Botan

Version: 3.2.0 (tag 3.2.0)

Repository: https://github.com/randombit/botan/

Docs: https://botan.randombit.net/handbook/

Primitives

Has coordinate and scalar blinding,

ECDH

KeyGen:

• Short-Weierstrass

• Fixed Window with FullPrecomputation (no doublings) (w=3), via blinded_base_point_multiply -> EC_Point_Base_Point_Precompute::mul.

• Jacobian

• add-1998-cmo-2

Derive:

• Short-Weierstrass

• Fixed Window (w=4) via blinded_var_point_multiply -> EC_Point_Var_Point_Precompute::mul.

• Jacobian

• add-1998-cmo-2, dbl-1986-cc

ECDSA

KeyGen:

• Short-Weierstrass

• Fixed Window with FullPrecomputation (no doublings) (w=3), via blinded_base_point_multiply -> EC_Point_Base_Point_Precompute::mul.

• Jacobian

• add-1998-cmo-2

Sign:

• Short-Weierstrass

• Fixed Window with FullPrecomputation (no doublings) (w=3), via blinded_base_point_multiply -> EC_Point_Base_Point_Precompute::mul.

• Jacobian

• add-1998-cmo-2

Verify:

• Short-Weierstrass

• Multi-scalar (interleaved) fixed-window via ECDSA::verify -> EC_Point_Multi_Point_Precompute::multi_exp.

• Jacobian

• add-1998-cmo-2, dbl-1986-cc

X25519

Based on curve25519_donna.

• Montgomery

• Montgomery ladder (unrolled several iterations)

• xz

• Unknown formula: ladd-botan-x25519

Ed25519

Based on ref10 of Ed25519. See BoringSSL.