BouncyCastle
============

| Version: ``1.76`` (tag r1rv76)
| Repository: https://github.com/bcgit/bc-java/
| Docs: https://bouncycastle.org/docs/docs1.8on/index.html

Primitives
----------

Supports short-Weierstrass curves for the usual (ECDSA, ECDH).
Supports X25519, Ed25519.
Also more exotic stuff like ECMQV, GOST key exchange and signatures and lots of others.

Lots of scalarmults available:

- Comb (w=6 for > 250 bits else w=5)
- GLV
- Window NAF L2R
- Window "tau" NAF

Several coordinate systems supported:

- Affine
- Projective (Homogeneous)
- Jacobian
- Jacobian-Chudnovsky
- Jacobian-Modified
- Lambda-Affine? (binary-field curves only)
- Lambda-Projective? (binary-field curves only)
- Skewed? (binary-field curves only)

Some curve-custom code in:
https://github.com/bcgit/bc-java/tree/r1rv76/core/src/main/java/org/bouncycastle/math/ec/custom/sec
Specifically, fast-prime modular reduction for SECG curves, and (weirdly) a short-Weierstrass implementation of Curve25519.

Ed25519 based on Mike Hamburg's work.

ECDH
^^^^

KeyGen:

- Short-Weierstrass
- Comb via ``ECKeyPairGenerator.generateKeyPair -> ECKeyPairGenerator.createBasePointMultiplier``.
- Jacobian-Modified via ``ECCurve.FP_DEFAULT_COORDS``.
  SECP curves use Jacobian, SECT curves use Lambda-Projective.
- Formulas unknown: ``add-bc-r1rv76-jac``, ``dbl-bc-r1rv76-jac``, ``add-bc-r1rv76-mod``, ``dbl-bc-r1rv76-mod``

Derive:

- Short-Weierstrass
- GLV if possible, else Window NAF via ``ECDHBasicAgreement.calculateAgreement -> ECPoint.multiply -> ECCurve.getMultiplier -> ECCurve.createDefaultMultiplier``.
- Jacobian-Modified via ``ECCurve.FP_DEFAULT_COORDS``.
  SECP curves use Jacobian, SECT curves use Lambda-Projective.
- Formulas same as KeyGen.

ECDSA
^^^^^

KeyGen:

- Short-Weierstrass
- Comb via ``ECKeyPairGenerator.generateKeyPair -> ECKeyPairGenerator.createBasePointMultiplier``.
- Jacobian-Modified via ``ECCurve.FP_DEFAULT_COORDS``.
  SECP curves use Jacobian, SECT curves use Lambda-Projective.
- Formulas same as KeyGen.

Sign:

- Short-Weierstrass
- Comb via ``ECDSASigner.generateSignature -> ECDSASigner.createBasePointMultiplier``.
- Jacobian-Modified via ``ECCurve.FP_DEFAULT_COORDS``.
  SECP curves use Jacobian, SECT curves use Lambda-Projective.
- Formulas same as KeyGen.

Verify:

- Short-Weierstrass
- Multi-scalar GLV if possible, else multi-scalar Window NAF with Shamir's trick via ``ECDSASigner.verifySignature -> ECAlgorithms.sumOfTwoMultiples``.
- Jacobian-Modified via ``ECCurve.FP_DEFAULT_COORDS``.
  SECP curves use Jacobian, SECT curves use Lambda-Projective.
- Formulas same as KeyGen.

X25519
^^^^^^

KeyGen:

- Twisted-Edwards
- Comb via ``X25519.generatePublicKey -> X25519.scalarMultBase -> Ed25519.scalarMultBaseYZ -> Ed25519.scalarMultBase``.
- Many coordinate systems: Extended, half-Niels, affine.
- Some HWCD formulas are used.

Derive:

- Montgomery
- Ladder via ``X25519.calculateAgreement -> X25519.scalarMult``.
- xz.
- Unknown formulas: ``ladd-bc-r1rv76-x25519``, ``dbl-bc-r1rv76-x25519``.
  Code: dbl and ladd

Ed25519
^^^^^^^

KeyGen:

- Twisted-Edwards
- Comb via ``Ed25519.generatePublicKey -> Ed25519.scalarMultBaseEncoded -> Ed25519.scalarMultBase``.
- Many coordinate systems: Extended, half-Niels, affine.
- Some HWCD formulas are used.

Sign:

- Twisted-Edwards
- Comb via ``Ed25519.sign -> Ed25519.implSign -> Ed25519.scalarMultBaseEncoded -> Ed25519.scalarMultBase``.
- Many coordinate systems: Extended, half-Niels, affine.
- Some HWCD formulas are used.

Verify:

- Twisted-Edwards
- Multi-scalar Window-NAF with Straus's trick via ``Ed25519.verify -> Ed25519.implVerify -> Ed25519.scalarMultStraus128Var``.
- Many coordinate systems: Extended, half-Niels, affine.
- Some HWCD formulas are used.
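
The multi-scalar Window NAF with Shamir's trick listed under ECDSA Verify, as an added Python example that is not BouncyCastle code: it computes k*P + l*Q over a single shared doubling chain and checks the result against plain double-and-add. The toy curve over F_17 (base point of order 19), the affine arithmetic, the fixed width ``w=3`` and every function name here are assumptions of this example; BouncyCastle uses the coordinate systems and window sizes listed above.

```python
P_MOD, A, G = 17, 2, (5, 1)  # constructed toy curve y^2 = x^3 + 2x + 2 over F_17

def neg(p):
    return None if p is None else (p[0], -p[1] % P_MOD)

def add(p, q):  # affine addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p == q else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(p, k):  # plain double-and-add, used only as the reference result
    acc = None
    for bit in bin(k)[2:]:
        acc = add(add(acc, acc), p if bit == "1" else None)
    return acc

def wnaf(k, w):  # width-w NAF digits of k >= 0, least significant first
    digits = []
    while k > 0:
        d = k % (1 << w) if k & 1 else 0   # odd k: take the low w bits
        if d >= 1 << (w - 1):              # map into (-2^(w-1), 2^(w-1))
            d -= 1 << w
        digits.append(d)
        k = (k - d) >> 1                   # for odd k, k - d is divisible by 2^w
    return digits

def odd_multiples(p, w):  # table {1: P, 3: 3P, ...} up to (2^(w-1) - 1)P
    table, two_p = {1: p}, add(p, p)
    for d in range(3, 1 << (w - 1), 2):
        table[d] = add(table[d - 2], two_p)
    return table

def sum_of_two_multiples(p, k, q, l, w=3):
    """k*P + l*Q over one shared doubling chain (Shamir's trick on wNAF digits)."""
    terms = [(wnaf(k, w), odd_multiples(p, w)), (wnaf(l, w), odd_multiples(q, w))]
    acc = None
    for i in reversed(range(max(len(digits) for digits, _ in terms))):
        acc = add(acc, acc)                       # one doubling serves both scalars
        for digits, table in terms:
            d = digits[i] if i < len(digits) else 0
            if d:
                acc = add(acc, table[d] if d > 0 else neg(table[-d]))
    return acc
```

Which additions run depends on the digits of both scalars; on the page this routine is listed only for ECDSA verification, where both scalars are derived from the public signature and message hash.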