BouncyCastle

Version: 1.76 (tag r1rv76)

Repository: https://github.com/bcgit/bc-java/

Docs: https://bouncycastle.org/docs/docs1.8on/index.html

Primitives

Supports short-Weierstrass curves for the usual (ECDSA, ECDH). Supports X25519, Ed25519. Also more exotic stuff like ECMQV, GOST key exchange and signatures and lots of others.

Lots of scalarmults available:

• Comb (w=6 for > 250 bits else w=5)

• GLV

• Window NAF L2R

• Window “tau” NAF

Several coordinate systems supported:

• Affine

• Projective (Homogenous)

• Jaobian

• Jacobian-Chudnovsky

• Jacobian-Modified

• Lambda-Affine? (binary-field curves only)

• Lambda-Projective? (binary-field curves only)

• Skewed? (binary-field curves only)

Some curve-custom code in: https://github.com/bcgit/bc-java/tree/r1rv76/core/src/main/java/org/bouncycastle/math/ec/custom/sec Specifically, fast-prime modular reduction for SECG curves, and (weirdly) a short-Weierstrass implementation of Curve25519.

Ed25519 based on Mike Hamburg’s work.

ECDH

KeyGen:

• Short-Weierstrass

• Comb via ECKeyPairGenerator.generateKeyPair -> ECKeyPairGenerator.createBasePointMultiplier.

• Jacobian-Modified via ECCurve.FP_DEFAULT_COORDS. SECP curves use Jacobian, SECT curves use Lambda-Projective.

• Formulas unknown: add-bc-r1rv76-jac, dbl-bc-r1rv76-jac, add-bc-r1rv76-mod, dbl-bc-r1rv76-mod

Derive:

• Short-Weierstrass

• GLV if possible, else Window NAF via ECDHBasicAgreement.calculateAgreement -> ECPoint.multiply -> ECCurve.getMultiplier -> ECCurve.createDefaultMultiplier.

• Jacobian-Modified via ECCurve.FP_DEFAULT_COORDS. SECP curves use Jacobian, SECT curves use Lambda-Projective.

• Formulas same as KeyGen.

ECDSA

KeyGen:

• Short-Weierstrass

• Comb via ECKeyPairGenerator.generateKeyPair -> ECKeyPairGenerator.createBasePointMultiplier.

• Jacobian-Modified via ECCurve.FP_DEFAULT_COORDS. SECP curves use Jacobian, SECT curves use Lambda-Projective.

• Formulas same as KeyGen.

Sign:

• Short-Weierstrass

• Comb via ECDSASigner.generateSignature -> ECDSASigner.createBasePointMultiplier.

• Jacobian-Modified via ECCurve.FP_DEFAULT_COORDS. SECP curves use Jacobian, SECT curves use Lambda-Projective.

• Formulas same as KeyGen.

Verify:

• Short-Weierstrass

• Multi-scalar GLV if possible, else multi-scalar Window NAF with Shamir’s trick via ECDSASigner.verifySignature -> ECAlgorithms.sumOfTwoMultiples.

• Jacobian-Modified via ECCurve.FP_DEFAULT_COORDS. SECP curves use Jacobian, SECT curves use Lambda-Projective.

• Formulas same as KeyGen.

X25519

KeyGen:

• Twisted-Edwards

• Comb via X25519.generatePublicKey -> X25519.scalarMultBase -> Ed25519.scalarMultBaseYZ -> Ed25519.scalarMultBase.

• Many coordinate systems: Extended, half-Niels, affine.

• Some HWCD formulas are used.

Derive:

• Montgomery

• Ladder via X25519.calculateAgreement -> X25519.scalarMult.

• xz.

• Unknown formulas: ladd-bc-r1rv76-x25519, dbl-bc-r1rv76-x25519. Code: dbl and ladd

Ed25519

KeyGen:

• Twisted-Edwards

• Comb via Ed25519.generatePublicKey -> Ed25519.scalarMultBaseEncoded -> Ed25519.scalarMultBase.

• Many coordinate systems: Extended, half-Niels, affine.

• Some HWCD formulas are used.

Sign:

• Twisted-Edwards

• Comb via Ed25519.sign -> Ed25519.implSign -> Ed25519.scalarMultBaseEncoded -> Ed25519.scalarMultBase.

• Many coordinate systems: Extended, half-Niels, affine.

• Some HWCD formulas are used.

Verify:

• Twisted-Edwards

• Multi-scalar Window-NAF with Straus’s trick via Ed25519.verify -> Ed25519.implVerify -> Ed25519.scalarMultStraus128Var.

• Many coordinate systems: Extended, half-Niels, affine.

• Some HWCD formulas are used.