LIBS.md

Supported libraries

Libraries that ECTester can test.

• BouncyCastle
  • Java
  • Works with the short Weierstrass curve model.
  • Works with coordinates:
    • Affine
    • Projective(Homogenous)
    • Jacobian
    • Jacobian-Chudnovsky
    • Jacobian-Modified
    • Lambda-Affine?
    • Lambda-Projective?
    • Skewed?
  • Multiple scalar multiplication algorithms implemented and used:
    • Double-and-add always (DoubleAddMultiplier)
    • Fixed point comb (FixedPointCombMultiplier)
    • GLV (Gallant-Lambert-Vanstone) using endomorphisms (GLVMultiplier): Faster point multiplication on elliptic curves with efficient endomorphisms. <-- default, if available
    • Binary NAF right-to-left multiplication(mixed coordinates) (MixedNafR2LMultiplier)
    • Montgomery ladder (MontgomeryLadderMultiplier)
    • Binary NAF right-to-left multiplication (NafR2LMultiplier)
    • Binary NAF left-to-right multiplication (NafL2RMultiplier)
    • Double-and-add reference implementation (ReferenceMultiplier)
    • Window NAF left-to-right multiplication (WNafL2RMultiplier) <-- default
    • Window Tau-NAF multiplication (WTauNafMultiplier): Improved Algorithms for Arithmetic on Anomalous Binary Curves
    • Zeroless signed digit binary right-to-left multiplication (ZSignedDigitR2LMultiplier)
    • Zeroless signed digit binary left-to-right multiplication (ZSignedDigitL2RMultiplier)
  • Has custom field and point arithmetic for:
    • Curve25519 (transformed into short Weierstrass model)
    • SMP2 curves
    • SECG curves
• Sun EC
  • Java + C
  • Uses the short Weierstrass curve model.
  • For prime field curves:
    • Uses 5-bit window NAF, Uses mixed Modified-Jacobian coordinates for doubling and Chudnovsky Jacobian coordinates for additions (ecp_jm.c). From: Brown, Hankerson, Lopez, Menezes: Software Implementation of the NIST Elliptic Curves Over Prime Fields.
    • Contains an implementation of scalar multiplication with 4-bit sliding window, using Jacobian coordinates (ecp_jac.c)
    • Contains an implementation of IEEE P1363 algorithm A.10.3 using affine coordinates (ecp_aff.c)
  • For binary field curves:
    • Uses Lopez-Dahab (Montgomery) ladder, XZ coordinates (ec2_mont.c): Fast multiplication on elliptic curves over GF(2^m) without precomputation (Algorithm 2P)
    • Contains an implementation of IEEE P1363 algorithm A.10.3 using affine coordinates (ec2_aff.c)
  • Has some custom arithmetic for some of the NIST primes.
• WolfCrypt(WolfSSL)
  • C + Java
  • Prime field curves only.
  • Jacobian coordinates:
    • Uses sliding window scalar multiplication, (discards b parameter of curve), but validates points.
• OpenSSL
  • C
  • For prime field curves:
    • Uses Jacobian coordinates, and Montgomery ladder, also uses wNAF-based interleaving multi-exponentiation method(ec_mult.c): http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
    • Also uses multiplication with precomputation by wNAF splitting(ec_mult.c)
  • For binary field curves:
    • Uses Jacobian coordinates, and Lopez-Dahab ladder, also uses wNAF-based interleaving multi-exponentiation method(ec2_smpl.c)
• BoringSSL
  • C
  • Supports prime field curves only:
    • Use Jacobian coordinates, and Montgomery ladder, also uses optimized arithmetic on NIST P-224, P-256.
  • Bundled as a git submodule in ext/boringssl. To build and use run:

cd ext/boringssl
mkdir build && cd build
cmake -DBUILD_SHARED_LIBS=1 -GNinja ..
ninja

• Crypto++
  • C++
  • For prime field curves:
    • Uses projective coordinates and sliding window scalar multiplication algorithm.
  • For binary field curves:
    • Uses affine coordinates and sliding window scalar multiplication algorithm.
• libtomcrypt
  • C
  • Uses Jacobian coordinates.
  • Sliding window scalar multiplication algorithm.
• libgcrypt
  • C
  • Only supports prime field curves.
  • Uses short Weierstrass, Montgomery and Twisted Edwards models.
    • Uses left-to-right double-and-add always scalar multiplication and Jacobian coordinates in short Weierstrass form.
    • Uses Montgomery ladder and X-only in Montgomery form.
    • Uses left-to-right double-and-add always scalar multiplication in Twisted Edwards form.
• Botan
  • C++
  • Uses blinded(randomized) Montgomery ladder.
  • https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
  • https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc
  • https://eprint.iacr.org/2015/657
  • ECTester supports v2.4.0 and up.
• Microsoft CNG
  • C API.
  • Closed source. Not any more: https://github.com/Microsoft/SymCrypt.
  • For prime field curves(only supports):
    • Uses Short Weierstrass model.
    • Uses Twisted Edwards model.
    • Uses Montgomery model.
    • Uses fixed window scalar multiplication.
    • Uses Wnaf multi-scalar multiplication with interleaving.
    • Uses Montgomery ladder.
• mbedTLS
  • C
  • Only supports prime field curves.
  • Uses short Weierstrass and Montgomery models.
  • Uses comb method for short Weierstrass curves, using (randomized) Jacobian coordinates.
  • http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2
  • Uses Montgomery ladder with xz coordinates for Montgomery curves.
• MatrixSSL
  • C
  • Only supports prime field curves.
  • Uses 4 bit sliding window.
  • Uses projective coordinates.
• Intel Performance Primitives
  • C
  • Only supports prime field curves.
  • Uses 5-bit window NAF.
  • Uses Jacobian coordinates.
  • https://github.com/intel/ipp-crypto

Libraries with ECC support

Popular libraries with at least some ECC support, that ECTester does not yet support:

• NSS
• LibreSSL
• Nettle
• BearSSL
• cryptlib
• OpenSSL (FIPS mode)
• Microsoft .NET crypto
• Linux kernel, test via libkcapi