Menu
I'm looking into using curve25519 on a javacard 3.0.4 but I got stuck and I have the following questions:
Does javacard 3.0.4 support such a curve?
What I've tried so far was to convert the Montgomery equation to a Weierstrass equation. Doing this and using Bernstein's website I got the following parameters:
p = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
a = 0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa984914a144
b = 0x7b425ed097b425ed097b425ed097b425ed097b425ed097b4260b5e9c7710c864
r = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
Gx = 0x9
Gy = 0x20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9
As I found some other values on the internet I also tried with
Gx: 0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad245a
Then I followed the implementation from ykneo-curves and ended up with this:
public class Curve25519 {
public final static byte[] p = { // 32 bytes
(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xed };
public final static byte[] a = { // 32 bytes
(byte) 0x2a, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa,
(byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa,
(byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0xaa,
(byte) 0xaa, (byte) 0xaa, (byte) 0xaa, (byte) 0x98, (byte) 0x49, (byte) 0x14, (byte) 0xa1, (byte) 0x44 };
public final static byte[] b = { // 32 bytes
(byte) 0x7b, (byte) 0x42, (byte) 0x5e, (byte) 0xd0, (byte) 0x97, (byte) 0xb4, (byte) 0x25, (byte) 0xed,
(byte) 0x09, (byte) 0x7b, (byte) 0x42, (byte) 0x5e, (byte) 0xd0, (byte) 0x97, (byte) 0xb4, (byte) 0x25,
(byte) 0xed, (byte) 0x09, (byte) 0x7b, (byte) 0x42, (byte) 0x5e, (byte) 0xd0, (byte) 0x97, (byte) 0xb4,
(byte) 0x26, (byte) 0x0b, (byte) 0x5e, (byte) 0x9c, (byte) 0x77, (byte) 0x10, (byte) 0xc8, (byte) 0x64 };
public final static byte[] G = { // 65 bytes
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x09, (byte) 0x20, (byte) 0xae, (byte) 0x19, (byte) 0xa1, (byte) 0xb8, (byte) 0xa0, (byte) 0x86,
(byte) 0xb4, (byte) 0xe0, (byte) 0x1e, (byte) 0xdd, (byte) 0x2c, (byte) 0x77, (byte) 0x48, (byte) 0xd1,
(byte) 0x4c, (byte) 0x92, (byte) 0x3d, (byte) 0x4d, (byte) 0x7e, (byte) 0x6d, (byte) 0x7c, (byte) 0x61,
(byte) 0xb2, (byte) 0x29, (byte) 0xe9, (byte) 0xc5, (byte) 0xa2, (byte) 0x7e, (byte) 0xce, (byte) 0xd3,
(byte) 0xd9 };
public final static byte[] r = { // 32 bytes
(byte) 0x10, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
(byte) 0x14, (byte) 0xde, (byte) 0xf9, (byte) 0xde, (byte) 0xa2, (byte) 0xf7, (byte) 0x9c, (byte) 0xd6,
(byte) 0x58, (byte) 0x12, (byte) 0x63, (byte) 0x1a, (byte) 0x5c, (byte) 0xf5, (byte) 0xd3, (byte) 0xed };
static public KeyPair newKeyPair() {
KeyPair kp = new KeyPair(KeyPair.ALG_EC_FP, (short) 256);
ECPrivateKey ecPrv = (ECPrivateKey) kp.getPrivate();
ECPublicKey ecPub = (ECPublicKey) kp.getPublic();
ecPrv.setFieldFP(p, (short) 0, (short) p.length);
ecPrv.setA(a, (short) 0, (short) a.length);
ecPrv.setB(b, (short) 0, (short) b.length);
ecPrv.setG(G, (short) 0, (short) G.length);
ecPrv.setR(r, (short) 0, (short) r.length);
ecPub.setFieldFP(p, (short) 0, (short) p.length);
ecPub.setA(a, (short) 0, (short) a.length);
ecPub.setB(b, (short) 0, (short) b.length);
ecPub.setG(G, (short) 0, (short) G.length);
ecPub.setR(r, (short) 0, (short) r.length);
return kp;
}
}
In the applet I have the following code:
private MyApplet(byte[] bArray, short bOffset, byte bLength) {
ecKeyPair = Curve25519.newKeyPair();
ecKeyPair.genKeyPair();
register();
}
public static void install(byte[] bArray, short bOffset, byte bLength) {
new MyApplet(bArray, bOffset, bLength);
}
When I try to install it on the javacard using GPP I get the following exception:
pro.javacard.gp.GPException: Install for Install and make selectable failed SW: 6F00
at pro.javacard.gp.GlobalPlatform.check(GlobalPlatform.java:1092)
at pro.javacard.gp.GlobalPlatform.installAndMakeSelectable(GlobalPlatform.java:798
)
at pro.javacard.gp.GPTool.main(GPTool.java:478)
Can I use Curve25519 keypairs for ECDSA javacard signing?
406
Not quite. Montgomery and Weierstrass forms can be converted into each other: http://samuelkerr.com/?p=431
However, there are various caveats getting this to work on Javacards, and part of the curve operations / conversion has to be done on a PC talking to the card. I'm currently working on this and am happy to share the code once it's actually done.
UPDATE: I uploaded the respective code here: https://github.com/david-oswald/jc_curve25519
89
No, such curves are not directly supported.
All Java Card Elliptic Curve facilities use the Weierstraß equation which is
y^2 = x^3 + a*x + b mod p
Curve 25519 is based on
y^2 = x^3 + 486662*x^2 + x mod p
Unfortunately its not possible to directly support such Montgomery curves.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
