OpenSSL

Version: 3.1.4
Repository: https://github.com/openssl/openssl
Docs: https://www.openssl.org/docs/

Primitives

ECDH, ECDSA on standard and custom curves. x25519, x448 and Ed25519, Ed448. Also SM2 specific methods.

The ladder methods have coordinate randomization and fix scalar bit-length.

Has several EC_METHODs.

  • EC_GFp_simple_method

  • EC_GFp_mont_method

  • EC_GFp_nist_method

  • EC_GFp_nistp224_method

  • EC_GFp_nistp256_method

  • EC_GFp_nistz256_method

  • EC_GFp_nistp521_method

ossl_ec_GFp_simple_ladder_pre:

  • Short-Weierstrass

  • xz

  • dbl-2002-it-2

ossl_ec_GFp_simple_ladder_step:

  • Short-Weierstrass

  • xz

  • mladd-2002-it-4

ossl_ec_GFp_simple_ladder_post:

  • Short-Weierstrass

  • xz to y-recovery

ECDH

KeyGen:

  • Short-Weierstrass

  • ? via EVP_EC_gen -> EVP_PKEY_Q_keygen -> evp_pkey_keygen -> EVP_PKEY_generate -> evp_keymgmt_util_gen -> evp_keymgmt_gen -> EC_KEYMGMT.gen -> ec_gen -> EC_KEY_generate_key -> ec_method.keygen  -> ossl_ec_key_simple_generate_key -> EC_POINT_mul(k, G, NULL, NULL) all methods then either ec_method.mul or ossl_ec_wNAF_mul

    • EC_GFp_simple_method -> ossl_ec_wNAF_mul -> ossl_ec_scalar_mul_ladder (Lopez-Dahab ladder) for [k]G and [k]P. Otherwise multi-scalar wNAF with interleaving?

    • EC_GFp_mont_method -> ossl_ec_wNAF_mul -> ossl_ec_scalar_mul_ladder (Lopez-Dahab ladder) for [k]G and [k]P. Otherwise multi-scalar wNAF with interleaving?

    • EC_GFp_nist_method -> ossl_ec_wNAF_mul -> ossl_ec_scalar_mul_ladder (Lopez-Dahab ladder) for [k]G and [k]P. Otherwise multi-scalar wNAF with interleaving?

      • ec_point_ladder_pre -> ec_method.ladder_pre or EC_POINT_dbl

      • ec_point_ladder_step -> ec_method.ladder_step or EC_POINT_add + EC_POINT_dbl

      • ec_point_ladder_post -> ec_method.ladder_post

      • the methods all use ossl_ec_GFp_simple_ladder_* functions as ladder_*.

    • EC_GFp_nistp224_method -> ossl_ec_GFp_nistp224_points_mul -> Comb for generator, (signed, Booth) Fixed Window (width = 5) for other points.

    • EC_GFp_nistp256_method -> ossl_ec_GFp_nistp256_points_mul -> Comb for generator, (signed, Booth) Fixed Window (width = 5) for other points.

    • EC_GFp_nistz256_method -> ecp_nistz256_points_mul -> (signed, Booth) Fixed Window (width = 7) with full precomputation from [SG14].

    • EC_GFp_nistp521_method -> ossl_ec_GFp_nistp521_points_mul -> Comb for generator, (signed, Booth) Fixed Window (width = 5) for other points.

  • Jacobian (or Jacobian-3 for NIST)

  • Formulas:

    • EC_GFp_simple_method -> LibreSSL add and LibreSSL dbl

    • EC_GFp_mont_method -> LibreSSL add and LibreSSL dbl

    • EC_GFp_nist_method -> LibreSSL add and LibreSSL dbl

    • EC_GFp_nistp224_method -> BoringSSL P-224 add and dbl

    • EC_GFp_nistp256_method -> add-2007-bl, dbl-2001-b

    • EC_GFp_nistz256_method -> Unknown: add-openssl-z256, add-openssl-z256a

    • EC_GFp_nistp521_method -> add-2007-bl, dbl-2001-b

Derive:
  • Same as KeyGen, except for:

    • nistp{224,256,521} methods, where the Fixed Window branch of the scalar multiplier is taken,

    • nistz256 where a (signed, Booth) Fixed Window (width = 5) is taken.

ECDSA

KeyGen:

  • Same as ECDH.

Sign:

  • Same as KeyGen.

Verify:

  • Short-Weierstrass

  • EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method: Interleaved multi-scalar wNAF via ec_method.verify_sig -> ossl_ecdsa_simple_verify_sig -> EC_POINT_mul -> ossl_ec_wNAF_mul.

  • EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method: Interleaved Comb for G and (signed, Booth) Fixed Window (width = 5) for other point.

  • EC_GFp_nistz256_method: Same as KeyGen for G and same as ECDH Derive for other point.

x25519

Taken from ref10 of Ed25519. See BoringSSL.

KeyGen:

  • Twisted-Edwards

  • Pippenger via ossl_x25519_public_from_private -> ge_scalarmult_base.

  • Mixes coordinate models:

    ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
ge_precomp (Duif): (y+x,y-x,2dxy)
Derive:

  • Montgomery

  • Montgomery ladder via ossl_x25519 -> x25519_scalar_mult

  • xz coords

  • Unknown ladder formula: ladd-openssl-x25519

Ed25519

Taken from ref10 of Ed25519. See BoringSSL.

KeyGen:

  • Same as x25519 KeyGen via ossl_ed25519_public_from_private -> ge_scalarmult_base.

Sign:

  • Same as x25519 KeyGen via ossl_ed25519_sign -> ge_scalarmult_base.

Verify:

  • Sliding window (signed) with interleaving? via ossl_ed25519_verify -> ge_double_scalarmult_vartime.

  • Otherwise same mixed coordinates and formulas.