"keytool -groupname ..." - Select Curve Name

This section provides a tutorial example on how to use the 'keytool -groupname ...' option to select a different elliptic curve when generating EC private-public key pairs.

How To Select a Different Curve with "keytool"? If you don't like the default elliptic curve, secp256r1, used by "keytool", you can use the "-groupname ..." option to specify a different elliptic curve.

Older versions of "keytool" also allow you to use the "-keysize ..." option to specify a different key size, which forces "keytool" to use a different elliptic curve.

1. Generate an EC private-public key pair with "-groupname secp521r1" option to select a different curve.

herong> keytool -genkeypair -keyalg EC -groupname secp521r1 -alias 2nd_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]:  Herong
...
Is CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US correct?
  [no]:  yes

Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
     for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US

2. Generate an EC private-public key pair with "-keysize 521" option to select a different curve. Notice that "keytool" gives me a warning on the "-keysize ..." option. It tells me to use the "-groupname ..." option instead.

herong> keytool -genkeypair -keyalg EC -keysize 521 -alias 3rd_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS

Warning:
  Specifying -keysize for generating EC keys is deprecated,
  please use "-groupname secp521r1" instead.

What is your first and last name?
  [Unknown]:  Herong
...

Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
    for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US

3. Generate an EC private-public key pair with "-groupname secp192r1" option to select a different curve. But I am getting an error this time. Too bad, "keytool" does not support the "secp192r1" curve. It considers "secp192r1" too short and not secure enough.

herong> keytool -genkeypair -keyalg EC -groupname secp192r1 -alias 4th_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]:  Herong
...

keytool error: java.lang.IllegalArgumentException: Curve not supported:
  secp192r1 [NIST P-192,X9.62 prime192v1] (1.2.840.10045.3.1.1)

4. Generate an EC private-public key pair with "-groupname my_curve" option to see what will happen. I am getting the "Unknown curve name: my_curve" error, as expected.

herong> keytool -genkeypair -keyalg EC -groupname my_curve -alias 5th_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]:  Herong
...

keytool error: java.lang.IllegalArgumentException:
  Unknown curve name: my_curve
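
After generating keys on different curves as in steps 1 to 4, it helps to check which curve each keystore entry actually uses. The following is an added example, not part of the original tutorial: a POSIX shell function that reads "keytool -list -v" output and flags EC entries whose curve is not on an allowlist. The allowlist, the function names, the "legacy_ec" alias and the sample listing are constructed for illustration, and the "Subject Public Key Algorithm" line format is an assumption; a line without a curve name in parentheses is reported as "unknown".

```sh
#!/bin/sh
# Added example (not from the original tutorial): report the curve behind each
# alias in `keytool -list -v` output and flag anything outside an allowlist.

# Assumed policy: curves accepted for keys in this keystore.
ALLOWED_CURVES="secp256r1 secp384r1 secp521r1"

# Reads `keytool -list -v` text on stdin, prints "alias curve OK|REVIEW" for
# every EC entry, and returns 1 if at least one entry is flagged.
audit_ec_curves() {
  awk -v allowed="$ALLOWED_CURVES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "Alias name: " is 12 characters, the alias starts at column 13.
    /^Alias name: / { alias = substr($0, 13) }
    /^Subject Public Key Algorithm: .*EC/ {
      curve = "unknown"   # no "(curve)" on the line: cannot confirm, so flag
      if (match($0, /\([^)]+\)/)) curve = substr($0, RSTART + 1, RLENGTH - 2)
      status = (curve in ok) ? "OK" : "REVIEW"
      if (status == "REVIEW") bad = 1
      print alias, curve, status
    }
    END { exit bad + 0 }
  '
}

# Constructed sample listing (assumed format, not captured keytool output).
sample_listing() {
  cat <<'EOF'
Alias name: 2nd_ec
Entry type: PrivateKeyEntry
Signature algorithm name: SHA512withECDSA
Subject Public Key Algorithm: 521-bit EC (secp521r1) key

Alias name: legacy_ec
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 192-bit EC (secp192r1) key
EOF
}

# Real use: keytool -list -v -keystore herong.jks | audit_ec_curves
sample_listing | audit_ec_curves || echo "one or more entries need review"
```

The non-zero return value lets the check fail a build or deployment step when a keystore contains a key on a curve outside the allowlist.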
