"brainpoolP256r1"“ - For 256-Bit ECC Keys

This section describes 'brainpoolP256r1' elliptic curve domain parameters for generating 256-Bit ECC Keys as specified by RFC 5639.

What Is "brainpoolP256r1"? "brainpoolP256r1" is a specific elliptic curve and associated domain parameters selected and recommended in "RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation" at https://datatracker.ietf.org/doc/html/rfc5639.

The "P256r1" part of the "brainpoolP256r1" name indicates:

```P     Field type = Prime field
256   Key size = 256
r     Curve type = Regular curve
1     Cofactor = 1
```

"brainpoolP256r1" domain parameters (p, a, b, G, n, h)

p: The modulo used to specify the reduced elliptic curve group:

```p = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

p is congruent to 3 mod 4: p mod 4 = p%4 = 3
This allows fast computation of y for a given x.
```

a: The first coefficient of the elliptic curve:

```a = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
```

b: The second coefficient of the elliptic curve:

```b = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
```

G: The generator (base point) of the subgroup:

```G =(0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997)
```

n: The order of the subgroup:

```n = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
```

h: The cofactor of the subgroup:

```h = 1
```

Verify domain parameters with Python - G is on the curve.

```herong> python

>>> p = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
>>> a = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
>>> b = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
>>> G =(0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
...     0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997)

>>> G[1]**2 % p == (G[0]**3 + a*G[0] + b) % p
True
```

Generate a "brainpoolP256r1" key pair with OpenSSL

```herong> openssl ecparam -genkey -name brainpoolP256r1 \
-out brainpoolP256r1.pem -param_enc explicit

herong> openssl ec -in brainpoolP256r1.pem -noout -text

Private-Key: (256 bit)
priv:
30:cb:fd:6a:ce:88:9f:ee:b9:57:1c:c5:f0:64:7f:
5c:b2:f7:48:83:07:20:e8:c4:0e:b3:77:08:d1:bb:
22:1c
pub:
04:62:48:3b:be:5d:77:64:59:d9:ff:28:69:5f:b2:
e8:cb:62:14:4e:55:9b:67:78:f4:20:51:05:a1:8c:
3d:bc:4d:30:06:4c:74:34:74:88:08:52:bb:46:21:
7a:51:a4:55:66:8c:48:05:ec:5e:4a:ec:b4:39:63:
1f:90:1f:bd:63
Field Type: prime-field
Prime:
00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
8d:72:6e:3b:f6:23:d5:26:20:28:20:13:48:1d:1f:
6e:53:77
A:
7d:5a:09:75:fc:2c:30:57:ee:f6:75:30:41:7a:ff:
e7:fb:80:55:c1:26:dc:5c:6c:e9:4a:4b:44:f3:30:
b5:d9
B:
26:dc:5c:6c:e9:4a:4b:44:f3:30:b5:d9:bb:d7:7c:
bf:95:84:16:29:5c:f7:e1:ce:6b:cc:dc:18:ff:8c:
07:b6
Generator (uncompressed):
04:8b:d2:ae:b9:cb:7e:57:cb:2c:4b:48:2f:fc:81:
b7:af:b9:de:27:e1:e3:bd:23:c2:3a:44:53:bd:9a:
ce:32:62:54:7e:f8:35:c3:da:c4:fd:97:f8:46:1a:
14:61:1d:c9:c2:77:45:13:2d:ed:8e:54:5c:1d:54:
c7:2f:04:69:97
Order:
00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
8d:71:8c:39:7a:a3:b5:61:a6:f7:90:1e:0e:82:97:
48:56:a7
Cofactor:  1 (0x1)
```

The printed domain parameters (Prime, A, B, Generator, Order, Cofactor) match well with (p, a, b, G, n, h) specified by RFC 5639. Remember that OpenSSL prints "Generator" as 0x04<G.x><G.y>.

Exercise: Verify all "prime field" and "regular" curves: brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, and brainpoolP512r1 specified by RFC 5639.