cipherstash
diff --git a/‎diagrams/overview-insert.drawio.svg
-457 b/‎diagrams/overview-insert.drawio.svg
-457
diff --git a/‎diagrams/overview-select.drawio.svg
-552 b/‎diagrams/overview-select.drawio.svg
-552
diff --git a/‎src/blake3/functions.sql
+40 b/‎src/blake3/functions.sql
+40
diff --git a/‎src/blake3/types.sql
+4 b/‎src/blake3/types.sql
+4
diff --git a/‎src/common.sql
+48 b/‎src/common.sql
+48
diff --git a/‎src/encrypted/functions.sql
+12 b/‎src/encrypted/functions.sql
+12
@@ -0,0 +1,40 @@
+-- REQUIRE: src/schema.sql
+-- REQUIRE: src/mac/types.sql
+
+
+-- extracts ste_vec index from a jsonb value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val jsonb);
+
+-- extracts blake3 index from a jsonb value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val jsonb);
+
+CREATE FUNCTION eql_v1.blake3(val jsonb)
+  RETURNS eql_v1.blake3
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+	BEGIN
+
+    IF NOT (val ? 'b') NULL THEN
+        RAISE 'Expected a blake3 index (b) value in json: %', val;
+    END IF;
+
+    IF val->>'b' IS NULL THEN
+      RETURN NULL;
+    END IF;
+
+    RETURN val->>'b';
+  END;
+$$ LANGUAGE plpgsql;
+
+
+-- extracts blake3 index from an eql_v1_encrypted value
+DROP FUNCTION IF EXISTS  eql_v1.blake3(val eql_v1_encrypted);
+
+CREATE FUNCTION eql_v1.blake3(val eql_v1_encrypted)
+  RETURNS eql_v1.blake3
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+  BEGIN
+    RETURN (SELECT eql_v1.blake3(val.data));
+  END;
+$$ LANGUAGE plpgsql;
@@ -0,0 +1,4 @@
+-- REQUIRE: src/schema.sql
+
+DROP DOMAIN IF EXISTS eql_v1.blake3;
+CREATE DOMAIN eql_v1.blake3 AS text;
@@ -2,6 +2,54 @@
 -- REQUIRE: src/schema.sql
 
 
+-- Constant time comparison of 2 bytea values
+DROP FUNCTION IF EXISTS eql_v1.bytea_eq(a bytea, b bytea);
+
+CREATE FUNCTION eql_v1.bytea_eq(a bytea, b bytea) RETURNS boolean AS $$
+DECLARE
+    result boolean;
+    differing bytea;
+BEGIN
+
+    -- Check if the bytea values are the same length
+    IF LENGTH(a) != LENGTH(b) THEN
+        RETURN false;
+    END IF;
+
+    -- Compare each byte in the bytea values
+    result := true;
+    FOR i IN 1..LENGTH(a) LOOP
+        IF SUBSTRING(a FROM i FOR 1) != SUBSTRING(b FROM i FOR 1) THEN
+            result := result AND false;
+        END IF;
+    END LOOP;
+
+    RETURN result;
+END;
+$$ LANGUAGE plpgsql;
+
+
+DROP FUNCTION IF EXISTS eql_v1.jsonb_array_to_bytea_array(val jsonb);
+
+-- Casts a jsonb array of hex-encoded strings to an array of bytea.
+CREATE FUNCTION eql_v1.jsonb_array_to_bytea_array(val jsonb)
+RETURNS bytea[] AS $$
+DECLARE
+  terms_arr bytea[];
+BEGIN
+  IF jsonb_typeof(val) = 'null' THEN
+    RETURN NULL;
+  END IF;
+
+  SELECT array_agg(decode(value::text, 'hex')::bytea)
+    INTO terms_arr
+  FROM jsonb_array_elements_text(val) AS value;
+
+  RETURN terms_arr;
+END;
+$$ LANGUAGE plpgsql;
+
+
 
 --
 -- Convenience function to log a message
 
@@ -19,6 +19,18 @@ AS $$
 $$ LANGUAGE plpgsql;
 
 
+DROP FUNCTION IF EXISTS eql_v1.ciphertext(val eql_v1_encrypted);
+
+CREATE FUNCTION eql_v1.ciphertext(val eql_v1_encrypted)
+  RETURNS text
+  IMMUTABLE STRICT PARALLEL SAFE
+AS $$
+	BEGIN
+    RETURN eql_v1.ciphertext(val.data);
+  END;
+$$ LANGUAGE plpgsql;
+
+
 DROP FUNCTION IF EXISTS eql_v1.to_jsonb(val eql_v1_encrypted);
 
 CREATE FUNCTION eql_v1.to_jsonb(val eql_v1_encrypted)