKSKIPPED.remove(it.key) - return decrypt(mk, ciphertext, concat(ad, encHeader)) + try { + val header = hDecrypt(hk, encHeader).run { + Headers.deserialize(this) + } + if(header.n.toInt() == n) { + state.MKSKIPPED.remove(it.key) + return decrypt(mk, ciphertext, concat(ad, encHeader)) + } + } finally { + hk.fill(0) + mk.fill(0) } } @@ -186,28 +206,38 @@ class RatchetsHE(context: Context) : Protocols(context){ state.HKr = state.NHKr state.DHRr = header.dh.public - kdfRk(state.RK!!, + val (rk, ck, nhk) = kdfRk(state.RK!!, dh( state.DHRs!!, state.DHRr!!, ) - ).let { - state.RK = it.first - state.CKr = it.second - state.NHKr = it.third + ) + try { + state.RK = rk.copyOf() + state.CKr = ck.copyOf() + state.NHKr = nhk.copyOf() + } finally { + rk.fill(0) + ck.fill(0) + nhk.fill(0) } state.DHRs = generateDH() - kdfRk(state.RK!!, + val (rk1, ck1, nhk1) = kdfRk(state.RK!!, dh( state.DHRs!!, state.DHRr!!, ) - ).let { - state.RK = it.first - state.CKs = it.second - state.NHKs = it.third + ) + try { + state.RK = rk1.copyOf() + state.CKs = ck1.copyOf() + state.NHKs = nhk1.copyOf() + } finally { + rk1.fill(0) + ck1.fill(0) + nhk1.fill(0) } } } \ No newline at end of file From 439872d3b45f1299e800866d3521d9b1281548cf Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Tue, 14 Apr 2026 14:59:32 +0100 Subject: [PATCH 13/19] update: memory for noise ik --- .../libsignal_doubleratchet/Cryptography.kt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index e2f5ddd..b5c33aa 100644 
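Review bot: The `finally` added in the trySkippedMessageKeys hunk runs `hk.fill(0)` and `mk.fill(0)` for every entry the loop visits, including entries whose `n` does not match and which therefore stay in `state.MKSKIPPED`. Those arrays are the map's own key and value, and `hk` appears to be the same array that skipMessageKeys stored from `state.HKr`, so one non-matching lookup would wipe retained skipped keys and possibly the live header key. Zero only the message key on the matching branch, after the entry is removed, for example `return try { decrypt(mk, ciphertext, concat(ad, encHeader)) } finally { mk.fill(0) }`, and leave `hk` untouched. The loop header is outside the hunk.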
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -115,7 +115,8 @@ object Cryptography { val rk: ByteArray, val hk: ByteArray, val nhk: ByteArray, - val h: ByteArray + val ck: ByteArray? = null, + val h: ByteArray? = null, ): Closeable { private var zeroed = false @@ -124,7 +125,8 @@ object Cryptography { rk.fill(0) hk.fill(0) nhk.fill(0) - h.fill(0) + ck?.fill(0) + h?.fill(0) zeroed = true } } @@ -198,6 +200,7 @@ object Cryptography { hkdf3.sliceArray(0 until 32), hkdf3.sliceArray(32 until 64), hkdf3.sliceArray(64 until 96), + ck, h ) } finally { @@ -279,7 +282,6 @@ object Cryptography { hkdf3.sliceArray(0 until 32), hkdf3.sliceArray(32 until 64), hkdf3.sliceArray(64 until 96), - localH ) } finally { dhEe.fill(0) From a42dea9702c39d69868ee9fab5a5827e36aa6b3a Mon Sep 17 00:00:00 2001 
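Review bot: In the `@@ -198,6 +200,7 @@` hunk, `NoiseIKKeys(..., ck, h)` hands out the same `ck` array that the `finally` block of `generateKeysIK` (added in the earlier patch, outside this hunk) clears with `ck.fill(0)`, so the caller would receive an all-zero `ck`. Pass a copy instead, `ck.copyOf(),`, so the local can still be wiped while the returned holder owns its own array. In the last hunk `localH` is no longer returned, so the comment `Do NOT zero localH — it's returned inside NoiseIKKey` in that function's `finally` block, if unchanged, is now stale and should be updated.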
From: sherlockwisdom Date: Tue, 21 Apr 2026 12:09:02 +0100 Subject: [PATCH 14/19] update: refactored --- .../SecurityAESTest.kt | 23 ----- .../SecurityRSATest.java | 54 ----------- .../SecurityX25519Test.kt | 66 ------------- .../libsignal/RatchetsTest.kt | 22 ++--- .../libsignal_doubleratchet/Cryptography.kt | 35 ++++--- .../libsignal_doubleratchet/SecurityAES.java | 91 ------------------ .../libsignal_doubleratchet/SecurityRSA.kt | 90 ------------------ .../extensions/context.kt | 94 ------------------- .../libsignal/Headers.kt | 9 +- .../libsignal/Protocols.kt | 83 +++++++++++++--- .../libsignal/RatchetsHE.kt | 12 +-- .../libsignal/States.kt | 58 ++++++++++-- 12 files changed, 159 insertions(+), 478 deletions(-) delete mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt delete mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java delete mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt delete mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java delete mode 100644 double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt deleted file mode 100644 index 5b92d58..0000000 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAESTest.kt +++ /dev/null 
@@ -1,23 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.content.Context -import androidx.test.espresso.internal.inject.InstrumentationContext -import androidx.test.filters.SmallTest -import androidx.test.platform.app.InstrumentationRegistry -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.extensions.generateRandomBytes -import org.junit.Assert.assertArrayEquals -import org.junit.Test - -@SmallTest -class SecurityAESTest { - var context: Context = InstrumentationRegistry.getInstrumentation().targetContext - @Test - fun aesTest() { - val secretKey = SecurityAES.generateSecretKey(256) - val input = context.generateRandomBytes(277) - val cipher = SecurityAES.encryptAES256CBC(input, secretKey.encoded, null) - val output = SecurityAES.decryptAES256CBC(cipher, secretKey.encoded, null) - - assertArrayEquals(input, output) - } -} \ No newline at end of file diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java deleted file mode 100644 index 98487f6..0000000 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSATest.java +++ /dev/null 
@@ -1,54 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet; - - -import static org.junit.Assert.assertArrayEquals; -import static org.junit.Assert.assertEquals; - -import androidx.test.ext.junit.runners.AndroidJUnit4; - -import org.junit.Test; -import org.junit.runner.RunWith; - -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.KeyPair; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PublicKey; -import java.security.UnrecoverableEntryException; -import java.security.cert.CertificateException; - -import javax.crypto.BadPaddingException; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.SecretKey; - -@RunWith(AndroidJUnit4.class) -public class SecurityRSATest { - - String keystoreAlias = "keystoreAlias"; - @Test - public void testCanStoreAndEncrypt() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, InvalidKeyException, UnrecoverableEntryException, CertificateException, KeyStoreException, IOException { -// KeyPairGenerator kpg = KeyPairGenerator.getInstance( -// KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); -// -// kpg.initialize(new KeyGenParameterSpec.Builder(keystoreAlias, -// KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) -// .setKeySize(2048) -// .setDigests(KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, -// KeyProperties.DIGEST_SHA512) -// .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) -// .build()); -// -// KeyPair keyPair = kpg.generateKeyPair(); -// PublicKey publicKey = SecurityRSA.generateKeyPair(keystoreAlias, 2048); -// KeyPair keyPair = KeystoreHelpers.getKeyPairFromKeystore(keystoreAlias); -// 
-// SecretKey secretKey = SecurityAES.generateSecretKey(256); -// byte[] cipherText = SecurityRSA.encrypt(keyPair.getPublic(), secretKey.getEncoded()); -// byte[] plainText = SecurityRSA.decrypt(keyPair.getPrivate(), cipherText); -// assertArrayEquals(secretKey.getEncoded(), plainText); - } -} diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt deleted file mode 100644 index 545634d..0000000 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityX25519Test.kt +++ /dev/null 
@@ -1,66 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.content.Context -import android.security.keystore.KeyGenParameterSpec -import android.security.keystore.KeyProperties -import androidx.test.filters.SmallTest -import androidx.test.platform.app.InstrumentationRegistry -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal.Protocols -import org.junit.Assert.assertArrayEquals -import org.junit.Test -import java.security.KeyPairGenerator -import java.security.KeyStore -import java.security.Signature - -@SmallTest -class SecurityX25519Test { - - var context: Context = InstrumentationRegistry.getInstrumentation().targetContext - - @Test - fun keystoreEd25519() { - val keystoreAlias = "keystoreAlias" - val kpg: KeyPairGenerator = KeyPairGenerator.getInstance( - KeyProperties.KEY_ALGORITHM_EC, - "AndroidKeyStore" - ) - val parameterSpec: KeyGenParameterSpec = KeyGenParameterSpec.Builder( - keystoreAlias, - KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY - ).run { - setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) - build() - } - - kpg.initialize(parameterSpec) - val kp = kpg.generateKeyPair() - - val ks: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { - load(null) - } - val entry: KeyStore.Entry = ks.getEntry(keystoreAlias, null) - if (entry !is KeyStore.PrivateKeyEntry) { - throw Exception("No instance of keystore") - } - - val data = "Hello world".encodeToByteArray() - val signature: ByteArray = Signature.getInstance("SHA256withECDSA").run { - initSign(entry.privateKey) - update(data) - sign() - } - - } - - @Test - fun sharedSecret() { - val protocols = Protocols(context) - val alice = protocols.generateDH() - val bob = protocols.generateDH() - - val aliceSharedSecret = protocols.dh(alice, bob.public) - val bobSharedSecret = protocols.dh(bob, alice.public) - - assertArrayEquals(aliceSharedSecret, bobSharedSecret) - } -} \ No newline at end of file 
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index 35b03d7..c1a5ba0 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt @@ -25,17 +25,17 @@ class RatchetsTest { val salt = "completeRatchetTest_v1".encodeToByteArray() val info = context.generateRandomBytes(16) + - (aliceKeypair.public as X25519PublicKeyParameters).encoded + - (bobKeypair.public as X25519PublicKeyParameters).encoded + - (bobStaticKeypair.public as X25519PublicKeyParameters).encoded + aliceKeypair.publicKey + + bobKeypair.publicKey + + bobStaticKeypair.publicKey @Test fun completeRatchetTest() { Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, - authenticationPublicKey = bobStaticKeypair.public, - ephemeralPublicKey = bobKeypair.public, + authenticationPublicKey = X25519PublicKeyParameters(bobStaticKeypair.publicKey), + ephemeralPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), salt = salt, info = info ).use { alice -> @@ -43,7 +43,7 @@ class RatchetsTest { context = context, authenticationKeypair = bobStaticKeypair, ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = aliceKeypair.public, + ephemeralPublicKey = X25519PublicKeyParameters(aliceKeypair.publicKey), salt = salt, info = info ).let { bob -> @@ -56,7 +56,7 @@ class RatchetsTest { ratchets.ratchetInitAlice( state = aliceState, sk = alice.rk, - bobDhPublicKey = bobKeypair.public, + bobDhPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), sharedHka = alice.hk, sharedNHka = alice.nhk ) 
@@ -114,8 +114,8 @@ class RatchetsTest { Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, - authenticationPublicKey = bobStaticKeypair.public, - ephemeralPublicKey = bobKeypair.public, + authenticationPublicKey = X25519PublicKeyParameters(bobStaticKeypair.publicKey), + ephemeralPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), salt = salt, info = info ).use { alice -> @@ -123,7 +123,7 @@ class RatchetsTest { context = context, authenticationKeypair = bobStaticKeypair, ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = aliceKeypair.public, + ephemeralPublicKey = X25519PublicKeyParameters(aliceKeypair.publicKey), salt = salt, info = info ).let { bob -> @@ -136,7 +136,7 @@ class RatchetsTest { ratchets.ratchetInitAlice( state = aliceState, sk = alice.rk, - bobDhPublicKey = bobKeypair.public, + bobDhPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), sharedHka = alice.hk, sharedNHka = alice.nhk ) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index b5c33aa..7dae0cf 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -47,7 +47,7 @@ object Cryptography { fun generateKeysNK( context: Context, - ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, authenticationPublicKey: CipherParameters, ephemeralPublicKey: CipherParameters, salt: ByteArray, 
@@ -81,8 +81,8 @@ object Cryptography { } fun generateKeysNKServer( context: Context, - authenticationKeypair: AsymmetricCipherKeyPair, - ephemeralKeyPair: AsymmetricCipherKeyPair, + authenticationKeypair: Protocols.CloseableCurve15519KeyPair, + ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, ephemeralPublicKey: CipherParameters, salt: ByteArray, info: ByteArray, @@ -145,9 +145,9 @@ object Cryptography { fun generateKeysIK( context: Context, - ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, authenticationPublicKey: CipherParameters, - staticKeyPair: AsymmetricCipherKeyPair, + staticKeyPair: Protocols.CloseableCurve15519KeyPair, info: ByteArray, headerInfo: ByteArray, ) : NoiseIKKeys { @@ -157,7 +157,7 @@ object Cryptography { var ck = h h = (h + (authenticationPublicKey as X25519PublicKeyParameters).encoded).sha256() - h = (h + (ephemeralKeyPair.public as X25519PublicKeyParameters).encoded).sha256() + h = (h + ephemeralKeyPair.publicKey).sha256() val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) @@ -175,9 +175,9 @@ object Cryptography { ck = hkdf1.sliceArray(0 until 32) k = hkdf1.sliceArray(32 until 64) - csPkEnc = Cryptography.AesGcm.encrypt( + csPkEnc = AesGcm.encrypt( SecretKeySpec(k, "AES"), - (staticKeyPair.public as X25519PublicKeyParameters).encoded, + staticKeyPair.publicKey, h ) h = (h + csPkEnc).sha256() @@ -222,7 +222,7 @@ object Cryptography { context: Context, h: ByteArray, ck: ByteArray, - ephemeralKeyPair: AsymmetricCipherKeyPair, + ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, ephemeralResponderPublicKey: CipherParameters, authenticationPublicKey: CipherParameters, info: ByteArray, 
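Review bot: The positional call `AesGcm.encrypt(SecretKeySpec(k, "AES"), staticKeyPair.publicKey, h)` in the `generateKeysIK` hunk now binds `h` to the new `iv` parameter, because this commit inserts `iv` ahead of `associatedData` in the `AesGcm.encrypt` signature (changed further down in this file). The transcript hash would then serve as the GCM nonce, nothing would be passed as associated data, and the result would come back without an IV prefix; the `ciphertext1` and `ciphertext2` calls that pass `localH` in the later hunks have the same shape. Either declare the new parameter last, `associatedData: ByteArray? = null,` followed by `iv: ByteArray? = null`, or name the argument at each call site, `associatedData = h`. The decrypt side of the handshake is not visible in this diff, so check that it still matches.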
@@ -251,7 +251,7 @@ object Cryptography { localCk = hkdf1.sliceArray(0 until 32) k = hkdf1.sliceArray(32 until 64) - ciphertext1 = Cryptography.AesGcm.encrypt( + ciphertext1 = AesGcm.encrypt( SecretKeySpec(k, "AES"), "".encodeToByteArray(), localH @@ -264,7 +264,7 @@ object Cryptography { k.fill(0) // zero previous k before reassign k = hkdf2.sliceArray(32 until 64) - ciphertext2 = Cryptography.AesGcm.encrypt( + ciphertext2 = AesGcm.encrypt( SecretKeySpec(k, "AES"), "".encodeToByteArray(), localH @@ -282,6 +282,7 @@ object Cryptography { hkdf3.sliceArray(0 until 32), hkdf3.sliceArray(32 until 64), hkdf3.sliceArray(64 until 96), + h = localH ) } finally { dhEe.fill(0) @@ -309,11 +310,6 @@ object Cryptography { val iv: ByteArray // IV — must be stored alongside ciphertext for decryption ) - fun generateKey(): SecretKey { - val keygen = KeyGenerator.getInstance("AES") - keygen.init(KEY_SIZE_BITS, SecureRandom()) - return keygen.generateKey() - } /** * Encrypts [plaintext] with AES-256-GCM. @@ -327,17 +323,18 @@ object Cryptography { fun encrypt( key: SecretKey, plaintext: ByteArray, + iv: ByteArray? = null, associatedData: ByteArray? = null ): ByteArray { - val iv = ByteArray(IV_SIZE_BYTES).also { SecureRandom().nextBytes(it) } - val spec = GCMParameterSpec(TAG_SIZE_BITS, iv) + val iv1 = iv ?: ByteArray(IV_SIZE_BYTES).also { SecureRandom().nextBytes(it) } + val spec = GCMParameterSpec(TAG_SIZE_BITS, iv1) val cipher = Cipher.getInstance(ALGORITHM) cipher.init(Cipher.ENCRYPT_MODE, key, spec) associatedData?.let { cipher.updateAAD(it) } val ciphertext = cipher.doFinal(plaintext) - return iv + ciphertext + return if(iv != null) ciphertext else iv1 + ciphertext } /** diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java deleted file mode 100644 index 30e47a1..0000000 
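Review bot: The doc comment on `encrypt` does not cover the new `iv` parameter, as far as the visible context shows, and the return shape now depends on it. With a caller-supplied IV the function returns only the ciphertext and tag, while without one the random IV is prepended. Say so in the KDoc together with the uniqueness requirement, for example `@param iv nonce supplied by the caller; must never repeat under the same key, and is not prepended to the result`. The KDoc block starts outside this hunk.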
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityAES.java +++ /dev/null 
@@ -1,91 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet; - -import android.security.keystore.KeyProperties; - -import com.google.common.primitives.Bytes; - -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; - -import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.KeyGenerator; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.SecretKey; -import javax.crypto.spec.GCMParameterSpec; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.SecretKeySpec; - -public class SecurityAES { - - public static final String DEFAULT_AES_ALGORITHM = "AES/CBC/PKCS5Padding"; - - public static final String ALGORITHM = "AES"; - - public static SecretKey generateSecretKey(int size) throws NoSuchAlgorithmException { - KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES); - keyGenerator.init(size); // Adjust key size as needed - return keyGenerator.generateKey(); - } - - public static byte[] encryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { - Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); - aesCipher.init(Cipher.ENCRYPT_MODE, secretKey); - byte[] cipherText = aesCipher.doFinal(data); - - final byte[] IV = aesCipher.getIV(); - byte[] cipherTextIv = new byte[IV.length + cipherText.length]; - System.arraycopy(IV, 0, cipherTextIv, 0, IV.length); - System.arraycopy(cipherText, 0, cipherTextIv, IV.length, cipherText.length); - return cipherTextIv; - } - - public static byte[] decryptAESGCM(byte[] data, SecretKey secretKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException { - byte[] iv 
= new byte[12]; - System.arraycopy(data, 0, iv, 0, iv.length); - - byte[] _data = new byte[data.length - iv.length]; - System.arraycopy(data, iv.length, _data, 0, _data.length); - - GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(128,iv); - - Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding"); - aesCipher.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec); - return aesCipher.doFinal(_data); - } - - public static byte[] encryptAES256CBC(byte[] input, byte[] secretKey, byte[] iv) throws Throwable { - SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, 0, secretKey.length, "AES"); - - Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); - if(iv != null) { - IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); - cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec); - return cipher.doFinal(input); - } - - cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); - byte[] ciphertext = cipher.doFinal(input); - return Bytes.concat(cipher.getIV(), ciphertext); - } - - public static byte[] decryptAES256CBC(byte[] input, byte[] sharedKey, byte[] iv) throws Throwable { - SecretKeySpec secretKeySpec = new SecretKeySpec(sharedKey, ALGORITHM); - - Cipher cipher = Cipher.getInstance(DEFAULT_AES_ALGORITHM); - if(iv == null) { - iv = new byte[16]; - System.arraycopy(input, 0, iv, 0, 16); - - byte[] content = new byte[input.length - 16]; - System.arraycopy(input, 16, content, 0, content.length); - input = content; - } - - IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); - cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec); - return cipher.doFinal(input); - } -} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt deleted file mode 100644 index fa8112d..0000000 
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/SecurityRSA.kt +++ /dev/null 
@@ -1,90 +0,0 @@ -package com.afkanerd.smswithoutborders.libsignal_doubleratchet - -import android.security.keystore.KeyGenParameterSpec -import android.security.keystore.KeyProperties -import java.security.InvalidAlgorithmParameterException -import java.security.InvalidKeyException -import java.security.KeyPairGenerator -import java.security.NoSuchAlgorithmException -import java.security.NoSuchProviderException -import java.security.PrivateKey -import java.security.PublicKey -import java.security.spec.MGF1ParameterSpec -import javax.crypto.BadPaddingException -import javax.crypto.Cipher -import javax.crypto.IllegalBlockSizeException -import javax.crypto.NoSuchPaddingException -import javax.crypto.spec.OAEPParameterSpec -import javax.crypto.spec.PSource - -object SecurityRSA { - var defaultEncryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA256 - var defaultDecryptionDigest: MGF1ParameterSpec? = MGF1ParameterSpec.SHA1 - - var encryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( - "SHA-256", "MGF1", defaultEncryptionDigest, - PSource.PSpecified.DEFAULT - ) - var decryptionDigestParam: OAEPParameterSpec = OAEPParameterSpec( - "SHA-256", "MGF1", defaultDecryptionDigest, - PSource.PSpecified.DEFAULT - ) - - @JvmStatic - @Throws( - NoSuchAlgorithmException::class, - NoSuchProviderException::class, - InvalidAlgorithmParameterException::class - ) - fun generateKeyPair(keystoreAlias: String, keySize: Int = 2048): PublicKey? 
{ - val kpg = KeyPairGenerator.getInstance( - KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore" - ) - kpg.initialize( - KeyGenParameterSpec.Builder( - keystoreAlias, - KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT - ) - .setKeySize(keySize) - .setDigests( - KeyProperties.DIGEST_SHA1, KeyProperties.DIGEST_SHA256, - KeyProperties.DIGEST_SHA512 - ) - .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - .build() - ) - return kpg.generateKeyPair().public - } - - @JvmStatic - @Throws( - NoSuchPaddingException::class, - NoSuchAlgorithmException::class, - IllegalBlockSizeException::class, - BadPaddingException::class, - InvalidKeyException::class, - InvalidAlgorithmParameterException::class - ) - fun decrypt(privateKey: PrivateKey?, data: ByteArray?): ByteArray? { - val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - // cipher.init(Cipher.DECRYPT_MODE, privateKey, decryptionDigestParam); - cipher.init(Cipher.DECRYPT_MODE, privateKey) - return cipher.doFinal(data) - } - - @JvmStatic - @Throws( - NoSuchPaddingException::class, - NoSuchAlgorithmException::class, - IllegalBlockSizeException::class, - BadPaddingException::class, - InvalidKeyException::class, - InvalidAlgorithmParameterException::class - ) - fun encrypt(publicKey: PublicKey?, data: ByteArray?): ByteArray? { - val cipher = Cipher.getInstance("RSA/ECB/" + KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) - // cipher.init(Cipher.ENCRYPT_MODE, publicKey, encryptionDigestParam); - cipher.init(Cipher.ENCRYPT_MODE, publicKey) - return cipher.doFinal(data) - } -} diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt index 9cafd07..27c1a10 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt 
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/extensions/context.kt @@ -8,8 +8,6 @@ import androidx.datastore.preferences.core.edit import androidx.datastore.preferences.core.stringPreferencesKey import androidx.datastore.preferences.core.stringSetPreferencesKey import androidx.datastore.preferences.preferencesDataStore -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityRSA import com.google.gson.Gson import kotlinx.coroutines.flow.first import java.io.IOException @@ -25,45 +23,6 @@ import javax.crypto.spec.SecretKeySpec val Context.dataStore: DataStore by preferencesDataStore(name = "secure_comms") -/** - * Pair - */ -suspend fun Context.getKeypairValues(address: String): Pair { - val keyValue = stringSetPreferencesKey(address + "_keypair") - val keypairSet = dataStore.data.first()[keyValue] - val encryptionPublicKey = getKeypairFromKeystore(address) - - val publicKey = SecurityRSA.decrypt( - encryptionPublicKey?.private, - Base64.decode(keypairSet?.elementAt(0), Base64.DEFAULT) - ) - val privateKey = SecurityRSA.decrypt( - encryptionPublicKey?.private, - Base64.decode(keypairSet?.elementAt(1), Base64.DEFAULT) - ) - return Pair(publicKey, privateKey) -} - -suspend fun Context.setKeypairValues( - address: String, - publicKey: ByteArray, - privateKey: ByteArray, -) { - val encryptionPublicKey = SecurityRSA.generateKeyPair(address) - - val keyValue = stringSetPreferencesKey(address + "_keypair") - dataStore.edit { secureComms-> - secureComms[keyValue] = setOf( - Base64.encodeToString(publicKey.run { - SecurityRSA.encrypt(encryptionPublicKey, this) - }, Base64.DEFAULT), - Base64.encodeToString(privateKey.run { - SecurityRSA.encrypt(encryptionPublicKey, this) - }, Base64.DEFAULT), - ) - } -} - @Throws( KeyStoreException::class, CertificateException::class, 
@@ -93,59 +52,6 @@ data class SavedBinaryData( /** * Would overwrite anything with the same Keystore Alias */ -@Throws -suspend fun Context.saveBinaryDataEncrypted( - keystoreAlias: String, - data: ByteArray, -) : Boolean { - val keyValue = stringPreferencesKey(keystoreAlias) - - val aesGcmKey = SecurityAES.generateSecretKey(256) - val data = SecurityAES.encryptAESGCM(data, aesGcmKey) - -// val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias)?.public -// ?: SecurityRSA.generateKeyPair(keystoreAlias) - - var saved = false - dataStore.edit { secureComms-> - try { - val encryptionPublicKey = SecurityRSA.generateKeyPair(keystoreAlias) - SecurityRSA.encrypt(encryptionPublicKey, aesGcmKey.encoded)?.let { key -> - secureComms[keyValue] = Gson().toJson( - SavedBinaryData( - key = key, - algorithm = aesGcmKey.algorithm, - data = data - ) - ) - saved = true - } - } catch(e: Exception) { - throw e - } - } - return saved -} - -@Throws -suspend fun Context.getEncryptedBinaryData(keystoreAlias: String): ByteArray? { - val keyValue = stringPreferencesKey(keystoreAlias) - val data = dataStore.data.first()[keyValue] ?: return null - - val savedBinaryData = Gson().fromJson(data, SavedBinaryData::class.java) - - return try { - val encryptionPublicKey = getKeypairFromKeystore(keystoreAlias) - SecurityRSA.decrypt(encryptionPublicKey?.private, savedBinaryData.key) - ?.run { - SecurityAES.decryptAESGCM(savedBinaryData.data, - SecretKeySpec(this, savedBinaryData.algorithm) - ) - } - } catch(e: Exception) { - throw e - } -} fun Context.generateRandomBytes(length: Int): ByteArray { val random = SecureRandom() diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt index f37fde8..1dbc230 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt 
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Headers.kt @@ -7,7 +7,7 @@ import java.nio.ByteBuffer import java.nio.ByteOrder import java.security.KeyPair -class Headers(var dh: AsymmetricCipherKeyPair, pn: UByte, n: UByte) { +class Headers(var dh: Protocols.CloseableCurve15519KeyPair, pn: UByte, n: UByte) { var pn: UByte = 0u var n: UByte = 0u @@ -18,8 +18,7 @@ class Headers(var dh: AsymmetricCipherKeyPair, pn: UByte, n: UByte) { val serialized: ByteArray get() { - val pk = dh.public as X25519PublicKeyParameters - return byteArrayOf(pn.toByte()) + byteArrayOf(n.toByte()) + pk.encoded + return byteArrayOf(pn.toByte()) + byteArrayOf(n.toByte()) + dh.publicKey } companion object { @@ -28,8 +27,8 @@ class Headers(var dh: AsymmetricCipherKeyPair, pn: UByte, n: UByte) { val n = header[1].toUByte() val pk = header.sliceArray(2 until header.size) return Headers( - AsymmetricCipherKeyPair( - X25519PublicKeyParameters(pk, 0), + Protocols.CloseableCurve15519KeyPair( + pk, null ), pn, n) } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 8ff979d..65c12b9 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt 
@@ -5,22 +5,28 @@ import android.util.Pair import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hkdf import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hmac +import com.afkanerd.smswithoutborders.libsignal_doubleratchet.Cryptography import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R -import com.afkanerd.smswithoutborders.libsignal_doubleratchet.SecurityAES import com.google.common.primitives.Bytes import org.bouncycastle.crypto.AsymmetricCipherKeyPair import org.bouncycastle.crypto.CipherParameters import org.bouncycastle.crypto.agreement.X25519Agreement import org.bouncycastle.crypto.generators.X25519KeyPairGenerator import org.bouncycastle.crypto.params.X25519KeyGenerationParameters +import org.bouncycastle.crypto.params.X25519PrivateKeyParameters +import org.bouncycastle.crypto.params.X25519PublicKeyParameters import org.bouncycastle.jce.provider.BouncyCastleProvider +import java.lang.AutoCloseable +import java.security.PrivateKey import java.security.SecureRandom import java.security.Security +import javax.crypto.SecretKey +import javax.crypto.spec.SecretKeySpec /** - * This implementations are based on the signal protocols specifications. + * These implementations are based on the signal protocols specifications. * - * This are based on the recommended algorithms and parameters for the encryption + * These are based on the recommended algorithms and parameters for the encryption * and decryption. * * The goal for this would be to transform it into library which can be used across 
@@ -37,17 +43,50 @@ open class Protocols(private val context: Context) { Security.addProvider(BouncyCastleProvider()) } - fun generateDH(): AsymmetricCipherKeyPair { + data class CloseableCurve15519KeyPair( + var publicKey: ByteArray, + var privateKey: ByteArray? + ): AutoCloseable { + private var isClosed = false + + fun use(block: (CloseableCurve15519KeyPair) -> Unit) { + if (isClosed) throw IllegalStateException("Cannot use zeroed RatchetState") + block(this) + } + + override fun close() { + if(isClosed) return + publicKey.fill(0) + privateKey?.fill(0) + isClosed = true + } + + } + + fun generateDH(): CloseableCurve15519KeyPair { val generator = X25519KeyPairGenerator() generator.init(X25519KeyGenerationParameters(SecureRandom())) - return generator.generateKeyPair() + + val keypair = generator.generateKeyPair() + return try { + CloseableCurve15519KeyPair( + publicKey = (keypair.public as X25519PublicKeyParameters).encoded, + privateKey = (keypair.private as X25519PrivateKeyParameters).encoded, + ) + } catch(e: Exception) { + e.printStackTrace() + (keypair.private as? X25519PrivateKeyParameters)?.encoded?.fill(0) + throw e + } } - fun dh(keypair: AsymmetricCipherKeyPair, publicKey: CipherParameters): ByteArray { + fun dh(keypair: CloseableCurve15519KeyPair, publicKey: CipherParameters): ByteArray { val sharedSecret = ByteArray(32) val agreement = X25519Agreement() - agreement.init(keypair.private) - agreement.calculateAgreement(publicKey, sharedSecret, 0) + keypair.use { kp -> + agreement.init(X25519PrivateKeyParameters(kp.privateKey, 0)) + agreement.calculateAgreement(publicKey, sharedSecret, 0) + } return sharedSecret } 
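Review bot: `close()` wipes only the wrapper's own arrays, while the private key also lives in BouncyCastle objects that are never cleared: the `keypair` produced by the generator in `generateDH`, and the `X25519PrivateKeyParameters(kp.privateKey, 0)` built on every `dh` call. In the `catch` branch, `(keypair.private as? X25519PrivateKeyParameters)?.encoded?.fill(0)` most likely zeroes a fresh copy, since BouncyCastle's `getEncoded()` returns a clone as far as I know; this is worth confirming. Separately, `dh` passes the nullable `privateKey` straight to the constructor, and `Headers.deserialize` creates keypairs with `null` there; `val sk = requireNotNull(kp.privateKey) { "keypair has no private key" }` would fail with a clear message. The member `use` also does not call `close()`, and its error text still says `RatchetState`.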
@@ -90,7 +129,11 @@ open class Protocols(private val context: Context) { val authKey = this.sliceArray(32 until 64) val iv = this.sliceArray(64 until 80) - val cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv) + val cipherText = Cryptography.AesGcm.encrypt( + key = SecretKeySpec(key, "AES"), + iv = iv, + plaintext = plainText, + ) val mac = hmac(authKey) mac.update(ad + cipherText) cipherText + mac.doFinal() @@ -112,7 +155,11 @@ open class Protocols(private val context: Context) { val authKey = this.sliceArray(32 until 64) val iv = this.sliceArray(64 until 80) - val cipherText = SecurityAES.encryptAES256CBC(plainText, key, iv) + val cipherText = Cryptography.AesGcm.encrypt( + key = SecretKeySpec(key, "AES"), + iv = iv, + plaintext = plainText, + ) val mac = hmac(authKey) mac.update(cipherText) @@ -141,12 +188,18 @@ open class Protocols(private val context: Context) { val key = this.sliceArray(0 until 32) val iv = this.sliceArray(64 until 80) - SecurityAES.decryptAES256CBC(plaintextCiphertext, key, iv) + Cryptography.AesGcm.decrypt( + key = SecretKeySpec(key, "AES"), + ciphertext = plaintextCiphertext, + iv = iv, + ) } } - fun hDecrypt(mk: ByteArray, cipherText: ByteArray): ByteArray { + fun hDecrypt(mk: ByteArray?, cipherText: ByteArray): ByteArray? { val len = 80 + if(mk == null) return null + return hkdf( ikm = mk, salt = ByteArray(len), @@ -166,7 +219,11 @@ open class Protocols(private val context: Context) { val key = this.sliceArray(0 until 32) val iv = this.sliceArray(64 until 80) - SecurityAES.decryptAES256CBC(plainCiphertext, key, iv) + Cryptography.AesGcm.decrypt( + key = SecretKeySpec(key, "AES"), + ciphertext = plainCiphertext, + iv = iv, + ) } } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index 3390842..4b2606c 100644 
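Review bot: The IV handed to `Cryptography.AesGcm.encrypt` is the HKDF slice `64 until 80` derived from the key itself, so every encryption under one key uses one IV, and under GCM that repeats the keystream and undermines the tag. For message keys this holds up only if each `mk` encrypts a single message; for the header path it looks unsafe, since `RatchetsHE` calls `hDecrypt(state.HKr, encHeader)` with a header key that stays in the state across messages, and the second encrypt hunk here (no `ad` in the MAC) appears to be its counterpart. Header encryption needs a fresh IV per header, for example by omitting `iv` so that `AesGcm.encrypt` generates and prepends a random one, with the decrypt side changed to match. The 16-byte slice is also longer than the usual 12-byte GCM nonce. The enclosing functions begin outside these hunks.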
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -55,7 +55,7 @@ class RatchetsHE(context: Context) : Protocols(context){ fun ratchetInitBob( state: States, sk: ByteArray, - bobKeypair: AsymmetricCipherKeyPair, + bobKeypair: CloseableCurve15519KeyPair, sharedHka: ByteArray, sharedNHka: ByteArray, ) { @@ -158,10 +158,10 @@ class RatchetsHE(context: Context) : Protocols(context){ val mk = it.value try { - val header = hDecrypt(hk, encHeader).run { + val header = hDecrypt(hk, encHeader)?.run { Headers.deserialize(this) } - if(header.n.toInt() == n) { + if(header != null && header.n.toInt() == n) { state.MKSKIPPED.remove(it.key) return decrypt(mk, ciphertext, concat(ad, encHeader)) } @@ -180,7 +180,7 @@ class RatchetsHE(context: Context) : Protocols(context){ ) : Pair { var header: Headers? = null try { - header = hDecrypt(state.HKr!!, encHeader).run { + header = hDecrypt(state.HKr, encHeader)?.run { Headers.deserialize(this) } } catch(e: Exception) { @@ -191,7 +191,7 @@ class RatchetsHE(context: Context) : Protocols(context){ return Pair(header, false) } - header = hDecrypt(state.NHKr!!, encHeader).run { + header = hDecrypt(state.NHKr!!, encHeader)?.run { Headers.deserialize(this) } @@ -204,7 +204,7 @@ class RatchetsHE(context: Context) : Protocols(context){ state.Nr = 0u state.HKs = state.NHKs state.HKr = state.NHKr - state.DHRr = header.dh.public + state.DHRr = X25519PublicKeyParameters(header.dh.publicKey) val (rk, ck, nhk) = kdfRk(state.RK!!, dh( diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt index fe0b438..f3d6810 100644 
--- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt @@ -1,10 +1,18 @@ package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal +import android.R.id.input import android.util.Pair +import kotlinx.serialization.ExperimentalSerializationApi import kotlinx.serialization.Serializable import kotlinx.serialization.json.Json +import kotlinx.serialization.json.decodeFromStream +import kotlinx.serialization.json.encodeToStream import org.bouncycastle.crypto.AsymmetricCipherKeyPair import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters +import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters +import java.io.ByteArrayOutputStream +import java.lang.AutoCloseable import java.security.KeyPair import java.security.PrivateKey import java.security.PublicKey 
@@ -17,21 +25,59 @@ data class States( var Ns: UByte = 0u, var Nr: UByte = 0u, var PN: UByte = 0u, - var DHRs: AsymmetricCipherKeyPair? = null, + var DHRs: Protocols.CloseableCurve15519KeyPair? = null, var DHRr: CipherParameters? = null, var HKs: ByteArray? = null, var HKr: ByteArray? = null, var NHKs: ByteArray? = null, var NHKr: ByteArray? = null, var MKSKIPPED: MutableMap, ByteArray> = mutableMapOf() -) { - fun serialize(): String { - return Json.encodeToString(this) +) : AutoCloseable { + @OptIn(ExperimentalSerializationApi::class) + fun serialize(): ByteArray { + val outputBuffer = ByteArrayOutputStream() + Json.encodeToStream(this, outputBuffer) + return outputBuffer.toByteArray() + } + + private var isClosed = false + override fun close() { + if(isClosed) return + RK?.let { it.fill(0); RK = null } + CKs?.let { it.fill(0); CKs = null } + CKr?.let { it.fill(0); CKr = null } + HKs?.let { it.fill(0); HKs = null } + HKr?.let { it.fill(0); HKr = null } + NHKs?.let { it.fill(0); NHKs = null } + NHKr?.let { it.fill(0); NHKr = null } + + (DHRr as? Ed25519PublicKeyParameters)?.encoded?.fill(0) + DHRr = null + + val iterator = MKSKIPPED.entries.iterator() + while (iterator.hasNext()) { + val entry = iterator.next() + entry.key.first.fill(0) + entry.value.fill(0) + iterator.remove() + } + MKSKIPPED.clear() + + Ns = 0u + Nr = 0u + PN = 0u + isClosed = true + } + + fun use(block: (States) -> Unit) { + if (isClosed) throw IllegalStateException("Cannot use zeroed RatchetState") + block(this) } companion object { - fun deserialize(input: String): States { - return Json.decodeFromString(input) + @OptIn(ExperimentalSerializationApi::class) + fun deserialize(data: ByteArray): States { + return Json.decodeFromStream(data.inputStream()) } } } \ No newline at end of file From dfc9711fcba056f4372f692f65fef2935c172f86 Mon Sep 17 00:00:00 2001 
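Review bot: `close()` wipes every symmetric key and `DHRr` but never touches `DHRs`, the field that holds this side's own ratchet key pair, so the private key outlives a closed state. Adding `DHRs?.close(); DHRs = null` next to the other fields would cover it; the States.kt hunk in PATCH 15/19 reworks the `DHRr` line but still leaves `DHRs` out. The `MKSKIPPED.clear()` after the iterator loop is redundant, since every entry has already been removed.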
From: sherlockwisdom Date: Tue, 21 Apr 2026 19:21:46 +0100 Subject: [PATCH 15/19] update: bytes are easier to zero out --- .../libsignal/PoCTest.kt | 28 +++++++++++++++++++ .../libsignal/RatchetsTest.kt | 16 +++++------ .../libsignal_doubleratchet/Cryptography.kt | 14 +++++----- .../libsignal/Protocols.kt | 10 +++++-- .../libsignal/RatchetsHE.kt | 4 +-- .../libsignal/States.kt | 5 ++-- 6 files changed, 54 insertions(+), 23 deletions(-) create mode 100644 double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/PoCTest.kt diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/PoCTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/PoCTest.kt new file mode 100644 index 0000000..ba88ab8 --- /dev/null +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/PoCTest.kt @@ -0,0 +1,28 @@ +package com.afkanerd.smswithoutborders.libsignal_doubleratchet.libsignal + +import android.content.Context +import androidx.test.filters.SmallTest +import androidx.test.platform.app.InstrumentationRegistry +import org.bouncycastle.crypto.CipherParameters +import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters +import org.bouncycastle.crypto.params.X25519PublicKeyParameters +import org.junit.Assert.assertArrayEquals +import org.junit.Test + +@SmallTest +class PoCTest { + + var context: Context = + InstrumentationRegistry.getInstrumentation().targetContext + val protocol = Protocols(context) + + @Test + fun zeroing() { + val keypair = protocol.generateDH() + val publicKey = X25519PublicKeyParameters(keypair.publicKey) + + publicKey.encoded.fill(0) + val expected = ByteArray(32) + assertArrayEquals(expected, publicKey.encoded) + } +} \ No newline at end of file 
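Review bot: The `zeroing` test passes only if `X25519PublicKeyParameters.encoded` hands out the object's internal array; if the getter returns a defensive copy, which I believe BouncyCastle does, `publicKey.encoded.fill(0)` wipes a temporary and the assertion fails. Neither the class name `PoCTest` nor the body says which outcome is expected, so a comment such as `// encoded returns a copy: key bytes held inside parameter objects cannot be wiped in place` would record the finding that motivates this commit. The `CipherParameters` and `Ed25519PublicKeyParameters` imports are unused.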
diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index c1a5ba0..52506c3 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt @@ -34,8 +34,8 @@ class RatchetsTest { Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, - authenticationPublicKey = X25519PublicKeyParameters(bobStaticKeypair.publicKey), - ephemeralPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), + authenticationPublicKey = bobStaticKeypair.publicKey, + ephemeralPublicKey = bobKeypair.publicKey, salt = salt, info = info ).use { alice -> @@ -43,7 +43,7 @@ class RatchetsTest { context = context, authenticationKeypair = bobStaticKeypair, ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = X25519PublicKeyParameters(aliceKeypair.publicKey), + ephemeralPublicKey = aliceKeypair.publicKey, salt = salt, info = info ).let { bob -> @@ -56,7 +56,7 @@ class RatchetsTest { ratchets.ratchetInitAlice( state = aliceState, sk = alice.rk, - bobDhPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), + bobDhPublicKey = bobKeypair.publicKey, sharedHka = alice.hk, sharedNHka = alice.nhk ) @@ -114,8 +114,8 @@ class RatchetsTest { Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, - authenticationPublicKey = X25519PublicKeyParameters(bobStaticKeypair.publicKey), - ephemeralPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), + authenticationPublicKey = bobStaticKeypair.publicKey, + ephemeralPublicKey = bobKeypair.publicKey, salt = salt, info = info ).use { alice -> 
@@ -123,7 +123,7 @@ class RatchetsTest { context = context, authenticationKeypair = bobStaticKeypair, ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = X25519PublicKeyParameters(aliceKeypair.publicKey), + ephemeralPublicKey = aliceKeypair.publicKey, salt = salt, info = info ).let { bob -> @@ -136,7 +136,7 @@ class RatchetsTest { ratchets.ratchetInitAlice( state = aliceState, sk = alice.rk, - bobDhPublicKey = X25519PublicKeyParameters(bobKeypair.publicKey), + bobDhPublicKey = bobKeypair.publicKey, sharedHka = alice.hk, sharedNHka = alice.nhk ) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index 7dae0cf..f7a9954 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -48,8 +48,8 @@ object Cryptography { fun generateKeysNK( context: Context, ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, - authenticationPublicKey: CipherParameters, - ephemeralPublicKey: CipherParameters, + authenticationPublicKey: ByteArray, + ephemeralPublicKey: ByteArray, salt: ByteArray, info: ByteArray, ): NoiseNKKeys { @@ -83,7 +83,7 @@ object Cryptography { context: Context, authenticationKeypair: Protocols.CloseableCurve15519KeyPair, ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, - ephemeralPublicKey: CipherParameters, + ephemeralPublicKey: ByteArray, salt: ByteArray, info: ByteArray, ): Triple { @@ -146,7 +146,7 @@ object Cryptography { fun generateKeysIK( context: Context, ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, - authenticationPublicKey: CipherParameters, + authenticationPublicKey: ByteArray, staticKeyPair: Protocols.CloseableCurve15519KeyPair, info: ByteArray, headerInfo: ByteArray, 
@@ -223,8 +223,8 @@ object Cryptography { h: ByteArray, ck: ByteArray, ephemeralKeyPair: Protocols.CloseableCurve15519KeyPair, - ephemeralResponderPublicKey: CipherParameters, - authenticationPublicKey: CipherParameters, + ephemeralResponderPublicKey: ByteArray, + authenticationPublicKey: ByteArray, info: ByteArray, headerInfo: ByteArray, ) : NoiseIKKeys { @@ -232,7 +232,7 @@ object Cryptography { // Shadowed vars — use local mutable copies so we can zero them // Note: the incoming h and ck are owned by the caller; don't zero them here - var localH = (h + (ephemeralResponderPublicKey as X25519PublicKeyParameters).encoded).sha256() + var localH = h + ephemeralResponderPublicKey.sha256() var localCk = ck.copyOf() // defensive copy — we'll mutate and zero this val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 65c12b9..6f7c6c3 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt @@ -57,7 +57,7 @@ open class Protocols(private val context: Context) { override fun close() { if(isClosed) return publicKey.fill(0) - privateKey?.fill(0) + privateKey?.let{ it.fill(0); privateKey = null} isClosed = true } 
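Review bot: In the `@@ -232` hunk, `var localH = h + ephemeralResponderPublicKey.sha256()` binds `.sha256()` to the public key alone, so `localH` becomes `h` followed by the hash of the key instead of the hash of their concatenation that the removed line computed. Other transcript updates in this file keep the parenthesised form, e.g. `h = (h + ephemeralKeyPair.publicKey).sha256()`, so a peer that hashes the concatenation would presumably arrive at a different handshake hash, and `localH` is now longer than one digest. Restore the parentheses: `var localH = (h + ephemeralResponderPublicKey).sha256()`. The function body continues outside the hunk.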
@@ -80,12 +80,16 @@ open class Protocols(private val context: Context) { } } - fun dh(keypair: CloseableCurve15519KeyPair, publicKey: CipherParameters): ByteArray { + fun dh(keypair: CloseableCurve15519KeyPair, publicKey: ByteArray): ByteArray { val sharedSecret = ByteArray(32) val agreement = X25519Agreement() keypair.use { kp -> agreement.init(X25519PrivateKeyParameters(kp.privateKey, 0)) - agreement.calculateAgreement(publicKey, sharedSecret, 0) + agreement.calculateAgreement( + X25519PublicKeyParameters(publicKey), + sharedSecret, + 0 + ) } return sharedSecret } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index 4b2606c..aff098c 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -27,7 +27,7 @@ class RatchetsHE(context: Context) : Protocols(context){ fun ratchetInitAlice( state: States, sk: ByteArray, - bobDhPublicKey: CipherParameters, + bobDhPublicKey: ByteArray, sharedHka: ByteArray, sharedNHka: ByteArray, ) { @@ -204,7 +204,7 @@ class RatchetsHE(context: Context) : Protocols(context){ state.Nr = 0u state.HKs = state.NHKs state.HKr = state.NHKr - state.DHRr = X25519PublicKeyParameters(header.dh.publicKey) + state.DHRr = header.dh.publicKey val (rk, ck, nhk) = kdfRk(state.RK!!, dh( diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt index f3d6810..9439c5b 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt 
+++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt @@ -26,7 +26,7 @@ data class States( var Nr: UByte = 0u, var PN: UByte = 0u, var DHRs: Protocols.CloseableCurve15519KeyPair? = null, - var DHRr: CipherParameters? = null, + var DHRr: ByteArray? = null, var HKs: ByteArray? = null, var HKr: ByteArray? = null, var NHKs: ByteArray? = null, @@ -51,8 +51,7 @@ data class States( NHKs?.let { it.fill(0); NHKs = null } NHKr?.let { it.fill(0); NHKr = null } - (DHRr as? Ed25519PublicKeyParameters)?.encoded?.fill(0) - DHRr = null + DHRr?.let { it.fill(0); DHRr = null } val iterator = MKSKIPPED.entries.iterator() while (iterator.hasNext()) { From 96782608abfb626b34e338a638d7d5b64a4f367e Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Wed, 22 Apr 2026 17:36:49 +0100 Subject: [PATCH 16/19] update: fixed closeables --- .../libsignal_doubleratchet/Cryptography.kt | 20 ++----------------- .../libsignal/Protocols.kt | 5 ----- .../libsignal/States.kt | 5 ----- 3 files changed, 2 insertions(+), 28 deletions(-) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index f7a9954..424d0ae 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -21,7 +21,7 @@ object Cryptography { val rk: ByteArray, val hk: ByteArray, val nhk: ByteArray, - ): Closeable { + ): AutoCloseable { private var zeroed = false override fun close() { @@ -33,14 +33,6 @@ object Cryptography { } } - inline fun use(block: (NoiseNKKeys) -> T): T { - try { - return block(this) - } finally { - close() - } - } - // Prevent accidental logging/serialization of key material override fun toString() = "NoiseNKKeys([REDACTED])" } 
@@ -117,7 +109,7 @@ object Cryptography { val nhk: ByteArray, val ck: ByteArray? = null, val h: ByteArray? = null, - ): Closeable { + ): AutoCloseable { private var zeroed = false override fun close() { @@ -131,14 +123,6 @@ object Cryptography { } } - inline fun use(block: (NoiseIKKeys) -> T): T { - try { - return block(this) - } finally { - close() - } - } - // Prevent accidental logging/serialization of key material override fun toString() = "NoiseIKKeys([REDACTED])" } diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 6f7c6c3..37770e9 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt @@ -49,11 +49,6 @@ open class Protocols(private val context: Context) { ): AutoCloseable { private var isClosed = false - fun use(block: (CloseableCurve15519KeyPair) -> Unit) { - if (isClosed) throw IllegalStateException("Cannot use zeroed RatchetState") - block(this) - } - override fun close() { if(isClosed) return publicKey.fill(0) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt index 9439c5b..7422b02 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt 
@@ -68,11 +68,6 @@ data class States( isClosed = true } - fun use(block: (States) -> Unit) { - if (isClosed) throw IllegalStateException("Cannot use zeroed RatchetState") - block(this) - } - companion object { @OptIn(ExperimentalSerializationApi::class) fun deserialize(data: ByteArray): States { From f5b390248ef19b445961b94cf150da77244582a7 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Thu, 23 Apr 2026 13:22:26 +0100 Subject: [PATCH 17/19] update: fixed safety update: changed the use of kdf outputs --- .../libsignal_doubleratchet/Cryptography.kt | 62 +++++++++++------- .../libsignal/Protocols.kt | 35 ++++++----- .../libsignal/RatchetsHE.kt | 63 +++++++++---------- 3 files changed, 90 insertions(+), 70 deletions(-) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index 424d0ae..37e30c7 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -47,15 +47,20 @@ object Cryptography { ): NoiseNKKeys { val protocols = Protocols(context) - val dh1 = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + var dh1: ByteArray? = null + var dh2: ByteArray? = null + + ephemeralKeyPair.use { ekp -> + dh1 = protocols.dh(ekp.privateKey!!, authenticationPublicKey) + dh2 = protocols.dh(ekp.privateKey!!, ephemeralPublicKey) + } var hkdf1: ByteArray? = null var hkdf2: ByteArray? = null try { - hkdf1 = hkdf(ikm = dh1, salt = salt, info = info, len = 32) - hkdf2 = hkdf(ikm = dh2, salt = hkdf1, info = info, len = 96) + hkdf1 = hkdf(ikm = dh1!!, salt = salt, info = info, len = 32) + hkdf2 = hkdf(ikm = dh2!!, salt = hkdf1, info = info, len = 96) return NoiseNKKeys( hkdf2.sliceArray(0 until 32), 
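Review bot: `ephemeralKeyPair.use { ... }` in `generateKeysNK` now closes the caller's key pair as a side effect: PATCH 16/19 removed the member `use`, so this call presumably resolves to the standard-library extension, which calls `close()` and zeroes both halves of the pair. That ownership transfer is not stated anywhere, and the same pattern with `staticKeyPair.use` in the `@@ -140` hunk would wipe a long-term static key. Either document it, e.g. `/** Consumes [ephemeralKeyPair]; it is closed before this function returns. */`, or read `privateKey` without `use` and leave closing to the owner. The two `dh` calls also sit before the `try`, so `dh1` is not wiped if the second call throws.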
@@ -63,14 +68,18 @@ object Cryptography { hkdf2.sliceArray(64 until 96), ) } finally { - dh1.fill(0) - dh2.fill(0) + dh1?.fill(0) + dh2?.fill(0) hkdf1?.fill(0) hkdf2?.fill(0) // The sliceArray copies inside Triple are intentionally not zeroed — // they are the return value and owned by the caller } } + + /** + * This exists only for test purposes, do not use for Production builds + */ fun generateKeysNKServer( context: Context, authenticationKeypair: Protocols.CloseableCurve15519KeyPair, @@ -80,8 +89,8 @@ object Cryptography { info: ByteArray, ): Triple { val protocols = Protocols(context) - val dh1 = protocols.dh(authenticationKeypair, ephemeralPublicKey) - val dh2 = protocols.dh(ephemeralKeyPair, ephemeralPublicKey) + val dh1 = protocols.dh(authenticationKeypair.privateKey!!, ephemeralPublicKey) + val dh2 = protocols.dh(ephemeralKeyPair.privateKey!!, ephemeralPublicKey) var hkdf1: ByteArray? = null var hkdf2: ByteArray? = null @@ -140,11 +149,18 @@ object Cryptography { var h = "Noise_IK_25519_AESGCM_SHA256".encodeToByteArray().sha256() var ck = h - h = (h + (authenticationPublicKey as X25519PublicKeyParameters).encoded).sha256() + h = (h + authenticationPublicKey).sha256() h = (h + ephemeralKeyPair.publicKey).sha256() - val dhEs = protocols.dh(ephemeralKeyPair, authenticationPublicKey) - val dhSs = protocols.dh(staticKeyPair, authenticationPublicKey) + var dhEs: ByteArray? = null + var dhSs: ByteArray? = null + + ephemeralKeyPair.use { ekp -> + staticKeyPair.use { skp -> + dhEs = protocols.dh(ekp.privateKey!!, authenticationPublicKey) + dhSs = protocols.dh(skp.privateKey!!, authenticationPublicKey) + } + } // Named references so we can zero them var hkdf1: ByteArray? = null @@ -155,7 +171,7 @@ object Cryptography { var ciphertext: ByteArray? = null try { - hkdf1 = hkdf(ikm = dhEs, salt = ck, info = info, len = 2) + hkdf1 = hkdf(ikm = dhEs!!, salt = ck, info = info, len = 2) ck = hkdf1.sliceArray(0 until 32) k = hkdf1.sliceArray(32 until 64) 
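Review bot: In the `@@ -155` hunk, `hkdf(ikm = dhEs!!, salt = ck, info = info, len = 2)` asks for `len = 2`, yet the next lines slice `0 until 32` and `32 until 64` out of the result. Every other call visible in this file passes a byte count (`len = 32`, `len = 96`, `32*3`), so unless `hkdf` treats small values specially this either throws on the slice or produces far less key material than intended; `len = 64` looks like what was meant. The same argument appears in the `@@ -166`, `@@ -230` and `@@ -242` hunks.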
@@ -166,7 +182,7 @@ object Cryptography { ) h = (h + csPkEnc).sha256() - hkdf2 = hkdf(ikm = dhSs, salt = ck, info = info, len = 2) + hkdf2 = hkdf(ikm = dhSs!!, salt = ck, info = info, len = 2) ck = hkdf2.sliceArray(0 until 32) k.fill(0) // zero previous k before reassigning k = hkdf2.sliceArray(32 until 64) @@ -189,8 +205,8 @@ object Cryptography { ) } finally { // Zero everything sensitive regardless of success or exception - dhEs.fill(0) - dhSs.fill(0) + dhEs?.fill(0) + dhSs?.fill(0) ck.fill(0) k?.fill(0) hkdf1?.fill(0) @@ -219,8 +235,12 @@ object Cryptography { var localH = h + ephemeralResponderPublicKey.sha256() var localCk = ck.copyOf() // defensive copy — we'll mutate and zero this - val dhEe = protocols.dh(ephemeralKeyPair, ephemeralResponderPublicKey) - val dhSe = protocols.dh(ephemeralKeyPair, authenticationPublicKey) + var dhEe: ByteArray? = null + var dhSe: ByteArray? = null + ephemeralKeyPair.use { ekp -> + dhEe = protocols.dh(ekp.privateKey!!, ephemeralResponderPublicKey) + dhSe = protocols.dh(ekp.privateKey!!, authenticationPublicKey) + } var hkdf1: ByteArray? = null var hkdf2: ByteArray? = null @@ -230,7 +250,7 @@ object Cryptography { var ciphertext2: ByteArray? = null try { - hkdf1 = hkdf(ikm = dhEe, salt = localCk, info = info, len = 2) + hkdf1 = hkdf(ikm = dhEe!!, salt = localCk, info = info, len = 2) localCk.fill(0) localCk = hkdf1.sliceArray(0 until 32) k = hkdf1.sliceArray(32 until 64) @@ -242,7 +262,7 @@ object Cryptography { ) localH = (localH + ciphertext1).sha256() - hkdf2 = hkdf(ikm = dhSe, salt = localCk, info = info, len = 2) + hkdf2 = hkdf(ikm = dhSe!!, salt = localCk, info = info, len = 2) localCk.fill(0) localCk = hkdf2.sliceArray(0 until 32) k.fill(0) // zero previous k before reassign @@ -269,8 +289,8 @@ object Cryptography { h = localH ) } finally { - dhEe.fill(0) - dhSe.fill(0) + dhEe?.fill(0) + dhSe?.fill(0) localCk.fill(0) k?.fill(0) hkdf1?.fill(0) 
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 37770e9..7093df7 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt @@ -75,32 +75,33 @@ open class Protocols(private val context: Context) { } } - fun dh(keypair: CloseableCurve15519KeyPair, publicKey: ByteArray): ByteArray { + fun dh(privateKey: ByteArray, publicKey: ByteArray): ByteArray { val sharedSecret = ByteArray(32) val agreement = X25519Agreement() - keypair.use { kp -> - agreement.init(X25519PrivateKeyParameters(kp.privateKey, 0)) - agreement.calculateAgreement( - X25519PublicKeyParameters(publicKey), - sharedSecret, - 0 - ) - } + agreement.init(X25519PrivateKeyParameters(privateKey, 0)) + agreement.calculateAgreement( + X25519PublicKeyParameters(publicKey), + sharedSecret, + 0 + ) + privateKey.fill(0) + publicKey.fill(0) return sharedSecret } fun kdfRk( rk: ByteArray, dhOut: ByteArray - ): Triple { + ): Cryptography.NoiseNKKeys { val info = context.getString(R.string.dr_rk_info).encodeToByteArray() - return hkdf(dhOut, rk, info, 32*3).run { - Triple( - this.sliceArray(0 until 32), - this.sliceArray(32 until 64), - this.sliceArray(64 until 96), - ) - } + val hkdf = hkdf(dhOut, rk, info, 32*3) + val keys = Cryptography.NoiseNKKeys( + hkdf.sliceArray(0 until 32), + hkdf.sliceArray(32 until 64), + hkdf.sliceArray(64 until 96), + ) + hkdf.fill(0) + return keys } fun kdfCk(ck: ByteArray?): Pair { 
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index aff098c..e32e43c 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -34,12 +34,15 @@ class RatchetsHE(context: Context) : Protocols(context){ state.DHRs = generateDH() state.DHRr = bobDhPublicKey - kdfRk( - rk = sk, dh( state.DHRs!!, state.DHRr!!) - ).let { - state.RK = it.first - state.CKs = it.second - state.NHKs = it.third + state.DHRs.use { rs -> + val keys = kdfRk( + rk = sk, dh( rs?.privateKey!!, state.DHRr!!) + ) + keys.use { k-> + state.RK = k.rk + state.CKs = k.hk + state.NHKs = k.nhk + } } state.CKr = null @@ -206,38 +209,34 @@ class RatchetsHE(context: Context) : Protocols(context){ state.HKr = state.NHKr state.DHRr = header.dh.publicKey - val (rk, ck, nhk) = kdfRk(state.RK!!, - dh( - state.DHRs!!, - state.DHRr!!, + state.DHRs.use { rs -> + val keys = kdfRk(state.RK!!, + dh( + rs?.privateKey!!, + state.DHRr!!, + ) ) - ) - try { - state.RK = rk.copyOf() - state.CKr = ck.copyOf() - state.NHKr = nhk.copyOf() - } finally { - rk.fill(0) - ck.fill(0) - nhk.fill(0) + keys.use { k -> + state.RK = k.rk + state.CKr = k.hk + state.NHKr = k.nhk + } } state.DHRs = generateDH() - val (rk1, ck1, nhk1) = kdfRk(state.RK!!, - dh( - state.DHRs!!, - state.DHRr!!, + state.DHRs.use { rs -> + val keys = kdfRk(state.RK!!, + dh( + rs?.privateKey!!, + state.DHRr!!, + ) ) - ) - try { - state.RK = rk1.copyOf() - state.CKs = ck1.copyOf() - state.NHKs = nhk1.copyOf() - } finally { - rk1.fill(0) - ck1.fill(0) - nhk1.fill(0) + keys.use { k-> + state.RK = k.rk + state.CKs = k.hk + state.NHKs = k.nhk + } } } } \ No newline at end of file 
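Review bot: Both `use` blocks in `ratchetInitAlice` hand the state references that are wiped as soon as the block ends. `keys.use { k -> state.RK = k.rk ... }` assigns the arrays owned by `keys` and then closes it, where the removed code took `copyOf()` before zeroing; if `NoiseNKKeys.close()` zero-fills its fields (its body is not in this hunk), `RK`, `CKs` and `NHKs` end up all zero. `state.DHRs.use { ... }` likewise closes the ratchet key pair that the state goes on using. Copy on the way out, `state.RK = k.rk.copyOf()` and the same for `k.hk` and `k.nhk`, and read the private key without `use`; the `@@ -206` hunk repeats the pattern.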
From 855be82c7f1b5eb602cface10dd72fedd93f25c9 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Thu, 23 Apr 2026 16:16:50 +0100 Subject: [PATCH 18/19] update: modified to use GCM update: better zero mec --- .../libsignal/RatchetsTest.kt | 154 +++++++++--------- .../libsignal_doubleratchet/Cryptography.kt | 45 ++++- .../libsignal/Protocols.kt | 146 ++++++++++------- .../libsignal/RatchetsHE.kt | 64 ++++---- 4 files changed, 247 insertions(+), 162 deletions(-) diff --git a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt index 52506c3..9328291 100644 --- a/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt +++ b/double_ratchet/src/androidTest/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsTest.kt 
@@ -19,98 +19,106 @@ class RatchetsTest { InstrumentationRegistry.getInstrumentation().targetContext val protocol = Protocols(context) - val aliceKeypair = protocol.generateDH() - val bobStaticKeypair = protocol.generateDH() - val bobKeypair = protocol.generateDH() val salt = "completeRatchetTest_v1".encodeToByteArray() - val info = context.generateRandomBytes(16) + - aliceKeypair.publicKey + - bobKeypair.publicKey + - bobStaticKeypair.publicKey @Test fun completeRatchetTest() { - Cryptography.generateKeysNK( - context = context, - ephemeralKeyPair = aliceKeypair, - authenticationPublicKey = bobStaticKeypair.publicKey, - ephemeralPublicKey = bobKeypair.publicKey, - salt = salt, - info = info - ).use { alice -> - Cryptography.generateKeysNKServer( - context = context, - authenticationKeypair = bobStaticKeypair, - ephemeralKeyPair = bobKeypair, - ephemeralPublicKey = aliceKeypair.publicKey, - salt = salt, - info = info - ).let { bob -> - assertArrayEquals(alice.rk, bob.first) - assertArrayEquals(alice.hk, bob.second) - assertArrayEquals(alice.nhk, bob.third) - - val ratchets = RatchetsHE(context) - val aliceState = States() - ratchets.ratchetInitAlice( - state = aliceState, - sk = alice.rk, - bobDhPublicKey = bobKeypair.publicKey, - sharedHka = alice.hk, - sharedNHka = alice.nhk + val aliceKeypair = protocol.generateDH() + val bobStaticKeypair = protocol.generateDH() + val bobKeypair = protocol.generateDH() +// val info = context.generateRandomBytes(16) + +// aliceKeypair.publicKey + +// bobKeypair.publicKey + +// bobStaticKeypair.publicKey + val info = ByteArray(32) + + val ad = "RatchetsTest".encodeToByteArray().sha256() + val originalText = SecureRandom.getSeed(32); + var ratchetPayload: RatchetPayload? 
+ + aliceKeypair.use { aliceKeypair -> + bobKeypair.use { bobKeypair -> + + val alicePublicKey = aliceKeypair.publicKey.copyOf() + val bobPublicKey = bobKeypair.publicKey.copyOf() + val authenticationPublicKey = bobStaticKeypair.publicKey.copyOf() + + val aliceKey = Cryptography.generateKeysNK( + context = context, + ephemeralKeyPair = aliceKeypair, + authenticationPublicKey = authenticationPublicKey, + ephemeralPublicKey = bobPublicKey, + salt = salt, + info = info ) - val bobState = States() - ratchets.ratchetInitBob( - state = bobState, - sk = bob.first, - bobKeypair = bobKeypair, - sharedHka = bob.second, - sharedNHka = bob.third + val bob = Cryptography.generateKeysNKServer( + context = context, + authenticationKeypair = bobStaticKeypair, + ephemeralKeyPair = bobKeypair, + ephemeralPublicKey = alicePublicKey, + salt = salt, + info = info ) - val originalText = SecureRandom.getSeed(32); - val ad = "RatchetsTest".encodeToByteArray().sha256() - var ratchetPayload = ratchets.ratchetEncrypt( - state = aliceState, - plaintext = originalText, - ad = ad - ) - - var plaintext = ratchets.ratchetDecrypt( - state = bobState, - encHeader = ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - - assertArrayEquals(originalText, plaintext) + val ratchets = RatchetsHE(context) - ratchetPayload = ratchets.ratchetEncrypt( - state = bobState, - plaintext = originalText, - ad = ad - ) + aliceKey.use { alice -> + assertArrayEquals(alice.rk, bob.first) + assertArrayEquals(alice.hk, bob.second) + assertArrayEquals(alice.nhk, bob.third) + + val aliceState = States() + aliceState.use { aliceState -> + ratchets.ratchetInitAlice( + state = aliceState, + sk = alice.rk, + bobDhPublicKey = bobPublicKey.copyOf(), + sharedHka = alice.hk, + sharedNHka = alice.nhk + ) + + ratchetPayload = ratchets.ratchetEncrypt( + state = aliceState, + plaintext = originalText, + ad = ad + ) + } + } - plaintext = ratchets.ratchetDecrypt( - state = aliceState, - encHeader = 
ratchetPayload.header, - cipherText = ratchetPayload.cipherText, - ad = ad - ) - assertArrayEquals(originalText, plaintext) + val bobState = States() + bobState.use { bobState -> + ratchets.ratchetInitBob( + state = bobState, + sk = bob.first, + bobKeypair = bobKeypair, + sharedHka = bob.second, + sharedNHka = bob.third + ) + val plaintext = ratchets.ratchetDecrypt( + state = bobState, + encHeader = ratchetPayload!!.header, + cipherText = ratchetPayload.cipherText, + ad = ad + ) + assertArrayEquals(originalText, plaintext) + } } - } - - } @Test fun completeRatchetOutOfOrderTest() { + val aliceKeypair = protocol.generateDH() + val bobStaticKeypair = protocol.generateDH() + val bobKeypair = protocol.generateDH() + val info = context.generateRandomBytes(16) + + aliceKeypair.publicKey + + bobKeypair.publicKey + + bobStaticKeypair.publicKey Cryptography.generateKeysNK( context = context, ephemeralKeyPair = aliceKeypair, diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt index 37e30c7..b31b80b 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/Cryptography.kt @@ -13,6 +13,7 @@ import javax.crypto.KeyGenerator import javax.crypto.SecretKey import javax.crypto.spec.GCMParameterSpec import java.security.SecureRandom +import javax.crypto.spec.IvParameterSpec import javax.crypto.spec.SecretKeySpec object Cryptography { 
@@ -362,7 +363,49 @@ object Cryptography { cipher.init(Cipher.DECRYPT_MODE, key, spec) associatedData?.let { cipher.updateAAD(it) } - return cipher.doFinal(ciphertext) + return try { + cipher.doFinal(ciphertext) + } catch (e: Exception) { + e.printStackTrace() + throw e + } + } + } + + object AesCbc { + private const val ALGORITHM = "AES/CBC/PKCS5Padding" + private const val IV_SIZE = 16 // AES block size is always 16 bytes + + fun encrypt(key: ByteArray, plaintext: ByteArray, iv: ByteArray? = null): ByteArray { + val cipher = Cipher.getInstance(ALGORITHM) + + val finalIv = iv ?: ByteArray(IV_SIZE).apply { SecureRandom().nextBytes(this) } + val keySpec = SecretKeySpec(key, "AES") + val ivSpec = IvParameterSpec(finalIv) + + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec) + val ciphertext = cipher.doFinal(plaintext) + + return if(iv == null) { + finalIv + ciphertext + } else { + ciphertext + } + } + + fun decrypt( + key: ByteArray, + ciphertext: ByteArray, + iv: ByteArray + ): ByteArray { + val cipher = Cipher.getInstance(ALGORITHM) + val keySpec = SecretKeySpec(key, "AES") + + val ivSpec = IvParameterSpec(iv) + cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec) + + val plaintext = cipher.doFinal(ciphertext) + return plaintext } } } \ No newline at end of file diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 7093df7..8706f3f 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt 
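Review bot: The new `AesCbc` object offers AES/CBC/PKCS5Padding with no integrity check, so any caller that decrypts untrusted input with it depends on an external MAC that nothing in this hunk provides. The commit subject says the code moved to GCM, so if `AesCbc` is kept only for existing data, say so in KDoc, e.g. `/** Unauthenticated; verify a MAC over iv + ciphertext before calling decrypt. */`, or leave it out. `encrypt` also prepends the IV only when it generates one, while `decrypt` always expects the IV separately, so the two are not inverses of each other. In `AesGcm.decrypt`, `e.printStackTrace()` before the rethrow adds nothing the caller does not already get from the exception; drop the `try`/`catch`.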
@@ -80,12 +80,10 @@ open class Protocols(private val context: Context) { val agreement = X25519Agreement() agreement.init(X25519PrivateKeyParameters(privateKey, 0)) agreement.calculateAgreement( - X25519PublicKeyParameters(publicKey), + X25519PublicKeyParameters(publicKey, 0), sharedSecret, 0 ) - privateKey.fill(0) - publicKey.fill(0) return sharedSecret } @@ -118,25 +116,33 @@ open class Protocols(private val context: Context) { plainText: ByteArray, ad: ByteArray, ): ByteArray { - val len = 80 - return hkdf( + val len = 76 + val hkdfOutput = hkdf( ikm = mk, salt = ByteArray(len), info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), len = len, - ).run { - val key = this.sliceArray(0 until 32) - val authKey = this.sliceArray(32 until 64) - val iv = this.sliceArray(64 until 80) - - val cipherText = Cryptography.AesGcm.encrypt( - key = SecretKeySpec(key, "AES"), - iv = iv, - plaintext = plainText, - ) - val mac = hmac(authKey) - mac.update(ad + cipherText) - cipherText + mac.doFinal() + ) + try { + val key = hkdfOutput.sliceArray(0 until 32) + val authKey = hkdfOutput.sliceArray(32 until 64) + val iv = hkdfOutput.sliceArray(64 until 76) + + try { + val cipherText = Cryptography.AesGcm.encrypt( + key = SecretKeySpec(key, "AES"), + iv = iv, + plaintext = plainText, + ) + val mac = hmac(authKey) + mac.update(ad + cipherText) + return cipherText + mac.doFinal() + } finally { + key.fill(0) + iv.fill(0) + } + } finally { + hkdfOutput.fill(0) } } 
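Review bot: In `encrypt`, `authKey` is sliced out of `hkdfOutput` into its own array, but the inner `finally` wipes only `key` and `iv`, so the HMAC key copy is left in memory after the function returns; add `authKey.fill(0)` next to `key.fill(0)`. The same gap is in `hEncrypt` and `decrypt` in the following hunks, while `hDecrypt` does wipe it. `SecretKeySpec(key, "AES")` keeps its own copy of the key bytes, so zeroing `key` does not clear that copy; a short comment saying so would keep the wipe from being read as complete. Separately, shrinking the IV slice from `64 until 80` to `64 until 76` changes the GCM output for the same `mk`, so ciphertexts written before this change presumably no longer decrypt and may need a version marker.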
@@ -144,38 +150,48 @@ open class Protocols(private val context: Context) { mk: ByteArray, plainText: ByteArray, ): ByteArray { - val len = 80 - return hkdf( + val len = 76 + val hkdfOutputs = hkdf( ikm = mk, salt = ByteArray(len), info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), len = len, - ).run { - val key = this.sliceArray(0 until 32) - val authKey = this.sliceArray(32 until 64) - val iv = this.sliceArray(64 until 80) - - val cipherText = Cryptography.AesGcm.encrypt( - key = SecretKeySpec(key, "AES"), - iv = iv, - plaintext = plainText, - ) + ) - val mac = hmac(authKey) - mac.update(cipherText) - cipherText + mac.doFinal() + try { + val key = hkdfOutputs.sliceArray(0 until 32) + val authKey = hkdfOutputs.sliceArray(32 until 64) + val iv = hkdfOutputs.sliceArray(64 until 76) + + try { + val cipherText = Cryptography.AesGcm.encrypt( + key = SecretKeySpec(key, "AES"), + iv = iv, + plaintext = plainText, + ) + val mac = hmac(authKey) + mac.update(cipherText) + return cipherText + mac.doFinal() + } finally { + key.fill(0) + iv.fill(0) + } + } finally { + hkdfOutputs.fill(0) } } fun decrypt(mk: ByteArray, cipherText: ByteArray, ad: ByteArray): ByteArray { - val len = 80 - return hkdf( + val len = 76 + val hkdfOutput = hkdf( ikm = mk, salt = ByteArray(len), info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), len = len, - ).run { - val authKey = this.sliceArray(32 until 64) + ) + + try { + val authKey = hkdfOutput.sliceArray(32 until 64) val plaintextCiphertext = cipherText.dropLast(MAC_LEN).toByteArray() val mac = hmac(authKey) 
@@ -186,27 +202,36 @@ open class Protocols(private val context: Context) { throw Exception("Message failed authentication") } - val key = this.sliceArray(0 until 32) - val iv = this.sliceArray(64 until 80) - Cryptography.AesGcm.decrypt( - key = SecretKeySpec(key, "AES"), - ciphertext = plaintextCiphertext, - iv = iv, - ) + val key = hkdfOutput.sliceArray(0 until 32) + val iv = hkdfOutput.sliceArray(64 until 76) + try { + return Cryptography.AesGcm.decrypt( + key = SecretKeySpec(key, "AES"), + ciphertext = plaintextCiphertext, + iv = iv, + ) + } finally { + key.fill(0) + iv.fill(0) + } + } finally { + hkdfOutput.fill(0) } } fun hDecrypt(mk: ByteArray?, cipherText: ByteArray): ByteArray? { - val len = 80 + val len = 76 if(mk == null) return null - return hkdf( + val hkdfOutputs = hkdf( ikm = mk, salt = ByteArray(len), info = context.getString(R.string.dr_encrypt_info).encodeToByteArray(), len = len, - ).run { - val authKey = this.sliceArray(32 until 64) + ) + + try { + val authKey = hkdfOutputs.sliceArray(32 until 64) val mac = hmac(authKey) val plainCiphertext = cipherText.dropLast(MAC_LEN).toByteArray() @@ -217,13 +242,24 @@ open class Protocols(private val context: Context) { throw Exception("Message failed authentication") } - val key = this.sliceArray(0 until 32) - val iv = this.sliceArray(64 until 80) - Cryptography.AesGcm.decrypt( - key = SecretKeySpec(key, "AES"), - ciphertext = plainCiphertext, - iv = iv, - ) + val key = hkdfOutputs.sliceArray(0 until 32) + val iv = hkdfOutputs.sliceArray(64 until 76) + return try { + Cryptography.AesGcm.decrypt( + key = SecretKeySpec(key, "AES"), + ciphertext = plainCiphertext, + iv = iv, + ) + } catch (e: Exception){ + e.fillInStackTrace() + throw e + } finally { + key.fill(0) + iv.fill(0) + authKey.fill(0) + } + } finally { + hkdfOutputs.fill(0) } } 
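Review bot: In `hDecrypt`, `catch (e: Exception){ e.fillInStackTrace(); throw e }` overwrites the exception's recorded stack trace with the catch site's, so the frame that actually failed inside `AesGcm.decrypt` is lost; the catch does nothing else and can be removed, leaving `return try { … } finally { … }`. The `authKey.fill(0)` added here sits in the inner `finally`, which is not reached when the MAC check throws `Exception("Message failed authentication")` earlier in the outer `try`, so the HMAC key is left unwiped on exactly the failure path; starting the inner `try` right after `val authKey = …` would cover it. `hDecrypt` spans this hunk and the previous one on the same line, and its MAC comparison lies between them and is not shown.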
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index e32e43c..5a54515 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -34,15 +34,13 @@ class RatchetsHE(context: Context) : Protocols(context){ state.DHRs = generateDH() state.DHRr = bobDhPublicKey - state.DHRs.use { rs -> - val keys = kdfRk( - rk = sk, dh( rs?.privateKey!!, state.DHRr!!) - ) - keys.use { k-> - state.RK = k.rk - state.CKs = k.hk - state.NHKs = k.nhk - } + val keys = kdfRk( + rk = sk, dh( state.DHRs?.privateKey!!, state.DHRr!!) + ) + keys.use { k-> + state.RK = k.rk + state.CKs = k.hk + state.NHKs = k.nhk } state.CKr = null @@ -194,8 +192,12 @@ class RatchetsHE(context: Context) : Protocols(context){ return Pair(header, false) } - header = hDecrypt(state.NHKr!!, encHeader)?.run { - Headers.deserialize(this) + val decryptedHeader = hDecrypt(state.NHKr!!, encHeader) + try { + if(decryptedHeader == null) throw Exception("Header is null") + header = Headers.deserialize(decryptedHeader) + } finally { + decryptedHeader?.fill(0) } return Pair(header, true) 
@@ -209,34 +211,30 @@ class RatchetsHE(context: Context) : Protocols(context){ state.HKr = state.NHKr state.DHRr = header.dh.publicKey - state.DHRs.use { rs -> - val keys = kdfRk(state.RK!!, - dh( - rs?.privateKey!!, - state.DHRr!!, - ) + var keys = kdfRk(state.RK!!, + dh( + state.DHRs?.privateKey!!, + state.DHRr!!, ) - keys.use { k -> - state.RK = k.rk - state.CKr = k.hk - state.NHKr = k.nhk - } + ) + keys.use { k -> + state.RK = k.rk + state.CKr = k.hk + state.NHKr = k.nhk } state.DHRs = generateDH() - state.DHRs.use { rs -> - val keys = kdfRk(state.RK!!, - dh( - rs?.privateKey!!, - state.DHRr!!, - ) + keys = kdfRk(state.RK!!, + dh( + state.DHRs?.privateKey!!, + state.DHRr!!, ) - keys.use { k-> - state.RK = k.rk - state.CKs = k.hk - state.NHKs = k.nhk - } + ) + keys.use { k-> + state.RK = k.rk + state.CKs = k.hk + state.NHKs = k.nhk } } } \ No newline at end of file From c4a12f8fcd966f2c52427e512e417b76028362e3 Mon Sep 17 00:00:00 2001 From: sherlockwisdom Date: Thu, 23 Apr 2026 17:20:44 +0100 Subject: [PATCH 19/19] update: serializing states --- .../libsignal_doubleratchet/libsignal/Protocols.kt | 2 ++ .../libsignal_doubleratchet/libsignal/RatchetsHE.kt | 7 ++++--- .../libsignal_doubleratchet/libsignal/States.kt | 11 +++++++++-- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt index 8706f3f..c49d5ec 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/Protocols.kt 
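Review bot: `state.DHRs = generateDH()` now replaces the previous sending key pair without closing it, whereas the removed `state.DHRs.use { … }` wrapper closed that pair first, which presumably zeroed its private key (the `close()` body is outside this hunk). Keep a reference and release it once the first `kdfRk` call has run: `val previous = state.DHRs` before the reassignment and `previous?.close()` after it. `state.DHRs?.privateKey!!` also fails with a bare `NullPointerException` when the state holds no key pair; `requireNotNull(state.DHRs?.privateKey) { "DHRs not initialised" }` (message wording is illustrative) would say what is missing. The function starts outside the hunk.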
@@ -8,6 +8,7 @@ import com.afkanerd.smswithoutborders.libsignal_doubleratchet.CryptoUtils.hmac import com.afkanerd.smswithoutborders.libsignal_doubleratchet.Cryptography import com.afkanerd.smswithoutborders.libsignal_doubleratchet.R import com.google.common.primitives.Bytes +import kotlinx.serialization.Serializable import org.bouncycastle.crypto.AsymmetricCipherKeyPair import org.bouncycastle.crypto.CipherParameters import org.bouncycastle.crypto.agreement.X25519Agreement @@ -43,6 +44,7 @@ open class Protocols(private val context: Context) { Security.addProvider(BouncyCastleProvider()) } + @Serializable data class CloseableCurve15519KeyPair( var publicKey: ByteArray, var privateKey: ByteArray? diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt index 5a54515..ce3380f 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/RatchetsHE.kt @@ -138,7 +138,7 @@ class RatchetsHE(context: Context) : Protocols(context){ try { state.CKr = ck val mk = mk - state.MKSKIPPED[Pair(state.HKr, state.Nr.toInt())] = mk + state.MKSKIPPED[MKSkippedPair(state.HKr, state.Nr.toInt())] = mk state.Nr++ } finally { ck.fill(0) @@ -155,7 +155,8 @@ class RatchetsHE(context: Context) : Protocols(context){ ad: ByteArray ) : ByteArray? { state.MKSKIPPED.forEach { - val (hk, n) = it.key + val hk = it.key.key + val n = it.key.count val mk = it.value try { @@ -167,7 +168,7 @@ class RatchetsHE(context: Context) : Protocols(context){ return decrypt(mk, ciphertext, concat(ad, encHeader)) } } finally { - hk.fill(0) + hk?.fill(0) mk.fill(0) } } 
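Review bot: The `finally` inside the `state.MKSKIPPED.forEach` loop runs for every entry the loop visits, so `hk?.fill(0)` and `mk.fill(0)` zero the stored header key and message key of entries that did not match as well as the one that did; `hk` and `mk` are the arrays held in the map, not copies. From the visible lines a later out-of-order message would then find only zeroed keys, though the code between the two hunks is not shown. The wipe should apply only to the entry that was used, together with removing it from the map. `hk` is also the same array that was stored from `state.HKr` in the `MKSkippedPair(state.HKr, state.Nr.toInt())` line above, so zeroing it may clear the live header key unless a copy is stored: `MKSkippedPair(state.HKr?.copyOf(), state.Nr.toInt())`.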
diff --git a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt index 7422b02..5f0c780 100644 --- a/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt +++ b/double_ratchet/src/main/java/com/afkanerd/smswithoutborders/libsignal_doubleratchet/libsignal/States.kt @@ -18,6 +18,13 @@ import java.security.PrivateKey import java.security.PublicKey +@Serializable +data class MKSkippedPair( + val key: ByteArray?, + val count: Int +) + +@Serializable data class States( var RK: ByteArray? = null, var CKs: ByteArray? = null, @@ -31,7 +38,7 @@ data class States( var HKr: ByteArray? = null, var NHKs: ByteArray? = null, var NHKr: ByteArray? = null, - var MKSKIPPED: MutableMap, ByteArray> = mutableMapOf() + var MKSKIPPED: MutableMap = mutableMapOf() ) : AutoCloseable { @OptIn(ExperimentalSerializationApi::class) fun serialize(): ByteArray { @@ -56,7 +63,7 @@ data class States( val iterator = MKSKIPPED.entries.iterator() while (iterator.hasNext()) { val entry = iterator.next() - entry.key.first.fill(0) + entry.key.key?.fill(0) entry.value.fill(0) iterator.remove() }
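Review bot: With `@Serializable` on `States`, `serialize()` writes the root key, chain keys, header keys and every skipped message key as plain bytes, and via `CloseableCurve15519KeyPair` in Protocols.kt presumably the DH private key too; nothing in these hunks shows that output being encrypted or wiped. A KDoc on `serialize()` should say so, e.g. `/** Returns raw key material; encrypt before persisting and zero the array after use. */`. `MKSkippedPair` is a data class with a `ByteArray` property, so its generated `equals`/`hashCode` compare the array by reference: two pairs with the same key bytes and count are distinct map keys, and a pair rebuilt by deserialization never equals the original. If `MKSKIPPED` is ever looked up or removed by key rather than by iteration, override both using `contentEquals` and `contentHashCode`.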