"brainpoolP256t1"“ - For 256-Bit ECC Keys

This section describes 'brainpoolP256t1' elliptic curve domain parameters for generating 256-Bit ECC Keys as specified by RFC 5639.

What Is "brainpoolP256t1"? "brainpoolP256t1" is a specific elliptic curve and associated domain parameters selected and recommended in "RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation" at https://datatracker.ietf.org/doc/html/rfc5639.

The "P256t1" of the "brainpoolP256t1" name indicates:

P     Field type = Prime field
256   Key size = 256
t     Curve type = Twisted curve
1     Cofactor = 1

"brainpoolP256t1" is a twist to "brainpoolP256r1" Their domain parameters (p, a, b, G, n, h) are related as shown below:

brainpoolP256t1.p    = brainpoolP256r1.p
brainpoolP256t1.a    = brainpoolP256r1.a*Z**4
brainpoolP256t1.b    = brainpoolP256r1.b*Z**6
brainpoolP256t1.G[0] = brainpoolP256r1.G[0]*Z**2
brainpoolP256t1.G[1] = brainpoolP256r1.G[1]*Z**3
brainpoolP256t1.n    = brainpoolP256r1.n
brainpoolP256t1.h    = brainpoolP256r1.h

where:
Z = 0x3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0

Calculate "brainpoolP256t1" domain parameters

p: The modulo used to specify the reduced elliptic curve group:

p = brainpoolP256r1.p
  = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

a: The first coefficient of the elliptic curve:

a = brainpoolP256r1.a*Z**4
  = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374

Because brainpoolP256r1.a is well selected, we also have:
  a is congruent to -3 mod p
  a%p = -3%p

b: The second coefficient of the elliptic curve:

b = brainpoolP256r1.b*Z**6
  = 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04

G: The generator (base point) of the subgroup:

G =(brainpoolP256r1.G[0]*Z**2, brainpoolP256r1.G[1]*Z**3)
  =(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
    0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)

n: The order of the subgroup:

n = brainpoolP256r1.n
  = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7

h: The cofactor of the subgroup:

h = brainpoolP256r1.h
  = 1

Verify domain parameters with Python - G is on the curve.

herong> python

>>> p = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
>>> a = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
>>> b = 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
>>> G =(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
...     0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)

>>> G[1]**2 % p == (G[0]**3 + a*G[0] + b) % p
True

Verify "brainpoolP256t1" is a twist to "brainpoolP256r1"

herong> more brainpoolP256.py

# brainpoolP256.py
# Copyright (c) HerongYang.com. All Rights Reserved.
#

rp = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
ra = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
rb = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
rG =(0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
    0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997)
rn = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
rh = 1

tp = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
ta = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
tb = 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
tG =(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
     0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)
tn = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
th = 1

Z  = 0x3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0

print(ta == -3 % rp)
print(tp == rp)

print(ta == ((Z**4)*ra) % rp)
print(tb == ((Z**6)*rb) % rp)
print(tG[0] == rG[0]*Z**2 % rp)
print(tG[1] == rG[1]*Z**3 % rp)

print(tn == rn)
print(th == th)

herong> python brainpoolP256.py
  True
  True
  True
  True
  True
  True
  True
  True

Generate a "brainpoolP256t1" key pair with OpenSSL

herong> openssl ecparam -genkey -name brainpoolP256t1 \
  -out brainpoolP256t1.pem -param_enc explicit

herong> openssl ec -in brainpoolP256t1.pem -noout -text

Private-Key: (256 bit)
priv:
    2e:6d:c1:d5:6f:32:3d:bd:ea:30:66:8c:55:5f:99:
    b3:6c:f9:d3:6a:fa:1c:4f:1c:a2:ee:24:b3:14:c4:
    da:66
pub:
    04:06:06:97:ad:f4:7c:a7:70:86:e2:4d:1c:6f:50:
    f8:a5:be:98:b9:cc:14:46:1d:db:28:dc:9f:58:06:
    3f:b8:b8:80:47:8f:ed:4c:c7:91:d5:8e:2f:f5:76:
    1c:d0:1b:fc:45:16:01:ee:d0:df:2e:77:23:b7:60:
    5e:1b:1f:23:c8
Field Type: prime-field
Prime:
    00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
    8d:72:6e:3b:f6:23:d5:26:20:28:20:13:48:1d:1f:
    6e:53:77
A:
    00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
    8d:72:6e:3b:f6:23:d5:26:20:28:20:13:48:1d:1f:
    6e:53:74
B:
    66:2c:61:c4:30:d8:4e:a4:fe:66:a7:73:3d:0b:76:
    b7:bf:93:eb:c4:af:2f:49:25:6a:e5:81:01:fe:e9:
    2b:04
Generator (uncompressed):
    04:a3:e8:eb:3c:c1:cf:e7:b7:73:22:13:b2:3a:65:
    61:49:af:a1:42:c4:7a:af:bc:2b:79:a1:91:56:2e:
    13:05:f4:2d:99:6c:82:34:39:c5:6d:7f:7b:22:e1:
    46:44:41:7e:69:bc:b6:de:39:d0:27:00:1d:ab:e8:
    f3:5b:25:c9:be
Order:
    00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
    8d:71:8c:39:7a:a3:b5:61:a6:f7:90:1e:0e:82:97:
    48:56:a7
Cofactor:  1 (0x1)

The printed domain parameters (Prime, A, B, Generator, Order, Cofactor) match well with (p, a, b, G, n, h) specified by RFC 5639. Remember that OpenSSL prints "Generator" as 0x04<G.x><G.y>.

Exercise: Verify all "prime field" and "regular" curves: brainpoolP160t1, brainpoolP192t1, brainpoolP224t1, brainpoolP256t1, brainpoolP320t1, brainpoolP384t1, and brainpoolP512t1 specified by RFC 5639.

Table of Contents

 About This Book

 Geometric Introduction to Elliptic Curves

 Algebraic Introduction to Elliptic Curves

 Abelian Group and Elliptic Curves

 Discrete Logarithm Problem (DLP)

 Finite Fields

 Generators and Cyclic Subgroups

 Reduced Elliptic Curve Groups

 Elliptic Curve Subgroups

 tinyec - Python Library for ECC

 EC (Elliptic Curve) Key Pair

 ECDH (Elliptic Curve Diffie-Hellman) Key Exchange

 ECDSA (Elliptic Curve Digital Signature Algorithm)

 ECES (Elliptic Curve Encryption Scheme)

 EC Cryptography in Java

Standard Elliptic Curves

 What Are Standard Elliptic Curves

 "openssl ecparam -list_curves" - Curves Supported by OpenSSL

 "secp256r1" - For 256-Bit ECC Keys

 "secp256k1" - For 256-Bit ECC Keys

 "sect283r1" - For 256-Bit ECC Keys

 "brainpoolP256r1"“ - For 256-Bit ECC Keys

"brainpoolP256t1"“ - For 256-Bit ECC Keys

 Terminology

 References

 Full Version in PDF/EPUB