**EC Cryptography Tutorials - Herong's Tutorial Examples** - v1.03, by Herong Yang

"keytool -groupname ..." - Select Curve Name

This section provides a tutorial example on how to use the 'keytool -groupname ...' option to select a different elliptic curve when generating EC private-public key pairs.

**How To Select a Different Curve with "keytool"?**
If you don't like the default elliptic curve, secp256r1, used by "keytool", you can use the "-groupname ..." option to specify a different elliptic curve.

Older versions of "keytool" also allow you to use the "-keysize ..." option to specify a different key size, which will force "keytool" to use a different elliptic curve.

1. Generate an EC private-public key pair with "-groupname secp521r1" option to select a different curve.

```
herong> keytool -genkeypair -keyalg EC -groupname secp521r1 -alias 2nd_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...
Is CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US correct?
  [no]: yes

Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
  for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
```

2. Generate an EC private-public key pair with "-keysize 521" option to select a different curve. Notice that "keytool" gives me a warning on the "-keysize ..." option. It tells me to use the "-groupname ..." option.

```
herong> keytool -genkeypair -keyalg EC -keysize 521 -alias 3rd_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
Warning: Specifying -keysize for generating EC keys is deprecated,
  please use "-groupname secp521r1" instead.
What is your first and last name?
  [Unknown]: Herong
...

Generating 521 bit EC (secp521r1) key pair and self-signed certificate
  (SHA512withECDSA) with a validity of 90 days
  for: CN=Herong, OU=My Unit, O=My Home, L=My City, ST=My State, C=US
```

3. Generate an EC private-public key pair with "-groupname secp192r1" option to select a different curve. But I am getting an error this time. Too bad, "keytool" does not support the "secp192r1" curve. It considers "secp192r1" as too short and not secure enough.

```
herong> keytool -genkeypair -keyalg EC -groupname secp192r1 -alias 4th_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...

keytool error: java.lang.IllegalArgumentException: Curve not supported:
  secp192r1 [NIST P-192,X9.62 prime192v1] (1.2.840.10045.3.1.1)
```

4. Generate an EC private-public key pair with "-groupname my_curve" option to see what will happen. I am getting the "Unknown curve name: my_curve" error, as expected.

```
herong> keytool -genkeypair -keyalg EC -groupname my_curve -alias 5th_ec \
  -keystore herong.jks

Enter keystore password: HerongJKS
What is your first and last name?
  [Unknown]: Herong
...

keytool error: java.lang.IllegalArgumentException: Unknown curve name: my_curve
```
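After generating keys with different "-groupname ..." or "-keysize ..." values, it is useful to confirm which curve each keystore entry actually ended up with. The script below is an added example, not part of the original tutorial: it parses "keytool -list -v" output and flags EC entries below a minimum key size. It assumes the listing prints "Alias name: ..." and "Subject Public Key Algorithm: N-bit EC (curve) key" lines; the sample listing and the aliases legacy_ec and rsa_key are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): list the curve behind each EC entry
# in `keytool -list -v` output and flag keys below a minimum size.
# Assumption: the listing contains "Alias name: <alias>" and
# "Subject Public Key Algorithm: <bits>-bit EC (<curve>) key" lines.

# ec_curve_report [MIN_BITS]: reads a listing on stdin, prints
# "<alias> <curve> <bits> OK|WEAK" per EC entry, returns 1 if any is WEAK.
ec_curve_report() {
  awk -v min="${1:-256}" '
    /^Alias name: / { alias = substr($0, 13) }
    /Subject Public Key Algorithm: [0-9]+-bit EC/ {
      bits = $5; sub(/-bit$/, "", bits)
      curve = "unknown"            # used when no curve name is on the line
      if (match($0, /\([^)]+\)/)) curve = substr($0, RSTART + 1, RLENGTH - 2)
      verdict = (bits + 0 >= min + 0) ? "OK" : "WEAK"
      if (verdict == "WEAK") bad = 1
      print alias, curve, bits, verdict
    }
    END { exit bad + 0 }
  '
}

# Constructed sample listing, trimmed to the lines the parser reads.
# The aliases legacy_ec and rsa_key are hypothetical.
sample_listing() {
  cat <<'EOF'
Alias name: 2nd_ec
Entry type: PrivateKeyEntry
Signature algorithm name: SHA512withECDSA
Subject Public Key Algorithm: 521-bit EC (secp521r1) key
Alias name: legacy_ec
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 192-bit EC (secp192r1) key
Alias name: rsa_key
Entry type: PrivateKeyEntry
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# Real use: keytool -list -v -keystore herong.jks | ec_curve_report 256
sample_listing | ec_curve_report 256 || echo "EC keys below 256 bits found"
```

The non-zero return status on a WEAK entry lets the check gate a build or deployment step.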
