### Install pyecsca-codegen from source Source: https://github.com/j08ny/pyecsca/blob/master/docs/installation.rst Installs the pyecsca-codegen package directly from its source repository. This method is preferred as the PyPI package is limited to x86_64 Linux. It requires 'make', a C compiler, and an ARM cross-compiler. ```shell pip install . ``` -------------------------------- ### Install pyecsca with specific extras Source: https://github.com/j08ny/pyecsca/blob/master/docs/installation.rst Installs the pyecsca core package with specified optional features, such as smartcard support and improved arithmetic using GMP. This command utilizes pip's extra installation feature. ```shell pip install pyecsca[smartcard,gmp] ``` -------------------------------- ### Install notebook dependencies Source: https://github.com/j08ny/pyecsca/blob/master/docs/installation.rst Installs additional requirements for the pyecsca notebooks. These dependencies are listed in the 'requirements.txt' file within the notebook repository. ```shell pip install -r requirements.txt ``` -------------------------------- ### X25519 Derive using Montgomery Ladder Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/boringssl.rst X25519 key derivation using a Montgomery ladder approach. The process starts with `X25519` and proceeds through `x25519_scalar_mult`, utilizing specific implementations like `x25519_NEON`, `x25519_scalar_mult_adx`, or `x25519_scalar_mult_generic`. This method involves 'xz' coordinates and references a formula from fiat-crypto. ```c X25519 -> x25519_scalar_mult -> x25519_NEON/x25519_scalar_mult_adx/x25519_scalar_mult_generic ``` -------------------------------- ### OpenSSL EC GFp Simple Method Point Addition/Doubling Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Utilizes LibreSSL's optimized formulas for point addition and point doubling within the EC_GFp_simple_method, employing Jacobian coordinates for efficient calculations. ```c LibreSSL add and LibreSSL dbl ``` -------------------------------- ### secp256k1 ECDH Key Generation Helper Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libsecp256k1.rst Illustrates the key generation process for ECDH using secp256k1, focusing on the use of fixed window precomputation and Jacobian coordinates for point multiplication. It references the `secp256k1_ecmult_gen` function and related helper functions. ```c secp256k1_ec_pubkey_create -> secp256k1_ec_pubkey_create_helper -> secp256k1_ecmult_gen ``` -------------------------------- ### LibreSSL ECDH Key Derivation (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libressl.rst Illustrates ECDH key derivation using LibreSSL's Short-Weierstrass curves with the Simple Ladder method. Similar to key generation, it incorporates coordinate blinding and scalar bit-length adjustments for security. ```c /* Based on openbsd/src/lib/libcrypto/ec/ecp_smpl.c */ // Function for key derivation using Simple Ladder method // kmethod.compute_key -> ecdh_compute_key -> EC_POINT_mul -> method.mul_single_ct -> ec_GFp_simple_mul_single_ct -> ec_GFp_simple_mul_ct int ecdh_compute_key_simple_ladder_ct(...) { // Implementation details... return 0; } ``` -------------------------------- ### secp256k1 ECDSA Signing Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libsecp256k1.rst Outlines the implementation flow for ECDSA signing in secp256k1, tracing the execution path from `secp256k1_ecdsa_sign` to `secp256k1_ecmult_gen`. ```c secp256k1_ecdsa_sign -> secp256k1_ecdsa_sign_inner -> secp256k1_ecdsa_sig_sign -> secp256k1_ecmult_gen ``` -------------------------------- ### LibreSSL ECDH Key Generation (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libressl.rst Demonstrates ECDH key generation using LibreSSL's Short-Weierstrass curves with the Simple Ladder method. It utilizes Jacobian coordinates and includes optimizations for coordinate blinding and scalar bit-length. ```c /* Based on openbsd/src/lib/libcrypto/ec/ecp_smpl.c */ // Function for key generation using Simple Ladder method // kmethod.keygen -> ec_key_gen -> EC_POINT_mul -> method.mul_generator_ct -> ec_GFp_simple_mul_generator_ct -> ec_GFp_simple_mul_ct void ec_key_gen_simple_ladder_ct(...) { // Implementation details... } ``` -------------------------------- ### OpenSSL EC GFp Simple Ladder Pre Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Implements the pre-computation step for the Lopez-Dahab scalar multiplication ladder method on short Weierstrass curves using simple field arithmetic. It handles coordinate randomization and fixes scalar bit length. ```c ossl_ec_GFp_simple_ladder_pre ``` -------------------------------- ### libtomcrypt ECDSA Key Generation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libtomcrypt.rst Illustrates ECDSA key generation using libtomcrypt, which reuses the same methods as ECDH key generation. ```c /* Example of ECDSA key generation (conceptual) */ /* Depends on libtomcrypt library */ /* Input: ECC curve parameters */ /* Output: Public and Private keys */ // Same methods as ECDH key generation: ecc_make_key -> ecc_make_key_ex. ``` -------------------------------- ### P-384 Key Generation and Operations using ECCkiila Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/nss.rst Describes the P-384 implementation in NSS, leveraging ECCkiila. It covers key generation using Comb methods, derivation using Regular Window NAF (width 5), and verification using Interleaved multi-scalar window NAF with Shamir's trick. Projective-3 coordinates and specific formulas are noted. ```c // KeyGen for P-384 (ECCkiila) // Uses Short-Weierstrass curve, Comb method // Projective-3 coordinates // Formulas: dbl-2015-rcb-3, madd-2015-rcb-3, add-2015-rcb (point_add_proj) // Calls: EC_NewKeyFromSeed -> ec_NewKey -> ec_points_mul -> ECPoints_mul -> ecgroup.points_mul -> point_mul_two_secp384r1_wrap -> point_mul_g_secp384r1_wrap -> point_mul_g_secp384r1 -> fixed_smul_cmb // Derive for P-384 (ECCkiila) // Uses Short-Weierstrass curve, Regular Window NAF (width = 5) // Projective-3 coordinates // Formulas: dbl-2015-rcb-3, add-2015-rcb // Calls: ECDH_Derive -> ec_points_mul -> ECPoints_mul -> ecgroup.points_mul -> point_mul_secp384r1_wrap -> point_mul_secp384r1 -> var_smul_rwnaf // Verify for P-384 (ECCkiila) // Uses Short-Weierstrass curve, Interleaved multi-scalar window NAF (width = 5) with Shamir's trick // Projective-3 coordinates // Formulas: dbl-2015-rcb-3, madd-2015-rcb-3, add-2015-rcb (point_add_proj) // Calls: ECDSA_SignDigest -> ECDSA_SignDigestWithSeed -> ec_SignDigestWithSeed -> ec_points_mul -> ECPoints_mul -> ecgroup.points_mul -> point_mul_two_secp384r1_wrap -> point_mul_two_secp384r1 -> var_smul_wnaf_two ``` -------------------------------- ### secp256k1 ECDH Key Derivation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libsecp256k1.rst Details the key derivation process for ECDH in secp256k1, employing GLV decomposition and interleaving with width-5 NAFs. It highlights the use of `secp256k1_ecmult_const` and notes the similarity in addition methods to key generation. ```c secp256k1_ecdh -> secp256k1_ecmult_const ``` -------------------------------- ### Botan X25519: ladd-botan-x25519 Formula Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst References an external formula `ladd-botan-x25519.op3` for X25519, suggesting a specific or custom implementation detail related to addition in the Montgomery domain. ```text lambda ladd-botan-x25519(x1, y1, x2, y2, p) = ... // Custom formula for X25519 addition ``` -------------------------------- ### LibreSSL ECDSA Signing (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libressl.rst Details the ECDSA signing process in LibreSSL, leveraging Short-Weierstrass curves and the Simple Ladder method. It follows a chain of function calls for signature generation. ```c /* Based on openbsd/src/lib/libcrypto/ec/ecp_smpl.c */ // Function for ECDSA signing using Simple Ladder method // ECDSA_sign -> kmethod.sign -> ecdsa_sign -> ECDSA_do_sign -> kmethod.sign_sig -> ecdsa_sign_sig -> ECDSA_sign_setup -> kmethod.sign_setup -> ecdsa_sign_setup -> EC_POINT_mul -> method.mul_generator_ct -> ec_GFp_simple_mul_generator_ct -> ec_GFp_simple_mul_ct int ECDSA_sign_simple_ladder(...) { // Implementation details... return 0; } ``` -------------------------------- ### Botan ECDH KeyGen: Fixed Window Point Multiplication Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Details the KeyGen functionality for ECDH using Short-Weierstrass curves with a Fixed Window (w=3) strategy and full precomputation, avoiding doublings. It utilizes `blinded_base_point_multiply` and `EC_Point_Base_Point_Precompute::mul`. ```c++ #include #include // Example usage (conceptual): // Botan::EC_Group ec_group("secp256r1"); // Botan::EC_PrivateKey private_key(ec_group); // private_key.generate(); ``` -------------------------------- ### OpenSSL EC GFp Simple Ladder Post Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Implements the post-computation step for the Lopez-Dahab scalar multiplication ladder method on short Weierstrass curves, converting the result from xz coordinates to y-recovery. It uses simple field arithmetic. ```c ossl_ec_GFp_simple_ladder_post ``` -------------------------------- ### secp256k1 ECDSA Verification Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libsecp256k1.rst Describes the implementation of ECDSA verification in secp256k1, detailing the splitting of scalars using GLV and interleaving with width-5 NAFs. It references `secp256k1_ecmult_strauss_wnaf` for the core multiplication. ```c secp256k1_ecdsa_verify -> secp256k1_ecdsa_sig_verify -> secp256k1_ecmult -> secp256k1_ecmult_strauss_wnaf ``` -------------------------------- ### x25519 Key Generation using Pippenger Algorithm Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Describes the key generation process for x25519 using the Pippenger algorithm, which relies on `ossl_x25519_public_from_private`. It involves mixing different coordinate models: ge_p2 (projective), ge_p3 (extended), ge_p1p1 (completed), and ge_precomp (Duif). ```text KeyGen: - Twisted-Edwards - Pippenger via ``ossl_x25519_public_from_private -> ge_scalarmult_base``. - Mixes coordinate models:: ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T ge_precomp (Duif): (y+x,y-x,2dxy) ``` -------------------------------- ### Ed25519 Signing Process Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Describes the signing process for Ed25519, which is the same as x25519 key generation, employing `ossl_ed25519_sign` and `ge_scalarmult_base`. ```text Sign: - Same as x25519 KeyGen via ``ossl_ed25519_sign -> ge_scalarmult_base``. ``` -------------------------------- ### OpenSSL EC GFp Simple Ladder Step Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Implements the step computation for the Lopez-Dahab scalar multiplication ladder method on short Weierstrass curves using simple field arithmetic. It includes coordinate randomization and fixed scalar bit length. ```c ossl_ec_GFp_simple_ladder_step ``` -------------------------------- ### ECDH Formula Sources Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/sunec.rst References the specific files containing the formulas for addition and doubling operations used in ECDH, specifically for the SunEC version 21. These formulas are crucial for the point multiplication process. ```Op3 add-sunec-v21.op3 ``` ```Op3 dbl-sunec-v21.op3 ``` -------------------------------- ### OpenSSL ECDSA Simple Verify Signature Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Performs signature verification for ECDSA using the EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. It employs interleaved multi-scalar wNAF via EC_POINT_mul and ossl_ec_wNAF_mul. ```c ossl_ecdsa_simple_verify_sig ``` -------------------------------- ### x25519 Key Derivation using Montgomery Ladder Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Details the key derivation process for x25519 using the Montgomery ladder algorithm, referencing `ossl_x25519` and `x25519_scalar_mult`. This method utilizes xz coordinates and an unknown ladder formula specified in `ladd-openssl-x25519.op3`. ```text Derive: - Montgomery - Montgomery ladder via ``ossl_x25519 -> x25519_scalar_mult`` - xz coords - Unknown ladder formula: `ladd-openssl-x25519 `__ ``` -------------------------------- ### libtomcrypt ECDH Key Generation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libtomcrypt.rst Demonstrates ECDH key generation using libtomcrypt. It supports various curves and utilizes methods like 'simple ladder' and 'jacobian' for point multiplication. ```c /* Example of ECDH key generation (conceptual) */ /* Depends on libtomcrypt library */ /* Input: ECC curve parameters */ /* Output: Public and Private keys */ // ecc_make_key -> ecc_make_key_ex -> ecc_ptmul -> ltc_ecc_mulmod_timing // Supports Short-Weierstrass and other curves. // Uses 'simple ladder' and jacobian coordinates with specific add/double point algorithms. ``` -------------------------------- ### ECDSA Signing with fastecdsa Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/fastecdsa.rst Illustrates how to sign a message using ECDSA with the fastecdsa library. This process involves using the private key and a specified curve, with optimizations applied during the signing operation. ```python from fastecdsa.keys import gen_keypair from fastecdsa.message import Message from fastecdsa.signature import Signature # Generate a key pair pub_key, priv_key = gen_keypair(curve='SECP256k1') # Create a message to sign message_text = "This is a message to be signed." msg = Message(message_text.encode('utf-8')) # Sign the message signature: Signature = priv_key.sign(msg) print("Signature (r, s):", signature.r, signature.s) ``` -------------------------------- ### Botan ECDSA KeyGen: Fixed Window Point Multiplication Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Specifies ECDSA KeyGen for Short-Weierstrass curves using Fixed Window (w=3) with full precomputation and no doublings. It leverages `blinded_base_point_multiply` and `EC_Point_Base_Point_Precompute::mul`. ```c++ #include #include // Example usage (conceptual): // Botan::ECDSA_PrivateKey private_key(Botan::EC_Group("secp256r1")); // private_key.generate(); ``` -------------------------------- ### secp256k1 ECDSA Verification Addition Formula Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libsecp256k1.rst Provides the mathematical formulas used for point addition during ECDSA verification in secp256k1. It describes the transformation of Jacobian coordinates to an isomorphic curve and the subsequent addition steps. ```mathematica assume iZ2 = 1/Z2 az = Z_1*iZ2 Z12 = az^2 u1 = X1 u2 = X2*Z12 s1 = Y1 s2 = Y2*Z12 s2 = s2*az h = -u1 h = h+u2 i = -s2 i = i+s1 Z3 = Z1*h h2 = h^2 h2 = -h2 h3 = h2*h t = u1*h2 X3 = i^2 X3 = X3+h3 X3 = X3+t X3 = X3+t t = t+X3 Y3 = t*i h3 = h3*s1 Y3 = Y3+h3 ``` -------------------------------- ### libtomcrypt ECDSA Signature Verification Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libtomcrypt.rst Explains how to verify an ECDSA signature using libtomcrypt. It employs techniques like Shamir's trick for efficient verification. ```c /* Example of ECDSA signature verification (conceptual) */ /* Depends on libtomcrypt library */ /* Input: Hash, Signature, Public key */ /* Output: Verification result (true/false) */ // ecc_verify_hash -> _ecc_verify_hash -> ecc_mul2add or two separate sliding windows. // Uses Shamir's trick for verification, employing the same coordinates and formulas as key generation. ``` -------------------------------- ### LibreSSL ECDSA Verification (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libressl.rst Explains ECDSA verification in LibreSSL, using Short-Weierstrass curves with a Window NAF interleaving multi-exponentiation method. This method is efficient for verifying signatures. ```c /* Based on openbsd/src/lib/libcrypto/ec/ecp_smpl.c */ // Function for ECDSA verification using Window NAF interleaving multi-exponentiation // ECDSA_verify -> kmethod.verify -> ecdsa_verify -> ECDSA_do_verify -> kmethod.verify_sig -> ecdsa_verify_sig -> EC_POINT_mul -> method.mul_double_nonct -> ec_GFp_simple_mul_double_nonct -> ec_wNAF_mul int ECDSA_verify_window_naf(...) { // Implementation details... return 0; } ``` -------------------------------- ### ECDH Key Generation using Ladder (coZ) in C Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/micro_ecc.rst Implements ECDH key generation using the Ladder algorithm with coZ coordinates. This method is based on specific formulas from an external paper and includes coordinate randomization. The core functionality is found in `uECC_make_key`, `EccPoint_compute_public_key`, and `EccPoint_mult`. ```C /* ... uECC.c ... */ // Function for key generation using Ladder (coZ) // void uECC_make_key(uint8_t public_key[ECCKEYSIZE], uint8_t private_key[ECCKEYSIZE]); // Internal function to compute public key from private key // EccPoint_compute_public_key(EccPoint* p, const EccPoint* k); // Point multiplication using Ladder algorithm // EccPoint_mult(EccPoint* p, const EccPoint* k, const EccPoint* m, uECC_word_t scalar); /* ... uECC.c ... */ ``` -------------------------------- ### Botan ECDSA Verify: Multi-scalar Fixed-Window Verification Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Explains ECDSA verification for Short-Weierstrass curves using multi-scalar, interleaved fixed-window methods via `ECDSA::verify` and `EC_Point_Multi_Point_Precompute::multi_exp`. This is an optimized verification technique. ```c++ #include #include #include // Example usage (conceptual): // Botan::ECDSA_PublicKey public_key = ...; // Botan::AlgorithmIdentifier hash_algo = ...; // Botan::DataSource_Memory signature = ...; // Botan::DataSource_Memory msg = ...; // bool is_valid = Botan::ECDSA_Verifier(public_key, hash_algo).verify(signature, msg); ``` -------------------------------- ### OpenSSL EC Scalar Multiplication Ladder (Lopez-Dahab) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Implements the Lopez-Dahab ladder algorithm for scalar multiplication on elliptic curves. This method is used by various EC_METHODs, including EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method, for efficient computation of [k]G and [k]P. ```c ossl_ec_scalar_mul_ladder ``` -------------------------------- ### ECDSA Signing using Ladder (coZ) in C Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/micro_ecc.rst Implements ECDSA signing with the Ladder algorithm using coZ coordinates. This process involves `uECC_sign`, `uECC_sign_with_k_internal`, and `EccPoint_mult`, mirroring the key generation and derivation logic. ```C /* ... uECC.c ... */ // Function for signing // int uECC_sign(const uint8_t private_key[ECCKEYSIZE], const uint8_t message_hash[ECCKEYSIZE], uint8_t signature[ECCKEYSIZE*2]); // Internal signing function using k // int uECC_sign_with_k_internal(const uint8_t private_key[ECCKEYSIZE], const uint8_t message_hash[ECCKEYSIZE], uECC_word_t k_scalar[ECCMAXWORDS], uint8_t signature[ECCKEYSIZE*2]); // Point multiplication using Ladder algorithm // EccPoint_mult(EccPoint* p, const EccPoint* k, const EccPoint* m, uECC_word_t scalar); /* ... uECC.c ... */ ``` -------------------------------- ### libtomcrypt ECDSA Signature Generation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/libtomcrypt.rst Details the process of generating an ECDSA signature for a given hash using libtomcrypt. ```c /* Example of ECDSA signature generation (conceptual) */ /* Depends on libtomcrypt library */ /* Input: Hash, Private key */ /* Output: ECDSA signature */ // ecc_sign_hash -> _ecc_sign_hash -> ecc_make_key_ex // Utilizes the private key generated by ecc_make_key_ex. ``` -------------------------------- ### ECDSA Key Generation with fastecdsa Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/fastecdsa.rst Demonstrates the key generation process for ECDSA using fastecdsa, highlighting the use of Short-Weierstrass curves and ladder multiplication for public key derivation. This process relies on optimized point multiplication operations. ```python from fastecdsa.keys import gen_keypair # Generate a key pair for a specific curve (e.g., SECP256k1) pub_key, priv_key = gen_keypair(curve='SECP256k1') print("Public Key:", pub_key.x, pub_key.y) print("Private Key:", priv_key.secret) ``` -------------------------------- ### ECTester BibTeX Entry Source: https://github.com/j08ny/pyecsca/blob/master/docs/papers.rst BibTeX entry for the 'ECTester: Reverse-engineering side-channel countermeasures of ECC implementations' paper presented at CHES 2025. It includes the title, authors, and publication venue. ```Bibtex @InProceedings{2025-ches-jancar, title = {ECTester: Reverse-engineering side-channel countermeasures of ECC implementations}, author = {Vojtech Suchanek and Jan Jancar and Jan Kvapil and Petr Svenda and Lukasz Chmielewski}, booktitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, ``` -------------------------------- ### pyecsca BibTeX Entry Source: https://github.com/j08ny/pyecsca/blob/master/docs/papers.rst BibTeX entry for the 'pyecsca: Reverse engineering black-box elliptic curve cryptography via side-channel analysis' paper presented at CHES 2024. It details the paper's title, authors, publication venue, year, and DOI. ```Bibtex @InProceedings{2024-ches-jancar, title = {pyecsca: Reverse engineering black-box elliptic curve cryptography via side-channel analysis}, author = {Jan Jancar and Vojtech Suchanek and Petr Svenda and Vladimir Sedlacek and Lukasz Chmielewski}, booktitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, publisher = {Ruhr-University of Bochum}, year = {2024}, doi = {10.46586/tches.v2024.i4.355-381}, url = {https://tches.iacr.org/index.php/TCHES/article/view/11796}, pages = {355–381}, } ``` -------------------------------- ### ECDSA Verification using Shamir's Trick in C Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/micro_ecc.rst Provides ECDSA verification utilizing Shamir's trick, a method for efficient point multiplication. The primary function for verification is `uECC_verify`. ```C /* ... uECC.c ... */ // Function for verification using Shamir's trick // int uECC_verify(const uint8_t public_key[ECCKEYSIZE], const uint8_t message_hash[ECCKEYSIZE], const uint8_t signature[ECCKEYSIZE*2]); /* ... uECC.c ... */ ``` -------------------------------- ### mbedTLS x25519 KeyGen (Montgomery Ladder) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/mbedtls.rst Generates public keys for x25519 using the Montgomery Ladder algorithm in Montgomery coordinates. This implementation is optimized for performance. ```c #include // ... function to generate x25519 keypair using Montgomery Ladder ... // mbedtls_ecdh_gen_public -> ecdh_gen_public_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_mxz ``` -------------------------------- ### Botan ECDSA Sign: Fixed Window Point Multiplication Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Details ECDSA signing for Short-Weierstrass curves using Fixed Window (w=3) with full precomputation. It utilizes `blinded_base_point_multiply` and `EC_Point_Base_Point_Precompute::mul` for efficient scalar multiplication during signing. ```c++ #include #include #include // Example usage (conceptual): // Botan::ECDSA_PrivateKey private_key = ...; // Botan::DataSource_Memory msg(data_to_sign); // Botan::AlgorithmIdentifier hash_algo = ...; // Botan::secure_vector signature = Botan::ECDSA_Signer(private_key, hash_algo).sign(msg); ``` -------------------------------- ### Shamir's Trick for ECDSA Verification (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/fastecdsa.rst Demonstrates the implementation of Shamir's trick in C for optimizing ECDSA verification. This technique allows for the verification of multiple signatures simultaneously or the efficient verification of a single signature by combining point multiplication operations. ```c /* Shamir's Trick: pointZZ_pShamirsTrick(P1, scalar1, P2, scalar2) */ // ... (implementation details for Shamir's trick using point addition and doubling) ``` -------------------------------- ### Ed25519 Key Generation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Specifies that Ed25519 key generation is identical to x25519 key generation, utilizing `ossl_ed25519_public_from_private` which internally calls `ge_scalarmult_base`. ```text KeyGen: - Same as x25519 KeyGen via ``ossl_ed25519_public_from_private -> ge_scalarmult_base``. ``` -------------------------------- ### Botan X25519: Montgomery Ladder Implementation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Describes the X25519 implementation in Botan, which is based on curve25519_donna. It uses Montgomery laddering, with mentions of unrolled iterations and xz coordinates. ```c++ #include // Example usage (conceptual): // Botan::X25519_PrivateKey private_key; // Botan::X25519_PublicKey public_key = private_key.public_key(); // Botan::secure_vector shared_secret = Botan::X25519::derive_key(private_key, public_key); ``` -------------------------------- ### Ed25519 Formula Sources Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/sunec.rst References the specific files containing the formulas for addition and doubling operations used in Ed25519 for SunEC version 21. These are essential for the cryptographic operations on this curve. ```Op3 add-sunec-v21-ed25519.op3 ``` ```Op3 dbl-sunec-v21-ed25519.op3 ``` -------------------------------- ### Botan ECDH Derive: Fixed Window Point Multiplication Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Describes ECDH secret derivation using Short-Weierstrass curves with a Fixed Window (w=4) strategy. It employs `blinded_var_point_multiply` and `EC_Point_Var_Point_Precompute::mul` for efficient scalar multiplication. ```c++ #include #include // Example usage (conceptual): // Botan::EC_Group ec_group("secp256r1"); // Botan::EC_PublicKey pub_key(ec_group, ...); // Botan::EC_PrivateKey priv_key(ec_group, ...); // std::vector secret = Botan::ECIES_ENCRYPTOR(priv_key).derive_key(32, pub_key, ...); ``` -------------------------------- ### Ed25519 Key Generation and Signing Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/sunec.rst Covers the key generation and signing processes for the Ed25519 curve. It specifies the use of Twisted-Edwards coordinates, the 'Double and add always' method, and references specific formula files for addition and doubling. ```Java Twisted-Edwards Double and add always Extended coords ``` -------------------------------- ### OpenSSL EC NISTZ256 Scalar Multiplication Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Implements scalar multiplication for the NIST Z256 curve using (signed, Booth) Fixed Window method with a window width of 7, incorporating full precomputation as described in SG14. This method is used for deriving keys. ```c ecp_nistz256_points_mul ``` -------------------------------- ### BouncyCastle Fast Prime Modular Reduction (Java) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/bouncy_castle.rst Highlights specific optimizations in BouncyCastle for modular reduction, particularly fast-prime modular reduction for SECG curves. It also notes an implementation of Curve25519 using a short-Weierstrass form. ```Java https://github.com/bcgit/bc-java/tree/r1rv76/core/src/main/java/org/bouncycastle/math/ec/custom/sec ``` -------------------------------- ### ECDSA Verification with fastecdsa Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/fastecdsa.rst Shows how to verify an ECDSA signature using the public key, the original message, and the signature itself. This function utilizes Shamir's trick for efficient verification, relying on point addition and scalar multiplication operations. ```python from fastecdsa.keys import gen_keypair from fastecdsa.message import Message from fastecdsa.signature import Signature # Generate a key pair pub_key, priv_key = gen_keypair(curve='SECP256k1') # Create a message and sign it message_text = "This is a message to be signed." msg = Message(message_text.encode('utf-8')) signature = priv_key.sign(msg) # Verify the signature is_valid = pub_key.verify(signature, msg) print("Signature is valid:", is_valid) ``` -------------------------------- ### ECDH Key Generation for NIST Curves (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/microsoft_symcrypt.rst Handles ECDH key generation for NIST curves using Jacobian coordinates. It leverages specific double-and-add algorithms, including 'dbl-2007-bl' for general doubling and a tweaked version for a=-3, and 'add-2007-bl' for point addition. Optimized versions for side-channel resistance are also available. ```c #include #include // ECDH key generation for NIST curves using Jacobian coordinates // SymCryptEcpointDouble or SymCryptShortWeierstrassDoubleSpecializedAm3 for doubling // SymCryptEcpointAddDiffNonZero or SymCryptShortWeierstrassAddSideChannelUnsafe for addition ``` -------------------------------- ### Ed25519 Verification Process Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/openssl.rst Details the verification process for Ed25519, which may involve a sliding window with interleaving via `ossl_ed25519_verify` and `ge_double_scalarmult_vartime`. Otherwise, it uses the same mixed coordinate systems and formulas as other operations. ```text Verify: - Sliding window (signed) with interleaving? via ``ossl_ed25519_verify -> ge_double_scalarmult_vartime``. - Otherwise same mixed coordinates and formulas. ``` -------------------------------- ### Botan ECDSA Verify: Jacobian and add-1998-cmo-2, dbl-1986-cc Point Arithmetic Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Covers ECDSA verification for Short-Weierstrass curves using Jacobian, add-1998-cmo-2, and dbl-1986-cc point representations. These relate to the efficient verification algorithms. ```c++ #include #include // Example usage (conceptual): // Botan::ECDSA_PublicKey public_key = ...; // ... // Verify operation // Verification involves point operations that depend on the group's representation. ``` -------------------------------- ### mbedTLS ECDH KeyGen (Short-Weierstrass Comb) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/mbedtls.rst Generates public keys for ECDH using the Comb method on Short-Weierstrass curves. It utilizes mbedTLS functions for modular arithmetic and point multiplication. ```c #include // ... function to generate ECDH keypair using Comb method ... // mbedtls_ecdh_gen_public -> ecdh_gen_public_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb ``` -------------------------------- ### ECDH Key Generation with Secp256R1 Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/sunec.rst Details the key generation process for ECDH using the Secp256R1 curve. It specifies the use of a Comb point multiplier for the generator scalar multiplication and outlines the internal method calls and formula sources for projective coordinates and addition/doubling operations. ```Java Secp256R1GeneratorMultiplier ECKeyPairGenerator.generateKeyPair -> ECKeyPairGenerator.generateKeyPairImpl -> ECPrivateKeyImpl.calculatePublicKey -> ECOperations.multiply -> Default(PointMultiplier).pointMultiply ``` -------------------------------- ### Botan ECDSA KeyGen: Jacobian and add-1998-cmo-2 Point Representation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Covers ECDSA KeyGen for Short-Weierstrass curves using Jacobian and add-1998-cmo-2 point representations, focusing on the underlying point arithmetic for key generation. ```c++ #include #include // Example usage (conceptual): // Botan::ECDSA_PrivateKey private_key(Botan::EC_Group("secp256r1")); // private_key.generate(); // Relies on group's internal point handling ``` -------------------------------- ### ECDSA Curve Math (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/fastecdsa.rst Provides C code snippets illustrating fundamental ECDSA mathematical operations on elliptic curves. This includes point doubling and point addition, crucial for public key generation and signature verification, often implemented using affine or projective coordinates. ```c /* Point doubling: EC_Double(P) */ // ... (implementation details for point doubling) /* Point addition: EC_Add(P1, P2) */ // ... (implementation details for point addition) /* Scalar multiplication: EC_Mul(scalar, point) */ // ... (implementation details for scalar multiplication, often using ladder method) ``` -------------------------------- ### BearSSL ECDH Key Generation Formulas (op3) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/bearssl.rst Provides the operational formulas for ECDH key generation in BearSSL, specifically for addition and doubling operations. These are used in conjunction with Jacobian coordinates and fixed-width window methods. ```op3 add-bearssl-v06 ``` ```op3 dbl-bearssl-v06 ``` -------------------------------- ### BouncyCastle Scalar Multiplier Implementations (Java) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/bouncy_castle.rst Provides details on different scalar multiplication algorithms implemented in BouncyCastle for elliptic curve cryptography. These include Comb, GLV, and Window NAF methods, each with specific configurations for performance optimization. ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/FixedPointCombMultiplier.java ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/GLVMultiplier.java ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/WNafL2RMultiplier.java ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/WTauNafMultiplier.java ``` -------------------------------- ### ECDH Key Derivation with BoringSSL Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/boringssl.rst This section describes the key derivation process for Elliptic Curve Diffie-Hellman (ECDH) in BoringSSL. It highlights the use of Short-Weierstrass curves and points to the relevant functions for scalar multiplication, including default Fixed Window and Jacobian coordinate methods. ```c ECDH_compute_key -> ec_point_mul_scalar -> meth.mul ``` ```c ec_GFp_mont_mul ``` ```c ec_GFp_nistp256_point_mul ``` ```c ec_GFp_nistp224_point_mul ``` -------------------------------- ### Botan ECDH KeyGen: Jacobian and add-1998-cmo-2 Point Representation Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/botan.rst Covers ECDH KeyGen for Short-Weierstrass curves using Jacobian and add-1998-cmo-2 point representations. This relates to the underlying point arithmetic in Botan's EC group implementations. ```c++ #include #include // Example usage (conceptual): // Botan::EC_Group ec_group("secp256r1"); // Botan::EC_Point point = ec_group.get_generator(); // Uses default representation (often Jacobian) ``` -------------------------------- ### P-256 Key Generation and Operations using HACL* Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/nss.rst Details the implementation of P-256 operations in NSS, utilizing HACL* for key generation, derivation, signing, and verification. It specifies the use of Short-Weierstrass curves, Fixed Window methods (width 4), and projective-3 coordinates with specific formulas like `add-2015-rcb` and `dbl-2015-rcb-3`. ```c // KeyGen, Derive, Sign, Verify for P-256 // Uses Short-Weierstrass curve // Fixed Window (width = 4) for point multiplication // Projective-3 coordinates // Formulas: add-2015-rcb, dbl-2015-rcb-3 // Calls: ec_secp256r1_pt_mul -> Hacl_P256_dh_initiator -> point_mul_g ``` -------------------------------- ### Ed25519 Point Multiplication with Fixed Window Precomputation (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/ipp_crypto.rst This snippet details the implementation of Ed25519 point multiplication using a fixed window method with precomputation. It's utilized within the mbx_ed25519_verify function, specifically calling ifma_ed25519_prod_point, which in turn uses ifma_ed25519_mul_point and ifma_ed25519_mul_basepoint. The precomputation window size is set to 4. ```c #include // Placeholder for ifma_ed25519_mul_basepoint function void ifma_ed25519_mul_basepoint(void* output, const void* scalar, const void* point) { printf("ifma_ed25519_mul_basepoint called\n"); // Actual implementation would go here } // Placeholder for ifma_ed25519_mul_point function void ifma_ed25519_mul_point(void* output, const void* scalar, const void* point) { printf("ifma_ed25519_mul_point called\n"); // Actual implementation would go here } // Placeholder for ifma_ed25519_prod_point function void ifma_ed25519_prod_point(void* output, const void* scalar1, const void* scalar2, const void* point1, const void* point2) { printf("ifma_ed25519_prod_point called\n"); ifma_ed25519_mul_point(output, scalar1, point1); // Example usage ifma_ed25519_mul_basepoint(output, scalar2, point2); // Example usage } // Placeholder for mbx_ed25519_verify function int mbx_ed25519_verify(const void* signature, const void* message, const void* public_key) { printf("mbx_ed25519_verify called\n"); void* result = NULL; void* scalar1 = NULL; // Example scalar 1 void* scalar2 = NULL; // Example scalar 2 void* point1 = NULL; // Example point 1 void* point2 = NULL; // Example point 2 ifma_ed25519_prod_point(result, scalar1, scalar2, point1, point2); return 0; // Success indicator } int main() { // Example usage of the verify function mbx_ed25519_verify(NULL, NULL, NULL); return 0; } ``` -------------------------------- ### BouncyCastle ECDSA Key Generation and Signing (Java) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/bouncy_castle.rst Describes the implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) key generation and signing in BouncyCastle. It highlights the use of Short-Weierstrass curves and multiplier algorithms like Comb. ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/crypto/generators/ECKeyPairGenerator.java#L94 ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/ECCurve.java#L676 ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/crypto/signers/ECDSASigner.java#L237 ``` ```Java https://github.com/bcgit/bc-java/blob/r1rv76/core/src/main/java/org/bouncycastle/math/ec/ECCurve.java#L676 ``` -------------------------------- ### ECDSA Signing using Fixed-Window Scalar Multiplication (C) Source: https://github.com/j08ny/pyecsca/blob/master/docs/libraries/microsoft_symcrypt.rst Performs ECDSA signing using a signed fixed-window scalar multiplication algorithm. This method aligns with Algorithm 1 in 'Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis'. It leverages SymCrypt's ECDSA signing, scalar multiplication, and fixed-window scalar multiplication functions. ```c #include #include // ECDSA signing using fixed-window scalar multiplication // SymCryptEcDsaSignEx -> SymCryptEcpointScalarMul -> SymCryptEcpointScalarMulFixedWindow ```