"brainpoolP256t1"“ - For 256-Bit ECC Keys

This section describes 'brainpoolP256t1' elliptic curve domain parameters for generating 256-Bit ECC Keys as specified by RFC 5639.

What Is "brainpoolP256t1"? "brainpoolP256t1" is a specific elliptic curve and associated domain parameters selected and recommended in "RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation" at https://datatracker.ietf.org/doc/html/rfc5639.

The "P256t1" of the "brainpoolP256t1" name indicates:

```P     Field type = Prime field
256   Key size = 256
t     Curve type = Twisted curve
1     Cofactor = 1
```

"brainpoolP256t1" is a twist to "brainpoolP256r1" Their domain parameters (p, a, b, G, n, h) are related as shown below:

```brainpoolP256t1.p    = brainpoolP256r1.p
brainpoolP256t1.a    = brainpoolP256r1.a*Z**4
brainpoolP256t1.b    = brainpoolP256r1.b*Z**6
brainpoolP256t1.G[0] = brainpoolP256r1.G[0]*Z**2
brainpoolP256t1.G[1] = brainpoolP256r1.G[1]*Z**3
brainpoolP256t1.n    = brainpoolP256r1.n
brainpoolP256t1.h    = brainpoolP256r1.h

where:
Z = 0x3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0
```

Calculate "brainpoolP256t1" domain parameters

p: The modulo used to specify the reduced elliptic curve group:

```p = brainpoolP256r1.p
= 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
```

a: The first coefficient of the elliptic curve:

```a = brainpoolP256r1.a*Z**4
= 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374

Because brainpoolP256r1.a is well selected, we also have:
a is congruent to -3 mod p
a%p = -3%p
```

b: The second coefficient of the elliptic curve:

```b = brainpoolP256r1.b*Z**6
= 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
```

G: The generator (base point) of the subgroup:

```G =(brainpoolP256r1.G[0]*Z**2, brainpoolP256r1.G[1]*Z**3)
=(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)
```

n: The order of the subgroup:

```n = brainpoolP256r1.n
= 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
```

h: The cofactor of the subgroup:

```h = brainpoolP256r1.h
= 1
```

Verify domain parameters with Python - G is on the curve.

```herong> python

>>> p = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
>>> a = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
>>> b = 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
>>> G =(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
...     0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)

>>> G[1]**2 % p == (G[0]**3 + a*G[0] + b) % p
True
```

Verify "brainpoolP256t1" is a twist to "brainpoolP256r1"

```herong> more brainpoolP256.py

# brainpoolP256.py
#

rp = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
ra = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
rb = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
rG =(0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997)
rn = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
rh = 1

tp = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
ta = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374
tb = 0x662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04
tG =(0xA3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4,
0x2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE)
tn = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
th = 1

Z  = 0x3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0

print(ta == -3 % rp)
print(tp == rp)

print(ta == ((Z**4)*ra) % rp)
print(tb == ((Z**6)*rb) % rp)
print(tG[0] == rG[0]*Z**2 % rp)
print(tG[1] == rG[1]*Z**3 % rp)

print(tn == rn)
print(th == th)

herong> python brainpoolP256.py
True
True
True
True
True
True
True
True
```

Generate a "brainpoolP256t1" key pair with OpenSSL

```herong> openssl ecparam -genkey -name brainpoolP256t1 \
-out brainpoolP256t1.pem -param_enc explicit

herong> openssl ec -in brainpoolP256t1.pem -noout -text

Private-Key: (256 bit)
priv:
2e:6d:c1:d5:6f:32:3d:bd:ea:30:66:8c:55:5f:99:
b3:6c:f9:d3:6a:fa:1c:4f:1c:a2:ee:24:b3:14:c4:
da:66
pub:
f8:a5:be:98:b9:cc:14:46:1d:db:28:dc:9f:58:06:
3f:b8:b8:80:47:8f:ed:4c:c7:91:d5:8e:2f:f5:76:
1c:d0:1b:fc:45:16:01:ee:d0:df:2e:77:23:b7:60:
5e:1b:1f:23:c8
Field Type: prime-field
Prime:
00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
8d:72:6e:3b:f6:23:d5:26:20:28:20:13:48:1d:1f:
6e:53:77
A:
00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
8d:72:6e:3b:f6:23:d5:26:20:28:20:13:48:1d:1f:
6e:53:74
B:
66:2c:61:c4:30:d8:4e:a4:fe:66:a7:73:3d:0b:76:
b7:bf:93:eb:c4:af:2f:49:25:6a:e5:81:01:fe:e9:
2b:04
Generator (uncompressed):
04:a3:e8:eb:3c:c1:cf:e7:b7:73:22:13:b2:3a:65:
61:49:af:a1:42:c4:7a:af:bc:2b:79:a1:91:56:2e:
13:05:f4:2d:99:6c:82:34:39:c5:6d:7f:7b:22:e1:
46:44:41:7e:69:bc:b6:de:39:d0:27:00:1d:ab:e8:
f3:5b:25:c9:be
Order:
00:a9:fb:57:db:a1:ee:a9:bc:3e:66:0a:90:9d:83:
8d:71:8c:39:7a:a3:b5:61:a6:f7:90:1e:0e:82:97:
48:56:a7
Cofactor:  1 (0x1)
```

The printed domain parameters (Prime, A, B, Generator, Order, Cofactor) match well with (p, a, b, G, n, h) specified by RFC 5639. Remember that OpenSSL prints "Generator" as 0x04<G.x><G.y>.

Exercise: Verify all "prime field" and "regular" curves: brainpoolP160t1, brainpoolP192t1, brainpoolP224t1, brainpoolP256t1, brainpoolP320t1, brainpoolP384t1, and brainpoolP512t1 specified by RFC 5639.