LibreSSL¶

Version: v3.8.2
Repository: https://github.com/libressl/portable
Docs:

Primitives¶

Supports ECDH, ECDSA as well as x25519 and Ed25519.

KeyGen:

Short-Weierstrass
Simple Ladder via kmethod.keygen -> ec_key_gen -> EC_POINT_mul -> method.mul_generator_ct -> ec_GFp_simple_mul_generator_ct -> ec_GFp_simple_mul_ct. Also does coordinate blinding and fixes scalar bit-length.
Jacobian coordinates.
Unknown formulas: add-libressl-v382, dbl-libressl-v382

Derive:

Short-Weierstrass
Simple Ladder via kmethod.compute_key -> ecdh_compute_key -> EC_POINT_mul -> method.mul_single_ct -> ec_GFp_simple_mul_single_ct -> ec_GFp_simple_mul_ct. Also does coordinate blinding and fixes scalar bit-length.
Same as KeyGen.

KeyGen:

Sign:

Short-Weierstrass
Simple Ladder via ECDSA_sign -> kmethod.sign -> ecdsa_sign -> ECDSA_do_sign -> kmethod.sign_sig -> ecdsa_sign_sig -> ECDSA_sign_setup -> kmethod.sign_setup -> ecdsa_sign_setup -> EC_POINT_mul -> method.mul_generator_ct -> ec_GFp_simple_mul_generator_ct -> ec_GFp_simple_mul_ct.
Same as ECDH.

Verify:

Short-Weierstrass
Window NAF interleaving multi-exponentiation method ECDSA_verify -> kmethod.verify -> ecdsa_verify -> ECDSA_do_verify -> kmethod.verify_sig -> ecdsa_verify_sig -> EC_POINT_mul -> method.mul_double_nonct -> ec_GFp_simple_mul_double_nonct -> ec_wNAF_mul. Refers to http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp and https://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp
Same coordinates and formulas as ECDH.

Based on ref10 of Ed25519. See BoringSSL. Not exactly the same.

Based on ref10 of Ed25519. See BoringSSL. Not exactly the same.