Botan 3.1.1
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | List of all members
Botan::EC_Group Class Referencefinal

#include <ec_group.h>

Public Member Functions

bool a_is_minus_3 () const
 
bool a_is_zero () const
 
EC_Point blinded_base_point_multiply (const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
 
BigInt blinded_base_point_multiply_x (const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
 
EC_Point blinded_var_point_multiply (const EC_Point &point, const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
 
BigInt cube_mod_order (const BigInt &x) const
 
std::vector< uint8_t > DER_encode (EC_Group_Encoding form) const
 
 EC_Group ()
 
 EC_Group (const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &base_x, const BigInt &base_y, const BigInt &order, const BigInt &cofactor, const OID &oid=OID())
 
 EC_Group (const EC_Group &)=default
 
 EC_Group (const OID &oid)
 
template<typename Alloc >
 EC_Group (const std::vector< uint8_t, Alloc > &ber)
 
 EC_Group (const uint8_t ber[], size_t ber_len)
 
 EC_Group (EC_Group &&)=default
 
 EC_Group (std::string_view pem_or_oid)
 
const BigIntget_a () const
 
const BigIntget_b () const
 
const EC_Pointget_base_point () const
 
const BigIntget_cofactor () const
 
const OIDget_curve_oid () const
 
const BigIntget_g_x () const
 
const BigIntget_g_y () const
 
const BigIntget_order () const
 
size_t get_order_bits () const
 
size_t get_order_bytes () const
 
const BigIntget_p () const
 
size_t get_p_bits () const
 
size_t get_p_bytes () const
 
EC_Point hash_to_curve (std::string_view hash_fn, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len, bool random_oracle=true) const
 
EC_Point hash_to_curve (std::string_view hash_fn, const uint8_t input[], size_t input_len, std::string_view domain_sep, bool random_oracle=true) const
 
bool initialized () const
 
BigInt inverse_mod_order (const BigInt &x) const
 
BigInt mod_order (const BigInt &x) const
 
BigInt multiply_mod_order (const BigInt &x, const BigInt &y) const
 
BigInt multiply_mod_order (const BigInt &x, const BigInt &y, const BigInt &z) const
 
EC_Groupoperator= (const EC_Group &)=default
 
EC_Groupoperator= (EC_Group &&)=default
 
bool operator== (const EC_Group &other) const
 
EC_Point OS2ECP (const uint8_t bits[], size_t len) const
 
EC_Point OS2ECP (std::span< const uint8_t > encoded_point) const
 
std::string PEM_encode () const
 
EC_Point point (const BigInt &x, const BigInt &y) const
 
EC_Point point_multiply (const BigInt &x, const EC_Point &pt, const BigInt &y) const
 
size_t point_size (EC_Point_Format format) const
 
BigInt random_scalar (RandomNumberGenerator &rng) const
 
EC_Group_Source source () const
 
BigInt square_mod_order (const BigInt &x) const
 
bool verify_group (RandomNumberGenerator &rng, bool strong=false) const
 
bool verify_public_element (const EC_Point &y) const
 
EC_Point zero_point () const
 
 ~EC_Group ()
 

Static Public Member Functions

static size_t clear_registered_curve_data ()
 
static EC_Group EC_Group_from_PEM (std::string_view pem)
 
static OID EC_group_identity_from_order (const BigInt &order)
 
static std::shared_ptr< EC_Group_Data > EC_group_info (const OID &oid)
 
static const std::set< std::string > & known_named_groups ()
 

Detailed Description

Class representing an elliptic curve

The internal representation is stored in a shared_ptr, so copying an EC_Group is inexpensive.

Definition at line 48 of file ec_group.h.

Constructor & Destructor Documentation

◆ EC_Group() [1/8]

Botan::EC_Group::EC_Group ( const BigInt p,
const BigInt a,
const BigInt b,
const BigInt base_x,
const BigInt base_y,
const BigInt order,
const BigInt cofactor,
const OID oid = OID() 
)

Construct Domain paramers from specified parameters

Parameters
pthe elliptic curve p
athe elliptic curve a param
bthe elliptic curve b param
base_xthe x coordinate of the base point
base_ythe y coordinate of the base point
orderthe order of the base point
cofactorthe cofactor
oidan optional OID used to identify this curve

Definition at line 428 of file ec_group.cpp.

435 {
436 m_data =
437 ec_group_data().lookup_or_create(p, a, b, base_x, base_y, order, cofactor, oid, EC_Group_Source::ExternalSource);
438}

References Botan::ExternalSource.

◆ EC_Group() [2/8]

Botan::EC_Group::EC_Group ( const uint8_t  ber[],
size_t  ber_len 
)
explicit

Decode a BER encoded ECC domain parameter set

Parameters
berthe bytes of the BER encoding
ber_lenthe length of ber

Definition at line 440 of file ec_group.cpp.

440 {
441 m_data = BER_decode_EC_group(ber, ber_len, EC_Group_Source::ExternalSource);
442}

References Botan::ExternalSource.

◆ EC_Group() [3/8]

template<typename Alloc >
Botan::EC_Group::EC_Group ( const std::vector< uint8_t, Alloc > &  ber)
inline

Definition at line 78 of file ec_group.h.

78: EC_Group(ber.data(), ber.size()) {}
Botan::EC_Group::EC_Group
EC_Group()

◆ EC_Group() [4/8]

Botan::EC_Group::EC_Group ( const OID oid)
explicit

Create an EC domain by OID (or throw if unknown)

Parameters
oidthe OID of the EC domain to create

Definition at line 390 of file ec_group.cpp.

390 {
391 this->m_data = ec_group_data().lookup(domain_oid);
392 if(!this->m_data) {
393 throw Invalid_Argument("Unknown EC_Group " + domain_oid.to_string());
394 }
395}

References Botan::OID::to_string().

◆ EC_Group() [5/8]

Botan::EC_Group::EC_Group ( std::string_view  pem_or_oid)
explicit

Create an EC domain from PEM encoding (as from PEM_encode), or from an OID name (eg "secp256r1", or "1.2.840.10045.3.1.7")

Parameters
pem_or_oidPEM-encoded data, or an OID
Warning
Support for PEM in this function is deprecated. Use EC_Group_from_PEM

Definition at line 397 of file ec_group.cpp.

397 {
398 if(str.empty()) {
399 return; // no initialization / uninitialized
400 }
401
402 try {
403 const OID oid = OID::from_string(str);
404 if(oid.has_value()) {
405 m_data = ec_group_data().lookup(oid);
406 }
407 } catch(...) {}
408
409 if(m_data == nullptr) {
410 if(str.size() > 30 && str.substr(0, 29) == "-----BEGIN EC PARAMETERS-----") {
411 // OK try it as PEM ...
412 secure_vector<uint8_t> ber = PEM_Code::decode_check_label(str, "EC PARAMETERS");
413 this->m_data = BER_decode_EC_group(ber.data(), ber.size(), EC_Group_Source::ExternalSource);
414 }
415 }
416
417 if(m_data == nullptr) {
418 throw Invalid_Argument(fmt("Unknown ECC group '{}'", str));
419 }
420}
Botan::OID::from_string
static OID from_string(std::string_view str)
Definition: asn1_oid.cpp:74
Botan::PEM_Code::decode_check_label
secure_vector< uint8_t > decode_check_label(DataSource &source, std::string_view label_want)
Definition: pem.cpp:49
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition: fmt.h:53

References Botan::PEM_Code::decode_check_label(), Botan::ExternalSource, Botan::fmt(), Botan::OID::from_string(), and Botan::OID::has_value().

◆ EC_Group() [6/8]

Botan::EC_Group::EC_Group ( )
default

Create an uninitialized EC_Group

Referenced by EC_Group_from_PEM().

◆ ~EC_Group()

Botan::EC_Group::~EC_Group ( )
default

◆ EC_Group() [7/8]

Botan::EC_Group::EC_Group ( const EC_Group )
default

◆ EC_Group() [8/8]

Botan::EC_Group::EC_Group ( EC_Group &&  )
default

Member Function Documentation

◆ a_is_minus_3()

bool Botan::EC_Group::a_is_minus_3 ( ) const

Return if a == -3 mod p

Definition at line 451 of file ec_group.cpp.

451 {
452 return data().a_is_minus_3();
453}

◆ a_is_zero()

bool Botan::EC_Group::a_is_zero ( ) const

Return if a == 0 mod p

Definition at line 455 of file ec_group.cpp.

455 {
456 return data().a_is_zero();
457}

◆ blinded_base_point_multiply()

EC_Point Botan::EC_Group::blinded_base_point_multiply ( const BigInt k,
RandomNumberGenerator rng,
std::vector< BigInt > &  ws 
) const

Blinded point multiplication, attempts resistance to side channels

Parameters
kthe scalar
rnga random number generator
wsa temp workspace
Returns
base_point*k

Definition at line 558 of file ec_group.cpp.

560 {
561 return data().blinded_base_point_multiply(k, rng, ws);
562}

Referenced by Botan::EC_PrivateKey::EC_PrivateKey().

◆ blinded_base_point_multiply_x()

BigInt Botan::EC_Group::blinded_base_point_multiply_x ( const BigInt k,
RandomNumberGenerator rng,
std::vector< BigInt > &  ws 
) const

Blinded point multiplication, attempts resistance to side channels Returns just the x coordinate of the point

Parameters
kthe scalar
rnga random number generator
wsa temp workspace
Returns
x coordinate of base_point*k

Definition at line 564 of file ec_group.cpp.

566 {
567 const EC_Point pt = data().blinded_base_point_multiply(k, rng, ws);
568
569 if(pt.is_zero()) {
570 return BigInt::zero();
571 }
572 return pt.get_affine_x();
573}
Botan::BigInt::zero
static BigInt zero()
Definition: bigint.h:44

References Botan::EC_Point::get_affine_x(), Botan::EC_Point::is_zero(), and Botan::BigInt::zero().

◆ blinded_var_point_multiply()

EC_Point Botan::EC_Group::blinded_var_point_multiply ( const EC_Point point,
const BigInt k,
RandomNumberGenerator rng,
std::vector< BigInt > &  ws 
) const

Blinded point multiplication, attempts resistance to side channels

Parameters
pointinput point
kthe scalar
rnga random number generator
wsa temp workspace
Returns
point*k

Definition at line 579 of file ec_group.cpp.

582 {
583 EC_Point_Var_Point_Precompute mul(point, rng, ws);
584 return mul.mul(k, rng, get_order(), ws);
585}
Botan::EC_Group::get_order
const BigInt & get_order() const
Definition: ec_group.cpp:491
Botan::EC_Group::point
EC_Point point(const BigInt &x, const BigInt &y) const
Definition: ec_group.cpp:548

References get_order(), Botan::EC_Point_Var_Point_Precompute::mul(), and point().

◆ clear_registered_curve_data()

size_t Botan::EC_Group::clear_registered_curve_data ( )
static

Definition at line 301 of file ec_group.cpp.

301 {
302 return ec_group_data().clear();
303}

◆ cube_mod_order()

BigInt Botan::EC_Group::cube_mod_order ( const BigInt x) const
inline

Definition at line 225 of file ec_group.h.

225{ return multiply_mod_order(x, square_mod_order(x)); }
Botan::EC_Group::multiply_mod_order
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
Definition: ec_group.cpp:515
Botan::EC_Group::square_mod_order
BigInt square_mod_order(const BigInt &x) const
Definition: ec_group.cpp:511

◆ DER_encode()

std::vector< uint8_t > Botan::EC_Group::DER_encode ( EC_Group_Encoding  form) const

Create the DER encoding of this domain

Parameters
formof encoding to use
Returns
bytes encododed as DER

Definition at line 621 of file ec_group.cpp.

621 {
622 std::vector<uint8_t> output;
623
624 DER_Encoder der(output);
625
626 if(form == EC_Group_Encoding::Explicit) {
627 const size_t ecpVers1 = 1;
628 const OID curve_type("1.2.840.10045.1.1"); // prime field
629
630 const size_t p_bytes = get_p_bytes();
631
632 der.start_sequence()
633 .encode(ecpVers1)
634 .start_sequence()
635 .encode(curve_type)
636 .encode(get_p())
637 .end_cons()
638 .start_sequence()
639 .encode(BigInt::encode_1363(get_a(), p_bytes), ASN1_Type::OctetString)
640 .encode(BigInt::encode_1363(get_b(), p_bytes), ASN1_Type::OctetString)
641 .end_cons()
642 .encode(get_base_point().encode(EC_Point_Format::Uncompressed), ASN1_Type::OctetString)
643 .encode(get_order())
644 .encode(get_cofactor())
645 .end_cons();
646 } else if(form == EC_Group_Encoding::NamedCurve) {
647 const OID oid = get_curve_oid();
648 if(oid.empty()) {
649 throw Encoding_Error("Cannot encode EC_Group as OID because OID not set");
650 }
651 der.encode(oid);
652 } else if(form == EC_Group_Encoding::ImplicitCA) {
653 der.encode_null();
654 } else {
655 throw Internal_Error("EC_Group::DER_encode: Unknown encoding");
656 }
657
658 return output;
659}
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:105
Botan::EC_Group::get_b
const BigInt & get_b() const
Definition: ec_group.cpp:483
Botan::EC_Group::get_a
const BigInt & get_a() const
Definition: ec_group.cpp:479
Botan::EC_Group::get_cofactor
const BigInt & get_cofactor() const
Definition: ec_group.cpp:503
Botan::EC_Group::get_p
const BigInt & get_p() const
Definition: ec_group.cpp:475
Botan::EC_Group::get_base_point
const EC_Point & get_base_point() const
Definition: ec_group.cpp:487
Botan::EC_Group::get_curve_oid
const OID & get_curve_oid() const
Definition: ec_group.cpp:527
Botan::EC_Group::get_p_bytes
size_t get_p_bytes() const
Definition: ec_group.cpp:463
Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition: pem.cpp:39

References Botan::OID::empty(), Botan::DER_Encoder::encode(), Botan::BigInt::encode_1363(), Botan::DER_Encoder::encode_null(), Botan::DER_Encoder::end_cons(), Botan::Explicit, get_a(), get_b(), get_base_point(), get_cofactor(), get_curve_oid(), get_order(), get_p(), get_p_bytes(), Botan::ImplicitCA, Botan::NamedCurve, Botan::OctetString, Botan::DER_Encoder::start_sequence(), and Botan::Uncompressed.

Referenced by Botan::TLS::Signature_Scheme::key_algorithm_identifier(), and PEM_encode().

◆ EC_Group_from_PEM()

EC_Group Botan::EC_Group::EC_Group_from_PEM ( std::string_view  pem)
static

Definition at line 423 of file ec_group.cpp.

423 {
424 const auto ber = PEM_Code::decode_check_label(pem, "EC PARAMETERS");
425 return EC_Group(ber.data(), ber.size());
426}

References Botan::PEM_Code::decode_check_label(), and EC_Group().

◆ EC_group_identity_from_order()

OID Botan::EC_Group::EC_group_identity_from_order ( const BigInt order)
static

Definition at line 344 of file ec_named.cpp.

345 {
346 const uint32_t low_bits = static_cast<uint32_t>(order.word_at(0));
347
348 if(low_bits == 0xFC632551 && order == BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551")) {
349 return OID{1, 2, 840, 10045, 3, 1, 7};
350 }
351
352 if(low_bits == 0xCCC52973 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) {
353 return OID{1, 3, 132, 0, 34};
354 }
355
356 if(low_bits == 0x91386409 && order == BigInt("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409")) {
357 return OID{1, 3, 132, 0, 35};
358 }
359
360 if(low_bits == 0x9E60FC09 && order == BigInt("0xE95E4A5F737059DC60DF5991D45029409E60FC09")) {
361 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1};
362 }
363
364 if(low_bits == 0x9AC4ACC1 && order == BigInt("0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1")) {
365 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3};
366 }
367
368 if(low_bits == 0xA5A7939F && order == BigInt("0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F")) {
369 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5};
370 }
371
372 if(low_bits == 0x974856A7 && order == BigInt("0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7")) {
373 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7};
374 }
375
376 if(low_bits == 0x44C59311 && order == BigInt("0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311")) {
377 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9};
378 }
379
380 if(low_bits == 0xE9046565 && order == BigInt("0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565")) {
381 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11};
382 }
383
384 if(low_bits == 0x9CA90069 && order == BigInt("0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069")) {
385 return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13};
386 }
387
388 if(low_bits == 0xC6D655E1 && order == BigInt("0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1")) {
389 return OID{1, 2, 250, 1, 223, 101, 256, 1};
390 }
391
392 if(low_bits == 0xB761B893 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893")) {
393 return OID{1, 2, 643, 7, 1, 2, 1, 1, 1};
394 }
395
396 if(low_bits == 0x1F10B275 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275")) {
397 return OID{1, 2, 643, 7, 1, 2, 1, 2, 1};
398 }
399
400 if(low_bits == 0xCA16B6B3 && order == BigInt("0x100000000000000000001B8FA16DFAB9ACA16B6B3")) {
401 return OID{1, 3, 132, 0, 9};
402 }
403
404 if(low_bits == 0xCA752257 && order == BigInt("0x100000000000000000001F4C8F927AED3CA752257")) {
405 return OID{1, 3, 132, 0, 8};
406 }
407
408 if(low_bits == 0xF3A1A16B && order == BigInt("0x100000000000000000000351EE786A818F3A1A16B")) {
409 return OID{1, 3, 132, 0, 30};
410 }
411
412 if(low_bits == 0x74DEFD8D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D")) {
413 return OID{1, 3, 132, 0, 31};
414 }
415
416 if(low_bits == 0xB4D22831 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) {
417 return OID{1, 2, 840, 10045, 3, 1, 1};
418 }
419
420 if(low_bits == 0x769FB1F7 && order == BigInt("0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7")) {
421 return OID{1, 3, 132, 0, 32};
422 }
423
424 if(low_bits == 0x5C5C2A3D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) {
425 return OID{1, 3, 132, 0, 33};
426 }
427
428 if(low_bits == 0xD0364141 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")) {
429 return OID{1, 3, 132, 0, 10};
430 }
431
432 if(low_bits == 0x39D54123 && order == BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123")) {
433 return OID{1, 2, 156, 10197, 1, 301};
434 }
435
436 if(low_bits == 0x48D8DD31 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31")) {
437 return OID{1, 2, 840, 10045, 3, 1, 2};
438 }
439
440 if(low_bits == 0xF640EC13 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13")) {
441 return OID{1, 2, 840, 10045, 3, 1, 3};
442 }
443
444 if(low_bits == 0x88909D0B && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B")) {
445 return OID{1, 2, 840, 10045, 3, 1, 4};
446 }
447
448 if(low_bits == 0xBC582063 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063")) {
449 return OID{1, 2, 840, 10045, 3, 1, 5};
450 }
451
452 if(low_bits == 0x46526551 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551")) {
453 return OID{1, 2, 840, 10045, 3, 1, 6};
454 }
455
456 return OID();
457}

References Botan::BigInt::word_at().

◆ EC_group_info()

std::shared_ptr< EC_Group_Data > Botan::EC_Group::EC_group_info ( const OID oid)
static

Definition at line 15 of file ec_named.cpp.

15 {
16 // secp256r1
17 if(oid == OID{1, 2, 840, 10045, 3, 1, 7}) {
18 return load_EC_group_info(
19 "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
20 "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
21 "0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
22 "0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
23 "0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
24 "0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
25 oid);
26 }
27
28 // secp384r1
29 if(oid == OID{1, 3, 132, 0, 34}) {
30 return load_EC_group_info(
31 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
32 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
33 "0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
34 "0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
35 "0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
36 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
37 oid);
38 }
39
40 // secp521r1
41 if(oid == OID{1, 3, 132, 0, 35}) {
42 return load_EC_group_info(
43 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
44 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
45 "0x51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
46 "0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
47 "0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
48 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
49 oid);
50 }
51
52 // brainpool160r1
53 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}) {
54 return load_EC_group_info(
55 "0xE95E4A5F737059DC60DFC7AD95B3D8139515620F",
56 "0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300",
57 "0x1E589A8595423412134FAA2DBDEC95C8D8675E58",
58 "0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3",
59 "0x1667CB477A1A8EC338F94741669C976316DA6321",
60 "0xE95E4A5F737059DC60DF5991D45029409E60FC09",
61 oid);
62 }
63
64 // brainpool192r1
65 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}) {
66 return load_EC_group_info(
67 "0xC302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
68 "0x6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF",
69 "0x469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9",
70 "0xC0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6",
71 "0x14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F",
72 "0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
73 oid);
74 }
75
76 // brainpool224r1
77 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}) {
78 return load_EC_group_info(
79 "0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
80 "0x68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43",
81 "0x2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B",
82 "0xD9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D",
83 "0x58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD",
84 "0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
85 oid);
86 }
87
88 // brainpool256r1
89 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}) {
90 return load_EC_group_info(
91 "0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
92 "0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
93 "0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
94 "0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
95 "0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
96 "0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
97 oid);
98 }
99
100 // brainpool320r1
101 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}) {
102 return load_EC_group_info(
103 "0xD35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
104 "0x3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4",
105 "0x520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6",
106 "0x43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611",
107 "0x14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1",
108 "0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
109 oid);
110 }
111
112 // brainpool384r1
113 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}) {
114 return load_EC_group_info(
115 "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
116 "0x7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
117 "0x4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
118 "0x1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
119 "0x8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
120 "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
121 oid);
122 }
123
124 // brainpool512r1
125 if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}) {
126 return load_EC_group_info(
127 "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
128 "0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
129 "0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
130 "0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
131 "0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
132 "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
133 oid);
134 }
135
136 // frp256v1
137 if(oid == OID{1, 2, 250, 1, 223, 101, 256, 1}) {
138 return load_EC_group_info(
139 "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03",
140 "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00",
141 "0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F",
142 "0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF",
143 "0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB",
144 "0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1",
145 oid);
146 }
147
148 // gost_256A
149 if(oid == OID{1, 2, 643, 7, 1, 2, 1, 1, 1} || oid == OID{1, 2, 643, 2, 2, 35, 1} || oid == OID{1, 2, 643, 2, 2, 36, 0}) {
150 return load_EC_group_info(
151 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97",
152 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94",
153 "0xA6",
154 "1",
155 "0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14",
156 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893",
157 OID{1, 2, 643, 7, 1, 2, 1, 1, 1});
158 }
159
160 // gost_512A
161 if(oid == OID{1, 2, 643, 7, 1, 2, 1, 2, 1}) {
162 return load_EC_group_info(
163 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7",
164 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4",
165 "0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD081CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEE4761503190785A71C760",
166 "3",
167 "0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064FDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235F5B889A589CB5215F2A4",
168 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275",
169 oid);
170 }
171
172 // secp160k1
173 if(oid == OID{1, 3, 132, 0, 9}) {
174 return load_EC_group_info(
175 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
176 "0",
177 "7",
178 "0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
179 "0x938CF935318FDCED6BC28286531733C3F03C4FEE",
180 "0x100000000000000000001B8FA16DFAB9ACA16B6B3",
181 oid);
182 }
183
184 // secp160r1
185 if(oid == OID{1, 3, 132, 0, 8}) {
186 return load_EC_group_info(
187 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
188 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
189 "0x1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
190 "0x4A96B5688EF573284664698968C38BB913CBFC82",
191 "0x23A628553168947D59DCC912042351377AC5FB32",
192 "0x100000000000000000001F4C8F927AED3CA752257",
193 oid);
194 }
195
196 // secp160r2
197 if(oid == OID{1, 3, 132, 0, 30}) {
198 return load_EC_group_info(
199 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
200 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
201 "0xB4E134D3FB59EB8BAB57274904664D5AF50388BA",
202 "0x52DCB034293A117E1F4FF11B30F7199D3144CE6D",
203 "0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E",
204 "0x100000000000000000000351EE786A818F3A1A16B",
205 oid);
206 }
207
208 // secp192k1
209 if(oid == OID{1, 3, 132, 0, 31}) {
210 return load_EC_group_info(
211 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
212 "0",
213 "3",
214 "0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
215 "0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D",
216 "0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D",
217 oid);
218 }
219
220 // secp192r1
221 if(oid == OID{1, 2, 840, 10045, 3, 1, 1}) {
222 return load_EC_group_info(
223 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
224 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
225 "0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
226 "0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
227 "0x7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
228 "0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
229 oid);
230 }
231
232 // secp224k1
233 if(oid == OID{1, 3, 132, 0, 32}) {
234 return load_EC_group_info(
235 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
236 "0",
237 "5",
238 "0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
239 "0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5",
240 "0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",
241 oid);
242 }
243
244 // secp224r1
245 if(oid == OID{1, 3, 132, 0, 33}) {
246 return load_EC_group_info(
247 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
248 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
249 "0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
250 "0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
251 "0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
252 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
253 oid);
254 }
255
256 // secp256k1
257 if(oid == OID{1, 3, 132, 0, 10}) {
258 return load_EC_group_info(
259 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
260 "0",
261 "7",
262 "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
263 "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8",
264 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
265 oid);
266 }
267
268 // sm2p256v1
269 if(oid == OID{1, 2, 156, 10197, 1, 301}) {
270 return load_EC_group_info(
271 "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF",
272 "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC",
273 "0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93",
274 "0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7",
275 "0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0",
276 "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123",
277 oid);
278 }
279
280 // x962_p192v2
281 if(oid == OID{1, 2, 840, 10045, 3, 1, 2}) {
282 return load_EC_group_info(
283 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
284 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
285 "0xCC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
286 "0xEEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
287 "0x6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15",
288 "0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31",
289 oid);
290 }
291
292 // x962_p192v3
293 if(oid == OID{1, 2, 840, 10045, 3, 1, 3}) {
294 return load_EC_group_info(
295 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
296 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
297 "0x22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
298 "0x7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
299 "0x38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0",
300 "0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13",
301 oid);
302 }
303
304 // x962_p239v1
305 if(oid == OID{1, 2, 840, 10045, 3, 1, 4}) {
306 return load_EC_group_info(
307 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
308 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
309 "0x6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
310 "0xFFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
311 "0x7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE",
312 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B",
313 oid);
314 }
315
316 // x962_p239v2
317 if(oid == OID{1, 2, 840, 10045, 3, 1, 5}) {
318 return load_EC_group_info(
319 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
320 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
321 "0x617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
322 "0x38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
323 "0x5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA",
324 "0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063",
325 oid);
326 }
327
328 // x962_p239v3
329 if(oid == OID{1, 2, 840, 10045, 3, 1, 6}) {
330 return load_EC_group_info(
331 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
332 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
333 "0x255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
334 "0x6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
335 "0x1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3",
336 "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551",
337 oid);
338 }
339
340 return std::shared_ptr<EC_Group_Data>();
341}

◆ get_a()

const BigInt & Botan::EC_Group::get_a ( ) const

Return the a parameter of the elliptic curve equation

Definition at line 479 of file ec_group.cpp.

479 {
480 return data().a();
481}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), operator==(), Botan::sm2_compute_za(), and verify_group().

◆ get_b()

const BigInt & Botan::EC_Group::get_b ( ) const

Return the b parameter of the elliptic curve equation

Definition at line 483 of file ec_group.cpp.

483 {
484 return data().b();
485}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), operator==(), Botan::sm2_compute_za(), and verify_group().

◆ get_base_point()

const EC_Point & Botan::EC_Group::get_base_point ( ) const

Return group base point

Returns
base point

Definition at line 487 of file ec_group.cpp.

487 {
488 return data().base_point();
489}

Referenced by DER_encode(), Botan::EC_PrivateKey::EC_PrivateKey(), point_multiply(), and verify_group().

◆ get_cofactor()

const BigInt & Botan::EC_Group::get_cofactor ( ) const

Return the cofactor

Returns
the cofactor

Definition at line 503 of file ec_group.cpp.

503 {
504 return data().cofactor();
505}

Referenced by DER_encode(), Botan::ECIES_KA_Operation::derive_secret(), Botan::ECIES_Decryptor::ECIES_Decryptor(), Botan::EC_PublicKey::get_int_field(), operator==(), verify_group(), and verify_public_element().

◆ get_curve_oid()

const OID & Botan::EC_Group::get_curve_oid ( ) const

Return the OID of these domain parameters

Returns
the OID

Definition at line 527 of file ec_group.cpp.

527 {
528 return data().oid();
529}

Referenced by Botan::GOST_3410_PublicKey::algorithm_identifier(), DER_encode(), and Botan::EC_PublicKey::set_parameter_encoding().

◆ get_g_x()

const BigInt & Botan::EC_Group::get_g_x ( ) const

Return the x coordinate of the base point

Definition at line 495 of file ec_group.cpp.

495 {
496 return data().g_x();
497}

Referenced by Botan::EC_PublicKey::get_int_field(), operator==(), and Botan::sm2_compute_za().

◆ get_g_y()

const BigInt & Botan::EC_Group::get_g_y ( ) const

Return the y coordinate of the base point

Definition at line 499 of file ec_group.cpp.

499 {
500 return data().g_y();
501}

Referenced by Botan::EC_PublicKey::get_int_field(), operator==(), and Botan::sm2_compute_za().

◆ get_order()

const BigInt & Botan::EC_Group::get_order ( ) const

Return the order of the base point

Returns
order of the base point

Definition at line 491 of file ec_group.cpp.

491 {
492 return data().order();
493}

Referenced by blinded_var_point_multiply(), DER_encode(), Botan::ECIES_KA_Operation::derive_secret(), Botan::ECIES_Decryptor::ECIES_Decryptor(), Botan::EC_PublicKey::get_int_field(), operator==(), random_scalar(), verify_group(), and verify_public_element().

◆ get_order_bits()

size_t Botan::EC_Group::get_order_bits ( ) const

Return the size of group order in bits (same as get_order().bits())

Definition at line 467 of file ec_group.cpp.

467 {
468 return data().order_bits();
469}

◆ get_order_bytes()

size_t Botan::EC_Group::get_order_bytes ( ) const

Return the size of p in bytes (same as get_order().bytes())

Definition at line 471 of file ec_group.cpp.

471 {
472 return data().order_bytes();
473}

◆ get_p()

const BigInt & Botan::EC_Group::get_p ( ) const

Return the prime modulus of the field

Definition at line 475 of file ec_group.cpp.

475 {
476 return data().p();
477}

Referenced by DER_encode(), Botan::EC_PublicKey::get_int_field(), hash_to_curve(), Botan::hash_to_curve_sswu(), operator==(), and verify_group().

◆ get_p_bits()

size_t Botan::EC_Group::get_p_bits ( ) const

Return the size of p in bits (same as get_p().bits())

Definition at line 459 of file ec_group.cpp.

459 {
460 return data().p_bits();
461}

Referenced by Botan::GOST_3410_PublicKey::algo_name(), Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), and Botan::EC_PublicKey::key_length().

◆ get_p_bytes()

size_t Botan::EC_Group::get_p_bytes ( ) const

Return the size of p in bits (same as get_p().bytes())

Definition at line 463 of file ec_group.cpp.

463 {
464 return data().p_bytes();
465}

Referenced by DER_encode(), point_size(), and Botan::sm2_compute_za().

◆ hash_to_curve() [1/2]

EC_Point Botan::EC_Group::hash_to_curve ( std::string_view  hash_fn,
const uint8_t  input[],
size_t  input_len,
const uint8_t  domain_sep[],
size_t  domain_sep_len,
bool  random_oracle = true 
) const

Hash onto the curve. For some curve types no mapping is currently available, in this case this function will throw an exception.

Parameters
hash_fnthe hash function to use (typically "SHA-256" or "SHA-512")
inputthe input to hash
input_lenlength of input in bytes
domain_sepa domain seperator
domain_sep_lenlength of domain_sep in bytes
random_oracleif the mapped point must be uniform (use "true" here unless you know what you are doing)

Definition at line 600 of file ec_group.cpp.

605 {
606#if defined(BOTAN_HAS_EC_HASH_TO_CURVE)
607
608 // Only have SSWU currently
609 if(get_a().is_zero() || get_b().is_zero() || get_p() % 4 == 1) {
610 throw Not_Implemented("EC_Group::hash_to_curve not available for this curve type");
611 }
612
613 return hash_to_curve_sswu(*this, hash_fn, input, input_len, domain_sep, domain_sep_len, random_oracle);
614
615#else
616 BOTAN_UNUSED(hash_fn, random_oracle, input, input_len, domain_sep, domain_sep_len);
617 throw Not_Implemented("EC_Group::hash_to_curve functionality not available in this configuration");
618#endif
619}
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition: assert.h:118
Botan::hash_to_curve_sswu
EC_Point hash_to_curve_sswu(const EC_Group &group, std::string_view hash_fn, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len, bool random_oracle)
Definition: ec_h2c.cpp:184

References BOTAN_UNUSED, get_a(), get_b(), get_p(), and Botan::hash_to_curve_sswu().

Referenced by hash_to_curve().

◆ hash_to_curve() [2/2]

EC_Point Botan::EC_Group::hash_to_curve ( std::string_view  hash_fn,
const uint8_t  input[],
size_t  input_len,
std::string_view  domain_sep,
bool  random_oracle = true 
) const

Hash onto the curve. For some curve types no mapping is currently available, in this case this function will throw an exception.

Parameters
hash_fnthe hash function to use (typically "SHA-256" or "SHA-512")
inputthe input to hash
input_lenlength of input in bytes
domain_sepa domain seperator
random_oracleif the mapped point must be uniform (use "true" here unless you know what you are doing)

Definition at line 591 of file ec_group.cpp.

595 {
596 return this->hash_to_curve(
597 hash_fn, input, input_len, reinterpret_cast<const uint8_t*>(domain.data()), domain.size(), random_oracle);
598}
Botan::EC_Group::hash_to_curve
EC_Point hash_to_curve(std::string_view hash_fn, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len, bool random_oracle=true) const
Definition: ec_group.cpp:600

References hash_to_curve().

◆ initialized()

bool Botan::EC_Group::initialized ( ) const
inline

Definition at line 341 of file ec_group.h.

341{ return (m_data != nullptr); }

◆ inverse_mod_order()

BigInt Botan::EC_Group::inverse_mod_order ( const BigInt x) const

Definition at line 523 of file ec_group.cpp.

523 {
524 return data().inverse_mod_order(x);
525}

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), and Botan::SM2_PrivateKey::SM2_PrivateKey().

◆ known_named_groups()

const std::set< std::string > & Botan::EC_Group::known_named_groups ( )
static

Return a set of known named EC groups

Definition at line 460 of file ec_named.cpp.

460 {
461 static const std::set<std::string> named_groups = {
462 "brainpool160r1",
463 "brainpool192r1",
464 "brainpool224r1",
465 "brainpool256r1",
466 "brainpool320r1",
467 "brainpool384r1",
468 "brainpool512r1",
469 "frp256v1",
470 "gost_256A",
471 "gost_512A",
472 "secp160k1",
473 "secp160r1",
474 "secp160r2",
475 "secp192k1",
476 "secp192r1",
477 "secp224k1",
478 "secp224r1",
479 "secp256k1",
480 "secp256r1",
481 "secp384r1",
482 "secp521r1",
483 "sm2p256v1",
484 "x962_p192v2",
485 "x962_p192v3",
486 "x962_p239v1",
487 "x962_p239v2",
488 "x962_p239v3",
489 };
490 return named_groups;
491}

◆ mod_order()

BigInt Botan::EC_Group::mod_order ( const BigInt x) const

Definition at line 507 of file ec_group.cpp.

507 {
508 return data().mod_order(k);
509}

◆ multiply_mod_order() [1/2]

BigInt Botan::EC_Group::multiply_mod_order ( const BigInt x,
const BigInt y 
) const

Definition at line 515 of file ec_group.cpp.

515 {
516 return data().multiply_mod_order(x, y);
517}

◆ multiply_mod_order() [2/2]

BigInt Botan::EC_Group::multiply_mod_order ( const BigInt x,
const BigInt y,
const BigInt z 
) const

Definition at line 519 of file ec_group.cpp.

519 {
520 return data().multiply_mod_order(x, y, z);
521}

◆ operator=() [1/2]

EC_Group & Botan::EC_Group::operator= ( const EC_Group )
default

◆ operator=() [2/2]

EC_Group & Botan::EC_Group::operator= ( EC_Group &&  )
default

◆ operator==()

bool Botan::EC_Group::operator== ( const EC_Group other) const

Definition at line 666 of file ec_group.cpp.

666 {
667 if(m_data == other.m_data) {
668 return true; // same shared rep
669 }
670
671 return (get_p() == other.get_p() && get_a() == other.get_a() && get_b() == other.get_b() &&
672 get_g_x() == other.get_g_x() && get_g_y() == other.get_g_y() && get_order() == other.get_order() &&
673 get_cofactor() == other.get_cofactor());
674}
Botan::EC_Group::get_g_y
const BigInt & get_g_y() const
Definition: ec_group.cpp:499
Botan::EC_Group::get_g_x
const BigInt & get_g_x() const
Definition: ec_group.cpp:495

References get_a(), get_b(), get_cofactor(), get_g_x(), get_g_y(), get_order(), and get_p().

◆ OS2ECP() [1/2]

EC_Point Botan::EC_Group::OS2ECP ( const uint8_t  bits[],
size_t  len 
) const

Definition at line 544 of file ec_group.cpp.

544 {
545 return Botan::OS2ECP(bits, len, data().curve());
546}
Botan::OS2ECP
EC_Point OS2ECP(const uint8_t data[], size_t data_len, const CurveGFp &curve)
Definition: ec_point.cpp:627

References Botan::OS2ECP().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), Botan::ECIES_Encryptor::ECIES_Encryptor(), and Botan::TLS::Callbacks::tls_ephemeral_key_agreement().

◆ OS2ECP() [2/2]

EC_Point Botan::EC_Group::OS2ECP ( std::span< const uint8_t >  encoded_point) const
inline

Definition at line 337 of file ec_group.h.

337 {
338 return this->OS2ECP(encoded_point.data(), encoded_point.size());
339 }
Botan::EC_Group::OS2ECP
EC_Point OS2ECP(const uint8_t bits[], size_t len) const
Definition: ec_group.cpp:544

References Botan::OS2ECP().

◆ PEM_encode()

std::string Botan::EC_Group::PEM_encode ( ) const

Return the PEM encoding (always in explicit form)

Returns
string containing PEM data

Definition at line 661 of file ec_group.cpp.

661 {
662 const std::vector<uint8_t> der = DER_encode(EC_Group_Encoding::Explicit);
663 return PEM_Code::encode(der, "EC PARAMETERS");
664}
Botan::EC_Group::DER_encode
std::vector< uint8_t > DER_encode(EC_Group_Encoding form) const
Definition: ec_group.cpp:621

References DER_encode(), Botan::PEM_Code::encode(), and Botan::Explicit.

◆ point()

EC_Point Botan::EC_Group::point ( const BigInt x,
const BigInt y 
) const

Return a point on this curve with the affine values x, y

Definition at line 548 of file ec_group.cpp.

548 {
549 // TODO: randomize the representation?
550 return EC_Point(data().curve(), x, y);
551}

Referenced by blinded_var_point_multiply(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), and verify_public_element().

◆ point_multiply()

EC_Point Botan::EC_Group::point_multiply ( const BigInt x,
const EC_Point pt,
const BigInt y 
) const

Multi exponentiate. Not constant time.

Returns
base_point*x + pt*y

Definition at line 553 of file ec_group.cpp.

553 {
554 EC_Point_Multi_Point_Precompute xy_mul(get_base_point(), pt);
555 return xy_mul.multi_exp(x, y);
556}

References get_base_point(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().

◆ point_size()

size_t Botan::EC_Group::point_size ( EC_Point_Format  format) const

Definition at line 535 of file ec_group.cpp.

535 {
536 // Hybrid and standard format are (x,y), compressed is y, +1 format byte
537 if(format == EC_Point_Format::Compressed) {
538 return (1 + get_p_bytes());
539 } else {
540 return (1 + 2 * get_p_bytes());
541 }
542}

References Botan::Compressed, and get_p_bytes().

◆ random_scalar()

BigInt Botan::EC_Group::random_scalar ( RandomNumberGenerator rng) const

Return a random scalar ie an integer in [1,order)

Definition at line 575 of file ec_group.cpp.

575 {
576 return BigInt::random_integer(rng, BigInt::one(), get_order());
577}
Botan::BigInt::random_integer
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:43
Botan::BigInt::one
static BigInt one()
Definition: bigint.h:49

References get_order(), Botan::BigInt::one(), and Botan::BigInt::random_integer().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey().

◆ source()

EC_Group_Source Botan::EC_Group::source ( ) const

Definition at line 531 of file ec_group.cpp.

531 {
532 return data().source();
533}

Referenced by verify_group().

◆ square_mod_order()

BigInt Botan::EC_Group::square_mod_order ( const BigInt x) const

Definition at line 511 of file ec_group.cpp.

511 {
512 return data().square_mod_order(x);
513}

◆ verify_group()

bool Botan::EC_Group::verify_group ( RandomNumberGenerator rng,
bool  strong = false 
) const

Verify EC_Group domain

Returns
true if group is valid. false otherwise

Definition at line 701 of file ec_group.cpp.

701 {
702 const bool is_builtin = source() == EC_Group_Source::Builtin;
703
704 if(is_builtin && !strong) {
705 return true;
706 }
707
708 const BigInt& p = get_p();
709 const BigInt& a = get_a();
710 const BigInt& b = get_b();
711 const BigInt& order = get_order();
712 const EC_Point& base_point = get_base_point();
713
714 if(p <= 3 || order <= 0) {
715 return false;
716 }
717 if(a < 0 || a >= p) {
718 return false;
719 }
720 if(b <= 0 || b >= p) {
721 return false;
722 }
723
724 const size_t test_prob = 128;
725 const bool is_randomly_generated = is_builtin;
726
727 //check if field modulus is prime
728 if(!is_prime(p, rng, test_prob, is_randomly_generated)) {
729 return false;
730 }
731
732 //check if order is prime
733 if(!is_prime(order, rng, test_prob, is_randomly_generated)) {
734 return false;
735 }
736
737 //compute the discriminant: 4*a^3 + 27*b^2 which must be nonzero
738 const Modular_Reducer mod_p(p);
739
740 const BigInt discriminant = mod_p.reduce(mod_p.multiply(4, mod_p.cube(a)) + mod_p.multiply(27, mod_p.square(b)));
741
742 if(discriminant == 0) {
743 return false;
744 }
745
746 //check for valid cofactor
747 if(get_cofactor() < 1) {
748 return false;
749 }
750
751 //check if the base point is on the curve
752 if(!base_point.on_the_curve()) {
753 return false;
754 }
755 if((base_point * get_cofactor()).is_zero()) {
756 return false;
757 }
758 //check if order of the base point is correct
759 if(!(base_point * order).is_zero()) {
760 return false;
761 }
762
763 return true;
764}
Botan::EC_Group::source
EC_Group_Source source() const
Definition: ec_group.cpp:531
Botan::is_prime
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:362

References Botan::Builtin, Botan::Modular_Reducer::cube(), get_a(), get_b(), get_base_point(), get_cofactor(), get_order(), get_p(), Botan::is_prime(), Botan::Modular_Reducer::multiply(), Botan::EC_Point::on_the_curve(), Botan::Modular_Reducer::reduce(), source(), and Botan::Modular_Reducer::square().

Referenced by Botan::EC_PublicKey::check_key().

◆ verify_public_element()

bool Botan::EC_Group::verify_public_element ( const EC_Point y) const

Check if y is a plausible point on the curve

In particular, checks that it is a point on the curve, not infinity, and that it has order matching the group.

Definition at line 676 of file ec_group.cpp.

676 {
677 //check that public point is not at infinity
678 if(point.is_zero()) {
679 return false;
680 }
681
682 //check that public point is on the curve
683 if(point.on_the_curve() == false) {
684 return false;
685 }
686
687 //check that public point has order q
688 if((point * get_order()).is_zero() == false) {
689 return false;
690 }
691
692 if(get_cofactor() > 1) {
693 if((point * get_cofactor()).is_zero()) {
694 return false;
695 }
696 }
697
698 return true;
699}
Botan::EC_Point::is_zero
bool is_zero() const
Definition: ec_point.h:175
Botan::EC_Point::on_the_curve
bool on_the_curve() const
Definition: ec_point.cpp:510

References get_cofactor(), get_order(), Botan::EC_Point::is_zero(), Botan::EC_Point::on_the_curve(), and point().

Referenced by Botan::EC_PublicKey::check_key().

◆ zero_point()

EC_Point Botan::EC_Group::zero_point ( ) const

Return the zero (or infinite) point on this curve

Definition at line 587 of file ec_group.cpp.

587 {
588 return EC_Point(data().curve());
589}
The documentation for this class was generated from the following files:
Generated by doxygen 1.9.6