Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) is based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was independently suggested by Neal Koblitz and Victor Miller in 1985. Certicom holds a number of patents in the Elliptic Curve Cryptography arena.
From a high level, Crypto++ offers a numbers of schemes and alogrithms which operate over elliptic curves. Fields include both Fp and F2m, and schemes include:
- Elliptic Curve Diffie-Hellman Key Agreement (ECDH)
- Elliptic Curve Menezes-Qu-Vanstone Key Agreement (ECMQV)
- Hashed Menezes-Qu-Vanstone Key Agreement (HMQV)
- Fully Hashed Menezes-Qu-Vanstone Key Agreement (FHMQV)
- Elliptic Curve Integrated Encryption Scheme (ECIES)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Elliptic Curve Nyberg Rueppel Signature Scheme (ECNR)
- Point Compression
Two Step Construction/Initialization of Keys
If you want to perform two-step construction and initialization of a private key, then perform the following. Note that Initialize takes a RandomNumberGenerator, which causes private key generation. An Initialize that lacks the PRNG does not generate a private key.
While the example below is written for ECIES, the technique applies to all Diffie-Hellman schemes over elliptic curves due to Crypto++'s use of interface programming. That means it works equally well for ECMQV, ECDSA, ECMQV and ECNR.
// From Wei Dai in a private email ECIES<ECP>::Decryptor d; d.AccessKey().GenerateRandom(GlobalRNG(), MakeParameters(Name::GroupOID(), ASN1::secp256r1()));
Alternative, but non-preferred methods include the following.
ECIES<ECP>::Decryptor decryptor; decryptor.AccessKey().AccessGroupParameters().Initialize(prng, ASN1::secp256r1());
As yet another alternative, you can set the private exponent (multiplicand) directly:
ECIES<ECP>::Decryptor decryptor; decryptor.AccessKey().AccessGroupParameters().Initialize(ASN1::secp256r1()); Integer x(prng, Integer::One(), decryptor.AccessKey().GetGroupParameters().GetSubgroupOrder()-1); decryptor.AccessKey().SetPrivateExponent(x);
Minimizing Key Size for Persistence
Keys can be serialized in a number of different formats. Some formats are better for interoperability, while others are better for minimizing size. Keys and their formats are covered in detail at Keys and Formats.
Keys and Formats does not discuss minimizing a serialized key's size. Taking from Wei Dai on the Crypto++ mailing list:
To minimize the size of public and private keys, what you need to do is
encode only the private exponent of the private key, and the public point of
the public key.
// save private exponent privateKey.GetPrivateExponent().DEREncode(privFile); // load private exponent Integer x; x.BERDecode(privFile); privateKey.AccessGroupParameters().Initialize(CryptoPP::ASN1::secp160k1()); privateKey.SetPrivateExponent(x); // save public element publicKey.GetGroupParameters().GetCurve().EncodePoint(pubFile, publicKey.GetPublicElement(), true); // load public element ECP::Point p; publicKey.AccessGroupParameters().Initialize(CryptoPP::ASN1::secp160k1()); publicKey.GetGroupParameters().GetCurve().DecodePoint(p, pubFile, publicKey.GetGroupParameters().GetCurve().EncodedPointSize(true)); publicKey.SetPublicElement(p);
Crypto++ supplies a set of standard curves approved by ANSI, Brainpool, and NIST. Crypto++ does not provide curve generation functionality. If you need a custom curve, see Elliptic Curve Builder.
dpval-2.zip - Elliptic Curve Domain Parameter Validation. The program dumps the public and private keys, and validates the curve per Certicom's SEC 2 Whitepaper (the curve used for demonstration purposes is NIST P-192). In addition, the program demonstrates mathematics with the point of infinity and scalar multiplications using Crypto++.
ecctest.zip - Exercises encryption and decryption using ANSI, Brainpool, and NIST curves by way of #define
ECDSA-Test.zip - Crypto++ ECDSA sample program