Botan::EC_Group Class Reference

#include <ec_group.h>

Public Member Functions
bool	a_is_minus_3 () const
bool	a_is_zero () const
EC_Point	blinded_base_point_multiply (const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
BigInt	blinded_base_point_multiply_x (const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
EC_Point	blinded_var_point_multiply (const EC_Point &point, const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
BigInt	cube_mod_order (const BigInt &x) const
std::vector< uint8_t >	DER_encode (EC_Group_Encoding form) const
	EC_Group ()
	EC_Group (const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &base_x, const BigInt &base_y, const BigInt &order, const BigInt &cofactor, const OID &oid=OID())
	EC_Group (const EC_Group &)
	EC_Group (const OID &oid)
	EC_Group (const OID &oid, const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &base_x, const BigInt &base_y, const BigInt &order)
	EC_Group (const uint8_t ber[], size_t ber_len)
	EC_Group (EC_Group &&)=default
	EC_Group (std::span< const uint8_t > ber)
	EC_Group (std::string_view pem_or_oid)
const BigInt &	get_a () const
const BigInt &	get_b () const
const EC_Point &	get_base_point () const
const BigInt &	get_cofactor () const
const OID &	get_curve_oid () const
const BigInt &	get_g_x () const
const BigInt &	get_g_y () const
const BigInt &	get_order () const
size_t	get_order_bits () const
size_t	get_order_bytes () const
const BigInt &	get_p () const
size_t	get_p_bits () const
size_t	get_p_bytes () const
EC_Point	hash_to_curve (std::string_view hash_fn, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len, bool random_oracle=true) const
EC_Point	hash_to_curve (std::string_view hash_fn, const uint8_t input[], size_t input_len, std::string_view domain_sep, bool random_oracle=true) const
bool	initialized () const
BigInt	inverse_mod_order (const BigInt &x) const
BigInt	mod_order (const BigInt &x) const
BigInt	multiply_mod_order (const BigInt &x, const BigInt &y) const
BigInt	multiply_mod_order (const BigInt &x, const BigInt &y, const BigInt &z) const
EC_Group &	operator= (const EC_Group &)
EC_Group &	operator= (EC_Group &&)=default
bool	operator== (const EC_Group &other) const
EC_Point	OS2ECP (const uint8_t bits[], size_t len) const
EC_Point	OS2ECP (std::span< const uint8_t > encoded_point) const
std::string	PEM_encode () const
EC_Point	point (const BigInt &x, const BigInt &y) const
EC_Point	point_multiply (const BigInt &x, const EC_Point &pt, const BigInt &y) const
size_t	point_size (EC_Point_Format format) const
BigInt	random_scalar (RandomNumberGenerator &rng) const
EC_Group_Source	source () const
BigInt	square_mod_order (const BigInt &x) const
bool	used_explicit_encoding () const
bool	verify_group (RandomNumberGenerator &rng, bool strong=false) const
bool	verify_public_element (const EC_Point &y) const
EC_Point	zero_point () const
	~EC_Group ()

Static Public Member Functions
static size_t	clear_registered_curve_data ()
static EC_Group	EC_Group_from_PEM (std::string_view pem)
static OID	EC_group_identity_from_order (const BigInt &order)
static std::shared_ptr< EC_Group_Data >	EC_group_info (const OID &oid)
static EC_Group	from_name (std::string_view name)
static EC_Group	from_OID (const OID &oid)
static EC_Group	from_PEM (std::string_view pem)
static const std::set< std::string > &	known_named_groups ()

Detailed Description

Class representing an elliptic curve

The internal representation is stored in a shared_ptr, so copying an EC_Group is inexpensive.

Definition at line 48 of file ec_group.h.

Constructor & Destructor Documentation

EC_Group() [1/9]

Botan::EC_Group::EC_Group	(	const BigInt &	p,
		const BigInt &	a,
		const BigInt &	b,
		const BigInt &	base_x,
		const BigInt &	base_y,
		const BigInt &	order,
		const BigInt &	cofactor,
		const OID &	oid = OID() )

Construct elliptic curve from the specified parameters

Parameters

p	the elliptic curve p
a	the elliptic curve a param
b	the elliptic curve b param
base_x	the x coordinate of the base point
base_y	the y coordinate of the base point
order	the order of the base point
cofactor	the cofactor
oid	an optional OID used to identify this curve

Warning

This constructor is deprecated and will be removed in Botan 4

support for cofactors > 1 is deprecated and will be removed

support for prime fields > 521 bits is deprecated and will be removed.

Support for explicitly encoded curve parameters is deprecated. An OID must be assigned.

Definition at line 468 of file ec_group.cpp.

                                   {
   m_data =
      ec_group_data().lookup_or_create(p, a, b, base_x, base_y, order, cofactor, oid, EC_Group_Source::ExternalSource);
}

References Botan::ExternalSource.

EC_Group() [2/9]

Botan::EC_Group::EC_Group	(	const OID &	oid,
		const BigInt &	p,
		const BigInt &	a,
		const BigInt &	b,
		const BigInt &	base_x,
		const BigInt &	base_y,
		const BigInt &	order )

Construct elliptic curve from the specified parameters

Unlike the deprecated constructor, this constructor imposes additional restrictions on the parameters, namely:

• The prime must be at least 128 bits and at most 512 bits, and a multiple of 32 bits.
• As an extension of the above restriction, the prime can also be exactly the 521-bit Mersenne prime (2**521-1)
• The prime must be congruent to 3 modulo 4
• The group order must have the same bit length as the prime (It is allowed for the order to be larger than p, but they must have the same bit length)
• An object identifier must be provided
• There must be no cofactor

Warning

use only elliptic curve parameters that you trust

Parameters

oid	an object identifier used to identify this curve
p	the elliptic curve prime (at most 521 bits)
a	the elliptic curve a param
b	the elliptic curve b param
base_x	the x coordinate of the group generator
base_y	the y coordinate of the group generator
order	the order of the group

Definition at line 480 of file ec_group.cpp.

                                        {
   BOTAN_ARG_CHECK(oid.has_value(), "An OID is required for creating an EC_Group");
   BOTAN_ARG_CHECK(p.bits() >= 128, "EC_Group p too small");
   BOTAN_ARG_CHECK(p.bits() <= 521, "EC_Group p too large");
 
   if(p.bits() == 521) {
      BOTAN_ARG_CHECK(p == BigInt::power_of_2(521) - 1, "EC_Group with p of 521 bits must be 2**521-1");
   } else {
      BOTAN_ARG_CHECK(p.bits() % 32 == 0, "EC_Group p must be a multiple of 32 bits");
   }
 
   BOTAN_ARG_CHECK(p % 4 == 3, "EC_Group p must be congruent to 3 modulo 4");
 
   BOTAN_ARG_CHECK(a >= 0 && a < p, "EC_Group a is invalid");
   BOTAN_ARG_CHECK(b > 0 && b < p, "EC_Group b is invalid");
   BOTAN_ARG_CHECK(base_x >= 0 && base_x < p, "EC_Group base_x is invalid");
   BOTAN_ARG_CHECK(base_y >= 0 && base_y < p, "EC_Group base_y is invalid");
   BOTAN_ARG_CHECK(p.bits() == order.bits(), "EC_Group p and order must have the same number of bits");
 
   BOTAN_ARG_CHECK(is_bailie_psw_probable_prime(p), "EC_Group p is not prime");
   BOTAN_ARG_CHECK(is_bailie_psw_probable_prime(order), "EC_Group order is not prime");
 
   // This catches someone "ignoring" a cofactor and just trying to
   // provide the subgroup order
   BOTAN_ARG_CHECK((p - order).abs().bits() <= (p.bits() / 2) + 1, "Hasse bound invalid");
 
   BigInt cofactor(1);
 
   m_data =
      ec_group_data().lookup_or_create(p, a, b, base_x, base_y, order, cofactor, oid, EC_Group_Source::ExternalSource);
}

References Botan::abs(), Botan::BigInt::bits(), BOTAN_ARG_CHECK, Botan::ExternalSource, Botan::OID::has_value(), Botan::is_bailie_psw_probable_prime(), and Botan::BigInt::power_of_2().

EC_Group() [3/9]

Botan::EC_Group::EC_Group ( std::span< const uint8_t > ber )

explicit

Decode a BER encoded ECC domain parameter set

Parameters

ber	the bytes of the BER encoding

Definition at line 518 of file ec_group.cpp.

                                             {
   auto data = BER_decode_EC_group(ber, EC_Group_Source::ExternalSource);
   m_data = data.first;
   m_explicit_encoding = data.second;
}

References Botan::ExternalSource.

EC_Group() [4/9]

Botan::EC_Group::EC_Group ( const uint8_t ber[], size_t ber_len )

inline

Definition at line 124 of file ec_group.h.

: EC_Group(std::span{ber, ber_len}) {}

EC_Group() [5/9]

Botan::EC_Group::EC_Group ( const OID & oid )

inlineexplicit

Create an EC domain by OID (or throw if unknown)

Parameters

oid	the OID of the EC domain to create

Definition at line 130 of file ec_group.h.

{ *this = EC_Group::from_OID(oid); }

EC_Group() [6/9]

Botan::EC_Group::EC_Group ( std::string_view pem_or_oid )

explicit

Create an EC domain from PEM encoding (as from PEM_encode), or from an OID name (eg "secp256r1", or "1.2.840.10045.3.1.7")

Parameters

pem_or_oid

PEM-encoded data, or an OID

Warning

Support for PEM in this function is deprecated. Use EC_Group::from_PEM or EC_Group::from_OID or EC_Group::from_name

Definition at line 434 of file ec_group.cpp.

                                     {
   if(str.empty()) {
      return;  // no initialization / uninitialized
   }
 
   try {
      const OID oid = OID::from_string(str);
      if(oid.has_value()) {
         m_data = ec_group_data().lookup(oid);
      }
   } catch(...) {}
 
   if(m_data == nullptr) {
      if(str.size() > 30 && str.substr(0, 29) == "-----BEGIN EC PARAMETERS-----") {
         // OK try it as PEM ...
         const auto ber = PEM_Code::decode_check_label(str, "EC PARAMETERS");
 
         auto data = BER_decode_EC_group(ber, EC_Group_Source::ExternalSource);
         this->m_data = data.first;
         this->m_explicit_encoding = data.second;
      }
   }
 
   if(m_data == nullptr) {
      throw Invalid_Argument(fmt("Unknown ECC group '{}'", str));
   }
}

References Botan::PEM_Code::decode_check_label(), Botan::ExternalSource, Botan::fmt(), Botan::OID::from_string(), and Botan::OID::has_value().

EC_Group() [7/9]

Botan::EC_Group::EC_Group ( )

default

Create an uninitialized EC_Group

Referenced by from_name(), from_OID(), and from_PEM().

~EC_Group()

Botan::EC_Group::~EC_Group ( )

default

EC_Group() [8/9]

Botan::EC_Group::EC_Group ( const EC_Group & )

default

EC_Group() [9/9]

Botan::EC_Group::EC_Group ( EC_Group && )

default

Member Function Documentation

a_is_minus_3()

bool Botan::EC_Group::a_is_minus_3

(

)

const

Return if a == -3 mod p

Definition at line 531 of file ec_group.cpp.

                                  {
   return data().a_is_minus_3();
}

a_is_zero()

bool Botan::EC_Group::a_is_zero

(

)

const

Return if a == 0 mod p

Definition at line 535 of file ec_group.cpp.

                               {
   return data().a_is_zero();
}

blinded_base_point_multiply()

EC_Point Botan::EC_Group::blinded_base_point_multiply	(	const BigInt &	k,
		RandomNumberGenerator &	rng,
		std::vector< BigInt > &	ws ) const

Blinded point multiplication, attempts resistance to side channels

Parameters

k	the scalar
rng	a random number generator
ws	a temp workspace

Returns

base_point*k

Definition at line 642 of file ec_group.cpp.

                                                                            {
   return data().blinded_base_point_multiply(k, rng, ws);
}

Referenced by Botan::EC_PrivateKey::EC_PrivateKey().

blinded_base_point_multiply_x()

BigInt Botan::EC_Group::blinded_base_point_multiply_x	(	const BigInt &	k,
		RandomNumberGenerator &	rng,
		std::vector< BigInt > &	ws ) const

Blinded point multiplication, attempts resistance to side channels Returns just the x coordinate of the point

Parameters

k	the scalar
rng	a random number generator
ws	a temp workspace

Returns

x coordinate of base_point*k

Definition at line 648 of file ec_group.cpp.

                                                                            {
   const EC_Point pt = data().blinded_base_point_multiply(k, rng, ws);
 
   if(pt.is_zero()) {
      return BigInt::zero();
   }
   return pt.get_affine_x();
}

References Botan::EC_Point::get_affine_x(), Botan::EC_Point::is_zero(), and Botan::BigInt::zero().

blinded_var_point_multiply()

EC_Point Botan::EC_Group::blinded_var_point_multiply	(	const EC_Point &	point,
		const BigInt &	k,
		RandomNumberGenerator &	rng,
		std::vector< BigInt > &	ws ) const

Blinded point multiplication, attempts resistance to side channels

Parameters

point	input point
k	the scalar
rng	a random number generator
ws	a temp workspace

Returns

point*k

Definition at line 663 of file ec_group.cpp.

                                                                           {
   EC_Point_Var_Point_Precompute mul(point, rng, ws);
   // We pass order*cofactor here to "correctly" handle the case where the
   // point is on the curve but not in the prime order subgroup. This only
   // matters for groups with cofactor > 1
   // See https://github.com/randombit/botan/issues/3800
   return mul.mul(k, rng, get_order() * get_cofactor(), ws);
}

References get_cofactor(), get_order(), Botan::EC_Point_Var_Point_Precompute::mul(), and point().

clear_registered_curve_data()

size_t Botan::EC_Group::clear_registered_curve_data ( )

static

Definition at line 301 of file ec_group.cpp.

                                             {
   return ec_group_data().clear();
}

cube_mod_order()

BigInt Botan::EC_Group::cube_mod_order

(

const BigInt &

x

)

const

Definition at line 595 of file ec_group.cpp.

                                                     {
   return multiply_mod_order(x, square_mod_order(x));
}

References multiply_mod_order(), and square_mod_order().

DER_encode()

std::vector< uint8_t > Botan::EC_Group::DER_encode

(

EC_Group_Encoding

form

)

const

Create the DER encoding of this domain

Parameters

form	of encoding to use

Returns

bytes encododed as DER

Definition at line 709 of file ec_group.cpp.

                                                                    {
   std::vector<uint8_t> output;
 
   DER_Encoder der(output);
 
   if(form == EC_Group_Encoding::Explicit) {
      const size_t ecpVers1 = 1;
      const OID curve_type("1.2.840.10045.1.1");  // prime field
 
      const size_t p_bytes = get_p_bytes();
 
      der.start_sequence()
         .encode(ecpVers1)
         .start_sequence()
         .encode(curve_type)
         .encode(get_p())
         .end_cons()
         .start_sequence()
         .encode(get_a().serialize(p_bytes), ASN1_Type::OctetString)
         .encode(get_b().serialize(p_bytes), ASN1_Type::OctetString)
         .end_cons()
         .encode(get_base_point().encode(EC_Point_Format::Uncompressed), ASN1_Type::OctetString)
         .encode(get_order())
         .encode(get_cofactor())
         .end_cons();
   } else if(form == EC_Group_Encoding::NamedCurve) {
      const OID oid = get_curve_oid();
      if(oid.empty()) {
         throw Encoding_Error("Cannot encode EC_Group as OID because OID not set");
      }
      der.encode(oid);
   } else if(form == EC_Group_Encoding::ImplicitCA) {
      der.encode_null();
   } else {
      throw Internal_Error("EC_Group::DER_encode: Unknown encoding");
   }
 
   return output;
}

References Botan::OID::empty(), Botan::DER_Encoder::encode(), Botan::DER_Encoder::encode_null(), Botan::DER_Encoder::end_cons(), Botan::Explicit, get_a(), get_b(), get_base_point(), get_cofactor(), get_curve_oid(), get_order(), get_p(), get_p_bytes(), Botan::ImplicitCA, Botan::NamedCurve, Botan::OctetString, Botan::DER_Encoder::start_sequence(), and Botan::Uncompressed.

Referenced by Botan::TLS::Signature_Scheme::key_algorithm_identifier(), and PEM_encode().

EC_Group_from_PEM()

static EC_Group Botan::EC_Group::EC_Group_from_PEM ( std::string_view pem )

inlinestatic

Definition at line 157 of file ec_group.h.

                                                                                                     {
         return EC_Group::from_PEM(pem);
      }

EC_group_identity_from_order()

OID Botan::EC_Group::EC_group_identity_from_order ( const BigInt & order )

static

Definition at line 344 of file ec_named.cpp.

   {
   const uint32_t low_bits = static_cast<uint32_t>(order.word_at(0));
 
   if(low_bits == 0xFC632551 && order == BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551")) {
      return OID{1, 2, 840, 10045, 3, 1, 7};
   }
 
   if(low_bits == 0xCCC52973 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) {
      return OID{1, 3, 132, 0, 34};
   }
 
   if(low_bits == 0x91386409 && order == BigInt("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409")) {
      return OID{1, 3, 132, 0, 35};
   }
 
   if(low_bits == 0x9E60FC09 && order == BigInt("0xE95E4A5F737059DC60DF5991D45029409E60FC09")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1};
   }
 
   if(low_bits == 0x9AC4ACC1 && order == BigInt("0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3};
   }
 
   if(low_bits == 0xA5A7939F && order == BigInt("0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5};
   }
 
   if(low_bits == 0x974856A7 && order == BigInt("0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7};
   }
 
   if(low_bits == 0x44C59311 && order == BigInt("0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9};
   }
 
   if(low_bits == 0xE9046565 && order == BigInt("0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11};
   }
 
   if(low_bits == 0x9CA90069 && order == BigInt("0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069")) {
      return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13};
   }
 
   if(low_bits == 0xC6D655E1 && order == BigInt("0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1")) {
      return OID{1, 2, 250, 1, 223, 101, 256, 1};
   }
 
   if(low_bits == 0xB761B893 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893")) {
      return OID{1, 2, 643, 7, 1, 2, 1, 1, 1};
   }
 
   if(low_bits == 0x1F10B275 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275")) {
      return OID{1, 2, 643, 7, 1, 2, 1, 2, 1};
   }
 
   if(low_bits == 0xCA16B6B3 && order == BigInt("0x100000000000000000001B8FA16DFAB9ACA16B6B3")) {
      return OID{1, 3, 132, 0, 9};
   }
 
   if(low_bits == 0xCA752257 && order == BigInt("0x100000000000000000001F4C8F927AED3CA752257")) {
      return OID{1, 3, 132, 0, 8};
   }
 
   if(low_bits == 0xF3A1A16B && order == BigInt("0x100000000000000000000351EE786A818F3A1A16B")) {
      return OID{1, 3, 132, 0, 30};
   }
 
   if(low_bits == 0x74DEFD8D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D")) {
      return OID{1, 3, 132, 0, 31};
   }
 
   if(low_bits == 0xB4D22831 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) {
      return OID{1, 2, 840, 10045, 3, 1, 1};
   }
 
   if(low_bits == 0x769FB1F7 && order == BigInt("0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7")) {
      return OID{1, 3, 132, 0, 32};
   }
 
   if(low_bits == 0x5C5C2A3D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) {
      return OID{1, 3, 132, 0, 33};
   }
 
   if(low_bits == 0xD0364141 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")) {
      return OID{1, 3, 132, 0, 10};
   }
 
   if(low_bits == 0x39D54123 && order == BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123")) {
      return OID{1, 2, 156, 10197, 1, 301};
   }
 
   if(low_bits == 0x48D8DD31 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31")) {
      return OID{1, 2, 840, 10045, 3, 1, 2};
   }
 
   if(low_bits == 0xF640EC13 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13")) {
      return OID{1, 2, 840, 10045, 3, 1, 3};
   }
 
   if(low_bits == 0x88909D0B && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B")) {
      return OID{1, 2, 840, 10045, 3, 1, 4};
   }
 
   if(low_bits == 0xBC582063 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063")) {
      return OID{1, 2, 840, 10045, 3, 1, 5};
   }
 
   if(low_bits == 0x46526551 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551")) {
      return OID{1, 2, 840, 10045, 3, 1, 6};
   }
 
   return OID();
}

References Botan::BigInt::word_at().

EC_group_info()

std::shared_ptr< EC_Group_Data > Botan::EC_Group::EC_group_info ( const OID & oid )

static

Definition at line 15 of file ec_named.cpp.

                                                                   {
   // secp256r1
   if(oid == OID{1, 2, 840, 10045, 3, 1, 7}) {
      return load_EC_group_info(
         "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
         "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
         "0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
         "0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
         "0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
         "0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
         oid);
   }
 
   // secp384r1
   if(oid == OID{1, 3, 132, 0, 34}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
         "0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
         "0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
         "0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
         oid);
   }
 
   // secp521r1
   if(oid == OID{1, 3, 132, 0, 35}) {
      return load_EC_group_info(
         "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
         "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
         "0x51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
         "0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
         "0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
         "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
         oid);
   }
 
   // brainpool160r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}) {
      return load_EC_group_info(
         "0xE95E4A5F737059DC60DFC7AD95B3D8139515620F",
         "0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300",
         "0x1E589A8595423412134FAA2DBDEC95C8D8675E58",
         "0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3",
         "0x1667CB477A1A8EC338F94741669C976316DA6321",
         "0xE95E4A5F737059DC60DF5991D45029409E60FC09",
         oid);
   }
 
   // brainpool192r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}) {
      return load_EC_group_info(
         "0xC302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
         "0x6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF",
         "0x469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9",
         "0xC0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6",
         "0x14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F",
         "0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
         oid);
   }
 
   // brainpool224r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}) {
      return load_EC_group_info(
         "0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
         "0x68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43",
         "0x2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B",
         "0xD9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D",
         "0x58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD",
         "0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
         oid);
   }
 
   // brainpool256r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}) {
      return load_EC_group_info(
         "0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
         "0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
         "0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
         "0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
         "0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
         "0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
         oid);
   }
 
   // brainpool320r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}) {
      return load_EC_group_info(
         "0xD35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
         "0x3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4",
         "0x520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6",
         "0x43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611",
         "0x14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1",
         "0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
         oid);
   }
 
   // brainpool384r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}) {
      return load_EC_group_info(
         "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
         "0x7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
         "0x4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
         "0x1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
         "0x8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
         "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
         oid);
   }
 
   // brainpool512r1
   if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}) {
      return load_EC_group_info(
         "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
         "0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
         "0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
         "0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
         "0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
         "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
         oid);
   }
 
   // frp256v1
   if(oid == OID{1, 2, 250, 1, 223, 101, 256, 1}) {
      return load_EC_group_info(
         "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03",
         "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00",
         "0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F",
         "0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF",
         "0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB",
         "0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1",
         oid);
   }
 
   // gost_256A
   if(oid == OID{1, 2, 643, 7, 1, 2, 1, 1, 1} || oid == OID{1, 2, 643, 2, 2, 35, 1} || oid == OID{1, 2, 643, 2, 2, 36, 0}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94",
         "0xA6",
         "1",
         "0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893",
         OID{1, 2, 643, 7, 1, 2, 1, 1, 1});
   }
 
   // gost_512A
   if(oid == OID{1, 2, 643, 7, 1, 2, 1, 2, 1}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4",
         "0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD081CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEE4761503190785A71C760",
         "3",
         "0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064FDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235F5B889A589CB5215F2A4",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275",
         oid);
   }
 
   // secp160k1
   if(oid == OID{1, 3, 132, 0, 9}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
         "0",
         "7",
         "0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
         "0x938CF935318FDCED6BC28286531733C3F03C4FEE",
         "0x100000000000000000001B8FA16DFAB9ACA16B6B3",
         oid);
   }
 
   // secp160r1
   if(oid == OID{1, 3, 132, 0, 8}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
         "0x1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
         "0x4A96B5688EF573284664698968C38BB913CBFC82",
         "0x23A628553168947D59DCC912042351377AC5FB32",
         "0x100000000000000000001F4C8F927AED3CA752257",
         oid);
   }
 
   // secp160r2
   if(oid == OID{1, 3, 132, 0, 30}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
         "0xB4E134D3FB59EB8BAB57274904664D5AF50388BA",
         "0x52DCB034293A117E1F4FF11B30F7199D3144CE6D",
         "0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E",
         "0x100000000000000000000351EE786A818F3A1A16B",
         oid);
   }
 
   // secp192k1
   if(oid == OID{1, 3, 132, 0, 31}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
         "0",
         "3",
         "0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
         "0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D",
         "0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D",
         oid);
   }
 
   // secp192r1
   if(oid == OID{1, 2, 840, 10045, 3, 1, 1}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
         "0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
         "0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
         "0x7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
         "0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
         oid);
   }
 
   // secp224k1
   if(oid == OID{1, 3, 132, 0, 32}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
         "0",
         "5",
         "0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
         "0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5",
         "0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",
         oid);
   }
 
   // secp224r1
   if(oid == OID{1, 3, 132, 0, 33}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
         "0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
         "0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
         "0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
         oid);
   }
 
   // secp256k1
   if(oid == OID{1, 3, 132, 0, 10}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
         "0",
         "7",
         "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
         "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
         oid);
   }
 
   // sm2p256v1
   if(oid == OID{1, 2, 156, 10197, 1, 301}) {
      return load_EC_group_info(
         "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF",
         "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC",
         "0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93",
         "0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7",
         "0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0",
         "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123",
         oid);
   }
 
   // x962_p192v2
   if(oid == OID{1, 2, 840, 10045, 3, 1, 2}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
         "0xCC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
         "0xEEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
         "0x6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15",
         "0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31",
         oid);
   }
 
   // x962_p192v3
   if(oid == OID{1, 2, 840, 10045, 3, 1, 3}) {
      return load_EC_group_info(
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
         "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
         "0x22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
         "0x7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
         "0x38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0",
         "0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13",
         oid);
   }
 
   // x962_p239v1
   if(oid == OID{1, 2, 840, 10045, 3, 1, 4}) {
      return load_EC_group_info(
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
         "0x6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
         "0xFFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
         "0x7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B",
         oid);
   }
 
   // x962_p239v2
   if(oid == OID{1, 2, 840, 10045, 3, 1, 5}) {
      return load_EC_group_info(
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
         "0x617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
         "0x38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
         "0x5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063",
         oid);
   }
 
   // x962_p239v3
   if(oid == OID{1, 2, 840, 10045, 3, 1, 6}) {
      return load_EC_group_info(
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
         "0x255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
         "0x6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
         "0x1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3",
         "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551",
         oid);
   }
 
   return std::shared_ptr<EC_Group_Data>();
}

from_name()

EC_Group Botan::EC_Group::from_name ( std::string_view name )

static

Initialize an EC group from a group common name (eg "secp256r1")

Definition at line 420 of file ec_group.cpp.

                                                {
   std::shared_ptr<EC_Group_Data> data;
 
   if(auto oid = OID::from_name(name)) {
      data = ec_group_data().lookup(oid.value());
   }
 
   if(!data) {
      throw Invalid_Argument(fmt("Unknown EC_Group '{}'", name));
   }
 
   return EC_Group(std::move(data));
}

References EC_Group(), Botan::fmt(), Botan::OID::from_name(), and name.

Referenced by Botan::create_private_key(), Botan::TLS::Signature_Scheme::key_algorithm_identifier(), Botan::TLS::Callbacks::tls_ephemeral_key_agreement(), and Botan::TLS::Callbacks::tls_generate_ephemeral_key().

from_OID()

EC_Group Botan::EC_Group::from_OID ( const OID & oid )

static

Initialize an EC group from a group named by an object identifier

Definition at line 409 of file ec_group.cpp.

                                          {
   auto data = ec_group_data().lookup(oid);
 
   if(!data) {
      throw Invalid_Argument(fmt("No EC_Group associated with OID '{}'", oid.to_string()));
   }
 
   return EC_Group(std::move(data));
}

References EC_Group(), Botan::fmt(), and Botan::OID::to_string().

Referenced by Botan::GOST_3410_PublicKey::GOST_3410_PublicKey().

from_PEM()

EC_Group Botan::EC_Group::from_PEM ( std::string_view pem )

static

Initialize an EC group from the PEM/ASN.1 encoding

Definition at line 463 of file ec_group.cpp.

                                              {
   const auto ber = PEM_Code::decode_check_label(pem, "EC PARAMETERS");
   return EC_Group(ber);
}

References Botan::PEM_Code::decode_check_label(), and EC_Group().

get_a()

const BigInt & Botan::EC_Group::get_a

(

)

const

Return the a parameter of the elliptic curve equation

Definition at line 559 of file ec_group.cpp.

                                    {
   return data().a();
}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), operator==(), Botan::sm2_compute_za(), and verify_group().

get_b()

const BigInt & Botan::EC_Group::get_b

(

)

const

Return the b parameter of the elliptic curve equation

Definition at line 563 of file ec_group.cpp.

                                    {
   return data().b();
}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), operator==(), Botan::sm2_compute_za(), and verify_group().

get_base_point()

const EC_Point & Botan::EC_Group::get_base_point

(

)

const

Return group base point

Returns

base point

Definition at line 567 of file ec_group.cpp.

                                               {
   return data().base_point();
}

Referenced by DER_encode(), Botan::EC_PrivateKey::EC_PrivateKey(), point_multiply(), and verify_group().

get_cofactor()

const BigInt & Botan::EC_Group::get_cofactor

(

)

const

Return the cofactor

Returns

the cofactor

Definition at line 583 of file ec_group.cpp.

                                           {
   return data().cofactor();
}

Referenced by blinded_var_point_multiply(), DER_encode(), Botan::ECIES_KA_Operation::derive_secret(), Botan::ECIES_Decryptor::ECIES_Decryptor(), Botan::EC_PublicKey::get_int_field(), operator==(), verify_group(), and verify_public_element().

get_curve_oid()

const OID & Botan::EC_Group::get_curve_oid

(

)

const

Return the OID of these domain parameters

Returns

the OID

Definition at line 611 of file ec_group.cpp.

                                         {
   return data().oid();
}

Referenced by Botan::GOST_3410_PublicKey::algorithm_identifier(), DER_encode(), Botan::hash_to_curve_sswu(), and Botan::EC_PublicKey::set_parameter_encoding().

get_g_x()

const BigInt & Botan::EC_Group::get_g_x

(

)

const

Return the x coordinate of the base point

Definition at line 575 of file ec_group.cpp.

                                      {
   return data().g_x();
}

Referenced by Botan::EC_PublicKey::get_int_field(), operator==(), and Botan::sm2_compute_za().

get_g_y()

const BigInt & Botan::EC_Group::get_g_y

(

)

const

Return the y coordinate of the base point

Definition at line 579 of file ec_group.cpp.

                                      {
   return data().g_y();
}

Referenced by Botan::EC_PublicKey::get_int_field(), operator==(), and Botan::sm2_compute_za().

get_order()

const BigInt & Botan::EC_Group::get_order

(

)

const

Return the order of the base point

Returns

order of the base point

Definition at line 571 of file ec_group.cpp.

                                        {
   return data().order();
}

Referenced by blinded_var_point_multiply(), Botan::EC_PrivateKey::check_key(), Botan::SM2_PrivateKey::check_key(), DER_encode(), Botan::EC_PrivateKey::EC_PrivateKey(), Botan::EC_PrivateKey::EC_PrivateKey(), Botan::ECIES_Decryptor::ECIES_Decryptor(), Botan::EC_PublicKey::get_int_field(), operator==(), random_scalar(), verify_group(), and verify_public_element().

get_order_bits()

size_t Botan::EC_Group::get_order_bits

(

)

const

Return the size of group order in bits (same as get_order().bits())

Definition at line 547 of file ec_group.cpp.

                                      {
   return data().order_bits();
}

get_order_bytes()

size_t Botan::EC_Group::get_order_bytes

(

)

const

Return the size of the group order in bytes (same as get_order().bytes())

Definition at line 551 of file ec_group.cpp.

                                       {
   return data().order_bytes();
}

Referenced by Botan::ECIES_KA_Operation::derive_secret(), and Botan::EC_PrivateKey::raw_private_key_bits().

get_p()

const BigInt & Botan::EC_Group::get_p

(

)

const

Return the prime modulus of the field

Definition at line 555 of file ec_group.cpp.

                                    {
   return data().p();
}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), operator==(), and verify_group().

get_p_bits()

size_t Botan::EC_Group::get_p_bits

(

)

const

Return the size of p in bits (same as get_p().bits())

Definition at line 539 of file ec_group.cpp.

                                  {
   return data().p_bits();
}

Referenced by Botan::GOST_3410_PublicKey::algo_name(), Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), and Botan::EC_PublicKey::key_length().

get_p_bytes()

size_t Botan::EC_Group::get_p_bytes

(

)

const

Return the size of p in bits (same as get_p().bytes())

Definition at line 543 of file ec_group.cpp.

                                   {
   return data().p_bytes();
}

Referenced by DER_encode(), point_size(), and Botan::sm2_compute_za().

hash_to_curve() [1/2]

EC_Point Botan::EC_Group::hash_to_curve	(	std::string_view	hash_fn,
		const uint8_t	input[],
		size_t	input_len,
		const uint8_t	domain_sep[],
		size_t	domain_sep_len,
		bool	random_oracle = true ) const

Hash onto the curve. For some curve types no mapping is currently available, in this case this function will throw an exception.

Parameters

hash_fn	the hash function to use (typically "SHA-256" or "SHA-512")
input	the input to hash
input_len	length of input in bytes
domain_sep	a domain seperator
domain_sep_len	length of domain_sep in bytes
random_oracle	if the mapped point must be uniform (use "true" here unless you know what you are doing)

Definition at line 688 of file ec_group.cpp.

                                                           {
#if defined(BOTAN_HAS_EC_HASH_TO_CURVE)
 
   // Only have SSWU currently
   if(get_a().is_zero() || get_b().is_zero() || get_p() % 4 == 1) {
      throw Not_Implemented("EC_Group::hash_to_curve not available for this curve type");
   }
 
   return hash_to_curve_sswu(*this, hash_fn, {input, input_len}, {domain_sep, domain_sep_len}, random_oracle);
 
#else
   BOTAN_UNUSED(hash_fn, random_oracle, input, input_len, domain_sep, domain_sep_len);
   throw Not_Implemented("EC_Group::hash_to_curve functionality not available in this configuration");
#endif
}

References BOTAN_UNUSED, get_a(), get_b(), get_p(), and Botan::hash_to_curve_sswu().

Referenced by hash_to_curve().

hash_to_curve() [2/2]

EC_Point Botan::EC_Group::hash_to_curve	(	std::string_view	hash_fn,
		const uint8_t	input[],
		size_t	input_len,
		std::string_view	domain_sep,
		bool	random_oracle = true ) const

Hash onto the curve. For some curve types no mapping is currently available, in this case this function will throw an exception.

Parameters

hash_fn	the hash function to use (typically "SHA-256" or "SHA-512")
input	the input to hash
input_len	length of input in bytes
domain_sep	a domain seperator
random_oracle	if the mapped point must be uniform (use "true" here unless you know what you are doing)

Definition at line 679 of file ec_group.cpp.

                                                           {
   return this->hash_to_curve(
      hash_fn, input, input_len, reinterpret_cast<const uint8_t*>(domain.data()), domain.size(), random_oracle);
}

References hash_to_curve().

initialized()

bool Botan::EC_Group::initialized ( ) const

inline

Definition at line 357 of file ec_group.h.

{ return (m_data != nullptr); }

inverse_mod_order()

BigInt Botan::EC_Group::inverse_mod_order

(

const BigInt &

x

)

const

Definition at line 607 of file ec_group.cpp.

                                                        {
   return data().inverse_mod_order(x);
}

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), Botan::EC_PrivateKey::EC_PrivateKey(), Botan::SM2_PrivateKey::SM2_PrivateKey(), and Botan::SM2_PrivateKey::SM2_PrivateKey().

known_named_groups()

const std::set< std::string > & Botan::EC_Group::known_named_groups ( )

static

Return a set of known named EC groups

Definition at line 460 of file ec_named.cpp.

                                                      {
   static const std::set<std::string> named_groups = {
      "brainpool160r1",
      "brainpool192r1",
      "brainpool224r1",
      "brainpool256r1",
      "brainpool320r1",
      "brainpool384r1",
      "brainpool512r1",
      "frp256v1",
      "gost_256A",
      "gost_512A",
      "secp160k1",
      "secp160r1",
      "secp160r2",
      "secp192k1",
      "secp192r1",
      "secp224k1",
      "secp224r1",
      "secp256k1",
      "secp256r1",
      "secp384r1",
      "secp521r1",
      "sm2p256v1",
      "x962_p192v2",
      "x962_p192v3",
      "x962_p239v1",
      "x962_p239v2",
      "x962_p239v3",
   };
   return named_groups;
}

mod_order()

BigInt Botan::EC_Group::mod_order

(

const BigInt &

x

)

const

Definition at line 587 of file ec_group.cpp.

                                                {
   return data().mod_order(k);
}

multiply_mod_order() [1/2]

BigInt Botan::EC_Group::multiply_mod_order	(	const BigInt &	x,
		const BigInt &	y ) const

Definition at line 599 of file ec_group.cpp.

                                                                          {
   return data().multiply_mod_order(x, y);
}

Referenced by cube_mod_order().

multiply_mod_order() [2/2]

BigInt Botan::EC_Group::multiply_mod_order	(	const BigInt &	x,
		const BigInt &	y,
		const BigInt &	z ) const

Definition at line 603 of file ec_group.cpp.

                                                                                           {
   return data().multiply_mod_order(x, y, z);
}

operator=() [1/2]

EC_Group & Botan::EC_Group::operator= ( const EC_Group & )

default

operator=() [2/2]

EC_Group & Botan::EC_Group::operator= ( EC_Group && )

default

References Botan::OS2ECP().

operator==()

bool Botan::EC_Group::operator==

(

const EC_Group &

other

)

const

Definition at line 754 of file ec_group.cpp.

                                                     {
   if(m_data == other.m_data) {
      return true;  // same shared rep
   }
 
   return (get_p() == other.get_p() && get_a() == other.get_a() && get_b() == other.get_b() &&
           get_g_x() == other.get_g_x() && get_g_y() == other.get_g_y() && get_order() == other.get_order() &&
           get_cofactor() == other.get_cofactor());
}

References get_a(), get_b(), get_cofactor(), get_g_x(), get_g_y(), get_order(), and get_p().

OS2ECP() [1/2]

EC_Point Botan::EC_Group::OS2ECP	(	const uint8_t	bits[],
		size_t	len ) const

OS2ECP (Octet String To Elliptic Curve Point)

Deserialize an encoded point. Verifies that the point is on the curve.

Definition at line 628 of file ec_group.cpp.

                                                                {
   return Botan::OS2ECP(bits, len, data().curve());
}

References Botan::OS2ECP().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), Botan::ECIES_Encryptor::ECIES_Encryptor(), and Botan::hash_to_curve_sswu().

OS2ECP() [2/2]

EC_Point Botan::EC_Group::OS2ECP ( std::span< const uint8_t > encoded_point ) const

inline

Definition at line 353 of file ec_group.h.

                                                                  {
         return this->OS2ECP(encoded_point.data(), encoded_point.size());
      }

References Botan::OS2ECP().

PEM_encode()

std::string Botan::EC_Group::PEM_encode

(

)

const

Return the PEM encoding (always in explicit form)

Returns

string containing PEM data

Definition at line 749 of file ec_group.cpp.

                                     {
   const std::vector<uint8_t> der = DER_encode(EC_Group_Encoding::Explicit);
   return PEM_Code::encode(der, "EC PARAMETERS");
}

References DER_encode(), Botan::PEM_Code::encode(), and Botan::Explicit.

point()

EC_Point Botan::EC_Group::point	(	const BigInt &	x,
		const BigInt &	y ) const

Return a point on this curve with the affine values x, y

Definition at line 632 of file ec_group.cpp.

                                                               {
   // TODO: randomize the representation?
   return EC_Point(data().curve(), x, y);
}

Referenced by blinded_var_point_multiply(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), and verify_public_element().

point_multiply()

EC_Point Botan::EC_Group::point_multiply	(	const BigInt &	x,
		const EC_Point &	pt,
		const BigInt &	y ) const

Multi exponentiate. Not constant time.

Returns

base_point*x + pt*y

Definition at line 637 of file ec_group.cpp.

                                                                                            {
   EC_Point_Multi_Point_Precompute xy_mul(get_base_point(), pt);
   return xy_mul.multi_exp(x, y);
}

References get_base_point(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().

point_size()

size_t Botan::EC_Group::point_size

(

EC_Point_Format

format

)

const

Definition at line 619 of file ec_group.cpp.

                                                        {
   // Hybrid and standard format are (x,y), compressed is y, +1 format byte
   if(format == EC_Point_Format::Compressed) {
      return (1 + get_p_bytes());
   } else {
      return (1 + 2 * get_p_bytes());
   }
}

References Botan::Compressed, and get_p_bytes().

random_scalar()

BigInt Botan::EC_Group::random_scalar

(

RandomNumberGenerator &

rng

)

const

Return a random scalar ie an integer in [1,order)

Definition at line 659 of file ec_group.cpp.

                                                               {
   return BigInt::random_integer(rng, BigInt::one(), get_order());
}

References get_order(), Botan::BigInt::one(), and Botan::BigInt::random_integer().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey().

source()

EC_Group_Source Botan::EC_Group::source

(

)

const

Definition at line 615 of file ec_group.cpp.

                                       {
   return data().source();
}

Referenced by verify_group().

square_mod_order()

BigInt Botan::EC_Group::square_mod_order

(

const BigInt &

x

)

const

Definition at line 591 of file ec_group.cpp.

                                                       {
   return data().square_mod_order(x);
}

Referenced by cube_mod_order().

used_explicit_encoding()

bool Botan::EC_Group::used_explicit_encoding ( ) const

inline

Return true if this EC_Group was derived from an explicit encoding

Explicit encoding of groups is deprecated; when support for explicit curves is removed in a future major release, this function will also be removed.

Definition at line 375 of file ec_group.h.

{ return m_explicit_encoding; }

Referenced by botan_pubkey_ecc_key_used_explicit_encoding().

verify_group()

bool Botan::EC_Group::verify_group	(	RandomNumberGenerator &	rng,
		bool	strong = false ) const

Verify EC_Group domain

Returns

true if group is valid. false otherwise

Definition at line 789 of file ec_group.cpp.

                                                                         {
   const bool is_builtin = source() == EC_Group_Source::Builtin;
 
   if(is_builtin && !strong) {
      return true;
   }
 
   const BigInt& p = get_p();
   const BigInt& a = get_a();
   const BigInt& b = get_b();
   const BigInt& order = get_order();
   const EC_Point& base_point = get_base_point();
 
   if(p <= 3 || order <= 0) {
      return false;
   }
   if(a < 0 || a >= p) {
      return false;
   }
   if(b <= 0 || b >= p) {
      return false;
   }
 
   const size_t test_prob = 128;
   const bool is_randomly_generated = is_builtin;
 
   //check if field modulus is prime
   if(!is_prime(p, rng, test_prob, is_randomly_generated)) {
      return false;
   }
 
   //check if order is prime
   if(!is_prime(order, rng, test_prob, is_randomly_generated)) {
      return false;
   }
 
   //compute the discriminant: 4*a^3 + 27*b^2 which must be nonzero
   const Modular_Reducer mod_p(p);
 
   const BigInt discriminant = mod_p.reduce(mod_p.multiply(4, mod_p.cube(a)) + mod_p.multiply(27, mod_p.square(b)));
 
   if(discriminant == 0) {
      return false;
   }
 
   //check for valid cofactor
   if(get_cofactor() < 1) {
      return false;
   }
 
   //check if the base point is on the curve
   if(!base_point.on_the_curve()) {
      return false;
   }
   if((base_point * get_cofactor()).is_zero()) {
      return false;
   }
   //check if order of the base point is correct
   if(!(base_point * order).is_zero()) {
      return false;
   }
 
   // check the Hasse bound (roughly)
   if((p - get_cofactor() * order).abs().bits() > (p.bits() / 2) + 1) {
      return false;
   }
 
   return true;
}

References Botan::abs(), Botan::BigInt::bits(), Botan::Builtin, Botan::Modular_Reducer::cube(), get_a(), get_b(), get_base_point(), get_cofactor(), get_order(), get_p(), Botan::is_prime(), Botan::Modular_Reducer::multiply(), Botan::EC_Point::on_the_curve(), Botan::Modular_Reducer::reduce(), source(), and Botan::Modular_Reducer::square().

Referenced by Botan::EC_PublicKey::check_key().

verify_public_element()

bool Botan::EC_Group::verify_public_element

(

const EC_Point &

y

)

const

Check if y is a plausible point on the curve

In particular, checks that it is a point on the curve, not infinity, and that it has order matching the group.

Definition at line 764 of file ec_group.cpp.

                                                                {
   //check that public point is not at infinity
   if(point.is_zero()) {
      return false;
   }
 
   //check that public point is on the curve
   if(point.on_the_curve() == false) {
      return false;
   }
 
   //check that public point has order q
   if((point * get_order()).is_zero() == false) {
      return false;
   }
 
   if(get_cofactor() > 1) {
      if((point * get_cofactor()).is_zero()) {
         return false;
      }
   }
 
   return true;
}

References get_cofactor(), get_order(), Botan::EC_Point::is_zero(), Botan::EC_Point::on_the_curve(), and point().

Referenced by Botan::EC_PublicKey::check_key().

zero_point()

EC_Point Botan::EC_Group::zero_point

(

)

const

Return the zero (or infinite) point on this curve

Definition at line 675 of file ec_group.cpp.

                                    {
   return EC_Point(data().curve());
}

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/ec_group/ec_group.h
• src/lib/pubkey/ec_group/ec_group.cpp
• src/lib/pubkey/ec_group/ec_named.cpp